antispam settings
Use these commands to configure global antispam settings.
Syntax
config antispam settings
set bayesian-is-not-spam <local-part_str>
set bayesian-is-spam <local-part_str>
set bayesian-learn-is-not-spam <local-part_str>
set bayesian-learn-is-spam <local-part_str>
set bayesian-training-group <local-part_str>
set blocklist-action {as-profile | discard | reject}
set bounce-verification-action {as-profile | discard | reject}
set bounce-verification-auto-delete-policy {never | one-month | one-year | six-months | three-months}
set bounce-verification-status {enable | disable}
set bounce-verification-tagexpiry <days_int>
set carrier-endpoint-acct-response {enable | disable}
set carrier-endpoint-acct-secret <password_str>
set carrier-endpoint-acct-validate {enable | disable}
set carrier-endpoint-attribute {Acct-Authentic ... Vendor-Specific)
set carrier-endpoint-blocklist-window-size {15m | 30m | 60m | 90m | 120m | 240m | 360m | 480m | 1440m}
set carrier-endpoint-framed-ip-order {host-order | network-order}
set carrier-endpoint-radius-port <port_int>
set carrier-endpoint-status {enable | disable}
set delete-ctrl-account <local_part_str>
set dmarc-policy-none-override {enable | disable}
set dynamic-safe-list-domain <domain_name_string>
set dynamic-safe-list-state {enable | disable}
set greylist-capacity <maximum_int>
set greylist-check-level {disable | enable | low | high}
set greylist-delay <1-120 minutes>
set greylist-init-expiry-period <window_int>
set impersonation-analysis {manual | dynamic}
set release-ctrl-account <local-part_str>
set safe-block-list-precedence {system session domain personal}
set safe-block-list-tracking {enable | disable}
set safelist-bypass-sender-auth {enable | disable}
set scan-action-preference {single-action | multi-action}
set session-profile-rate-control-interval <minutes>
set uri-checking {strict | aggressive | extreme}
end
Variable |
Description |
Default |
Enter the time of day at which the FortiMail unit will automatically remove invalid per-recipient quarantines. Use the format For example, to begin automatic invalid quarantine removal at 5:30 PM, enter |
4:0:0 |
|
Enter the local-part portion of the email address at which the FortiMail unit will receive email messages that correct false positives. For example, if the local domain name of the FortiMail unit is example.com and you want to correct the assessment of a previously scanned spam that was actually legitimate email by sending control messages to is-not-spam@example.com, you would enter |
is-not-spam |
|
Enter the local-part portion of the email address at which the FortiMail unit will receive email messages that correct false negatives. For example, if the local domain name of the FortiMail unit is example.com and you want to correct the assessment of a previously scanned email that was actually spam by sending control messages to is-spam@example.com, you would enter |
is-spam |
|
Enter the local-part portion of the email address at which the FortiMail unit will receive email messages that train it to recognize legitimate email. Unlike the For example, if the local domain name of the FortiMail unit is example.com and you want to train the Bayesian database to recognize legitimate email by sending control messages to learn-is-not-spam@example.com, you would enter |
learn-is-not-spam |
|
Enter the local-part portion of the email address at which the FortiMail unit will receive email messages that train it to recognize spam. Unlike the For example, if the local domain name of the FortiMail unit is example.com and you want to train the Bayesian database to recognize spam by sending control messages to learn-is-spam@example.com, you would enter |
learn-is-spam |
|
Enter the local-part portion of the email address that FortiMail administrators can use as their sender email address when forwarding email to the “learn is spam" email address or “learn is not spam" email address. Training messages sent from this sender email address will be used to train the global or per-domain Bayesian database (whichever is selected in the protected domain) but will not train any per-user Bayesian database. In contrast, if a FortiMail administrator were to forward email using their own email address (rather than the training group email address) as the sender email address, and per-user Bayesian databases were enabled in the corresponding incoming antispam profile, the FortiMail unit would also apply the training message to their own per-user Bayesian database. |
default-grp |
|
Use these commands to select the action that the FortiMail unit performs when an email message arrives from or, in the case of per-session profile recipient blocklists, is destined for a blocklisted email address, mail domain, or IP address. This setting affects email matching any system-wide, per-domain, per-session profile, or per-user blocklist. For email messages involving a blocklisted email address, domain, or IP address, select one of the following options:
|
discard |
|
Enter the action that the FortiMail unit will perform if it receives a bounce address tag that is invalid.
|
as-profile |
|
bounce-verification-auto-delete-policy {never | one-month | one-year | six-months | three-months} |
Inactive keys will be removed after being unused for the selected time period.
The active key will not be automatically removed. |
never |
Enable to activate bounce address tagging and verification. Tag verification can be bypassed in IP profiles and protected domains. |
disable |
|
Enter the number of days an email tag is valid. When this time elapses, the FortiMail unit will treat the tag as invalid. Valid range is from 3 to 30 days. |
7 |
|
Enable/disable endpoint account validation on the RADIUS server. |
disable |
|
Type the shared secret for RADIUS account response/request validation. |
|
|
Enable/disable validating shared secret of account requests. |
disable |
|
carrier-endpoint-attribute {Acct-Authentic ... Vendor-Specific) |
Type the RADIUS account attribute associated with the endpoint user ID. If you have more than one RADIUS server and each server uses different account attribute for the endpoint user ID, you can specify up to five attributes with this command. For example, a 3G network may use the “Calling-Station-ID” attribute while an ADSL network may use the “User-Name” attribute. A carrier end point is any device on the periphery of a carrier’s or Internet service provider’s (ISP) network. It could be a subscriber’s GSM cellular phone, wireless PDA, or computer using DSL service. Unlike MTAs, computers in homes and small offices and mobile devices such as laptops and cellular phones that send email may not have a static IP address. Cellular phones’ IP addresses especially may change very frequently. After a device leaves the network or changes its IP address, its dynamic IP address may be reused by another device. Because of this, a sender reputation score that is directly associated with an SMTP client’s IP address may not function well. A device sending spam could start again with a clean sender reputation score simply by rejoining the network to get another IP address, and an innocent device could be accidentally blocklisted when it receives an IP address that was previously used by a spammer. |
Calling-Station-Id (RADIUS attribute 31) |
carrier-endpoint-blocklist-window-size {15m | 30m | 60m | 90m | 120m | 240m | 360m | 480m | 1440m} |
Enter the amount of previous time, in minutes, whose score-increasing events will be used to calculate the current endpoint reputation score. For example, if the window is |
15m |
carrier-endpoint-framed-ip-attr {Framed-IP- |
Specify the RADIUS attribute whose value will be used as the endpoint user IP address. By default, the endpoint user IP address uses the value of RADIUS attribute 8 (framed IP address). However, if the endpoint IP address uses the value from different RADIUS attribute/number other than attribute 8, you can specify the corresponding attribute number with this command. You can use the “diagnose debug application msisdn” command to capture RADIUS packets and find out what attribute name/number is used to hold the IP address value. Note that you can specify multiple values, such as both IPv4 and IPv6 attributes. |
Framed-IP- |
carrier-endpoint-framed-ip-order {host-order | network-order} |
Select one of the following methods for endpoint IP address formatting: host-order: format an IP address in host order, that is, the host portion is at the beginning. For example, 1.1.168.192. network-order: sorts IP addresses in the network order, that is, the network portion is at the begging. For example, 192.168.1.1. |
host-order |
Type the RADIUS server port for carrier endpoint account requests. |
1813 |
|
Enable endpoint reputation scan for traffic examined by the session profile. This command starts the endpoint reputation daemon. You must start this daemon for the endpoint reputation feature to work. |
enable |
|
Use this command to configure the email addresses through which email users can delete email from their per-recipient quarantines. Enter the local-part portion of the email address at which the FortiMail unit will receive email messages that control deletion of email from per-recipient quarantines. For example, if the local domain name of the FortiMail unit is example.com and you want to delete email by sending control messages to quar_delete@example.com, you would enter |
delete-ctrl |
|
Enable to override Domain-based Message Authentication, Reporting and Conformance (DMARC) p=none sender policy. When enabled, if DMARC failed and sender policy is none, FortiMail will still take the configured antispam profile action. |
disable |
|
Enter the domain name of the dynamic safe list. |
|
|
Enable the dynamic safe list. |
disable |
|
Enter the maximum number of greylist items in the greylist. New items that would otherwise cause the greylist database to grow larger than the capacity will instead overwrite the oldest item. To determine the default value and acceptable range for your FortiMail model, enter a question mark ( ? ). |
Varies by model |
|
Greylist scanning blocks spam based on the behavior of the sending server, rather than the content of the messages. When receiving an email from an unknown server, the FortiMail unit will temporarily reject the message. If the mail is legitimate, the originating server will try to send it again later (RFC 2821), at which time the FortiMail unit will accept it. Spammers will typically abandon further delivery attempts in order to maximize spam throughput. Enable/disable greylist check, or set how aggressively to perform greylist check: high or low. The high level setting greylists all messages from unknown MTAs, while the low level setting will selectively greylist based on the age and reputation of the MTAs -- the trusted MTAs will not be greylisted whereas the new untrusted MTAs wil be greylisted. |
high |
|
Enter the length in minutes of the greylist delay period. For the initial delivery attempt, if no manual greylist entry (exemption) matches the email message, the FortiMail unit creates a pending automatic greylist entry, and replies with a temporary failure code. During the greylist delay period after this initial delivery attempt, the FortiMail unit continues to reply to additional delivery attempts with a temporary failure code. After the greylist delay period elapses and before the pending entry expires (during the The valid range is between 1 and 120 minutes. |
10 |
|
Enter the period of time in hours after the The valid range is between 4 to 24 hours. |
4 |
|
Enter the time to live (TTL) that determines the maximum amount of time that unused automatic greylist entries will be retained. Expiration dates of automatic greylist entries are determined by adding the TTL to the date and time of the previous matching delivery attempt. Each time an email message matches the entry, the life of the entry is prolonged; in this way, entries that are in active use do not expire. If the TTL elapses without an email message matching the automatic greylist entry, the entry expires and the greylist scanner removes the entry. The valid range is between 1 to 60 days. |
30 |
|
Email impersonation is one of the email spoofing attacks. It forges the email header to deceive the recipient because the message appears to be from a different source than the actual address. To fight against email impersonation, you can map display names with email addresses and check email for the mapping. You can choose whether the impersonation analysis uses the manual mapping entries or dynamic entries. You can also use both types of entries. Manual uses the entries you manually entered under Profile > AntiSpam > Impersonation. Dynamic uses the entries automatically learned by the FortiMail mail statistics service. To enable this service, enable |
manual |
|
Use this command to configure the email addresses through which email users can release email from their per-recipient quarantines. Enter the local-part portion of the email address at which the FortiMail unit will receive email messages that control deletion of email from per-recipient quarantines. For example, if the local domain name of the FortiMail unit is example.com and you want to delete email by sending control messages to quar_delete@example.com, you would enter |
|
|
By default, system safelists and blocklists have precedence over other safelists and blocklists. In some cases, you may want to change the precedence order. For example, you may want to allow a user to use their own lists to overwrite the system list. In this case, you can move “personal’ ahead of “system”. |
system session domain personal |
|
Enable to track various system safelist and blocklist statistics, including creation time, last hit time, and hit count. These statistics are tracked under Security > Block/Safe List > System and Security > Block/Safe List > Domain. |
disable |
|
Enable (by default) to bypass antispam authentication for safelisted senders. When disabled, if the scan result of SPF, DKIM, or DMARC is a failure, and the sender is safelisted, the result of SPF, DKIM, and DMARC takes precedence. |
enable |
|
Either apply only the first matching antispam filter, or multiple matching antispam filters, where each matching antispam filter action is applied until the final action is found. |
multi-action |
|
The rate control option enables you to control the rate at which email messages can be sent, by the number of connections, the number of messages, or the number recipients per client per period (in minutes). This command sets the time period. Other values are set under the |
30 |
|
When you configure an antispam profile under Profile > AntiSpam > AntiSpam, if you enable FortiGuard scan and SURBL scan, FortiMail will scan for blocklisted URIs in email bodies. There are two types of URIs:
In some cases, you may want to scans for both absolute and reference URIs to improve the catch rate. In some cases (for example, to lower false positive rates), you may want to scan for absolute URIs only.
|
strict |