
Administration Guide

Antispam tuning

  • If the spam catch rate is low, see Troubleshoot antispam issues for fine tuning instructions.
  • Use safe lists and block lists with caution. They can increase incorrect results.

    For example, a system-level safe list entry for *.edu email addresses allows email from all .edu top level domains. Sender email addresses in the SMTP envelope (MAIL FROM:) and message header (From:) can be fake, too. The result is that all spam from any .edu email address — real or fake — would bypass antispam scans.

    Better approaches are to either use client IP addresses (which are harder to fake) in access control policies or to use DKIM or SPF sender authentication (which is stronger and widely supported).

    Do not safelist protected domain names. Sender email addresses can be faked, so they may not really belong to the protected domain. This could allow spammers to bypass antispam scans.

  • To prevent directory harvest attacks (DHA), use a combination of recipient verification and sender reputation.

    DHA is a common method used by spammers. It utilizes recipient verification in an attempt to determine an email server’s valid email addresses so that they can be added to a spam database.

    If Recipient Address Verification (accessed through Domain & User > Domain > Domain) is enabled, each recipient address will be verified with the protected email server. For email destined for invalid recipient addresses, the FortiMail unit will return User Unknown messages to the SMTP client. However, spammers will utilize this response to guess and learn valid recipient addresses.

    To prevent this, enable Enable sender reputation in session profiles (located in Profile > Session > Session). Sender reputation weighs each SMTP client’s IP address and assigns them a score. If the SMTP client sends several email messages to unknown recipients, the sender’s reputation score is increased significantly. When the sender reputation score exceeds the threshold, the SMTP client’s SMTP sessions are terminated at connection level.
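The following is an added illustration of the two-stage defence described above (recipient verification answering User Unknown, sender reputation turning repeated unknown-recipient probes into a connection-level block); it is not FortiMail's code, and the recipient directory, the client IPs, the penalty weights and the threshold are all constructed or hypothetical, since the page documents the behaviour but not the unit's actual scoring values.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed recipient directory: what the protected mail server answers
# during recipient verification.
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com", "postmaster@example.com"}
# Hypothetical weights; the page gives the behaviour, not FortiMail's numbers.
UNKNOWN_RCPT_PENALTY = 30   # "increased significantly"
KNOWN_RCPT_PENALTY = 1
REJECT_THRESHOLD = 100

@dataclass
class SenderReputation:
    scores: dict = field(default_factory=lambda: defaultdict(int))
    blocked: set = field(default_factory=set)

    def connect(self, client_ip):
        """Connection-level check: a client over threshold never reaches RCPT TO."""
        return client_ip not in self.blocked

    def rcpt_to(self, client_ip, recipient):
        """Recipient verification plus score update; returns the SMTP reply code."""
        if recipient in VALID_RECIPIENTS:
            self.scores[client_ip] += KNOWN_RCPT_PENALTY
            reply = 250
        else:
            self.scores[client_ip] += UNKNOWN_RCPT_PENALTY
            reply = 550  # User unknown: exactly the answer a harvester probes for
        if self.scores[client_ip] > REJECT_THRESHOLD:
            self.blocked.add(client_ip)
        return reply

# Constructed traffic, each tuple modelled as its own SMTP session:
# 203.0.113.5 walks a name dictionary, 198.51.100.7 is a normal sender with a typo.
SAMPLE_EVENTS = [
    ("203.0.113.5", "aaron@example.com"), ("198.51.100.7", "alice@example.com"),
    ("203.0.113.5", "abby@example.com"), ("203.0.113.5", "adam@example.com"),
    ("198.51.100.7", "bobb@example.com"), ("203.0.113.5", "alice@example.com"),
    ("203.0.113.5", "alan@example.com"), ("203.0.113.5", "amy@example.com"),
]

def simulate(events):
    """Replay events; returns per-event outcomes and the final reputation state."""
    rep = SenderReputation()
    outcomes = []
    for ip, rcpt in events:
        if not rep.connect(ip):
            outcomes.append((ip, rcpt, "connection refused"))
        else:
            outcomes.append((ip, rcpt, rep.rcpt_to(ip, rcpt)))
    return outcomes, rep
```

A real implementation also decays scores over a time window so that a legitimate sender with occasional typos never accumulates enough to be blocked.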

  • To prevent delivery status notification (DSN) spam, enable bounce verification.

    Spammers may sometimes use the DSN mechanism to bypass antispam measures. In this attack, sometimes called “backscatter”, the spammer spoofs the email address of a legitimate sender and intentionally sends spam to an undeliverable recipient, expecting that recipients' email servers will send a DSN back to senders to notify them of the delivery failure. Because this attack utilizes innocent email servers and a standard notification mechanism, many antispam mechanisms may be unable to detect the difference between legitimate and spoofed DSN.

    To prevent this, enable bounce address tagging and verification (located in Security > Bounce Verification > Setting) and configure it with an active key. In addition, disable both the Bypass bounce verification option (located in Domain & User > Domain > Domain) and the Bypass bounce verification check option (located in Profile > Session > Session). It is also recommended to select Use antispam profile settings for the Bounce verification action option (located in Security > Bounce Verification > Setting). Finally, verify that all email, both incoming and outgoing, is routed through the FortiMail unit. The FortiMail unit cannot tag email, or recognize legitimate DSN for previously sent email, if all email does not pass through it.
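As an added example (not FortiMail's implementation), this shows the principle behind bounce address tagging and verification in a simplified BATV-style form: the outgoing MAIL FROM is rewritten with a keyed, dated tag, and an incoming DSN is accepted only if its recipient carries a tag that was made with the active key and has not expired. The key, the tag layout (3-digit day plus 6 hex characters of an HMAC) and the 7-day lifetime are assumptions for the example.

```python
import hashlib
import hmac
import time

# Constructed key; stands in for the "active key" configured on the unit.
ACTIVE_KEY = b"constructed-active-key-rotate-periodically"
TAG_LIFETIME_DAYS = 7   # how long a tagged address stays valid for bounces

def _day(now):
    """Day counter modulo 1000, as carried in the tag (now=None means wall clock)."""
    return int((time.time() if now is None else now) // 86400) % 1000

def _mac(key, day, address):
    """Short keyed hash binding the day and the original sender address."""
    return hmac.new(key, f"{day:03d}{address}".encode(), hashlib.sha256).hexdigest()[:6]

def tag_sender(address, key=ACTIVE_KEY, now=None):
    """Rewrite the outgoing MAIL FROM: user@domain -> prvs=<day><mac>=user@domain."""
    day = _day(now)
    return f"prvs={day:03d}{_mac(key, day, address)}={address}"

def verify_bounce_recipient(rcpt, key=ACTIVE_KEY, now=None):
    """Decide whether a null-sender (DSN) message may be delivered to rcpt.
    Returns (accept, reason-or-original-address)."""
    if not rcpt.startswith("prvs="):
        return False, "untagged: nothing we sent could have bounced here"
    try:
        tag, original = rcpt[len("prvs="):].split("=", 1)
        day, mac = int(tag[:3]), tag[3:]
    except ValueError:
        return False, "malformed tag"
    if (_day(now) - day) % 1000 > TAG_LIFETIME_DAYS:
        return False, "tag expired"
    if not hmac.compare_digest(_mac(key, day, original), mac):
        return False, "bad signature: forged tag, altered address or wrong key"
    return True, original
```

A legitimate DSN for mail that left the network without passing through the tagging host arrives untagged and is rejected just like backscatter, which is why all outgoing mail must be routed through the unit.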
