Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.0.8 Administration Guide
    7.0.8
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Filtering order

    Filtering order

    The FortiGate checks for spam using various filtering techniques. The filtering order used by the FortiGate depends on which mail protocol is used.

    Filters requiring a query to a server and a reply (FortiGuard Antispam service and DNSBL/ORDBL) are run simultaneously. To avoid delays, queries are sent while other filters are running. The first reply to trigger a spam action takes effect as soon as the reply is received.

    Each spam filter passes the email to the next if no matches or problems are found. If the action in the filter is Mark as Spam, the FortiGate tags the email as spam according to the settings in the email filter profile. If the action in the filter is Mark as Reject, the email session is dropped. If the action in the filter is Mark as Clear, the email is exempt from any remaining filters. For SMTP and SMTPS, if the action is Discard, the email is discarded or dropped.

    SMTP and SMTPS spam filtering order

    The FortiGate scans SMTP and SMTPS email for spam in a specific order, which depends on whether or not the local override feature is enabled. This feature is disabled by default, but enabling it gives priority to local spam filters.

    You can enable local override (set local-override) in an email filter profile to override SMTP or SMTPS remote checks, which includes checks for IP RBL, IP FortiGuard AntiSpam, and HELO DNS with the locally defined antispam block and/or allow lists.

    Note

    SMTPS spam filtering is available on FortiGates that support SSL content scanning and inspection.
    To configure local override of an antispam filter:
    config emailfilter profile
    edit <name>
        set spam-filtering enable
        set options spambal spamfsip spamfsurl spamhelodns spamfsphish
        config smtp
            set local-override {enable | disable}
        end
        set spam-bal-table 1
    next
end

    Local override disabled

    Local override enabled
    1. HELO DNS lookup, last hop IP check against ORDBL
    2. Return email DNS check, FortiGuard email checksum check, FortiGuard URL check, FortiGuard IP address check, phishing URLs detection
    3. Last hop IP checks local block/allow list
    4. Envelope address checks local block/allow list
    5. Headers IPs local block/allow list
    6. Headers email address local block/allow list, MIME header checks based on local list of patterns (mheader)
    7. Banned words (subject first, then body) based on local block/allow list (bword)
    1. Last hop IP checks local block/allow list
    2. Envelope address checks local block/allow list
    3. Headers IPs local block/allow list, MIME header checks based on local list of patterns (mheader)
    4. Headers email address local block/allow list
    5. Banned words (subject first, then body) based on local list of patterns (bword)
    6. HELO DNS lookup, last hop IP check against ORDBL
    7. Return email DNS check, FortiGuard email checksum check, FortiGuard URL check, FortiGuard IP address check, phishing URLs detection

    IMAP, IMAPS, POP3, and POP3S spam filtering order

    The FortiGate scans IMAP, IMAPS, POP3, and POP3S email for spam in the following order:

    1. MIME headers check, email address block/allow list check
    2. Banned word check on email subject
    3. IP block/allow list check
    4. Banned word check on email body
    5. Return email DNS check, FortiGuard email checksum check, FortiGuard URL check, DNSBL and ORDBL checks
    Note

    IMAPS and POP3S spam filtering are available on FortiGates that support SSL content scanning and inspection.
    Previous
    Next

    Filtering order

    Filtering order

    The FortiGate checks for spam using various filtering techniques. The filtering order used by the FortiGate depends on which mail protocol is used.

    Filters requiring a query to a server and a reply (FortiGuard Antispam service and DNSBL/ORDBL) are run simultaneously. To avoid delays, queries are sent while other filters are running. The first reply to trigger a spam action takes effect as soon as the reply is received.

    Each spam filter passes the email to the next if no matches or problems are found. If the action in the filter is Mark as Spam, the FortiGate tags the email as spam according to the settings in the email filter profile. If the action in the filter is Mark as Reject, the email session is dropped. If the action in the filter is Mark as Clear, the email is exempt from any remaining filters. For SMTP and SMTPS, if the action is Discard, the email is discarded or dropped.

    SMTP and SMTPS spam filtering order

    The FortiGate scans SMTP and SMTPS email for spam in a specific order, which depends on whether or not the local override feature is enabled. This feature is disabled by default, but enabling it gives priority to local spam filters.

    You can enable local override (set local-override) in an email filter profile to override SMTP or SMTPS remote checks, which includes checks for IP RBL, IP FortiGuard AntiSpam, and HELO DNS with the locally defined antispam block and/or allow lists.

    Note

    SMTPS spam filtering is available on FortiGates that support SSL content scanning and inspection.
    To configure local override of an antispam filter:
    config emailfilter profile
    edit <name>
        set spam-filtering enable
        set options spambal spamfsip spamfsurl spamhelodns spamfsphish
        config smtp
            set local-override {enable | disable}
        end
        set spam-bal-table 1
    next
end

    Local override disabled

    Local override enabled
    1. HELO DNS lookup, last hop IP check against ORDBL
    2. Return email DNS check, FortiGuard email checksum check, FortiGuard URL check, FortiGuard IP address check, phishing URLs detection
    3. Last hop IP checks local block/allow list
    4. Envelope address checks local block/allow list
    5. Headers IPs local block/allow list
    6. Headers email address local block/allow list, MIME header checks based on local list of patterns (mheader)
    7. Banned words (subject first, then body) based on local block/allow list (bword)
    1. Last hop IP checks local block/allow list
    2. Envelope address checks local block/allow list
    3. Headers IPs local block/allow list, MIME header checks based on local list of patterns (mheader)
    4. Headers email address local block/allow list
    5. Banned words (subject first, then body) based on local list of patterns (bword)
    6. HELO DNS lookup, last hop IP check against ORDBL
    7. Return email DNS check, FortiGuard email checksum check, FortiGuard URL check, FortiGuard IP address check, phishing URLs detection

    IMAP, IMAPS, POP3, and POP3S spam filtering order

    The FortiGate scans IMAP, IMAPS, POP3, and POP3S email for spam in the following order:

    1. MIME headers check, email address block/allow list check
    2. Banned word check on email subject
    3. IP block/allow list check
    4. Banned word check on email body
    5. Return email DNS check, FortiGuard email checksum check, FortiGuard URL check, DNSBL and ORDBL checks
    Note

    IMAPS and POP3S spam filtering are available on FortiGates that support SSL content scanning and inspection.
    Previous
    Next