Fortinet black logo

Cookbook

Filtering order

Copy Link
Copy Doc ID 9bd2f947-ece6-11ec-bb32-fa163e15d75b:110225
Download PDF

Filtering order

The FortiGate checks for spam using various filtering techniques. The filtering order used by the FortiGate depends on which mail protocol is used.

Filters requiring a query to a server and a reply (FortiGuard Antispam service and DNSBL/ORDBL) are run simultaneously. To avoid delays, queries are sent while other filters are running. The first reply to trigger a spam action takes effect as soon as the reply is received.

Each spam filter passes the email to the next if no matches or problems are found. If the action in the filter is Mark as Spam, the FortiGate tags the email as spam according to the settings in the email filter profile. If the action in the filter is Mark as Reject, the email session is dropped. If the action in the filter is Mark as Clear, the email is exempt from any remaining filters. For SMTP and SMTPS, if the action is Discard, the email is discarded or dropped.

SMTP and SMTPS spam filtering order

The FortiGate scans SMTP and SMTPS email for spam in a specific order, which depends on whether or not the local override feature is enabled. This feature is disabled by default, but enabling it gives priority to local spam filters.

You can enable local override (set local-override) in an email filter profile to override SMTP or SMTPS remote checks, which includes checks for IP RBL, IP FortiGuard AntiSpam, and HELO DNS with the locally defined antispam block and/or allow lists.

Note

SMTPS spam filtering is available on FortiGates that support SSL content scanning and inspection.

To configure local override of an antispam filter:
config emailfilter profile
    edit <name>
        set spam-filtering enable
        set options spambwl spamfsip spamfsurl spamhelodns spamfsphish
        config smtp
            set local-override {enable | disable}
        end
        set spam-bwl-table 1
    next
end

Local override disabled

Local override enabled

  1. HELO DNS lookup, last hop IP check against ORDBL
  2. Return email DNS check, FortiGuard email checksum check, FortiGuard URL check, FortiGuard IP address check, phishing URLs detection
  3. Last hop IP checks local block/allow list
  4. Envelope address checks local block/allow list
  5. Headers IPs local block/allow list
  6. Headers email address local block/allow list, MIME header checks based on local list of patterns (mheader)
  7. Banned words (subject first, then body) based on local block/allow list (bword)
  1. Last hop IP checks local block/allow list
  2. Envelope address checks local block/allow list
  3. Headers IPs local block/allow list, MIME header checks based on local list of patterns (mheader)
  4. Headers email address local block/allow list
  5. Banned words (subject first, then body) based on local list of patterns (bword)
  6. HELO DNS lookup, last hop IP check against ORDBL
  7. Return email DNS check, FortiGuard email checksum check, FortiGuard URL check, FortiGuard IP address check, phishing URLs detection

IMAP, IMAPS, POP3, and POP3S spam filtering order

The FortiGate scans IMAP, IMAPS, POP3, and POP3S email for spam in the following order:

  1. MIME headers check, email address block/allow list check
  2. Banned word check on email subject
  3. IP block/allow list check
  4. Banned word check on email body
  5. Return email DNS check, FortiGuard email checksum check, FortiGuard URL check, DNSBL and ORDBL checks
Note

IMAPS and POP3S spam filtering are available on FortiGates that support SSL content scanning and inspection.

Filtering order

The FortiGate checks for spam using various filtering techniques. The filtering order used by the FortiGate depends on which mail protocol is used.

Filters requiring a query to a server and a reply (FortiGuard Antispam service and DNSBL/ORDBL) are run simultaneously. To avoid delays, queries are sent while other filters are running. The first reply to trigger a spam action takes effect as soon as the reply is received.

Each spam filter passes the email to the next if no matches or problems are found. If the action in the filter is Mark as Spam, the FortiGate tags the email as spam according to the settings in the email filter profile. If the action in the filter is Mark as Reject, the email session is dropped. If the action in the filter is Mark as Clear, the email is exempt from any remaining filters. For SMTP and SMTPS, if the action is Discard, the email is discarded or dropped.

SMTP and SMTPS spam filtering order

The FortiGate scans SMTP and SMTPS email for spam in a specific order, which depends on whether or not the local override feature is enabled. This feature is disabled by default, but enabling it gives priority to local spam filters.

You can enable local override (set local-override) in an email filter profile to override SMTP or SMTPS remote checks, which includes checks for IP RBL, IP FortiGuard AntiSpam, and HELO DNS with the locally defined antispam block and/or allow lists.

Note

SMTPS spam filtering is available on FortiGates that support SSL content scanning and inspection.

To configure local override of an antispam filter:
config emailfilter profile
    edit <name>
        set spam-filtering enable
        set options spambwl spamfsip spamfsurl spamhelodns spamfsphish
        config smtp
            set local-override {enable | disable}
        end
        set spam-bwl-table 1
    next
end

Local override disabled

Local override enabled

  1. HELO DNS lookup, last hop IP check against ORDBL
  2. Return email DNS check, FortiGuard email checksum check, FortiGuard URL check, FortiGuard IP address check, phishing URLs detection
  3. Last hop IP checks local block/allow list
  4. Envelope address checks local block/allow list
  5. Headers IPs local block/allow list
  6. Headers email address local block/allow list, MIME header checks based on local list of patterns (mheader)
  7. Banned words (subject first, then body) based on local block/allow list (bword)
  1. Last hop IP checks local block/allow list
  2. Envelope address checks local block/allow list
  3. Headers IPs local block/allow list, MIME header checks based on local list of patterns (mheader)
  4. Headers email address local block/allow list
  5. Banned words (subject first, then body) based on local list of patterns (bword)
  6. HELO DNS lookup, last hop IP check against ORDBL
  7. Return email DNS check, FortiGuard email checksum check, FortiGuard URL check, FortiGuard IP address check, phishing URLs detection

IMAP, IMAPS, POP3, and POP3S spam filtering order

The FortiGate scans IMAP, IMAPS, POP3, and POP3S email for spam in the following order:

  1. MIME headers check, email address block/allow list check
  2. Banned word check on email subject
  3. IP block/allow list check
  4. Banned word check on email body
  5. Return email DNS check, FortiGuard email checksum check, FortiGuard URL check, DNSBL and ORDBL checks
Note

IMAPS and POP3S spam filtering are available on FortiGates that support SSL content scanning and inspection.