CraigPink
New Contributor

Advice to tighten up Spam/Quarantine content

 

Hi All,

 

I am seeking advice on how I can fine tune our spam settings to help produce a better result.  

 

Our system is set up to send pretty much everything to quarantine, as when we had our profile set to discard we were having too many false positive emails and users were complaining about not receiving email.  Unfortunately, this means that many users are getting regular spam going to quarantine and the quarantine reports themselves have become spammy in nature (two reporting periods a day).

 

Now I feel dumb doing it this way, as the system is correctly identifying so much spam that we are just pushing to our users' quarantine anyways, but I am unsure how to filter those out while keeping things loose enough that we don't get a high false positive on legitimate mail.

 

Primarily we have trouble with parents' emails to schools from local ISP email addresses where the ISP servers are constantly jumping on and off of blacklists.

 

This wouldn't be an issue if we were rejecting email rather than discarding it, as the end user would be notified their mail was not delivered.  However, with Discard neither the sender nor receiver has any indication of what happened to the email.

 

Most of this is an inherited configuration, so I am not sure if I should be using different/better DNSBL/SURBL servers or not.

 

DNSBL: bl.spamcop.net, sbl-xbl.spamhaus.org

SURBL: multi.surbl.org

 

Thanks in advance.
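Added example, not part of the original thread: a small Python check of a sending server's IP against the two DNSBL zones listed in the post, useful for seeing which list is responsible when a legitimate ISP relay gets caught. The sample IP and sample answers are constructed, and treating 127.255.255.x answers as errors is an assumption based on Spamhaus's return-code convention.

```python
import ipaddress
import socket

# DNSBL zones quoted in the post above.
ZONES = ["bl.spamcop.net", "sbl-xbl.spamhaus.org"]

def dnsbl_query_name(ip, zone):
    """Build the lookup name: reversed IPv4 octets followed by the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def classify(answer):
    """Interpret one A-record answer; None means the name did not resolve."""
    if answer is None:
        return "not listed"
    a = ipaddress.IPv4Address(answer)
    if a in ipaddress.ip_network("127.255.255.0/24"):
        # Assumption (Spamhaus convention): query refused or rate limited.
        # This is not a listing; counting it as one creates false positives.
        return "error"
    if a in ipaddress.ip_network("127.0.0.0/8"):
        return "listed"
    # Anything else (e.g. a wildcarding resolver) is not a DNSBL verdict.
    return "unexpected"

def system_resolver(name):
    """Resolve via the OS; lookup failures are reported as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check(ip, zones=ZONES, resolve=system_resolver):
    """Return {zone: verdict} for one sending IP."""
    return {z: classify(resolve(dnsbl_query_name(ip, z))) for z in zones}

# Constructed sample answers so the example runs offline.
SAMPLE = {
    "10.2.0.192.bl.spamcop.net": "127.0.0.2",
    "10.2.0.192.sbl-xbl.spamhaus.org": "127.255.255.254",
}

if __name__ == "__main__":
    # 192.0.2.10 is a documentation address, used here as a placeholder.
    print(check("192.0.2.10", resolve=SAMPLE.get))
```

Calling `check()` without the `resolve` argument queries live DNS; run it through the same resolver the mail gateway uses, since answers can differ between resolvers.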

 

4 REPLIES
Bromont_FTNT
Staff

You could set the action to reject instead of discard, or send to system quarantine with notification to sender (and recipient).

 

CraigPink

Bromont wrote:

You could set the action to reject instead of discard, or send to system quarantine with notification to sender (and recipient).

 

I was under the impression Reject was not good to use due to Backscatter or validating your domain is active to spammers.  Are there any concerns like such I should worry about in regards to Reject vs Discard?  Rejecting would work as our senders will know the message was not received instead of both sender and receiver having no clue and our helpdesk getting the call.

 

Out of curiosity, what would be the difference between System Quarantine with notification to sender, and personal Quarantine with quarantine report email?

 

Thanks for the follow-up.

Bromont_FTNT

Typically backscatter would occur if you don't use recipient verification and your Exchange server rejects because a user doesn't exist; the FortiMail then sends a DSN back to a valid e-mail address the spammers spoofed. Rejecting because of recipient verification or SPAM are similar in my view; if the mail system shows the 220 banner upon connection, the spammer knows the system is up and running.

 

If you use system quarantine with notification to sender only, it's the sender that knows his message didn't get to the recipient and he can take appropriate action. System quarantine with notification to recipient would generate more "reports" than the personal quarantine, so I would advise against that.

CraigPink

 

Thank you.  I will give Reject a try and see how things go.
