Configuring antispam profiles and antispam action profiles

The AntiSpam submenu lets you configure antispam profiles and related action profiles.

This section contains the following topics:

• Managing antispam profiles
• Configuring email impersonation profiles
• Configuring cousin domain profiles
• Configuring antispam action profiles

Managing antispam profiles

The AntiSpam tab lets you manage and configure antispam profiles. Antispam profiles are sets of antispam scans that you can apply by selecting one in a policy.

FortiMail units can use various methods to detect spam, such as the FortiGuard Antispam service, DNSBL queries, Bayesian scanning, and heuristic scanning. Antispam profiles contain settings for these features that you may want to vary by policy. Depending on the feature, before you configure antispam policies, you may need to enable the feature or configure its system-wide settings.

For information on the order in which FortiMail units perform each type of antispam scan, see Order of execution.

You can use an LDAP query to enable or disable antispam scanning on a per-user basis. For details, see Configuring LDAP profiles and Configuring scan override options.

To view and manage incoming antispam profiles

1. Go to Profile > AntiSpam > AntiSpam.

GUI item	Description
Clone (button)	Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK.
Batch Edit (button)	Edit several profiles simultaneously. See Performing a batch edit.
Domain (drop-down list)	Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile.
Profile Name	Displays the name of the profile. The profile name is editable.
Domain Name (column)	Displays either System or a domain name.
(Green dot in column heading)	Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

2. Either click New to add a profile or double-click a profile to modify it.

A multisection dialog appears.

3. Configure the following:

GUI item	Description
Domain	Select the entire FortiMail unit (System) or name of a protected domain. You can see only the domains that are permitted by your administrator profile. For more information, see About administrator account permissions and domains.
Profile name	For a new profile, enter the name of the profile.
Default action	Select the default action to take when the policy matches. See Configuring antispam action profiles.
FortiGuard	See Configuring FortiGuard options.
Greylist	Enable to apply greylisting. For more information, see Configuring greylisting. Note: Enabling greylisting can improve performance by blocking most spam before it undergoes other resource-intensive antispam scans.
SPF	If the sender domain DNS record lists SPF authorized IP addresses, use this option to compare the client IP address to the IP addresses of authorized senders in the DNS record (RFC 4408). If the DNS record for the domain name of the sender does not publish SPF information, the FortiMail unit omits the SPF client IP address validation. If the client IP address fails the SPF check, FortiMail will take the antispam action configured in this antispam profile. But unlike SPF checking in a session profile, failed SPF checking in an antispam profile will not increase the client’s reputation score. Starting from 6.0.3 release, you can specify different actions towards different SPF check results: Fail: The host is not authorized to send messages. Soft Fail: The host is not authorized to send messages but not a strong statement. Permanent Error: The SPF records are invalid. Temporary Error: Processing error. Pass: The host is authorized to send messages. Neutral: SPF record is found but no definitive assertion. None: No SPF record. Note: No SPF check is performed for direct connections from RFC 1918 private IP addresses. Note: If you select to Bypass SPF checking in the session profile (see Configuring sender validation options), SPF checking will be bypassed even though you enable it in the antispam profile. Note: Before FortiMail 4.3.1 release, only SPF hardfailed (-all) email is treated as spam. Starting from 4.3.2 to 6.0.2 release, you can use a CLI command (set spf-checking {strict | aggressive} under config antispam settings) to control if the SPF softfailed (~all) email should also be treated as spam. For details, see the FortiMail CLI Guide. Starting from 6.0.3, this command is removed.
DKIM	DomainKeys Identified Mail (DKIM) checking utilizes public and private keys to digitally sign outbound emails to prove that email has not been tampered with in transit.
DMARC	Domain-based Message Authentication, Reporting & Conformance (DMARC) performs email authentication with SPF and DKIM checking. If either SPF check or DKIM check passes, DMARC check will pass. If both of them fails, DMARC check fails. FortiMail conducts DMARC alignment, whereby at least one of the domains authenticated by SPF or DKIM must align with the header-from domain. For more information, see RFC 7489. Starting from 7.0.1 release, you can generate DMARC reports with the following CLI command, from the system level and domain level, respectively: config antispam dmarc-report config domain-setting For more details, see the FortiMail 7.0.1 CLI Reference.
Behavior analysis	Behavior analysis (BA) analyzes the similarities between the uncertain email and the known spam email in the BA database and determines if the uncertain email is spam. The BA database is a gathering of spam email caught by FortiGuard Antispam Service. Therefore, the accuracy of the FortiGuard Antispam Service has a direct impact on the BA accuracy. You can adjust the BA aggressiveness using the following CLI commands: config antispam behavior-analysis set analysis-level {high | medium | low} end The high setting means the most aggressive while the low setting means the least aggressive. The default setting is medium. You can also reset (empty) the BA database using the following CLI command: diagnose debug application mailfilterd behavior-analysis update
Header analysis	Enable this option to examine the entire message header for spam characteristics.
Impersonation	See Configuring impersonation options.
Heuristic	See Configuring heuristic options.
SURBL	See Configuring SURBL options.
DNSBL	See Configuring DNSBL options.
Banned word	See Configuring banned word options.
Safelist word	See Configuring safelist word options.
Dictionary	See Configuring dictionary options.
Image spam	See Configuring image spam options.
Bayesian	See Configuring Bayesian options.
Suspicious newsletter	Suspicious newsletters are part of the newsletter category. But FortiMail may find them to be suspicious because they may actually be spam under the disguise of newsletters. Note that if you enable detection of both newsletters and suspicious newsletters and specify actions for both types, if a newsletter is found to be suspicious, the action towards suspicious newsletters will take effect, not the action towards newsletters.
Newsletter	Although newsletters and other marketing campaigns are not spam, some users may find them annoying. Enable detection of newsletters and select an action profile to deal with them. For example, you can tag newsletter email so that users can filter them in their email clients.
Scan Options	See Configuring scan options.

Configuring FortiGuard options

The FortiGuard section of antispam profiles lets you configure the FortiMail unit to query the FortiGuard Antispam service to check the following:

• IP Reputation: if the SMTP client IP address is a public one, the FortiMail unit will query the FortiGuard Antispam service to determine if the current SMTP client is blocklisted; if the SMTP client IP address is a private one, the FortiMail unit will query the FortiGuard Antispam service to determine if the first public IP address in the header is blocklisted. If the Extract IP from Received Header option is enabled, the FortiGuard scan will also examine the public IP addresses of all other SMTP servers that appear in the Received: lines of the message header.

FortiGuard Antispam scans do not examine private network addresses, as defined in RFC 1918.

• URL category: this option determines if any uniform resource identifiers (URL) in the message body are associated with spam. FortiGuard URL filter groups URL into various categories, such as hacking, drug abuse and so on. You can configure the FortiGuard URL filter to check for certain categories only. For details, see Configuring the FortiGuard URL filter. If a URL is blocklisted, the FortiMail unit treats the email as spam and performs the associated action. You can also exempt URLs from spam filtering. For details, see Configuring the FortiGuard URL filter.

To take different actions towards different URL filters/categories, you can specify a primary and a secondary filter, and specify different actions for each filter. If both URL filters match an email message, the primary filter action will take precedence.

To reduce false positives, unrated IP addresses will be ignored and no actions will be taken.

• Spam outbreak protection: enable this option to temporarily hold suspicious email for a certain period of time (configurable with CLI command config profile antispam set spam-outbreak-protection and config system fortiguard antispam set outbreak-protection-period) if the enabled FortiGuard antispam check (block IP and/or URL filter) returns no result. After the specified time interval, FortiMail will query the FortiGuard server for the second time. This provides an opportunity for the FortiGuard antispam service to update its database in cases a spam outbreak occurs. To view the email on hold, go to Monitor > Mail Queue > Spam Outbreak.

When set to Monitor only, email is not deferred. Instead, "X-FEAS-Spam-outbreak: monitor-only" is inserted as its header, and the email is logged.

Note: If email messages are temporarily held by FortiGuard spam outbreak protection, and the "reject" action is configured in the action profile, the actual action will fallback to "system quarantine" if spam is detected afterwards.

Note: Email from some sources, such as safelisted IP addresses and ACL relay rules, will be exempted from FortiGuard spam outbreak protection scan.

When FortiGuard detects spam for both IP reputation and URL category in an email, the URL category action will be taken and logged. For example, if the IP reputation action is "Tag" while the URL category action is "Reject", the email will be rejected. Before v6.4.3, the IP Reputation action will be taken and logged instead.

Before enabling FortiGuard, you must enable and configure FortiGuard Antispam rating queries.

FortiGuard URL filter and URL scanning have two levels of control: strict or aggressive. For details see Configuring antispam profiles and antispam action profiles. Starting from 6.0.4 release, the aggressive setting also scans the domain part of envelope MAIL FROM, header From, and Reply-To addresses. If the domains are identified as spam, the configured antispam actions will be applied.

If the FortiGuard option is enabled, you may improve performance and the spam catch rate by also enabling Block IP and caching. For details on enabling caching, see “Configuring centralized administration.

To configure FortiGuard scan options

1. When configuring an antispam profile, select the FortiGuard check box in the AntiSpam Profile dialog.
2. From Action, select the action profile that you want the FortiMail unit to use if the FortiGuard Antispam scan finds spam email. This action is the default action for all the FortiGuard filters, including IP reputation, URL filter, and spam outbreak protection.

For more information, see Configuring antispam action profiles.

3. If you want the FortiMail unit to query the FortiGuard Antispam service to determine if the public IP address of the SMTP client is blocklisted, enable IP Reputation. If the SMTP client IP address is a private one, the FortiMail unit will query the FortiGuard Antispam service to determine if the first public IP address in the header is blocklisted.

FortiGuard categorizes the blocklisted IP addresses into three levels -- level 1 has the worst reputation, level 2 has better reputation, and level 3 has even better reputation. To help prevent false positives, you can choose to take different actions towards different IP reputation levels. Usually you should take strict actions, such as reject or discard, towards level 1 IP addresses while take loose actions, such as quarantine or tag, towards level 3 IP addresses. Using default actions for level 1, 2, and 3 means to use the IP Reputation action; using the default action for IP reputation means to use the FortiGuard action; and using the FortiGuard default action means to use the antispam profile action.

If you want to check all SMTP servers in the Received: lines of the message header, enable the Extract IP from Received Header option.

4. If you want to use the FortiGuard URL filter service, select a URL category profile from the Primary or Secondary URL Category list. For details, see Configuring heuristic options. Then select an action profile. The default action means to use the FortiGuard action, not the antispam profile action.

Note: If the secondary URL category is matched, the email will be deferred in the spam outbreak queue if the spam outbreak protection is enabled.

5. If you want use the spam outbreak protection feature, enable it. Then select an action profile. The default action means to use the FortiGuard action, not the antispam profile action.
6. Continue to the next section, or click Create to save the antispam profile.

Configuring impersonation options

The FortiMail unit includes rules used by the impersonation filter to determine whether messages are spam, and takes action according to the configured actions specified. If the individual action is set to default, then the antispam profile default action is used.

The antispam profile impersonation filter is comprised of sender alignment, and impersonation analysis and cousin domain profiles. Sender alignment is an SPF related function that checks for a Header From and authorization domain mismatch. Impersonation profiles and cousin domain profiles check for appropriate display and domain names respectively.

To configure impersonation scan options

1. When configuring an antispam profile, enable Impersonation under Scan Configurations.

2. Click the plus to expand Impersonation.

3. Enable Sender Alignment to check for a Header From and authorization domain mismatch.

From Action, select the action profile that you want the FortiMail unit to use if a mismatch occurs.

4. Enable Impersonation analysis to automatically learn and track the mapping of display names and internal email addresses to prevent spoofing attacks.

From Action, select the action profile that you want the FortiMail unit to use if the addresses do not match.

5. Click the plus to expand Impersonation analysis, and select an Impersonation profile to apply to the antispam profile.

For more information, see Configuring email impersonation profiles.

6. Enable Cousin Domain to scan for domain names that are deliberately misspelled in order to appear to come from a trusted domain.

From Action, select the action profile that you want the FortiMail unit to use if the cousin domain scan is triggered.

7. Click the plus to expand Cousin Domain, and select a Cousin Domain profile to apply to the antispam profile.
8. Additionally, enable the various cousin domain scan options if you wish to scan for cousin domain names either within the email header, the email body, and/or automatically.

For more information, see Configuring cousin domain profiles.

9. Continue to the next section, or click Create or OK to save the antispam profile.

Configuring heuristic options

The FortiMail unit includes rules used by the heuristic filter. Each rule has an individual score used to calculate the total score for an email. A threshold for the heuristic filter is set for each antispam profile. To determine if an email is spam, the heuristic filter examines an email message and adds the score for each rule that applies to get a total score for that email. For example, if the subject line of an email contains “As seen on national TV!”, it might match a heuristic rule that increases the heuristic scan score towards the threshold.

• Email is spam if the total score equals or exceeds the threshold.
• Email is not spam if the total score is less than the threshold.

The FortiMail unit comes with a default heuristic rule set. To ensure that the most up-to-date spam methods are included in the percentage of rules used to calculate the score, update your FortiGuard Antispam packages regularly. See Configuring centralized administration.

To configure heuristic scan options

1. When configuring an antispam profile, enable Heuristic under Scan Configurations.
2. Click the plus to expand Heuristic.
3. From Action, select the action profile that you want the FortiMail unit to use if the heuristic scan finds spam email.

For more information, see Configuring antispam action profiles.

4. In Threshold, enter the score at which the FortiMail unit considers an email to be spam. The default value is recommended.
5. In the The percentage of rules used field, enter the percentage of the total number of heuristic rules to use to calculate the heuristic score for an email message.
6. Continue to the next section, or click Create or OK to save the antispam profile.

Heuristic scanning is resource intensive. If spam detection rates are acceptable without heuristic scanning, consider disabling it or limiting its application to policies for problematic hosts.

You can also apply this scan to PDF attachments. For more information, see Configuring scan options.

See also

Managing antispam profiles

Configuring antispam action profiles

Configuring SURBL options

In addition to supporting Fortinet’s FortiGuard Antispam SURBL service, the FortiMail unit supports third-party Spam URL Realtime Block Lists (SURBL) servers. You can specify which public SURBL servers to use as part of an antispam profile. Consult the third-party SURBL service providers for any conditions and restrictions.

The SURBL section of antispam profiles lets you configure the FortiMail unit to query one or more SURBL servers to determine if any of the uniform resource identifiers (URL) in the message body are associated with spam. If a URL is blocklisted, the FortiMail unit treats the email as spam and performs the associated action. There are two types of URLs. For details, see Configuring antispam profiles and antispam action profiles.

To configure SURBL scan options

1. When configuring an antispam profile, enable SURBL in the AntiSpam Profile dialog.
2. From Action, select the action profile that you want the FortiMail unit to use if the SURBL scan finds spam email.

For more information, see Configuring antispam action profiles.

3. Next to SURBL click Configuration.

A pop-up window appears that displays the domain name of the SURBL servers.

4. To add a new SURBL server address, click New and type the address in the field that appears.

Since the servers will be queried from top to bottom, you may want to put the reliable servers with less traffic to the top of the list. Click the drop-down menu in the title bar to sort the entries.

5. Select a server and click OK.

The pop-up window closes.

6. Continue to the next section, or click Create or OK to save the antispam profile.

Closing the pop-up window does not save the antispam profile and its associated SURBL server list. To save changes to the SURBL server list, in the antispam profile, click OK before navigating away to another part of the web UI.

Configuring DNSBL options

In addition to supporting Fortinet’s FortiGuard Antispam DNSBL service, the FortiMail unit supports third-party DNS blocklist servers. You can enable DNSBL filtering as part of the antispam profile, and define multiple DNSBL servers for each antispam profile. Consult the third-party DNSBL service providers for any conditions and restrictions.

DNSBL scans examine the IP address of the SMTP client that is currently delivering the email message. If the Enable Block IP to query for the blocklist status of the IP addresses of all SMTP servers appearing in the Received: lines of header lines. option located in the Deep header section is enabled, DNSBL scan will also examine the IP addresses of all other SMTP servers that appear in the Received: lines of the message header. For more information, see Configuring FortiGuard options.

DNSBL scans do not examine private network addresses, which are defined in RFC 1918.

The DNSBL section of antispam profiles lets you configure the FortiMail unit to query one or more servers to determine if the IP address of the SMTP client has been blocklisted. If the IP address is blocklisted, the FortiMail unit treats the email as spam and performs the associated action.

To configure DNSBL scan options

1. When configuring an antispam profile, enable DNSBL in the AntiSpam Profile dialog.
2. From Action, select the action profile that you want the FortiMail unit to use if the DNSBL scan finds spam email.

For more information, see Configuring antispam action profiles.

3. Next to DNSBL click Configuration.

A pop-up window appears where you can enter the domain names of DNSBL servers to use with this profile.

4. To add a new DNSBL server address, click New and type the address in the field that appears.

Since the servers are queried from top to bottom, you may want to put the reliable servers with less traffic to the top of the list. Click the drop-down menu in the title bar to sort the entries.

5. Select a server from the list and click OK.

The pop-up window closes.

Closing the pop-up window does not save the antispam profile and its associated DNSBL server list. To save changes to the DNSBL server list, in the antispam profile, click OK before navigating away to another part of the web UI.

6. Continue to the next section, or click Create or OK to save the antispam profile.

Configuring banned word options

The Banned word section of antispam profiles lets you configure the FortiMail unit to consider email messages as spam if the subject line and/or message body contain a prohibited word. When a banned word is found, the FortiMail unit treats the email as spam and performs the associated action.

When banned word scanning is enabled and an email is found to contain a banned word, the FortiMail unit adds X-FEAS-BANNEDWORD: to the message header, followed by the banned word found in the email. The header may be useful for troubleshooting purposes, when determining which banned word or phrase caused an email to be blocked.

You can use wildcards in banned words. But unlike dictionary scans, banned word scans do not support regular expressions. For details about wildcards and regular expressions, see Appendix D: Wildcards and regular expressions.

You can also apply this scan to PDF attachments. For more information, see Configuring scan options.

To configure banned word scan options

1. When configuring an antispam profile, enable Banned word in the AntiSpam Profile dialog.
2. From Action, select the action profile that you want the FortiMail unit to use if the banned word scan finds spam email.

For more information, see Configuring antispam action profiles.

3. Next to Banned word, click Configuration.

A pop-up window appears, showing the words or phrases that will be prohibited by this profile. You can add or delete words on this window.

4. Click New, then enter the banned word in the field that appears.
5. Select Subject to have the subject line inspected for the banned word. If the check box is clear, the subject line is not inspected.
6. Select Body to have the message body inspected for the banned word. If the check box is clear, the message body is not inspected.
7. Click OK.

The pop-up window closes.

8. Continue to the next section, or click Create or OK to save the antispam profile.

Configuring safelist word options

The Safelist word section of antispam profiles lets you configure the FortiMail unit to consider email messages whose subject line and/or message body contain a safelisted word to be indisputably not spam. If the email message contains a safelisted word, the FortiMail unit does not consider the email to be spam.

You can use wildcards in safelisted words. But unlike dictionary scans, safelist word scans do not support regular expressions. For details about wildcards and regular expressions, see Appendix D: Wildcards and regular expressions.

To configure safe list scan options

1. When configuring an antispam profile, enable Safelist word in the AntiSpam Profile dialog.
2. Next to Safelist word, click Configuration.

A pop-up window appears, showing the words or phrases that are allowed by this profile. You can add or delete words on this window.

3. Click New, then enter the allowed word in the field that appears.
4. Select Subject to have the subject line inspected for the allowed word. If the check box is clear, the subject line is not inspected.
5. Select Body to have the message body inspected for the allowed word. If the check box is clear, the message body is not inspected.
6. Click OK.

The pop-up window closes.

7. Continue to the next section, or click Create or OK to save the antispam profile.

Configuring dictionary options

The Dictionary section of antispam profiles lets you configure the FortiMail unit to use dictionary profiles to determine if the email is likely to be spam. If the FortiMail unit considers email to be spam, it performs the associated action.

Before you can use this feature, you must have existing dictionary profiles. For information on creating dictionary profiles, see Configuring dictionary profiles.

When dictionary scanning is enabled and an email is found to contain a dictionary word, FortiMail units add X-FEAS-DICTIONARY: to the message header, followed by the dictionary word or pattern found in the email. The header may be useful for troubleshooting purposes, when determining which dictionary word or pattern caused an email to be blocked.

Unlike banned word scans, dictionary scans are more resource-intensive. If you do not require dictionary features such as regular expressions, consider using a banned word scan instead.

To configure dictionary scan options

1. When configuring an antispam profile, enable Dictionary in the AntiSpam Profile dialog.
2. Click the plus to expand Dictionary.
3. From Action, select the action profile that you want the FortiMail unit to use if the dictionary scan finds spam email.

For more information, see Configuring antispam action profiles.

4. From the With dictionary group drop-down list, select the name of a group of dictionary profiles to use with the dictionary scan. Or, from the With dictionary profile drop-down list, select the name of a dictionary profile to use with the dictionary scan.
5. In the Minimum dictionary score field, enter the number of dictionary term matches above which the email will be considered to be spam. Note that the score value is based on individual dictionary profile matches, not the dictionary group matches.
6. Continue to the next section, or click Create or OK to save the antispam profile.

Configuring image spam options

The Image spam section of antispam profiles lets you configure the FortiMail unit to analyze the contents of GIF, JPG, and PNG graphics to determine if the email is spam. If the email message contains a spam image, the FortiMail unit treats the email as spam and performs the associated action.

Image spam scanning may be useful when, for example, the message body of an email contains graphics but no text, and text-based antispam scans are therefore unable to determine whether or not an email is spam.

To configure image scan options

1. When configuring an antispam profile, enable Image spam in the AntiSpam Profile dialog.
2. From Action, select the action profile that you want the FortiMail unit to use if the image scan finds spam email.

For more information, see Configuring antispam action profiles.

3. Enable Aggressive scan to inspect image file attachments in addition to embedded graphics.

Enabling this option increases workload when scanning email messages that contain image file attachments. If you do not require this feature, disable this option to improve performance.

This Aggressive scan option applies only if you enable PDF scanning. For more information, see Configuring scan options.

4. Continue to the next section, or click Create or OK to save the antispam profile.

See also

Managing antispam profiles

Configuring antispam action profiles

Configuring Bayesian options

The Bayesian section of antispam profiles lets you configure the FortiMail unit to use Bayesian databases to determine if the email is likely to be spam. If the Bayesian scan indicates that the email is likely to be spam, the FortiMail unit treats the email as spam and performs the associated action.

FortiMail units can maintain two Bayesian databases: global and per-domain.

• For outgoing email, the FortiMail unit uses the global Bayesian database.
• For incoming email, which database will be used when performing the Bayesian scan varies by configuration of the incoming antispam profile and the configuration of the protected domain.

Before using Bayesian scans, you must train one or more Bayesian databases in order to teach the FortiMail unit which words indicate probable spam. If a Bayesian database is not sufficiently trained, it can increase false positive and/or false negative rates. You can train the Bayesian databases of your FortiMail unit in several ways. For more information, see Training the Bayesian databases.

Be aware that, without ongoing training, Bayesian scanning will become significantly less effective over time and thus Fortinet does not recommend enabling the Bayesian scanning feature.

To configure Bayesian scan options

1. When configuring an antispam profile, enable Bayesian in the AntiSpam Profile dialog.
2. Click the plus to expand Bayesian.
3. From Action, select the action profile that you want the FortiMail unit to use if the Bayesian scan finds spam email.

For more information, see Configuring antispam action profiles.

4. Configure the following:

GUI item	Description
Accept training messages from users	Enable to accept training messages from email users. Training messages are email messages that email users forward to the email addresses of control accounts, such as is‑spam@example.com, in order to train or correct Bayesian databases. For information on Bayesian control account email addresses, see Configuring the quarantine control options. FortiMail units apply training messages to either the global or per-domain Bayesian database depending on your configuration of the protected domain to which the email user belongs. Disable to discard training messages. This option is available only if Direction is Incoming (per-domain Bayesian databases cannot be used when the recipient does not belong to a protected domain, which defines outgoing email).
Use other techniques for auto training	Enable to use scan results from FortiGuard, SURBL, and per-user and system-wide safe lists to train the Bayesian databases. This option is available only if Direction is Incoming (domain-level Bayesian databases cannot be used when the recipient does not belong to a protected domain, which defines outgoing email).

5. Continue to the next section, or click Create or OK to save the antispam profile.

Configuring scan options

The Scan Conditions section of antispam profiles lets you configure conditions that cause the FortiMail unit to omit antispam scans, or to apply some antispam scans to PDF attachments.

To configure scan options

1. When configuring an antispam profile, Click the plus to expand Scan Options in the AntiSpam Profile dialog.
2. Configure the following:

GUI item	Description
Max message size to scan	Enter the maximum size of email messages, in bytes, that the FortiMail unit will scan for spam. Messages larger than the set size are not scanned for spam. To disable the size limit, causing all messages to be scanned, regardless of size, enter 0. Note: Resource requirements for scanning messages increase with the size of the email message. If the spam you receive tends not to be smaller than a certain size, consider limiting antispam scanning to messages under this size to improve performance.
Bypass scan on SMTP authentication	Enable to bypass spam scanning for authenticated SMTP connections. This option is enabled by default. Note: If you can trust that authenticating SMTP clients are not a source of spam, consider enabling this option to improve performance.
Scan PDF attachment	Spammers may attach a PDF file to an otherwise empty message to get their email messages past spam safeguards. The PDF file contains the spam information. Since the message body contains no text, antispam scanners cannot determine if the message is spam. Enable this option to use the heuristic, banned word, and image spam scans to inspect the first page of PDF attachments. This option applies only if you have enabled and configured heuristic, banned word, and/or image spam scans. For information on configuring those scans, see Configuring heuristic options, Configuring banned word options, and Configuring image spam options.
Apply default action without scan upon policy match	Select this option to take the default antispam action right away without applying other antispam filters if the email matches the relevant IP or recipient policy.

Performing a batch edit

You can apply changes to multiple profiles at once.

1. Go to Profile > AntiSpam > AntiSpam.
2. In the row corresponding to existing profiles whose settings you want to modify, hold Ctrl and select the profiles you want to edit.

The ability to batch edit antispam profiles does not apply to predefined profiles.

3. Click Batch Edit.

The AntiSpam Profile dialog appears.

4. Modify the profile, as explained in Managing antispam profiles, changing only those settings that you want to apply to all selected profiles.
5. Click Apply To All to save the changes and remain on the dialog, or click OK to save the changes and return to the AntiSpam tab.

Configuring email impersonation profiles

Email impersonation, or Business Email Compromise (BEC), is one of the email spoofing attacks. It forges the email header to deceive the recipient because the message appears to be from a different source than the actual address.

To use this feature, you must have a license for the Fortinet Enterprise Advanced Threat Protection (ATP) bundle.

To fight against email impersonation, you can map high valued target display names with correct email addresses and FortiMail can check for the mapping. For example, an external spammer wants to impersonate the CEO of your company(ceo@company.com). The spammer will put "CEO ABC <ceo@external.com>" in the Email header From, and send such email to a user(victim@company.com). If FortiMail has been configured with a manual entry "CEO ABC"/"ceo@company.com" in an impersonation analysis profile to indicate the correct display name/email pair, or it has learned display name/email pair through the dynamic process, then such email will be detected by impersonation analysis, because the spammer uses an external email address and an internal user's display name.

There are two ways to do the mapping:

• Manual: you manually enter mapping entries and create impersonation analysis profiles as described below. Then you enable the impersonation profile in an antispam profile (Managing antispam profiles). Eventually, you will apply the antispam profile in the IP-based or recipient-based policies (Controlling email based on IP addresses and Controlling email based on sender and recipient addresses).
• Dynamic: FortiMail Mail Statistics Service can automatically learn the mapping. See details below.

Impersonation analysis checks both the Header From and Reply-To fields.

You can also add exempt entries so that FortiMail will skip the impersonation analysis check.

To avoid false positives, impersonation analysis also follows some other exempt rules.

To create an impersonation analysis profile

1. Go to Profile > AntiSpam > Impersonation.
2. Click New to create a new profile.
3. Enter a profile name.
4. Select a domain or System from the dropdown list. The profile will be applied to your selection.
5. Under Impersonation, select Match Rule or Exempt Rule.
6. Click New to add an entry.

GUI item	Description
Display name pattern	Enter the display name to be mapped to the email address. You can use wildcard or regular expression.
Pattern type	Either wildcard or regular expression.
Email address	Enter the email address to be mapped to the display name. The email address can be from protected/internal domains or unprotected/external domains. If the email address is from an external domain, such as gmail.com or hotmail.com, the display name matching the external email address will be passed. Otherwise, it will be caught by impersonation analysis.

7. Click Create.

Enabling impersonation analysis dynamic scanning

In addition to manually entering mapping entries and creating impersonation analysis profiles, FortiMail Mail Statistics Service can automatically/dynamicaly learn and track the mapping of display names and internal email addresses.

To use the FortiMail manual, dynamic, or both manual and dynamic impersonation analysis scanning, use the following command:

config antispam settings

set impersonation-analysis dynamic manual

end

By default, FortiMail uses manual analysis only.

Also enable the FortiMail Mail Statistics Service with the following command. This service is disabled by default:

config system global

set mailstat-service enable

end

After the service is enabled, you can search the dynamic database by going to Profile > AntiSpam > Impersonation and clicking Impersonation Lookup. If the record exists in the database, after you enter the email address, the corresponding display name will be displayed.

Configuring cousin domain profiles

The Cousin Domain tab lets you manage and configure cousin domain profiles.

Similar to impersonation profiles, cousin domain profiles help to mitigate BEC email-impersonation risks. Similar to impersonation profiles that map display names, cousin domain profiles map sender domain names to either be scanned or exempt from scanning. Domain names may be deliberately misspelled, either by character removal, substitution, and/or transposition, in order to make emails look as though they originate from trusted internal sources.

For example, if you configure an entry for sender domain f?rtinet.com (regex), f0rtinet.com will be caught, but the legitimate and trusted sender domain fortinet.com will also be caught as a cousin domain. To avoid this, you can add fortinet.com into the exempt rules setting to exempt it from being caught.

Cousin domain scan options, such as auto detection, are configured within antispam profiles. See Configuring impersonation options for more information.

To create a cousin domain profile

1. Go to Profile > AntiSpam > Cousin Domain.
2. Click New to create a new profile.
3. Enter a profile name.
4. Select a domain or System from the dropdown list. The profile will be applied to your selection.
5. Under Cousin Domain, select Match Rule or Exempt Rule.
6. Click New to add an entry.

GUI item	Description
Domain name pattern	Enter the domain name to be mapped to the email address. You can use wildcard or regular expression.
Pattern type	Either wildcard or regular expression.

7. Click Create.

Configuring antispam action profiles

The Action tab in the AntiSpam submenu lets you define one or more things that the FortiMail unit should do if the antispam profile determines that an email is spam.

For example, assume you configured a default antispam action profile, named quar_and_tag_profile, that both tags the subject line and quarantines email detected to be spam. In general, all antispam profiles using the default action profile will quarantine the email and tag it as spam. However, you can decide that email failing to pass the dictionary scan is always spam and should be rejected so that it does not consume quarantine disk space. Therefore, for the antispam profiles that apply a dictionary scan, you could override the default action by configuring and using a second action profile, named rejection_profile, which rejects such email.

The specific action profile will override the default action profile when mailfilterd scans the email and take disposition (action) against the email. When the email is out of the process of mailfilterd, any remaining actions, such as spam report, web release, and sender safelisting, will still be taken based on the default action profile.

To view and configure antispam action profiles

1. Go to Profile > AntiSpam > Action.

GUI item	Description
Domain (drop-down list)	Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile.
Profile Name	Displays the name of the profile.
Domain (column)	Displays either System or a domain name.
(Green dot in column heading)	Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

2. Either click New to add a profile or double-click an existing profile to modify it. You can also select multiple profiles and batch edit them.

A dialog appears.

3. Configure the following:

GUI item		Description
Domain		Select if the action profile will be system-wide or domain-wide. You can see only the domains that are permitted by your administrator profile.
Profile name		For a new profile, enter a name.
Tag subject		Enable and enter the text that appears in the subject line of the email, such as [spam], in the With value field. The FortiMail unit will prepend this text to the subject line of spam before forwarding it to the recipient. Many email clients can sort incoming email messages into separate mailboxes, including a spam mailbox, based on text appearing in various parts of email messages, including the subject line. For details, see the documentation for your email client.
Insert header		Enable and enter the message header key in the field, and the values in the With value field. The FortiMail unit adds this text to the message header of the email before forwarding it to the recipient. Many email clients can sort incoming email messages into separate mailboxes, including a spam mailbox, based on text appearing in various parts of email messages, including the message header. For details, see the documentation for your email client. Message header lines are composed of two parts: a key and a value, which are separated by a colon. For example, you might enter: X-Custom-Header: Detected as spam by profile 22. If you enter a header line that does not include a colon, the FortiMail unit will automatically append a colon, causing the entire text that you enter to be the key. Note: Do not enter spaces in the key portion of the header line, as these are forbidden by RFC 2822. Starting from 6.0.1 release, you can add multiple headers by adding them to the header table. You can also insert the predefined variables to the header value.
Insert disclaimer		Starting from 6.0.1 release, you can insert disclaimer as an action. You can modify the default discaimer or add new disclaimers by going to System > Customization > Custom Message > Email Content Resources > Disclaimer insertion message.
Deliver to alternate host		Enable to route the email to a specific SMTP server or relay, then type the fully qualified domain name (FQDN) or IP address of the destination. You can choose to deliver the original email or the modified email. Note: If you enable this setting, the FortiMail unit uses this destination for all email that matches the profile and ignores Relay server name and Use this domain’s SMTP server to deliver the mail.
Deliver to original host		Enable to deliver email to the original host.
BCC		Enable to send a blind carbon copy (BCC) of the email. You can specify an Envelope from address so that, in the case the email is not deliverable and bounced back, it will be returned to the specified envelope from address, instead of the original sender. This is helpful when you want to use a specific email to collect bounce notifications. Click New to add BCC recipients.
Archive to account		Enable to send the email to an archiving account. Click New to create a new archiving account or click Edit to modify an existing account. For details about archiving accounts, see Email archiving workflow.
Notify with profile		Enable and select a notification profile to send a notification email to the sender, recipient, or any other people as you configure in the notification profile. The notification email is customizable and will tell the users what happened to the email message. For details about notification profiles and email templates, see Configuring notification profiles and Customizing email templates.
Final action		For details about final and non-final actions, see Order of execution.
	Discard	Enable to accept the email, but then delete it instead of delivering the email, without notifying the SMTP client.
	Reject	Enable to reject the email and reply to the SMTP client with SMTP reply code 550. However, if email messages are held for FortiGuard spam outbreak protection or sent to FortiSandbox, the actual action will fallback to "system quarantine" if spam or viruses are detected afterwards.
	Personal quarantine	For incoming email, enable to redirect the email to the recipient’s personal quarantine. For more information, see Managing the personal quarantines. For outgoing email, this action will fallback to the system quarantine. You can choose to quarantine the original email or the modified email.
	System quarantine	Enable to redirect spam to the system quarantine folder. For more information, see Managing the system quarantine. You can choose to quarantine the original email or the modified email.
	Domain quarantine	Enable to redirect spam to the domain quarantine folder. For more information, see Managing the domain quarantines.
	Rewrite recipient email address	Enable to change the recipient address of any email message detected as spam. Configure rewrites separately for the local-part (the portion of the email address before the '@' symbol, typically a user name) and the domain part (the portion of the email address after the '@' symbol). For each part, select either: None: No change. Prefix: Prepend the part with text that you have entered in the With field. Suffix: Append the part with the text you have entered in the With field. Replace: Substitute the part with the text you have entered in the With field.

4. Click Create or OK.

To apply an antispam action profile, select it in one or more antispam profiles. For details, see Managing antispam profiles.