Hi All,
I am seeking advice on how I can fine tune our spam settings to help produce a better result.
Our system is set up to send pretty much everything to quarantine, as when we had our profile set to discard we were having too many false positive emails and users were complaining about not receiving email. Unfortunately, this means that many users are getting regular spam going to quarantine and the quarantine reports themselves have become spammy in nature (two reporting periods a day).
Now I feel dumb doing it this way, as the system is correctly identifying so much spam that we are just pushing to our users' quarantine anyway, but I am unsure how to filter those out while keeping things loose enough that we don't get a high false positive rate on legitimate mail.
Primarily we have trouble with parents' emails to schools from local ISP email addresses, where the ISP servers are constantly jumping on and off of blacklists.
This wouldn't be an issue if we were rejecting email rather than discarding it, as the end user would be notified their mail was not delivered. However, with Discard neither the sender nor the receiver has any indication of what happened to the email.
Most of this is an inherited configuration, so I am not sure if I should be using different/better DNSBL/SURBL servers or not.
DNSBL: bl.spamcop.net, sbl-xbl.spamhaus.org
SURBL: multi.surbl.org
Thanks in advance.
You could set the action to reject instead of discard, or send to system quarantine with notification to sender (and recipient).
Bromont wrote: You could set the action to reject instead of discard, or send to system quarantine with notification to sender (and recipient).
I was under the impression Reject was not good to use due to backscatter, or due to validating to spammers that your domain is active. Are there any concerns like these I should worry about in regards to Reject vs Discard? Rejecting would work, as our senders will know the message was not received, instead of both sender and receiver having no clue and our helpdesk getting the call.
Out of curiosity, what would be the difference between System Quarantine with notification to sender, and personal Quarantine with quarantine report email?
Thanks for the follow up.
Typically backscatter occurs if you don't use recipient verification and your Exchange server rejects because a user doesn't exist; the FortiMail then sends a DSN back to a valid e-mail address the spammers spoofed. Rejecting because of recipient verification and rejecting because of spam are similar in my view: if the mail system shows the 220 banner upon connection, the spammer knows the system is up and running.
If you use system quarantine with notification to sender only, it's the sender that knows his message didn't get to the recipient, and he can take appropriate action. System quarantine with notification to recipient would generate more "reports" than the personal quarantine, so I would advise against that.
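To make concrete what the DNSBL/SURBL zones from the original question actually check, and why an in-session reject (as suggested above) avoids the DSN backscatter problem, here is an added example that is not part of this thread or of FortiMail's own code. It assumes the documentation address 192.0.2.10 and a constructed in-memory "resolver" so it runs offline; `live_resolve` uses real DNS.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Zones as listed in the thread's configuration.
DNSBL_ZONES = ["bl.spamcop.net", "sbl-xbl.spamhaus.org"]
SURBL_ZONE = "multi.surbl.org"
# Constructed sample answers so the demo runs offline (not real listings).
FAKE_DNS: Dict[str, str] = {"10.2.0.192.bl.spamcop.net": "127.0.0.2"}

def dnsbl_query_name(ip: str, zone: str) -> str:
    """An IPv4 DNSBL is queried as the reversed octets prefixed to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def surbl_query_name(hostname: str, zone: str = SURBL_ZONE) -> str:
    """SURBL lists registered domains found in message URLs; keep the last
    two labels (simplification: real clients consult a public-suffix list)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) + "." + zone

def live_resolve(name: str) -> Optional[str]:
    """Real DNS: an A record means listed, NXDOMAIN (gaierror) means not."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_sender_ip(ip: str, resolve: Callable[[str], Optional[str]] = live_resolve,
                    zones: List[str] = DNSBL_ZONES) -> List[Tuple[str, str]]:
    """Return (zone, answer) for each zone listing the IP. Only 127/8 answers
    count as a listing; anything else signals a broken or wildcarded zone."""
    hits = []
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is not None and answer.startswith("127."):
            hits.append((zone, answer))
    return hits

def smtp_reply(hits: List[Tuple[str, str]]) -> str:
    """A 5xx inside the SMTP session goes to the connecting MTA, so the
    sender's own server produces the bounce and no DSN leaves our side."""
    if hits:
        return "550 5.7.1 Sender IP listed in " + ", ".join(z for z, _ in hits)
    return "250 OK"

if __name__ == "__main__":
    listed = check_sender_ip("192.0.2.10", resolve=FAKE_DNS.get)
    print(listed, smtp_reply(listed))
```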
Thank you. I will give Reject a try and see how things go.