Transparent mode deployment Example 3: FortiMail unit for an ISP or carrier
FortiMail™ Secure Messaging Platform Version 4.0 Patch 1 Install Guide
Revision 2 131
Because many mail servers use DNSBL to combat spam, if a subscriber’s IP address is
added to a DNSBL, it can instantly cause email service interruption. If the subscriber’s IP
address is dynamic rather than static, then when the spammer’s IP address is reassigned to
another subscriber, the listing can cause problems for an innocent subscriber. Even worse,
if many subscribers on your network share a single public IP address and that address is
blacklisted, all of your customers could be impacted.
Protecting the public range of IP addresses from being blacklisted is essential for service
providers to be able to guarantee a service level to subscribers.
In addition to jeopardizing customer retention, spam originating from your internal network
can also cost money and time. Spam consumes bandwidth and network resources.
Tracking which IP addresses in your block are currently blacklisted, and paying to have
them de-listed, can be a significant recurring cost.
By scanning email destined for the Internet, you can reduce your own costs and
maximize customers’ satisfaction with your service levels.
To deploy the FortiMail unit at an ISP or carrier, you must complete the following:
• Configuring the connection with the RADIUS server
• Removing the network interfaces from the bridge
• Configuring the session profiles
• Configuring the IP-based policies
• Configuring the outgoing proxy
• Testing the installation
Configuring the connection with the RADIUS server
FortiMail units can use your RADIUS accounting records to combat spam and viruses.
This reduces spam and viruses originating from your network, and reduces the likelihood
that your public IP addresses will be blacklisted.
Unlike MTAs, computers in homes and small offices, and mobile devices such as laptops
and cellular phones, that send email may not have a static IP address. Cellular phones’ IP
addresses especially may change very frequently. After a device leaves the network or
changes its IP address, its dynamic IP address may be reused by another device.
Because of this, a sender reputation score that is directly associated with an SMTP client’s
IP address may not function well. A device sending spam could start again with a clean
sender reputation score simply by rejoining the network to get another IP address, and an
innocent device could be accidentally blacklisted when it receives an IP address that was
previously used by a spammer.
To control spam from SMTP clients with dynamic IP addresses, you may be able to use
the MSISDN reputation score method instead.
The MSISDN reputation score method does not directly use the IP address as the SMTP
client’s unique identifier. Instead, it uses the subscriber ID, login ID, MSISDN, or other
identifier. (An MSISDN is the number associated with a mobile device, such as a SIM card
on a cellular phone network.) The IP address is only temporarily associated with this
identifier while the device is joined to the network.
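The difference between the two scoring methods, as an added example that is not FortiMail code and does not reflect its internal implementation: a small model that replays constructed RADIUS accounting Start/Stop records and compares a score keyed by IP address with a score keyed by subscriber ID. The class and function names, the sample MSISDNs and the documentation-range IP addresses are assumptions made for illustration.

```python
from collections import defaultdict


class ReputationTracker:
    """Toy model: score keyed by subscriber ID; the IP is only a temporary lease."""

    def __init__(self):
        self.ip_to_subscriber = {}                   # live sessions from accounting
        self.score_by_subscriber = defaultdict(int)  # MSISDN-style score
        self.score_by_ip = defaultdict(int)          # naive IP-keyed score

    def accounting(self, status, ip, subscriber_id):
        """Apply one accounting record (status is "Start" or "Stop")."""
        if status == "Start":
            self.ip_to_subscriber[ip] = subscriber_id
        elif status == "Stop" and self.ip_to_subscriber.get(ip) == subscriber_id:
            del self.ip_to_subscriber[ip]

    def record_spam(self, ip):
        """Charge a spam detection to whoever holds the IP right now."""
        self.score_by_ip[ip] += 1
        subscriber = self.ip_to_subscriber.get(ip)
        if subscriber is not None:
            self.score_by_subscriber[subscriber] += 1

    def subscriber_score(self, ip):
        """Score of the subscriber currently holding ip (0 if no session)."""
        subscriber = self.ip_to_subscriber.get(ip)
        return self.score_by_subscriber[subscriber] if subscriber else 0


def replay_constructed_events():
    # Constructed sample data: made-up MSISDNs, documentation-range IPs.
    t = ReputationTracker()
    spammer, innocent = "15550000001", "15550000002"
    t.accounting("Start", "198.51.100.7", spammer)
    for _ in range(3):
        t.record_spam("198.51.100.7")
    t.accounting("Stop", "198.51.100.7", spammer)
    t.accounting("Start", "198.51.100.7", innocent)  # address reused
    t.accounting("Start", "198.51.100.42", spammer)  # spammer rejoins
    return {
        "ip_keyed_reused": t.score_by_ip["198.51.100.7"],
        "ip_keyed_new": t.score_by_ip["198.51.100.42"],
        "subscriber_keyed_reused": t.subscriber_score("198.51.100.7"),
        "subscriber_keyed_new": t.subscriber_score("198.51.100.42"),
    }


if __name__ == "__main__":
    print(replay_constructed_events())
```

The IP-keyed score stays attached to the reused address and resets for the spammer's new one, while the subscriber-keyed score follows the subscriber across both sessions.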
Note: This example assumes you have already completed the Quick Start Wizard. For
details, see “Quick Start Wizard” on page 77.