Support Forum
Jeff_Roback

Outbreak Protection, why 15 minutes minimum?

Does anyone know if there is a reason that the outbreak protection minimum interval is 15 minutes? (This limit isn't documented in the CLI manual, but when you try to set it below this from the CLI it's blocked.) Outbreak protection seems like it would be a great feature if we could set it to 5 or even 10 minutes, but 15 minutes is just too long for end users... they end up screaming at the help desk looking for their messages, so we end up having to turn the outbreak protection off.

A related question.... does anyone know if outbreak protection utilizes the sender reputation status to weigh against its findings? If not, this seems like it would be a good thing...

Jeff

Jeff Roback

10 REPLIES
Carl_Windsor_FTNT

Outbreak Protection utilizes data analytics on the FortiGuard query network to identify new threats based on incoming queries. Because of this, a period of time/volume of email is required to accurately detect these threats, which was optimally deemed to be 15 minutes. I will discuss this with the development team to see if these timers can be tweaked in the future.

> does anyone know if outbreak protection utilizes the sender reputation status to weigh against its findings?

Not directly; however, Outbreak Protection itself is one big sender reputation network relying on the global visibility of the whole of FortiGuard, not just the local FML.

Dr. Carl Windsor, Field Chief Technology Officer, Fortinet

Jeff_Roback

Hi, Carl, thanks for taking a look at this!

In looking through the logs, I do think a shorter timer would prove useful. These days people see email as almost like IM, so they're expecting a pretty quick response. I've looked at logs and seen many instances where you could see a spam burst coming in: for the first few people on the list it passed through, but by the fourth or fifth, which was only a few minutes later, it was already catching them (if outbreak is turned off). Even if the FortiGuard database hasn't caught them yet, the RBL lists frequently do (see an example below). So it does appear that things move fast enough now that having that check at 5 minutes would be worth it.

My thought on the sender reputation was in response to other feedback we've gotten from end users. Several have mentioned to me that they were involved in a back-and-forth thread of emails over a period of an hour or more, and suddenly a message would get held up in the outbreak quarantine. I can understand why, technically, because something in the message was suspicious (even though we had the setting set to low), but from an end user's perspective I could see why that would be hard to understand, and also that it would really interrupt their workflow.

So I was thinking it would be nice if we had the option to utilize the sender reputation database as an offset against the outbreak protection.... if a message was suspicious, but the sender had a good reputation for sending non-spam messages over at least several hours, then perhaps we'd let it skip the outbreak queue.

One more question on outbreak protection... the manual states that if a message is in the outbreak quarantine and is found to be spam, and the original rule was reject, the message should go to system quarantine (5.3.7 manual pg 509: "messages held for FortiGuard spam outbreak protection...the actual action will fallback to "system quarantine""). This makes sense, because you can't reject the message at this point, but what I've been seeing is that it ends up going to the user quarantine. So they're now getting a lot of spam messages in their user quarantine. Is this behavior by design? For now I've set the FortiGuard action to drop instead of reject to work around this, but my preference would be the behavior the manual describes, where items from the outbreak quarantine go to the system quarantine.

And finally one more request re: outbreak. (I've been spending a lot of time studying it lately.) When searching the logs for messages, the action of the outbreak quarantine is a bit misleading and really confused us at first. If you search through the History section by the sender/recipient/etc. to find a message, you'll only see the message flow from the time it was released from the queue, which leads you to believe the system didn't hold it. We did realize that if you look at the disposition, it will show Delayed,action, but to find out what time it was originally captured and held, you have to go to the event tab and search to find the first half of the message history where it was held up. It would be really helpful if, when you clicked on the session ID from the History section (which is our standard method of analyzing behavior), it would show you the log entries of the original time it came in and that it was held. (I've got screenshots of these we use to train our techs internally if that's helpful.)

Here's an example of a spam blast getting caught just 60 seconds later by an update in a DNSBL. When I have outbreak turned off, I see this happening all day long.

Thanks again for looking at these ideas. We're really impressed with FortiMail!

Jeff

Jeff Roback
pcraponi

Jeff Roback wrote:

> My thought on the sender reputation was in response to other feedback we've gotten from end users. Several have mentioned to me that they were involved in a back-and-forth thread of emails over a period of an hour or more, and suddenly a message would get held up in the outbreak quarantine.

What I found in my tests: when FortiMail fails to communicate with FortiGuard on mail check (internet problem, UDP packet loss, etc...) and "outbreak" is enabled, it automatically moves the message to the outbreak queue...

I don't know if it is a feature by design or a bug... But it explains your case of some emails being quarantined even when the message is not spam.

Regards, Paulo Raponi
Carl_Windsor_FTNT

I can confirm that we will lower the minimum Outbreak Protection hold to 5 minutes in the next release.

Thanks for the other feedback. There are major changes afoot for the GUI in v.5.4 *coming soon* and logging changes soon after, so I will take the remaining feedback onboard for future changes.

Dr. Carl Windsor, Field Chief Technology Officer, Fortinet

Jeff_Roback

Fantastic news, very excited to see it!

Jeff

Jeff Roback
Jeff_Roback

Hi there, was wondering if there was an ETA on when a build with this reduced timeframe would be released. We're starting to see a serious uptick in spam that's not getting detected by FortiMail's native lists and is getting through to end users, and I'm thinking the outbreak protection would really help.

Along those lines, should we still be sending samples of spam that makes it through the FortiMail to submitspam@service.fortinet.com? I've been forwarding the spam messages as attachments. I don't mind sending them on, but want to be sure they're getting looked at and evaluated.

Thanks, Jeff

Jeff Roback
Carl_Windsor_FTNT

This was implemented in the 5.3.9 patch release. Minimum is now 6 mins.

Re the spam samples to submitspam, they are looked at and processed, but PM me and we can arrange to share some samples so I can investigate further.

Dr. Carl Windsor, Field Chief Technology Officer, Fortinet

Jeff_Roback

Great news! I didn't see a mention of it in the release notes so I didn't think to try it ;) I'm going to test that right now.

I'll PM on the spam.

Jeff Roback
Jeff_Roback

Carl Windsor wrote:

> This was implemented in the 5.3.9 patch release. Minimum is now 6 mins.
>
> Re the spam samples to submitspam, they are looked at and processed, but PM me and we can arrange to share some samples so I can investigate further.

Hi Carl, wanted to let you know this has been a TREMENDOUS help in reducing spam. We're catching a ton of additional messages this way, and the 6 minute delay has been tolerated by users pretty well.

However, we are still seeing a surprisingly large amount of spam come through in what look like pretty obvious spam messages. I sent you a PM to send you some samples, did you get that?

Thanks! Jeff

Jeff Roback