Alexander_Mueller
New Member
December 10, 2018
Solved

FortiMail 200E/Sandbox Email Question

  • December 10, 2018
  • 1 reply
  • 5721 views

Hi, I have one question.

We are using FortiMail 200E and Sandbox 1000D.

At the moment we have a lot of infected emails with .doc attachments.

Under FortiMail System->FortiSandbox it is activated that all Office files (especially .doc) are sent to the Sandbox.

But sometimes we have the problem that if FortiMail notices this is a spam mail (over the IP), then it sends the email to the personal quarantine and stops the checks with AntiVirus and Sandbox.

We have activated all Re-Scan options under Security->Quarantine Control.

But is it possible to make the checks continue and not stop after AntiSpam?

 

With best regards from Germany

    Best answer by Carl_Windsor_FTNT


    1 reply

    Carl_Windsor_FTNT
    Staff
    December 10, 2018

    >its possible to make thats the checks continue and not stops after AntiSpam?

    No, but what you want is possible in a different way. The reason sandboxing happens after AntiSpam is to keep the load down on the FortiSandbox (default: antispam-content-sandbox). You can however change the scan order so FSA happens after AV but before AS (sandbox-antispam-content).

    config system fortisandbox
       set scan-order {antispam-content-sandbox | sandbox-antispam-content | antispam-sandbox-content}
    end

    ...but be aware this will add additional load to the sandbox.

    ede_pfau
    SuperUser
    December 10, 2018

    The quirk in OP's setup is that he distrusts the anti-spam on the FML. In my experience, if you relax the AS measures a bit, FML won't catch all, but all that it catches is real SPAM, especially when checking against the blacklist from FortiGuard.

    As the (SPAM) mail has not yet been accepted (*), you can legally and safely discard it then, and not quarantine it.

    Quarantining SPAM is somehow... you could save a lot of energy and other cost if you just stored every mail then.

    (*) ...if FML is working as mail relay or mail gateway, that is, in front.

    In a typical environment I see 95% of all SPAM mails rejected because of blacklisting servers alone. If you push all that junk through your sandbox you will probably need a very big one.

    But thanks Carl for that precious hint anyway.

    Carl_Windsor_FTNT
    Staff
    December 10, 2018

    >In a typical environment I see 95% of all SPAM mails rejected because of blacklisting
    >servers alone. If you push all that junk through your sandbox you will probably need a
    >very big one.

    Indeed, this is why the default is the more efficient method of detecting as spam first (less load) and then allowing a rescan on release to prevent the threats from being released.
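To make the trade-off in this thread concrete, here is an added model of the three scan orders and of the Quarantine Control re-scan (example code, not Fortinet's and not from any poster). The scanner names, the Mail fields and the sample traffic are assumptions made for the illustration; the 95% blacklisted share follows ede_pfau's figure.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple

# Hypothetical model of a FortiMail-style scan pipeline (added example, not
# Fortinet code). Scanner keywords mirror the scan-order values in the thread.
SCAN_ORDERS = {
    "antispam-content-sandbox": ("antispam", "content", "sandbox"),  # default
    "sandbox-antispam-content": ("sandbox", "antispam", "content"),
    "antispam-sandbox-content": ("antispam", "sandbox", "content"),
}

@dataclass(frozen=True)
class Mail:
    blacklisted_ip: bool       # sending IP is on a FortiGuard-style blacklist
    office_attachment: bool    # .doc etc., eligible for FortiSandbox submission
    sandbox_verdict_bad: bool  # what the sandbox would report if it saw the file

def scan(mail: Mail, order: str) -> Tuple[str, bool]:
    """Return (disposition, sandbox_used). A spam verdict ends scanning early,
    which is the behaviour the original poster observed."""
    sandbox_used = False
    for step in SCAN_ORDERS[order]:
        if step == "antispam" and mail.blacklisted_ip:
            return "spam-quarantine", sandbox_used
        if step == "sandbox" and mail.office_attachment:
            sandbox_used = True
            if mail.sandbox_verdict_bad:
                return "blocked-by-sandbox", True
    return "delivered", sandbox_used

def release(mail: Mail, rescan_on_release: bool) -> str:
    """A user releases a spam-quarantined mail. With re-scan enabled the
    sandbox still gets a look before delivery; without it, nothing does."""
    if rescan_on_release and mail.office_attachment and mail.sandbox_verdict_bad:
        return "blocked-by-sandbox"
    return "delivered"

def sandbox_load(mails: Iterable[Mail], order: str) -> int:
    """Number of FortiSandbox submissions a scan order causes for the batch."""
    return sum(1 for m in mails if scan(m, order)[1])

# Constructed sample traffic: 95 blacklisted senders, each with a bad .doc,
# plus 5 legitimate senders, one of whom carries a malicious .doc.
SAMPLE = ([Mail(True, True, True)] * 95
          + [Mail(False, True, False)] * 4
          + [Mail(False, True, True)])
```

Under the default order the batch costs 5 sandbox submissions and the bad .doc from a blacklisted sender is only caught at release when re-scan is on; with sandbox-antispam-content every message is submitted, which is the extra load Carl warns about.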