Jeff_Roback
Contributor

Fortimail Settings Heuristic and RBL - Recommendations / Best Practices

A few questions on others' experience and tuning of Fortimail and recommendations or best practices.


1) Does anyone have any experience with tuning the Fortimail heuristic settings that they could share?  I know that everyone will have different results, but it would be helpful to have some baseline suggestions from others. The FORTIMAIL Configuration For Enterprise Deployment PDF suggests starting with 100% of rules at 3.50, so we've started there, but since this is from 2010, I was wondering if this is still the best starting point, and if we should be increasing/decreasing by .01, .1, or 1 at a time....

2) Do you find it's necessary to use public DNSBL lists in addition to the Fortiguard and Heuristic rulesets? We're currently using b.barracudacentral.org, bl.spamcop.net and zen.spamhaus.org. But I'm wondering if there are others we should consider.


3) How has your experience been with using SURBL?  We have experimented with multi.surbl.org, but have seen a fair number of false positives from this.

I have looked at the Fortimail documentation; this is very comprehensive, but a bit light on real world recommendations. I have also read through the Fortimail cookbooks, but those are unfortunately far too general to be of much help.

I know there was some discussion of an updated best practices guide a while back; does anyone know if that ever got written?


Thanks! Jeff

Jeff Roback
abelio
SuperUser

Hello Jeff


Jeff Roback wrote:

1) Does anyone have any experience with tuning the Fortimail heuristic settings that they could share?  I know that everyone will have different results, but it would be helpful to have some baseline suggestions from others. The FORTIMAIL Configuration For Enterprise Deployment PDF suggests starting with 100% of rules at 3.50, so we've started there, but since this is from 2010, I was wondering if this is still the best starting point, and if we should be increasing/decreasing by .01, .1, or 1 at a time....


Well, disable it altogether...

Source of false positives; nothing to gain with the heuristic layer;

you have more powerful and manageable filters in your FML.

2) Do you find it's necessary to use public DNSBL lists in addition to the Fortiguard and Heuristic rulesets? We're currently using b.barracudacentral.org, bl.spamcop.net and zen.spamhaus.org. But I'm wondering if there are others we should consider.

There are a lot of free DNSBLs out there. You can choose one or another; but the FortiGuard service layer (if active) does the job very well and applies before those DNSBLs.


3) How has your experience been with using SURBL?  We have experimented with multi.surbl.org, but have seen a fair number of false positives from this.

Interesting; my experience with multi.surbl.org is very good and I'll recommend it in the base setup, but your comment goes in the opposite direction.

I have looked at the Fortimail documentation; this is very comprehensive, but a bit light on real world recommendations. I have also read through the Fortimail cookbooks, but those are unfortunately far too general to be of much help.

Agree.


I know there was some discussion of an updated best practices guide a while back; does anyone know if that ever got written?

Fortinet's official Fortimail 201 course, afaik.

regards / Abel
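For anyone chasing a block or a false positive from one of the lists mentioned above, here is an added example (my own script, not from the thread or from Fortinet) that performs the same DNSBL and SURBL lookups the FML does and decodes the answers. It uses the zones named in this thread; the zen.spamhaus.org return-code meanings and the two-label domain handling for SURBL are assumptions to check against the operators' current documentation, and the resolver is injectable so it can be run offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

IP_DNSBLS = ["zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org"]
URI_DNSBLS = ["multi.surbl.org"]

# Meaning of zen.spamhaus.org answers by last octet (from Spamhaus's published
# return-code table; assumption: re-check it against current documentation).
ZEN_CODES = {2: "SBL", 3: "SBL CSS", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             9: "SBL DROP", 10: "PBL", 11: "PBL"}
Resolver = Callable[[str], Optional[str]]

def default_resolver(name: str) -> Optional[str]:
    """Return the A record for name, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None  # NXDOMAIN is how a DNSBL says "not listed"

def ip_query_name(ip: str, zone: str) -> str:
    """IP lists are keyed on reversed IPv4 octets: 1.2.3.4 -> 4.3.2.1.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def uri_query_name(domain: str, zone: str) -> str:
    """SURBL is keyed on the registered domain; assumption: two labels suffice."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) + "." + zone

def interpret(zone: str, answer: Optional[str]) -> str:
    """Translate a DNSBL A-record answer into a verdict a mail admin can act on."""
    if answer is None:
        return "not listed"
    addr = ipaddress.IPv4Address(answer)
    if addr not in ipaddress.IPv4Network("127.0.0.0/8"):
        return f"unexpected answer {answer}: resolver wildcard or interception, not a listing"
    if zone == "zen.spamhaus.org":
        if addr in ipaddress.IPv4Network("127.255.255.0/24"):
            return f"query refused ({answer}): rate limit or public resolver, not a listing"
        return ZEN_CODES.get(int(answer.split(".")[-1]), f"listed, unknown code {answer}")
    return f"listed ({answer})"

def check_sender_ip(ip: str, resolver: Resolver = default_resolver) -> Dict[str, str]:
    """Verdict per IP-based DNSBL for a connecting SMTP client address."""
    return {z: interpret(z, resolver(ip_query_name(ip, z))) for z in IP_DNSBLS}

def check_uri_domain(domain: str, resolver: Resolver = default_resolver) -> Dict[str, str]:
    """Verdict per URI DNSBL for a domain found in a message body."""
    return {z: interpret(z, resolver(uri_query_name(domain, z))) for z in URI_DNSBLS}
```

Running `check_sender_ip("127.0.0.2")` against live DNS should show the conventional always-listed test entry on each IP list; a "query refused" verdict from zen means the FML's resolver, not the sender, is the problem.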
Jeff_Roback

Thanks for sharing your experience with this!

A couple of followup questions: have you found sender reputation to be helpful? We've played with it a bit but found that since it's happening before the email header arrives, it's tough to track down delays reported by users.

Have you used outbreak protection either? We've played with that a bit and at first found it helped out a lot with new spam, but we ended up having users really complain about delays for inbound mail, which did appear to be attributable to outbreak protection delaying legitimate messages, even with the setting on Low.

Jeff

Jeff Roback
abelio

Jeff Roback wrote:


A couple followup questions, have you found sender reputation to be helpful?  We've played with it a bit but found that since it's happening before the email header arrives it's tough to track down delays reported by users..


Yes, it is useful for us at least.

As a session profile feature, you can apply it in several ways depending on your setup, maybe different session profiles for different sources.

Have you used outbreak protection either? We've played with that a bit and at first found it helped out a lot with new spam, but we ended up having users really complain about delays for inbound mail, which did appear to be attributable to outbreak protection delaying legitimate messages, even with the setting on Low.

Same thing: different antispam profiles for different user groups, following your needs.

You can also control the outbreak delay:

config system fortiguard antispam
    set outbreak-protection-period <min>
end

regards / Abel
Jeff_Roback

Thanks for the thoughts. The minimum outbreak protection level is 15 minutes, which is just too long for our users, so we're not able to utilize it. Which is a bummer, because it does really seem to help a lot with catching spam.

Jeff Roback
abelio

Hi Jeff

There is an explanation about this default here: https://forum.fortinet.com/FindPost/145491

regards / Abel