Fortinet black logo

Handbook

Message Flood

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:586962
Download PDF

Message Flood

The convenience offered by MM1 and MM4 messaging can be abused by users sending spam or attempting to overload the network with an excess of messages. MMS flood prevention can help prevent this type of abuse. A message flood occurs when a single subscriber sends a volume of messages that exceed the flood threshold that you set. The threshold defines the maximum number of messages allowed, the period during which the subscriber sent messages are considered, and the length of time the sender is restricted from sending messages after a flood is detected. For example, for the first threshold you may determine that any subscriber who sends more than 100 MM1 messages in an hour (60 minutes) will have all outgoing messages blocked for 30 minutes.

Action Description
Log Add a log entry indicating that a message flood has occurred. You must also enable logging by going to Security Profiles > MMS Profile, <applicable profile> > Logging > MMS Scanning > Bulk Messages, and toggling on the checkbox.
DLP Archive Save the first message to exceed the flood threshold, or all the messages that exceed the flood threshold, in the DLP archive. DLP archiving flood messages may not always produce useful results. Since different messages can be causing the flood, reviewing the archived messages may not be a good indication of what is causing the problem since the messages could be completely random.
All messages All the messages that exceed the flood threshold will be saved in the DLP archive.
First message only Save only the first message to exceed the flood threshold in the DLP archive. Other messages in the flood are not saved. For message floods this may not produce much useful information since a legitimate message could trigger the flood threshold.
Intercept Messages that exceed the flood threshold are passed to the recipients, but if quarantine is enabled for intercepted messages, a copy of each message will also quarantined for later examination. If the quarantine of intercepted messages is disabled, the Intercept action has no effect.
Block Messages that exceed the flood threshold are blocked and will not be delivered to the message recipients. If quarantine is enabled for blocked messages, a copy of each message will quarantined for later examination.
Alert Notification If the flood threshold is exceeded, the Carrier-enabled FortiGate unit will send an MMS flood notification message.

In the GUI when Alert Notification is selected it displays the fields to configure the notification.

Flood protection for MM1 messages prevents your subscribers from sending too many messages to your MMSC. Configuring flood protection for MM4 messages prevents another service provider from sending too many messages from the same subscriber to your MMSC.

Message flood configuration settings

The following are message flood configuration settings in Security Profiles > Message Flood.

Message Flood

Lists the large amount of messages that are being sent to you from outside sources.
Delete Removes messages from the list.

To remove multiple messages from within the list, on the Message Flood page, in each row of the messages you want removed, select the check box and then select Delete.

To remove all messages from the list, on the Message Flood page, select the check box in the check box column and then select Delete.
Remove All Entries Removes all messages from the list.
Protocol Sorts/filters by the protocol used.
MMS Profile Sorts/filters by the MMS profile that is used.
Sender Sorts/filters by the sender’s email address.
Level Sorts/filters by he level of severity of the message.
Count The count column can be up or down and these settings can be turned off by selecting beside the column’s name.
Window Size (minutes) The time in minutes.
Timer (minutes:seconds) The time in seconds and in minutes. The timer column can be up or down and these settings turned off by selecting beside the column’s name.
Page Controls Use to navigate through the list.

Message Flood

The convenience offered by MM1 and MM4 messaging can be abused by users sending spam or attempting to overload the network with an excess of messages. MMS flood prevention can help prevent this type of abuse. A message flood occurs when a single subscriber sends a volume of messages that exceed the flood threshold that you set. The threshold defines the maximum number of messages allowed, the period during which the subscriber sent messages are considered, and the length of time the sender is restricted from sending messages after a flood is detected. For example, for the first threshold you may determine that any subscriber who sends more than 100 MM1 messages in an hour (60 minutes) will have all outgoing messages blocked for 30 minutes.

Action Description
Log Add a log entry indicating that a message flood has occurred. You must also enable logging by going to Security Profiles > MMS Profile, <applicable profile> > Logging > MMS Scanning > Bulk Messages, and toggling on the checkbox.
DLP Archive Save the first message to exceed the flood threshold, or all the messages that exceed the flood threshold, in the DLP archive. DLP archiving flood messages may not always produce useful results. Since different messages can be causing the flood, reviewing the archived messages may not be a good indication of what is causing the problem since the messages could be completely random.
All messages All the messages that exceed the flood threshold will be saved in the DLP archive.
First message only Save only the first message to exceed the flood threshold in the DLP archive. Other messages in the flood are not saved. For message floods this may not produce much useful information since a legitimate message could trigger the flood threshold.
Intercept Messages that exceed the flood threshold are passed to the recipients, but if quarantine is enabled for intercepted messages, a copy of each message will also quarantined for later examination. If the quarantine of intercepted messages is disabled, the Intercept action has no effect.
Block Messages that exceed the flood threshold are blocked and will not be delivered to the message recipients. If quarantine is enabled for blocked messages, a copy of each message will quarantined for later examination.
Alert Notification If the flood threshold is exceeded, the Carrier-enabled FortiGate unit will send an MMS flood notification message.

In the GUI when Alert Notification is selected it displays the fields to configure the notification.

Flood protection for MM1 messages prevents your subscribers from sending too many messages to your MMSC. Configuring flood protection for MM4 messages prevents another service provider from sending too many messages from the same subscriber to your MMSC.

Message flood configuration settings

The following are message flood configuration settings in Security Profiles > Message Flood.

Message Flood

Lists the large amount of messages that are being sent to you from outside sources.
Delete Removes messages from the list.

To remove multiple messages from within the list, on the Message Flood page, in each row of the messages you want removed, select the check box and then select Delete.

To remove all messages from the list, on the Message Flood page, select the check box in the check box column and then select Delete.
Remove All Entries Removes all messages from the list.
Protocol Sorts/filters by the protocol used.
MMS Profile Sorts/filters by the MMS profile that is used.
Sender Sorts/filters by the sender’s email address.
Level Sorts/filters by he level of severity of the message.
Count The count column can be up or down and these settings can be turned off by selecting beside the column’s name.
Window Size (minutes) The time in minutes.
Timer (minutes:seconds) The time in seconds and in minutes. The timer column can be up or down and these settings turned off by selecting beside the column’s name.
Page Controls Use to navigate through the list.