Administration Guide

How FortiMail processes email

FortiMail units receive email for defined email domains and control relay of email to other domains. Email passing through the FortiMail unit can be scanned for viruses and spam. Policies and profiles govern how the FortiMail unit scans email and what it does with email messages containing viruses or spam. For information about policies, see Configuring policies. For information about profiles, see Configuring profiles.

In addition to policies and profiles, other configured items, such as email domains, may affect how your FortiMail unit processes email.

Email domains

An email domain is a set of email accounts that reside on a particular email server. The email domain name is the portion of the user’s email address following the “@” symbol.

FortiMail units can be configured to protect email domains (referred to as “protected domains” in this Administration Guide) by defining policies and profiles to scan and relay incoming and outgoing email.

If the FortiMail unit is operating in gateway mode or transparent mode, there is one local email domain that represents the FortiMail unit itself. If the FortiMail unit is operating in server mode, protected domains reside locally on the FortiMail unit’s built-in email server.

For information about creating protected domains, see Configuring protected domains.

In transparent mode, each network interface includes a proxy and/or implicit MTA that receives and relays email. By default, the proxy/implicit MTA responds to SMTP greetings (HELO/EHLO) using the host name of the SMTP server of the protected domain. This “masquerade” hides the existence of the FortiMail unit. For information on configuring the SMTP greeting, see Configuring protected domains.

Access control rules

The access control rules allow you to control how email messages move to, from, and through the FortiMail unit. Using access control rules the FortiMail unit can analyze email messages and take action based on the result. Messages can be examined according to the sender email address, recipient email address, and the IP address or host name of the system delivering the email message.

Each access control rule specifies an action to be taken for matching email.

For information about configuring access control rules, see Configuring access control rules.

Recipient address verification

Recipient address verification ensures that the FortiMail unit rejects email with invalid recipients and does not scan or send them to the protected email server. This verification can reduce the load on the FortiMail unit when a spammer tries to send messages to every possible recipient name on the email server.

If you want to use recipient address verification, you need to verify email recipient addresses by using either the email server or an LDAP server.

Usually you can use the email server to perform address verification. This works with most email servers that provide a User unknown response to invalid addresses.

For instructions on configuring recipient address verification, see Configuring protected domains.

Disclaimer messages and customized appearance

You can customize both the disclaimer and replacement messages, as well as the appearance of the FortiMail unit interface.

The disclaimer message is attached to all email, generally warning the recipient the contents may be confidential.

Replacement messages are messages recipients receive instead of their email. These can include warnings about messages sent and incoming messages that are spam or infected with a virus. See Customizing replacement messages.

You can customize the appearance of the FortiMail unit web pages visible to mail administrators to better match a company look and feel. See Customizing the GUI appearance.

Advanced delivery features

Processing email takes time. Processing delays can cause clients and servers to time out. To reduce this problem, you can:

  • defer delivery to process oversized email at a time when traffic is expected to be light
  • send delivery status notifications (DSN)

For full configuration and procedural details regarding oversized emails, see the Cookbook recipe Downloading oversized email attachments.

Antispam techniques

Spam detection is a key feature of the FortiMail unit. The feature is based on two tiers of spam defense:

  • the FortiGuard Antispam managed service
  • the antispam technologies built into the FortiMail unit itself

Each tier plays an important role in separating spam from legitimate email. FortiGuard Antispam delivers a highly-tuned managed service for the classification of spam, while the FortiMail unit offers superior antispam detection and control technologies.

In addition to scanning incoming email messages, FortiMail units can also inspect the content of outgoing email messages. This can help eliminate the possibility that an employee or a compromised computer could send spam, resulting in the blocklisting of your organization’s email servers.

For more information on FortiMail antispam techniques, see Configuring profiles and Configuring security settings.

FortiMail antispam techniques

The following table highlights some of the FortiMail antispam techniques. For information about how these techniques are executed, see Order of execution.

FortiMail antispam technique highlights

Greylist scanning

See Configuring greylisting.

DNSBL scanning

In addition to supporting Fortinet’s FortiGuard Antispam DNSBL service, the FortiMail unit supports third-party DNS Blocklist servers.

SURBL scanning

In addition to supporting Fortinet’s FortiGuard Antispam SURBL service, the FortiMail unit supports third-party Spam URL Realtime Block Lists servers. See Configuring SURBL options.

Bayesian scanning

See Training the Bayesian databases.

Heuristic scanning

See Configuring heuristic options.

Image spam scanning

See Configuring image spam options.

PDF scanning

See Configuring scan options.

Block/safe lists

Banned word scanning

See Configuring banned word options.

Safe list word scanning

See Configuring safelist word options.

Sender reputation

See Viewing sender reputation statuses.

FortiGuard Antispam service

The FortiGuard Antispam service is a Fortinet-managed service that provides a three-element approach to screening email messages.

The first element is a DNS Block List (DNSBL) which is a “living” list of known spam origins.

The second element is in-depth email screening based on Uniform Resource Locators (URLs) contained in the message body, commonly known as Spam URL Realtime Block Lists (SURBLs).

The third element is the FortiGuard Antispam Spam Checksum Blocklist (SHASH) feature. Using SHASH, the FortiMail unit sends a hash of an email to the FortiGuard Antispam server which compares the hash to hashes of known spam messages stored in the FortiGuard Antispam database. If the hash results match, the email is flagged as spam.

FortiGuard query results can be cached in memory to save network bandwidth.

FortiGuard Antispam DNSBL

To achieve up-to-date real-time identification, the FortiGuard Antispam service uses globally distributed spam probes that receive over one million spam messages per day. The FortiGuard Antispam service uses multiple layers of identification processes to produce an up-to-date list of spam origins. To further enhance the service and streamline performance, the FortiGuard Antispam service continuously retests each of the “known” identities in the list to determine the state of the origin (active or inactive). If a known spam origin has been decommissioned, the FortiGuard Antispam service removes the origin from the list, thus providing customers with both accuracy and performance.

The FortiMail FortiGuard Antispam DNSBL scanning process works this way:

  1. Incoming email (SMTP) connections are directed to the FortiMail unit.
  2. Upon receiving the inbound SMTP connection request, the FortiMail unit extracts the source information (sending server’s domain name and IP address).
  3. The FortiMail unit transmits the extracted source information to Fortinet’s FortiGuard Antispam service using a secure communication method.
  4. The FortiGuard Antispam service checks the sender’s source information against its DNSBL database of known spam sources and sends the results back to the FortiMail unit.
  5. The results are cached on the FortiMail unit.
  • If the results identify the source as a known spam source, the FortiMail unit acts according to its configured policy.
  • The cache on the FortiMail unit is checked for additional connection attempts from the same source. The FortiMail unit does not need to contact the FortiGuard Antispam service if the results of a previous connection attempt are cached.
  • Additional connection requests from the same source do not need to be submitted to the FortiGuard Antispam service again because the classification is stored in the system cache.

Once the incoming connection has passed the first pass scan (DNSBL), and has not been classified as spam, it will then go through a second pass scan (SURBL) if the administrator has configured the service.

FortiGuard Antispam SURBL

To detect spam based on the message body URLs (usually web sites), Fortinet uses FortiGuard Antispam SURBL technology. Complementing the DNSBL component, which blocks messages based on spam origin, SURBL technology blocks messages that have spam hosts mentioned in message bodies. By scanning the message body, SURBL is able to determine if the message is a known spam message regardless of origin. This augments the DNSBL technology by detecting spam messages from a spam source that may be dynamic, or a spam source that is yet unknown to the DNSBL service. The combination of both technologies provides a superior managed service with higher detection rates than traditional DNSBLs or SURBLs alone.

The FortiMail FortiGuard Antispam SURBL scanning process works this way:

  1. After accepting an incoming SMTP connection (passed first-pass scan), the email message is received.
  2. After an incoming SMTP connection has passed the DNSBL scan, the FortiMail unit accepts delivery of email messages.
  3. The FortiMail unit generates a signature (URL) based on the contents of the received email message.
  4. The FortiMail unit transmits the signature to the FortiGuard Antispam service.
  5. The FortiGuard Antispam service checks the email signature against its SURBL database of known signatures and sends the results back to the FortiMail unit.
  6. The results are cached on the FortiMail unit.
  • If the results identify the signature as known spam email content, the FortiMail unit acts according to its configured policy.
  • Additional connection requests with the same email signature do not need to be re-classified by the FortiGuard Antispam service, and can be checked against the classification in the system cache.
  • Additional messages with the same signature do not need to be submitted to the FortiGuard Antispam service again because the signature classification is stored in the system cache.

Once the message has passed both elements (DNSBL and SURBL), it goes to the next layer of defense: the FortiMail unit itself, which includes additional spam classification technologies.
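The two-pass DNSBL/SURBL flow described above, as an added example that is not FortiMail's or Fortinet's code. FortiGuard's query protocol is proprietary, so this uses the conventional DNS-based lookup format that the third-party DNSBL and SURBL servers mentioned earlier use, with a pluggable resolver (stubbed here with constructed data so it runs offline) and the result cache the text describes. The zone names, the stub resolver and the last-two-labels domain reduction are assumptions of the example.

```python
import ipaddress
import re
from typing import Callable, Dict, Optional, Set
from urllib.parse import urlparse

# A resolver answers "is this name listed?": True when the zone returns an A record,
# False on NXDOMAIN. Production code would do a real DNS query here.
Resolver = Callable[[str], bool]


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Conventional DNSBL lookup name: IPv4 octets reversed, under the list zone.
    192.0.2.10 checked against "dnsbl.example" becomes 10.2.0.192.dnsbl.example."""
    if ipaddress.ip_address(client_ip).version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(client_ip.split("."))) + "." + zone


URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def body_domains(body: str) -> Set[str]:
    """Hosts of every http(s) URL in the body, lowercased and reduced to the last two
    labels (a simplification of registered-domain logic, assumed for the example)."""
    domains: Set[str] = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            labels = host.lower().rstrip(".").split(".")
            domains.add(".".join(labels[-2:]))
    return domains


def surbl_query_name(domain: str, zone: str) -> str:
    """SURBL-style lookup name: the body domain under the list zone."""
    return f"{domain}.{zone}"


class BlocklistChecker:
    """Looks up client IPs (DNSBL) and body URLs (SURBL) against two zones and
    caches every verdict, so repeat connections and repeat messages never
    trigger a second query for the same name."""

    def __init__(self, resolver: Resolver, dnsbl_zone: str, surbl_zone: str):
        self.resolver = resolver
        self.dnsbl_zone = dnsbl_zone
        self.surbl_zone = surbl_zone
        self.cache: Dict[str, bool] = {}
        self.lookups = 0  # counts actual resolver calls, i.e. cache misses

    def _listed(self, name: str) -> bool:
        if name not in self.cache:
            self.lookups += 1
            self.cache[name] = self.resolver(name)
        return self.cache[name]

    def check_connection(self, client_ip: str) -> bool:
        """First pass, at connection time: is the sending IP a known spam origin?"""
        return self._listed(dnsbl_query_name(client_ip, self.dnsbl_zone))

    def check_message(self, body: str) -> Optional[str]:
        """Second pass, after DATA: return the first listed body domain, else None."""
        for domain in sorted(body_domains(body)):
            if self._listed(surbl_query_name(domain, self.surbl_zone)):
                return domain
        return None


def two_pass_verdict(checker: BlocklistChecker, client_ip: str, body: str) -> str:
    """DNSBL first; only a connection that passes it gets the SURBL body scan."""
    if checker.check_connection(client_ip):
        return "spam:dnsbl"
    listed = checker.check_message(body)
    return f"spam:surbl:{listed}" if listed else "clean"


# Constructed sample zone contents standing in for real DNS answers.
LISTED_NAMES = {"10.2.0.192.dnsbl.example", "spam-site.example.surbl.example"}


def stub_resolver(name: str) -> bool:
    return name in LISTED_NAMES


if __name__ == "__main__":
    checker = BlocklistChecker(stub_resolver, "dnsbl.example", "surbl.example")
    body = "Click http://www.spam-site.example/offer or https://mail.good.example/inbox."
    print(two_pass_verdict(checker, "192.0.2.10", body))     # listed origin
    print(two_pass_verdict(checker, "198.51.100.5", body))   # clean origin, listed URL
    print(checker.lookups, "resolver calls")
```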

Order of execution

FortiMail units perform each of the antispam scanning and other actions listed in the sequence presented in the following table. Disabled scans are skipped. This is a general sequence only and actions are based on the results of many factors.

Note

This table does not include everything the FortiMail unit does when a client connects to deliver email. Only the antispam techniques, and other functions having an effect on the antispam techniques, are included. Other non-antispam functions may be running in parallel to the ones in the table.

Note

FortiMail actions can be categorized as follows:

  • Final actions: Reject, discard, rewrite, personal quarantine, and system quarantine. If one of these actions is taken, no further scanning is performed.
  • Non-final actions: Tag, add header, replace, archive, notify, BCC, and encrypt. If one or more of these actions have been taken, FortiMail continues to process the email with the other scanners.
  • Delivery actions: Original Host, Alternate Host, BCC

Exceptions:

  • If antivirus scanning is matched, antispam scanning is skipped.
  • If antivirus and antispam scanning are matched with non-final actions, attachment scanning is still done but content monitoring is not.
  • If Sandbox scanning is matched, content monitoring is still done.
  • If FortiGuard antispam and IP reputation checking detects spam, no further antispam checking is performed, even though the actions are non-final.

Note

The PDF file type scan does not appear in this table. When enabled, the PDF file type scan converts the first page of any PDF attachment into a format the heuristic, banned word, and image spam scanners can scan. If any of these scanners are enabled, they scan the first page of the PDF at the same time they examine the message body, according to the sequence in the table below.

Execution sequence of antispam techniques

The original table has four columns: Check, Check involves, Action if positive, and Action if negative. Each check below is listed with those fields, grouped by the SMTP phase in which it runs.

Client initiates communication with the FortiMail unit

Sender reputation
  Check involves: Client IP address
  Action if positive: If the client IP is in the sender reputation database, check the score and enable any appropriate restrictions, if any.
  Action if negative: Add the IP address to the sender reputation database and keep a reputation score based on the email received. Proceed to the next check.

FortiGuard block IP check
  Check involves: Client IP address
  Action if positive: If “Check FortiGuard Block IP at connection phase” is enabled in a session profile, FortiMail checks the client IP address against the FortiGuard block IP list. If positive, FortiMail rejects the email.
  Action if negative: Proceed to the next check.

Endpoint reputation
  Check involves: Client endpoint ID
  Action if positive: If the client endpoint ID is in the sender reputation database, check the score and enable any appropriate restrictions, if any.
  Action if negative: Add the IP address to the endpoint reputation database and keep a reputation score based on the email received. Proceed to the next check.

Sender rate control per connection
  Check involves: Client IP address
  Action if positive: Apply any connection limitations specified in the session profile. Proceed to the next check.
  Action if negative: If there are no connection limitations, or if no session profile applies, proceed to the next check.

HELO/EHLO received from SMTP client

HELO/EHLO
  Check involves: Domain of the HELO/EHLO command
  Action if positive: If invalid characters appear in the domain, reject the HELO/EHLO command. The session does not continue until a proper HELO/EHLO command is received.
  Action if negative: Proceed to the next check.

MAIL FROM: and RCPT TO: commands received from SMTP client

Sender rate control per message
  Check involves: Client IP address
  Action if positive: Apply any connection limitations specified in the session profile. Proceed to the next check.
  Action if negative: If there are no connection limitations, or if no session profile applies, proceed to the next check.

Sender domain check
  Check involves: Domain of envelope sender (MAIL FROM:)
  Action if positive: If any of the domain checks (the Check sender domain and Reject empty domains checks listed in Unauthenticated Session Settings in the session profile) fail, an error is returned to the SMTP client. The error depends on which particular check failed.
  Action if negative: Proceed to the next check.

System safe list (Phase I)
  Check involves: Client IP address and email address/domain of the envelope sender (MAIL FROM:)
  Action if positive: If the client IP or email address/domain of the sender appears in the system safe list, deliver the email and cancel remaining antispam checks (but not the antivirus and content checks).
  Action if negative: Proceed to the next check.

System block list (Phase I)
  Check involves: Client IP address and email address/domain of the envelope sender (MAIL FROM:)
  Action if positive: If the client IP or email address/domain of the sender appears in the system block list, invoke the block list action for the email.
  Action if negative: Proceed to the next check.

Session sender safe list (Phase I)
  Check involves: Client IP address and email address/domain of the envelope sender (MAIL FROM:)
  Action if positive: If the client IP or email address/domain of the sender appears in the session safe list, deliver the message and cancel remaining antispam checks (but not the antivirus and content checks).
  Action if negative: Proceed to the next check.

Session sender block list (Phase I)
  Check involves: Client IP address and email address/domain of the envelope sender (MAIL FROM:)
  Action if positive: If the client IP or email address/domain of the sender appears in the session block list, invoke the block list action for the message.
  Action if negative: Proceed to the next check.

Authentication difference check
  Check involves: Envelope sender (MAIL FROM:)
  Action if positive: Checks whether the sender email address in the SMTP envelope matches the authenticated user name. If a mismatch is not allowed in the IP-based policy, the email is rejected.
  Action if negative: Proceed to the next check.

Bounce verification
  Check involves: Envelope recipient (RCPT TO:)
  Action if positive: Apply the actions specified in the bounce verification settings.
  Action if negative: Proceed to the next check.

Access control rules
  Check involves: Client IP address, envelope sender and recipient (MAIL FROM: and RCPT TO:)
  Action if positive: If the combination of client IP, the domain/email address of the sender, and the domain/email of the recipient matches an access control rule (Policy > Access Control > Receiving), the FortiMail unit performs the action selected in the access control rule, which is one of the following:
    • Safe: Accept and relay the email, skipping all subsequent antispam checks, except greylisting, only if the recipient belongs to a protected domain or the sender is authenticated.
    • Safe & Relay: Accept and relay the email, skipping all subsequent antispam checks.
    • RELAY: Accept and relay the email if it passes subsequent antispam checks. Do not apply greylisting.
    • REJECT: Reject the email and return SMTP reply code 550 to the client.
    • DISCARD: Accept the email, but silently delete it instead of delivering it. Neither the sender nor the recipient is notified of the deletion.
  For more information, see Configuring access control rules.
  Action if negative: If no matching access control rule exists and the recipient is a member of a protected domain, the default action is RELAY; if the recipient is not a member of a protected domain, the default action is REJECT.

Recipient domain check
  Check involves: Domain of envelope recipient (RCPT TO:)
  Action if positive: If any of the domain checks (the Check recipient domain and Reject if recipient and helo domain match but sender domain is different checks listed in Unauthenticated Session Settings in the session profile) fail, an error is returned to the SMTP client. The error depends on which check failed.
  Action if negative: Proceed to the next check.

Session recipient safe list
  Check involves: Envelope recipient (RCPT TO:)
  Action if positive: If the recipient appears in the session recipient safe list, deliver the message and cancel remaining antispam checks (but not the antivirus and content checks).
  Action if negative: Proceed to the next check.

Session recipient block list
  Check involves: Envelope recipient (RCPT TO:)
  Action if positive: If the recipient appears in the session recipient block list, reject the message.
  Action if negative: Proceed to the next check.

Recipient verification
  Check involves: Envelope recipient (RCPT TO:)
  Action if positive: If the recipient is unknown, reject the message.
  Action if negative: Proceed to the next check.

Greylist
  Check involves: Envelope sender (MAIL FROM:), envelope recipient (RCPT TO:), and client IP subnet address
  Action if positive: If the sender is in the greylist database or if the client IP subnet appears in the greylist exempt list, the message is passed to the next check.
  Note: This check is omitted if the access control rule’s action is RELAY.
  Action if negative: If the sender is not in the greylist database, a temporary failure code is returned to the SMTP client.

DATA command received from SMTP client

System safe list (Phase II)
  Check involves: Message header sender (From:)
  Action if positive: If the email address/domain of the sender appears in the system safe list, deliver the message and cancel remaining antispam checks (but not the antivirus and content checks).
  Action if negative: Proceed to the next check.

System block list (Phase II)
  Check involves: Message header sender (From:)
  Action if positive: If the email address/domain of the sender appears in the system block list, invoke the block list action for the message.
  Action if negative: Proceed to the next check.

Domain safe list
  Check involves: Client IP, envelope sender (MAIL FROM:) and message header sender (From:)
  Action if positive: If the client IP or the email address/domain of the sender appears in the domain safe list, deliver the message and cancel remaining antispam checks (but not the antivirus and content checks).
  Action if negative: Proceed to the next check.

Domain block list
  Check involves: Client IP, envelope sender (MAIL FROM:) and message header sender (From:)
  Action if positive: If the client IP or the email address/domain of the sender appears in the domain block list, invoke the block list action for the message.
  Action if negative: Proceed to the next check.

Session sender safe list (Phase II)
  Check involves: Message header sender (From:)
  Action if positive: If the email address/domain of the sender appears in the session sender safe list, deliver the message and cancel remaining antispam checks (but not the antivirus and content checks).
  Action if negative: Proceed to the next check.

Session sender block list (Phase II)
  Check involves: Message header sender (From:)
  Action if positive: If the email address/domain of the sender appears in the session sender block list, the block list action is invoked.
  Action if negative: Proceed to the next check.

Personal safe list
  Check involves: Client IP, envelope sender (MAIL FROM:) and message header sender (From:)
  Action if positive: If the client IP or the email address/domain of the sender appears in the personal safe list, deliver the message and cancel remaining antispam checks (but not the antivirus and content checks).
  Action if negative: Proceed to the next check.

Personal block list
  Check involves: Client IP, envelope sender (MAIL FROM:) and message header sender (From:)
  Action if positive: If the client IP or the email address/domain of the sender appears in the personal block list, the message is discarded.
  Action if negative: Proceed to the next check.

End of message (EOM) command received from SMTP client

Antivirus
  Check involves: Message body and attachments
  Action if positive: If an infected message is detected, and the antispam profile is configured to treat viruses as spam, the default spam action is invoked on the infected message.
  Action if negative: Proceed to the next check.

Safe list word
  Check involves: Message subject and/or body
  Action if positive: If the safelisted word scanner determines that the message is not spam, deliver the message and cancel remaining antispam checks.
  Action if negative: Proceed to the next check.

FortiGuard Antispam
  Check involves: Message header and body
  Action if positive: If the FortiGuard scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, the antispam profile default action is used. No further antispam checking is performed.
  Action if negative: Proceed to the next check.

DMARC
  Check involves: Client IP address
  Action if positive: DMARC performs email authentication with SPF and DKIM checking. If the check fails, treat the email as spam.
  Action if negative: Proceed to the next check.

SPF check
  Check involves: Client IP address
  Action if positive: This option compares the client IP address to the IP addresses of authorized senders in the DNS record (RFC 4408). If the check fails, treat the email as spam.
  Action if negative: Proceed to the next check.

Spam outbreak protection
  Check involves: Message header and body
  Action if positive: If the FortiGuard scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, the antispam profile default action is used.
  Action if negative: Proceed to the next check.

Behavior analysis
  Check involves: Message body
  Action if positive: If the scanner determines the message is spam, the configured individual action is invoked. If the individual action is set to default, the antispam profile default action is used.
  Action if negative: Proceed to the next check.

Impersonation analysis
  Check involves: Message header
  Action if positive: If the scanner determines the message is spam, the configured individual action is invoked. If the individual action is set to default, the antispam profile default action is used.
  Action if negative: Proceed to the next check.

Banned word
  Check involves: Message subject and/or body
  Action if positive: If the banned word scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, the antispam profile default action is used.
  Action if negative: Proceed to the next check.

Dictionary
  Check involves: Message body
  Action if positive: If the dictionary scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, the antispam profile default action is used.
  Action if negative: Proceed to the next check.

DNSBL
  Check involves: Client IP address
  Action if positive: If the DNSBL scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, the antispam profile default action is used.
  Action if negative: Proceed to the next check.

SURBL
  Check involves: Every URL in the message body
  Action if positive: If the SURBL scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, the antispam profile default action is used.
  Action if negative: Proceed to the next check.

Heuristic
  Check involves: Message body
  Action if positive: If the heuristic antispam scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, the antispam profile default action is used.
  Action if negative: Proceed to the next check.

Image spam
  Check involves: Embedded images. If Aggressive scan is enabled, attached images are also examined.
  Action if positive: If the image spam scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, the antispam profile default action is used.
  Action if negative: Proceed to the next check.

Header analysis
  Check involves: Message header
  Action if positive: If the header analysis scan determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, the antispam profile default action is used.
  Action if negative: Proceed to the next check.

Bayesian
  Check involves: Message body
  Action if positive: If the Bayesian scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, the antispam profile default action is used.
  Action if negative: Proceed to the next check.

Suspicious newsletter
  Check involves: Message header and body
  Action if positive: If the newsletter scan determines that the message is a newsletter, the configured individual action is invoked. If the individual action is set to default, the antispam profile default action is used.
  Action if negative: Proceed to the next check.

Content
  Check involves: Message header, body, and attachments
  Action if positive: If the content scanner determines that the message is spam or prohibited, the action configured as the content profile individual action is invoked. If the individual action is set to default, the antispam profile default action is used.
  Action if negative: Proceed to the next check.

DLP
  Check involves: Message header, body, and attachments
  Action if positive: Apply the action configured in the DLP profile.
  Action if negative: Deliver the message.
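An added example, not FortiMail's own code, modelling two envelope-phase rows of the table above: the access control rule step with its default action when no rule matches, and the greylist step, including the note that greylisting is omitted when the rule action is RELAY. The rule fields, the /24 subnet used as the greylist key, the reply code 451 for the temporary failure, and the choice to stop the model right after the rule step for REJECT and DISCARD are assumptions (the table itself gives only 550 for REJECT).

```python
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Set, Tuple

# Rule actions as named in the table.
SAFE, SAFE_RELAY, RELAY, REJECT, DISCARD = "Safe", "Safe & Relay", "RELAY", "REJECT", "DISCARD"


@dataclass
class AccessRule:
    """One receiving access control rule (fields are the example's assumption)."""
    client_net: str   # CIDR; "0.0.0.0/0" matches any client
    sender: str       # glob on the envelope sender, e.g. "*@partner.example"
    recipient: str    # glob on the envelope recipient, e.g. "*@corp.example"
    action: str

    def matches(self, client_ip: str, sender: str, recipient: str) -> bool:
        if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(self.client_net):
            return False
        return (fnmatchcase(sender.lower(), self.sender.lower())
                and fnmatchcase(recipient.lower(), self.recipient.lower()))


@dataclass
class Greylist:
    """Greylist keyed on (sender, recipient, client subnet); the /24 key is assumed."""
    exempt_nets: List[str] = field(default_factory=list)
    seen: Set[Tuple[str, str, str]] = field(default_factory=set)
    prefix: int = 24

    def check(self, client_ip: str, sender: str, recipient: str) -> bool:
        """True = pass to the next check; False = return a temporary failure."""
        addr = ipaddress.ip_address(client_ip)
        if any(addr in ipaddress.ip_network(net) for net in self.exempt_nets):
            return True
        subnet = str(ipaddress.ip_network(f"{client_ip}/{self.prefix}", strict=False))
        triplet = (sender.lower(), recipient.lower(), subnet)
        if triplet in self.seen:
            return True           # a retry of a known triplet: a real MTA came back
        self.seen.add(triplet)    # first sight: remember it and tempfail this attempt
        return False


def envelope_decision(rules: List[AccessRule], greylist: Greylist, protected_domains,
                      client_ip: str, sender: str, recipient: str,
                      authenticated: bool = False) -> Tuple[int, str, bool]:
    """Access control rule step followed by the greylist step for one RCPT TO.

    Returns (smtp_reply_code, rule_action, remaining_antispam_checks_skipped).
    The checks the table lists between these two steps are not modelled."""
    rcpt_domain = recipient.rsplit("@", 1)[-1].lower()
    rcpt_protected = rcpt_domain in {d.lower() for d in protected_domains}

    action: Optional[str] = next(
        (r.action for r in rules if r.matches(client_ip, sender, recipient)), None)
    if action is None:
        # No matching rule: RELAY for protected-domain recipients, otherwise REJECT.
        # This default is what stops the gateway from acting as an open relay.
        action = RELAY if rcpt_protected else REJECT

    if action == REJECT:
        return 550, action, False
    if action == DISCARD:
        return 250, action, False   # accepted on the wire, silently deleted, nobody notified
    if action == SAFE_RELAY:
        return 250, action, True    # all subsequent antispam checks skipped, greylist included
    if action == RELAY:
        return 250, action, False   # greylisting is not applied to RELAY; other checks run

    # Safe: greylisting still applies; the other antispam checks are skipped only when
    # the recipient is in a protected domain or the sender authenticated.
    if not greylist.check(client_ip, sender, recipient):
        return 451, action, False
    return 250, action, (rcpt_protected or authenticated)


if __name__ == "__main__":
    # Constructed sample deployment: one protected domain, one Safe rule for a partner.
    protected = {"corp.example"}
    rules = [AccessRule("0.0.0.0/0", "*@partner.example", "*@corp.example", SAFE)]
    gl = Greylist()
    print(envelope_decision([], gl, protected, "203.0.113.7", "x@other.example", "a@corp.example"))
    print(envelope_decision([], gl, protected, "203.0.113.7", "x@other.example", "b@elsewhere.example"))
    print(envelope_decision(rules, gl, protected, "198.51.100.20", "pat@partner.example", "a@corp.example"))
    print(envelope_decision(rules, gl, protected, "198.51.100.99", "pat@partner.example", "a@corp.example"))
```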

How FortiMail processes email

FortiMail units receive email for defined email domains and control relay of email to other domains. Email passing through the FortiMail unit can be scanned for viruses and spam. Policies and profiles govern how the FortiMail unit scans email and what it does with email messages containing viruses or spam. For information about policies, see Configuring policies. For information about profiles, see Configuring profiles.

In addition to policies and profiles, other configured items, such as email domains, may affect how your FortiMail unit processes email.

See also:

Email domains

An email domain is a set of email accounts that reside on a particular email server. The email domain name is the portion of the user’s email address following the “@” symbol.

FortiMail units can be configured to protect email domains (referred to as “protected domains” in this Administration Guide) by defining policies and profiles to scan and relay incoming and outgoing email.

If the FortiMail unit is operating in gateway mode or transparent mode, there is one local email domain that represents the FortiMail unit itself. If the FortiMail unit is operating in server mode, protected domains reside locally on the FortiMail unit’s built-in email server.

For information about creating protected domains, see Configuring protected domains.

In transparent mode, each network interface includes a proxy and/or implicit MTA that receives and relays email. By default, the proxy/implicit MTA responds to SMTP greetings (HELO/EHLO) using the host name of the SMTP server of the protected domain. This “masquerade” hides the existence of the FortiMail unit. For information on configuring the SMTP greeting, see Configuring protected domains.

Access control rules

The access control rules allow you to control how email messages move to, from, and through the FortiMail unit. Using access control rules the FortiMail unit can analyze email messages and take action based on the result. Messages can be examined according to the sender email address, recipient email address, and the IP address or host name of the system delivering the email message.

Each access control rule specifies an action to be taken for matching email.

For information about configuring access control rules, see Configuring access control rules.

Recipient address verification

Recipient address verification ensures that the FortiMail unit rejects email with invalid recipients and does not scan or send them to the protected email server. This verification can reduce the load on the FortiMail unit when a spammer tries to send messages to every possible recipient name on the email server.

If you want to use recipient address verification, you need to verify email recipient addresses by using either the email server or an LDAP server.

Usually you can use the email server to perform address verification. This works with most email servers that provide a User unknown response to invalid addresses.

For instructions on configuring recipient address verification, see Configuring protected domains.

Disclaimer messages and customized appearance

You can customize both the disclaimer and replacement messages, as well as the appearance of the FortiMail unit interface.

The disclaimer message is attached to all email, generally warning the recipient the contents may be confidential.

Replacement messages are messages recipients receive instead of their email. These can include warnings about messages sent and incoming messages that are spam or infected with a virus. See Customizing replacement messages.

You can customize the appearance of the FortiMail unit web pages visible to mail administrators to better match a company look and feel. See Customizing the GUI appearance.

Advanced delivery features

Processing email takes time. Processing delays can cause clients and servers to time out. To reduce this problem, you can:

  • defer delivery to process oversized email at a time when traffic is expected to be light
  • send delivery status notifications (DSN)

For full configuration and procedural details regarding oversized emails, see the Cookbook recipe Downloading oversized email attachments.

Antispam techniques

Spam detection is a key feature of the FortiMail unit. The feature is based on two tiers of spam defense:

Each tier plays an important role in separating spam from legitimate email. FortiGuard Antispam delivers a highly-tuned managed service for the classification of spam while the FortiMail unit offers superior antispam detection and control technologies.

In addition to scanning incoming email messages, FortiMail units can also inspect the content of outgoing email messages. This can help eliminate the possibility that an employee or a compromised computer could send spam, resulting in the blocklisting of your organization’s email servers.

For more information on FortiMail antispam techniques, see Configuring profiles and Configuring security settings.

FortiMail antispam techniques

The following table highlights some of the FortiMail antispam techniques. For information about how these techniques are executed, see Order of execution.

FortiMail antispam technique highlights

  • Greylist scanning: see Configuring greylisting.
  • DNSBL scanning: in addition to supporting Fortinet's FortiGuard Antispam DNSBL service, the FortiMail unit supports third-party DNS Blocklist servers.
  • SURBL scanning: in addition to supporting Fortinet's FortiGuard Antispam SURBL service, the FortiMail unit supports third-party Spam URL Realtime Block List servers. See Configuring SURBL options.
  • Bayesian scanning: see Training the Bayesian databases.
  • Heuristic scanning: see Configuring heuristic options.
  • Image spam scanning: see Configuring image spam options.
  • PDF scanning: see Configuring scan options.
  • Block/safe lists
  • Banned word scanning: see Configuring banned word options.
  • Safe list word scanning: see Configuring safelist word options.
  • Sender reputation: see Viewing sender reputation statuses.

FortiGuard Antispam service

The FortiGuard Antispam service is a Fortinet-managed service that provides a three-element approach to screening email messages.

The first element is a DNS Block List (DNSBL) which is a “living” list of known spam origins.

The second element is in-depth email screening based on the Uniform Resource Locators (URLs) contained in the message body, commonly known as Spam URL Realtime Block Lists (SURBLs).

The third element is the FortiGuard Antispam Spam Checksum Blocklist (SHASH) feature. Using SHASH, the FortiMail unit sends a hash of an email to the FortiGuard Antispam server which compares the hash to hashes of known spam messages stored in the FortiGuard Antispam database. If the hash results match, the email is flagged as spam.

FortiGuard query results can be cached in memory to save network bandwidth.

FortiGuard Antispam DNSBL

To achieve up-to-date real-time identification, the FortiGuard Antispam service uses globally distributed spam probes that receive over one million spam messages per day. The FortiGuard Antispam service uses multiple layers of identification processes to produce an up-to-date list of spam origins. To further enhance the service and streamline performance, the FortiGuard Antispam service continuously retests each of the “known” identities in the list to determine the state of the origin (active or inactive). If a known spam origin has been decommissioned, the FortiGuard Antispam service removes the origin from the list, thus providing customers with both accuracy and performance.

The FortiMail FortiGuard Antispam DNSBL scanning process works this way:

  1. Incoming email (SMTP) connections are directed to the FortiMail unit.
  2. Upon receiving the inbound SMTP connection request, the FortiMail unit extracts the source information (the sending server's domain name and IP address).
  3. The FortiMail unit transmits the extracted source information to Fortinet's FortiGuard Antispam service using a secure communication method.
  4. The FortiGuard Antispam service checks the source information against its DNSBL database of known spam sources and sends the result back to the FortiMail unit.
  5. The FortiMail unit caches the result. If the result identifies the source as a known spam source, the FortiMail unit acts according to its configured policy.
  6. Further connection attempts from the same source are checked against the cache first. As long as the classification is in the cache, the FortiMail unit does not need to contact the FortiGuard Antispam service again for that source.

Once the incoming connection has passed the first pass scan (DNSBL), and has not been classified as spam, it will then go through a second pass scan (SURBL) if the administrator has configured the service.

FortiGuard Antispam SURBL

To detect spam based on the message body URLs (usually web sites), Fortinet uses FortiGuard Antispam SURBL technology. Complementing the DNSBL component, which blocks messages based on spam origin, SURBL technology blocks messages that have spam hosts mentioned in message bodies. By scanning the message body, SURBL is able to determine if the message is a known spam message regardless of origin. This augments the DNSBL technology by detecting spam messages from a spam source that may be dynamic, or a spam source that is yet unknown to the DNSBL service. The combination of both technologies provides a superior managed service with higher detection rates than traditional DNSBLs or SURBLs alone.

The FortiMail FortiGuard Antispam SURBL scanning process works this way:

  1. After an incoming SMTP connection has passed the first-pass (DNSBL) scan, the FortiMail unit accepts delivery of the email message.
  2. The FortiMail unit generates a signature from the URLs contained in the received message body.
  3. The FortiMail unit transmits the signature to the FortiGuard Antispam service.
  4. The FortiGuard Antispam service checks the signature against its SURBL database of known signatures and sends the result back to the FortiMail unit.
  5. The FortiMail unit caches the result. If the result identifies the signature as known spam content, the FortiMail unit acts according to its configured policy.
  6. Further messages carrying the same signature are checked against the cache first and do not need to be submitted to the FortiGuard Antispam service again.

Once the message has passed both elements (DNSBL and SURBL), it goes to the next layer of defense: the additional spam classification technologies on the FortiMail unit itself.
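The two lookups described above share one mechanism: build a DNS query name from the thing being checked (the reversed client IP for a DNSBL, the host name from each body URL for a SURBL), ask a list zone, and cache the answer so that repeated connections or repeated messages never hit the remote service twice. The following Python is an added example written for this page, not FortiMail code and not the FortiGuard protocol (whose transport is a secure channel rather than plain DNS). The zone names `dnsbl.example` and `surbl.example`, the listed entries and the `fake_resolve_a` resolver are constructed stand-ins so the example runs offline; a real client would send the same query names to a public or vendor list zone.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Set
from urllib.parse import urlsplit

# Constructed stand-in for DNS. Real DNSBL/SURBL clients send an A query for the
# name built below and treat any 127.0.0.x answer as "listed" and NXDOMAIN as
# "not listed". The zones and entries here are hypothetical examples.
FAKE_ZONES: Dict[str, Dict[str, str]] = {
    "dnsbl.example": {"44.2.0.192": "127.0.0.2"},         # client 192.0.2.44 is listed
    "surbl.example": {"spam-host.example": "127.0.0.2"},  # URLs under spam-host.example are listed
}


def fake_resolve_a(name: str) -> Optional[str]:
    """Return the A record for a query name, or None to simulate NXDOMAIN."""
    for zone, entries in FAKE_ZONES.items():
        if name.endswith("." + zone):
            return entries.get(name[: -len(zone) - 1])
    return None


class CachedLookup:
    """Wraps a resolver and caches every answer (listed or not) by query name.
    The cache is what lets repeated connections or messages skip the remote query."""

    def __init__(self, resolver: Callable[[str], Optional[str]]):
        self.resolver = resolver
        self.cache: Dict[str, Optional[str]] = {}
        self.remote_queries = 0

    def lookup(self, name: str) -> Optional[str]:
        if name not in self.cache:
            self.remote_queries += 1
            self.cache[name] = self.resolver(name)
        return self.cache[name]


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed octets (IPv4) or reversed nibbles (IPv6) under the zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        reversed_part = ".".join(reversed(str(ip).split(".")))
    else:
        reversed_part = ".".join(reversed(ip.exploded.replace(":", "")))
    return f"{reversed_part}.{zone}"


def is_listed_source(lookup: CachedLookup, client_ip: str, zone: str) -> bool:
    """DNSBL step: is the connecting client's IP a known spam source?"""
    return lookup.lookup(dnsbl_query_name(client_ip, zone)) is not None


URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def surbl_signatures(body: str) -> Set[str]:
    """SURBL step: reduce every URL in the body to the host name that gets queried."""
    sigs: Set[str] = set()
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if not host:
            continue
        labels = host.lower().rstrip(".").split(".")
        # Simplification: treat the last two labels as the registrable domain.
        # A production client uses a public-suffix list so that, for example,
        # "example.co.uk" is not reduced to "co.uk".
        sigs.add(".".join(labels[-2:]))
    return sigs


def surbl_listed_hosts(lookup: CachedLookup, body: str, zone: str) -> List[str]:
    """Return the message-body hosts that the SURBL zone lists, in sorted order."""
    return sorted(s for s in surbl_signatures(body) if lookup.lookup(f"{s}.{zone}") is not None)


if __name__ == "__main__":
    lk = CachedLookup(fake_resolve_a)
    print(is_listed_source(lk, "192.0.2.44", "dnsbl.example"))   # True
    print(is_listed_source(lk, "192.0.2.44", "dnsbl.example"))   # True again, served from the cache
    print(lk.remote_queries)                                     # 1
    body = "Buy now at http://www.spam-host.example/offer or https://legit.example/"
    print(surbl_listed_hosts(lk, body, "surbl.example"))         # ['spam-host.example']
```

Note that the cache stores negative answers too: the "not listed" result for a source is just as reusable as the "listed" one, which matters for the common case of a legitimate server that connects many times.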

Order of execution

FortiMail units perform each of the antispam scanning and other actions listed in the sequence presented in the following table. Disabled scans are skipped. This is a general sequence only and actions are based on the results of many factors.

Note

This table does not include everything the FortiMail unit does when a client connects to deliver email. Only the antispam techniques, and other functions having an effect on the antispam techniques, are included. Other non-antispam functions may be running in parallel to the ones in the table.

Note

FortiMail actions can be categorized as follows:

  • Final actions: Reject, discard, rewrite, personal quarantine, and system quarantine. Once one of these actions is taken, no further scanning is performed.
  • Non-final actions: Tag, add header, replace, archive, notify, BCC, and encrypt. If one or more of these actions is taken, FortiMail keeps processing the email with the remaining scanners.
  • Delivery actions: Original Host, Alternate Host, BCC

Exceptions:

  • If the antivirus scan matches, antispam scanning is skipped.
  • If the antivirus and antispam scans match with non-final actions, attachment scanning is still performed but content monitoring is not.
  • If the Sandbox scan matches, content monitoring is still performed.
  • If the FortiGuard antispam and IP reputation checks detect spam, no further antispam checking is performed, even when the configured actions are non-final.

Note

The PDF file type scan does not appear in this table. When enabled, the PDF file type scan converts the first page of any PDF attachment into a format that the heuristic, banned word, and image spam scanners can scan. If any of these scanners is enabled, it scans the first page of the PDF at the same time it examines the message body, in the sequence shown in the table below.

Execution sequence of antispam techniques

Each entry below lists what the check examines (Check involves), the action taken if the check is positive (If positive), and the action taken if it is negative (If negative). The lines that name an SMTP event (for example, "DATA command received from SMTP client") mark the point in the session at which the checks that follow are performed.

Client initiates communication with the FortiMail unit

Sender reputation
  Check involves: Client IP address
  If positive: If the client IP is in the sender reputation database, check its score and apply any restrictions that the score calls for.
  If negative: Add the IP address to the sender reputation database and keep a reputation score based on the email received from it. Proceed to the next check.

FortiGuard block IP check
  Check involves: Client IP address
  If positive: If "Check FortiGuard Block IP at connection phase" is enabled in the session profile, FortiMail checks the client IP address against the FortiGuard block IP list and, if the address is listed, rejects the email.
  If negative: Proceed to the next check.

Endpoint reputation
  Check involves: Client endpoint ID
  If positive: If the client endpoint ID is in the endpoint reputation database, check its score and apply any restrictions that the score calls for.
  If negative: Add the endpoint ID to the endpoint reputation database and keep a reputation score based on the email received from it. Proceed to the next check.

Sender rate control per connection
  Check involves: Client IP address
  If positive: Apply any connection limitations specified in the session profile. Proceed to the next check.
  If negative: If there are no connection limitations, or no session profile applies, proceed to the next check.

HELO/EHLO received from SMTP client

HELO/EHLO
  Check involves: Domain of the HELO/EHLO command
  If positive: If invalid characters appear in the domain, reject the HELO/EHLO command. The session does not continue until a proper HELO/EHLO command is received.
  If negative: Proceed to the next check.

MAIL FROM: and RCPT TO: commands received from SMTP client

Sender rate control per message
  Check involves: Client IP address
  If positive: Apply any message-rate limitations specified in the session profile. Proceed to the next check.
  If negative: If there are no limitations, or no session profile applies, proceed to the next check.

Sender domain check
  Check involves: Domain of envelope sender (MAIL FROM:)
  If positive: If any of the domain checks (Check sender domain and Reject empty domains, listed under Unauthenticated Session Settings in the session profile) fail, an error is returned to the SMTP client. The error depends on which check failed.
  If negative: Proceed to the next check.

System safe list (Phase I)
  Check involves: Client IP address and email address/domain of the envelope sender (MAIL FROM:)
  If positive: If the client IP or the sender's email address/domain appears in the system safe list, deliver the email and cancel the remaining antispam checks (but not the antivirus and content checks).
  If negative: Proceed to the next check.

System block list (Phase I)
  Check involves: Client IP address and email address/domain of the envelope sender (MAIL FROM:)
  If positive: If the client IP or the sender's email address/domain appears in the system block list, invoke the block list action for the email.
  If negative: Proceed to the next check.

Session sender safe list (Phase I)
  Check involves: Client IP address and email address/domain of the envelope sender (MAIL FROM:)
  If positive: If the client IP or the sender's email address/domain appears in the session safe list, deliver the message and cancel the remaining antispam checks (but not the antivirus and content checks).
  If negative: Proceed to the next check.

Session sender block list (Phase I)
  Check involves: Client IP address and email address/domain of the envelope sender (MAIL FROM:)
  If positive: If the client IP or the sender's email address/domain appears in the session block list, invoke the block list action for the message.
  If negative: Proceed to the next check.

Authentication difference check
  Check involves: Envelope sender (MAIL FROM:)
  If positive: Checks whether the sender address in the SMTP envelope matches the authenticated user name. If a mismatch is not allowed by the IP-based policy, the email is rejected.
  If negative: Proceed to the next check.

Bounce Verification
  Check involves: Envelope recipient (RCPT TO:)
  If positive: Apply the actions specified in the bounce verification settings.
  If negative: Proceed to the next check.

Access control rules
  Check involves: Client IP address, envelope sender and recipient (MAIL FROM: and RCPT TO:)
  If positive: If the combination of client IP, the domain/email address of the sender, and the domain/email address of the recipient matches an access control rule (Policy > Access Control > Receiving), the FortiMail unit performs the action selected in the rule, which is one of the following:

  • Safe: Accept and relay the email, skipping all subsequent antispam checks except greylisting, only if the recipient belongs to a protected domain or the sender is authenticated.
  • Safe & Relay: Accept and relay the email, skipping all subsequent antispam checks.
  • RELAY: Accept and relay the email if it passes the subsequent antispam checks. Do not apply greylisting.
  • REJECT: Reject the email and return SMTP reply code 550 to the client.
  • DISCARD: Accept the email, but silently delete it instead of delivering it. Neither the sender nor the recipient is notified of the deletion.

  If negative: If no access control rule matches and the recipient is a member of a protected domain, the default action is RELAY; if the recipient is not a member of a protected domain, the default action is REJECT.

For more information, see Configuring access control rules.
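The rule actions and the two defaults above are easy to get wrong in combination, so here is a small model of the decision, written as an added Python example for this page rather than FortiMail's own matching code. It assumes rules are evaluated top-down with the first match winning (the page does not state the evaluation order), matches client addresses as CIDR networks and sender/recipient addresses as shell-style globs, and adds an audit helper that flags a rule that relays from any client to any recipient, which is the classic open-relay misconfiguration that no default action can save you from. The `Decision` fields, the rule shape and the `open_relay_rules` helper are this example's own; the SAFE fallback for an unprotected recipient and unauthenticated sender is an assumption, labelled in the code.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

SAFE, SAFE_RELAY, RELAY, REJECT, DISCARD = "Safe", "Safe & Relay", "RELAY", "REJECT", "DISCARD"


@dataclass
class AccessRule:
    client: str     # client IP or network in CIDR form, e.g. "10.0.0.0/8" or "0.0.0.0/0"
    sender: str     # glob on the envelope sender (MAIL FROM:), e.g. "*@partner.example"
    recipient: str  # glob on the envelope recipient (RCPT TO:), e.g. "*@corp.example"
    action: str


@dataclass
class Decision:
    action: str
    smtp_reply: Optional[int]   # 550 when the message is refused, None when it is accepted
    greylist: bool              # does greylisting still run after this decision
    skip_antispam: bool         # are the remaining antispam checks skipped
    rule: Optional[AccessRule]  # the matching rule, or None when the default applied


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def _matches(rule: AccessRule, client_ip: str, sender: str, recipient: str) -> bool:
    in_net = ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule.client, strict=False)
    return (in_net
            and fnmatch.fnmatchcase(sender.lower(), rule.sender.lower())
            and fnmatch.fnmatchcase(recipient.lower(), rule.recipient.lower()))


def evaluate(rules: Iterable[AccessRule], client_ip: str, sender: str, recipient: str,
             protected_domains: Set[str], authenticated: bool = False) -> Decision:
    """Pick the first matching rule (assumption: top-down, first match wins) and map
    its action to what happens to the message, falling back to the documented defaults."""
    rule = next((r for r in rules if _matches(r, client_ip, sender, recipient)), None)
    recipient_protected = _domain(recipient) in protected_domains
    action = rule.action if rule else (RELAY if recipient_protected else REJECT)

    if action == REJECT:
        return Decision(REJECT, 550, greylist=False, skip_antispam=True, rule=rule)
    if action == DISCARD:        # accepted, then silently deleted; nobody is notified
        return Decision(DISCARD, None, greylist=False, skip_antispam=True, rule=rule)
    if action == RELAY:          # still subject to the later antispam checks, but not greylisting
        return Decision(RELAY, None, greylist=False, skip_antispam=False, rule=rule)
    if action == SAFE_RELAY:     # relayed, every later antispam check skipped
        return Decision(SAFE_RELAY, None, greylist=False, skip_antispam=True, rule=rule)
    # SAFE: antispam is skipped except greylisting, but only for a protected recipient
    # or an authenticated sender. The page does not say what happens otherwise;
    # assumption here: refuse rather than let the rule behave as an open relay.
    if recipient_protected or authenticated:
        return Decision(SAFE, None, greylist=True, skip_antispam=True, rule=rule)
    return Decision(REJECT, 550, greylist=False, skip_antispam=True, rule=rule)


def open_relay_rules(rules: Iterable[AccessRule]) -> List[AccessRule]:
    """Audit helper: rules that relay from any client, any sender, to any recipient.
    One such rule turns the gateway into an open relay regardless of the default action."""
    return [r for r in rules
            if r.action in (RELAY, SAFE_RELAY)
            and ipaddress.ip_network(r.client, strict=False).prefixlen == 0
            and r.sender == "*" and r.recipient == "*"]


if __name__ == "__main__":
    rules = [
        AccessRule("10.0.0.0/8", "*", "*", RELAY),                              # internal clients send outbound
        AccessRule("0.0.0.0/0", "*@partner.example", "*@corp.example", SAFE),  # trusted partner, inbound only
    ]
    d = evaluate(rules, "203.0.113.9", "x@other.example", "someone@elsewhere.example", {"corp.example"})
    print(d.action, d.smtp_reply)   # REJECT 550: no rule matched and the recipient is not protected
    print(open_relay_rules(rules + [AccessRule("0.0.0.0/0", "*", "*", RELAY)]))
```

The useful check in practice is the last line: run `open_relay_rules` over an exported rule set before relying on the "REJECT unless protected" default, because an explicit any-to-any RELAY rule above the default overrides it.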

Recipient domain check
  Check involves: Domain of envelope recipient (RCPT TO:)
  If positive: If any of the domain checks (Check recipient domain and Reject if recipient and helo domain match but sender domain is different, listed under Unauthenticated Session Settings in the session profile) fail, an error is returned to the SMTP client. The error depends on which check failed.
  If negative: Proceed to the next check.

Session recipient safe list
  Check involves: Envelope recipient (RCPT TO:)
  If positive: If the recipient appears in the session recipient safe list, deliver the message and cancel the remaining antispam checks (but not the antivirus and content checks).
  If negative: Proceed to the next check.

Session recipient block list
  Check involves: Envelope recipient (RCPT TO:)
  If positive: If the recipient appears in the session recipient block list, reject the message.
  If negative: Proceed to the next check.

Recipient verification
  Check involves: Envelope recipient (RCPT TO:)
  If positive: If the recipient is unknown, reject the message.
  If negative: Proceed to the next check.

Greylist
  Check involves: Envelope sender (MAIL FROM:), envelope recipient (RCPT TO:), and client IP subnet
  If positive: If the sender is in the greylist database, or the client IP subnet appears in the greylist exempt list, the message passes to the next check.
  If negative: If the sender is not in the greylist database, a temporary failure code is returned to the SMTP client.
  Note: This check is omitted if the access control rule's action is RELAY.
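The greylist entry above is compact, so here is the mechanism spelled out as an added Python example (not FortiMail's implementation): the database is keyed on the sender, recipient and client subnet triplet; the first attempt from an unknown triplet gets a temporary failure, a retry after the configured delay promotes the triplet to the known list, and exempt subnets bypass the check entirely. The delay and lifetime values, the /24 and /64 subnet widths, and the 451 reply text are this example's own choices, not values taken from the page; the `now` argument is passed in explicitly so the timing can be exercised without waiting.

```python
import ipaddress
from typing import Dict, Iterable, Tuple

Triplet = Tuple[str, str, str]

# Assumed policy values; FortiMail's real settings live in its session profile
# and are not stated on this page.
DEFAULT_DELAY = 5 * 60        # seconds a new triplet must wait before it is accepted
DEFAULT_TTL = 36 * 60 * 60    # seconds an accepted triplet stays in the database


class Greylist:
    """Greylisting keyed on (envelope sender, envelope recipient, client subnet)."""

    def __init__(self, delay: int = DEFAULT_DELAY, ttl: int = DEFAULT_TTL,
                 exempt: Iterable[str] = ()):
        self.delay, self.ttl = delay, ttl
        self.exempt = [ipaddress.ip_network(n, strict=False) for n in exempt]
        self.pending: Dict[Triplet, float] = {}   # first time the triplet was seen
        self.known: Dict[Triplet, float] = {}     # expiry time of an accepted triplet

    @staticmethod
    def _key(sender: str, recipient: str, client_ip: str) -> Triplet:
        # Key on the client's subnet (/24 for IPv4, /64 for IPv6), not the exact
        # address, so that a legitimate sending farm that retries from a
        # neighbouring address still matches its own first attempt.
        ip = ipaddress.ip_address(client_ip)
        net = ipaddress.ip_network(f"{ip}/{24 if ip.version == 4 else 64}", strict=False)
        return (sender.lower(), recipient.lower(), str(net))

    def check(self, sender: str, recipient: str, client_ip: str, now: float) -> Tuple[int, str]:
        """Return the SMTP reply for this RCPT TO: (250 accept, 451 temporary failure).
        The 451 code and its text are this example's choice of temporary failure reply."""
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.exempt):
            return 250, "2.1.5 OK (greylist exempt subnet)"
        key = self._key(sender, recipient, client_ip)

        expiry = self.known.get(key)
        if expiry is not None and expiry > now:
            self.known[key] = now + self.ttl           # refresh on every successful use
            return 250, "2.1.5 OK (known sender)"

        first_seen = self.pending.get(key)
        if first_seen is None:
            self.pending[key] = now                    # unseen triplet: defer and expect a retry
            return 451, "4.7.1 Greylisted, please try again later"
        if now - first_seen < self.delay:
            return 451, "4.7.1 Greylisted, please try again later"

        del self.pending[key]                          # retried after the delay: promote it
        self.known[key] = now + self.ttl
        return 250, "2.1.5 OK (retry accepted)"

    def expire(self, now: float) -> int:
        """Drop stale entries (never-retried triplets older than ttl, expired known ones)."""
        stale = [k for k, t in self.pending.items() if now - t > self.ttl]
        stale += [k for k, t in self.known.items() if t <= now]
        for k in stale:
            self.pending.pop(k, None)
            self.known.pop(k, None)
        return len(stale)


if __name__ == "__main__":
    g = Greylist(delay=300, exempt=["10.0.0.0/8"])
    t0 = 1_000_000.0
    print(g.check("a@x.example", "b@corp.example", "203.0.113.5", t0))          # (451, ...)
    print(g.check("a@x.example", "b@corp.example", "203.0.113.77", t0 + 400))   # (250, ...) same /24
```

Spam senders that fire and forget never retry, which is the whole point; the cost is a delay on first contact for every new legitimate triplet, which is why the exempt list and a subnet-wide key matter.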

DATA command received from SMTP client

System safe list (Phase II)
  Check involves: Message header sender (From:)
  If positive: If the sender's email address/domain appears in the system safe list, deliver the message and cancel the remaining antispam checks (but not the antivirus and content checks).
  If negative: Proceed to the next check.

System block list (Phase II)
  Check involves: Message header sender (From:)
  If positive: If the sender's email address/domain appears in the system block list, invoke the block list action for the message.
  If negative: Proceed to the next check.

Domain safe list
  Check involves: Client IP, envelope sender (MAIL FROM:) and message header sender (From:)
  If positive: If the client IP or the sender's email address/domain appears in the domain safe list, deliver the message and cancel the remaining antispam checks (but not the antivirus and content checks).
  If negative: Proceed to the next check.

Domain block list
  Check involves: Client IP, envelope sender (MAIL FROM:) and message header sender (From:)
  If positive: If the client IP or the sender's email address/domain appears in the domain block list, invoke the block list action for the message.
  If negative: Proceed to the next check.

Session sender safe list (Phase II)
  Check involves: Message header sender (From:)
  If positive: If the sender's email address/domain appears in the session sender safe list, deliver the message and cancel the remaining antispam checks (but not the antivirus and content checks).
  If negative: Proceed to the next check.

Session sender block list (Phase II)
  Check involves: Message header sender (From:)
  If positive: If the sender's email address/domain appears in the session sender block list, the block list action is invoked.
  If negative: Proceed to the next check.

Personal safe list
  Check involves: Client IP, envelope sender (MAIL FROM:) and message header sender (From:)
  If positive: If the client IP or the sender's email address/domain appears in the personal safe list, deliver the message and cancel the remaining antispam checks (but not the antivirus and content checks).
  If negative: Proceed to the next check.

Personal block list
  Check involves: Client IP, envelope sender (MAIL FROM:) and message header sender (From:)
  If positive: If the client IP or the sender's email address/domain appears in the personal block list, the message is discarded.
  If negative: Proceed to the next check.

End of message (EOM) command received from SMTP client

Antivirus
  Check involves: Message body and attachments
  If positive: If an infected message is detected, and the antispam profile is configured to treat viruses as spam, the default spam action is invoked on the infected message.
  If negative: Proceed to the next check.

Safe List Word
  Check involves: Message subject and/or body
  If positive: If the safe list word scanner determines that the message is not spam, deliver the message and cancel the remaining antispam checks.
  If negative: Proceed to the next check.

FortiGuard Antispam
  Check involves: Message header and body
  If positive: If the FortiGuard scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, the antispam profile default action is used. No further antispam checking is performed.
  If negative: Proceed to the next check.

DMARC
  Check involves: Client IP address (for SPF), the DKIM signature, and the message header sender (From:) domain that the SPF and DKIM identifiers must align with
  If positive: DMARC performs email authentication using the SPF and DKIM checks. If it fails, treat the email as spam.
  If negative: Proceed to the next check.

SPF check
  Check involves: Client IP address
  If positive: This option compares the client IP address to the IP addresses of authorized senders published in the sender domain's SPF DNS record (RFC 4408, since superseded by RFC 7208). If the check fails, treat the email as spam.
  If negative: Proceed to the next check.
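To make the SPF row concrete, the following added Python example (not FortiMail code) evaluates a domain's SPF record against the connecting client's IP for the mechanisms that cover most published records: `ip4`, `ip6`, `include` and `all` with the four qualifiers. The TXT records and domain names in `FAKE_TXT` are constructed so the example runs offline; a real check fetches them from DNS, and the `a`, `mx`, `ptr`, `exists` and `redirect=` terms plus macro expansion are deliberately reported as `permerror` rather than guessed. `spf_marks_as_spam` mirrors the page's "if failed, treat as spam" rule; whether a softfail also counts is an assumed policy switch.

```python
import ipaddress
from typing import Dict

# Constructed TXT records for the example; a real check fetches these from DNS.
# The domains are documentation names and the policies are hypothetical.
FAKE_TXT: Dict[str, str] = {
    "corp.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    "loose.example": "v=spf1 ?all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10   # RFC 7208 caps DNS-querying terms at 10 per evaluation


def spf_check(client_ip: str, sender_domain: str,
              txt: Dict[str, str] = FAKE_TXT, depth: int = 0) -> str:
    """Evaluate the ip4, ip6, include and all mechanisms of a domain's SPF record
    against the connecting client's IP. Returns one of
    pass / fail / softfail / neutral / none / permerror."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = txt.get(sender_domain.lower().rstrip("."))
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                       # no SPF policy published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:         # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")  # "ip6:2001:db8::/32" splits on the first colon only
        name = name.lower()
        if name == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return RESULT_FOR_QUALIFIER[qualifier]
        elif name == "include":
            inner = spf_check(client_ip, arg, txt, depth + 1)
            if inner == "pass":             # include matches only when the inner record passes
                return RESULT_FOR_QUALIFIER[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"          # a missing or broken included record is a permerror
        else:
            # a, mx, ptr, exists, redirect= and macro expansion are out of scope here
            return "permerror"
    return "neutral"                        # ran off the end of the record without an "all"


def spf_marks_as_spam(result: str, softfail_is_spam: bool = False) -> bool:
    """Map the SPF result to the gateway's "treat as spam" decision. Only a hard
    fail is spam by default; whether softfail counts is an assumed policy knob."""
    return result == "fail" or (softfail_is_spam and result == "softfail")


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.9", "2001:db8::5", "203.0.113.1"):
        result = spf_check(ip, "corp.example")
        print(ip, result, "-> spam" if spf_marks_as_spam(result) else "")
```

Note the asymmetry that trips people up in the table's "if failed" wording: a domain with no record gives `none`, and a `~all` record gives `softfail`, neither of which is a failure, so a gateway that only acts on `fail` will pass a spoofed message from a domain that publishes nothing or only softfail.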

Spam outbreak protection
  Check involves: Message header and body
  If positive: If the FortiGuard scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, the antispam profile default action is used.
  If negative: Proceed to the next check.

Behavior analysis
  Check involves: Message body
  If positive: If the scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, the antispam profile default action is used.
  If negative: Proceed to the next check.

Impersonation analysis
  Check involves: Message header
  If positive: If the scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, the antispam profile default action is used.
  If negative: Proceed to the next check.

Banned Word
  Check involves: Message subject and/or body
  If positive: If the banned word scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, the antispam profile default action is used.
  If negative: Proceed to the next check.

Dictionary
  Check involves: Message body
  If positive: If the dictionary scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, the antispam profile default action is used.
  If negative: Proceed to the next check.

DNSBL
  Check involves: Client IP address
  If positive: If the DNSBL scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, the antispam profile default action is used.
  If negative: Proceed to the next check.

SURBL
  Check involves: Every URL in the message body
  If positive: If the SURBL scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, the antispam profile default action is used.
  If negative: Proceed to the next check.

Heuristic
  Check involves: Message body
  If positive: If the heuristic antispam scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, the antispam profile default action is used.
  If negative: Proceed to the next check.

Image Spam
  Check involves: Embedded images. If Aggressive scan is enabled, attached images are also examined.
  If positive: If the image spam scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, the antispam profile default action is used.
  If negative: Proceed to the next check.

Header analysis
  Check involves: Message header
  If positive: If the header analysis scan determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, the antispam profile default action is used.
  If negative: Proceed to the next check.

Bayesian
  Check involves: Message body
  If positive: If the Bayesian scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, the antispam profile default action is used.
  If negative: Proceed to the next check.

Suspicious Newsletter
  Check involves: Message header and body
  If positive: If the newsletter scan determines that the message is a newsletter, the configured individual action is invoked. If the individual action is set to default, the antispam profile default action is used.
  If negative: Proceed to the next check.

Content
  Check involves: Message header, body, and attachments
  If positive: If the content scanner determines that the message is spam or prohibited, the individual action configured in the content profile is invoked. If the individual action is set to default, the antispam profile default action is used.
  If negative: Proceed to the next check.

DLP
  Check involves: Message header, body, and attachments
  If positive: Apply the action configured in the DLP profile.
  If negative: Deliver the message.