FortiGate Email Filtering
Course 201 – Administration, Content Inspection and SSL VPN
Document 01-4310-0201-RTOL-20110729
Module Objectives

By the end of this module participants will be able to:
- Identify the email filtering methods used on the FortiGate device
- Configure banned word, IP address and email address filters
- Define firewall policies using email filter profiles
- Identify the differences between the email filtering capabilities of the FortiGate and FortiMail units
Email Filtering

The FortiGate unit can detect and manage spam email. Email filtering can be configured to manage unsolicited bulk email, to detect spam messages and to identify transmissions from known or suspected spam servers.

Judging an email message as spam is subjective. FortiGuard defines spam as unsolicited bulk email: the recipient has not granted verifiable permission for the message to be sent, and the sender has no discernible relationship with the recipient. An email message can be considered spam if the recipient's personal identity and context are irrelevant because the message is equally applicable to many other potential recipients, or if the recipient has not granted deliberate or explicit permission for it to be sent.

FortiGuard uses spam probes located around the world to attract spam email. This information is used to continually update lists of spammers and improve spam detection rates.
Spam Actions

If the FortiGate unit determines a message to be spam it can perform one of the following actions:
- Tag: a custom phrase or word is added to the subject line (for example "Subject: Free Stuff" becomes "Subject: [SPAM] Free Stuff"), or a MIME header and value is added to the message headers. To affix the tag to the subject line, the FortiGate unit converts the entire subject line, including the tag, to UTF-8. This improves the display for some email clients that cannot properly display subject lines that use more than one encoding.
- Discard: the connection is dropped immediately when spam is detected.

For SMTP, if virus scanning is enabled, spam email can only be discarded; there is no option for tagging.
Email Filtering Methods

The FortiGate unit uses a number of techniques to help detect spam. Some use the FortiGuard Antispam service and require a subscription; others use DNS servers or filters created on the device.
FortiGuard IP Address Check

Example header:
Received: from mail.acme.com (10.10.10.1) by classroom.fortinet.com with SMTP; 30 Sept 2010 02:27:02 -0000

The FortiGate unit queries the FortiGuard Antispam service to determine whether the source IP address of the client delivering the email (the address shown in the Received header above) is blacklisted. A match causes the FortiGate unit to treat the delivered message as spam. This check queries the FortiGuard FortiIP sender IP reputation database.

Only the Received header written by your own receiving mail server can be trusted; earlier Received lines are supplied by the sender and can be forged, so the address that matters is the one of the client that actually connected.
FortiGuard URL and Email Address Check

Example body text:
Visit our web site at www.acme.com to learn more about this great offer or send an email to deals@acme.com.

The FortiGate unit queries the FortiGuard Antispam service to determine whether any URLs or email addresses in the message body are associated with spam, for example URL links to advertisements, also known as spamvertisements. The check queries the FortiGuard FortiSig2 spam signature database for email addresses and the FortiSig1 spam signature database for URLs. The URLs in the message body are verified against an up-to-date list of spam sources.
FortiGuard Email Checksum Check

Example body text:
Our online pharmacy offers great prices on all your prescription medications.

The FortiGate unit computes a hash of the email message and sends it to the FortiGuard Antispam service, which compares the hash to the hashes of known spam messages stored in the FortiGuard Antispam database. This check queries the FortiGuard FortiSig3 spam signature database of email spam object checksums.
IP Address Black/White List (BWL)

Example header:
Received: from mail.acme.com (10.10.10.1) by classroom.fortinet.com with SMTP; 30 Sept 2010 02:27:02 -0000

When performing an IP address check, the FortiGate unit compares the IP address of the sender to the entries of the IP Address Black/White list selected in the email filter profile, in sequence:
- If a match is found, the action associated with the IP address is taken.
- If no match is found, the message is passed to the next enabled spam filter.

Multiple IP Address Black/White lists can be created on the FortiGate unit; the appropriate list is selected in the email filter profile, and an administrator can add or edit the addresses and configure the action to take. Each entry can be assigned one of the following actions:
- Mark as Clear: messages from clients with matching IP addresses are allowed, bypassing further email filtering.
- Mark as Reject: messages from clients with matching IP addresses are rejected, and the FortiGate unit returns a reject message to the client (the sender of the email). Mark as Reject only applies to mail delivered by SMTP; if it is used with POP3 or IMAP mail, the action taken is Mark as Spam.
- Mark as Spam: messages from matching IP addresses are treated as spam, subject to the action configured in the email filter profile.

Because the list is evaluated in sequence and the first match wins, entry order matters: a broad Mark as Clear entry placed before a narrower Mark as Spam entry allows everything in the broad range through and skips every later check.
Email Address Black/White List (BWL)

Example header:
From: bsmith@acme.com

When performing an email address check, the FortiGate unit compares the sender's email address (the reply-to address) to the entries of the Email Address Black/White list selected in the email filter profile, in sequence:
- If a match is found, the action associated with the email address is taken.
- If no match is found, the message is passed to the next enabled spam filter.

Multiple Email Address Black/White lists can be created on the FortiGate unit; the appropriate list is selected in the email filter profile, and an administrator can add or edit the addresses and configure the action to take. Each entry can be assigned one of the following actions:
- Mark as Clear: messages with matching reply-to email addresses are allowed, bypassing further email filtering.
- Mark as Spam: messages with matching reply-to email addresses are treated as spam, subject to the action configured in the email filter profile.

Wildcards and regular expressions can be used to define the email address: when entering a pattern in the E-mail Address field, select whether it is a Wild Card or a Regular Expression pattern. The sender address is supplied by the sender and is trivially forged, so Mark as Clear entries in this list should be used sparingly; a match bypasses every later check.
HELO DNS Lookup (SMTP only)

Example header:
Received: from mail.acme.com (10.10.10.1) by classroom.fortinet.com with SMTP; 30 Sept 2010 02:27:02 -0000

The FortiGate unit takes the domain name specified by the client in the HELO greeting sent when starting the SMTP session and performs a DNS lookup to determine whether the domain exists. If the lookup fails, the FortiGate unit treats any messages delivered during that SMTP session as spam. The logic of this check is that if a domain is capable of sending mail, it should be capable of receiving mail routed by DNS records. The check applies to SMTP only, because only an SMTP session carries a HELO greeting; POP3 and IMAP retrievals have none.
Return Email DNS Check

Example header:
From: bsmith@acme.com

The FortiGate unit performs a DNS lookup on the domain of the reply-to address to see whether an A or MX record exists for it. If no such record exists, the message is treated as spam.
Banned Word Check

Example message:
Let us fill all your prescription drugs. Visit our online pharmacy for great prices on prescription medications. We offer the widest selection of popular drugs.

Banned word list: Drugs (score 10), Pharmacy (score 5), Prescription (score 5); threshold 18. The message matches all three words, so the total is 10 + 5 + 5 = 20. This exceeds the threshold, and the message is marked as spam.

Spam can be controlled by blocking email messages that contain specific words or patterns. If enabled in the email filter profile, the FortiGate unit searches email messages for the banned words or patterns. If matches are found, the scores assigned to the matching words are totalled, and if the total exceeds the defined threshold the message is marked as spam. When determining the total, the score for each word is added only once no matter how many times the word appears in the message (in the example, "prescription" and "drugs" each appear twice but are counted once). The score is set when a new pattern is created. If no matches are found, the email is passed along.

Banned word lists can use Perl regular expressions or wildcards. A banned word can be a single word or a phrase up to 127 characters long. For a single word, the FortiGate unit blocks all email containing the word; for a phrase, it blocks all email containing the exact phrase. To block any one word of a phrase, use a Perl regular expression.
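The scoring rule above (each pattern counted once, total compared against a threshold, wildcard or regex patterns), worked through on the slide's own message. This is an added example, not code from the course or from Fortinet; the wildcard-to-regex conversion, the extra phrase and regex entries, and the clean sample message are assumptions introduced here.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class BannedWord:
    pattern: str            # word, phrase (up to 127 chars), wildcard or Perl-style regex
    score: int              # assigned when the pattern is created
    kind: str = "wildcard"  # "wildcard" or "regex"

    def regex(self) -> str:
        if self.kind == "regex":
            return self.pattern
        # Wildcard (assumed semantics): '*' is any run of characters, '?' any
        # single character; everything else, including '.', is literal.
        return re.escape(self.pattern).replace(r"\*", ".*").replace(r"\?", ".")


def banned_word_score(text: str, words: list[BannedWord]) -> tuple[int, list[str]]:
    """Total the scores of the patterns present in text.

    re.search rather than findall: a pattern contributes its score once,
    however many times it occurs in the message.
    """
    total, hits = 0, []
    for w in words:
        if re.search(w.regex(), text, re.IGNORECASE):
            total += w.score
            hits.append(w.pattern)
    return total, hits


def is_spam(text: str, words: list[BannedWord], threshold: int) -> bool:
    """Spam when the total exceeds the threshold (20 > 18 on the slide)."""
    return banned_word_score(text, words)[0] > threshold


# The slide's list: three single words, each matching anywhere in the text.
BANNED_WORDS = [BannedWord("Drugs", 10), BannedWord("Pharmacy", 5), BannedWord("Prescription", 5)]

# Added entries showing the other pattern types: a phrase matches only as the
# exact phrase, while a regex can match any one of several words.
EXTRA = [BannedWord("great prices", 3), BannedWord(r"\b(cheap|discount)\b", 4, "regex")]

# Constructed sample text: the slide's message and a legitimate one that
# mentions a banned word but stays under the threshold.
SAMPLE_SPAM = ("Let us fill all your prescription drugs. Visit our online pharmacy for "
               "great prices on prescription medications. We offer the widest selection "
               "of popular drugs.")
SAMPLE_CLEAN = "Please find the minutes of the prescription-renewal process meeting attached."

if __name__ == "__main__":
    print(banned_word_score(SAMPLE_SPAM, BANNED_WORDS))     # (20, ['Drugs', 'Pharmacy', 'Prescription'])
    print(is_spam(SAMPLE_SPAM, BANNED_WORDS, 18), is_spam(SAMPLE_CLEAN, BANNED_WORDS, 18))
    print(banned_word_score("Great prices on cheap stuff", EXTRA))
    print(banned_word_score("ref: drug-store", [BannedWord("drug*", 2)]))
```

Note that single-word entries match inside longer words ("prescription-renewal" scores for "Prescription"), which is why the threshold, not any single word, decides the verdict.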
MIME Headers Check

Example header list:
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Distribution: Bulk

Configured entry: X-Distribution=Bulk, with the action Mark as Spam (or Mark as Clear).

The FortiGate unit can check the MIME headers of incoming email messages against a preconfigured spam MIME header list. Each list entry is a header key and value; if a message header matches an entry, the corresponding action (Mark as Spam or Mark as Clear) is taken.

This check is configured through the CLI only. The header list is defined with:

    config spamfilter mheader

and the check is enabled per protocol in the email filter profile:

    config spamfilter profile
        edit <profile_name>
            config <protocol>          (smtp, pop3 or imap)
                set options spamhdrcheck
            end
        next
    end
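The sequential list checks described above (IP address list, email address list, MIME header list) and the spam actions from the start of the module, run as one chain over constructed messages. This is an added example, not code from the course or from Fortinet: the order of the checks, the "Header-Name=value" entry format, the use of the topmost Received header as the client address, and the sample profile and messages are all assumptions made here.

```python
from __future__ import annotations

import email
import fnmatch
import re
from dataclasses import dataclass, field, replace
from email.message import Message
from ipaddress import ip_address, ip_network

CLEAR, SPAM, REJECT = "clear", "spam", "reject"   # the page's Mark as Clear/Spam/Reject


@dataclass
class Entry:
    """List entry: key is a CIDR (IP list), a sender pattern (email list) or
    "Header-Name=value-pattern" (MIME header list; a format assumed here)."""
    key: str
    action: str
    kind: str = "wildcard"   # or "regex"


@dataclass
class Profile:
    """Hypothetical email filter profile: one list per check, the spam action,
    and the antivirus flag that forces Discard for SMTP."""
    ip_list: list[Entry] = field(default_factory=list)
    addr_list: list[Entry] = field(default_factory=list)
    header_list: list[Entry] = field(default_factory=list)
    action: str = "tag"      # "tag" or "discard"
    tag: str = "[SPAM]"
    antivirus: bool = False


def matches(pattern: str, kind: str, text: str) -> bool:
    if kind == "regex":
        return re.search(pattern, text, re.IGNORECASE) is not None
    return fnmatch.fnmatchcase(text.lower(), pattern.lower())


def client_ip(msg: Message) -> str:
    """IP from the topmost Received header, as on the slide. Only the Received
    line written by your own MTA is trustworthy; a device inspecting a live
    SMTP session uses the connecting client's address instead."""
    return re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", msg.get("Received", "")).group(1)


def sender_address(msg: Message) -> str:
    found = re.search(r"[\w.+-]+@[\w.-]+", msg.get("Reply-To") or msg.get("From", ""))
    return found.group(0) if found else ""


def ip_check(ip: str, entries: list[Entry], protocol: str) -> str | None:
    for e in entries:                                   # in sequence, first match wins
        if ip_address(ip) in ip_network(e.key, strict=False):
            # Mark as Reject exists for SMTP only; POP3/IMAP fall back to Mark as Spam
            return SPAM if e.action == REJECT and protocol != "smtp" else e.action
    return None


def addr_check(addr: str, entries: list[Entry]) -> str | None:
    return next((e.action for e in entries if matches(e.key, e.kind, addr)), None)


def header_check(msg: Message, entries: list[Entry]) -> str | None:
    for e in entries:
        name, pattern = e.key.split("=", 1)
        if any(matches(pattern, e.kind, v.strip()) for v in msg.get_all(name, [])):
            return e.action
    return None


def filter_message(raw: bytes, protocol: str, p: Profile) -> tuple[str, str, str | None]:
    """Run the checks in sequence; return (disposition, deciding check, subject).
    disposition: "pass", "reject", "discard" or "tag". A Clear match ends
    filtering exactly as a Spam match does, so list order matters."""
    msg = email.message_from_bytes(raw)
    subject = msg.get("Subject", "")
    checks = (("ip-bwl", lambda: ip_check(client_ip(msg), p.ip_list, protocol)),
              ("email-bwl", lambda: addr_check(sender_address(msg), p.addr_list)),
              ("mime-header", lambda: header_check(msg, p.header_list)))
    for name, check in checks:
        verdict = check()
        if verdict == CLEAR:
            return "pass", name, subject
        if verdict == REJECT:
            return "reject", name, None
        if verdict == SPAM:
            if p.action == "discard" or (protocol == "smtp" and p.antivirus):
                return "discard", name, None              # SMTP with AV: no Tag option
            return "tag", name, f"{p.tag} {subject}"
    return "pass", "no-match", subject


def sample(ip: str, sender: str) -> bytes:
    """Constructed message modelled on the slide's headers (not real traffic)."""
    return (f"Received: from mail.acme.com ({ip}) by classroom.fortinet.com with SMTP;"
            f" 30 Sept 2010 02:27:02 -0000\r\nFrom: {sender}\r\nSubject: Free Stuff\r\n"
            f"X-Distribution: Bulk\r\n\r\nHi\r\n").encode()


PROFILE = Profile(ip_list=[Entry("192.0.2.0/24", CLEAR), Entry("10.10.10.0/24", REJECT)],
                  addr_list=[Entry("*@acme.com", SPAM)],
                  header_list=[Entry("X-Distribution=Bulk", SPAM)])
AV_PROFILE = replace(PROFILE, antivirus=True)

if __name__ == "__main__":
    print(filter_message(sample("10.10.10.1", "bsmith@acme.com"), "smtp", PROFILE))   # reject at ip-bwl
    print(filter_message(sample("10.10.10.1", "bsmith@acme.com"), "pop3", PROFILE))   # tag: Reject becomes Spam
    print(filter_message(sample("192.0.2.5", "bsmith@acme.com"), "smtp", PROFILE))    # pass: Clear skips later checks
    print(filter_message(sample("203.0.113.7", "news@partner.example"), "smtp", AV_PROFILE))  # discard
```

The third call is the case to watch in a real deployment: the message carries the X-Distribution: Bulk header that the MIME header list would catch, but the Mark as Clear IP entry matched first and ended filtering.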
DNSBL and ORDBL Check

Example header:
Received: from mail.acme.com (10.10.10.1) by classroom.fortinet.com with SMTP; 30 Sept 2010 02:27:02 -0000

The FortiGate unit can check email traffic against third-party DNS blackhole lists (DNSBL) and open relay database lists (ORDBL). It compares the IP address or domain name of the sender to any lists configured, matching the IP addresses or domain names of known spammers.

This check is configured through the CLI only:

    config spamfilter dnsbl
    config spamfilter ordbl
FortiGuard Email Filtering Options

Example cache entries: IP address 10.10.10.1; URL www.acme.com; message checksum x65Fsd34c.

Caching is available and is strongly recommended, as it improves performance by reducing the number of requests the FortiGate unit sends to the FortiGuard servers. The cache settings apply to both email filtering and web filtering. The cache uses a small percentage of the FortiGate unit's system memory; when the cache is full, the least recently used item is deleted. A Time to Live (TTL) setting controls the number of seconds that email filtering query results are kept in the cache before the server is contacted again.

FortiGuard services are reached over port 53; an alternate port, 8888, can be configured. Use Test Availability to verify that the FortiGuard services are reachable through either the default port or the alternate port.
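The cache behaviour described above (results expire after a TTL, the least recently used entry is evicted when the cache is full), modelled as an added example; this is not Fortinet code and the real device's cache implementation is not documented here. The lookup function stands in for a FortiGuard query and returns constructed verdicts, and the clock is injectable so expiry can be shown without waiting.

```python
from __future__ import annotations

import time
from collections import OrderedDict
from typing import Callable


class QueryCache:
    """TTL-bounded LRU cache in front of a slow lookup (the FortiGuard query)."""

    def __init__(self, lookup: Callable[[str], str], capacity: int, ttl: float,
                 clock: Callable[[], float] = time.monotonic):
        self.lookup, self.capacity, self.ttl, self.clock = lookup, capacity, ttl, clock
        self.store: OrderedDict[str, tuple[str, float]] = OrderedDict()
        self.queries = 0   # how many times the slow lookup actually ran

    def get(self, key: str) -> str:
        now = self.clock()
        hit = self.store.get(key)
        if hit is not None:
            value, expires = hit
            if now < expires:
                self.store.move_to_end(key)      # touched: now the most recently used
                return value
            del self.store[key]                  # TTL elapsed: ask the server again
        value = self.lookup(key)
        self.queries += 1
        self.store[key] = (value, now + self.ttl)
        if len(self.store) > self.capacity:
            self.store.popitem(last=False)       # full: drop the least recently used
        return value


def demo() -> tuple[int, int, int]:
    """Returns the number of real queries after each phase: repeats, eviction, expiry."""
    now = [0.0]
    # Constructed verdicts keyed by the slide's example cache entries.
    verdicts = {"10.10.10.1": "blacklisted", "www.acme.com": "spam-url", "x65Fsd34c": "clean"}
    cache = QueryCache(verdicts.__getitem__, capacity=2, ttl=30, clock=lambda: now[0])
    for _ in range(3):
        cache.get("10.10.10.1")                  # one query, then two cache hits
    after_repeat = cache.queries
    cache.get("www.acme.com")
    cache.get("x65Fsd34c")                       # third entry: the IP entry (LRU) is evicted
    cache.get("10.10.10.1")                      # so this misses again
    after_evict = cache.queries
    now[0] += 31                                 # advance past the 30 s TTL
    cache.get("10.10.10.1")                      # expired: one more query
    after_ttl = cache.queries
    return after_repeat, after_evict, after_ttl


if __name__ == "__main__":
    print(demo())   # (1, 4, 5)
```

Sizing matters: a capacity too small for the working set of sender IPs and URLs turns the cache into a pass-through, as the eviction phase shows, while a long TTL delays picking up a newly listed sender.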
Email Filter Profile

Email filtering operations are applied to traffic through email filter profiles (for example a profile named Class_Email_Filter). The filtering operations are enabled on a protocol-by-protocol basis (SMTP, POP3, IMAP) within the profile. The profile is in turn applied to a firewall policy, and any traffic matching that policy has the email filter operations applied to it.
FortiMail Email Filtering

The FortiMail unit provides an enhanced set of features for detecting and blocking spam compared to the FortiGate unit, including techniques not available on the FortiGate unit:
- Forged IP scanning
- Graylist scanning
- Bayesian scanning
- Heuristics scanning
- Image spam scanning
- PDF scanning
- Dictionary scanning

The FortiMail unit can be configured as a stand-alone email filtering system, or as a second layer of protection in addition to the FortiGate unit. It also provides virus protection and an email quarantine, in which entire email messages can be held. The FortiMail unit can also be configured to provide full messaging server functionality.