Local-based filters

There are six types of local spam filters; those marked with an asterisk (*) can only be configured in the CLI.


By default, the HELO DNS and return email DNS checks run before the block/allow list check. In some situations, such as when a block/allow list entry is meant to mark an email as clear so that it skips further filtering, configure the following to give the block/allow list precedence:

config emailfilter profile
    edit <name>
        config smtp
            set local-override enable
        end
    next
end

HELO DNS lookup

Whenever a client opens an SMTP session with a server, the client sends a HELO command carrying its domain name. The FortiGate takes the domain name the client specified in the HELO and performs a DNS lookup to determine whether the domain exists. If the lookup fails, the FortiGate treats every email delivered during that SMTP session as spam. The HELO DNS lookup is only available for SMTP traffic.

Return email DNS check

When return email DNS checking is enabled, the FortiGate takes the domain from the return (reply-to) email address and queries the DNS servers for an A or MX record for that domain. If no such record exists, the domain is considered nonexistent and the FortiGate treats the email as spam.

Block/allow list

Block/allow lists can be made from email addresses or IP subnets to forbid or allow them to send or receive email. The following summarizes the configurable options in a block/allow list entry: the entry type, what the FortiGate compares it against, the pattern format, and the action taken on a match.

Type: IP/Netmask and IPv6/Netmask

Description: The FortiGate compares the IP address of the client delivering the email to the addresses in the IP address block/allow list specified in the email filter profile. If a match is found, the FortiGate takes the action configured for the matching block/allow list entry against all email delivered in that session. By default the hdrip setting under config smtp is disabled. If enabled, the FortiGate also checks all the IP addresses found in the header of SMTP email against the specified IP address block/allow list.

Pattern: An IP address with a subnet mask.

Type: Email Regular Expression

Description: The FortiGate compares the sender email address, as shown in the email envelope MAIL FROM, to the pattern in the pattern field. If a match is found, the FortiGate takes the action configured for the matching block/allow list entry.

Pattern: A regular expression. For example, ^[_a-z0-9-]+(\.[_a-z0-9-]+)*@(example|xmple|examp)\.(com|org|net)$ matches a dotted local part at any of several domain name combinations. The dot before the top-level domain is escaped so that it matches only a literal dot, and the expression is anchored at both ends so that an address such as user@example.com.evil does not match.

Type: Email Wildcard

Description: The FortiGate compares the sender email address, as shown in the email header and envelope MAIL FROM, to the pattern in the pattern field. If a match is found, the FortiGate takes the action configured for the matching block/allow list entry.

Pattern: An email address with a wildcard symbol (*) in place of the variable characters (such as *.example.com or fred@*.com).

Action (configured per entry, whichever type it is):

  • Mark as Reject: the email is dropped before reaching its destination.
  • Mark as Spam: the email is allowed through, but it is tagged with an indicator marking it as spam.
  • Mark as Clear: the email is allowed through to its destination on the assumption that it is not spam.
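The matching rules above, as an added Python model that is not FortiGate code: IP/netmask entries are compared against the delivering client's IP (and, when hdrip is on, against the IPs taken from the message headers), email entries are compared against the MAIL FROM sender, and the action of the first matching entry (reject, spam or clear) applies. Matching in list order, case-insensitive address comparison, and the sample entries, addresses and networks are assumptions made for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class Entry:
    kind: str      # "ip", "wildcard" or "regex"
    pattern: str   # CIDR, wildcard address, or regular expression
    action: str    # "reject", "spam" or "clear"


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Turn a wildcard address such as fred@*.com into an anchored regex.
    Everything except '*' is literal; '*' matches any run of characters."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)


def entry_matches(entry: Entry, client_ip: str, mail_from: str,
                  header_ips: Iterable[str] = ()) -> bool:
    """Apply one block/allow list entry to a delivery attempt."""
    if entry.kind == "ip":
        net = ipaddress.ip_network(entry.pattern, strict=False)
        # The client IP is always checked; header IPs only arrive here when hdrip is on.
        return any(ipaddress.ip_address(ip) in net for ip in (client_ip, *header_ips))
    if entry.kind == "wildcard":
        return wildcard_to_regex(entry.pattern).search(mail_from) is not None
    if entry.kind == "regex":
        return re.search(entry.pattern, mail_from, re.IGNORECASE) is not None
    raise ValueError(f"unknown entry kind {entry.kind!r}")


def evaluate(entries: Iterable[Entry], client_ip: str, mail_from: str,
             hdrip: bool = False, header_ips: Iterable[str] = ()) -> Optional[str]:
    """Return the action of the first matching entry (assumed: list order wins),
    or None when nothing matches and the email continues to the other filters."""
    ips = tuple(header_ips) if hdrip else ()
    for entry in entries:
        if entry_matches(entry, client_ip, mail_from, ips):
            return entry.action
    return None


# Constructed sample list (not from the page): a spam source range, a trusted
# partner domain, and the page's regular expression with its dot escaped.
BLOCK_ALLOW_LIST = [
    Entry("ip", "203.0.113.0/24", "reject"),
    Entry("wildcard", "*@partner.example", "clear"),
    Entry("regex", r"^[_a-z0-9-]+(\.[_a-z0-9-]+)*@(example|xmple|examp)\.(com|org|net)$", "spam"),
]

if __name__ == "__main__":
    print(evaluate(BLOCK_ALLOW_LIST, "203.0.113.7", "anyone@y.example"))          # reject
    print(evaluate(BLOCK_ALLOW_LIST, "198.51.100.5", "ops@partner.example"))      # clear
    print(evaluate(BLOCK_ALLOW_LIST, "198.51.100.5", "alice@xmple.net"))          # spam
    print(evaluate(BLOCK_ALLOW_LIST, "198.51.100.5", "alice@example.com.evil"))   # None
```

The last call shows why the escaped dot and the end anchor matter: without them the regex entry would also tag addresses that merely contain one of the listed domains. The hdrip flag is modelled as a switch that decides whether header IPs are handed to the IP entries at all, which is the only behavioural difference the page describes for it.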

Banned words

When banned word checking is enabled, the FortiGate examines emails for words that appear in the banned word list specified in the email filter profile.

The banned word pattern can be either wildcard or Perl regular expression, which could include part of a word, a whole word, a phrase, multiple words, or multiple phrases.

Each time the banned word filter detects a pattern in an email, it adds the pattern's score to the running total for the message. The score is set when creating a new pattern to block content (set score); higher scores indicate more offensive content. The score for each pattern is counted only once, even if that pattern appears many times in the email. If the total score of the banned words found in the email reaches the threshold value set in the email filter profile, the FortiGate treats the email as spam. The default score for banned word patterns is 10 and the default threshold in the email filter profile is 10, so by default an email is blocked by a single match.

For example, if the FortiGate scans an email containing only this sentence: “The score for each word or phrase is counted only once, even if that word or phrase appears many times in the email message.” and the banned word list contains the following patterns:

Banned word pattern | Pattern type | Assigned score | Score added to sum for entire message | Comments
word | Wildcard | 20 | 20 | The pattern appears twice, but it is counted once.
word phrase | Wildcard | 20 | 0 | Both words appear in the email, but they do not appear together as specified in the pattern. There are no matches.
word*phrase | Wildcard | 20 | 20 | A match occurs as long as “word” appears before “phrase” regardless of what is in between them. The pattern appears twice, but it is counted once.
mail*age | Wildcard | 20
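The scoring described in this section, as an added Python model that is not FortiGate code. It runs the page's example sentence against the page's wildcard patterns plus one constructed regular expression pattern, counts each pattern once regardless of how often it occurs, and compares the sum with the profile threshold. Case-insensitive substring matching, the wildcard-to-regex conversion, and the extra regex pattern are assumptions made for this example.

```python
import re
from typing import List, Tuple

Pattern = Tuple[str, str, int]   # (pattern, "wildcard" or "regex", score)


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Unanchored wildcard: a pattern may match part of a word, and '*' spans
    anything in between its literal parts (assumed semantics)."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(literal_parts), re.IGNORECASE | re.DOTALL)


def banned_word_score(message: str, patterns: List[Pattern]) -> Tuple[int, List[str]]:
    """Sum the scores of the patterns found in the message.

    re.search (not findall) is deliberate: a pattern contributes its score once
    no matter how many times it occurs, as the page describes."""
    total = 0
    matched: List[str] = []
    for pattern, kind, score in patterns:
        if kind == "wildcard":
            regex = wildcard_to_regex(pattern)
        else:
            regex = re.compile(pattern, re.IGNORECASE)
        if regex.search(message):
            total += score
            matched.append(pattern)
    return total, matched


def is_spam(message: str, patterns: List[Pattern], threshold: int = 10) -> bool:
    """Treat the message as spam once the summed score reaches the threshold.
    With the page's defaults (score 10, threshold 10) one match is enough."""
    total, _ = banned_word_score(message, patterns)
    return total >= threshold


# The page's example sentence and wildcard patterns, plus one regex pattern
# (constructed) to show the other pattern type.
SENTENCE = ("The score for each word or phrase is counted only once, even if that "
            "word or phrase appears many times in the email message.")

BANNED: List[Pattern] = [
    ("word", "wildcard", 20),         # appears twice, counted once -> 20
    ("word phrase", "wildcard", 20),  # the two words are never adjacent -> 0
    ("word*phrase", "wildcard", 20),  # "word" before "phrase", anything between -> 20
    ("mail*age", "wildcard", 20),     # "mail" (in email) before "age" (in message) -> 20
    (r"\bonce\b", "regex", 5),        # whole-word regular expression -> 5
]

if __name__ == "__main__":
    print(banned_word_score(SENTENCE, BANNED))   # (65, ['word', 'word*phrase', 'mail*age', '\\bonce\\b'])
    print(is_spam(SENTENCE, BANNED))             # True
```

Because every match is counted once, raising a pattern's score is the only way to make a single occurrence weigh more; repeating the pattern in the list would be counted as separate entries, which is a different thing from counting repeated occurrences.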