Article Id 194119

There are many tricks to catching spam, and one of the simplest, and most effective, would seem to be blocking it before it gets into your network. Of course it's not quite so simple without knowing the source of the spam, but the spam messages themselves can provide the information you need to determine where they come from. Spam log messages, generated by the FortiGate logging function, contain IP addresses of the mail servers that have delivered spam to your mail server. These unwanted server connections can be blocked with a DENY firewall policy.

If your SMTP mail server connects to the Internet through a FortiGate unit, you can use the technique described in this document to reduce the amount of spam reaching your network.

This document describes:

  • How to generate the needed spam log messages
  • How to analyze the spam logs to find IP addresses of spam sources
  • How to block email connections for known spam sources

Figure 1: This document describes a spam-reduction strategy for a network with an SMTP server connected to the Internet through a FortiGate Antivirus Firewall

[Image: rmetzger_11439_figure1_spam_network.png]

Note: The technique described here will not be effective if the spammer is spoofing the spam mail server IP address. If spammers don't forge their IP address, you can block mail once you've determined what the IP address of the mail server is. Careful use of the technique described here reduces the amount of spam entering your network. Use caution when denying connections from SMTP servers, because it's always possible to block legitimate mail if the technique is implemented too enthusiastically.

Generating spam log messages

  1. Using the FortiGate web-based manager, go to Log&Report > Log Config > Log Setting.
  2. Enable memory, and set the level to Information.
    In addition to memory, log to disk will also be available if your FortiGate unit is equipped with a hard disk. You can also send log messages to a FortiLog unit if one is available.
  3. Under Log Filter, check all the spam filtering options in the memory column.
  4. Go to Log&Report > Log Access > Spam Filter and select the Column Settings button.
  5. In the Available Fields window, select all fields except Detailed Information and move them to the right. Displaying these extra columns will show as much information as possible in each log message.
  6. Give the FortiGate unit time to record spam log messages.

Analyzing spam log messages

Using the FortiGate web-based manager, go to Log&Report > Log Access > Spam Filter. In the generated logs (see Figure 2), any IP address in the Source column that is repeatedly listed with a message indicating that the IP address is on an RBL/ORDBL list is likely a source of spam. Adding a DENY firewall policy to block connections from this source address not only saves internal network resources by stopping spam messages, but also eliminates the need for repeated queries to RBL/ORDBL servers about this IP address.

Figure 2: Sample Spam Log messages

[Image: rmetzger_11439_figure2.png]

Adding the DENY firewall policy

For easy maintenance, have the firewall policy block an address group instead of a single address. Create an address group by going to Firewall > Address > Group. After naming the group, any address defined in Firewall > Address > Address may be added to the group. This way, new addresses can be easily added or removed from the address group and the DENY policy without modifying the policy itself.

  1. Using the FortiGate web-based manager, go to Firewall > Policy and select Create New.
  2. In the New Policy window, set Source Interface/Zone to the FortiGate interface connected to the Internet.
  3. Set Source Address Name to the address group containing the IP addresses to block.
  4. Set the Destination Interface/Zone to the interface your mail server is connected to and set the destination address to that of your mail server.
  5. Set the schedule to always, the service to SMTP, and the action to DENY.
  6. Enter a comment describing the policy, like "Block spam mail server connections".
  7. Move the deny policy to the top of the policy list.

All connections from the IP addresses in the address group will be blocked from even establishing a connection with the FortiGate unit.

Figure 3: Example firewall policy at the top of a FortiGate-1000 port2 to port1 policy list

[Image: rmetzger_11439_figure3.png]
