«

»

FortiGuard Spam Filtering

Out of the many hardware Spam solutions out there, you can find equipment to fit just about any budget. The age old rule still stands though, “you get what you pay for”. Somewhere in the middle price range you will find the Fortinet products. These are well above the Linksys level but not quite at the Cisco level for those out there familiar with network equipment…

The Background Info:

Fortinet makes several products catered to specific needs but still focuses primarily on security concerns with all of their models. Fortinet is known for reliability in anti-virus protection and intrusion prevention but this article will spec out the functionality of their Spam filtering specifically.

For my needs, the FortiGate turned out to be the most useful for us here at Crossroads Realty. This unit is a firewall first and foremost and can handle a wide arrangement of setups. From Virus/Spam and Intrusion protection to VPNs, Virtual IP routing, and also Web Filtering. Now there is another unit, the FortiMail, that focuses more on the email side of things, but this unit does not have the overall features that I was looking for in a single piece of equipment.

The Data:

On average, Crossroads Realty receives 9,384 emails per day. 8,208 of them are labled as Spam from the FortiGate. That works out to roughly 87% of all our incoming email being blocked as Spam. And some still gets through beyond that which requires a more hands on approach by myself and also our email users.

In total there are 3 different types of filtering services taking place on the unit simultaneously: the subscription based FortiGuard service, 3rd party RBLs (Real Time Blacklists), and manual filters setup by me. The FortiGuard service is responsible for blocking about 80% of the Spam. The 3rd party service (I chose to use Spamhaus.org) blocks about 3%, and my manual filters block about 17%. Now, these numbers can not be compared directly to each other since the email runs through some of the FortiGuard services first and gets blocked before it ever reaches the others. There are a number of spam out there that would in fact get blocked by more than one of these filters but it is the first one the Spam comes in contact with that gets the credit for it.

Below is the order and method in which all our filters fight the Spam problem. This step by step will show the journey each email takes on its way through the firewall. One peice of information first… There are 2 different IP addresses that are checked with each email that comes in: 1- The “Last Hop” IP address is the Internet address of the last computer that handled that specific email before it was sent to our mail server. 2 – The “Header IP” is the internet address of the origin of that particular email. Since emails often get passed through many pieces of equipment on their way to your in-box, the FortiGuard service takes more than just one of them into account.

  • Step 1 – The “Last Hop” IP address is compared to a “whitelist” that I control. If the email matches an IP address that I put on this whitelist, then it is allowed through the firewall instantly. These emails will bypass all the following steps.
  • Step 2 – The FortiGuard and the Spamhaus services will both check the “Last Hop” IP address to see if is from a “known” source of Spam. If either of these services match the email, it is blocked.
  • Step 3 – The email is checked against certain header values that I have defined as being characteristic of Spam. The header values can be something like who the email was send “To:” and “From:”, or something more technical like what format the email is in and what type of program was used to send the email (such as Outlook, Outlook Express, Thunderbird, WebMail, etc…)
  • Step 4 – The email is checked against a list of banned words in the subject line. For example, any email that has the word “Viagra” in the subject is automatically blocked.
  • Step 5 – Now the “Header IP” of each email is compared to the same “whitelist” I mentioned above.
  • Step 6 – The email is checked against a list of banned words in the body of the email. For example, an email that mentions certain stocks are going to “take off” soon are blocked.
  • Step 7 – The Final Step. In this last phase of the filtering process, each email is run through a variety of filters all at the same time. What ever service identifies an email as Spam first will block it. The email that passes through all of these checks is allowed through to the user’s in-box.
    • FortiGuard “Header IP” check
    • FortiGuard URL check (checks for links in the email to spam websites)
    • FortiGuard “Check Sum” that works similar to a virus scan in that Fortinet runs a database of known Spam signatures.
    • Spamhaus “Header IP” check
    • Reverse DNS check. This determines if the email is in fact coming from the computer that it says it is. I have disabled this feature since it is known to cause false positives including emails sent from the Monmouth MLS.

So there you go, that is exactly how each and every email gets scanned on a FortiGate unit like the one we have at Crossroads Realty, Inc. This unit successfully blocks over 8,000 Spam each day without breaking a sweat.

About the author

RJ Ponzio

RJ founded Shore Web Tech LLC in 2011. The mission of Shore Web Tech (SWT) is to help small and medium local businesses take advantage of today's affordable technology solutions. RJ currently holds Google's "AdWords Qualified Individual" certification.

3 comments

  1. Sharon Asay

    How amazing the percentage of spam e-mail is out there and how great it is to have the resources as you do to prevent the max incoming spam into Crossroads. Thanks for the detailed explanation of the order and method in which all our filters fight the Spam problem.

  2. Marc Williams

    to much stuff to read. To many links, over 2 dozen on this site alone. Who has the time?

  3. Domenick Marmorato

    It is amazing how much spam is blocked. It is also amazing how much spam gets thru. Think you should add “autodesk” and “autocad” to your list of blocked items. Interesting explanation on how spam filters work. Thanks, Dom

Leave a Reply

Your email address will not be published.