Local-based email filters

There are six types of local spam filters:

  • HELO DNS lookup
  • Return email DNS check
  • Block/allow list
  • Banned words*
  • Trusted IP addresses*
  • MIME header*

* These filters can only be configured in the CLI.

By default, the HELO DNS and return email DNS checks run before the block/allow list check, so a failed DNS check marks an email as spam even when a block/allow list entry would clear it. To give the block/allow list precedence, for example when an entry with the Clear action should exempt a sender from any further filtering, enable local-override in the profile's SMTP settings:

config emailfilter profile
    edit <name>
        config smtp
            set local-override enable
        end
    next
end

HELO DNS lookup

Whenever a client opens an SMTP session with a server, the client sends a HELO (or EHLO) command carrying the client's domain name. The FortiGate takes the domain name specified in the HELO and performs a DNS lookup to determine whether the domain exists. If the lookup fails, the FortiGate treats every email delivered during that SMTP session as spam. The HELO DNS lookup is only available for SMTP traffic, since POP3 and IMAP sessions have no HELO exchange. The HELO name is supplied by the client and is not verified against the client's IP address, so this check only catches clients that announce a name that does not resolve.

Return email DNS check

When return email DNS checking is enabled, the FortiGate takes the domain of the email's return address (the reply-to address) and queries the DNS servers for an A or MX record for that domain. If neither record exists, the FortiGate treats the email as spam.

Block/allow list

Block/allow list entries match either the IP subnet of the client delivering the email or the sender email address, and each entry carries an action that is applied to matching email. The configurable entry types are summarized below.

IP/Netmask and IPv6/Netmask

Description: The FortiGate compares the IP address of the client delivering the email to the addresses in the IP address block/allow list specified in the email filter profile. If a match is found, the FortiGate takes the action configured for the matching block/allow list entry against all email delivered in that session.

By default the hdrip setting under config smtp is disabled. If enabled, the FortiGate also checks the IP addresses found in the headers of SMTP email against the IP address block/allow list.

Pattern: an IP address with a subnet mask.

Email Regular Expression

Description: The FortiGate compares the sender email address, as shown in the envelope MAIL FROM, to the pattern in the Pattern field. If a match is found, the FortiGate takes the action configured for the matching block/allow list entry.

Pattern: a regular expression. For example, ^[_a-z0-9-]+(\.[_a-z0-9-]+)*@(example|xmple|examp)\.(com|org|net)$ matches a number of email domain name combinations. The dot before the top-level domain is escaped so that it matches only a literal dot, and the pattern is anchored at both ends so that addresses in longer domains that merely begin with one of these names do not match.

Email Wildcard

Description: The FortiGate compares the sender email address, as shown in the email header and envelope MAIL FROM, to the pattern in the Pattern field. If a match is found, the FortiGate takes the action configured for the matching block/allow list entry.

Pattern: an email address with a wildcard symbol (*) in place of the variable characters, such as *.example.com or fred@*.com.

Action (all entry types):

  • Mark as Reject: the email is dropped before reaching its destination.
  • Mark as Spam: the email is allowed through, but it is tagged with an indicator marking the email as spam.
  • Mark as Clear: the email is allowed to go through to its destination on the assumption that it is not spam.
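The evaluation order described at the top of this page (DNS checks first unless local-override is set), the HELO and return address DNS checks, the three block/allow list entry types and the trusted IP exemption, modeled in Python as an added example. This is not Fortinet code and does not reproduce the FortiOS implementation. It assumes a constructed DNS table in place of real resolvers, that both DNS checks accept either an A or an MX record, that block/allow list entries are evaluated in configured order with the first match winning, and that a trusted source IP skips only the IP-type entries. All addresses, patterns and the DNS data are constructed for the example.

```python
import ipaddress
import re

# Constructed stand-in for the DNS servers the FortiGate would query:
# domain -> record types that exist. Unlisted domains resolve to nothing.
DNS_RECORDS = {
    "mail.example.com": {"A"},
    "example.com": {"A", "MX"},
    "partner.example.net": {"MX"},
    "corp.example.org": {"MX"},
}


def domain_exists(domain):
    """True if the domain has an A or MX record (assumed test for both DNS checks)."""
    return bool(DNS_RECORDS.get(domain.lower().rstrip("."), set()) & {"A", "MX"})


def wildcard_to_regex(pattern):
    """'*' matches any run of characters; everything else is literal."""
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def bwl_match(entries, client_ip, mail_from):
    """Action of the first matching block/allow list entry, else None.

    entries: dicts with type ('ip' | 'email-regexp' | 'email-wildcard'),
    pattern and action ('reject' | 'spam' | 'clear'), in configured order.
    """
    ip = ipaddress.ip_address(client_ip)
    for entry in entries:
        kind, pattern = entry["type"], entry["pattern"]
        if kind == "ip":  # IP/Netmask or IPv6/Netmask; mixed IP versions never match
            hit = ip in ipaddress.ip_network(pattern, strict=False)
        elif kind == "email-regexp":
            hit = re.search(pattern, mail_from, re.IGNORECASE) is not None
        elif kind == "email-wildcard":
            hit = re.fullmatch(wildcard_to_regex(pattern), mail_from, re.IGNORECASE) is not None
        else:
            raise ValueError(f"unknown entry type {kind!r}")
        if hit:
            return entry["action"]
    return None


def classify_session(session, profile):
    """Verdict ('reject' | 'spam' | 'clear') for one SMTP session.

    session: client_ip, helo, mail_from.  profile: iptrust (list of subnets),
    bwl (entries), helo_dns and raddr_dns (the spamhelodns / spamraddrdns
    options) and local_override (config smtp -> set local-override).
    """
    ip = ipaddress.ip_address(session["client_ip"])
    trusted = any(ip in ipaddress.ip_network(n, strict=False) for n in profile["iptrust"])

    def dns_checks():
        # HELO DNS lookup: the client-supplied HELO name must resolve.
        if profile["helo_dns"] and not domain_exists(session["helo"]):
            return "spam"
        # Return email DNS check: the return address domain needs an A or MX record.
        if profile["raddr_dns"] and not domain_exists(session["mail_from"].rsplit("@", 1)[-1]):
            return "spam"
        return None

    def bwl_check():
        # A trusted source IP is exempt from IP-based checks only; sender
        # address entries still apply to it (assumed reading of the page).
        entries = [e for e in profile["bwl"] if not (trusted and e["type"] == "ip")]
        return bwl_match(entries, session["client_ip"], session["mail_from"])

    # Default order: DNS checks first. With local-override the block/allow list
    # runs first and its verdict, including clear, ends further filtering.
    order = (bwl_check, dns_checks) if profile["local_override"] else (dns_checks, bwl_check)
    for check in order:
        verdict = check()
        if verdict:
            return verdict
    return "clear"


# Constructed profile: entries of each type, as in config emailfilter bwl.
PROFILE = {
    "iptrust": ["10.1.0.0/16"],
    "bwl": [
        {"type": "ip", "pattern": "10.1.100.0/24", "action": "spam"},
        {"type": "ip", "pattern": "203.0.113.0/24", "action": "reject"},
        {"type": "email-wildcard", "pattern": "*@partner.example.net", "action": "clear"},
        {"type": "email-regexp", "action": "spam",
         "pattern": r"^[_a-z0-9-]+(\.[_a-z0-9-]+)*@(example|xmple|examp)\.(com|org|net)$"},
    ],
    "helo_dns": True,
    "raddr_dns": True,
    "local_override": False,
}

if __name__ == "__main__":
    s = {"client_ip": "198.51.100.7", "helo": "bogus.invalid", "mail_from": "alice@partner.example.net"}
    print(classify_session(s, PROFILE))                             # spam: HELO lookup fails first
    print(classify_session(s, dict(PROFILE, local_override=True)))  # clear: allow entry now wins
```

The same session gets two different verdicts depending only on local-override: with the default order the non-resolving HELO name decides before the allow entry is ever consulted, which is the situation the local-override setting exists for.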

Banned words

When banned word checking is enabled, the FortiGate examines emails for words that appear in the banned word list specified in the email filter profile.

The banned word pattern can be either wildcard or Perl regular expression, which could include part of a word, a whole word, a phrase, multiple words, or multiple phrases.

Each time the banned word filter detects a pattern in an email, it adds the pattern's score to the sum of scores for the message. The score is set when creating a new pattern to block content (set score); higher scores indicate more offensive content. If the total score of the banned words found in the email reaches or exceeds the threshold value set in the email filter profile (spam-bword-threshold), the FortiGate treats the email as spam. The score for each pattern is counted only once, even if that pattern appears many times in the email. The default score for banned word patterns is 10 and the default threshold in the email filter profile is 10, so by default a single match is enough for an email to be treated as spam.

For example, suppose the FortiGate scans an email containing only this sentence: “The score for each word or phrase is counted only once, even if that word or phrase appears many times in the email message.” and the banned word list contains the following patterns:

Banned word pattern | Pattern type | Assigned score | Score added to sum for the message | Comments
word | Wildcard | 20 | 20 | The pattern appears twice, but it is counted once.
word phrase | Wildcard | 20 | 0 | Both words appear in the email, but they do not appear together as specified in the pattern. There are no matches.
word*phrase | Wildcard | 20 | 20 | A match occurs as long as “word” appears before “phrase”, regardless of what is in between them. The pattern appears twice, but it is counted once.
mail*age | Wildcard | 20 | 20 | This pattern is a match because “email message” appears in the email.

The scores of the matching patterns add up to 60, so the email is treated as spam if the banned word threshold is set to 60 or less.
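The scoring rules above, and the banned word list the CLI procedure that follows applies to a profile, worked through in Python as an added example (this is not Fortinet code and does not reproduce how FortiOS matches patterns). The sentence and the four wildcard entries are taken from the page's worked example and embedded as constructed input. Assumptions: a wildcard * is translated to .*, matching is case-insensitive, and a pattern of type regexp is used as written.

```python
import re

# Constructed input taken from the worked example on this page: the message
# text and the four wildcard entries, each with an assigned score of 20.
MESSAGE = ("The score for each word or phrase is counted only once, even if that "
           "word or phrase appears many times in the email message.")

BANNED_WORDS = [  # (pattern, pattern_type, score), as in config emailfilter bword
    ("word", "wildcard", 20),
    ("word phrase", "wildcard", 20),
    ("word*phrase", "wildcard", 20),
    ("mail*age", "wildcard", 20),
]


def wildcard_to_regex(pattern):
    """Translate a wildcard pattern: '*' matches any run of characters, the
    rest is literal (assumed translation; FortiOS semantics may differ)."""
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def pattern_matches(pattern, pattern_type, text):
    """Case-insensitive search; '*' may span spaces and line breaks."""
    if pattern_type == "wildcard":
        regex = wildcard_to_regex(pattern)
    elif pattern_type == "regexp":
        regex = pattern
    else:
        raise ValueError(f"unknown pattern type {pattern_type!r}")
    return re.search(regex, text, re.IGNORECASE | re.DOTALL) is not None


def score_message(text, entries):
    """Sum the scores of all matching patterns. Each pattern contributes its
    score once no matter how many times it occurs. Returns (total, hits)."""
    total, hits = 0, []
    for pattern, pattern_type, score in entries:
        if pattern_matches(pattern, pattern_type, text):
            total += score
            hits.append(pattern)
    return total, hits


def is_spam(text, entries, threshold=10):
    """spam-bword-threshold semantics: spam once the total reaches the threshold.
    The default score (10) and default threshold (10) make one match enough."""
    total, _ = score_message(text, entries)
    return total >= threshold


if __name__ == "__main__":
    total, hits = score_message(MESSAGE, BANNED_WORDS)
    print(total, hits)  # 60 ['word', 'word*phrase', 'mail*age']
    print(is_spam(MESSAGE, BANNED_WORDS, 60), is_spam(MESSAGE, BANNED_WORDS, 61))  # True False
```

Raising the threshold from 60 to 61 flips the verdict for this message, which is the practical reason to set the threshold deliberately rather than leaving every pattern at the default score of 10 against the default threshold of 10.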

To apply a banned word filter to an email filter profile:
  1. Configure the banned words list:
    config emailfilter bword
        edit 1
            set name "banned"
            config entries
                edit 23
                    set pattern-type {wildcard | regexp}
                    set pattern <string>
                    set score <1 - 99999>
                next
            end
        next
    end
    
  2. Configure the email filter profile (spam-bword-table references the ID of the bword table created above, here 1, not the ID of an entry inside it):
    config emailfilter profile
        edit "myBannedWordsProfile"
            set spam-filtering enable
            set options bannedword
            set spam-bword-threshold <0 - 2147483647>
            set spam-bword-table 1
        next
    end
Note

Once a banned word list is configured in the CLI and applied to an email filter profile, some settings can be edited in the GUI for that particular email filter profile. A banned word profile can be selected, and its Threshold (spam-bword-threshold) can be edited.

Trusted IP addresses

When a list of trusted IP addresses is configured, incoming email from these addresses is exempt from IP-based checks, such as DNSBL, RBL, the FortiGuard Antispam IP check, and locally defined IP block lists. Checks that do not depend on the source IP, such as sender address patterns, banned words, and MIME header entries, still apply.

If the FortiGate sits behind the company's own mail transfer agents, checking the source IP of email relayed by them is pointless, because the address is always an internal, trusted one; only the addresses of external senders are worth checking. External addresses can also be added to the list when they are known not to be spam sources, but every address on the list bypasses all IP-based spam checks, so keep it short and specific.

To configure a trusted IP address list:
  1. Define the IP address list (the entry uses ip4-subnet and ip6-subnet, the same attribute names as the block/allow list entries):
    config emailfilter iptrust
        edit 1
            set name "trustedIP"
            config entries
                edit 33
                    set addr-type {ipv4 | ipv6}
                    set ip4-subnet <IPv4_classnet>
                    set ip6-subnet <IPv6_network>
                next
            end
        next
    end
  2. Add the list to the email filter profile:
    config emailfilter profile
        edit "email_filter_profile"
            set spam-iptrust-table 1
        next
    end

MIME header

This filter matches a named MIME header field of the email against a pattern for its value. Each entry names the header field (fieldname), the pattern its value must match (fieldbody), whether that pattern is a wildcard or a regular expression (pattern-type), and whether a matching email is marked as spam or cleared (action).

To configure a MIME header check:
  1. Define the header content:
    config emailfilter mheader
        edit 100
            set name "mheader"
            config entries
                edit 1
                    set fieldname <string>
                    set fieldbody <string>
                    set pattern-type {wildcard | regexp}
                    set action {spam | clear}
                next
            end
        next
    end
  2. Add the header to the email filter profile:
    config emailfilter profile
        edit "email_filter_profile"
            set options spamhdrcheck
            set spam-mheader-table 100
        next
    end
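The MIME header check described above, modeled in Python as an added example (not Fortinet code; it does not reproduce the FortiOS matcher). The two messages and the three entries are constructed for the example. Assumptions: fieldname is the header name compared case-insensitively, pattern-type applies to fieldbody, a wildcard pattern must cover the whole header value while a regexp pattern may match anywhere in it, every occurrence of a repeated header is checked, and the first matching entry in configured order wins.

```python
import email
import re
from email import policy

# Constructed messages standing in for SMTP traffic the FortiGate would inspect.
BULK_MESSAGE = """\
From: "Promo Desk" <promo@example.com>
To: user@example.org
Subject: Limited time offer
X-Mailer: BulkBlaster 3.1
Content-Type: text/plain

Act now.
"""

TICKET_MESSAGE = """\
From: "Helpdesk" <helpdesk@corp.example.org>
To: user@example.org
Subject: Free seat offer for the training
X-Mailer: CorpTicketing/2.4
Content-Type: text/plain

Ticket 4711 has been updated.
"""

# Entries mirroring config emailfilter mheader, in configured order. The clear
# entry for the internal ticketing system comes first so it wins over the
# subject pattern below it.
MHEADER_ENTRIES = [
    {"fieldname": "X-Mailer", "fieldbody": "CorpTicketing/*", "pattern_type": "wildcard", "action": "clear"},
    {"fieldname": "X-Mailer", "fieldbody": "BulkBlaster*", "pattern_type": "wildcard", "action": "spam"},
    {"fieldname": "Subject", "fieldbody": r"\b(free|offer|winner)\b", "pattern_type": "regexp", "action": "spam"},
]


def wildcard_to_regex(pattern):
    """'*' matches any run of characters; everything else is literal."""
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def body_matches(value, fieldbody, pattern_type):
    """Wildcard patterns must cover the whole header value; regexp patterns
    match anywhere in it (assumed semantics)."""
    if pattern_type == "wildcard":
        return re.fullmatch(wildcard_to_regex(fieldbody), value, re.IGNORECASE | re.DOTALL) is not None
    if pattern_type == "regexp":
        return re.search(fieldbody, value, re.IGNORECASE) is not None
    raise ValueError(f"unknown pattern type {pattern_type!r}")


def header_verdict(raw_message, entries):
    """Return the action ('spam' | 'clear') of the first matching entry, or None
    when no entry matches (the email then continues through the other filters)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    for entry in entries:
        # Header names are case-insensitive; a field may be present several times.
        for value in msg.get_all(entry["fieldname"], []):
            if body_matches(str(value), entry["fieldbody"], entry["pattern_type"]):
                return entry["action"]
    return None


if __name__ == "__main__":
    print(header_verdict(BULK_MESSAGE, MHEADER_ENTRIES))    # spam
    print(header_verdict(TICKET_MESSAGE, MHEADER_ENTRIES))  # clear
```

The ticketing message would be caught by the Subject entry on its own, so the order of the entries is what decides its fate; a clear entry keyed on a header that any sender can set (X-Mailer here) should therefore be as specific as possible.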

Configuring a local-based email filter

To configure a local-based email filter in the GUI:
  1. Configure the email filter profile:
    1. Go to Security Profiles > Email Filter and click Create New, or edit an existing profile.
    2. Select a Feature set (Proxy-based is used in this example) and enable Enable Spam Detection and Filtering.
    3. In the Local Spam Filtering section, enable the desired filters (HELO DNS Lookup, Return Email DNS Check, Black White List).
    4. If Black White List is enabled, click Create New. The Create Anti-Spam Black White List Entry pane opens.
    5. Select a Type, enter a Pattern, and select an Action.

    6. Click OK to save the block/allow list.

    7. Click OK to save the email filter profile.
  2. Configure the firewall policy:
    1. Go to Policy & Objects > Firewall Policy and click Create New, or edit an existing policy.
    2. Set Inspection mode to Proxy-based.
    3. Enable the Email Filter option and select the previously created profile.

    4. Set SSL Inspection to a profile that has deep SSL inspection enabled.

      Deep inspection is required to filter SMTP, POP3, or IMAP sessions that are protected by SSL/TLS (SMTPS, POP3S, IMAPS, or sessions upgraded with STARTTLS); without it the FortiGate cannot see the envelope, headers, or body of those sessions and the email filter does not apply to them.

    5. Configure the other settings as needed.
    6. Click OK.
To configure a local-based email filter in the CLI:
  1. Configure a block/allow list:
    config emailfilter bwl
        edit 1
            set name "myBAL"
            config entries
                edit 1
                    set status enable
                    set type ip
                    set action spam
                    set addr-type ipv4
                    set ip4-subnet 10.1.100.0 255.255.255.0
                next
            end
        next
    end
  2. Configure an email filter profile:
    config emailfilter profile
        edit "myLocalEmailFilter"
            set spam-filtering enable
            set options spambwl spamhelodns spamraddrdns
            config smtp
                set action tag
            end
            set spam-bwl-table 1
        next
    end
  3. Use the profile in a firewall policy (security profiles only take effect when UTM is enabled on the policy; the deep-inspection SSL profile covers TLS-protected mail sessions, as in the GUI steps above):
    config firewall policy
        edit 1
            set inspection-mode proxy
            set utm-status enable
            set ssl-ssh-profile "deep-inspection"
            set emailfilter-profile "myLocalEmailFilter"
        next
    end
