Excluding senders from bounce verification
If you do not want to verify bounce verification tags from certain senders, you can do so by adding the sender host names to the exempt list.
To configure the tagging exempt list
- Go to AntiSpam > Bounce Verification > Verification Exempt List.
- Click New.
- Add the host name. FortiMail will use reverse DNS to resolve the client’s IP address into host name. You can use wildcard to include all hosts within a domain, for instance, *.example.com.
- Click Create.
Configuring endpoint reputation
Go to AntiSpam > Endpoint Reputation to manually blacklist carrier end points, to exempt them from automatic blacklisting due to their reputation score, and to view the list of automatically blacklisted carrier end points.
This section contains the following topics:
- About endpoint reputation
- Manually blacklisting endpoints
- Exempting endpoints from endpoint reputation
- Configuring the endpoint reputation score window
- Viewing the endpoint reputation statuses
About endpoint reputation
A carrier end point is any device on the periphery of a carrier’s or Internet service provider’s (ISP) network. It could be, for example, a subscriber’s GSM cellular phone, wireless PDA, or computer using DSL service.
Figure 283:Carrier end points
Unlike MTAs, computers in homes and small offices and mobile devices such as laptops and cellular phones that send email may not have a static IP address. Cellular phones’ IP addresses especially may change very frequently. After a device leaves the network or changes its IP address, its dynamic IP address may be reused by another device. Because of this, a sender reputation score that is directly associated with an SMTP client’s IP address may not function well. A device sending spam could start again with a clean sender reputation score simply by rejoining the network to get another IP address, and an innocent device could be accidentally blacklisted when it receives an IP address that was previously used by a spammer.
To control spam from SMTP clients with dynamic IP addresses, you can use the endpoint reputation score method instead.
The endpoint reputation score method does not directly use the IP address as the SMTP client’s unique identifier. Instead, it uses the subscriber ID, login ID, MSISDN, or other identifier. (An MSISDN is the number associated with a mobile device, such as a SIM card on a cellular phone network.) The IP address is only temporarily associated with this identifier while the device is joined to the network.
When a device joins the network of its service provider, such as a cellular phone carrier or DSL provider, it may use a protocol such as PPPoE or PPPoA which supports authentication. The network access server (NAS) queries the remote authentication dial-in user server (RADIUS) for authentication and access authorization. If successful, the RADIUS server then creates a record which associates the device’s MSISDN, subscriber ID, or other identifier with its current IP address.
The server, next acting as a RADIUS client, sends an accounting request with the mapping to the FortiMail unit. (The FortiMail unit acts as an auxiliary accounting server if the endpoint reputation daemon is enabled.) The FortiMail unit then stores the mappings, and uses them for the endpoint reputation feature.
When the device leaves the network or changes its IP address, the RADIUS server acting as a client requests that the FortiMail unit stop accounting (that is, remove its local record of the IP-to-MSISDN/subscriber ID mapping). The FortiMail unit keeps the reputation score associated with the MSISDN or subscriber ID, which will be re-mapped to the new IP address on the next time that the mobile device joins the network.
The endpoint reputation feature can be used with traditional email, but it can also be used with MMS text messages.
The multimedia messaging service (MMS) protocol transmits graphics, animations, audio, and video between mobile phones. There are eight interfaces defined for the MMS standard, referred to as MM1 through MM8. MM3 uses SMTP to transmit text messages to and from mobile phones. Because it can be used to transmit content, spammers can also use MMS to send spam.
You can blacklist MSISDNs or subscriber IDs to reduce MMS and email spam.
In addition to manually blacklisting or exempting MSISDNs and subscriber IDs, you can configure automatic blacklisting based on endpoint reputation score. If a carrier end point sends email or text messages that the FortiMail unit detects as spam, the endpoint reputation score increases. You can configure session profiles to log or block, for a period of time, email and text messages from carrier end points whose endpoint reputation score exceeds the threshold during the automatic blacklisting window. For information on enabling endpoint reputation scans in session profiles and configuring the score threshold and automatic blacklisting duration, see “Configuring session profiles” on page 482. For information on configuring the automatic blacklisting window, see “Configuring the endpoint reputation score window” on page 643.
To use the endpoint reputation feature
- Enter the following CLI command to start the endpoint reputation daemon: config antispam setting
set carrier-endpoint-status enable
end
- On the web UI, go to AntiSpam > Endpoint Reputation and configure the settings described in “Manually blacklisting endpoints” on page 641, “Exempting endpoints from endpoint reputation” on page 641, and “Configuring the endpoint reputation score window” on page 643.
- Go to Profile > Session > Session. Mark the check box of the Enable Endpoint Reputation option, then select either Reject or Monitor from Action. For details, see “Configuring session profiles” on page 482.
- Go to Policy > Policies > IP Policies. Select the session profile in an IP-based policy. For details, see “Controlling email based on IP addresses” on page 475.
- If you enable antispam, antivirus, and history logging, you can go to Monitor > Log to view endpoint reputation-related log messages. For details, see “Configuring logging” on page 671 and “Viewing log messages” on page 206.
Emails from at least one customer are still going to quarantine after being added to personal AND system safe list. What am I missing?