Does anyone know if there a reason that the outbreak protection minimum interval is 15 minutes? (This limit isn't documented in the CLI manual, but when you try to set it below this from the CLI it's blocked). Outbreak protection seems like it would be a great feature if we could set it to 5 or even 10 minutes, but 15 minutes is just too long for end users... they end up screaming at the help desk looking for their messages, so we end up having to turn the outbreak protection off.
A related question.... does anyone know if outbreak protection utilizes the sender reputation status to weigh against its findings? If not this seems like it would be a good thing...
In looking through the logs, I do think a shorter timer would prove useful. These days people see email as almost like IM, so they're expecting a pretty quick response. I've looked at logs and seen many instances where you could see a spam burst coming in, and the first few people who were on the list it passed through, but by the fourth or fifth, which was only a few minutes later, it was already catching them (if outbreak is turned off). Even if the FortiGuard database hasn't caught them yet, the RBL lists frequently do (see an example below,). So it does appear that things move fast enough now that having that check at 5 minutes would be worth it.
My though on the sender reputation was in response to other feedback we've gotten from end users. Several have mentioned to me that they were involved in a back and forth thread of emails over a period of an hour or more, and suddenly a message would get held up in the outbreak quarantine. I can understand why, technically, because something in the message was suspicious (even though we had the setting to low), but from an end user's perspective I could see why that would be hard to understand, and also that it would really interrupt their workflow.
So I was thinking it would be nice if we had the option to utilize the sender reputation database as an offset against the outbreak protection.... if a message was suspicious, but the sender had a good reputation for sending non-spam messages over at least several hours, then perhaps we'd let it skip the outbreak queue.
One more question on outbreak protection... the manual states that if a message is in the outbreak quarantine and this is found to be spam, if the original rule was reject, that the message should go to system quarantine. (5.3.7 manual pg 509 "messages held for FortiGuard spam outbreak protection...the actual action will fallback to "system quarantine"). This makes sense, because you can't reject the message at this point, but what I've been seeing is that it ends up going to the user quarantine. So they're now getting a lot of spam messages in their user quarantine. Is this behavior by design? to work around it, for now I've set the FortiGuard action to drop instead of reject to work around this, but my preference would be the behavior the manual describes where items from the outbreak quarantine go to the system quarantine.
And finally one more request re: outbreak. (I've been spending a lot of time studying it lately ). When searching the logs for messages, the action of the outbreak quarantine is a bit misleading and really confused us at first. if you search through the History section by the sender/recipient/etc to find a message, you'll only see the message flow from the time it was released from the queue, which leads you to believe the system didn't hold it. We did realize that if you look at the disposition, it will show Delayed,action, but to find out what time it was originally captured and held, you have to go to the event tab and search to find the first half of the message history where it was held up. It would be really helpful if when you clicked on the session ID from the History section (which is our standard method of analyzing behavior), it would show you the log entries of the original time it came in and that it was held. (I've got screen shots of these we use to train our techs internally if that's helpful).
Here's an example of spam blast getting caught just 60 seconds later by an update in a DNSBL. When I have outbreak turned off, I see this happening all day long.
Thanks again for looking at these ideas. We're really impressed with fortimail!
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.