Local-based filters
There are six types of local spam filters:
- HELO DNS lookup
- Return email DNS check
- Block/allow list
- Banned words*
- Trusted IP addresses*
- MIME header*
* These filters can only be configured in the CLI.
By default, HELO DNS and return email DNS checks are done before the block/allow list check. In some situations, such as when a block/allow list entry is configured to clear an email from further filtering, configure the following to give precedence to the block/allow list:

```
config emailfilter profile
    edit <name>
        config smtp
            set local-override enable
        end
    next
end
```
HELO DNS lookup and return email DNS checking are not supported while in flow-based inspection mode. See Inspection mode feature comparison.
HELO DNS lookup
Whenever a client opens an SMTP session with a server, the client sends a HELO command with the client domain name. The FortiGate takes the domain name specified by the client in the HELO and performs a DNS lookup to determine if the domain exists. If the lookup fails, the FortiGate determines that any emails delivered during the SMTP session are spam. The HELO DNS lookup is only available for SMTP traffic.
Return email DNS check
When return email DNS checking is enabled, the FortiGate takes the domain from the reply-to email address and queries the DNS servers for an A or MX record for that domain. If no such record exists, the FortiGate treats the email as spam.
Block/allow list
Block/allow lists can be made from emails or IP subnets to forbid or allow them to send or receive emails. The following table summarizes the configurable options in a block/allow list.
| Type | Description | Pattern | Action |
|---|---|---|---|
| IP/Netmask and IPv6/Netmask | The FortiGate compares the IP address of the client delivering the email to the addresses in the IP address block/allow list specified in the email filter profile. If a match is found, the FortiGate takes the action configured for the matching block/allow list entry against all delivered email. By default the | The filter is an IP address with a subnet mask. | |
| Recipient Address | The FortiGate compares the recipient email address in the RCPT TO envelope header and the To: mail header to the specified pattern. If a match is found, the FortiGate takes the action configured for the matching block/allow list entry. | | |
| Sender Address | The FortiGate compares the sender email address in the MAIL FROM envelope header, the From: mail header, and the Sender: mail header to the specified pattern. If a match is found, the FortiGate takes the action configured for the matching block/allow list entry. | | |
| Subject | The FortiGate compares the contents of the Subject: mail header to the specified pattern. If a match is found, the FortiGate takes the action configured for the matching block/allow list entry. | | |
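The check ordering described above (HELO DNS and return email DNS first by default, block/allow list first when local-override is enabled) and the IP and sender-address matching from the table, modelled in Python as an added example. This is not FortiOS code: the DNS table FAKE_DNS, the block/allow list entries, and the function names (resolve_records, helo_dns_check, return_email_dns_check, block_allow_list_action, classify_session) are all constructed for this illustration, and only the IP and Sender Address entry types are modelled.

```python
import fnmatch
import ipaddress
from typing import Dict, List, Optional

# Constructed DNS table: domain -> record types present. Unlisted names
# resolve to nothing, which is what a failed lookup looks like here.
FAKE_DNS: Dict[str, set] = {
    "mail.example.net": {"A"},
    "example.org": {"MX"},
}


def resolve_records(domain: str, dns: Dict[str, set] = FAKE_DNS) -> set:
    """Stand-in for a DNS query; returns the record types found for domain."""
    return dns.get(domain.lower().rstrip("."), set())


def helo_dns_check(helo_name: str) -> bool:
    """HELO DNS lookup: True means the HELO domain does not exist (spam)."""
    return not resolve_records(helo_name)


def return_email_dns_check(reply_to: str) -> bool:
    """Return email DNS check: True means the reply-to domain has no A or MX record (spam)."""
    domain = reply_to.rsplit("@", 1)[-1]
    return not (resolve_records(domain) & {"A", "MX"})


def block_allow_list_action(client_ip: str, mail_from: str,
                            entries: List[Dict[str, str]]) -> Optional[str]:
    """First matching block/allow list entry wins; None when nothing matches.

    Entry shape (constructed for this example):
      {"type": "ip", "pattern": "10.1.100.0/24", "action": "clear"}
      {"type": "email", "pattern": "*@spam.test", "action": "spam"}
    """
    ip = ipaddress.ip_address(client_ip)
    for entry in entries:
        if entry["type"] == "ip" and ip in ipaddress.ip_network(entry["pattern"], strict=False):
            return entry["action"]
        if entry["type"] == "email" and fnmatch.fnmatchcase(mail_from.lower(), entry["pattern"].lower()):
            return entry["action"]
    return None


def classify_session(client_ip: str, helo_name: str, mail_from: str, reply_to: str,
                     entries: List[Dict[str, str]], local_override: bool = False) -> str:
    """Run the local checks in FortiGate order and return the first verdict.

    Default order: HELO DNS, return email DNS, then block/allow list.
    With local-override enabled the block/allow list runs first, so an
    allow entry (action clear) exempts the session from the DNS checks.
    """
    def dns_checks() -> Optional[str]:
        if helo_dns_check(helo_name):
            return "spam:helo-dns"
        if return_email_dns_check(reply_to):
            return "spam:return-email-dns"
        return None

    def bal_check() -> Optional[str]:
        action = block_allow_list_action(client_ip, mail_from, entries)
        return f"{action}:block-allow-list" if action else None

    order = [bal_check, dns_checks] if local_override else [dns_checks, bal_check]
    for check in order:
        verdict = check()
        if verdict:
            return verdict
    return "pass"


# Constructed block/allow list: an internal relay that should bypass further
# filtering, and a sender domain that should always be tagged as spam.
EXAMPLE_BAL = [
    {"type": "ip", "pattern": "10.1.100.0/24", "action": "clear"},
    {"type": "email", "pattern": "*@spam.test", "action": "spam"},
]

if __name__ == "__main__":
    # Internal relay whose HELO name does not resolve: with the default order the
    # HELO check fires first; with local-override the allow entry clears it.
    args = ("10.1.100.5", "relay.internal", "user@example.org", "user@example.org", EXAMPLE_BAL)
    print("default order :", classify_session(*args))
    print("local-override:", classify_session(*args, local_override=True))
```

The relay case is the one the note about local-override is addressing: an allow entry that is meant to clear internal mail has no effect under the default ordering if the relay's HELO name is not resolvable, because the HELO check has already marked the session as spam.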
Banned words
When banned word checking is enabled, the FortiGate examines emails for words that appear in the banned word list specified in the email filter profile.
The banned word pattern can be either wildcard or Perl regular expression, which could include part of a word, a whole word, a phrase, multiple words, or multiple phrases.
Each time the banned word filter detects a pattern in an email, it adds the pattern score to the sum of scores for the message. The score is set when creating a new pattern to block content (set score). Higher scores indicate more offensive content. If the total score of the discovered banned words in the email reaches or exceeds the threshold value set in the email filter profile, then the FortiGate treats the email as spam. The score for each pattern is counted only once, even if that pattern appears many times in the email. The default score for banned word patterns is 10, and the default threshold in the email filter is 10. This means that by default, an email message is blocked by a single match.
For example, if the FortiGate scans an email containing only this sentence: “The score for each word or phrase is counted only once, even if that word or phrase appears many times in the email message.” and the banned word list contains the following patterns:
| Banned word pattern | Pattern type | Assigned score | Score added to sum for entire page | Comments |
|---|---|---|---|---|
| word | Wildcard | 20 | 20 | The pattern appears twice, but it is counted once. |
| word phrase | Wildcard | 20 | 0 | Both words appear in the email, but they do not appear together as specified in the pattern. There are no matches. |
| word*phrase | Wildcard | 20 | 20 | A match occurs as long as “word” appears before “phrase” regardless of what is in between them. The pattern appears twice, but it is counted once. |
| mail*age | Wildcard | 20 | 20 | This pattern is a match because “email message” appears in the email. |
The email would be treated as spam if the banned word threshold is set to 60 or less.
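The scoring rules above (wildcard and regexp patterns, each pattern counted once, total compared against the profile threshold) run over the sample sentence and the four table rows, as an added Python example. This is not FortiOS code: the helper names (wildcard_to_regex, pattern_matches, score_email, is_spam) are invented here, and SAMPLE_EMAIL and BANNED_WORDS are constructed inputs copied from the worked example in the text.

```python
import re
from typing import Dict, List, Tuple

# Constructed input: the sentence the text scans, and the four table rows as
# (pattern, pattern-type, assigned score).
SAMPLE_EMAIL = ("The score for each word or phrase is counted only once, even if "
                "that word or phrase appears many times in the email message.")
BANNED_WORDS: List[Tuple[str, str, int]] = [
    ("word", "wildcard", 20),
    ("word phrase", "wildcard", 20),
    ("word*phrase", "wildcard", 20),
    ("mail*age", "wildcard", 20),
]


def wildcard_to_regex(pattern: str) -> str:
    """Wildcard pattern: '*' matches any run of characters, spaces included,
    so 'word*phrase' matches 'word or phrase'; everything else is literal."""
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def pattern_matches(pattern: str, pattern_type: str, text: str) -> bool:
    """True if the wildcard or Perl-style regexp pattern occurs anywhere in text."""
    regex = wildcard_to_regex(pattern) if pattern_type == "wildcard" else pattern
    return re.search(regex, text, re.IGNORECASE | re.DOTALL) is not None


def score_email(text: str, banned_words: List[Tuple[str, str, int]]) -> Tuple[int, Dict[str, int]]:
    """Sum the scores of matching patterns; each pattern counts at most once,
    however often it occurs. Returns (total, score contributed per pattern)."""
    per_pattern: Dict[str, int] = {}
    for pattern, pattern_type, score in banned_words:
        per_pattern[pattern] = score if pattern_matches(pattern, pattern_type, text) else 0
    return sum(per_pattern.values()), per_pattern


def is_spam(text: str, banned_words: List[Tuple[str, str, int]], threshold: int = 10) -> bool:
    """Spam when the total reaches the profile threshold. The defaults follow
    the text: score 10 per pattern and threshold 10, so one match is enough."""
    total, _ = score_email(text, banned_words)
    return total >= threshold


if __name__ == "__main__":
    total, detail = score_email(SAMPLE_EMAIL, BANNED_WORDS)
    for pattern, score in detail.items():
        print(f"{pattern!r:16} -> {score}")
    print("total:", total)
    print("spam at threshold 60:", is_spam(SAMPLE_EMAIL, BANNED_WORDS, 60))
    print("spam at threshold 70:", is_spam(SAMPLE_EMAIL, BANNED_WORDS, 70))
```

Note that the wildcard translation deliberately lets `*` span spaces, which is what makes `mail*age` match across "email message"; a pattern without `*` is a plain substring match, so `word` also matches inside "words".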
To apply a banned word filter to an email filter profile:
- Configure the banned words list:
```
config emailfilter bword
    edit 1
        set name "banned"
        config entries
            edit 23
                set pattern-type {wildcard | regexp}
                set pattern <string>
                set score <1 - 99999>
            next
        end
    next
end
```
- Configure the email filter profile:
```
config emailfilter profile
    edit "myBannedWordsProfile"
        set spam-filtering enable
        set options bannedword
        set spam-bword-threshold <0 - 2147483647>
        set spam-bword-table 1
    next
end
```

`spam-bword-table` references the ID of the banned word list (`edit 1` above), not the ID of an entry inside it.
Once a banned word list is configured in the CLI and applied to an email filter profile, some settings can be edited in the GUI for that particular email filter profile. A banned word profile can be selected, and its Threshold (
Trusted IP addresses
When the FortiGate is configured with a list of trusted IP addresses, any incoming email traffic from these IP addresses is exempt from IP-based checks, such as DNSBL, RBL, the FortiGuard Antispam service, or locally defined IP block lists.
If the FortiGate sits behind a company’s mail transfer units, it may be unnecessary to check email IP addresses because they are internal and trusted. In this case, only external IP addresses would be checked. In some cases, external IP addresses may be added to the list if they are known to not be spam sources.
To configure a trusted IP address list:
- Define the IP address list:
```
config emailfilter iptrust
    edit 1
        set name "trustedIP"
        config entries
            edit 33
                set addr-type {ipv4 | ipv6}
                set ipv4-subnet <IPv4_classnet>
                set ipv6-subnet <IPv6_network>
            next
        end
    next
end
```
- Add the list to the email filter profile:
```
config emailfilter profile
    edit "email_filter_profile"
        set spam-iptrust-table 1
    next
end
```
MIME header
This feature filters email by matching a MIME header field name and field body against a wildcard or regular expression pattern, and marks matching messages as spam or clears them.
To configure a MIME header check:
- Define the header content:
```
config emailfilter mheader
    edit 100
        set name "mheader"
        config entries
            edit 1
                set fieldname <string>
                set fieldbody <string>
                set pattern-type {wildcard | regexp}
                set action {spam | clear}
            next
        end
    next
end
```
- Add the header to the email filter profile:
```
config emailfilter profile
    edit "email_filter_profile"
        set options spamhdrcheck
        set spam-mheader-table 100
    next
end
```
Configuring a local-based email filter
To configure a local-based email filter in the GUI:
- Configure the email filter profile:
  - Go to Security Profiles > Email Filter and click Create New, or edit an existing profile.
  - Select a Feature set (Proxy-based is used in this example) and enable Enable spam detection and filtering.
  - In the Local Spam Filtering section, enable the desired filters (HELO DNS Lookup, Return Email DNS Check, Block/Allow List).
  - In the Block/Allow List table, click Create New. The Create Anti-Spam Block/Allow List Entry pane opens.
    - Set the Type to IP/Netmask and enter an IP/Netmask.
    - Select an Action.
    - Click OK to save the block/allow list.
  - Click OK to save the email filter profile.
- Configure the firewall policy:
  - Go to Policy & Objects > Firewall Policy and click Create New, or edit an existing policy.
  - Set the Inspection Mode to Proxy-based.
  - Enable the Email Filter option and select the previously created profile.
  - Set SSL Inspection to a profile that has deep SSL inspection enabled.
    Deep inspection is required to filter SMTP, POP3, IMAP, or any SSL/TLS encapsulated protocol.
  - Configure the other settings as needed.
  - Click OK.
To configure a local-based email filter in the CLI:
- Configure a block/allow list:
```
config emailfilter block-allow-list
    edit 1
        set name "myBAL"
        config entries
            edit 1
                set status enable
                set type ip
                set action spam
                set addr-type ipv4
                set ip4-subnet 10.1.100.0 255.255.255.0
            next
        end
    next
end
```
- Configure an email filter profile:
```
config emailfilter profile
    edit "myLocalEmailFilter"
        set spam-filtering enable
        set options spambal spamhelodns spamraddrdns
        config smtp
            set action tag
        end
        set spam-bal-table 1
    next
end
```
- Use the profile in a firewall policy:
```
config firewall policy
    edit 1
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection"
        set emailfilter-profile "myLocalEmailFilter"
    next
end
```