Configuring bounce verification and tagging
The Bounce Verification submenu lets you configure bounce address tagging and verification.
Spammers sometimes fraudulently use others’ email addresses as the sender email address in the message envelope (MAIL FROM:) when delivering spam. When an email cannot be delivered, email servers often return a delivery status notification (DSN) message, sometimes also known as a bounce message, to the sender email address located in the message envelope.
While DSNs are normally useful in notifying email users when an email could not be delivered, in this case, it could result in delivery of a DSN to an email user who never actually sent the original message. Because the invalid bounce message is from a valid email server, it can be difficult to detect as invalid.
You can combat this problem with bounce address tagging and verification. If the FortiMail unit tags outgoing email, it can verify the tags of incoming bounce messages to guarantee that the bounce message is truly in reply to a previous outgoing email.
For a FortiMail unit to perform bounce address tagging, the following must be true:
bounce verification is enabled
a bounce address key must exist and be activated
in the protected domain to which the sender belongs, the “Bypass bounce verification” option is disabled (see “Configuring protected domains”)
the recipient domain is not in the tagging exempt list
The FortiMail unit will use the currently activated key to generate bounce address tags for all outgoing email. You can create multiple keys, but only one can be activated at any time.
The activated private key is used, together with randomizing data, to generate the tag that is applied to the sender email address in the message envelope, also known as the bounce address, of all outgoing messages. The format of tagged sender email addresses is:
prvs=1234567890=user1@example.com
where the sender email address is user1@example.com and the prefix is the bounce address tag. The tag is different for every email message, and uniquely identifies the email message.
 
Bounce address tagging is applied to the sender email address in the message envelope only; it is not applied to the sender email address in the message header.
If the email server for the recipient email domain cannot deliver the email, it will send a bounce message whose recipient is the tagged email address. When the bounce message arrives at the FortiMail unit, it will use the private keys to verify the bounce address tag. Incoming email is subject to bounce verification if all of the following are true:
bounce verification is enabled
at least one bounce address key exists
in the protected domain to which the recipient belongs, the Bypass Bounce Verification option is disabled (see “Configuring protected domains”)
in the session profile, the Bypass Bounce Verification check option is disabled (see “Configuring session profiles”)
the sender email address (MAIL FROM:) in the message envelope is empty
the DSN sender is not in the verification exempt list
 
The sender email address is typically empty for bounce messages. The sender email address may also be empty for some types of spam that are not bounce messages. Because the recipient addresses of those types of spam will not carry a proper tag, they fail the bounce verification process just as bounce message spam does. Email sent from email clients or webmail will not have an empty sender email address, and therefore will not be subject to the bounce verification process.
If the tag is successfully verified, the bounce verification scan removes the tag, restoring the recipient email address to one known by the protected domain, and allows the bounce message.
If the tag is not successfully verified, the bounce verification scan will perform the action that you have configured for invalid bounce messages.
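The following Python is an added illustration of the tagging and verification flow described above; it is not FortiMail's code, and the page does not describe how the tag is actually derived. The tag's internal layout (one-digit key id, three-digit expiry day, random nonce, truncated HMAC-SHA256), the key table and the dates are all assumptions; the behaviour modelled is the page's: the Active key tags the envelope sender, only empty-sender mail is checked, Active and Inactive keys both verify, and untagged, expired or deleted-key bounces fail.

```python
import hashlib
import hmac
import re
import secrets
from datetime import date

# Constructed key table mirroring the GUI: the Active key generates tags, the Inactive
# key is kept so bounces tagged under it still verify (see the Note on deleting keys).
KEYS = {"1": ("old-private-key", "Inactive"), "2": ("current-private-key", "Active")}
TAG_EXPIRES_DAYS = 7  # "Bounce verification tag expires in (days)"
# Assumed tag layout (not from the page): prvs=<key id><expiry day><nonce><mac>=<address>
TAG_RE = re.compile(r"prvs=(\d)(\d{3})([0-9a-f]{4})([0-9a-f]{8})=(.+)")

def _day_code(iso_day):
    """Days since 1970-01-01 modulo 1000, so the expiry fits a 3-digit field."""
    return (date.fromisoformat(iso_day) - date(1970, 1, 1)).days % 1000

def _mac(key, kid, expiry, nonce, addr):
    msg = f"{kid}{expiry:03d}{nonce}{addr}".encode()
    return hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()[:8]

def tag_sender(addr, today, keys=KEYS):
    """Tag the envelope sender (MAIL FROM) of an outgoing message with the Active key."""
    active = [(kid, k) for kid, (k, status) in keys.items() if status == "Active"]
    if not active:
        return None  # no activated key: tagging is not performed
    kid, key = active[0]
    expiry = (_day_code(today) + TAG_EXPIRES_DAYS) % 1000
    nonce = secrets.token_hex(2)  # randomizing data: a different tag for every message
    return f"prvs={kid}{expiry:03d}{nonce}{_mac(key, kid, expiry, nonce, addr)}={addr}"

def verify_bounce(mail_from, rcpt_to, today, keys=KEYS):
    """Return ("not_subject", rcpt_to), ("pass", untagged address) or ("fail", rcpt_to);
    on "fail" the caller applies the configured Reject/Discard/antispam-profile action."""
    if mail_from != "":
        return ("not_subject", rcpt_to)  # only empty-sender (bounce) mail is checked
    m = TAG_RE.fullmatch(rcpt_to)
    if not m:
        return ("fail", rcpt_to)  # untagged bounce: we never sent the original
    kid, expiry, nonce, mac, addr = m.groups()
    if kid not in keys:
        return ("fail", rcpt_to)  # key deleted: its tags can no longer be verified
    expiry = int(expiry)
    if (expiry - _day_code(today)) % 1000 > TAG_EXPIRES_DAYS:
        return ("fail", rcpt_to)  # tag older than the configured expiry
    # Both Active and Inactive keys are used for verification.
    if not hmac.compare_digest(mac, _mac(keys[kid][0], kid, expiry, nonce, addr)):
        return ("fail", rcpt_to)
    return ("pass", addr)  # tag removed; recipient restored to the protected-domain address
```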
To access this part of the web UI, your administrator account’s:
Domain must be System
access profile must have Read or Read-Write permission to the Policy category
For details, see “About administrator account permissions and domains”.
To configure bounce verification settings
1. Go to AntiSpam > Bounce Verification > Settings.
2. Configure the following as required:
 
GUI item
Description
New, Edit, Delete
(buttons)
Click to create, edit or delete a key.
Note: If you delete a key, any email with a tag generated when that key was active will fail bounce verification. After activating a new key, keep the previously active key until any tags generated with the old key expire.
Delete is unavailable if the Status of the key is Active.
Key
Displays the string of text that is the private key. This can be any arbitrary string of text, and will be used together with randomizing data to generate each bounce address tag.
Status
Indicates which key is activated for use.
Active: The key is activated.
Inactive: The key is deactivated.
Only one of the keys may be activated at any given time. The activated key is the one that will be used to generate the bounce address tags for outgoing email. Both activated and deactivated keys will be used for bounce address tag verification of incoming email.
To activate or deactivate a key, double-click it and modify its Status.
Last Used
Displays the date and time when the key was generated or last used to verify the bounce address tag of an incoming email, whichever is later.
Enable bounce verification
Mark this check box to enable verification of bounce address tags for all incoming email.
If you want to make exceptions for email that does not require bounce address tag verification, you can bypass bounce verification in protected domains and session profiles. For more information, see “Configuring protected domains” and “Configuring session profiles”.
Bounce verification tag expires in (days)
Enter the number of days after creation when bounce message keys will expire and their resulting tags will fail verification.
Keys will be automatically removed
Displays the period of time after which unused, deactivated keys will be automatically removed.
The activated key will not be automatically removed.
Bounce verification action
Select the action that the FortiMail unit will perform when an incoming email fails bounce address tag verification, either:
Reject: Reject delivery of the email and respond to the SMTP client with SMTP reply code 550 (Relaying denied).
Discard: Accept the email, but silently delete it and do not deliver it. Do not inform the SMTP client.
Use antispam profile setting: Use the actions configured in the antispam profile that you selected in the policy that matches the email message. For more information on actions, see “Configuring antispam action profiles”.
To configure a bounce address tagging and verification key
1. Go to AntiSpam > Bounce Verification > Settings.
2. Click New to add a key or double-click a key to modify it.
A dialog appears.
3. Configure the following:
 
GUI item
Description
Key name
Enter the string of text that will be used together with randomizing data in order to generate each bounce address tag. Keys must not be identical.
This field cannot be modified after a key is created. Instead, you must create a new key. If you are certain that no email has used a key, and therefore no bounce messages can exist which would require tag verification, you can safely delete that key.
Status
Select the activation status of the key.
Active: The key will be activated, and used to generate bounce address tags for outgoing messages. If any other key is currently activated, it will be deactivated when this new key is saved and activated.
Inactive: The key will be deactivated. You can activate the key at a later time.
Only one of the keys may be activated at any given time. The activated key is the one that will be used to generate tags for outgoing messages. Both activated and deactivated keys will be used for bounce address tag verification of incoming email.