Configuring antispam profiles and antispam action profiles
The AntiSpam submenu lets you configure antispam profiles and related action profiles.
This section contains the following topics:
- Managing antispam profiles
- Configuring email impersonation profiles
- Configuring cousin domain profiles
- Configuring Business Email Compromise profiles
- Configuring antispam action profiles
Managing antispam profiles
The AntiSpam tab lets you manage and configure antispam profiles. Antispam profiles are sets of antispam scans that you can apply by selecting one in a policy.
FortiMail units can use various methods to detect spam, such as the FortiGuard Antispam service, DNSBL queries, Bayesian scanning, and heuristic scanning. Antispam profiles contain settings for these features that you may want to vary by policy. Depending on the feature, before you configure antispam policies, you may need to enable the feature or configure its system-wide settings.
For information on the order in which FortiMail units perform each type of antispam scan, see Order of execution.
You can use an LDAP query to enable or disable antispam scanning on a per-user basis. For details, see Configuring LDAP profiles and Configuring scan override options.
To view and manage incoming antispam profiles
- Go to Profile > AntiSpam > AntiSpam.

| GUI item | Description |
|---|---|
| Clone (button) | Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK. |
| Batch Edit (button) | Edit several profiles simultaneously. See Performing a batch edit. |
| Domain (drop-down list) | Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile. |
| Profile Name | Displays the name of the profile. The profile name is editable. |
| Domain Name (column) | Displays either System or a domain name. |
| (Green dot in column heading) | Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted. |

- Either click New to add a profile or double-click a profile to modify it. A multisection dialog appears.
- Configure the following:

| GUI item | Description |
|---|---|
| Domain | Select the entire FortiMail unit (System) or the name of a protected domain. You can see only the domains that are permitted by your administrator profile. For more information, see About administrator account permissions and domains. |
| Profile name | For a new profile, enter the name of the profile. |
| Default action | Select the default action to take when the policy matches. See Configuring antispam action profiles. Every scan below whose own Action is left at default falls through to this action. |
| FortiGuard | Query the FortiGuard Antispam service for IP reputation, URL category and spam outbreak protection. See Configuring FortiGuard options. |
| Greylist | Enable to apply greylisting. For more information, see Configuring greylisting. Note: Enabling greylisting can improve performance by blocking most spam before it undergoes other resource-intensive antispam scans. |
| SPF | If the DNS record for the sender's domain lists the IP addresses that are authorized to send email for that domain name, you can enable SPF verification to compare the SMTP client's IP address to that record (RFC 4408, since superseded by RFC 7208). If no SPF information exists in DNS, IP address validation is omitted. Unlike SPF verification by a session profile, SPF verification by an antispam profile does not increase the SMTP client's reputation score when the check fails. SPF verification does not examine private network addresses as defined in RFC 1918, because different private networks may reuse the same address ranges, so such an address does not identify a specific SMTP client. You can specify a different Action for each SPF check result: Fail (SPF indicates that the SMTP client is not authorized to send email for that domain name); Soft Fail (SPF indicates that the SMTP client is not authorized, but without a strong statement); Permanent Error (the DNS server returned an invalid SPF record when FortiMail made the DNS query); Temporary Error (the DNS server returned a temporary error when FortiMail made the DNS query); Pass (SPF verification succeeds and the SMTP client is an authorized sender); Neutral (a valid SPF record exists but makes no definitive assertion); None (no SPF record exists on the DNS server). Note: If you select Bypass in the session profile (see Configuring sender validation options) or a safe list matches (see Configuring the block lists and safe lists), FortiMail skips SPF even if it is enabled in the antispam profile. |
| DKIM | DomainKeys Identified Mail (DKIM) uses a private key to sign outbound email and a public key published in DNS to verify the signature, proving that the signed parts of the email were not altered in transit. You can set a different Action for each DKIM check result: Fail (verification detects an invalid signature or body hash); None (no DKIM information exists in the DNS record, or the record could not be parsed); Pass (verification succeeds); Temporary Error (the DNS server returned a temporary error when FortiMail made the DNS query). Note: If a safe list matches (see Configuring the block lists and safe lists), FortiMail skips DKIM even if it is enabled in the antispam profile. |
| DMARC | Domain-based Message Authentication, Reporting & Conformance (DMARC) builds on SPF and DKIM. DMARC verification passes if SPF or DKIM passes for a domain that is aligned with the sender domain in the message header (the From: header); if neither check passes with an aligned domain, DMARC verification fails. FortiMail verifies this alignment as part of the check. You can set a different Action for each DMARC check result: Fail (DMARC verification fails); None (no DMARC information exists in the DNS record, or the record could not be parsed); Pass (DMARC verification succeeds); Temporary Error (the DNS server returned a temporary error when FortiMail made the DNS query). Starting from the 7.0.1 release, you can generate DMARC reports with the CLI commands `config antispam dmarc-report` (system level) and `config domain-setting` (domain level). For more details, see the FortiMail CLI Reference. |
| ARC | Authenticated Received Chain (ARC) permits intermediate email servers (such as mailing lists or forwarding services) to sign an email's original authentication results. This allows a receiving service to validate an email even if its SPF and DKIM results are rendered invalid by an intermediate server's processing. Successful ARC validation requires that the receiver trusts the ARC signer. For more information, see RFC 8617. If you enable ARC override for SPF, DKIM, and/or DMARC, the ARC result has priority over that check's own result. |
| Behavior analysis | Behavior analysis (BA) compares an uncertain email with the known spam in the BA database to decide whether it is spam. The BA database is built from spam caught by the FortiGuard Antispam Service, so the accuracy of that service directly affects BA accuracy. You can adjust BA aggressiveness with the CLI commands `config antispam behavior-analysis`, `set analysis-level {high \| medium \| low}`, `end`: high is the most aggressive, low the least, and medium is the default. You can reset (empty) the BA database with the CLI command `diagnose debug application mailfilterd behavior-analysis update`. |
| Header analysis | Enable this option to examine the entire message header for spam characteristics. |
| Impersonation | Enable sender alignment, impersonation analysis and cousin domain checks, each with its own action. See Configuring impersonation options. |
| Business email compromise | Specify a profile and an action. See Configuring Business Email Compromise profiles. |
| Heuristic | Score the message against the heuristic rule set and compare the total with a threshold. See Configuring heuristic options. |
| SURBL | Query SURBL servers for the URLs found in the message body. See Configuring SURBL options. |
| DNSBL | Query DNS blocklist servers for the SMTP client IP address. See Configuring DNSBL options. |
| Banned word | Treat email whose subject or body contains a prohibited word as spam. See Configuring banned word options. |
| Safelist word | Treat email whose subject or body contains a safelisted word as not spam. See Configuring safelist word options. |
| Dictionary | Match the message against dictionary profiles. See Configuring dictionary options. |
| Image spam | Analyze GIF, JPG and PNG graphics for spam. See Configuring image spam options. |
| Bayesian | Use trained Bayesian databases. See Configuring Bayesian options. |
| Suspicious newsletter | Suspicious newsletters belong to the newsletter category, but FortiMail finds them suspicious because they may be spam disguised as newsletters. If you enable detection of both newsletters and suspicious newsletters and specify actions for both, a newsletter that is found to be suspicious gets the suspicious newsletter action, not the newsletter action. |
| Newsletter | Although newsletters and other marketing campaigns are not spam, some users find them annoying. Enable detection of newsletters and select an action profile to deal with them. For example, you can tag newsletter email so that users can filter it in their email clients. |
| Scan Options | Set the maximum message size to scan and the scans applied to PDF attachments. See Configuring scan options. |
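The following Python example is added here to illustrate the SPF, DKIM, DMARC and ARC rows above; it is not FortiMail code and does not talk to the unit. It assumes the raw check results have already been computed (for example by a verifier library) and models only how alignment, ARC override and the per-result actions combine. The organizational-domain helper, the profile, the result names and the forwarded-message sample are constructed for illustration.

```python
"""Added example, not FortiMail code: how the SPF, DKIM, DMARC and ARC checks of
an antispam profile turn into per-result actions. Domains, results and the
sample messages are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class AntispamProfile:
    default_action: str = "tag"                        # profile-level Default action
    spf_actions: dict = field(default_factory=dict)    # check result -> action
    dkim_actions: dict = field(default_factory=dict)   # missing key == "default"
    dmarc_actions: dict = field(default_factory=dict)
    arc_override: frozenset = frozenset()              # subset of {"spf", "dkim", "dmarc"}
    strict_alignment: bool = False


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    ASSUMPTION: real code derives this from the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    """DMARC identifier alignment: exact match (strict) or same org domain (relaxed)."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_result(from_domain, record_present, spf, dkim, strict=False):
    """spf and dkim are (result, authenticated_domain). DMARC passes only when SPF
    or DKIM passed for an identifier aligned with the header From domain; a pass
    on an unrelated domain does not count."""
    if not record_present:
        return "none"
    spf_res, spf_dom = spf
    dkim_res, dkim_dom = dkim
    if (spf_res == "pass" and aligned(spf_dom, from_domain, strict)) or (
        dkim_res == "pass" and aligned(dkim_dom, from_domain, strict)
    ):
        return "pass"
    if "temperror" in (spf_res, dkim_res):
        return "temperror"  # DNS trouble: a later retry could still pass
    return "fail"


def resolve_action(actions: dict, result: str, profile_default: str) -> str:
    """Per-result action; an unset or 'default' entry falls through to the profile default."""
    act = actions.get(result, "default")
    return profile_default if act == "default" else act


def with_arc(own_result, arc_result, override, signer_trusted):
    """ARC override: a validated chain from a trusted signer takes priority."""
    if override and signer_trusted and arc_result == "pass":
        return "pass"
    return own_result


def evaluate(profile: AntispamProfile, msg: dict) -> dict:
    """Returns {check: (result, action)} for spf, dkim and dmarc."""
    arc_ok = msg["arc_trusted"]
    spf_res = with_arc(msg["spf"][0], msg["arc"], "spf" in profile.arc_override, arc_ok)
    dkim_res = with_arc(msg["dkim"][0], msg["arc"], "dkim" in profile.arc_override, arc_ok)
    dm = dmarc_result(msg["from_domain"], msg["dmarc_record"],
                      (spf_res, msg["spf"][1]), (dkim_res, msg["dkim"][1]),
                      profile.strict_alignment)
    dm = with_arc(dm, msg["arc"], "dmarc" in profile.arc_override, arc_ok)
    d = profile.default_action
    return {
        "spf": (spf_res, resolve_action(profile.spf_actions, spf_res, d)),
        "dkim": (dkim_res, resolve_action(profile.dkim_actions, dkim_res, d)),
        "dmarc": (dm, resolve_action(profile.dmarc_actions, dm, d)),
    }


# Constructed profile: strict on SPF hard fail and DMARC fail, ARC may override DMARC.
PROFILE = AntispamProfile(
    default_action="tag",
    spf_actions={"fail": "reject", "softfail": "quarantine"},
    dmarc_actions={"fail": "reject"},
    arc_override=frozenset({"dmarc"}),
)

# Constructed message relayed through a mailing list that appended a footer:
# SPF fails (the list's IP is not in example.com's record) and the DKIM body
# hash is broken, but the list sealed the original results with ARC.
FORWARDED = {
    "from_domain": "example.com", "dmarc_record": True,
    "spf": ("fail", "lists.forwarder.example"),
    "dkim": ("fail", "example.com"),
    "arc": "pass", "arc_trusted": True,
}

if __name__ == "__main__":
    for check, (result, action) in evaluate(PROFILE, FORWARDED).items():
        print(f"{check}: {result} -> {action}")
```

ARC override is enabled per check: with override only on DMARC, as in the sample profile, the SPF hard fail still resolves to reject, so an environment that receives a lot of forwarded mail would normally enable the override for SPF as well.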
Configuring FortiGuard options
The FortiGuard section of antispam profiles lets you configure the FortiMail unit to query the FortiGuard Antispam service to check the following:
- IP Reputation: if the SMTP client IP address is a public one, the FortiMail unit queries the FortiGuard Antispam service to determine whether the current SMTP client is blocklisted; if the SMTP client IP address is a private one, the FortiMail unit queries the FortiGuard Antispam service to determine whether the first public IP address in the header is blocklisted. If the Extract IP from Received Header option is enabled, the FortiGuard scan also examines the public IP addresses of all other SMTP servers that appear in the Received: lines of the message header.
- URL category: this option determines whether any uniform resource locators (URLs) in the message body are associated with spam. The FortiGuard URL filter groups URLs into categories, such as hacking, drug abuse and so on, and you can configure it to check for certain categories only. If a URL is blocklisted, the FortiMail unit treats the email as spam and performs the associated action. You can also exempt URLs from spam filtering. For details, see Configuring the FortiGuard URL filter.
- Spam outbreak protection: enable this option to temporarily hold suspicious email for a certain period of time if the enabled FortiGuard antispam checks (block IP and/or URL filter) return no result. The hold is enabled per profile with `config profile antispam` / `set spam-outbreak-protection`, and its duration is set with `config system fortiguard antispam` / `set outbreak-protection-period`. After the specified interval, FortiMail queries the FortiGuard server a second time. This gives the FortiGuard antispam service an opportunity to update its database when a spam outbreak occurs. To view the email on hold, go to Monitor > Mail Queue > Spam Outbreak.

FortiGuard Antispam scans do not examine private network addresses, as defined in RFC 1918.
To take different actions for different URL filters or categories, specify a primary and a secondary filter with a different action for each. If both URL filters match an email message, the primary filter action takes precedence.
To reduce false positives, unrated IP addresses are ignored and no action is taken on them.
When spam outbreak protection is set to Monitor only, email is not deferred. Instead, the header "X-FEAS-Spam-outbreak: monitor-only" is inserted and the email is logged.
Note: If an email message is temporarily held by FortiGuard spam outbreak protection and the action profile specifies "reject", the actual action falls back to "system quarantine" if spam is detected afterwards: by then the SMTP session has ended and the message has been accepted, so it can no longer be rejected.
Note: Email from some sources, such as safelisted IP addresses and ACL relay rules, is exempted from the FortiGuard spam outbreak protection scan.
When FortiGuard detects spam for both IP reputation and URL category in an email, the URL category action is taken and logged. For example, if the IP reputation action is "Tag" while the URL category action is "Reject", the email is rejected. Before v6.4.3, the IP Reputation action was taken and logged instead.
Before enabling FortiGuard, you must enable and configure FortiGuard Antispam rating queries.
FortiGuard URL filter and URL scanning have two levels of control: strict or aggressive. For details, see URL types. Aggressive setting also scans the domain part of envelope
If the FortiGuard option is enabled, you may improve performance and the spam catch rate by also enabling Block IP.
To configure FortiGuard scan options
- When configuring an antispam profile, select the FortiGuard check box in the AntiSpam Profile dialog. This is the main switch for all the sub-items; if it is disabled, all sub-items under the FortiGuard category are also disabled.
- From Action, select the action profile that you want the FortiMail unit to use if the FortiGuard Antispam scan finds spam email. This is the default action for all FortiGuard filters, including IP reputation, URL filter, and spam outbreak protection. If the FortiGuard action is set to "None", FortiGuard antispam checks are still performed and logged, but no action is taken; the IP Reputation and WebFilter checks are still performed and their own specified actions are applied. For more information about action profiles, see Configuring antispam action profiles.
- If you want the FortiMail unit to query the FortiGuard Antispam service to determine whether the public IP address of the SMTP client is blocklisted, enable IP Reputation. If the SMTP client IP address is a private one, the FortiMail unit queries the FortiGuard Antispam service to determine whether the first public IP address in the header is blocklisted. FortiGuard categorizes blocklisted IP addresses into three levels: level 3 has a bad reputation, level 2 a worse one, and level 1 the worst. To help prevent false positives, you can take different actions for different IP reputation levels. Usually you should take strict actions, such as reject or discard, for level 1 addresses and looser actions, such as quarantine or tag, for level 3 addresses. Leaving level 1, 2, or 3 at the default action means the IP Reputation action is used; leaving IP Reputation at the default action means the FortiGuard action is used; and leaving FortiGuard at the default action means the antispam profile action is used. If you want to check all SMTP servers in the Received: lines of the message header, enable the Extract IP from Received Header option.
- If you want to use the FortiGuard URL filter service, select a URL category profile from the Primary or Secondary URL Category list (for details, see Configuring the FortiGuard URL filter), then select an action profile. The default action means the FortiGuard action is used, not the antispam profile action. Note: If the secondary URL category is matched and spam outbreak protection is enabled, the email is deferred in the spam outbreak queue.
- If you want to use the spam outbreak protection feature, enable it, then select an action profile. The default action means the FortiGuard action is used, not the antispam profile action.
- Continue to the next section, or click Create to save the antispam profile.
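As an added illustration (not FortiMail code), the following Python picks the addresses that an IP Reputation scan would rate from the SMTP client address and the Received: chain, resolves the level / IP Reputation / FortiGuard / profile default-action chain, and applies the outbreak-queue fallback described above. The header sample, the action settings and the function names are constructed. The RFC 1918 exclusion is implemented explicitly rather than with `ipaddress.is_private`, because that property also treats the documentation ranges used in the sample as private.

```python
"""Added example, not FortiMail code: which IP addresses an IP reputation or
DNSBL scan would look up, given the SMTP client address and the Received:
chain, and how the default-action chain (level -> IP Reputation ->
FortiGuard -> antispam profile) resolves. Sample headers are constructed."""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
BR_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_private(ip: str) -> bool:
    """RFC 1918 (and loopback) addresses are never rated: they identify no specific client."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918) or addr in LOOPBACK


def received_ips(headers):
    """Bracketed IPv4 addresses from Received: lines, most recent hop first."""
    ips = []
    for name, value in headers:
        if name.lower() == "received":
            ips.extend(BR_IP.findall(value))
    return ips


def ips_to_check(client_ip, headers, extract_from_received=False):
    """Public client IP -> rate it. Private client IP (internal relay) -> rate the
    first public IP found in the header chain. With Extract IP from Received
    Header enabled, every public hop is rated as well."""
    public_hops = [ip for ip in received_ips(headers) if not is_private(ip)]
    if not is_private(client_ip):
        targets = [client_ip]
    elif public_hops:
        targets = [public_hops[0]]
    else:
        targets = []
    if extract_from_received:
        targets += [ip for ip in public_hops if ip not in targets]
    return targets


def resolve_ip_reputation_action(level, cfg):
    """cfg holds 'level1'..'level3', 'ip_reputation', 'fortiguard' and 'profile'.
    Any value may be 'default', meaning fall through to the next broader setting."""
    chain = (cfg.get(f"level{level}", "default"), cfg.get("ip_reputation", "default"),
             cfg.get("fortiguard", "default"), cfg["profile"])
    return next(act for act in chain if act != "default")


def outbreak_fallback(action, held_in_outbreak_queue):
    """A message held for spam outbreak protection was already accepted by the
    SMTP session, so 'reject' can only become 'system quarantine'."""
    if held_in_outbreak_queue and action == "reject":
        return "system quarantine"
    return action


# Constructed headers, as the edge MTA would see them when an internal relay delivers.
HEADERS = [
    ("Received", "from relay.corp.internal (relay.corp.internal [10.0.0.5]) by mx.example.com"),
    ("Received", "from mail.sender.example (mail.sender.example [203.0.113.7]) by relay.corp.internal"),
    ("Received", "from [192.168.1.20] by mail.sender.example"),
    ("Received", "from upstream.example ([198.51.100.9]) by mail.sender.example"),
    ("From", "someone@sender.example"),
]

# Constructed action settings: level 2 and IP Reputation left at default.
ACTIONS = {"level1": "reject", "level2": "default", "level3": "quarantine",
           "ip_reputation": "default", "fortiguard": "discard", "profile": "tag"}

if __name__ == "__main__":
    print(ips_to_check("10.0.0.5", HEADERS))                          # ['203.0.113.7']
    print(ips_to_check("10.0.0.5", HEADERS, extract_from_received=True))
    print(resolve_ip_reputation_action(2, ACTIONS))                   # discard
    print(outbreak_fallback("reject", held_in_outbreak_queue=True))   # system quarantine
```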
Configuring impersonation options
The FortiMail unit includes rules used by the impersonation filter to determine whether messages are spam, and takes action according to the configured actions. If an individual action is set to default, the antispam profile default action is used.
The antispam profile impersonation filter comprises sender alignment, impersonation analysis, and cousin domain profiles. Sender alignment is an SPF-related function that compares the envelope sender with the header From (Mail From), and the header From with the Reply-To header, and triggers the corresponding action when either pair does not match.
Impersonation profiles and cousin domain profiles check for appropriate display names and domain names, respectively.
To configure impersonation scan options
- When configuring an antispam profile, enable Impersonation under Scan Configurations.
- Click the plus to expand Impersonation.
- Enable Sender Alignment to check for a Header From and Envelope From domain mismatch. From Action, select the action profile that you want the FortiMail unit to use if a mismatch occurs.
- Enable Impersonation analysis to automatically learn and track the mapping of display names to internal email addresses, to prevent spoofing attacks. From Action, select the action profile that you want the FortiMail unit to use if the addresses do not match.
- Click the plus to expand Impersonation analysis, and select an Impersonation profile to apply to the antispam profile. For more information, see Configuring email impersonation profiles.
- Enable Cousin Domain to scan for domain names that are deliberately misspelled so as to appear to come from a trusted domain. From Action, select the action profile that you want the FortiMail unit to use if the cousin domain scan is triggered.
- Click the plus to expand Cousin Domain, and select a Cousin Domain profile to apply to the antispam profile. For more information, see Configuring cousin domain profiles.
- Additionally, enable the cousin domain scan options to scan for cousin domain names in the email header, in the email body, and/or automatically.
- Continue to the next section, or click Create or OK to save the antispam profile.
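The two checks in this section can be prototyped as follows. This Python example is added here and is not FortiMail's implementation of sender alignment or cousin domain profiles; the protected domain list, the homoglyph table, the edit-distance threshold and all addresses are constructed for illustration.

```python
"""Added example, not FortiMail code: the two checks behind the Impersonation
section. sender_alignment() reports the domain mismatches the page describes;
cousin_domain() flags lookalikes of protected domains using homoglyph folding
and edit distance. Thresholds, the protected domain list and all addresses
are constructed."""
import re

_DOMAIN = re.compile(r"@([A-Za-z0-9.-]+)")


def addr_domain(address: str) -> str:
    """Domain part of 'Name <user@host>' or 'user@host', lower-cased."""
    m = _DOMAIN.search(address)
    return m.group(1).lower().rstrip(".") if m else ""


def sender_alignment(envelope_from, header_from, reply_to=None):
    """Returns the mismatched pairs (empty list when aligned):
    envelope sender vs header From, and header From vs Reply-To."""
    issues = []
    if addr_domain(envelope_from) != addr_domain(header_from):
        issues.append("envelope-from/header-from")
    if reply_to and addr_domain(reply_to) != addr_domain(header_from):
        issues.append("header-from/reply-to")
    return issues


# Characters attackers swap for visually similar ones (constructed, not exhaustive).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s"})


def fold(domain: str) -> str:
    """Normalize a domain so that lookalikes collapse onto the genuine spelling."""
    d = domain.lower().translate(_HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance with single-character insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def cousin_domain(candidate, protected, max_distance=2):
    """Returns the protected domain that `candidate` imitates, or None.
    An exact match is the genuine domain and is never a cousin."""
    cand = candidate.lower().rstrip(".")
    for genuine in protected:
        gen = genuine.lower()
        if cand == gen:
            return None
        if fold(cand) == fold(gen) or levenshtein(fold(cand), fold(gen)) <= max_distance:
            return gen
    return None


PROTECTED = ["example.com"]   # constructed: the organisation's own domain

if __name__ == "__main__":
    print(sender_alignment("bounce@mailer.example.net", "CEO <ceo@example.com>", "ceo@webmail.example"))
    for d in ("exarnple.com", "examp1e.com", "examplle.com", "example.com", "unrelated.org"):
        print(d, "->", cousin_domain(d, PROTECTED))
```

The exact-domain comparison in `sender_alignment` mirrors the Header From versus Envelope From check; legitimate bulk senders that bounce from a subdomain will mismatch, which is why the sender alignment action is usually tag or quarantine rather than reject. A distance threshold of 2 also catches very short or coincidentally similar domains, so a production cousin domain profile needs an exception list.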
Configuring heuristic options
The FortiMail unit includes rules used by the heuristic filter. Each rule has an individual score used to calculate the total score for an email. A threshold for the heuristic filter is set for each antispam profile. To determine if an email is spam, the heuristic filter examines an email message and adds the score for each rule that applies to get a total score for that email. For example, if the subject line of an email contains “As seen on national TV!”, it might match a heuristic rule that increases the heuristic scan score towards the threshold.
- Email is spam if the total score equals or exceeds the threshold.
- Email is not spam if the total score is less than the threshold.
The FortiMail unit comes with a default heuristic rule set. To ensure that the most up-to-date spam methods are included in the percentage of rules used to calculate the score, update your FortiGuard Antispam packages regularly.
To configure heuristic scan options
- When configuring an antispam profile, enable Heuristic under Scan Configurations.
- Click the plus to expand Heuristic.
- From Action, select the action profile that you want the FortiMail unit to use if the heuristic scan finds spam email.
- In Threshold, enter the score at which the FortiMail unit considers an email to be spam. The default value is recommended.
- In The percentage of rules used, enter the percentage of the total number of heuristic rules to use when calculating the heuristic score for an email message.
- Continue to the next section, or click Create or OK to save the antispam profile.
For more information, see Configuring antispam action profiles.
Heuristic scanning is resource intensive. If spam detection rates are acceptable without heuristic scanning, consider disabling it or limiting its application to policies for problematic hosts.
You can also apply this scan to PDF attachments. For more information, see Configuring scan options.
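An added example (not FortiMail's heuristic engine or rule set) of the scoring model described above, in Python: each rule has a score, only the configured percentage of rules is evaluated, and the message is spam when the total reaches the threshold. Rules, scores and both sample messages are constructed. How FortiMail selects which rules fall inside the percentage is not documented here, so the example takes the first rules in list order and says so.

```python
"""Added example, not FortiMail code or its rule set: a heuristic scorer with the
three knobs the page describes: per-rule scores, a spam threshold, and the
percentage of rules used. Rules and sample messages are constructed."""
import re

# (name, score, field, pattern). Negative scores pull a message away from the
# threshold; the page's "As seen on national TV!" example is the first rule.
RULES = [
    ("subj_as_seen_on_tv", 2.5, "subject", r"(?i)as seen on (national )?tv"),
    ("subj_shouting", 1.0, "subject", r"^[A-Z0-9 !$]{12,}$"),
    ("body_urgent_wire", 2.0, "body", r"(?is)\b(wire|transfer)\b.*\burgent"),
    ("body_click_here", 1.5, "body", r"(?i)click here"),
    ("body_unsubscribe", -1.0, "body", r"(?i)unsubscribe"),
]


def rules_in_use(rules, percentage):
    """ASSUMPTION: the first N% of rules, in list order, are evaluated; the page
    does not say how FortiMail chooses which rules to leave out."""
    n = max(1, round(len(rules) * percentage / 100))
    return rules[:n]


def heuristic_score(msg, rules):
    """Sum of the scores of all rules that match, plus the matching rule names."""
    total, hits = 0.0, []
    for name, score, field, pattern in rules:
        if re.search(pattern, msg.get(field, "")):
            total += score
            hits.append(name)
    return total, hits


def is_spam(msg, threshold=5.0, percentage=100, rules=RULES):
    """Spam when total >= threshold (the page's rule); returns (verdict, total, hits)."""
    total, hits = heuristic_score(msg, rules_in_use(rules, percentage))
    return total >= threshold, total, hits


# Constructed sample messages.
SPAM = {"subject": "AS SEEN ON NATIONAL TV! CLICK NOW",
        "body": "Click here to wire the urgent transfer today."}
HAM = {"subject": "Lunch on Thursday?",
       "body": "Let me know if you can make it. To unsubscribe from these reminders reply stop."}

if __name__ == "__main__":
    print(is_spam(SPAM))                  # (True, 7.0, [...])
    print(is_spam(SPAM, percentage=40))   # only 2 of 5 rules: (False, 3.5, [...])
    print(is_spam(HAM))                   # (False, -1.0, ['body_unsubscribe'])
```

Lowering the percentage of rules used is what makes the scan cheaper, and the sample shows the cost: with 40% of the rules the same message falls below the threshold.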
See also
Configuring antispam action profiles
Configuring SURBL options
In addition to supporting Fortinet’s FortiGuard Antispam SURBL service, the FortiMail unit supports third-party Spam URL Realtime Block Lists (SURBL) servers. You can specify which public SURBL servers to use as part of an antispam profile. Consult the third-party SURBL service providers for any conditions and restrictions.
The SURBL section of antispam profiles lets you configure the FortiMail unit to query one or more SURBL servers to determine whether any of the uniform resource locators (URLs) in the message body are associated with spam. If a URL is blocklisted, the FortiMail unit treats the email as spam and performs the associated action. There are two types of URLs; for details, see URL types.
To configure SURBL scan options
- When configuring an antispam profile, enable SURBL in the AntiSpam Profile dialog.
- From Action, select the action profile that you want the FortiMail unit to use if the SURBL scan finds spam email.
- Next to SURBL, click Configuration. A pop-up window appears that displays the domain names of the SURBL servers.
- To add a new SURBL server address, click New and type the address in the field that appears. Because the servers are queried from top to bottom, you may want to put reliable servers with less traffic at the top of the list. Click the drop-down menu in the title bar to sort the entries.
- Select a server and click OK. The pop-up window closes. Closing the pop-up window does not save the antispam profile and its associated SURBL server list; to save changes to the server list, click OK in the antispam profile before navigating away to another part of the web UI.
- Continue to the next section, or click Create or OK to save the antispam profile.
For more information, see Configuring antispam action profiles.
Configuring DNSBL options
In addition to supporting Fortinet’s FortiGuard Antispam DNSBL service, the FortiMail unit supports third-party DNS blocklist servers. You can enable DNSBL filtering as part of the antispam profile, and define multiple DNSBL servers for each antispam profile. Consult the third-party DNSBL service providers for any conditions and restrictions.
Exercise due diligence on your DNSBL providers and their operations. Fortinet recommends that all email administrators use services that have clearly defined, rational listing policies and do not charge for delisting. Services that block whole subnets and AS numbers and whose business model charges for delisting should be viewed with heavy caution: Fortinet cannot delist IP addresses once they are blocklisted by such vendors.
DNSBL scans examine the IP address of the SMTP client that is currently delivering the email message. If the option in the Deep header section that queries the blocklist status of all SMTP servers appearing in the Received: lines of the header (Extract IP from Received Header) is enabled, the DNSBL scan also examines the IP addresses of all other SMTP servers that appear in the Received: lines of the message header. For more information, see Configuring FortiGuard options.
DNSBL scans do not examine private network addresses, which are defined in RFC 1918.
The DNSBL section of antispam profiles lets you configure the FortiMail unit to query one or more servers to determine if the IP address of the SMTP client has been blocklisted. If the IP address is blocklisted, the FortiMail unit treats the email as spam and performs the associated action.
To configure DNSBL scan options
- When configuring an antispam profile, enable DNSBL in the AntiSpam Profile dialog.
- From Action, select the action profile that you want the FortiMail unit to use if the DNSBL scan finds spam email.
- Next to DNSBL, click Configuration. A pop-up window appears where you can enter the domain names of the DNSBL servers to use with this profile.
- To add a new DNSBL server address, click New and type the address in the field that appears. Because the servers are queried from top to bottom, you may want to put reliable servers with less traffic at the top of the list. Click the drop-down menu in the title bar to sort the entries.
- Select a server from the list and click OK. The pop-up window closes. Closing the pop-up window does not save the antispam profile and its associated DNSBL server list; to save changes to the server list, click OK in the antispam profile before navigating away to another part of the web UI.
- Continue to the next section, or click Create or OK to save the antispam profile.
For more information, see Configuring antispam action profiles.
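The following Python example is added to show how DNSBL and SURBL queries are formed and how an ordered server list is consulted; it is not FortiMail code. Zone names, listings and the sample message are constructed, and DNS is replaced by an in-memory table so the example runs offline. It also includes the RFC 5782 test-address check that guards against the dead or abusive zones warned about above (a zone that lists 127.0.0.1, or no longer lists 127.0.0.2, must not be queried).

```python
"""Added example, not FortiMail code: how DNSBL and SURBL lookups are formed and
evaluated, plus the RFC 5782 sanity test that catches a dead zone or one that
lists the world. The resolver is a constructed in-memory table so the example
runs offline; real code issues DNS A queries. Zones, listings and the sample
message are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
URL = re.compile(r"https?://[^\s<>\"']+|\bwww\.[^\s<>\"']+", re.I)


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def dnsbl_name(ip: str, zone: str) -> str:
    """203.0.113.7 in zone bl.example -> 7.113.0.203.bl.example"""
    return ".".join(reversed(ip.split("."))) + "." + zone


def surbl_name(url: str, zone: str) -> str:
    """Registrable domain of the URL's host, prefixed to the zone.
    ASSUMPTION: registrable domain == last two labels (use the Public Suffix List in production)."""
    host = (urlsplit(url if "://" in url else "http://" + url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:]) + "." + zone


def dnsbl_check(client_ip, zones, resolver):
    """Zones are queried top to bottom; the first listing wins. RFC 1918 clients are skipped."""
    if is_rfc1918(client_ip):
        return None
    for zone in zones:
        answer = resolver.get(dnsbl_name(client_ip, zone))
        if answer:
            return zone, answer
    return None


def surbl_check(body, zones, resolver):
    """Every URL in the body against every zone, in list order."""
    for url in URL.findall(body):
        for zone in zones:
            answer = resolver.get(surbl_name(url, zone))
            if answer:
                return url, zone, answer
    return None


def zone_is_sane(zone, resolver):
    """RFC 5782: 127.0.0.2 must be listed and 127.0.0.1 must not be. A zone that
    fails this is dead, misconfigured or listing everything, and must not be used."""
    listed_2 = resolver.get(dnsbl_name("127.0.0.2", zone))
    listed_1 = resolver.get(dnsbl_name("127.0.0.1", zone))
    return bool(listed_2) and not listed_1


# Constructed answers: DNSBLs conventionally reply with a 127.0.0.x code.
RESOLVER = {
    "2.0.0.127.bl.example": "127.0.0.2",
    "7.113.0.203.bl.example": "127.0.0.2",
    "1.0.0.127.dead.example": "127.0.0.2",      # lists 127.0.0.1: the zone is broken
    "2.0.0.127.dead.example": "127.0.0.2",
    "spam-site.example.surbl.example": "127.0.0.8",
}
BODY = "Limited offer: http://www.spam-site.example/offer?id=1 before Friday"

if __name__ == "__main__":
    print(dnsbl_check("203.0.113.7", ["bl.example"], RESOLVER))
    print(surbl_check(BODY, ["surbl.example"], RESOLVER))
    print(zone_is_sane("bl.example", RESOLVER), zone_is_sane("dead.example", RESOLVER))
```

Run `zone_is_sane` periodically for every configured server, not only at setup time: a zone that is retired typically starts answering for every query, which turns the DNSBL scan into a blanket block.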
Configuring banned word options
The Banned word section of antispam profiles lets you configure the FortiMail unit to consider email messages as spam if the subject line and/or message body contain a prohibited word. When a banned word is found, the FortiMail unit treats the email as spam and performs the associated action.
When banned word scanning is enabled and an email is found to contain a banned word, the FortiMail unit adds an X-FEAS-BANNEDWORD: header to the message, followed by the banned word found in the email. The header is useful for troubleshooting, when determining which banned word or phrase caused an email to be blocked.
You can use wildcards in banned words. Unlike dictionary scans, however, banned word scans do not support regular expressions. For details about wildcards and regular expressions, see Appendix D: Wildcards and regular expressions.
You can also apply this scan to PDF attachments. For more information, see Configuring scan options.
To configure banned word scan options
- When configuring an antispam profile, enable Banned word in the AntiSpam Profile dialog.
- From Action, select the action profile that you want the FortiMail unit to use if the banned word scan finds spam email.
- Next to Banned word, click Configuration. A pop-up window appears, showing the words or phrases that are prohibited by this profile. You can add or delete words in this window.
- Click New, then enter the banned word in the field that appears.
- Select Subject to have the subject line inspected for the banned word. If the check box is clear, the subject line is not inspected.
- Select Body to have the message body inspected for the banned word. If the check box is clear, the message body is not inspected.
- Click OK. The pop-up window closes.
- Continue to the next section, or click Create or OK to save the antispam profile.
For more information, see Configuring antispam action profiles.
Configuring safelist word options
The Safelist word section of antispam profiles lets you configure the FortiMail unit to consider email messages whose subject line and/or message body contain a safelisted word to be indisputably not spam. If the email message contains a safelisted word, the FortiMail unit does not consider the email to be spam. Because a safelisted word bypasses spam detection for anyone who uses it, choose words or phrases that an outside sender could not guess, such as an internal project code word, and never a common word.
You can use wildcards in safelisted words. Unlike dictionary scans, however, safelist word scans do not support regular expressions. For details about wildcards and regular expressions, see Appendix D: Wildcards and regular expressions.
To configure safelist word scan options
- When configuring an antispam profile, enable Safelist word in the AntiSpam Profile dialog.
- Next to Safelist word, click Configuration. A pop-up window appears, showing the words or phrases that are allowed by this profile. You can add or delete words in this window.
- Click New, then enter the allowed word in the field that appears.
- Select Subject to have the subject line inspected for the allowed word. If the check box is clear, the subject line is not inspected.
- Select Body to have the message body inspected for the allowed word. If the check box is clear, the message body is not inspected.
- Click OK. The pop-up window closes.
- Continue to the next section, or click Create or OK to save the antispam profile.
Configuring dictionary options
The Dictionary section of antispam profiles lets you configure the FortiMail unit to use dictionary profiles to determine if the email is likely to be spam. If the FortiMail unit considers email to be spam, it performs the associated action.
Before you can use this feature, you must have existing dictionary profiles. For information on creating dictionary profiles, see Configuring dictionary profiles.
When dictionary scanning is enabled and an email is found to contain a dictionary word, FortiMail units add X-FEAS-DICTIONARY:
to the message header, followed by the dictionary word or pattern found in the email. The header may be useful for troubleshooting purposes, when determining which dictionary word or pattern caused an email to be blocked.
Dictionary scans are more resource-intensive than banned word scans. If you do not need dictionary features such as regular expressions, consider using a banned word scan instead.
To configure dictionary scan options
- When configuring an antispam profile, enable Dictionary in the AntiSpam Profile dialog.
- Click the plus to expand Dictionary.
- From Action, select the action profile that you want the FortiMail unit to use if the dictionary scan finds spam email.
- From the With dictionary group drop-down list, select the name of a group of dictionary profiles to use with the dictionary scan. Or, from the With dictionary profile drop-down list, select the name of a dictionary profile to use with the dictionary scan.
- In the Minimum dictionary score field, enter the number of dictionary term matches above which the email will be considered to be spam. Note that the score value is based on individual dictionary profile matches, not the dictionary group matches.
- Continue to the next section, or click Create or OK to save the antispam profile.
For more information, see Configuring antispam action profiles.
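The three word-based scans above (banned word, safelist word and dictionary) can be modeled together. This Python example is added here and is not FortiMail code: the wildcard-to-regex conversion, the weight-per-occurrence dictionary scoring, the precedence of a safelist hit over the other scans, the word lists and the sample messages are all constructed assumptions; only the header names come from the page.

```python
"""Added example, not FortiMail code: banned-word and safelist-word scans with
wildcards (no regex), a dictionary scan with regular expressions and a minimum
score, and the X-FEAS-BANNEDWORD / X-FEAS-DICTIONARY headers the page mentions.
Word lists, dictionary entries, weights and the sample messages are constructed."""
import re


def wildcard_to_regex(pattern: str):
    """'*' matches any run of non-space characters, '?' exactly one; the match
    must start and end on a word boundary and is case-insensitive."""
    body = re.escape(pattern).replace(r"\*", r"\S*").replace(r"\?", r"\S")
    return re.compile(r"(?<!\w)" + body + r"(?!\w)", re.I)


def scan_words(words, subject, body, scan_subject=True, scan_body=True):
    """First configured word or phrase that matches, or None."""
    for word in words:
        rx = wildcard_to_regex(word)
        if (scan_subject and rx.search(subject)) or (scan_body and rx.search(body)):
            return word
    return None


# Constructed dictionary profile: (pattern, is_regex, weight).
DICTIONARY = [
    (r"\b\d{3}-\d{2}-\d{4}\b", True, 2),   # SSN-shaped number
    ("wire transfer", False, 1),            # plain/wildcard entry
    (r"(?i)\bpassword\b", True, 1),
]


def dictionary_score(subject, body):
    """ASSUMPTION: each occurrence adds the entry's weight; the page only says the
    score is based on individual dictionary profile matches."""
    text = subject + "\n" + body
    score, matched = 0, []
    for pattern, is_regex, weight in DICTIONARY:
        rx = re.compile(pattern) if is_regex else wildcard_to_regex(pattern)
        hits = len(rx.findall(text))
        if hits:
            score += weight * hits
            matched.append(pattern)
    return score, matched


def classify(msg, banned, safelist, min_dictionary_score=2):
    """Returns (verdict, headers_to_add). A safelisted word makes the message
    indisputably not spam, so it short-circuits the other word scans."""
    subject, body = msg["subject"], msg["body"]
    if scan_words(safelist, subject, body):
        return "clean", {}
    hit = scan_words(banned, subject, body)
    if hit:
        return "spam", {"X-FEAS-BANNEDWORD": hit}
    score, matched = dictionary_score(subject, body)
    if score >= min_dictionary_score:
        return "spam", {"X-FEAS-DICTIONARY": "; ".join(matched)}
    return "clean", {}


# Constructed word lists and messages.
BANNED = ["v?agra", "free money*"]
SAFELIST = ["project-zeus"]   # an internal code word no outside sender would guess
MSG_BANNED = {"subject": "Free money!!! no strings", "body": "Claim today."}
MSG_SAFE = {"subject": "Re: project-zeus budget",
            "body": "SSN 123-45-6789 and wire transfer details attached."}
MSG_DICT = {"subject": "Invoice",
            "body": "Send the wire transfer to this account, SSN 123-45-6789, password is hunter2."}

if __name__ == "__main__":
    for m in (MSG_BANNED, MSG_SAFE, MSG_DICT):
        print(m["subject"], "->", classify(m, BANNED, SAFELIST))
```

The added headers are exactly what the troubleshooting paragraphs above describe: read X-FEAS-BANNEDWORD or X-FEAS-DICTIONARY on a quarantined message to see which entry fired before loosening a list.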
Configuring image spam options
The Image spam section of antispam profiles lets you configure the FortiMail unit to analyze the contents of GIF, JPG, and PNG graphics to determine if the email is spam. If the email message contains a spam image, the FortiMail unit treats the email as spam and performs the associated action.
Image spam scanning may be useful when, for example, the message body of an email contains graphics but no text, and text-based antispam scans are therefore unable to determine whether or not an email is spam.
To configure image scan options
- When configuring an antispam profile, enable Image spam in the AntiSpam Profile dialog.
- From Action, select the action profile that you want the FortiMail unit to use if the image scan finds spam email.
- Enable Aggressive scan to inspect image file attachments in addition to embedded graphics. Enabling this option increases the workload when scanning email messages that contain image file attachments; if you do not require it, disable it to improve performance. This Aggressive scan option applies only if you enable PDF scanning. For more information, see Configuring scan options.
- Continue to the next section, or click Create or OK to save the antispam profile.
For more information, see Configuring antispam action profiles.
See also
Configuring antispam action profiles
Configuring Bayesian options
The Bayesian section of antispam profiles lets you configure the FortiMail unit to use Bayesian databases to determine if the email is likely to be spam. If the Bayesian scan indicates that the email is likely to be spam, the FortiMail unit treats the email as spam and performs the associated action.
FortiMail units can maintain two Bayesian databases: global and per-domain.
- For outgoing email, the FortiMail unit uses the global Bayesian database.
- For incoming email, which database will be used when performing the Bayesian scan varies by configuration of the incoming antispam profile and the configuration of the protected domain.
Before using Bayesian scans, you must train one or more Bayesian databases in order to teach the FortiMail unit which words indicate probable spam. If a Bayesian database is not sufficiently trained, it can increase false positive and/or false negative rates. You can train the Bayesian databases of your FortiMail unit in several ways. For more information, see Training the Bayesian databases.
Be aware that, without ongoing training, Bayesian scanning will become significantly less effective over time and thus Fortinet does not recommend enabling the Bayesian scanning feature.
To configure Bayesian scan options
- When configuring an antispam profile, enable Bayesian in the AntiSpam Profile dialog.
- Click the plus to expand Bayesian.
- From Action, select the action profile that you want the FortiMail unit to use if the Bayesian scan finds spam email.
- Configure the following:
- Continue to the next section, or click Create or OK to save the antispam profile.
For more information, see Configuring antispam action profiles.
GUI item | Description
---|---
 | Enable to accept training messages from email users. Training messages are email messages that email users forward to the email addresses of control accounts, such as FortiMail units apply training messages to either the global or per-domain Bayesian database depending on your configuration of the protected domain to which the email user belongs. Disable to discard training messages. This option is available only if Direction is Incoming (per-domain Bayesian databases cannot be used when the recipient does not belong to a protected domain, which defines outgoing email).
 | Enable to use scan results from FortiGuard, SURBL, and per-user and system-wide safe lists to train the Bayesian databases. This option is available only if Direction is Incoming (domain-level Bayesian databases cannot be used when the recipient does not belong to a protected domain, which defines outgoing email).
Configuring scan options
The Scan Conditions section of antispam profiles lets you configure conditions that cause the FortiMail unit to omit antispam scans, or to apply some antispam scans to PDF attachments.
To configure scan options
- When configuring an antispam profile, click the plus to expand Scan Options in the AntiSpam Profile dialog.
- Configure the following:
GUI item | Description
---|---
 | Enter the maximum size of email messages, in bytes, that the FortiMail unit will scan for spam. Messages larger than the set size are not scanned for spam. To disable the size limit, causing all messages to be scanned, regardless of size, enter Note: Resource requirements for scanning messages increase with the size of the email message. If the spam you receive tends not to be smaller than a certain size, consider limiting antispam scanning to messages under this size to improve performance.
 | Enable to bypass spam scanning for authenticated SMTP connections. This option is enabled by default. Note: If you can trust that authenticating SMTP clients are not a source of spam, consider enabling this option to improve performance.
 | Spammers may attach a PDF file to an otherwise empty message to get their email messages past spam safeguards. The PDF file contains the spam information. Since the message body contains no text, antispam scanners cannot determine if the message is spam. Enable this option to use the heuristic, banned word, and image spam scans to inspect the first page of PDF attachments. This option applies only if you have enabled and configured heuristic, banned word, and/or image spam scans. For information on configuring those scans, see Configuring heuristic options, Configuring banned word options, and Configuring image spam options.
Apply default action without scan upon policy match | Select this option to take the default antispam action right away, without applying other antispam filters, if the email matches the relevant IP or recipient policy.
Performing a batch edit
You can apply changes to multiple profiles at once.
- Go to Profile > AntiSpam > AntiSpam.
- Hold Ctrl and click the rows of the existing profiles whose settings you want to modify.
- Click Batch Edit.
- Modify the profile, as explained in Managing antispam profiles, changing only those settings that you want to apply to all selected profiles.
- Click Apply To All to save the changes and remain on the dialog, or click OK to save the changes and return to the AntiSpam tab.
The ability to batch edit antispam profiles does not apply to predefined profiles.
The AntiSpam Profile dialog appears.
Configuring email impersonation profiles
Email impersonation, or Business Email Compromise (BEC), is a form of email spoofing: the attacker forges the email header so that the message appears to come from a source other than the actual sending address, in order to deceive the recipient.
To use this feature, you must have a license for the Fortinet Enterprise Advanced Threat Protection (ATP) bundle.
To fight email impersonation, you can map the display names of high-value targets to their correct email addresses, and FortiMail can then check email against that mapping. For example, an external spammer wants to impersonate the CEO of your company (ceo@company.com). The spammer puts "CEO ABC <ceo@external.com>" in the email Header From and sends the email to a user (victim@company.com). If FortiMail has been configured with a manual entry "CEO ABC"/"ceo@company.com" in an impersonation analysis profile to indicate the correct display name/email pair, or it has learned the display name/email pair through the dynamic process, then impersonation analysis detects the email, because the spammer uses an external email address with an internal user's display name.
There are two ways to do the mapping:
- Manual: you manually enter mapping entries and create impersonation analysis profiles as described below. Then you enable the impersonation profile in an antispam profile (Managing antispam profiles). Eventually, you will apply the antispam profile in the IP-based or recipient-based policies (Controlling email based on IP addresses and Controlling email based on sender and recipient addresses).
- Dynamic: FortiMail Mail Statistics Service can automatically learn the mapping. See details below.
Impersonation analysis checks both the Header From and Reply-To fields.
You can also add exempt entries so that FortiMail will skip the impersonation analysis check.
To avoid false positives, impersonation analysis also follows some other exempt rules.
To create an impersonation analysis profile
- Go to Profile > AntiSpam > Impersonation.
- Click New to create a new profile.
- Enter a profile name.
- Select a domain or System from the dropdown list. The profile will be applied to your selection.
- Under Impersonation, select Match Rule or Exempt Rule.
- Click New to add an entry.
GUI item | Description
---|---
Display name pattern | Enter the display name to be mapped to the email address. You can use a wildcard or a regular expression.
Pattern type | Either wildcard or regular expression.
Email address | Enter the email address to be mapped to the display name. The email address can be from a protected/internal domain or an unprotected/external domain. If the email address is from an external domain, such as gmail.com or hotmail.com, email whose display name matches the entry and whose address is that external address is passed. Otherwise, it is caught by impersonation analysis.
Enabling impersonation analysis dynamic scanning
In addition to manually entering mapping entries and creating impersonation analysis profiles, the FortiMail Mail Statistics Service can automatically (dynamically) learn and track the mapping of display names to internal email addresses.
To use manual, dynamic, or both manual and dynamic impersonation analysis scanning, use the following command:
config antispam settings
set impersonation-analysis dynamic manual
end
By default, FortiMail uses manual analysis only.
Also enable the FortiMail Mail Statistics Service with the following command. This service is disabled by default:
config system global
set mailstat-service enable
end
After the service is enabled, you can search the dynamic database by going to Profile > AntiSpam > Impersonation and clicking Impersonation Lookup. Enter an email address; if a record for it exists in the database, the corresponding display name is displayed.
Configuring cousin domain profiles
Like impersonation profiles, cousin domain profiles help mitigate BEC email-impersonation risks. Where impersonation profiles map display names, cousin domain profiles map sender domain names to be either scanned or exempted from scanning. Attackers deliberately misspell domain names, by removing, substituting, and/or transposing characters, to make email look as though it originates from trusted internal sources.
For example, if you configure an entry for the sender domain f?rtinet.com (regex), f0rtinet.com will be caught, but the legitimate and trusted sender domain fortinet.com will also be caught as a cousin domain. To avoid this, add fortinet.com to the exempt rules so that it is not caught.
Cousin domain scan options, such as auto detection, are configured within antispam profiles. See Configuring impersonation options for more information.
To create a cousin domain profile
- Go to Profile > AntiSpam > Cousin Domain.
- Either click New to add a profile or double-click an existing profile to modify it. You can also select multiple profiles and batch edit them.
- Enter a profile name.
- Select a domain or System from the dropdown list. The profile will be applied to your selection.
- Under Cousin Domain, select Match Rule or Exempt Rule.
- Click New to add an entry.
GUI item | Description
---|---
Domain name pattern | Enter the domain name to be mapped to the email address. You can use a wildcard or a regular expression.
Pattern type | Either wildcard or regular expression.
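The following is an added illustration, not FortiMail's own code: a small Python model of the rule matching that the impersonation and cousin domain profiles above describe, with match and exempt entries, wildcard and regex pattern types, the check applied to both Header From and Reply-To, and the f?rtinet.com cousin-domain example with fortinet.com exempted. The rule entries and addresses are constructed, and the regex form `f.rtinet\.com` is assumed as the regular-expression spelling of "f, one character, rtinet.com".

```python
import re
from email.utils import parseaddr

# Constructed rule entries for this example, not FortiMail's stored configuration.
# Impersonation entries: (display-name pattern, pattern type, mapped email address).
IMPERSONATION_MATCH = [("CEO ABC", "wildcard", "ceo@company.com")]
# Exempt entry: the CEO's known external mailbox may legitimately use that display name.
IMPERSONATION_EXEMPT = [("CEO ABC", "wildcard", "ceo.abc@gmail.com")]
# Cousin domain entries: (domain pattern, pattern type). Both entries mean
# "f, any single character, rtinet.com": '?' in wildcard syntax, '.' in regex syntax.
COUSIN_MATCH = [("f?rtinet.com", "wildcard"), (r"f.rtinet\.com", "regex")]
COUSIN_EXEMPT = [("fortinet.com", "wildcard")]


def compile_pattern(pattern, ptype):
    """Compile a wildcard ('*' = any run, '?' = one char) or regex pattern."""
    if ptype == "wildcard":
        pattern = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(pattern, re.IGNORECASE)


def matches(pattern, ptype, text):
    """Whole-string match, so the pattern 'CEO' does not silently cover 'CEO ABC'."""
    return compile_pattern(pattern, ptype).fullmatch(text) is not None


def impersonation_verdict(header_value):
    """Check one From or Reply-To value against the display-name/address mapping.
    Exempt entries win; a matched display name with a different address is flagged."""
    name, addr = parseaddr(header_value)
    addr = addr.lower()
    for pat, ptype, mapped in IMPERSONATION_EXEMPT:
        if matches(pat, ptype, name) and addr == mapped.lower():
            return "exempt"
    for pat, ptype, mapped in IMPERSONATION_MATCH:
        if matches(pat, ptype, name) and addr != mapped.lower():
            return "impersonation"
    return "pass"


def scan_headers(headers):
    """Impersonation analysis inspects both Header From and Reply-To."""
    return {field: impersonation_verdict(headers[field])
            for field in ("From", "Reply-To") if field in headers}


def cousin_domain_verdict(sender_addr):
    """Exempt rules are applied before match rules, so fortinet.com is never flagged."""
    domain = sender_addr.rsplit("@", 1)[-1].lower()
    if any(matches(p, t, domain) for p, t in COUSIN_EXEMPT):
        return "exempt"
    if any(matches(p, t, domain) for p, t in COUSIN_MATCH):
        return "cousin-domain"
    return "pass"


if __name__ == "__main__":
    print(scan_headers({"From": "Bob <bob@company.com>",
                        "Reply-To": "CEO ABC <ceo@external.com>"}))
    print(cousin_domain_verdict("it-support@f0rtinet.com"))
```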
Configuring Business Email Compromise profiles
To better protect against Business Email Compromise (BEC) spam attacks, FortiMail allows you to enable scanning for the most common BEC attack types, such as cousin domains, suspicious characters, sender alignment, action keywords, and URL categories. To avoid false positives and false negatives, you can adjust the weight allocated to each type with a scoring system. You can also apply different actions according to the score. For example, for email that is merely suspicious you might only insert a warning in the header, while email that is more certainly spam you might quarantine or reject.
The BEC profiles are used in the antispam profiles. For details about antispam profiles, see Managing antispam profiles.
To configure Business Email Compromise profiles
- Go to Profile > AntiSpam > Business Email Compromise.
- Either click New to add a profile or double-click an existing profile to modify it. You can also select multiple profiles and batch edit them.
- Select a domain or System from the dropdown list. The profile will be applied to your selection.
- Enter a profile name.
- Enter a comment.
- Under Rule, click New to add an entry. A profile can have multiple rules.
- Configure the following:
- Cousin domain: For details, see Configuring cousin domain profiles.
- Suspicious character: Characters outside the Unicode "highly restricted" set in an email domain, or IDN homographs in URLs within the email body, are treated as suspicious, to protect against IDN homograph attacks.
- Sender alignment: Check for a Header From and Envelope From domain mismatch.
- Action keyword: The email body contains action phrases that ask the reader to do something, for example "Click here", "Transfer", "Money", "Dollars", "Bank account", and other similar action words.
- URL category: Analyze the phishing URLs contained in the email.
- Malformed email: A malformed email message has malformed data in the email structure, header, or body (see RFC 7103).
GUI item | Description
---|---
Status | Enable or disable the rule in the profile.
Name | Enter a rule name.
Action | Specify an action for the rule.
Threshold | The score at which the rule's action is taken. This score is allocated across the six categories below.
Score Allocation | Depending on your requirements and testing, assign equal or different scores to the categories listed in the steps above.
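An added example of the scoring model described above; this is illustration code, not FortiMail's implementation. It uses constructed score allocations and two rules with different thresholds, so that a weakly suspicious email only receives a warning header while a stronger match is quarantined. Sender alignment, action keywords and a simplified suspicious-character test are evaluated inline; cousin domain, URL category and malformed-email results are assumed to come from other checks and are passed in as flags.

```python
from email.utils import parseaddr

# Constructed score allocation across the six categories (not FortiMail defaults).
SCORE_ALLOCATION = {
    "cousin_domain": 30, "suspicious_character": 20, "sender_alignment": 20,
    "action_keyword": 15, "url_category": 10, "malformed_email": 5,
}
# Constructed rules: (rule name, threshold, action). With two rules at different
# thresholds, a weak match only gets a warning header while a strong one is quarantined.
RULES = [("bec_warn", 20, "insert-warning-header"),
         ("bec_quarantine", 50, "quarantine")]
ACTION_KEYWORDS = ("click here", "transfer", "money", "dollars", "bank account")


def domain_of(address):
    """Domain part of an address, with any display name stripped."""
    return parseaddr(address)[1].rsplit("@", 1)[-1].lower()


def evaluate_categories(msg, precomputed=None):
    """Decide which categories fire for msg (dict with envelope_from, header_from,
    body). Cousin domain, URL category and malformed-email results are produced
    by other checks, so they arrive here as precomputed booleans."""
    hits = dict.fromkeys(SCORE_ALLOCATION, False)
    hits.update(precomputed or {})
    header_domain = domain_of(msg["header_from"])
    # Sender alignment: Header From and Envelope From domains must agree.
    hits["sender_alignment"] = header_domain != domain_of(msg["envelope_from"])
    # Simplification of the "not Unicode highly restricted" test: any non-ASCII
    # character in the From domain is treated as suspicious.
    hits["suspicious_character"] = not header_domain.isascii()
    body = msg["body"].lower()
    hits["action_keyword"] = any(word in body for word in ACTION_KEYWORDS)
    return hits


def bec_score(hits):
    """Sum the allocated scores of every category that fired."""
    return sum(score for cat, score in SCORE_ALLOCATION.items() if hits.get(cat))


def bec_action(score):
    """Return (rule name, action) of the highest-threshold rule the score reaches."""
    for name, threshold, action in sorted(RULES, key=lambda r: r[1], reverse=True):
        if score >= threshold:
            return name, action
    return None, "none"


def classify(msg, precomputed=None):
    """Full pass: category hits, then score, then the action for that score."""
    hits = evaluate_categories(msg, precomputed)
    score = bec_score(hits)
    return score, bec_action(score)[1]


if __name__ == "__main__":
    # Constructed sample: executive display name, lookalike domain, wire request.
    sample = {"envelope_from": "bounce@mailer.example",
              "header_from": "CEO ABC <ceo@f0rtinet.com>",
              "body": "Please transfer $20,000 to this bank account today."}
    print(classify(sample, {"cousin_domain": True}))  # (65, 'quarantine')
```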
Configuring antispam action profiles
The Action tab in the AntiSpam submenu lets you define one or more things that the FortiMail unit should do if the antispam profile determines that an email is spam.
For example, assume you configured a default antispam action profile, named quar_and_tag_profile, that both tags the subject line and quarantines email detected to be spam. In general, all antispam profiles using the default action profile will quarantine the email and tag it as spam. However, you may decide that email failing the dictionary scan is always spam and should be rejected so that it does not consume quarantine disk space. Therefore, for the antispam profiles that apply a dictionary scan, you could override the default action by configuring and using a second action profile, named rejection_profile, which rejects such email.
The specific action profile overrides the default action profile while mailfilterd scans the email and decides its disposition (action). Once the email has left mailfilterd, any remaining actions, such as spam report, web release, and sender safelisting, are still taken according to the default action profile.
To view and configure antispam action profiles
- Go to Profile > AntiSpam > Action.
- Either click New to add a profile or double-click an existing profile to modify it. You can also select multiple profiles and batch edit them.
- Configure the following:
- None: No change.
- Prefix: Prepend the part with text that you have entered in the With field.
- Suffix: Append the part with the text you have entered in the With field.
- Replace: Substitute the part with the text you have entered in the With field.
- Click Create or OK.
GUI item | Description
---|---
Domain (drop-down list) | Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile.
Profile Name | Displays the name of the profile.
Domain (column) | Displays either System or a domain name.
(Green dot in column heading) | Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.
A dialog appears.
GUI item | Description
---|---
Domain | Select whether the action profile is system-wide or domain-wide. You can see only the domains that are permitted by your administrator profile.
Profile name | For a new profile, enter a name.
 | Enable and enter the text that appears in the subject line of the email, such as Many email clients can sort incoming email messages into separate mailboxes, including a spam mailbox, based on text appearing in various parts of email messages, including the subject line. For details, see the documentation for your email client.
 | Enable and enter the message header key in the field, and the value in the With value field. The FortiMail unit adds this text to the message header of the email before forwarding it to the recipient. Many email clients can sort incoming email messages into separate mailboxes, including a spam mailbox, based on text appearing in various parts of email messages, including the message header. For details, see the documentation for your email client. Message header lines are composed of two parts, a key and a value, separated by a colon. For example, you might enter: X-Custom-Header: Detected as spam by profile 22. If you enter a header line that does not include a colon, the FortiMail unit automatically appends a colon, so the entire text that you entered becomes the key. Note: Do not enter spaces in the key portion of the header line, as these are forbidden by RFC 2822. Starting from the 6.0.1 release, you can add multiple headers by adding them to the header table. You can also insert the predefined variables into the header value.
Insert disclaimer | Starting from the 6.0.1 release, you can insert a disclaimer as an action. You can modify the default disclaimer or add new disclaimers by going to System > Customization > Custom Message > Email Content Resources > Disclaimer insertion message.
 | Enable to route the email to a specific SMTP server or relay, then type the fully qualified domain name (FQDN) or IP address of the destination. You can choose to deliver the original email or the modified email. Note: If you enable this setting, the FortiMail unit uses this destination for all email that matches the profile and ignores Relay server name and Use this domain’s SMTP server to deliver the mail.
Deliver to original host | Enable to deliver email to the original host.
BCC | Enable to send a blind carbon copy (BCC) of the email. You can specify an Envelope from address so that, if the email is undeliverable and bounces, it is returned to the specified envelope from address instead of the original sender. This is helpful when you want to use a specific mailbox to collect bounce notifications. Click New to add BCC recipients.
Archive to account | Enable to send the email to an archiving account. Click New to create a new archiving account or click Edit to modify an existing account. For details about archiving accounts, see Email archiving workflow.
Notify with profile | Enable and select a notification profile to send a notification email to the sender, recipient, or any other people you configure in the notification profile. The notification email is customizable and tells the users what happened to the email message. For details about notification profiles and email templates, see Configuring notification profiles and Customizing email templates.
Final action | For details about final and non-final actions, see Order of execution.
 | Enable to accept the email, but then delete it instead of delivering it, without notifying the SMTP client.
 | Enable to reject the email and reply to the SMTP client with SMTP reply code 550. However, if email messages are held for FortiGuard spam outbreak protection or FortiGuard virus outbreak protection, or sent to FortiSandbox, the actual action falls back to "system quarantine".
Personal quarantine | For incoming email, enable to redirect the email to the recipient’s personal quarantine. For more information, see Managing the personal quarantines. For outgoing email, this action falls back to the system quarantine. You can choose to quarantine the original email or the modified email.
 | Enable to redirect spam to the system quarantine folder. For more information, see Managing the system quarantine. You can choose to quarantine the original email or the modified email.
Domain quarantine | Enable to redirect spam to the domain quarantine folder. For more information, see Managing the domain quarantines.
Rewrite recipient email address | Enable to change the recipient address of any email message detected as spam. Configure rewrites separately for the local-part (the portion of the email address before the '@' symbol, typically a user name) and the domain part (the portion of the email address after the '@' symbol). For each part, select None, Prefix, Suffix, or Replace, as described in the steps above.
To apply an antispam action profile, select it in one or more antispam profiles. For details, see Managing antispam profiles.
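An added example, not FortiMail's own code, of three of the modifying actions described in the table above: tagging the subject, inserting header lines (including the rule that a line without a colon becomes a key with an empty value, and that spaces in the key are rejected), and rewriting the recipient's local-part and domain part with None/Prefix/Suffix/Replace. The subject tag, the second header line and the rewrite settings are constructed for the demonstration.

```python
from email.message import EmailMessage

# Constructed settings standing in for an action profile's dialog fields.
SUBJECT_TAG = "[SPAM]"
HEADER_LINES = ("X-Custom-Header: Detected as spam by profile 22",
                "X-Tagged-By-Profile")  # no colon: whole text becomes the key


def parse_header_line(line):
    """Split the 'key: value' text of an Insert header entry. A line without a
    colon gets one appended, so the whole text becomes the key; spaces in the
    key are rejected because RFC 2822 forbids them."""
    if ":" not in line:
        line += ":"
    key, _, value = line.partition(":")
    key = key.strip()
    if not key or " " in key:
        raise ValueError(f"invalid header key {key!r}")
    return key, value.strip()


def rewrite_part(part, mode, with_text):
    """Apply one of None / Prefix / Suffix / Replace to a local-part or domain."""
    return {"None": part, "Prefix": with_text + part,
            "Suffix": part + with_text, "Replace": with_text}[mode]


def rewrite_recipient(address, local_mode="None", local_with="",
                      domain_mode="None", domain_with=""):
    """Rewrite the local-part (before '@') and domain part (after '@') separately."""
    local, domain = address.rsplit("@", 1)
    return (rewrite_part(local, local_mode, local_with) + "@"
            + rewrite_part(domain, domain_mode, domain_with))


def apply_action_profile(msg, recipient, rewrite=None):
    """Tag the subject, insert the configured headers, and rewrite the recipient.
    Returns the modified message and the new envelope recipient."""
    msg.replace_header("Subject", f"{SUBJECT_TAG} {msg['Subject']}")
    for line in HEADER_LINES:
        key, value = parse_header_line(line)
        msg[key] = value
    return msg, rewrite_recipient(recipient, **(rewrite or {}))


def demo():
    """Constructed message: spam detected, recipient diverted to a quarantine domain."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice attached"
    msg["From"] = "sender@external.example"
    msg["To"] = "alice@company.com"
    return apply_action_profile(
        msg, "alice@company.com",
        {"local_mode": "Prefix", "local_with": "spam-",
         "domain_mode": "Replace", "domain_with": "quarantine.company.com"})


if __name__ == "__main__":
    message, rcpt = demo()
    print(message.as_string(), rcpt)
```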