profile antispam
Use this command to configure system-wide antispam profiles.
FortiMail units can use various methods to detect spam, such as the FortiGuard Antispam service, DNSBL queries, Bayesian scanning, and heuristic scanning. Antispam profiles contain settings for these features that you may want to vary by policy. Depending on the feature, before you configure antispam policies, you may need to enable the feature or configure its system-wide settings.
Syntax
config profile antispam
edit <profile_name>
config bannedwords
edit <word_str>
set subject {enable | disable}
config dnsbl-server
edit <server_name>
config surbl-server
edit <server_name>
config safelistwords
edit <word_str>
set subject {enable | disable}
set action-banned-word <action_profile>
set action-bayesian <action-profile_name>
set action-behavior-analysis <action-profile_name>
set action-deep-header <action-profile_name>
set action-default <action-profile_name>
set action-dictionary <action-profile_name>
set action-dmarc
set action-fortiguard <action-profile_name>
set action-fortiguard-blockip <action-profile-name>
set action-fortiguard-phishing-uri <action-profile-name>
set action-grey-list <action-profile_name>
set action-heuristic <action-profile_name>
set action-image-spam <action-profile_name>
set action-impersonation-analysis <action>
set action-newsletter <action-profile_name>
set action-rbl <action-profile_name>
set action-spf-neutral <action>
set action-spf-perm-error <action>
set action-spf-sender-alignment <action>
set action-spf-soft-fail <action>
set action-spf-temp-error <action>
set action-surbl <action-profile_name>
set action-suspicious-newsletter <action-profile_name>
set action-uri-filter <action-profile_name>
set action-uri-filter-secondary <action-profile_name>
set action-virus <action-profile_name>
set aggressive {enable | disable}
set apply-action-default {enable | disable}
set banned-word {enable | disable}
set bayesian {enable | disable}
set behavior-analysis {enable | disable}
set bayesian-autotraining {enable | disable}
set bayesian-user-db {enable | disable}
set bayesian-usertraining {enable | disable}
set deepheader {enable | disable}
set deepheader-analysis {enable | disable}
set deepheader-check-ip {enable | disable}
set dictionary {enable | disable}
set dictionary-type
set dmarc-status {enable | disable}
set fortiguard-antispam {enable | disable}
set fortiguard-check-ip {enable | disable}
set fortiguard-phishing-uri {enable | disable}
set greylist {enable | disable}
set heuristic {enable | disable}
set heuristic-lower <threshold_int>
set heuristic-rules-percent <percentage_int>
set heuristic-upper {threshold_int}
set image-spam {enable | disable}
set impersonation
set impersonation-analysis {enable | disable}
set ip-reputation-level1-status {enable | disable}
set ip-reputation-level2-status {enable | disable}
set ip-reputation-level3-status {enable | disable}
set newsletter-status {enable | disable}
set scan-bypass-on-auth {enable | disable}
set scan-pdf {enable | disable}
set spam-outbreak-protection {enable | disable | monitor-only}
set spf-checking {enable | disable}
set spf-fail-status {enable | disable}
set spf-neutral-status {enable | disable}
set spf-none-status {enable | disable}
set spf-pass-status {enable | disable}
set spf-perm-error-status {enable | disable}
set spf-soft-fail-status {enable | disable}
set spf-temp-error-status {enable | disable}
set suspicious-newsletter-status {enable | disable}
set uri-filter-secondary <filter>
set uri-filter-secondary-status {enable | disable}
set uri-filter-status {enable | disable}
set safelist-enable {enable | disable}
set safelist-word {enable | disable}
end
Variable |
Description |
Default |
Enter the name of an antispam profile. |
|
|
Enter the banned word. You can use wildcards in banned words. But regular expressions are not supported. For more information about wildcards and regular expressions, see the FortiMail Administration Guide. |
|
|
Enable to check the subject line for the banned word. |
disable |
|
Enable to check the message body for the banned word. |
disable |
|
Enter a DNSBL server name to perform a DNSBL scan. The FortiMail unit will query DNS blocklist servers. |
|
|
Enter a SURBL server name to perform a SURBL scan. The FortiMail unit will query SURBL servers. |
|
|
|
||
Enable to check the subject line for the safelisted word. |
disable |
|
Enable to check the message body for the safelisted word. |
disable |
|
Enter the action profile that you want the FortiMail unit to use if the banned word scan determines that the email is spam. |
|
|
Enter the action profile that you want the FortiMail unit to use if the Bayesian scan determines that the email is spam. |
|
|
Enter the action profile that you want the FortiMail unit to use if the behavior analysis scan determines that the email is spam. |
|
|
Enter the action profile that you want the FortiMail unit to use if the deep header scan determines that the email is spam. |
|
|
Enter the default action profile that you want all scanners of the FortiMail unit to use. However, if you choose an action profile other than “default" for a scanner, this scanner will use the chosen profile. |
|
|
Enter the action profile that you want the FortiMail unit to use if the heuristic scan determines that the email is spam. |
|
|
Enter the action profile for DMARC check failure. If either SPF check or DKIM check passes, DMARC check will pass. If both fail, DMARC check fails. |
|
|
Enter the action profile that you want the FortiMail unit to use if the FortiGuard Antispam scan determines that the email is spam. |
|
|
Enter the action profile that you want the FortiMail unit to use if the FortiGuard block IP scan determines that the email is spam. |
|
|
Enter the action profile that you want the FortiMail unit to use if the FortiGuard phishing URI scan determines that the email is spam. |
|
|
Enter the action profile that you want the FortiMail unit to use if the grey list scan determines that the email is spam. |
|
|
Enter the action profile that you want the FortiMail unit to use if the heuristic scan determines that the email is spam. |
|
|
Enter the action profile that you want the FortiMail unit to use if the impersonation alaysis determines the email is from someone impersonating a known email address. |
|
|
Enter the action profile that you want the FortiMail unit to use if the image scan determines that the email is spam. |
|
|
Enter the action profile that you want the FortiMail unit to use if the newsletter scan determines that the email is spam. |
|
|
Enter the action profile that you want the FortiMail unit to use if the RBL scan determines that the email is spam. |
|
|
Enter the action FortiMail performs if the SPF fails, which means the host is not authorized to send messages. |
|
|
Enter the action FortiMail performs if SPF neutral fails, which means the SPF record is found but no definitive assertion. |
|
|
Enter the action FortiMail performs if SPF none fails, whichs means there is no SPF record. |
|
|
Enter the action FortiMail performs if SPF pass fails, which means it discovers the host is not authorized to send a message. |
|
|
Enter the action FortiMail performs if SPF perm error fails, which means the SPF records are invalid. |
|
|
Enter the action FortiMail performs if SPF sender alignment fails, which means the header from the subject authorization domain mismatch. |
|
|
Enter the action Fortimail takes if spf soft fail fails, which means the host is not authorized to send messages but not a strong statement. |
|
|
Enter the action FortiMail performs if action SPF temp error fails, which means there is a processing error. |
|
|
Enter the action profile that you want the FortiMail unit to use if the SURBL scan determines that the email is spam. |
|
|
Enter the action profile that you want the FortiMail unit to use if the suspicious newsletter scan determines that the email is spam. |
|
|
Enter the action profile that you want the FortiMail unit to use if the URI filter scan determines that the email is spam. |
|
|
Enter the action profile that you want the FortiMail unit to use if the URI filter scan determines that the email is spam. |
|
|
Enter the action profile that requires the FortiMail unit to treat messages with viruses as spam. |
|
|
Enable this option to examine file attachments in addition to embedded images. To improve performance, enable this option only if you do not have a satisfactory spam detection rate. |
disable |
|
Enable this option to apply default action to all messages. |
disable | |
Enable this option to scan banned words for this antispam profile. |
disable |
|
Enable this option to activate Bayesian scan for this antispam profile. |
disable |
|
Enable this option to activate behavior analysis scan for this antispam profile. |
disable | |
Enable to use FortiGuard Antispam and SURBL scan results to train per-user Bayesian databases that are not yet mature (that is, they have not yet been trained with 200 legitimate email and 100 spam in order to recognize spam). |
enable |
|
Enable to use per-user Bayesian databases. If disabled, the Bayesian scan will use either the global or the per-domain Bayesian database, whichever is selected for the protected domain. |
disable |
|
Enable to accept email forwarded from email users to the Bayesian control email addresses in order to train the Bayesian databases to recognize spam and legitimate email. |
enable |
|
Enable to perform extensive inspection of message headers. For more information, see “set as profile modify fortishield" on page 184 and “set as profile modify dnsbl" on page 181. |
disable |
|
Enable to inspect all message headers for known spam characteristics. If the FortiGuard Antispam scan is enabled, this option uses results from that scan, providing up-to-date header analysis. For more information, see “set as profile modify fortishield" on page 184. |
disable |
|
Enable to query for the blocklist status of the IP addresses of all SMTP servers appearing in the If this option is disabled, the FortiMail unit checks only the IP address of the current SMTP client. This option applies only if you have also configured either or both FortiGuard Antispam scan and DNSBL scan. For more information, see “set as profile modify fortishield" on page 184 and “set as profile modify dnsbl" on page 181. |
disable |
|
Enter the number of dictionary term matches above which the email will be considered to be spam. |
|
|
Enable to perform a dictionary scan for this profile. |
disable |
|
Enter the dictionary profile name. |
|
|
Enter the type of dictionary profile. |
|
|
Enable to have the unit perform email authentication with SPF and DKIM checking. If either SPF check or DKIM check passes, DMARC check will pass. If both fail, DMARC fails. |
disable |
|
Enable to perform a DNSBL scan for this profile. The FortiMail unit will query DNS blocklist servers defined using “set out_profile profile modify deepheader" on page 405. |
disable |
|
Enable to let the FortiMail unit query the FortiGuard Antispam service to determine if any of the uniform resource identifiers (URI) in the message body are associated with spam. If any URI is blocklisted, the FortiMail unit considers the email to be spam, and you can select the action that the FortiMail unit will perform. |
disable |
|
Enable to include whether or not the IP address of the SMTP client is blocklisted in the FortiGuard Antispam query. |
disable |
|
Enable to include whether or not the phishing URI is blocklisted in the FortiGuard Antispam query. |
disable |
|
Enable to perform a greylist scan. |
disable |
|
Enable to perform a heuristic scan. |
disable |
|
Enter the score equal to or below which the FortiMail unit considers an email to not be spam. |
-20.000000 |
|
Enter the percentage of the total number of heuristic rules that will be used to calculate the heuristic score for an email message. The FortiMail unit compares this total score to the upper and lower level threshold to determine if an email is:
To improve system performance and resource efficiency, enter the lowest percentage of heuristic rules that results in a satisfactory spam detection rate. |
100 |
|
Enter the score equal to or above which the FortiMail unit considers an email to be spam. |
10.000000 |
|
Enable to perform an image spam scan. |
disable |
|
Enter the impresonation profile used by this profile to prevent email spoofing attacks. |
|
|
Enable sender impersonation analysis to automatically learn and track the mapping of display names and internal email addresses to prevent spoofing attacks. |
disable |
|
Enable IP reputation to enable the FortiMail unit to query the FortiGuard Antispam service to determine if the public IP address of the SMTP client is blocklisted. FortiGuard categorizes the blocklisted IP addresses into three levels, level 1 has the worst reputation and level 3 the best. |
disable |
|
Enable IP reputation to enable the FortiMail unit to query the FortiGuard Antispam service to determine if the public IP address of the SMTP client is blocklisted. FortiGuard categorizes the blocklisted IP addresses into three levels, level 1 has the worst reputation and level 3 the best. |
disable |
|
Enable IP reputation to enable the FortiMail unit to query the FortiGuard Antispam service to determine if the public IP address of the SMTP client is blocklisted. FortiGuard categorizes the blocklisted IP addresses into three levels, level 1 has the worst reputation and level 3 the best. |
disable |
|
Enable dection of newsletters to make sure newsletters and other marketing campaigns are not spam. |
|
|
Enable to make the FortiMail unit check if the host is not authorized to send messages. If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-fail. |
|
|
Enable to make the FortiMail unit check if the SPF record is found but no definitive assertion. If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-neutral. |
|
|
Enable to make the FortiMail unit check if there is no SPF record. If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-none. |
|
|
Enable to make the FortiMail unit check if the host is authorized to send messages. If the client IP address fails the SPF check, FortiMail takes the antispam action configured in action-spf-pass. |
|
|
spf-sender-alignment-status {enable | disable} |
Enable to make the FortiMail unit check if the header from the authorization domain is mismatched. If the client IP address fails the SPF check, FortiMail takes the desired action entered in action-spf-sender-alignment. |
|
Enable to make the FortiMail unit check if the SPF records are invalid. If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-perm-error. |
|
|
Enable to make the FortiMail unit check if the host is not authorized to send messages but not a strong statement. If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-soft-fail. |
|
|
Enable to make the FortiMail unit check if there is a processing error. If the client IP address fails the SPF check, FortiMail takes the antispam action entered in |
|
|
Enable to omit antispam scans when an SMTP sender is authenticated. |
disable |
|
Enter the maximum size, in bytes, that the FortiMail unit will scan for spam. Messages exceeding the limit will not be scanned for spam. To scan all email regardless of size, enter |
1204 bytes for predefined profiles
600 bytes for user-defined profiles |
|
Enable to scan the first page of PDF attachments using heuristic, banned word, and image spam scans, if they are enabled. |
disable |
|
Enable to temporarily hold suspicious email for a certain period of time (configurable with When set to |
disable | |
Enable to have the FortiMail unit perform the action configured in this antispam profile, instead of the action configured in the session profile. See spf-validation {enable | disable}. Starting from 6.0.3 release, you can also specify different actions toward defferent SPS check results:
|
disable |
|
Enable to perform a SURBL scan. The FortiMail unit will query SURBL servers defined using “set out_profile profile modify surblserver" on page 421. |
disable |
|
Enable the detection of newsletters. |
disable | |
Specify the URI filter to use. |
|
|
To take different actions towards different URI filters/categories, you can specify a primary and a secondary filter, and specify different actions for each filter. If both URI filters match an email message, the primary filter action will take precedence. |
|
|
Enable or disable the secondaryURI filter scan. |
disable | |
Enable or disable URI filter scan. |
disable | |
Enable to treat email with viruses as spam. When enabled, instead of performing the action configured in the antivirus profile, the FortiMail unit will instead perform either the general or individualized action in the antispam profile. For details, see “set out_profile profile modify individualaction" on page 415 and “set out_profile profile modify actions" on page 400. |
disable |
|
Enable to automatically update personal safelist database from sent email. |
disable |
|
Enable to perform a safelist word scan. The scan will examine the email for words configured in “set out_profile profile modify safelistwordlist" on page 426. |
disable |