Does anyone know if there is a reason that the outbreak protection minimum interval is 15 minutes? (This limit isn't documented in the CLI manual, but when you try to set it below this from the CLI it's blocked.) Outbreak protection seems like it would be a great feature if we could set it to 5 or even 10 minutes, but 15 minutes is just too long for end users... they end up screaming at the help desk looking for their messages, so we end up having to turn the outbreak protection off.
A related question.... does anyone know if outbreak protection utilizes the sender reputation status to weigh against its findings? If not this seems like it would be a good thing...
Jeff
Jeff Roback
Outbreak Protection utilizes data analytics on the FortiGuard query network to identify new threats based on incoming queries. Because of this a period of time/volume of email is required to accurately detect these threats which was optimally deemed to be 15 minutes. I will discuss this with the development team to see if these timers can be tweaked in the future.
> does anyone know if outbreak protection utilizes the sender reputation status to weigh against its findings?
Not directly; however, Outbreak Protection itself is one big sender reputation network relying on the global visibility of the whole of FortiGuard, not just the local FML.
Dr. Carl Windsor Field Chief Technology Officer Fortinet
Hi, Carl, thanks for taking a look at this!
In looking through the logs, I do think a shorter timer would prove useful. These days people see email as almost like IM, so they're expecting a pretty quick response. I've looked at logs and seen many instances where you could see a spam burst coming in, and the first few people who were on the list it passed through, but by the fourth or fifth, which was only a few minutes later, it was already catching them (if outbreak is turned off). Even if the FortiGuard database hasn't caught them yet, the RBL lists frequently do (see an example below). So it does appear that things move fast enough now that having that check at 5 minutes would be worth it.
My thought on the sender reputation was in response to other feedback we've gotten from end users. Several have mentioned to me that they were involved in a back-and-forth thread of emails over a period of an hour or more, and suddenly a message would get held up in the outbreak quarantine. I can understand why, technically, because something in the message was suspicious (even though we had the setting set to low), but from an end user's perspective I could see why that would be hard to understand, and also that it would really interrupt their workflow.
So I was thinking it would be nice if we had the option to utilize the sender reputation database as an offset against the outbreak protection.... if a message was suspicious, but the sender had a good reputation for sending non-spam messages over at least several hours, then perhaps we'd let it skip the outbreak queue.
One more question on outbreak protection... the manual states that if a message is in the outbreak quarantine and it is found to be spam, and the original rule was reject, the message should go to system quarantine (5.3.7 manual pg 509: "messages held for FortiGuard spam outbreak protection...the actual action will fallback to 'system quarantine'"). This makes sense, because you can't reject the message at this point, but what I've been seeing is that it ends up going to the user quarantine. So they're now getting a lot of spam messages in their user quarantine. Is this behavior by design? To work around it, for now I've set the FortiGuard action to drop instead of reject, but my preference would be the behavior the manual describes, where items from the outbreak quarantine go to the system quarantine.
And finally one more request re: outbreak. (I've been spending a lot of time studying it lately.) When searching the logs for messages, the action of the outbreak quarantine is a bit misleading and really confused us at first. If you search through the History section by the sender/recipient/etc. to find a message, you'll only see the message flow from the time it was released from the queue, which leads you to believe the system didn't hold it. We did realize that if you look at the disposition, it will show Delayed,action, but to find out what time it was originally captured and held, you have to go to the Event tab and search to find the first half of the message history where it was held up. It would be really helpful if, when you clicked on the session ID from the History section (which is our standard method of analyzing behavior), it would show you the log entries of the original time it came in and that it was held. (I've got screen shots of these we use to train our techs internally if that's helpful.)
Here's an example of a spam blast getting caught just 60 seconds later by an update in a DNSBL. When I have outbreak turned off, I see this happening all day long.
Thanks again for looking at these ideas. We're really impressed with FortiMail!
Jeff
Jeff Roback
Jeff Roback wrote:
My thought on the sender reputation was in response to other feedback we've gotten from end users. Several have mentioned to me that they were involved in a back-and-forth thread of emails over a period of an hour or more, and suddenly a message would get held up in the outbreak quarantine.
What I found in my tests: when FortiMail fails to communicate with FortiGuard on a mail check (internet problem, UDP packet loss, etc.) and "outbreak" is enabled, it automatically moves the message to the outbreak queue...
I don't know if it is a feature by design or a bug... But it explains your case of some emails being quarantined even though the message is not spam.
Regards, Paulo Raponi
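As an added illustration (not FortiMail code, and not from anyone in this thread), a small Python model of the hold-and-recheck flow the posts above describe: a suspicious first verdict holds the message for the configured interval (minimum enforced), the re-check at release maps a configured reject to system quarantine because the SMTP session is already closed, a failed reputation query is treated as a hold the way Paulo reports, and a session-id lookup joins the "held" and "released" log entries that the History view shows separately. The verdict labels, action names and the hold_on_query_error switch are constructed assumptions, not FortiMail settings.

```python
from dataclasses import dataclass, field

# Verdicts returned by the reputation query (constructed labels, not FortiMail's)
CLEAN, SPAM, SUSPICIOUS, ERROR = "clean", "spam", "suspicious", "query-error"
# Policy actions (constructed labels, not FortiMail's)
REJECT, DROP, SYSTEM_QUARANTINE, DELIVER = "reject", "drop", "system-quarantine", "deliver"
MIN_HOLD_MIN = 6  # 15 in the firmware the thread started on, 6 from the 5.3.9 patch


@dataclass
class OutbreakQueue:  # hold-and-recheck queue for messages flagged as suspicious
    hold_min: int
    spam_action: str                   # policy action when the verdict is spam
    hold_on_query_error: bool = True   # assumption modelling Paulo's observation
    held: dict = field(default_factory=dict)   # session_id -> arrival minute
    log: list = field(default_factory=list)    # (minute, session_id, event, detail)

    def __post_init__(self):
        if self.hold_min < MIN_HOLD_MIN:
            raise ValueError(f"hold interval below the {MIN_HOLD_MIN}-minute minimum")

    def on_arrival(self, sid, now, verdict):
        """First check, while the SMTP session is still open (reject is possible)."""
        if verdict == SPAM:
            self.log.append((now, sid, "spam", self.spam_action))
            return self.spam_action
        if verdict == CLEAN or (verdict == ERROR and not self.hold_on_query_error):
            self.log.append((now, sid, "delivered", verdict))
            return DELIVER
        self.held[sid] = now           # suspicious (or query error): hold it
        self.log.append((now, sid, "held", verdict))
        return "held"

    def release_due(self, now, recheck):
        """Re-query messages whose hold expired; the session is closed, so no reject."""
        outcome = {}
        for sid, t0 in list(self.held.items()):
            if now - t0 < self.hold_min:
                continue
            action = DELIVER
            if recheck(sid) == SPAM:
                # Manual: a reject action falls back to system quarantine after a hold
                action = SYSTEM_QUARANTINE if self.spam_action == REJECT else self.spam_action
            self.log.append((now, sid, "released", action))
            del self.held[sid]
            outcome[sid] = action
        return outcome

    def history(self, sid):
        """Join the hold and release entries for one session id in arrival order."""
        return [e for e in self.log if e[1] == sid]
```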
I can confirm that we will lower the minimum Outbreak Protection hold to 5 minutes in the next release.
Thanks for the other feedback. There are major changes afoot for the GUI in v.5.4 *coming soon* and logging changes soon after so will take the remaining feedback onboard for future changes.
Dr. Carl Windsor Field Chief Technology Officer Fortinet
Fantastic news, very excited to see it!
Jeff
Jeff Roback
Hi there, was wondering if there was an ETA on when a build with this reduced timeframe would be released. We're starting to see a serious uptick in spam that's not getting detected by fortimail's native lists and is getting through to end users, and I'm thinking the outbreak protection would really help.
Along those lines, should we still be sending samples of spam that makes it through the FortiMail to submitspam@service.fortinet.com? I've been forwarding the spam messages as attachments. I don't mind sending them on, but want to be sure they're getting looked at and evaluated.
Thanks, Jeff
Jeff Roback
This was implemented in the 5.3.9 patch release. Minimum is now 6 mins.
Re the spam samples to submitspam, they are looked at and processed, but PM me and we can arrange to share some samples so I can investigate further.
Dr. Carl Windsor Field Chief Technology Officer Fortinet
Great news! I didn't see a mention of it in the release notes so I didn't think to try it ;) I'm going to test that right now.
I'll PM on the spam.
Jeff Roback
Carl Windsor wrote: This was implemented in the 5.3.9 patch release. Minimum is now 6 mins.
Re the spam samples to submitspam, they are looked at and processed, but PM me and we can arrange to share some samples so I can investigate further.
Hi Carl, wanted to let you know this has been a TREMENDOUS help in reducing spam. We're catching a ton of additional messages this way, and the 6 minute delay has been tolerated by users pretty well.
However, we are still seeing a surprisingly large amount of spam still come through in what look like pretty obviously spam messages. I sent you a PM to send you some samples, did you get that?
Thanks! Jeff
Jeff Roback