Concepts And Flow

FortiMail antispam techniques

The following table highlights some of the FortiMail antispam techniques. For information about how these techniques are executed, see “Order of execution” on page 16.

Table 1: FortiMail antispam technique highlights

Forged IP scanning: See “Forged IP” on page 505.
Greylist scanning: See “Configuring greylisting” on page 624.
DNSBL scanning: In addition to supporting Fortinet’s FortiGuard Antispam DNSBL service, the FortiMail unit supports third-party DNS Blacklist servers. See “Configuring DNSBL options” on page 507.
SURBL scanning: In addition to supporting Fortinet’s FortiGuard Antispam SURBL service, the FortiMail unit supports third-party Spam URI Realtime Block List servers. See “Configuring SURBL options” on page 509.
Deep header scanning: See “Configuring deep header options” on page 508.
Bayesian scanning: See “Training the Bayesian databases” on page 645.
Heuristic scanning: See “Configuring heuristic options” on page 511.
Image spam scanning: See “Configuring image spam options” on page 514.
PDF scanning: See “Configuring scan conditions” on page 515.
Black/white lists:
  • For information on global black/white lists, see “Configuring the global black list and white list” on page 616.
  • For information on domain-wide black/white lists, see “Configuring the per-domain black lists and white lists” on page 618.
  • For information on personal black/white lists, see “Configuring the personal black lists and white lists” on page 620.
  • For information on session black/white lists, see “Click the arrow to expand Lists.” on page 499.
Banned word scanning: See “Configuring banned word options” on page 512.
White list word scanning: See “Configuring whitelist word options” on page 513.
Sender reputation: See “Viewing the sender reputation statuses” on page 197.

FortiGuard Antispam service

The FortiGuard Antispam service is a Fortinet-managed service that provides a three-element approach to screening email messages.

  • The first element is a DNS Black List (DNSBL), a “living” list of known spam origins that is checked against the connecting server before any message data is accepted.
  • The second element is in-depth email screening based on the Uniform Resource Identifiers (URIs) contained in the message body, commonly known as a Spam URI Realtime Block List (SURBL).
  • The third element is the FortiGuard Antispam Spam Checksum Blocklist (SHASH) feature. Using SHASH, the FortiMail unit sends a hash of the email to the FortiGuard Antispam server, which compares it against the hashes of known spam messages stored in the FortiGuard Antispam database. If the hashes match, the email is flagged as spam.

FortiGuard query results can be cached in memory to save network bandwidth. For information on configuring caching and other FortiGuard Antispam services, see “Configuring FortiGuard updates and antispam queries” on page 233.

FortiGuard Antispam DNSBL

To achieve up-to-date real-time identification, the FortiGuard Antispam service uses globally distributed spam probes that receive over one million spam messages per day. The FortiGuard Antispam service uses multiple layers of identification processes to produce an up-to-date list of spam origins. To further enhance the service and streamline performance, the FortiGuard Antispam service continuously retests each of the “known” identities in the list to determine the state of the origin (active or inactive). If a known spam origin has been decommissioned, the FortiGuard Antispam service removes the origin from the list, thus providing customers with both accuracy and performance.

The FortiMail FortiGuard Antispam DNSBL scanning process works this way:

  1. Incoming email (SMTP) connections are directed to the FortiMail unit.
  2. Upon receiving the inbound SMTP connection request, the FortiMail unit extracts the source information (the sending server’s domain name and IP address).
  3. The FortiMail unit transmits the extracted source information to Fortinet’s FortiGuard Antispam service using a secure communication method.
  4. The FortiGuard Antispam service checks the sender’s source information against its DNSBL database of known spam sources and sends the results back to the FortiMail unit.
  5. The results are cached on the FortiMail unit.
    • If the results identify the source as a known spam source, the FortiMail unit acts according to its configured policy.
    • Additional connection attempts from the same source are checked against the cache first. Because the classification is stored in the system cache, the FortiMail unit does not need to contact the FortiGuard Antispam service again for a source whose result is still cached.

Once the incoming connection has passed the first-pass scan (DNSBL) without being classified as spam, it goes through the second-pass scan (SURBL) if the administrator has enabled that service.

FortiGuard Antispam SURBL

To detect spam based on the message body URIs (usually web sites), Fortinet uses FortiGuard Antispam SURBL technology. Complementing the DNSBL component, which blocks messages based on spam origin, SURBL technology blocks messages that have spam hosts mentioned in message bodies. By scanning the message body, SURBL is able to determine if the message is a known spam message regardless of origin. This augments the DNSBL technology by detecting spam messages from a spam source that may be dynamic, or a spam source that is yet unknown to the DNSBL service. The combination of both technologies provides a superior managed service with higher detection rates than traditional DNSBLs or SURBLs alone.

The FortiMail FortiGuard Antispam SURBL scanning process works this way:

  1. After the incoming SMTP connection has passed the first-pass (DNSBL) scan, the FortiMail unit accepts delivery of the email message.
  2. The FortiMail unit generates a signature from the URIs contained in the body of the received message.
  3. The FortiMail unit transmits the signature to the FortiGuard Antispam service.
  4. The FortiGuard Antispam service checks the signature against its SURBL database of known signatures and sends the results back to the FortiMail unit.
  5. The results are cached on the FortiMail unit.
    • If the results identify the signature as known spam content, the FortiMail unit acts according to its configured policy.
    • Additional messages carrying the same signature are checked against the cache first. Because the signature classification is stored in the system cache, they do not need to be submitted to the FortiGuard Antispam service again.

Once the message has passed both elements (DNSBL and SURBL), it goes to the next layer of defense: the FortiMail unit’s own local antispam techniques listed in Table 1 (greylisting, deep header, Bayesian, heuristic and the other scans).
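The two-pass flow described above (DNSBL on the connecting IP before message data is accepted, SURBL on body URIs after delivery, then a checksum check, with every verdict cached on the box) can be modelled end to end in a few dozen lines. The following is an added example written for this page, not FortiMail or FortiGuard code: the zone names, the listed IP and domain, the sample messages and the in-memory stub resolver are all constructed, and real FortiGuard queries use Fortinet’s own protocol and database rather than the public RFC 5782 reversed-octet DNS form shown here. The SHA-256 body checksum in the third pass is likewise an assumption standing in for the unspecified SHASH algorithm.

```python
"""Model of FortiMail-style two-pass DNSBL -> SURBL -> checksum scanning with a result cache.

Constructed example: zone names, listed entries and messages are fake, and all
lookups go to an in-memory stub resolver instead of real DNS or FortiGuard.
"""
import hashlib
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlparse

# Hypothetical zone names; the real FortiGuard query format is not public.
DNSBL_ZONE = "dnsbl.example.invalid"
SURBL_ZONE = "surbl.example.invalid"

# Constructed "known bad" data standing in for the FortiGuard database.
LISTED_IPS = {"198.51.100.23"}
LISTED_DOMAINS = {"cheap-pills.example"}

URI_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def dnsbl_query_name(ip: str) -> str:
    """RFC 5782 form: octets reversed under the zone, e.g. 23.100.51.198.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + DNSBL_ZONE


def base_domain(host: str) -> str:
    """Collapse a hostname to its last two labels. Real SURBLs consult a
    public-suffix list; two labels is a deliberate simplification."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def surbl_query_names(body: str) -> set:
    """Every URI host in the body, reduced to a base domain under the SURBL zone."""
    names = set()
    for uri in URI_RE.findall(body):
        host = urlparse(uri).hostname
        if host:
            names.add(base_domain(host) + "." + SURBL_ZONE)
    return names


def body_digest(body: str) -> str:
    """Assumed SHASH stand-in: SHA-256 over the whitespace-trimmed body."""
    return hashlib.sha256(body.strip().encode("utf-8")).hexdigest()


KNOWN_SPAM_HASHES = {body_digest("Congratulations, you have won. Reply to claim.")}


def stub_resolve(name: str):
    """Stand-in for DNS: a 127.0.0.x answer if listed, None for NXDOMAIN."""
    if name.endswith("." + DNSBL_ZONE):
        ip = ".".join(reversed(name[: -len(DNSBL_ZONE) - 1].split(".")))
        return "127.0.0.2" if ip in LISTED_IPS else None
    if name.endswith("." + SURBL_ZONE):
        return "127.0.0.2" if name[: -len(SURBL_ZONE) - 1] in LISTED_DOMAINS else None
    return None


class Scanner:
    def __init__(self, resolve=stub_resolve):
        self.resolve = resolve
        self.cache = {}    # query name -> listed?  (models the on-box result cache)
        self.queries = 0   # lookups actually sent to the "service"

    def listed(self, name: str) -> bool:
        if name not in self.cache:            # only unseen names leave the box
            self.queries += 1
            self.cache[name] = self.resolve(name) is not None
        return self.cache[name]

    def scan(self, client_ip: str, raw_message: str) -> str:
        # Pass 1: DNSBL on the connecting IP, decided before message data is taken.
        if self.listed(dnsbl_query_name(client_ip)):
            return "reject:dnsbl"
        body = message_from_string(raw_message).get_payload()   # single-part only
        # Pass 2: SURBL on the URIs in the accepted body.
        for name in surbl_query_names(body):
            if self.listed(name):
                return "reject:surbl"
        # Pass 3: checksum of the body against known spam hashes.
        if body_digest(body) in KNOWN_SPAM_HASHES:
            return "reject:shash"
        return "accept"


# Constructed sample messages.
SPAM_MSG = "From: promo@cheap-pills.example\nTo: alice@example.com\nSubject: deal\n\nBuy now at http://www.cheap-pills.example/order?id=42\n"
HAM_MSG = "From: bob@example.net\nTo: alice@example.com\nSubject: lunch\n\nMenu at https://deli.example.net/today\n"
SHASH_MSG = "From: lucky@example.org\nTo: alice@example.com\nSubject: winner\n\nCongratulations, you have won. Reply to claim.\n"


def demo():
    s = Scanner()
    r1 = s.scan("198.51.100.23", HAM_MSG)   # listed IP: stopped at pass 1, body never scanned
    r2 = s.scan("203.0.113.7", SPAM_MSG)    # clean IP, listed URI: stopped at pass 2
    r3 = s.scan("203.0.113.7", SPAM_MSG)    # same source and URI: answered from cache
    r4 = s.scan("203.0.113.7", HAM_MSG)     # clean on all passes
    r5 = s.scan("203.0.113.7", SHASH_MSG)   # no URI, but body hash is known spam
    return (r1, r2, r3, r4, r5, s.queries)


if __name__ == "__main__":
    print(demo())
```

The query counter is the point to watch: the third scan sends nothing, because both its DNSBL and SURBL names were cached by the second, which is the bandwidth saving the guide attributes to the cache. Two caveats for anyone adapting this against a real list: a listed answer is conventionally in 127.0.0.0/8 and the specific last octet encodes the listing reason, so check the returned address rather than just “got an answer”; and collapsing hosts to two labels will mis-group domains under multi-label public suffixes, which is why production SURBL clients use a public-suffix list.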

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
