
CLI Reference

profile antispam

Use this command to configure system-wide antispam profiles.

FortiMail units can use various methods to detect spam, such as the FortiGuard Antispam service, DNSBL queries, Bayesian scanning, and heuristic scanning. Antispam profiles contain settings for these features that you may want to vary by policy. Depending on the feature, before you configure antispam policies, you may need to enable the feature or configure its system-wide settings.

Syntax

config profile antispam

edit <profile_name>

config bannedwords

edit <word_str>

set subject {enable | disable}

set body {enable | disable}

config dnsbl-server

edit <server_name>

config surbl-server

edit <server_name>

config safelistwords

edit <word_str>

set subject {enable | disable}

set body {enable | disable}

set action-banned-word <action_profile>

set action-bayesian <action-profile_name>

set action-behavior-analysis <action-profile_name>

set action-deep-header <action-profile_name>

set action-default <action-profile_name>

set action-dictionary <action-profile_name>

set action-dkim <action-profile_name>

set action-dmarc <action-profile_name>

set action-fortiguard <action-profile_name>

set action-fortiguard-blockip <action-profile-name>

set action-fortiguard-phishing-uri <action-profile-name>

set action-grey-list <action-profile_name>

set action-heuristic <action-profile_name>

set action-image-spam <action-profile_name>

set action-impersonation-analysis <action>

set action-newsletter <action-profile_name>

set action-rbl <action-profile_name>

set action-spf-fail <action>

set action-spf-neutral <action>

set action-spf-none <action>

set action-spf-pass <action>

set action-spf-perm-error <action>

set action-spf-sender-alignment <action>

set action-spf-soft-fail <action>

set action-spf-temp-error <action>

set action-surbl <action-profile_name>

set action-suspicious-newsletter <action-profile_name>

set action-uri-filter <action-profile_name>

set action-uri-filter-secondary <action-profile_name>

set action-virus <action-profile_name>

set aggressive {enable | disable}

set apply-action-default {enable | disable}

set banned-word {enable | disable}

set bayesian {enable | disable}

set behavior-analysis {enable | disable}

set bayesian-autotraining {enable | disable}

set bayesian-user-db {enable | disable}

set bayesian-usertraining {enable | disable}

set behavior-analysis {enable | disable}

set cousin-domain {enable | disable}

set cousin-domain-profile <domain_name>

set cousin-domain-scan-option {auto-detection body-detection header-detection}

set deepheader-analysis {enable | disable}

set deepheader-check-ip {enable | disable}

set dict-score <score_int>

set dictionary {enable | disable}

set dictionary-profile

set dictionary-type

set dkim-status {enable | disable}

set dmarc-status {enable | disable}

set dnsbl {enable | disable}

set fortiguard-antispam {enable | disable}

set fortiguard-check-ip {enable | disable}

set fortiguard-phishing-uri {enable | disable}

set greylist {enable | disable}

set heuristic {enable | disable}

set heuristic-lower <threshold_int>

set heuristic-rules-percent <percentage_int>

set heuristic-upper {threshold_int}

set image-spam {enable | disable}

set impersonation <profile_name>

set impersonation-analysis {enable | disable}

set impersonation-status {enable | disable}

set ip-reputation-level1-status {enable | disable}

set ip-reputation-level2-status {enable | disable}

set ip-reputation-level3-status {enable | disable}

set newsletter-status {enable | disable}

set scan-bypass-on-auth {enable | disable}

set scan-max-size <bytes_int>

set scan-pdf {enable | disable}

set spam-outbreak-protection {enable | disable | monitor-only}

set spf-checking {enable | disable}

set spf-fail-status {enable | disable}

set spf-neutral-status {enable | disable}

set spf-none-status {enable | disable}

set spf-pass-status {enable | disable}

set spf-sender-alignment-status {enable | disable}

set spf-perm-error-status {enable | disable}

set spf-soft-fail-status {enable | disable}

set spf-temp-error-status {enable | disable}

set surbl {enable | disable}

set suspicious-newsletter-status {enable | disable}

set uri-filter <filter>

set uri-filter-secondary <filter>

set uri-filter-secondary-status {enable | disable}

set uri-filter-status {enable | disable}

set virus {enable | disable}

set safelist-enable {enable | disable}

set safelist-word {enable | disable}

end

Variable

Description

Default

<profile_name>

Enter the name of an antispam profile.

<word_str>

Enter the banned word. You can use wildcards in banned words. But regular expressions are not supported. For more information about wildcards and regular expressions, see the FortiMail Administration Guide.

subject {enable | disable}

Enable to check the subject line for the banned word.

disable

body {enable | disable}

Enable to check the message body for the banned word.

disable

<server_name>

Enter a DNSBL server name to perform a DNSBL scan. The FortiMail unit will query DNS blocklist servers.

<server_name>

Enter a SURBL server name to perform a SURBL scan. The FortiMail unit will query SURBL servers.

<word_str>

Enter the safelisted word to configure.

subject {enable | disable}

Enable to check the subject line for the safelisted word.

disable

body {enable | disable}

Enable to check the message body for the safelisted word.

disable

action-banned-word <action_profile>

Enter the action profile that you want the FortiMail unit to use if the banned word scan determines that the email is spam.

action-bayesian <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the Bayesian scan determines that the email is spam.

action-behavior-analysis <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the behavior analysis scan determines that the email is spam.

action-deep-header <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the deep header scan determines that the email is spam.

action-default <action-profile_name>

Enter the default action profile that you want all scanners of the FortiMail unit to use. However, if you choose an action profile other than “default” for a scanner, this scanner will use the chosen profile.

action-dictionary <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the heuristic scan determines that the email is spam.

action-dkim <action-profile_name>

Enter the action profile for DKIM checking. This option is only available when dkim-status is set to enable.

action-dmarc <action-profile_name>

Enter the action profile for DMARC check failure. If either SPF check or DKIM check passes, DMARC check will pass. If both fail, DMARC check fails.

action-fortiguard <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the FortiGuard Antispam scan determines that the email is spam.

action-fortiguard-blockip <action-profile-name>

Enter the action profile that you want the FortiMail unit to use if the FortiGuard block IP scan determines that the email is spam.

action-fortiguard-phishing-uri <action-profile-name>

Enter the action profile that you want the FortiMail unit to use if the FortiGuard phishing URI scan determines that the email is spam.

action-grey-list <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the grey list scan determines that the email is spam.

action-heuristic <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the heuristic scan determines that the email is spam.

action-impersonation-analysis <action>

Enter the action profile that you want the FortiMail unit to use if the impersonation analysis determines the email is from someone impersonating a known email address.

action-image-spam <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the image scan determines that the email is spam.

action-newsletter <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the newsletter scan determines that the email is spam.

action-rbl <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the RBL scan determines that the email is spam.

action-spf-fail <action>

Enter the action FortiMail performs if the SPF fails, which means the host is not authorized to send messages.

action-spf-neutral <action>

Enter the action FortiMail performs if SPF neutral fails, which means an SPF record is found but it makes no definitive assertion.

action-spf-none <action>

Enter the action FortiMail performs if SPF none fails, which means there is no SPF record.

action-spf-pass <action>

Enter the action FortiMail performs if SPF pass fails, which means it discovers the host is not authorized to send a message.

action-spf-perm-error <action>

Enter the action FortiMail performs if SPF perm error fails, which means the SPF records are invalid.

action-spf-sender-alignment <action>

Enter the action FortiMail performs if SPF sender alignment fails, which means the Header From domain and the authorization domain do not match.

action-spf-soft-fail <action>

Enter the action FortiMail takes if SPF soft fail fails, which means the host is not authorized to send messages, but this is not a strong statement.

action-spf-temp-error <action>

Enter the action FortiMail performs if action SPF temp error fails, which means there is a processing error.

action-surbl <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the SURBL scan determines that the email is spam.

action-suspicious-newsletter <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the suspicious newsletter scan determines that the email is spam.

action-uri-filter <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the URI filter scan determines that the email is spam.

action-uri-filter-secondary <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the URI filter scan determines that the email is spam.

action-virus <action-profile_name>

Enter the action profile that requires the FortiMail unit to treat messages with viruses as spam.

aggressive {enable | disable}

Enable this option to examine file attachments in addition to embedded images.

To improve performance, enable this option only if you do not have a satisfactory spam detection rate.

disable

apply-action-default {enable | disable}

Enable this option to apply default action to all messages.

disable

banned-word {enable | disable}

Enable this option to scan banned words for this antispam profile.

disable

bayesian {enable | disable}

Enable this option to activate Bayesian scan for this antispam profile.

disable

behavior-analysis {enable | disable}

Enable this option to activate behavior analysis scan for this antispam profile.

disable

bayesian-autotraining {enable | disable}

Enable to use FortiGuard Antispam and SURBL scan results to train per-user Bayesian databases that are not yet mature (that is, they have not yet been trained with 200 legitimate email and 100 spam in order to recognize spam).

enable

bayesian-user-db {enable | disable}

Enable to use per-user Bayesian databases.

If disabled, the Bayesian scan will use either the global or the per-domain Bayesian database, whichever is selected for the protected domain.

disable

bayesian-usertraining {enable | disable}

Enable to accept email forwarded from email users to the Bayesian control email addresses in order to train the Bayesian databases to recognize spam and legitimate email.

enable

behavior-analysis {enable | disable}

Enable to analyze the similarities between uncertain email and known email in the behavior analysis (BA) database to determine whether the uncertain email is spam.

See also antispam behavior-analysis to adjust the BA aggressiveness level.

disable

cousin-domain {enable | disable}

Note: For this subcommand to take effect, impersonation-status must be set to enable.

Enable the cousin domain feature to mitigate business email compromise (BEC) email-impersonation risks due to domain names being deliberately misspelled.

disable

cousin-domain-profile <domain_name>

Enter the cousin domain profile used by this profile to prevent domain name impersonation.

cousin-domain-scan-option {auto-detection body-detection header-detection}

Enter cousin domain scan options for detecting misspelled domain names either automatically, within the email body, and/or the email header.

Separate each option with a space for multiple scan options.

header-detection body-detection auto-detection

deepheader-analysis {enable | disable}

Enable to inspect all message headers for known spam characteristics.

If the FortiGuard Antispam scan is enabled, this option uses results from that scan, providing up-to-date header analysis. For more information, see “set as profile modify fortishield” on page 184.

disable

deepheader-check-ip {enable | disable}

Enable to query for the blocklist status of the IP addresses of all SMTP servers appearing in the Received: lines of the message header.

If this option is disabled, the FortiMail unit checks only the IP address of the current SMTP client.

This option applies only if you have also configured either or both FortiGuard Antispam scan and DNSBL scan. For more information, see “set as profile modify fortishield” on page 184 and “set as profile modify dnsbl” on page 181.

disable

dict-score <score_int>

Enter the number of dictionary term matches above which the email will be considered to be spam.

dictionary {enable | disable}

Enable to perform a dictionary scan for this profile.

disable

dictionary-profile

Enter the dictionary profile name.

dictionary-type

Enter the type of dictionary profile.

dkim-status {enable | disable}

Enable to have the unit perform email authentication with DKIM checking. Once enabled, assign an appropriate action profile using action-dkim.

dmarc-status {enable | disable}

Enable to have the unit perform email authentication with SPF and DKIM checking. If either SPF check or DKIM check passes, DMARC check will pass. If both fail, DMARC fails.

disable

dnsbl {enable | disable}

Enable to perform a DNSBL scan for this profile. The FortiMail unit will query DNS blocklist servers defined using “set out_profile profile modify deepheader” on page 405.

disable

fortiguard-antispam {enable | disable}

Enable to let the FortiMail unit query the FortiGuard Antispam service to determine if any of the uniform resource identifiers (URI) in the message body are associated with spam. If any URI is blocklisted, the FortiMail unit considers the email to be spam, and you can select the action that the FortiMail unit will perform.

disable

fortiguard-check-ip {enable | disable}

Enable to include whether or not the IP address of the SMTP client is blocklisted in the FortiGuard Antispam query.

disable

fortiguard-phishing-uri {enable | disable}

Enable to include whether or not the phishing URI is blocklisted in the FortiGuard Antispam query.

disable

greylist {enable | disable}

Enable to perform a greylist scan.

disable

heuristic {enable | disable}

Enable to perform a heuristic scan.

disable

heuristic-lower <threshold_int>

Enter the score equal to or below which the FortiMail unit considers an email to not be spam.

-20.000000

heuristic-rules-percent <percentage_int>

Enter the percentage of the total number of heuristic rules that will be used to calculate the heuristic score for an email message.

The FortiMail unit compares this total score to the upper and lower level threshold to determine if an email is:

  • spam
  • not spam
  • indeterminable (score is between the upper and lower level thresholds)

To improve system performance and resource efficiency, enter the lowest percentage of heuristic rules that results in a satisfactory spam detection rate.

100

heuristic-upper {threshold_int}

Enter the score equal to or above which the FortiMail unit considers an email to be spam.

10.000000

image-spam {enable | disable}

Enable to perform an image spam scan.

disable

impersonation <profile_name>

Enter the impersonation profile used by this profile to prevent email spoofing attacks.

impersonation-analysis {enable | disable}

Note: For this subcommand to take effect, impersonation-status must be set to enable.

Enable sender impersonation analysis to automatically learn and track the mapping of display names and internal email addresses to prevent spoofing attacks.

disable

impersonation-status {enable | disable}

Enable the sender impersonation feature.

Once enabled, cousin-domain, impersonation-analysis, and spf-sender-alignment-status can take effect.

disable

ip-reputation-level1-status {enable | disable}

Enable IP reputation to enable the FortiMail unit to query the FortiGuard Antispam service to determine if the public IP address of the SMTP client is blocklisted.

FortiGuard categorizes the blocklisted IP addresses into three levels: level 1 has the worst reputation and level 3 the best.

disable

ip-reputation-level2-status {enable | disable}

Enable IP reputation to enable the FortiMail unit to query the FortiGuard Antispam service to determine if the public IP address of the SMTP client is blocklisted.

FortiGuard categorizes the blocklisted IP addresses into three levels: level 1 has the worst reputation and level 3 the best.

disable

ip-reputation-level3-status {enable | disable}

Enable IP reputation to enable the FortiMail unit to query the FortiGuard Antispam service to determine if the public IP address of the SMTP client is blocklisted.

FortiGuard categorizes the blocklisted IP addresses into three levels: level 1 has the worst reputation and level 3 the best.

disable

newsletter-status {enable | disable}

Enable detection of newsletters to make sure newsletters and other marketing campaigns are not spam.

spf-fail-status {enable | disable}

Enable to make the FortiMail unit check if the host is not authorized to send messages.

If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-fail.

spf-neutral-status {enable | disable}

Enable to make the FortiMail unit check if an SPF record is found but makes no definitive assertion.

If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-neutral.

spf-none-status {enable | disable}

Enable to make the FortiMail unit check if there is no SPF record.

If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-none.

spf-pass-status {enable | disable}

Enable to make the FortiMail unit check if the host is authorized to send messages.

If the client IP address fails the SPF check, FortiMail takes the antispam action configured in action-spf-pass.

spf-sender-alignment-status {enable | disable}

Note: For this subcommand to take effect, impersonation-status must be set to enable.

Enable to make the FortiMail unit check if the header from the authorization domain is mismatched.

If the client IP address fails the SPF check, FortiMail takes the desired action entered in action-spf-sender-alignment.

spf-perm-error-status {enable | disable}

Enable to make the FortiMail unit check if the SPF records are invalid.

If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-perm-error.

spf-soft-fail-status {enable | disable}

Enable to make the FortiMail unit check if the host is not authorized to send messages, where this is not a strong statement.

If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-soft-fail.

spf-temp-error-status {enable | disable}

Enable to make the FortiMail unit check if there is a processing error.

If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-temp-error.

scan-bypass-on-auth {enable | disable}

Enable to omit antispam scans when an SMTP sender is authenticated.

disable

scan-max-size <bytes_int>

Enter the maximum size, in bytes, that the FortiMail unit will scan for spam. Messages exceeding the limit will not be scanned for spam.

To scan all email regardless of size, enter 0.

1204 bytes for predefined profiles

600 bytes for user-defined profiles

scan-pdf {enable | disable}

Enable to scan the first page of PDF attachments using heuristic, banned word, and image spam scans, if they are enabled.

disable

spam-outbreak-protection {enable | disable | monitor-only}

Enable to temporarily hold suspicious email for a certain period of time (configurable with outbreak-protection-period under config system fortiguard antispam) if the enabled FortiGuard antispam check (block IP and/or URI filter) returns no result. After the specified time interval, FortiMail will query the FortiGuard server a second time. This gives the FortiGuard antispam service an opportunity to update its database in case a spam outbreak occurs.

When set to monitor-only, email is not deferred. Instead, "X-FEAS-Spam-outbreak: monitor-only" is inserted as its header, and the email is logged.

disable

spf-checking {enable | disable}

Enable to have the FortiMail unit perform the action configured in this antispam profile, instead of the action configured in the session profile. See spf-validation {enable | disable}.

Starting from the 6.0.3 release, you can also specify different actions for different SPF check results:

  • spf-fail-status: the host is not authorized to send messages.
  • spf-soft-fail-status: the host is not authorized to send messages but not a strong statement.
  • spf-sender-alignment-status: Header From and authorization domain mismatch.
  • spf-perm-error-status: the SPF records are invalid.
  • spf-temp-error-status: Temporary processing error.
  • spf-pass-status: the host is authorized to send messages.
  • spf-neutral-status: SPF record is found but no definitive assertion.
  • spf-none-status: No SPF record.

disable

surbl {enable | disable}

Enable to perform a SURBL scan. The FortiMail unit will query SURBL servers defined using “set out_profile profile modify surblserver” on page 421.

disable

suspicious-newsletter-status {enable | disable}

Enable the detection of newsletters.

disable

uri-filter <filter>

Specify the URI filter to use.

uri-filter-secondary <filter>

To take different actions towards different URI filters/categories, you can specify a primary and a secondary filter, and specify different actions for each filter. If both URI filters match an email message, the primary filter action will take precedence.

uri-filter-secondary-status {enable | disable}

Enable or disable the secondary URI filter scan.

disable

uri-filter-status {enable | disable}

Enable or disable URI filter scan.

disable

virus {enable | disable}

Enable to treat email with viruses as spam. When enabled, the FortiMail unit performs either the general or individualized action in the antispam profile instead of the action configured in the antivirus profile. For details, see “set out_profile profile modify individualaction” on page 415 and “set out_profile profile modify actions” on page 400.

disable

safelist-enable {enable | disable}

Enable to automatically update personal safelist database from sent email.

disable

safelist-word {enable | disable}

Enable to perform a safelist word scan. The scan will examine the email for words configured in “set out_profile profile modify safelistwordlist” on page 426.

disable
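
Several options in the table above only take effect when another option is enabled, and the two heuristic thresholds must leave a band between them. The following audit script is an added example, not Fortinet code: it parses the text of a `config profile antispam` block and reports settings that contradict those stated dependencies. The profile names, the action profile name and the sample configuration are constructed for illustration, and the `scan-bypass-on-auth` finding is a review note rather than a rule from this reference.

```python
# Added example: audit a FortiMail antispam profile against the dependencies
# stated in this reference. Sample data below is constructed, not real output.

TOP = ["profile antispam"]

# Option -> option that must be "enable" for it to take effect (per the notes above).
REQUIRES = {
    "cousin-domain": "impersonation-status",
    "impersonation-analysis": "impersonation-status",
    "spf-sender-alignment-status": "impersonation-status",
}

# Defaults from the Default column of the table.
DEFAULTS = {"heuristic-lower": "-20.000000", "heuristic-upper": "10.000000"}


def parse_profiles(text):
    """Return {profile_name: {option: value}} for profile-level `set` lines.

    Nested blocks such as `config bannedwords` are skipped so their
    `set subject` / `set body` lines are not mistaken for profile options.
    Any other keyword (for example `next`, if present) is ignored.
    """
    profiles, stack, current = {}, [], None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        kw = tokens[0]
        if kw == "config":
            stack.append(" ".join(tokens[1:]))
        elif kw == "end":
            if stack:
                stack.pop()
            if not stack:
                current = None
        elif kw == "edit" and stack == TOP and len(tokens) >= 2:
            current = profiles.setdefault(tokens[1].strip('"'), {})
        elif kw == "set" and stack == TOP and current is not None and len(tokens) >= 3:
            current[tokens[1]] = " ".join(tokens[2:]).strip('"')
    return profiles


def audit(opts):
    """Return a list of (option, message) findings for one profile."""
    findings = []

    def on(key):
        return opts.get(key) == "enable"

    for opt, parent in REQUIRES.items():
        if on(opt) and not on(parent):
            findings.append((opt, f"enabled, but {parent} is not, so it has no effect"))

    if "action-dkim" in opts and not on("dkim-status"):
        findings.append(("action-dkim", "set, but dkim-status is not enabled"))

    if on("heuristic"):
        try:
            lower = float(opts.get("heuristic-lower", DEFAULTS["heuristic-lower"]))
            upper = float(opts.get("heuristic-upper", DEFAULTS["heuristic-upper"]))
        except ValueError:
            findings.append(("heuristic-lower", "threshold is not a number"))
        else:
            # At or below lower means not spam, at or above upper means spam:
            # if lower >= upper the two verdicts overlap.
            if lower >= upper:
                findings.append(("heuristic-lower",
                                 f"{lower} is not below heuristic-upper {upper}"))

    if on("scan-bypass-on-auth"):
        # Review note (added): authenticated senders skip every antispam scan.
        findings.append(("scan-bypass-on-auth",
                         "antispam scans are omitted for authenticated senders"))
    return findings


# Constructed sample configuration.
SAMPLE = '''
config profile antispam
  edit "inbound-strict"
    config bannedwords
      edit "invoice*"
        set subject enable
    end
    set impersonation-status disable
    set cousin-domain enable
    set action-dkim "quarantine-ap"
    set heuristic enable
    set heuristic-lower 12.000000
    set heuristic-upper 10.000000
    set scan-bypass-on-auth enable
  edit "inbound-ok"
    set impersonation-status enable
    set cousin-domain enable
    set dkim-status enable
    set action-dkim "quarantine-ap"
    set heuristic enable
end
'''

if __name__ == "__main__":
    for name, opts in parse_profiles(SAMPLE).items():
        for option, message in audit(opts):
            print(f"{name}: {option}: {message}")
```
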

Related topics

profile antispam-action

profile antivirus

profile antispam

profile antispam

Use this command to configure system-wide antispam profiles.

FortiMail units can use various methods to detect spam, such as the FortiGuard Antispam service, DNSBL queries, Bayesian scanning, and heuristic scanning. Antispam profiles contain settings for these features that you may want to vary by policy. Depending on the feature, before you configure antispam policies, you may need to enable the feature or configure its system-wide settings.

Syntax

config profile antispam

edit <profile_name>

config bannedwords

edit <word_str>

set subject {enable | disable}

set body {enable | disable}

config dnsbl-server

edit <server_name>

config surbl-server

edit <server_name>

config safelistwords

edit <word_str>

set subject {enable | disable}

set body {enable | disable}

set action-banned-word <action_profile>

set action-bayesian <action-profile_name>

set action-behavior-analysis <action-profile_name>

set action-deep-header <action-profile_name>

set action-default <action-profile_name>

set action-dictionary <action-profile_name>

set action-dkim <action-profile_name>

set action-dmarc <action-profile_name>

set action-fortiguard <action-profile_name>

set action-fortiguard-blockip <action-profile-name>

set action-fortiguard-phishing-uri <action-profile-name>

set action-grey-list <action-profile_name>

set action-heuristic <action-profile_name>

set action-image-spam <action-profile_name>

set action-impersonation-analysis <action>

set action-newsletter <action-profile_name>

set action-rbl <action-profile_name>

set action-spf-fail <action>

set action-spf-neutral <action>

set action-spf-none <action>

set action-spf-pass <action>

set action-spf-perm-error <action>

set action-spf-sender-alignment <action>

set action-spf-soft-fail <action>

set action-spf-temp-error <action>

set action-surbl <action-profile_name>

set action-suspicious-newsletter <action-profile_name>

set action-uri-filter <action-profile_name>

set action-uri-filter-secondary <action-profile_name>

set action-virus <action-profile_name>

set aggressive {enable | disable}

set apply-action-default {enable | disable}

set banned-word {enable | disable}

set bayesian {enable | disable}

set behavior-analysis {enable | disable}

set bayesian-autotraining {enable | disable}

set bayesian-user-db {enable | disable}

set bayesian-usertraining {enable | disable}

set behavior-analysis {enable | disable}

set cousin-domain {enable | disable}

set cousin-domain-profile <domain_name>

set cousin-domain-scan-option {auto-detection body-detection header-detection}

set deepheader-analysis {enable | disable}

set deepheader-check-ip {enable | disable}

set dict-score <score_int>

set dictionary {enable | disable}

set dictionary-profile

set dictionary-type

set dkim-status {enable | disable}

set dmarc-status {enable | disable}

set dnsbl {enable | disable}

set fortiguard-antispam {enable | disable}

set fortiguard-check-ip {enable | disable}

set fortiguard-phishing-uri {enable | disable}

set greylist {enable | disable}

set heuristic {enable | disable}

set heuristic-lower <threshold_int>

set heuristic-rules-percent <percentage_int>

set heuristic-upper {threshold_int}

set image-spam {enable | disable}

set impersonation <profile_name>

set impersonation-analysis {enable | disable}

set impersonation-status {enable | disable}

set ip-reputation-level1-status {enable | disable}

set ip-reputation-level2-status {enable | disable}

set ip-reputation-level3-status {enable | disable}

set newsletter-status {enable | disable}

set scan-bypass-on-auth {enable | disable}

set scan-max-size <bytes_int>

set scan-pdf {enable | disable}

set spam-outbreak-protection {enable | disable | monitor-only}

set spf-checking {enable | disable}

set spf-fail-status {enable | disable}

set spf-neutral-status {enable | disable}

set spf-none-status {enable | disable}

set spf-pass-status {enable | disable}

set spf-sender-alignment-status {enable | disable}

set spf-perm-error-status {enable | disable}

set spf-soft-fail-status {enable | disable}

set spf-temp-error-status {enable | disable}

set surbl {enable | disable}

set suspicious-newsletter-status {enable | disable}

set uri-filter <filter>

set uri-filter-secondary <filter>

set uri-filter-secondary-status {enable | disable}

set uri-filter-status {enable | disable}

set virus {enable | disable}

set safelist-enable {enable | disable}

set safelist-word {enable | disable}

end

Variable

Description

Default

<profile_name>

Enter the name of an antispam profile.

<word_str>

Enter the banned word. You can use wildcards in banned words. But regular expressions are not supported. For more information about wildcards and regular expressions, see the FortiMail Administration Guide.

subject {enable | disable}

Enable to check the subject line for the banned word.

disable

body {enable | disable}

Enable to check the message body for the banned word.

disable

<server_name>

Enter a DNSBL server name to perform a DNSBL scan. The FortiMail unit will query DNS blocklist servers.

<server_name>

Enter a SURBL server name to perform a SURBL scan. The FortiMail unit will query SURBL servers.

<word_str>

Enter the safelisted word to configure.

subject {enable | disable}

Enable to check the subject line for the safelisted word.

disable

body {enable | disable}

Enable to check the message body for the safelisted word.

disable

action-banned-word <action_profile>

Enter the action profile that you want the FortiMail unit to use if the banned word scan determines that the email is spam.

action-bayesian <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the Bayesian scan determines that the email is spam.

action-behavior-analysis <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the behavior analysis scan determines that the email is spam.

action-deep-header <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the deep header scan determines that the email is spam.

action-default <action-profile_name>

Enter the default action profile that you want all scanners of the FortiMail unit to use. However, if you choose an action profile other than “default" for a scanner, this scanner will use the chosen profile.

action-dictionary <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the heuristic scan determines that the email is spam.

action-dkim <action-profile_name>

Enter the action profile for DKIM checking. This option is only available when dkim-status is set to enable.

action-dmarc <action-profile_name>

Enter the action profile for DMARC check failure. If either SPF check or DKIM check passes, DMARC check will pass. If both fail, DMARC check fails.

action-fortiguard <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the FortiGuard Antispam scan determines that the email is spam.

action-fortiguard-blockip <action-profile-name>

Enter the action profile that you want the FortiMail unit to use if the FortiGuard block IP scan determines that the email is spam.

action-fortiguard-phishing-uri <action-profile-name>

Enter the action profile that you want the FortiMail unit to use if the FortiGuard phishing URI scan determines that the email is spam.

action-grey-list <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the grey list scan determines that the email is spam.

action-heuristic <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the heuristic scan determines that the email is spam.

action-impersonation-analysis <action>

Enter the action profile that you want the FortiMail unit to use if the impersonation alaysis determines the email is from someone impersonating a known email address.

action-image-spam <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the image scan determines that the email is spam.

action-newsletter <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the newsletter scan determines that the email is spam.

action-rbl <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the RBL scan determines that the email is spam.

action-spf-fail <action>

Enter the action FortiMail performs if the SPF fails, which means the host is not authorized to send messages.

action-spf-neutral <action>

Enter the action FortiMail performs if SPF neutral fails, which means the SPF record is found but there is no definitive assertion.

action-spf-none <action>

Enter the action FortiMail performs if SPF none fails, which means there is no SPF record.

action-spf-pass <action>

Enter the action FortiMail performs if SPF pass fails, which means it discovers the host is not authorized to send a message.

action-spf-perm-error <action>

Enter the action FortiMail performs if SPF perm error fails, which means the SPF records are invalid.

action-spf-sender-alignment <action>

Enter the action FortiMail performs if SPF sender alignment fails, which means the Header From and the authorization domain do not match.

action-spf-soft-fail <action>

Enter the action FortiMail takes if SPF soft fail fails, which means the host is not authorized to send messages, but this is not a strong statement.

action-spf-temp-error <action>

Enter the action FortiMail performs if SPF temp error fails, which means there is a processing error.

action-surbl <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the SURBL scan determines that the email is spam.

action-suspicious-newsletter <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the suspicious newsletter scan determines that the email is spam.

action-uri-filter <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the URI filter scan determines that the email is spam.

action-uri-filter-secondary <action-profile_name>

Enter the action profile that you want the FortiMail unit to use if the URI filter scan determines that the email is spam.

action-virus <action-profile_name>

Enter the action profile that requires the FortiMail unit to treat messages with viruses as spam.

aggressive {enable | disable}

Enable this option to examine file attachments in addition to embedded images.

To improve performance, enable this option only if you do not have a satisfactory spam detection rate.

disable

apply-action-default {enable | disable}

Enable this option to apply the default action to all messages.

disable

banned-word {enable | disable}

Enable this option to scan banned words for this antispam profile.

disable

bayesian {enable | disable}

Enable this option to activate Bayesian scan for this antispam profile.

disable

behavior-analysis {enable | disable}

Enable this option to activate behavior analysis scan for this antispam profile.

disable

bayesian-autotraining {enable | disable}

Enable to use FortiGuard Antispam and SURBL scan results to train per-user Bayesian databases that are not yet mature (that is, they have not yet been trained with 200 legitimate email and 100 spam in order to recognize spam).

enable

bayesian-user-db {enable | disable}

Enable to use per-user Bayesian databases.

If disabled, the Bayesian scan will use either the global or the per-domain Bayesian database, whichever is selected for the protected domain.

disable

bayesian-usertraining {enable | disable}

Enable to accept email forwarded from email users to the Bayesian control email addresses in order to train the Bayesian databases to recognize spam and legitimate email.

enable

behavior-analysis {enable | disable}

Enable to analyze the similarities between uncertain email and known email in the behavior analysis (BA) database to determine whether the uncertain email is spam.

See also antispam behavior-analysis to adjust the BA aggressiveness level.

disable

cousin-domain {enable | disable}

Note: For this subcommand to take effect, impersonation-status must be set to enable.

Enable the cousin domain feature to mitigate business email compromise (BEC) email-impersonation risks due to domain names being deliberately misspelled.

disable

cousin-domain-profile <domain_name>

Enter the cousin domain profile used by this profile to prevent domain name impersonation.

cousin-domain-scan-option {auto-detection body-detection header-detection}

Enter cousin domain scan options for detecting misspelled domain names either automatically, within the email body, and/or the email header.

Separate each option with a space for multiple scan options.

header-detection body-detection auto-detection

deepheader-analysis {enable | disable}

Enable to inspect all message headers for known spam characteristics.

If the FortiGuard Antispam scan is enabled, this option uses results from that scan, providing up-to-date header analysis. For more information, see "set as profile modify fortishield" on page 184.

disable

deepheader-check-ip {enable | disable}

Enable to query for the blocklist status of the IP addresses of all SMTP servers appearing in the Received: lines of the message header.

If this option is disabled, the FortiMail unit checks only the IP address of the current SMTP client.

This option applies only if you have also configured either or both FortiGuard Antispam scan and DNSBL scan. For more information, see "set as profile modify fortishield" on page 184 and "set as profile modify dnsbl" on page 181.

disable

dict-score <score_int>

Enter the number of dictionary term matches above which the email will be considered to be spam.

dictionary {enable | disable}

Enable to perform a dictionary scan for this profile.

disable

dictionary-profile

Enter the dictionary profile name.

dictionary-type

Enter the type of dictionary profile.

dkim-status {enable | disable}

Enable to have the unit perform email authentication with DKIM checking. Once enabled, assign an appropriate action profile using action-dkim.

dmarc-status {enable | disable}

Enable to have the unit perform email authentication with SPF and DKIM checking. If either SPF check or DKIM check passes, DMARC check will pass. If both fail, DMARC fails.

disable

dnsbl {enable | disable}

Enable to perform a DNSBL scan for this profile. The FortiMail unit will query DNS blocklist servers defined using "set out_profile profile modify deepheader" on page 405.

disable

fortiguard-antispam {enable | disable}

Enable to let the FortiMail unit query the FortiGuard Antispam service to determine if any of the uniform resource identifiers (URI) in the message body are associated with spam. If any URI is blocklisted, the FortiMail unit considers the email to be spam, and you can select the action that the FortiMail unit will perform.

disable

fortiguard-check-ip {enable | disable}

Enable to include whether or not the IP address of the SMTP client is blocklisted in the FortiGuard Antispam query.

disable

fortiguard-phishing-uri {enable | disable}

Enable to include whether or not the phishing URI is blocklisted in the FortiGuard Antispam query.

disable

greylist {enable | disable}

Enable to perform a greylist scan.

disable

heuristic {enable | disable}

Enable to perform a heuristic scan.

disable

heuristic-lower <threshold_int>

Enter the score equal to or below which the FortiMail unit considers an email to not be spam.

-20.000000

heuristic-rules-percent <percentage_int>

Enter the percentage of the total number of heuristic rules that will be used to calculate the heuristic score for an email message.

The FortiMail unit compares this total score to the upper and lower level threshold to determine if an email is:

  • spam
  • not spam
  • indeterminable (score is between the upper and lower level thresholds)

To improve system performance and resource efficiency, enter the lowest percentage of heuristic rules that results in a satisfactory spam detection rate.

100

heuristic-upper {threshold_int}

Enter the score equal to or above which the FortiMail unit considers an email to be spam.

10.000000

image-spam {enable | disable}

Enable to perform an image spam scan.

disable

impersonation <profile_name>

Enter the impersonation profile used by this profile to prevent email spoofing attacks.

impersonation-analysis {enable | disable}

Note: For this subcommand to take effect, impersonation-status must be set to enable.

Enable sender impersonation analysis to automatically learn and track the mapping of display names and internal email addresses to prevent spoofing attacks.

disable

impersonation-status {enable | disable}

Enable the sender impersonation feature.

Once enabled, cousin-domain, impersonation-analysis, and spf-sender-alignment-status can take effect.

disable

ip-reputation-level1-status {enable | disable}

Enable IP reputation to enable the FortiMail unit to query the FortiGuard Antispam service to determine if the public IP address of the SMTP client is blocklisted.

FortiGuard categorizes the blocklisted IP addresses into three levels: level 1 has the worst reputation and level 3 the best.

disable

ip-reputation-level2-status {enable | disable}

Enable IP reputation to enable the FortiMail unit to query the FortiGuard Antispam service to determine if the public IP address of the SMTP client is blocklisted.

FortiGuard categorizes the blocklisted IP addresses into three levels: level 1 has the worst reputation and level 3 the best.

disable

ip-reputation-level3-status {enable | disable}

Enable IP reputation to enable the FortiMail unit to query the FortiGuard Antispam service to determine if the public IP address of the SMTP client is blocklisted.

FortiGuard categorizes the blocklisted IP addresses into three levels: level 1 has the worst reputation and level 3 the best.

disable

newsletter-status {enable | disable}

Enable detection of newsletters to make sure newsletters and other marketing campaigns are not spam.

spf-fail-status {enable | disable}

Enable to make the FortiMail unit check if the host is not authorized to send messages.

If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-fail.

spf-neutral-status {enable | disable}

Enable to make the FortiMail unit check if the SPF record is found but there is no definitive assertion.

If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-neutral.

spf-none-status {enable | disable}

Enable to make the FortiMail unit check if there is no SPF record.

If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-none.

spf-pass-status {enable | disable}

Enable to make the FortiMail unit check if the host is authorized to send messages.

If the client IP address fails the SPF check, FortiMail takes the antispam action configured in action-spf-pass.

spf-sender-alignment-status {enable | disable}

Note: For this subcommand to take effect, impersonation-status must be set to enable.

Enable to make the FortiMail unit check if the header from the authorization domain is mismatched.

If the client IP address fails the SPF check, FortiMail takes the desired action entered in action-spf-sender-alignment.

spf-perm-error-status {enable | disable}

Enable to make the FortiMail unit check if the SPF records are invalid.

If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-perm-error.

spf-soft-fail-status {enable | disable}

Enable to make the FortiMail unit check if the host is not authorized to send messages, but this is not a strong statement.

If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-soft-fail.

spf-temp-error-status {enable | disable}

Enable to make the FortiMail unit check if there is a processing error.

If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-temp-error.

scan-bypass-on-auth {enable | disable}

Enable to omit antispam scans when an SMTP sender is authenticated.

disable

scan-max-size <bytes_int>

Enter the maximum size, in bytes, that the FortiMail unit will scan for spam. Messages exceeding the limit will not be scanned for spam.

To scan all email regardless of size, enter 0.

1204 bytes for predefined profiles

600 bytes for user-defined profiles

scan-pdf {enable | disable}

Enable to scan the first page of PDF attachments using heuristic, banned word, and image spam scans, if they are enabled.

disable

spam-outbreak-protection {enable | disable | monitor-only}

Enable to temporarily hold suspicious email for a certain period of time (configurable with outbreak-protection-period under config system fortiguard antispam) if the enabled FortiGuard antispam check (block IP and/or URI filter) returns no result. After the specified time interval, FortiMail will query the FortiGuard server a second time. This provides an opportunity for the FortiGuard antispam service to update its database in case a spam outbreak occurs.

When set to monitor-only, email is not deferred. Instead, "X-FEAS-Spam-outbreak: monitor-only" is inserted as its header, and the email is logged.

disable

spf-checking {enable | disable}

Enable to have the FortiMail unit perform the action configured in this antispam profile, instead of the action configured in the session profile. See spf-validation {enable | disable}.

Starting from the 6.0.3 release, you can also specify different actions for different SPF check results:

  • spf-fail-status: the host is not authorized to send messages.
  • spf-soft-fail-status: the host is not authorized to send messages, but this is not a strong statement.
  • spf-sender-alignment-status: Header From and authorization domain mismatch.
  • spf-perm-error-status: the SPF records are invalid.
  • spf-temp-error-status: Temporary processing error.
  • spf-pass-status: the host is authorized to send messages.
  • spf-neutral-status: SPF record is found but no definitive assertion.
  • spf-none-status: No SPF record.

disable

surbl {enable | disable}

Enable to perform a SURBL scan. The FortiMail unit will query SURBL servers defined using "set out_profile profile modify surblserver" on page 421.

disable

suspicious-newsletter-status {enable | disable}

Enable the detection of newsletters.

disable

uri-filter <filter>

Specify the URI filter to use.

uri-filter-secondary <filter>

To take different actions towards different URI filters/categories, you can specify a primary and a secondary filter, and specify different actions for each filter. If both URI filters match an email message, the primary filter action will take precedence.

uri-filter-secondary-status {enable | disable}

Enable or disable the secondary URI filter scan.

disable

uri-filter-status {enable | disable}

Enable or disable URI filter scan.

disable

virus {enable | disable}

Enable to treat email with viruses as spam. When enabled, instead of performing the action configured in the antivirus profile, the FortiMail unit will instead perform either the general or individualized action in the antispam profile. For details, see "set out_profile profile modify individualaction" on page 415 and "set out_profile profile modify actions" on page 400.

disable

safelist-enable {enable | disable}

Enable to automatically update personal safelist database from sent email.

disable

safelist-word {enable | disable}

Enable to perform a safelist word scan. The scan will examine the email for words configured in "set out_profile profile modify safelistwordlist" on page 426.

disable
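Several options above only take effect when another option is enabled (cousin-domain, impersonation-analysis and spf-sender-alignment-status need impersonation-status; action-dkim needs dkim-status), and scan-max-size leaves larger messages unscanned. The following audit of a saved antispam profile for those conditions is an added example, not Fortinet code; the sample configuration, its profile names and the `next`/`end` block layout are assumptions.

```python
import shlex

# Options the reference says take effect only when impersonation-status is enabled.
GATED = ("cousin-domain", "impersonation-analysis", "spf-sender-alignment-status")
# Constructed sample; profile and action-profile names are hypothetical.
SAMPLE = """
config profile antispam
    edit "inbound_example"
        config bannedwords
            edit "lottery"
                set subject enable
            next
        end
        set cousin-domain enable
        set spf-sender-alignment-status enable
        set action-dkim "tag_example"
        set scan-max-size 600
    next
    edit "outbound_example"
        set impersonation-status enable
        set impersonation-analysis enable
    next
end
"""

def parse_profiles(text):
    """Return {profile: {option: value}}, ignoring nested config sub-tables."""
    profiles, stack, current = {}, [], None
    for raw in text.splitlines():
        tok = shlex.split(raw) or [""]
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end" and stack:
            stack.pop()
        elif stack == ["profile antispam"]:
            if tok[0] == "edit" and len(tok) > 1:
                current = profiles.setdefault(tok[1], {})
            elif tok[0] == "set" and len(tok) > 2 and current is not None:
                current[tok[1]] = " ".join(tok[2:])
    return profiles

def audit(profile):
    """List options that are inert or that leave some mail unscanned."""
    on = lambda opt: profile.get(opt, "disable") == "enable"  # absent = disabled (assumption)
    out = [f"{o} enabled but impersonation-status is not"
           for o in GATED if on(o) and not on("impersonation-status")]
    if "action-dkim" in profile and not on("dkim-status"):
        out.append("action-dkim set but dkim-status is not enabled")
    if profile.get("scan-max-size", "0") != "0":  # only when explicitly set and nonzero
        out.append(f"scan-max-size: mail over {profile['scan-max-size']} bytes is not scanned")
    return out

if __name__ == "__main__":
    print({n: audit(o) for n, o in parse_profiles(SAMPLE).items()})
```
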

Related topics

profile antispam-action

profile antivirus