FortiMail Student Guide

Published by gabriromero, 2017-04-14 18:33:42

Description: FortiMail_Student_Guide-online

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETYou can add dictionary profiles to content profiles in the Content Monitor and Filtering section. You can alsoenable Scan Options to apply the dictionary lookups to PDF, Microsoft Office, and archive content.When you create dictionary profiles, you can associate each entry with a score. For each Content Monitor andFiltering entry, the defined action is run only if the total score meets or exceeds the minimum score value. Aminimum score value of 1 causes the action to be executed if any of the dictionary words or phrases arefound in the message.FortiMail Student Guide 351

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETYou can use the Personal quarantine option only for incoming content action profiles. The rest of the optionsare identical. The most commonly-used actions are Reject, and System Quarantine to folder where content isquarantined to the Content folder.Another common action is Encrypt with profile. You can use a dictionary match of a certain word or phrase totrigger identity-based encryption. You will learn more about identity-based encryption in another lesson.FortiMail Student Guide 352

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETSimilar to other inspection profiles, you can apply content profiles to email flows by enabling them in IP- orrecipient-based policies.FortiMail Student Guide 353

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETThe logs generated by the content profile show whether the log was triggered by an attachment scan rule ordictionary match. The cross search result includes details like file name, attachment filter rule, dictionaryprofile name, and the dictionary word or phrase.FortiMail Student Guide 354

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETFortiMail Student Guide 355

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETIn this section, you will learn how to use FortiMail’s data loss prevention features to control, with high level ofgranularity, the type of data that is allowed to enter or leave your organization by email.FortiMail Student Guide 356

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETYou can define custom patterns or use a prebuilt data template or file filters to build DLP rules. A single DLPprofile can contain multiple rules. The DLP feature is disabled on entry-level models, such as the VM01 or the200D, and you must enable it using the CLI. Enable DLP on these models using the following commands: config system global set data-loss-prevention enable endYou must reload your management GUI after you enable DLP.FortiMail Student Guide 357

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETWhen you configure DLP, you need to define sensitive data first. You can define sensitive data usingpredefined patterns, such as file filters and data templates; user-defined patterns, such as documentfingerprints and string; or regular expression-based patterns. Next, you must configure DLP scan rules thatdefine where to look for sensitive data in an email, for example, in the email header or body. Then you mustadd the DLP scan rules to DLP profiles to define what action to take. After the DLP profile is complete, youcan apply it to an IP- or recipient-based policy.FortiMail Student Guide 358

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETYou can use file filters to match email attachments based on the file extension or file type. FortiMail comeswith nine predefined filters. You can also create new filters. File filters are used by the DLP and content filterfeatures.FortiMail Student Guide 359

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETFortiMail comes with a list of predefined data types, such as credit cards, social security numbers, and socialinsurance numbers. You can use these data templates to define your sensitive data, based on file contents, inDLP rules. Using these templates means that you don’t have to perform extra configuration steps.FortiMail Student Guide 360

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETAnother technique you can use to detect sensitive data is fingerprinting. When you use fingerprinting, youmust provide the file. FortiMail generates and stores a file checksum fingerprint. The fingerprint is thencompared with all future email attachments for a match.You can use one of the following methods to generate fingerprints:• Manually upload files to FortiMail• Create an SMB or CIFS fingerprint source that can be used by FortiMail to generate fingerprintsautomatically from the contents of the shared folderThe manual method is sufficient when you have only a few documents to fingerprint. If you have a large list ofdocuments that go through many version changes, you should use a fingerprint source.FortiMail Student Guide 361

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETA single DLP scan rule can have multiple conditions. You can specify whether the rule is triggered aftermatching any or all of the conditions. In the DLP scan rule, you can define string-based or regular expression-based patterns to match any part of the email. You can select contains sensitive data to apply the sensitivedata definitions, such as fingerprint source, or data templates.FortiMail Student Guide 362

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETThis slide shows an example DLP scan rule. The DLP rule matches if the following conditions are met:• The sender is internal (from a protected domain)• The body and attachment contain credit card numbersYou can use exceptions to exempt certain email from the DLP scan rule. In this example, the rule is ignoredfor all email sent from [email protected] Student Guide 363

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETAfter you define the DLP scan rules, you can add them to DLP profiles. You can also modify the action profileto specify how to handle email identified by the DLP profile. This example shows that the identified emailmessages are sent to the system quarantine DLP folder.DLP profiles use the same action profiles as content profiles. To configure an action profile for DLP, clickProfile > Content > Action.FortiMail Student Guide 364

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETThe DLP profile can be referenced by IP- or recipient-based policies. Since this DLP profile is intended toinspect outbound emails, it is applied to an outbound recipient-based policy.FortiMail Student Guide 365

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETLogs generated by a DLP event are assigned the Data Loss Prevention classifier. To see exactly what emailcontent was caught, click the session ID to view the cross search result of that event.FortiMail Student Guide 366

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETFortiMail Student Guide 367

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETIn this section, you will learn how you can configure FortiMail to archive incoming messages, outgoingmessages, or both, to meet organizational or compliance requirements. FortiMail can archive email to local orremote storage, and can use multiple archives based on flexible archiving policies.FortiMail Student Guide 368

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETTo use FortiMail email archiving, you must create archive mailboxes by adding an archive account. You canuse the default account, or create a new one. You can define the archive account password, access options,mailbox rotation schedules, and disk quota. You can also define the archive storage location, which can beeither local or remote. FTP and SFTP are the only supported remote storage options.FortiMail Student Guide 369

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETArchive policies allow you to define which email messages the FortiMail archives.The Account option allows you to define where the archived email messages are saved. The Pattern optionallows you to define a string that FortiMail searches for to make archiving decisions. The Policy type optionallows you to define where FortiMail searches the Pattern.Policy type supports the following email locations:• Sender Address• Recipient Address• Keyword in Subject• Keyword in Body• Attachment File NameAfter you create a valid archive policy, FortiMail immediately begins archiving email that matches the policy.FortiMail Student Guide 370

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETExempt policies are used to exempt specific email messages from being archived. An exempt policy typicallyis used to exclude spam email from the archive policy in order to use the archive storage more efficiently.FortiMail Student Guide 371

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETYou can also use antispam action profiles and content action profiles to archive email. For each action profile,select Archive to account, and select a destination archive account.A typical use case scenario involves using dictionary profiles, which are supported by both antispam andcontent profiles, to monitor and archive email messages that contain specific words or phrases.FortiMail Student Guide 372

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETYou can use the cross search results of the logs to verify that email is archived correctly.FortiMail Student Guide 373

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETYou can access the archived email message using the management GUI. You can also access the archivemailbox using IMAP if the relevant access options are configured in the archive account options.You can export archived email messages in .mbox or .eml formats. You can’t deleting messages from thearchive. The only way to delete archived messages is to format the mail disk.FortiMail Student Guide 374

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETFortiMail Student Guide 375

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETIn this lesson, you learned how to configure antivirus scanning using FortiMail’s local malware detectiontechniques, as well as FortiSandbox’s advanced threat protection techniques. You explored how to controlemail content using content filtering, and protect sensitive data with data loss prevention. You also learned athow to enable, and manage email archiving.FortiMail Student Guide 376

DO NOT REPRINT  Antivirus and Content Inspection© FORTINETThank you!FortiMail Student Guide 377

DO NOT REPRINT  Antispam© FORTINETIn this lesson, we’ll show how to configure the FortiMail’s antispam feature.FortiMail Student Guide 378

DO NOT REPRINT  Antispam© FORTINETThese are the topics that will be covered in this lesson. You will learn about FortiMail’s antispam scanningtechniques and how to configure them.FortiMail Student Guide 379

DO NOT REPRINT  Antispam© FORTINETIn this section we will define what spam is, and the different tiers of spam defense available to the FortiMail.We will also take a look at the Antispam profile, and action profile features.FortiMail Student Guide 380

DO NOT REPRINT  Antispam© FORTINETThe industry-standard definition of email spam has two components. First, the email messages areunsolicited; that is, the recipient hasn’t requested or granted permission for the email. Second, the emailmessages are considered bulk mailings because they are sent out in mass quantities and contain identical (ornearly identical) content. The industry term for this is unsolicited bulk email (UBE).FortiMail’s antispam service is a combination of two tiers of spam defense: the FortiGuard antispam servicecombined with FortiMail’s built-in antispam detection techniques. By leveraging the FortiGuard antispamservice, FortiMail has access to the latest knowledge of emerging spam threats and outbreaks.Email messages are inspected at two distinct layers: the session layer and the application layer. The sessionlayer analyzes the attributes and behaviors of the IP connection and the SMTP session for traits that arecommon to spam activity. FortiMail can detect spam even before the message headers and message bodyare sent. This saves valuable resources and improves the performance of the FortiMail server. Theapplication layer analyzes the content of the message headers and message body after they arrive. FortiMailuses this data to perform many different types of spam detection.FortiMail Student Guide 381

DO NOT REPRINT  Antispam© FORTINETWhen an email message matches the selection criteria specified in an IP or a recipient policy, you canactivate an antispam profile to perform any of the available antispam scanning techniques. In the antispamprofile, select the default action to be executed if the message is verified to be spam, or associate differentaction profiles with different antispam techniques.In the Scan Options section, you can define a size limit for messages to scan. If an email is larger than thespecified value, FortiMail skips antispam inspections on that email. You can also bypass an email fromantispam inspections if the user is authenticated. Be careful with this setting because an authenticated userisn’t always a safe sender.FortiMail Student Guide 382

DO NOT REPRINT  Antispam© FORTINETAntispam action profiles differ based on their Direction setting. For example, the Personal quarantine option isnot available for outgoing antispam action profiles.For most deployments, the Personal quarantine option is the common choice for all inbound spam email. Afteryou select Personal quarantine, FortiMail sends all spam email to individual quarantine mailboxes. The enduser must manage their own quarantines. You can enable email or web release, as well as enable the optionto add the sender of a released message to the user’s safelist.For outgoing email, use the Reject, or system quarantine options.FortiMail Student Guide 383

DO NOT REPRINT  Antispam© FORTINETFortiMail Student Guide 384

DO NOT REPRINT  Antispam© FORTINETIn this section, you will learn about the various spam fighting techniques available in the antispam profile. Youwill also learn how to configure FortiMail to block spoofed headers and backscatter attempts.FortiMail Student Guide 385

DO NOT REPRINT  Antispam© FORTINETThe FortiGuard IP Reputation feature queries the FortiGuard antispam service to determine if the remoteMTA IP address is in the FortiGuard blocklist database. If you select Extract IP from Received Header, thequery also examines the public IP addresses of all other SMTP servers that appear in the Received: headersof the email.FortiMail Student Guide 386

DO NOT REPRINT  Antispam© FORTINETFortiGuard URI filtering sorts known URIs into categories, such as phishing, spam, and malicious. You canconfigure the URI filter profile to check for specific categories. If an email message contains any URIs thatmatch the enabled categories in the URI filter profile, FortiMail treats that message as spam.The URI filter feature allows for a lot of customization. In most deployments, you should filter the Security Riskcategory, however, you can customize the URI filter profile to filter email messages containing URIs that,traditionally, would not be considered spam.FortiMail Student Guide 387

DO NOT REPRINT  Antispam© FORTINETRegular FortiGuard updates ensure that FortiMail has the most current threat information available. Even so,it’s still possible for FortiGuard to receive a spam message that it hasn’t seen before and has little or noinformation about. When you select Spam outbreak protection, the suspicious email is held in a dedicatedqueue for a specific period of time and then re-evaluated. This gives FortiGuard an opportunity to learn aboutthe potential spam outbreak and update its databases. After the timeout value for the email expires, FortiMailqueries the FortiGuard servers again. If the ratings come back as clean, FortiMail releases the email to therecipient, otherwise it applies the antispam action.This feature is effective against zero-day spam outbreaks.By default, the hold period is 30 minutes, but you can modify it using the following CLI commands: config system fortiguard antispam set outbreak-protection-period <minutes> endFortiMail Student Guide 388

DO NOT REPRINT  Antispam© FORTINETGreylisting is an automatic, low-maintenance antispam technique that takes advantage of a common traitamong spammers: impatience. Greylisting examines the triplet of source IP, sender, and recipient of anincoming email message. If FortiMail hasn’t seen the triplet before, it sends a temporary failure code—code451—that instructs the sending MTA to try re-sending the message later. At this point, most spammers giveup and move on to other potential victims.However, legitimate senders queue the message and attempt to deliver it again after a delay. It’s important toremember that the remote MTA is responsible for retransmitting the message. The redelivered message isthen put through the remaining scans. FortiMail then adds the triplet to a database of permitted senders, andprocesses future delivery attempts from that sender without the greylisting delay.FortiMail Student Guide 389

DO NOT REPRINT  Antispam© FORTINETThere are three distinct timers involved in greylisting:The Greylising period timer starts when a sender first attempts to deliver a message with a new triplet. If thesender attempts to deliver the message again before the greylisting period is over, the result is a temporaryfail error. By default, the greylisting period is ten minutes. The sender must wait at least this long beforeattempting to send the message again.The greylist-init-expiry-period timer starts when a sender first attempts to deliver a message with a newtriplet. The sender must retry before the greylist-init-expiry-period expires, otherwise the greylisting processrestarts. You can configure this value only in the CLI.After the sender successfully delivers a message outside the Greylisting period but before the greylist-initi-expiry-period expires, FortiMail creates an entry in the greylist database for the individual triplet and startsthe Greylist TTL timer. By default, the value for the TTL timer is 30 days. Once the TTL timer starts, anydelivery attempts from a triplet with a valid TTL aren’t subjected to the greylist process. After the message isdelivered, the TTL values reset and the message is processed using all remaining configured scans.FortiMail Student Guide 390

DO NOT REPRINT  Antispam© FORTINETYou can set up greylist exemptions to prevent specific senders, MTAs, or domains from being greylisted. It’sgood practice to apply exemptions before you enable gresylisting to make sure delay-sensitive email isn’tgreylisted.FortiMail Student Guide 391

DO NOT REPRINT  Antispam© FORTINETTo monitor each triplet’s greylist status, click Monitor > Greylist > Display.Triplets still in the greylisting period have a status of Fail Temporarily. The expiry value for these tripletsdisplays the greylist-init-expiry-period.Triplets that have gone through the whole greylisting process and can send email freely have a status ofPASSTHROUGH. For these triplets, the expiry value is the Greylisting TTL.FortiMail Student Guide 392

DO NOT REPRINT  Antispam© FORTINETLarge organizations often have multiple email servers sending and receiving email on behalf of many useraccounts. Tracking the greylist status of each triplet permutation would result in a massive greylist database.To avoid this, FortiMail creates consolidated greylist entries that are called AutoExempt entries. Unlikeindividual entries, consolidated AutoExempt entries track only the domain portion of the sender email addressand the /24 subnet of the sender’s MTAs.To maintain confidence even with this loose tracking, FortiMail creates consolidated AutoExempt entries onlyif the email messages pass all other antispam, antivirus, and content scans, and don’t appear on any safelists.FortiMail Student Guide 393

DO NOT REPRINT  Antispam© FORTINETSender policy framework (SPF) is a common technique that you can use to validate senders. Using SPF, adomain owner publishes specially formatted DNS text (TXT) records. The records contain the domain’sauthorized MTAs. Using the SPF check feature, FortiMail performs a DNS TXT record lookup for the sendingdomain of any email session. If an SPF entry exists, FortiMail compares the address with the address of thesending MTA, and, if it no match is found, treats the email as spam.DMARC is much more comprehensive. Using DMARC, FortiMail validates both SPF and DKIM. However, theemail must pass only one of these checks. If the email fails both the SPF and DKIM checks, then it is treatedas a spam. DMARC validation isn’t universally adopted yet, however it’s slowly becoming more popular.FortiMail Student Guide 394

DO NOT REPRINT  Antispam© FORTINETBehavior Analysis uses a variety of methods to identify spam not caught directly by FortiGuard. By applyingelements of heuristics and a fuzzy matching algorithm, which compares spam recently detected (within thepast 6 hours) by FortiGuard signatures on the device in question, behavioral analysis can detect changingspam samples. This method is useful to detect and prevent new zero-day spam outbreaks.Header Analysis looks for the presence of header entries that are commonly found together in spam email.FortiMail Student Guide 395

DO NOT REPRINT  Antispam© FORTINETFortiGuard maintains a set of heuristic rules based on known spam content. These heuristic rules use PERL-compatible regular expressions (PCRE), a powerful form of regular expression matching, to locate spam-identified attributes within each message. These rules are continuously updated as new spam threats emerge.As each rule is evaluated against the message, a score is generated reflecting how much of the rule’s criteriawas found in the message. When a rule’s processing is complete, the score is added to the message’s totalscore. If the total score meets or exceeds the set threshold, the message is determined to be spam.Heuristics scanning can be very resource intensive.FortiMail Student Guide 396

DO NOT REPRINT  Antispam© FORTINETWhen you enable heuristic scanning in an antispam profile, you use two settings to fine-tune the behavior.The first setting, threshold, determines what total score is necessary to decide that an email is spam. Thedefault value may be appropriate for most environments, but you can increase it if there are false positives, ordecrease it as necessary. Expect to tune this value multiple times as there is no universal value that suits alldeployments. If the threshold is not set correctly, it can generate unnecessary false positives or negatives.The second setting, the percentage of rules used, specifies how much of the rule list to apply to eachmessage. The rule ordering is maintained by FortiGuard so that the rules to detect the most prevalent spamare at the top of the list, and rules for older, more obscure spam are lower. This rule ordering changes overtime as FortiGuard responds to the ever-changing spam landscape. Heuristic rule processing is a fairlyresource-intensive process, so you can use this setting to strike a balance between performance andthoroughness.FortiMail Student Guide 397

DO NOT REPRINT  Antispam© FORTINETA spam URI realtime block list (SURBL) is similar, in concept, to the FortiGuard URI filter, but it uses third-party SURBL servers. FortiMail extracts URIs from email messages and sends them to the SURBL servers,which identify if the URIs are known to be associated with spam.The DNS block list (DNSBL) is also similar, in concept, to the FortiGuard IP reputation feature, but it usesthird-party DNSBL servers. FortiMail can also include the IPs from the chain of Received: headers in DNSBLscans if you select Extract IP from Received Header in the antispam profile. Just like the FortiGuard IPReputation scan, the DNSBL scan ignores any RFC 1918 addresses. If an IP is blocklisted by the DNSBLserver, FortiMail treats the email as spam and executes the configured action.FortiMail Student Guide 398

DO NOT REPRINT  Antispam© FORTINETWhen you enable the banned word scan in an antispam profile, the banned word scan compares the subjectand message body against a simple list of prohibited words. If a message contains one or more of the wordsin the list, FortiMail treats the message as spam.The safelist word scan uses a similar list of words to compare against the subject or body of an email.However, if a match is found, FortiMail exempts the email in question from antispam inspections. Otherinspection profiles that you enable still apply.To maintain efficiency, the word lists support wildcard characters but not regular expressions or extendedcharacter set encodings.FortiMail Student Guide 399

DO NOT REPRINT  Antispam© FORTINETA dictionary scan provides a more flexible way to identify email messages that contain specific words orphrases. To use this feature, you must create a dictionary profile containing words or phrases of interest. Thiscan include regular expressions as well as extended character set encodings. If the scan finds one or moredictionary entries in the email message, FortiMail adds the X-FEAS-DICTIONARY: header to the emailheader, followed by the dictionary word or pattern that was found in the email, and treats the email as spam.Dictionary scans are more resource intensive than banned word scans because they provide more flexibilitythan banned word scans. For simple lists of words, consider using banned word scans to improveperformance.FortiMail Student Guide 400
