Fortinet white logo
Fortinet white logo

Administration Guide

Configuring antispam profiles and antispam action profiles

Configuring antispam profiles and antispam action profiles

The AntiSpam submenu lets you configure antispam profiles and related action profiles.

This section contains the following topics:

Managing antispam profiles

The AntiSpam tab lets you manage and configure antispam profiles. Antispam profiles are sets of antispam scans that you can apply by selecting one in a policy.

FortiMail units can use various methods to detect spam, such as the FortiGuard Antispam service, DNSBL queries, Bayesian scanning, and heuristic scanning. Antispam profiles contain settings for these features that you may want to vary by policy. Depending on the feature, before you configure antispam policies, you may need to enable the feature or configure its system-wide settings.

For information on the order in which FortiMail units perform each type of antispam scan, see Order of execution.

Note

You can use an LDAP query to enable or disable antispam scanning on a per-user basis. For details, see Configuring LDAP profiles and Configuring scan override options.

To view and manage incoming antispam profiles
  1. Go to Profile > AntiSpam > AntiSpam.
  2. GUI item

    Description

    Clone

    (button)

    Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK.

    Batch Edit

    (button)

    Edit several profiles simultaneously. See Performing a batch edit.

    Domain

    (dropdown list)

    Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile.

    Profile Name

    Displays the name of the profile. The profile name is editable.

    Domain Name

    (column)

    Displays either System or a domain name.

    (Green dot in column heading)

    Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

  3. Either click New to add a profile or double-click a profile to modify it.
  4. A multisection dialog appears.

  5. Configure the following:
  6. GUI item

    Description

    Domain

    Select the entire FortiMail unit (System) or name of a protected domain. You can see only the domains that are permitted by your administrator profile. For more information, see About administrator account permissions and domains.

    Profile name

    For a new profile, enter the name of the profile.

    Default action

    Select the default action to take when the policy matches. See Configuring antispam action profiles.

    FortiGuard

    See Configuring FortiGuard options.

    Greylist

    Enable to apply greylisting. For more information, see Configuring greylisting.

    Note: Enabling greylisting can improve performance by blocking most spam before it undergoes other resource-intensive antispam scans.

    SPF

    If the sender domain DNS record lists SPF authorized IP addresses, use this option to compare the client IP address to the IP addresses of authorized senders in the DNS record (RFC 4408).

    If the DNS record for the domain name of the sender does not publish SPF information, the FortiMail unit omits the SPF client IP address validation.

    If the client IP address fails the SPF check, FortiMail will take the antispam action configured in this antispam profile. But unlike SPF checking in a session profile, failed SPF checking in an antispam profile will not increase the client’s reputation score.

    Select the action to perform for each SPF scan result:

    • Fail: Host is not authorized to send messages.
    • Soft Fail: Host is not authorized to send messages but not a strong statement.
    • Permanent Error: The SPF records are invalid.
    • Temporary Error: Processing error.
    • Pass: Host is authorized to send messages.
    • Neutral: SPF records exist, but there is no definitive assertion.
    • None: No SPF record exists.

    Note: No SPF scan is performed for direct connections from RFC 1918 private network IPv4 addresses.

    Note: If you select Bypass for the SPF scan in the session profile (see Configuring sender validation options), then it will not be used, even if you enable the SPF scan in the antispam profile.

    DKIM

    Domain Keys Identified Mail (DKIM) checking utilizes public and private keys to digitally sign outbound emails to prove that email has not been tampered with in transit.

    Starting from 7.2.1 release, you can set different actions according to different DKIM check results:

    • Fail: DKIM invalid body hash or invalid signature.
    • None: No DKIM DNS record found or the record could not be correctly parsed.
    • Pass: DKIM check passed.
    • Temporary Error: DNS server returned Temp error when querying DKIM DNS record.

    DMARC

    Domain-based Message Authentication, Reporting & Conformance (DMARC) performs email authentication with SPF and DKIM checking.

    If either SPF check or DKIM check passes, DMARC check will pass. If both of them fails, DMARC check fails.

    FortiMail also conducts DMARC alignment, whereby at least one of the domains authenticated by SPF or DKIM must align with the header-from domain. If alignment check fails, DMARC check will fail. For more information, see RFC 7489.

    Starting from 7.2.1 release, you can set different actions according to different DMARC check results:

    • Fail: DMARC check failed.
    • None: No DMARC DNS record found or the record could not be correctly parsed.
    • Pass: DMARC check passed.
    • Temporary Error: DNS server returned Temp error when querying DMARC DNS record.
    Note

    FortiMail combines non-final actions set in the antispam profile with the actions set in the DMARC DNS record policy.

    If the antispam profile DMARC actions are non-final, such as "Tag subject" and "Notify", they are combined with the actions in the DMARC DNS record policy: None, Reject, or Quarantine.

    This happens when:

    config antispam settings

    set dmarc-failure-action use-profile-action-with-none (and the sender's DMARC record policy is 'p=none')

    Or

    set dmarc-failure-action use-policy-action

    end

    Starting from 7.0.1 release, you can generate DMARC reports with the following CLI command, from the system level and domain level, respectively:

    • config antispam dmarc-report

    • config domain-setting

    For more details, see the FortiMail CLI Reference.

    ARC

    Authenticated Received Chain (ARC) permits intermediate email servers (such as mailing lists or forwarding services) to sign an email's original authentication results. This allows a receiving service to validate an email, in the event the email's SPF and DKIM records are rendered invalid by an intermediate server's processing. For more information, see RFC 8617.

    Enable the service, and enable ARC to override SPF, DKIM, and/or DMARC.

    Behavior analysis

    Behavior analysis (BA) analyzes the similarities between the uncertain email and the known spam email in the BA database and determines if the uncertain email is spam.

    The BA database is a gathering of spam email caught by FortiGuard Antispam Service. Therefore, the accuracy of the FortiGuard Antispam Service has a direct impact on the BA accuracy.

    You can adjust the BA aggressiveness using the following CLI commands:

    config antispam behavior-analysis

    set analysis-level {high | medium | low}

    end

    The high setting means the most aggressive while the low setting means the least aggressive. The default setting is medium.

    You can also reset (empty) the BA database using the following CLI command:

    diagnose debug application mailfilterd behavior-analysis update

    Header analysis

    Enable this option to examine the entire message header for spam characteristics.

    Business email compromise

    Expand to specify a profile and an action for each category. See Configuring Business Email Compromise.

    Heuristic

    See Configuring heuristic options.

    SURBL

    See Configuring SURBL options.

    DNSBL

    See Configuring DNSBL options.

    Banned word

    See Configuring banned word options.

    Safelist word

    See Configuring safelist word options.

    Dictionary

    See Configuring dictionary options.

    Image spam

    See Configuring image spam options.

    Bayesian

    See Configuring Bayesian options.

    Suspicious newsletter

    Suspicious newsletters are part of the newsletter category. But FortiMail may find them to be suspicious because they may actually be spam under the disguise of newsletters.

    Note that if you enable detection of both newsletters and suspicious newsletters and specify actions for both types, if a newsletter is found to be suspicious, the action towards suspicious newsletters will take effect, not the action towards newsletters.

    Newsletter

    Although newsletters and other marketing campaigns are not spam, some users may find them annoying.

    Enable detection of newsletters and select an action profile to deal with them. For example, you can tag newsletter email so that users can filter them in their email clients.

    Scan Options

    See Configuring scan options.

Configuring FortiGuard options

The FortiGuard section of antispam profiles lets you configure the FortiMail unit to query the FortiGuard Antispam service to check the following:

  • IP Reputation: if the SMTP client IP address is a public one, the FortiMail unit will query the FortiGuard Antispam service to determine if the current SMTP client is blocklisted; if the SMTP client IP address is a private one, the FortiMail unit will query the FortiGuard Antispam service to determine if the first public IP address in the header is blocklisted. If the Extract IP from Received Header option is enabled, the FortiGuard scan will also examine the public IP addresses of all other SMTP servers that appear in the Received: lines of the message header.
  • FortiGuard Antispam scans do not examine private network addresses, as defined in RFC 1918.

  • URL category: this option determines if any uniform resource identifiers (URL) in the message body are associated with spam. FortiGuard URL filter groups URL into various categories, such as hacking, drug abuse and so on. You can configure the FortiGuard URL filter to check for certain categories only. For details, see Configuring the FortiGuard URL filter. If a URL is blocklisted, the FortiMail unit treats the email as spam and performs the associated action. You can also exempt URLs from spam filtering.
  • To take different actions towards different URL filters or categories, you can specify a primary and a secondary filter, and specify different actions for each filter. If both URL filters match an email message, the primary filter action will take precedence.

    To reduce false positives, unrated IP addresses will be ignored and no actions will be taken.

  • Spam outbreak protection: enable this option to temporarily hold suspicious email for a certain period of time (configurable with CLI command config profile antispam set spam-outbreak-protection and config system fortiguard antispam set outbreak-protection-period) if the enabled FortiGuard antispam check (block IP and/or URL filter) returns no result. After the specified time interval, FortiMail will query the FortiGuard server for the second time. This provides an opportunity for the FortiGuard antispam service to update its database in cases a spam outbreak occurs. To view the email on hold, go to Monitor > Mail Queue > Spam Outbreak.
  • When set to Monitor only, email is not deferred. Instead, X-FEAS-Spam-outbreak: monitor-only is inserted in the message headers, and the email is logged.

    Note: If email messages are temporarily held by FortiGuard spam outbreak protection, and the "reject" action is configured in the action profile, the actual action will fallback to "system quarantine" if spam is detected later.

    Note: Email from some sources, such as safelisted IP addresses and ACL relay rules, will be exempted from FortiGuard spam outbreak protection scan.

Note

When FortiGuard detects spam for both IP reputation and URL category in an email, the URL category action will be taken and logged. For example, if the IP reputation action is "Tag" while the URL category action is "Reject", the email will be rejected. Before v6.4.3, the IP Reputation action will be taken and logged instead.

Before enabling FortiGuard, you must enable and configure FortiGuard Antispam rating queries.

Note

FortiGuard URL filter and URL scanning have two levels of control: strict or aggressive. For details see URL types.

The aggressive setting also scans the domain part of envelope MAIL FROM, header From, and Reply-To addresses. If the domains are identified as spam, the configured antispam actions will be applied.

Note

If the FortiGuardoption is enabled, you may improve performance and the spam catch rate by also enabling Block IP and caching.

To configure FortiGuard scan options
  1. When configuring an antispam profile, select the FortiGuard check box in the AntiSpam Profile dialog. This is the main switch to turn on/off all the sub items. If disabled, all the sub items under the FortiGuard category are also disabled.
  2. From Action, select the action profile that you want the FortiMail unit to use if the FortiGuard Antispam scan finds spam email. This action is the default action for all the FortiGuard filters, including IP reputation, URL filter, and spam outbreak protection.
  3. Note

    If the action is set to "None" for FortiGuard, FortiGuard antispam checks are still performed and logged, but no action will be taken. IP Reputation and WebFilter checks are still performed as well and the specified action will be applied.

    For more information about action profiles, see Configuring antispam action profiles.

  4. If you want the FortiMail unit to query the FortiGuard Antispam service to determine if the public IP address of the SMTP client is blocklisted, enable IP Reputation. If the SMTP client IP address is a private one, the FortiMail unit will query the FortiGuard Antispam service to determine if the first public IP address in the header is blocklisted.
  5. FortiGuard categorizes the blocklisted IP addresses into three levels -- level 3 has bad reputation; level 2 has worse reputation; and level 1 has the worst reputation. To help prevent false positives, you can choose to take different actions towards different IP reputation levels. Usually you should take strict actions, such as reject or discard, towards level 1 IP addresses while take loose actions, such as quarantine or tag, towards level 3 IP addresses. Using default actions for level 1, 2, and 3 means to use the IP Reputation action; using the default action for IP reputation means to use the FortiGuard action; and using the FortiGuard default action means to use the antispam profile action.

    If you want to check all SMTP servers in the Received: lines of the message header, enable the Extract IP from Received Header option.

  6. If you want to use the FortiGuard URL filter service, select a URL category profile from the Primary or Secondary URL Category list. For details, see Configuring heuristic options. Then select an action profile. The default action means to use the FortiGuard action, not the antispam profile action.
  7. Note: If the secondary URL category is matched, the email will be deferred in the spam outbreak queue if the spam outbreak protection is enabled.

  8. If you want to use the spam outbreak protection feature, enable it. Then select an action profile. The default action means to use the FortiGuard action, not the antispam profile action.
  9. Continue to the next section, or click Create to save the antispam profile.

Configuring Business Email Compromise

To better protect against business email compromise (BEC) spam attacks, FortiMail can scan for the most common BEC attack types, such as cousin domains, suspicious characters, sender alignment, action keywords, and URL categories. To avoid false positives and false negatives, you can adjust ("weight") the scores of each type of suspicious behavior, and the total score threshold that an email must reach to be categorized as spam.

BEC is configurable in antispam profiles. For details about antispam profiles, see Managing antispam profiles.

To configure Business Email Compromise
  1. Go to Profile > AntiSpam > AntiSpam.
  2. Either click New to add a profile or double-click an existing profile to modify it. You can also select multiple profiles and batch edit them.
  3. Select a domain or System from the dropdown list. The profile will be applied to your selection.
  4. Enter a Profile name.
  5. Enter a Comment.
  6. Under Scan Configurations, enable Business email compromise, and configure the following:

    GUI item

    Description

    Weighted analysis

    Enable to apply a weighted analysis profile and assign an appropriate action.

    For more information, see Configuring weighted analysis profiles.

    Impersonation analysis

    Enable to automatically learn and track the mapping of display names and internal email addresses to prevent spoofing attacks.

    Select the action if the addresses do not match.

    For more information, see Configuring impersonation profiles.

    Cousin domain

    Enable to scan for domain names that are deliberately misspelled in order to appear to come from a trusted domain.

    Additionally, enable Header Detection, Body Detection, and/or Auto Detection if you wish to scan for cousin domain names either within the email header, the email body, and/or automatically (respectively).

    Select the action if the cousin domain scan is triggered.

    For more information, see Configuring cousin domain profiles.

    Sender alignment

    Enable to scan for sender email address mismatches.

    Sender alignment compares the domain name of the sender email address in the message header (From:/Reply-To:) and SMTP envelope (MAIL FROM:) to look for a mismatch, which is typical of spam.

    Select the action if a mismatch occurs.

Configuring heuristic options

The FortiMail unit includes rules used by the heuristic filter. Each rule has an individual score used to calculate the total score for an email. A threshold for the heuristic filter is set for each antispam profile. To determine if an email is spam, the heuristic filter examines an email message and adds the score for each rule that applies to get a total score for that email. For example, if the subject line of an email contains “As seen on national TV!”, it might match a heuristic rule that increases the heuristic scan score towards the threshold.

  • Email is spam if the total score equals or exceeds the threshold.
  • Email is not spam if the total score is less than the threshold.

The FortiMail unit comes with a default heuristic rule set. To ensure that the most up-to-date spam methods are included in the percentage of rules used to calculate the score, update your FortiGuard Antispam packages regularly.

To configure heuristic scan options
  1. When configuring an antispam profile, enable Heuristic under Scan Configurations.
  2. Click the plus to expand Heuristic.
  3. From Action, select the action profile that you want the FortiMail unit to use if the heuristic scan finds spam email.
  4. For more information, see Configuring antispam action profiles.

  5. In Threshold, enter the score at which the FortiMail unit considers an email to be spam. The default value is recommended.
  6. In the The percentage of rules used field, enter the percentage of the total number of heuristic rules to use to calculate the heuristic score for an email message.
  7. Continue to the next section, or click Create or OK to save the antispam profile.
Note

Heuristic scanning is resource intensive. If spam detection rates are acceptable without heuristic scanning, consider disabling it or limiting its application to policies for problematic hosts.

Note

You can also apply this scan to PDF attachments. For more information, see Configuring scan options.

Configuring SURBL options

In addition to supporting Fortinet’s FortiGuard Antispam SURBL service, the FortiMail unit supports third-party Spam URL Realtime Block Lists (SURBL) servers. You can specify which public SURBL servers to use as part of an antispam profile. Consult the third-party SURBL service providers for any conditions and restrictions.

The SURBL section of antispam profiles lets you configure the FortiMail unit to query one or more SURBL servers to determine if any of the uniform resource identifiers (URL) in the message body are associated with spam. If a URL is blocklisted, the FortiMail unit treats the email as spam and performs the associated action. There are two types of URLs. For details, see URL types.

To configure SURBL scan options
  1. When configuring an antispam profile, enable SURBL in the AntiSpam Profile dialog.
  2. From Action, select the action profile that you want the FortiMail unit to use if the SURBL scan finds spam email.
  3. For more information, see Configuring antispam action profiles.

  4. Next to SURBL click Configuration.
  5. A pop-up window appears that displays the domain name of the SURBL servers.

  6. To add a new SURBL server address, click New and type the address in the field that appears.
  7. Since the servers will be queried from top to bottom, you may want to put the reliable servers with less traffic to the top of the list. Click the dropdown menu in the title bar to sort the entries.

  8. Select a server and click OK.
  9. The pop-up window closes.

  10. Continue to the next section, or click Create or OK to save the antispam profile.
Caution

Closing the pop-up window does not save the antispam profile and its associated SURBL server list. To save changes to the SURBL server list, in the antispam profile, click OK before navigating away to another part of the web UI.

Configuring DNSBL options

In addition to supporting Fortinet’s FortiGuard Antispam DNSBL service, the FortiMail unit supports third-party DNS blocklist servers. You can enable DNSBL filtering as part of the antispam profile, and define multiple DNSBL servers for each antispam profile. Consult the third-party DNSBL service providers for any conditions and restrictions.

Caution

It is advised to exercise diligence on your DNSBL providers and their operations. Fortinet recommends all email administrators utilize services which have clearly defined and rational listing policies and do not charge for delisting. Services that block whole subnets and AS numbers and have a business model which charges for delisting should be viewed with heavy caution. Fortinet cannot delist the IP addresses once they are blocklisted by such vendors.

DNSBL scans examine the IP address of the SMTP client that is currently delivering the email message. If the Enable Block IP to query for the blocklist status of the IP addresses of all SMTP servers appearing in the Received: lines of header lines. option located in the Deep header section is enabled, DNSBL scan will also examine the IP addresses of all other SMTP servers that appear in the Received: lines of the message header. For more information, see Configuring FortiGuard options.

DNSBL scans do not examine private network addresses, which are defined in RFC 1918.

The DNSBL section of antispam profiles lets you configure the FortiMail unit to query one or more servers to determine if the IP address of the SMTP client has been blocklisted. If the IP address is blocklisted, the FortiMail unit treats the email as spam and performs the associated action.

To configure DNSBL scan options
  1. When configuring an antispam profile, enable DNSBL in the AntiSpam Profile dialog.
  2. From Action, select the action profile that you want the FortiMail unit to use if the DNSBL scan finds spam email.
  3. For more information, see Configuring antispam action profiles.

  4. Next to DNSBL click Configuration.
  5. A pop-up window appears where you can enter the domain names of DNSBL servers to use with this profile.

  6. To add a new DNSBL server address, click New and type the address in the field that appears.
  7. Since the servers are queried from top to bottom, you may want to put the reliable servers with less traffic to the top of the list. Click the dropdown menu in the title bar to sort the entries.

  8. Select a server from the list and click OK.
  9. The pop-up window closes.

    Caution

    Closing the pop-up window does not save the antispam profile and its associated DNSBL server list. To save changes to the DNSBL server list, in the antispam profile, click OK before navigating away to another part of the web UI.

  10. Continue to the next section, or click Create or OK to save the antispam profile.

Configuring banned word options

The Banned word section of antispam profiles lets you configure the FortiMail unit to consider email messages as spam if the subject line and/or message body contain a prohibited word. When a banned word is found, the FortiMail unit treats the email as spam and performs the associated action.

When banned word scanning is enabled and an email is found to contain a banned word, the FortiMail unit adds X-FEAS-BANNEDWORD: to the message header, followed by the banned word found in the email. The header may be useful for troubleshooting purposes, when determining which banned word or phrase caused an email to be blocked.

You can use wildcards in banned words. But unlike dictionary scans, banned word scans do not support regular expressions. For details about wildcards and regular expressions, see Appendix D: Wildcards and regular expressions.

Note

You can also apply this scan to PDF attachments. For more information, see Configuring scan options.

To configure banned word scan options
  1. When configuring an antispam profile, enable Banned word in the AntiSpam Profile dialog.
  2. From Action, select the action profile that you want the FortiMail unit to use if the banned word scan finds spam email.
  3. For more information, see Configuring antispam action profiles.

  4. Next to Banned word, click Configuration.
  5. A pop-up window appears, showing the words or phrases that will be prohibited by this profile. You can add or delete words on this window.

  6. Click New, then enter the banned word in the field that appears.
  7. Select Subject to have the subject line inspected for the banned word. If the check box is clear, the subject line is not inspected.
  8. Select Body to have the message body inspected for the banned word. If the check box is clear, the message body is not inspected.
  9. Click OK.
  10. The pop-up window closes.

  11. Continue to the next section, or click Create or OK to save the antispam profile.

Configuring safelist word options

The Safelist word section of antispam profiles lets you configure the FortiMail unit to consider email messages whose subject line and/or message body contain a safelisted word to be indisputably not spam. If the email message contains a safelisted word, the FortiMail unit does not consider the email to be spam.

You can use wildcards in safelisted words. But unlike dictionary scans, safelist word scans do not support regular expressions. For details about wildcards and regular expressions, see Appendix D: Wildcards and regular expressions.

To configure safe list scan options
  1. When configuring an antispam profile, enable Safelist word in the AntiSpam Profile dialog.
  2. Next to Safelist word, click Configuration.
  3. A pop-up window appears, showing the words or phrases that are allowed by this profile. You can add or delete words on this window.

  4. Click New, then enter the allowed word in the field that appears.
  5. Select Subject to have the subject line inspected for the allowed word. If the check box is clear, the subject line is not inspected.
  6. Select Body to have the message body inspected for the allowed word. If the check box is clear, the message body is not inspected.
  7. Click OK.
  8. The pop-up window closes.

  9. Continue to the next section, or click Create or OK to save the antispam profile.

Configuring dictionary options

The Dictionary section of antispam profiles lets you configure the FortiMail unit to use dictionary profiles to determine if the email is likely to be spam. If the FortiMail unit considers email to be spam, it performs the associated action.

Before you can use this feature, you must have existing dictionary profiles. For information on creating dictionary profiles, see Configuring dictionary profiles.

When dictionary scanning is enabled and an email is found to contain a dictionary word, FortiMail units add X-FEAS-DICTIONARY: to the message header, followed by the dictionary word or pattern found in the email. The header may be useful for troubleshooting purposes, when determining which dictionary word or pattern caused an email to be blocked.

Unlike banned word scans, dictionary scans are more resource-intensive. If you do not require dictionary features such as regular expressions, consider using a banned word scan instead.

To configure dictionary scan options
  1. When configuring an antispam profile, enable Dictionary in the AntiSpam Profile dialog.
  2. Click the plus to expand Dictionary.
  3. From Action, select the action profile that you want the FortiMail unit to use if the dictionary scan finds spam email.
  4. For more information, see Configuring antispam action profiles.

  5. From the With dictionary group dropdown list, select the name of a group of dictionary profiles to use with the dictionary scan. Or, from the With dictionary profile dropdown list, select the name of a dictionary profile to use with the dictionary scan.
  6. In the Minimum dictionary score field, enter the number of dictionary term matches above which the email will be considered to be spam. Note that the score value is based on individual dictionary profile matches, not the dictionary group matches.
  7. Continue to the next section, or click Create or OK to save the antispam profile.

Configuring image spam options

The Image spam section of antispam profiles lets you configure the FortiMail unit to analyze the contents of GIF, JPG, and PNG graphics to determine if the email is spam. If the email message contains a spam image, the FortiMail unit treats the email as spam and performs the associated action.

Image spam scanning may be useful when, for example, the message body of an email contains graphics but no text, and text-based antispam scans are therefore unable to determine whether or not an email is spam.

To configure image spam options
  1. When configuring an antispam profile, enable Image spam in the AntiSpam Profile dialog.
  2. From Action, select the action profile that you want the FortiMail unit to use if the image scan finds spam email.
  3. For more information, see Configuring antispam action profiles.

  4. Enable Aggressive scan to inspect image file attachments in addition to embedded graphics.
  5. Enabling this option increases workload when scanning email messages that contain image file attachments. If you do not require this feature, disable this option to improve performance.

    This Aggressive scan option applies only if you enable PDF scanning. For more information, see Configuring scan options.

  6. Continue to the next section, or click Create or OK to save the antispam profile.
See also

Managing antispam profiles

Configuring antispam action profiles

Configuring Bayesian options

The Bayesian section of antispam profiles lets you configure the FortiMail unit to use Bayesian databases to determine if the email is likely to be spam. If the Bayesian scan indicates that the email is likely to be spam, the FortiMail unit treats the email as spam and performs the associated action.

FortiMail units can maintain two Bayesian databases: global and per-domain.

  • For outgoing email, the FortiMail unit uses the global Bayesian database.
  • For incoming email, which database will be used when performing the Bayesian scan varies by configuration of the incoming antispam profile and the configuration of the protected domain.

Before using Bayesian scans, you must train one or more Bayesian databases in order to teach the FortiMail unit which words indicate probable spam. If a Bayesian database is not sufficiently trained, it can increase false positive and/or false negative rates. You can train the Bayesian databases of your FortiMail unit in several ways. For more information, see Training the Bayesian databases.

Caution

Be aware that, without ongoing training, Bayesian scanning will become significantly less effective over time and thus Fortinet does not recommend enabling the Bayesian scanning feature.

To configure Bayesian scan options
  1. When configuring an antispam profile, enable Bayesian in the AntiSpam Profile dialog.
  2. Click the plus to expand Bayesian.
  3. From Action, select the action profile that you want the FortiMail unit to use if the Bayesian scan finds spam email.
  4. For more information, see Configuring antispam action profiles.

  5. Configure the following:
  6. GUI item

    Description

    Accept training messages from users

    Enable to accept training messages from email users.

    Training messages are email messages that email users forward to the email addresses of control accounts, such as is‑spam@example.com, in order to train or correct Bayesian databases. For information on Bayesian control account email addresses, see Configuring the quarantine control options.

    FortiMail units apply training messages to either the global or per-domain Bayesian database depending on your configuration of the protected domain to which the email user belongs.

    Disable to discard training messages.

    This option is available only if Direction is Incoming (per-domain Bayesian databases cannot be used when the recipient does not belong to a protected domain, which defines outgoing email).

    Use other techniques for auto training

    Enable to use scan results from FortiGuard, SURBL, and per-user and system-wide safe lists to train the Bayesian databases.

    This option is available only if Direction is Incoming (domain-level Bayesian databases cannot be used when the recipient does not belong to a protected domain, which defines outgoing email).

  7. Continue to the next section, or click Create or OK to save the antispam profile.

Configuring scan options

The Scan Conditions section of antispam profiles lets you configure conditions that cause the FortiMail unit to omit antispam scans, or to apply some antispam scans to PDF attachments.

To configure scan options
  1. When configuring an antispam profile, Click the plus to expand Scan Options in the AntiSpam Profile dialog.
  2. Configure the following:

GUI item

Description

Max message size to scan

Enter the maximum size of email messages, in bytes, that the FortiMail unit will scan for spam. Messages larger than the set size are not scanned for spam.

To disable the size limit, causing all messages to be scanned, regardless of size, enter 0.

Note: Resource requirements for scanning messages increase with the size of the email message. If the spam you receive tends not to be smaller than a certain size, consider limiting antispam scanning to messages under this size to improve performance.

Bypass scan on SMTP authentication

Enable to bypass spam scanning for authenticated SMTP connections. This option is enabled by default.

Note: If you can trust that authenticating SMTP clients are not a source of spam, consider enabling this option to improve performance.

Scan PDF attachment

Spammers may attach a PDF file to an otherwise empty message to get their email messages past spam safeguards. The PDF file contains the spam information. Since the message body contains no text, antispam scanners cannot determine if the message is spam.

Enable this option to use the heuristic, banned word, and image spam scans to inspect the first page of PDF attachments.

This option applies only if you have enabled and configured heuristic, banned word, and/or image spam scans. For information on configuring those scans, see Configuring heuristic options, Configuring banned word options, and Configuring image spam options.

Apply default action without scan upon policy match

Select this option to take the default antispam action right away without applying other antispam filters if the email matches the relevant IP or recipient policy.

Performing a batch edit

You can apply changes to multiple profiles at once.

  1. Go to Profile > AntiSpam > AntiSpam.
  2. In the row corresponding to existing profiles whose settings you want to modify, hold Ctrl and select the profiles you want to edit.
  3. The ability to batch edit antispam profiles does not apply to predefined profiles.

  4. Click Batch Edit.
  5. The AntiSpam Profile dialog appears.

  6. Modify the profile, as explained in Managing antispam profiles, changing only those settings that you want to apply to all selected profiles.
  7. Click Apply To All to save the changes and remain on the dialog, or click OK to save the changes and return to the AntiSpam tab.

Configuring impersonation profiles

Email impersonation is one of the email spoofing attacks. It forges the email header to deceive the recipient because the message appears to be from a different source than the actual address.

Note

To use this feature, you must have a license for the Fortinet Enterprise Advanced Threat Protection (ATP) bundle.

To fight against email impersonation, you can map high valued target display names with correct email addresses and FortiMail can check for the mapping. For example, an external spammer wants to impersonate the CEO of your company(ceo@company.com). The spammer will put "CEO ABC <ceo@external.com>" in the email Header From, and send such email to a user(victim@company.com). If FortiMail has been configured with a manual entry "CEO ABC"/"ceo@company.com" in an impersonation analysis profile to indicate the correct display name/email pair, or it has learned display name/email pair through the dynamic process, then such email will be detected by impersonation analysis, because the spammer uses an external email address and an internal user's display name.

There are two ways to do the mapping:

Note

Impersonation analysis checks both the Header From and Reply-To fields.

You can also add exempt entries so that FortiMail will skip the impersonation analysis check.

Note

To avoid false positives, impersonation analysis also follows some other exempt rules.

To create an impersonation analysis profile
  1. Go to Profile > AntiSpam > Impersonation.
  2. Click New to create a new profile.
  3. Enter a profile name.
  4. Select a domain or System from the dropdown list. The profile will be applied to your selection.
  5. Under Impersonation, select Match Rule or Exempt Rule.
  6. Click New to add an entry.
  7. GUI item

    Description

    Display name pattern

    Enter the display name to be mapped to the email address. You can use wildcard or regular expression.

    Pattern type

    Either wildcard or regular expression.

    Email address

    Enter the email address to be mapped to the display name. The email address can be from protected/internal domains or unprotected/external domains.

    If the email address is from an external domain, such as gmail.com or hotmail.com, the display name matching the external email address will be passed. Otherwise, it will be caught by impersonation analysis.

Enabling impersonation analysis dynamic scanning

In addition to manually entering mapping entries and creating impersonation analysis profiles, FortiMail Mail Statistics Service can automatically, dynamically learn and track the mapping of display names and internal email addresses.

To use the FortiMail manual, dynamic, or both manual and dynamic impersonation analysis scanning, use the following command:

config antispam settings

set impersonation-analysis dynamic manual

end

By default, FortiMail uses manual analysis only.

Also enable the FortiMail Mail Statistics Service with the following command. This service is disabled by default:

config system global

set mailstat-service enable

end

After the service is enabled, you can search the dynamic database by going to Profile > AntiSpam > Impersonation and clicking Impersonation Lookup. If the record exists in the database, after you enter the email address, the corresponding display name will be displayed.

Configuring cousin domain profiles

Similar to impersonation profiles, cousin domain profiles help to mitigate domain impersonation risks. Similar to impersonation profiles that map display names, cousin domain profiles can map both inbound and outbound domain names to either be scanned or exempt from scanning. Domain names may be deliberately misspelled, either by character removal, substitution, and/or transposition, in order to make emails look as though they originate from trusted internal sources.

For example, if you configure a regular expression for the sender domain f?rtinet.com, it will match f0rtinet.com, but the legitimate and trusted sender domain fortinet.com will also be detected as a cousin domain. To avoid this, you can add fortinet.com into the exempt rules setting to avoid detecting it as spam.

Cousin domain scan options, such as auto detection, are configured within antispam profiles. See Managing antispam profiles for more information.

To create a cousin domain profile
  1. Go to Profile > AntiSpam > Cousin Domain.
  2. Either click New to add a profile or double-click an existing profile to modify it. You can also select multiple profiles and batch edit them.
  3. Select a domain or System from the dropdown list. The profile will be applied to your selection.
  4. Enter a profile name.
  5. Under Domain Pattern, select From, To, or Exempt.
  6. Click New to add an entry.
  7. GUI item

    Description

    Domain name pattern

    Enter the domain name to be mapped to the email address. You can use wildcard or regular expression.

    Pattern type

    Either wildcard, regular expression, or look-alike.

    A look-alike pattern can be configured to specifically check for instances of recipient domain typos. For example, if a domain such as fortinet.com is configured with pattern type set to look-alike, any similar misspelled domains, such as fort1net.com, are caught.

    Note

    Since auto-detection is not applicable to outgoing policies, look-alike patterns are best suited for catching misspelled domains.

  8. Click Create or OK.

Configuring weighted analysis profiles

The Weighted Analysis tab in the AntiSpam submenu allows you to create profiles with custom weighted scores for various antispam scans, including intelligent analysis, in order to fine tune your spam catch rate while minimizing false positives.

To configure a weighted analysis profile
  1. Go to Profile > AntiSpam > Weighted Analysis.

  2. Either click New to add a profile or double-click an existing profile to modify it.

  3. From Domain, select if the weighted analysis profile will be system-wide or apply only to a specific domain. You can see only the domains that are permitted by your administrator profile.

  4. In Name, enter a unique name for the profile.

  5. Optionally, in the Comment field, enter a descriptive comment.
  6. Under Rule, click New.

    A dialog appears.

  7. Configure the following settings:

  8. GUI item

    Description

    Status

    Enable or disable the rule.

    Name Enter the name of the rule.

    Action

    (dropdown list)

    Specify an action for the rule.
    Threshold Enter the threshold at which the current rule is to be triggered. This score will be allocated to the seven categories below.
    Score Weight

    Enter the score weight thresholds of the following factors:

    • Intelligent analysis: Multiple factors contribute to intelligent analysis in order to reduce false positives, including:

      • SPF
      • DKIM
      • DMARC
      • matching of sender addresses in the message headers (From: and Reply-To:)
      • newly registered domain names that do not have a FortiGuard Antispam rating yet
      • header analysis
      • malformed email detection
    • Cousin domain: Detects domain impersonation. See Configuring cousin domain profiles.

    • Suspicious character: Detects internationalized domain name (IDN) homograph attacks. If domain names in URLs, sender email addresses, or recipient email addresses have Unicode characters that are from different languages yet look similar (for example, A looks similar in Cyrillic, Greek, and Latin alphabets), then an attacker could trick the user into using a fraudulent website or email. FortiMail detects these as suspicious.

    • Sender alignment: Compares the domain name of the sender email address in the message header (From:) and SMTP envelope (MAIL FROM:) to look for a mismatch, which is typical of spam.

    • Action keyword: Select the name of a dictionary profile that contains words or phrases that typically only spam has.

      Keywords are often a "call to action" that motivates the user to reply or click a hyperlink. For example, "Click here", "transfer", "money", "dollars", "bank account", "conference attendee", etc.

      • Dictionary profile: Select the dictionary profile. See Configuring dictionary profiles.

      • Minimum dictionary score: Enter the threshold for dictionary profile matches.

        When the dictionary profile scans an email, it counts the number of matching words or phrases, and adjusts this total according to the pattern weight and maximum pattern weight in the dictionary profile. If the result equals or exceeds this threshold, then FortiMail applies the weighted score defined in Action keyword.

    • URL category: Detects spam or phishing URLs in the email.

    • Malformed email: Detects malformed data in the email structure, header, or body. For more information, see RFC 7103.

  9. Click Create or OK.

  10. To apply a weighted analysis profile, select it in one or more antispam profiles under Business email compromise. For details, see Managing antispam profiles.

Configuring antispam action profiles

The Action tab in the AntiSpam submenu lets you define one or more things that the FortiMail unit should do if the antispam profile determines that an email is spam.

For example, assume you configured a default antispam action profile, named quar_and_tag_profile, that both tags the subject line and quarantines email detected to be spam. In general, all antispam profiles using the default action profile will quarantine the email and tag it as spam. However, you can decide that email failing to pass the dictionary scan is always spam and should be rejected so that it does not consume quarantine disk space. Therefore, for the antispam profiles that apply a dictionary scan, you could override the default action by configuring and using a second action profile, named rejection_profile, which rejects such email.

Note

The specific action profile will override the default action profile when mailfilterd scans the email and take disposition (action) against the email. When the email is out of the process of mailfilterd, any remaining actions, such as spam report, web release, and sender safelisting, will still be taken based on the default action profile.

To view and configure antispam action profiles
  1. Go to Profile > AntiSpam > Action.
  2. GUI item

    Description

    Domain

    (dropdown list)

    Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile.

    Profile Name

    Displays the name of the profile.

    Domain

    (column)

    Displays either System or a domain name.

    (Green dot in column heading)

    Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

  3. Either click New to add a profile or double-click an existing profile to modify it. You can also select multiple profiles and batch edit them.
  4. A dialog appears.

  5. Configure the following:
  6. GUI item

    Description

    Domain

    Select if the action profile will be system-wide or domain-wide.

    You can see only the domains that are permitted by your administrator profile.

    Profile name

    For a new profile, enter a name.

    Tag subject

    Enable and enter the text that appears in the subject line of the email, such as [spam]. The FortiMail unit will prepend this text to the subject line of spam before forwarding it to the recipient.

    Many email clients can sort incoming email messages into separate mailboxes, including a spam mailbox, based on text appearing in various parts of email messages, including the subject line. For details, see the documentation for your email client.

    Insert header

    Enable and enter the message header key in the field, and the values in the With value field. The FortiMail unit adds this text to the message header of the email before forwarding it to the recipient.

    Many email clients can sort incoming email messages into separate mailboxes, including a spam mailbox, based on text appearing in various parts of email messages, including the message header. For details, see the documentation for your email client.

    Message header lines are composed of two parts: a key and a value, which are separated by a colon. For example, you might enter:

    X-Custom-Header: Detected as spam by profile 22.

    If you enter a header line that does not include a colon, the FortiMail unit will automatically append a colon, causing the entire text that you enter to be the key.

    Note: Do not enter spaces in the key portion of the header line, as these are forbidden by RFC 2822.

    You can add multiple headers by adding them to the header table. You can also insert the predefined variables to the header value.

    Insert disclaimer

    Insert disclaimer as an action, and select whether you want to insert the disclaimer at the start of the message, end of the message, or at the location of the custom message.

    You can modify the default disclaimer or add new disclaimers by going to System > Mail Setting > Disclaimer.

    Deliver to alternate host

    Enable to route the email to a specific SMTP server or relay, then type the fully qualified domain name (FQDN) or IP address of the destination.

    You can choose to deliver the original email or the modified email.

    Note: If you enable this setting, the FortiMail unit uses this destination for all email that matches the profile and ignores Relay server name and Use this domain’s SMTP server to deliver the mail.

    Deliver to original host

    Enable to deliver email to the original host.

    FortiGuard spam outbreak protection

    Enable to manually defer emails and place email in the spam defer queue.

    Note: The Spam outbreak protection option in the FortiGuard settings under Profile > AntiSpam > AntiSpam does not affect this feature.

    Defer delivery

    Enable to defer delivery of emails that may be resource intensive and reduce performance of the mail server, such as large email messages, or lower priority email from certain senders (for example, marketing campaign email and mass mailing).

    BCC

    Enable to send a blind carbon copy (BCC) of the email.

    You can specify an Envelope from address so that, in the case the email is not deliverable and bounced back, it will be returned to the specified envelope from address, instead of the original sender. This is helpful when you want to use a specific email to collect bounce notifications.

    Click New to add BCC recipients.

    Archive to account

    Enable to send the email to an archiving account.

    Click New to create a new archiving account or click Edit to modify an existing account. For details about archiving accounts, see Email archiving workflow.

    Notify with profile

    Enable and select a notification profile to send a notification email to the sender, recipient, or any other people as you configure in the notification profile. The notification email is customizable and will tell the users what happened to the email message. For details about notification profiles and email templates, see Configuring notification profiles and Customizing email templates.

    Final action

    For details about final and non-final actions, see Order of execution.

    Discard

    Enable to accept the email, but then delete it instead of delivering the email, without notifying the SMTP client.

    Reject

    Enable to reject the email and reply to the SMTP client with SMTP reply code 550.

    However, if email messages are held for FortiGuard spam outbreak protection or FortiGuard virus outbreak protection, or sent to FortiSandbox, the actual action will fallback to "system quarantine".

    If a message has multiple recipients in the same SMTP session, the Reject action may fallback to System Quarantine, if other recipients have final action other than reject.

    Personal quarantine

    For incoming email, enable to redirect the email to the recipient’s personal quarantine. For more information, see Managing the personal quarantines.

    For outgoing email, this action will fallback to the system quarantine.

    You can choose to quarantine the original email or the modified email.

    System quarantine

    Enable to redirect spam to the system quarantine folder. For more information, see Managing the system quarantine.

    You can choose to quarantine the original email or the modified email.

    Domain quarantine

    Enable to redirect spam to the domain quarantine folder. For more information, see Managing the domain quarantines.

    Rewrite recipient email address

    Enable to change the recipient address of any email message detected as spam.

    Configure rewrites separately for the local-part (the portion of the email address before the '@' symbol, typically a user name) and the domain part (the portion of the email address after the '@' symbol). For each part, select either:

    • None: No change.
    • Prefix: Prepend the part with text that you have entered in the With field.
    • Suffix: Append the part with the text you have entered in the With field.
    • Replace: Substitute the part with the text you have entered in the With field.
  7. Click Create or OK.

To apply an antispam action profile, select it in one or more antispam profiles. For details, see Managing antispam profiles.

Configuring antispam profiles and antispam action profiles

Configuring antispam profiles and antispam action profiles

The AntiSpam submenu lets you configure antispam profiles and related action profiles.

This section contains the following topics:

Managing antispam profiles

The AntiSpam tab lets you manage and configure antispam profiles. Antispam profiles are sets of antispam scans that you can apply by selecting one in a policy.

FortiMail units can use various methods to detect spam, such as the FortiGuard Antispam service, DNSBL queries, Bayesian scanning, and heuristic scanning. Antispam profiles contain settings for these features that you may want to vary by policy. Depending on the feature, before you configure antispam policies, you may need to enable the feature or configure its system-wide settings.

For information on the order in which FortiMail units perform each type of antispam scan, see Order of execution.

Note

You can use an LDAP query to enable or disable antispam scanning on a per-user basis. For details, see Configuring LDAP profiles and Configuring scan override options.

To view and manage incoming antispam profiles
  1. Go to Profile > AntiSpam > AntiSpam.
  2. GUI item

    Description

    Clone

    (button)

    Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK.

    Batch Edit

    (button)

    Edit several profiles simultaneously. See Performing a batch edit.

    Domain

    (dropdown list)

    Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile.

    Profile Name

    Displays the name of the profile. The profile name is editable.

    Domain Name

    (column)

    Displays either System or a domain name.

    (Green dot in column heading)

    Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

  3. Either click New to add a profile or double-click a profile to modify it.
  4. A multisection dialog appears.

  5. Configure the following:
  6. GUI item

    Description

    Domain

    Select the entire FortiMail unit (System) or name of a protected domain. You can see only the domains that are permitted by your administrator profile. For more information, see About administrator account permissions and domains.

    Profile name

    For a new profile, enter the name of the profile.

    Default action

    Select the default action to take when the policy matches. See Configuring antispam action profiles.

    FortiGuard

    See Configuring FortiGuard options.

    Greylist

    Enable to apply greylisting. For more information, see Configuring greylisting.

    Note: Enabling greylisting can improve performance by blocking most spam before it undergoes other resource-intensive antispam scans.

    SPF

    If the sender domain DNS record lists SPF authorized IP addresses, use this option to compare the client IP address to the IP addresses of authorized senders in the DNS record (RFC 4408).

    If the DNS record for the domain name of the sender does not publish SPF information, the FortiMail unit omits the SPF client IP address validation.

    If the client IP address fails the SPF check, FortiMail will take the antispam action configured in this antispam profile. But unlike SPF checking in a session profile, failed SPF checking in an antispam profile will not increase the client’s reputation score.

    Select the action to perform for each SPF scan result:

    • Fail: Host is not authorized to send messages.
    • Soft Fail: Host is not authorized to send messages but not a strong statement.
    • Permanent Error: The SPF records are invalid.
    • Temporary Error: Processing error.
    • Pass: Host is authorized to send messages.
    • Neutral: SPF records exist, but there is no definitive assertion.
    • None: No SPF record exists.

    Note: No SPF scan is performed for direct connections from RFC 1918 private network IPv4 addresses.

    Note: If you select Bypass for the SPF scan in the session profile (see Configuring sender validation options), then it will not be used, even if you enable the SPF scan in the antispam profile.

    DKIM

    Domain Keys Identified Mail (DKIM) checking utilizes public and private keys to digitally sign outbound emails to prove that email has not been tampered with in transit.

    Starting from 7.2.1 release, you can set different actions according to different DKIM check results:

    • Fail: DKIM invalid body hash or invalid signature.
    • None: No DKIM DNS record found or the record could not be correctly parsed.
    • Pass: DKIM check passed.
    • Temporary Error: DNS server returned Temp error when querying DKIM DNS record.

    DMARC

    Domain-based Message Authentication, Reporting & Conformance (DMARC) performs email authentication with SPF and DKIM checking.

    If either SPF check or DKIM check passes, DMARC check will pass. If both of them fails, DMARC check fails.

    FortiMail also conducts DMARC alignment, whereby at least one of the domains authenticated by SPF or DKIM must align with the header-from domain. If alignment check fails, DMARC check will fail. For more information, see RFC 7489.

    Starting from 7.2.1 release, you can set different actions according to different DMARC check results:

    • Fail: DMARC check failed.
    • None: No DMARC DNS record found or the record could not be correctly parsed.
    • Pass: DMARC check passed.
    • Temporary Error: DNS server returned Temp error when querying DMARC DNS record.
    Note

    FortiMail combines non-final actions set in the antispam profile with the actions set in the DMARC DNS record policy.

    If the antispam profile DMARC actions are non-final, such as "Tag subject" and "Notify", they are combined with the actions in the DMARC DNS record policy: None, Reject, or Quarantine.

    This happens when:

    config antispam settings

    set dmarc-failure-action use-profile-action-with-none (and the sender's DMARC record policy is 'p=none')

    Or

    set dmarc-failure-action use-policy-action

    end

    Starting from 7.0.1 release, you can generate DMARC reports with the following CLI command, from the system level and domain level, respectively:

    • config antispam dmarc-report

    • config domain-setting

    For more details, see the FortiMail CLI Reference.

    ARC

    Authenticated Received Chain (ARC) permits intermediate email servers (such as mailing lists or forwarding services) to sign an email's original authentication results. This allows a receiving service to validate an email, in the event the email's SPF and DKIM records are rendered invalid by an intermediate server's processing. For more information, see RFC 8617.

    Enable the service, and enable ARC to override SPF, DKIM, and/or DMARC.

    Behavior analysis

    Behavior analysis (BA) analyzes the similarities between the uncertain email and the known spam email in the BA database and determines if the uncertain email is spam.

    The BA database is a gathering of spam email caught by FortiGuard Antispam Service. Therefore, the accuracy of the FortiGuard Antispam Service has a direct impact on the BA accuracy.

    You can adjust the BA aggressiveness using the following CLI commands:

    config antispam behavior-analysis

    set analysis-level {high | medium | low}

    end

    The high setting means the most aggressive while the low setting means the least aggressive. The default setting is medium.

    You can also reset (empty) the BA database using the following CLI command:

    diagnose debug application mailfilterd behavior-analysis update

    Header analysis

    Enable this option to examine the entire message header for spam characteristics.

    Business email compromise

    Expand to specify a profile and an action for each category. See Configuring Business Email Compromise.

    Heuristic

    See Configuring heuristic options.

    SURBL

    See Configuring SURBL options.

    DNSBL

    See Configuring DNSBL options.

    Banned word

    See Configuring banned word options.

    Safelist word

    See Configuring safelist word options.

    Dictionary

    See Configuring dictionary options.

    Image spam

    See Configuring image spam options.

    Bayesian

    See Configuring Bayesian options.

    Suspicious newsletter

    Suspicious newsletters are part of the newsletter category. But FortiMail may find them to be suspicious because they may actually be spam under the disguise of newsletters.

    Note that if you enable detection of both newsletters and suspicious newsletters and specify actions for both types, if a newsletter is found to be suspicious, the action towards suspicious newsletters will take effect, not the action towards newsletters.

    Newsletter

    Although newsletters and other marketing campaigns are not spam, some users may find them annoying.

    Enable detection of newsletters and select an action profile to deal with them. For example, you can tag newsletter email so that users can filter them in their email clients.

    Scan Options

    See Configuring scan options.

Configuring FortiGuard options

The FortiGuard section of antispam profiles lets you configure the FortiMail unit to query the FortiGuard Antispam service to check the following:

  • IP Reputation: if the SMTP client IP address is a public one, the FortiMail unit will query the FortiGuard Antispam service to determine if the current SMTP client is blocklisted; if the SMTP client IP address is a private one, the FortiMail unit will query the FortiGuard Antispam service to determine if the first public IP address in the header is blocklisted. If the Extract IP from Received Header option is enabled, the FortiGuard scan will also examine the public IP addresses of all other SMTP servers that appear in the Received: lines of the message header.
  • FortiGuard Antispam scans do not examine private network addresses, as defined in RFC 1918.

  • URL category: this option determines if any uniform resource identifiers (URL) in the message body are associated with spam. FortiGuard URL filter groups URL into various categories, such as hacking, drug abuse and so on. You can configure the FortiGuard URL filter to check for certain categories only. For details, see Configuring the FortiGuard URL filter. If a URL is blocklisted, the FortiMail unit treats the email as spam and performs the associated action. You can also exempt URLs from spam filtering.
  • To take different actions towards different URL filters or categories, you can specify a primary and a secondary filter, and specify different actions for each filter. If both URL filters match an email message, the primary filter action will take precedence.

    To reduce false positives, unrated IP addresses will be ignored and no actions will be taken.

  • Spam outbreak protection: enable this option to temporarily hold suspicious email for a certain period of time (configurable with CLI command config profile antispam set spam-outbreak-protection and config system fortiguard antispam set outbreak-protection-period) if the enabled FortiGuard antispam check (block IP and/or URL filter) returns no result. After the specified time interval, FortiMail will query the FortiGuard server for the second time. This provides an opportunity for the FortiGuard antispam service to update its database in cases a spam outbreak occurs. To view the email on hold, go to Monitor > Mail Queue > Spam Outbreak.
  • When set to Monitor only, email is not deferred. Instead, X-FEAS-Spam-outbreak: monitor-only is inserted in the message headers, and the email is logged.

    Note: If email messages are temporarily held by FortiGuard spam outbreak protection, and the "reject" action is configured in the action profile, the actual action will fallback to "system quarantine" if spam is detected later.

    Note: Email from some sources, such as safelisted IP addresses and ACL relay rules, will be exempted from FortiGuard spam outbreak protection scan.

Note

When FortiGuard detects spam for both IP reputation and URL category in an email, the URL category action will be taken and logged. For example, if the IP reputation action is "Tag" while the URL category action is "Reject", the email will be rejected. Before v6.4.3, the IP Reputation action will be taken and logged instead.

Before enabling FortiGuard, you must enable and configure FortiGuard Antispam rating queries.

Note

FortiGuard URL filter and URL scanning have two levels of control: strict or aggressive. For details see URL types.

The aggressive setting also scans the domain part of envelope MAIL FROM, header From, and Reply-To addresses. If the domains are identified as spam, the configured antispam actions will be applied.

Note

If the FortiGuardoption is enabled, you may improve performance and the spam catch rate by also enabling Block IP and caching.

To configure FortiGuard scan options
  1. When configuring an antispam profile, select the FortiGuard check box in the AntiSpam Profile dialog. This is the main switch to turn on/off all the sub items. If disabled, all the sub items under the FortiGuard category are also disabled.
  2. From Action, select the action profile that you want the FortiMail unit to use if the FortiGuard Antispam scan finds spam email. This action is the default action for all the FortiGuard filters, including IP reputation, URL filter, and spam outbreak protection.
  3. Note

    If the action is set to "None" for FortiGuard, FortiGuard antispam checks are still performed and logged, but no action will be taken. IP Reputation and WebFilter checks are still performed as well and the specified action will be applied.

    For more information about action profiles, see Configuring antispam action profiles.

  4. If you want the FortiMail unit to query the FortiGuard Antispam service to determine if the public IP address of the SMTP client is blocklisted, enable IP Reputation. If the SMTP client IP address is a private one, the FortiMail unit will query the FortiGuard Antispam service to determine if the first public IP address in the header is blocklisted.
  5. FortiGuard categorizes the blocklisted IP addresses into three levels -- level 3 has bad reputation; level 2 has worse reputation; and level 1 has the worst reputation. To help prevent false positives, you can choose to take different actions towards different IP reputation levels. Usually you should take strict actions, such as reject or discard, towards level 1 IP addresses while take loose actions, such as quarantine or tag, towards level 3 IP addresses. Using default actions for level 1, 2, and 3 means to use the IP Reputation action; using the default action for IP reputation means to use the FortiGuard action; and using the FortiGuard default action means to use the antispam profile action.

    If you want to check all SMTP servers in the Received: lines of the message header, enable the Extract IP from Received Header option.

  6. If you want to use the FortiGuard URL filter service, select a URL category profile from the Primary or Secondary URL Category list. For details, see Configuring heuristic options. Then select an action profile. The default action means to use the FortiGuard action, not the antispam profile action.
  7. Note: If the secondary URL category is matched, the email will be deferred in the spam outbreak queue if the spam outbreak protection is enabled.

  8. If you want to use the spam outbreak protection feature, enable it. Then select an action profile. The default action means to use the FortiGuard action, not the antispam profile action.
  9. Continue to the next section, or click Create to save the antispam profile.

Configuring Business Email Compromise

To better protect against business email compromise (BEC) spam attacks, FortiMail can scan for the most common BEC attack types, such as cousin domains, suspicious characters, sender alignment, action keywords, and URL categories. To avoid false positives and false negatives, you can adjust ("weight") the scores of each type of suspicious behavior, and the total score threshold that an email must reach to be categorized as spam.

BEC is configurable in antispam profiles. For details about antispam profiles, see Managing antispam profiles.

To configure Business Email Compromise
  1. Go to Profile > AntiSpam > AntiSpam.
  2. Either click New to add a profile or double-click an existing profile to modify it. You can also select multiple profiles and batch edit them.
  3. Select a domain or System from the dropdown list. The profile will be applied to your selection.
  4. Enter a Profile name.
  5. Enter a Comment.
  6. Under Scan Configurations, enable Business email compromise, and configure the following:

    GUI item

    Description

    Weighted analysis

    Enable to apply a weighted analysis profile and assign an appropriate action.

    For more information, see Configuring weighted analysis profiles.

    Impersonation analysis

    Enable to automatically learn and track the mapping of display names and internal email addresses to prevent spoofing attacks.

    Select the action if the addresses do not match.

    For more information, see Configuring impersonation profiles.

    Cousin domain

    Enable to scan for domain names that are deliberately misspelled in order to appear to come from a trusted domain.

    Additionally, enable Header Detection, Body Detection, and/or Auto Detection if you wish to scan for cousin domain names either within the email header, the email body, and/or automatically (respectively).

    Select the action if the cousin domain scan is triggered.

    For more information, see Configuring cousin domain profiles.

    Sender alignment

    Enable to scan for sender email address mismatches.

    Sender alignment compares the domain name of the sender email address in the message header (From:/Reply-To:) and SMTP envelope (MAIL FROM:) to look for a mismatch, which is typical of spam.

    Select the action if a mismatch occurs.

Configuring heuristic options

The FortiMail unit includes rules used by the heuristic filter. Each rule has an individual score used to calculate the total score for an email. A threshold for the heuristic filter is set for each antispam profile. To determine if an email is spam, the heuristic filter examines an email message and adds the score for each rule that applies to get a total score for that email. For example, if the subject line of an email contains “As seen on national TV!”, it might match a heuristic rule that increases the heuristic scan score towards the threshold.

  • Email is spam if the total score equals or exceeds the threshold.
  • Email is not spam if the total score is less than the threshold.

The FortiMail unit comes with a default heuristic rule set. To ensure that the most up-to-date spam methods are included in the percentage of rules used to calculate the score, update your FortiGuard Antispam packages regularly.

To configure heuristic scan options
  1. When configuring an antispam profile, enable Heuristic under Scan Configurations.
  2. Click the plus to expand Heuristic.
  3. From Action, select the action profile that you want the FortiMail unit to use if the heuristic scan finds spam email.
  4. For more information, see Configuring antispam action profiles.

  5. In Threshold, enter the score at which the FortiMail unit considers an email to be spam. The default value is recommended.
  6. In the The percentage of rules used field, enter the percentage of the total number of heuristic rules to use to calculate the heuristic score for an email message.
  7. Continue to the next section, or click Create or OK to save the antispam profile.
Note

Heuristic scanning is resource intensive. If spam detection rates are acceptable without heuristic scanning, consider disabling it or limiting its application to policies for problematic hosts.

Note

You can also apply this scan to PDF attachments. For more information, see Configuring scan options.

Configuring SURBL options

In addition to supporting Fortinet’s FortiGuard Antispam SURBL service, the FortiMail unit supports third-party Spam URL Realtime Block Lists (SURBL) servers. You can specify which public SURBL servers to use as part of an antispam profile. Consult the third-party SURBL service providers for any conditions and restrictions.

The SURBL section of antispam profiles lets you configure the FortiMail unit to query one or more SURBL servers to determine if any of the uniform resource identifiers (URL) in the message body are associated with spam. If a URL is blocklisted, the FortiMail unit treats the email as spam and performs the associated action. There are two types of URLs. For details, see URL types.

To configure SURBL scan options
  1. When configuring an antispam profile, enable SURBL in the AntiSpam Profile dialog.
  2. From Action, select the action profile that you want the FortiMail unit to use if the SURBL scan finds spam email.
  3. For more information, see Configuring antispam action profiles.

  4. Next to SURBL click Configuration.
  5. A pop-up window appears that displays the domain name of the SURBL servers.

  6. To add a new SURBL server address, click New and type the address in the field that appears.
  7. Since the servers will be queried from top to bottom, you may want to put the reliable servers with less traffic to the top of the list. Click the dropdown menu in the title bar to sort the entries.

  8. Select a server and click OK.
  9. The pop-up window closes.

  10. Continue to the next section, or click Create or OK to save the antispam profile.
Caution

Closing the pop-up window does not save the antispam profile and its associated SURBL server list. To save changes to the SURBL server list, in the antispam profile, click OK before navigating away to another part of the web UI.

Configuring DNSBL options

In addition to supporting Fortinet’s FortiGuard Antispam DNSBL service, the FortiMail unit supports third-party DNS blocklist servers. You can enable DNSBL filtering as part of the antispam profile, and define multiple DNSBL servers for each antispam profile. Consult the third-party DNSBL service providers for any conditions and restrictions.

Caution

It is advised to exercise diligence on your DNSBL providers and their operations. Fortinet recommends all email administrators utilize services which have clearly defined and rational listing policies and do not charge for delisting. Services that block whole subnets and AS numbers and have a business model which charges for delisting should be viewed with heavy caution. Fortinet cannot delist the IP addresses once they are blocklisted by such vendors.

DNSBL scans examine the IP address of the SMTP client that is currently delivering the email message. If the Enable Block IP to query for the blocklist status of the IP addresses of all SMTP servers appearing in the Received: lines of header lines. option located in the Deep header section is enabled, DNSBL scan will also examine the IP addresses of all other SMTP servers that appear in the Received: lines of the message header. For more information, see Configuring FortiGuard options.

DNSBL scans do not examine private network addresses, which are defined in RFC 1918.

The DNSBL section of antispam profiles lets you configure the FortiMail unit to query one or more servers to determine if the IP address of the SMTP client has been blocklisted. If the IP address is blocklisted, the FortiMail unit treats the email as spam and performs the associated action.

To configure DNSBL scan options
  1. When configuring an antispam profile, enable DNSBL in the AntiSpam Profile dialog.
  2. From Action, select the action profile that you want the FortiMail unit to use if the DNSBL scan finds spam email.
  3. For more information, see Configuring antispam action profiles.

  4. Next to DNSBL click Configuration.
  5. A pop-up window appears where you can enter the domain names of DNSBL servers to use with this profile.

  6. To add a new DNSBL server address, click New and type the address in the field that appears.
  7. Since the servers are queried from top to bottom, you may want to put the reliable servers with less traffic to the top of the list. Click the dropdown menu in the title bar to sort the entries.

  8. Select a server from the list and click OK.
  9. The pop-up window closes.

    Caution

    Closing the pop-up window does not save the antispam profile and its associated DNSBL server list. To save changes to the DNSBL server list, in the antispam profile, click OK before navigating away to another part of the web UI.

  10. Continue to the next section, or click Create or OK to save the antispam profile.

Configuring banned word options

The Banned word section of antispam profiles lets you configure the FortiMail unit to consider email messages as spam if the subject line and/or message body contain a prohibited word. When a banned word is found, the FortiMail unit treats the email as spam and performs the associated action.

When banned word scanning is enabled and an email is found to contain a banned word, the FortiMail unit adds X-FEAS-BANNEDWORD: to the message header, followed by the banned word found in the email. The header may be useful for troubleshooting purposes, when determining which banned word or phrase caused an email to be blocked.

You can use wildcards in banned words. But unlike dictionary scans, banned word scans do not support regular expressions. For details about wildcards and regular expressions, see Appendix D: Wildcards and regular expressions.

Note

You can also apply this scan to PDF attachments. For more information, see Configuring scan options.

To configure banned word scan options
  1. When configuring an antispam profile, enable Banned word in the AntiSpam Profile dialog.
  2. From Action, select the action profile that you want the FortiMail unit to use if the banned word scan finds spam email.
  3. For more information, see Configuring antispam action profiles.

  4. Next to Banned word, click Configuration.
  5. A pop-up window appears, showing the words or phrases that will be prohibited by this profile. You can add or delete words on this window.

  6. Click New, then enter the banned word in the field that appears.
  7. Select Subject to have the subject line inspected for the banned word. If the check box is clear, the subject line is not inspected.
  8. Select Body to have the message body inspected for the banned word. If the check box is clear, the message body is not inspected.
  9. Click OK.
  10. The pop-up window closes.

  11. Continue to the next section, or click Create or OK to save the antispam profile.

Configuring safelist word options

The Safelist word section of antispam profiles lets you configure the FortiMail unit to consider email messages whose subject line and/or message body contain a safelisted word to be indisputably not spam. If the email message contains a safelisted word, the FortiMail unit does not consider the email to be spam.

You can use wildcards in safelisted words. But unlike dictionary scans, safelist word scans do not support regular expressions. For details about wildcards and regular expressions, see Appendix D: Wildcards and regular expressions.

To configure safe list scan options
  1. When configuring an antispam profile, enable Safelist word in the AntiSpam Profile dialog.
  2. Next to Safelist word, click Configuration.
  3. A pop-up window appears, showing the words or phrases that are allowed by this profile. You can add or delete words on this window.

  4. Click New, then enter the allowed word in the field that appears.
  5. Select Subject to have the subject line inspected for the allowed word. If the check box is clear, the subject line is not inspected.
  6. Select Body to have the message body inspected for the allowed word. If the check box is clear, the message body is not inspected.
  7. Click OK.
  8. The pop-up window closes.

  9. Continue to the next section, or click Create or OK to save the antispam profile.

Configuring dictionary options

The Dictionary section of antispam profiles lets you configure the FortiMail unit to use dictionary profiles to determine if the email is likely to be spam. If the FortiMail unit considers email to be spam, it performs the associated action.

Before you can use this feature, you must have existing dictionary profiles. For information on creating dictionary profiles, see Configuring dictionary profiles.

When dictionary scanning is enabled and an email is found to contain a dictionary word, FortiMail units add X-FEAS-DICTIONARY: to the message header, followed by the dictionary word or pattern found in the email. The header may be useful for troubleshooting purposes, when determining which dictionary word or pattern caused an email to be blocked.

Unlike banned word scans, dictionary scans are more resource-intensive. If you do not require dictionary features such as regular expressions, consider using a banned word scan instead.

To configure dictionary scan options
  1. When configuring an antispam profile, enable Dictionary in the AntiSpam Profile dialog.
  2. Click the plus to expand Dictionary.
  3. From Action, select the action profile that you want the FortiMail unit to use if the dictionary scan finds spam email.
  4. For more information, see Configuring antispam action profiles.

  5. From the With dictionary group dropdown list, select the name of a group of dictionary profiles to use with the dictionary scan. Or, from the With dictionary profile dropdown list, select the name of a dictionary profile to use with the dictionary scan.
  6. In the Minimum dictionary score field, enter the number of dictionary term matches above which the email will be considered to be spam. Note that the score value is based on individual dictionary profile matches, not the dictionary group matches.
  7. Continue to the next section, or click Create or OK to save the antispam profile.

Configuring image spam options

The Image spam section of antispam profiles lets you configure the FortiMail unit to analyze the contents of GIF, JPG, and PNG graphics to determine if the email is spam. If the email message contains a spam image, the FortiMail unit treats the email as spam and performs the associated action.

Image spam scanning may be useful when, for example, the message body of an email contains graphics but no text, and text-based antispam scans are therefore unable to determine whether or not an email is spam.

To configure image spam options
  1. When configuring an antispam profile, enable Image spam in the AntiSpam Profile dialog.
  2. From Action, select the action profile that you want the FortiMail unit to use if the image scan finds spam email.
  3. For more information, see Configuring antispam action profiles.

  4. Enable Aggressive scan to inspect image file attachments in addition to embedded graphics.
  5. Enabling this option increases workload when scanning email messages that contain image file attachments. If you do not require this feature, disable this option to improve performance.

    This Aggressive scan option applies only if you enable PDF scanning. For more information, see Configuring scan options.

  6. Continue to the next section, or click Create or OK to save the antispam profile.
See also

Managing antispam profiles

Configuring antispam action profiles

Configuring Bayesian options

The Bayesian section of antispam profiles lets you configure the FortiMail unit to use Bayesian databases to determine if the email is likely to be spam. If the Bayesian scan indicates that the email is likely to be spam, the FortiMail unit treats the email as spam and performs the associated action.

FortiMail units can maintain two Bayesian databases: global and per-domain.

  • For outgoing email, the FortiMail unit uses the global Bayesian database.
  • For incoming email, which database will be used when performing the Bayesian scan varies by configuration of the incoming antispam profile and the configuration of the protected domain.

Before using Bayesian scans, you must train one or more Bayesian databases in order to teach the FortiMail unit which words indicate probable spam. If a Bayesian database is not sufficiently trained, it can increase false positive and/or false negative rates. You can train the Bayesian databases of your FortiMail unit in several ways. For more information, see Training the Bayesian databases.

Caution

Be aware that, without ongoing training, Bayesian scanning will become significantly less effective over time and thus Fortinet does not recommend enabling the Bayesian scanning feature.

To configure Bayesian scan options
  1. When configuring an antispam profile, enable Bayesian in the AntiSpam Profile dialog.
  2. Click the plus to expand Bayesian.
  3. From Action, select the action profile that you want the FortiMail unit to use if the Bayesian scan finds spam email.
  4. For more information, see Configuring antispam action profiles.

  5. Configure the following:
  6. GUI item

    Description

    Accept training messages from users

    Enable to accept training messages from email users.

    Training messages are email messages that email users forward to the email addresses of control accounts, such as is‑spam@example.com, in order to train or correct Bayesian databases. For information on Bayesian control account email addresses, see Configuring the quarantine control options.

    FortiMail units apply training messages to either the global or per-domain Bayesian database depending on your configuration of the protected domain to which the email user belongs.

    Disable to discard training messages.

    This option is available only if Direction is Incoming (per-domain Bayesian databases cannot be used when the recipient does not belong to a protected domain, which defines outgoing email).

    Use other techniques for auto training

    Enable to use scan results from FortiGuard, SURBL, and per-user and system-wide safe lists to train the Bayesian databases.

    This option is available only if Direction is Incoming (domain-level Bayesian databases cannot be used when the recipient does not belong to a protected domain, which defines outgoing email).

  7. Continue to the next section, or click Create or OK to save the antispam profile.

Configuring scan options

The Scan Conditions section of antispam profiles lets you configure conditions that cause the FortiMail unit to omit antispam scans, or to apply some antispam scans to PDF attachments.

To configure scan options
  1. When configuring an antispam profile, Click the plus to expand Scan Options in the AntiSpam Profile dialog.
  2. Configure the following:

GUI item

Description

Max message size to scan

Enter the maximum size of email messages, in bytes, that the FortiMail unit will scan for spam. Messages larger than the set size are not scanned for spam.

To disable the size limit, causing all messages to be scanned, regardless of size, enter 0.

Note: Resource requirements for scanning messages increase with the size of the email message. If the spam you receive tends not to be smaller than a certain size, consider limiting antispam scanning to messages under this size to improve performance.

Bypass scan on SMTP authentication

Enable to bypass spam scanning for authenticated SMTP connections. This option is enabled by default.

Note: If you can trust that authenticating SMTP clients are not a source of spam, consider enabling this option to improve performance.

Scan PDF attachment

Spammers may attach a PDF file to an otherwise empty message to get their email messages past spam safeguards. The PDF file contains the spam information. Since the message body contains no text, antispam scanners cannot determine if the message is spam.

Enable this option to use the heuristic, banned word, and image spam scans to inspect the first page of PDF attachments.

This option applies only if you have enabled and configured heuristic, banned word, and/or image spam scans. For information on configuring those scans, see Configuring heuristic options, Configuring banned word options, and Configuring image spam options.

Apply default action without scan upon policy match

Select this option to take the default antispam action right away without applying other antispam filters if the email matches the relevant IP or recipient policy.

Performing a batch edit

You can apply changes to multiple profiles at once.

  1. Go to Profile > AntiSpam > AntiSpam.
  2. In the row corresponding to existing profiles whose settings you want to modify, hold Ctrl and select the profiles you want to edit.
  3. The ability to batch edit antispam profiles does not apply to predefined profiles.

  4. Click Batch Edit.
  5. The AntiSpam Profile dialog appears.

  6. Modify the profile, as explained in Managing antispam profiles, changing only those settings that you want to apply to all selected profiles.
  7. Click Apply To All to save the changes and remain on the dialog, or click OK to save the changes and return to the AntiSpam tab.

Configuring impersonation profiles

Email impersonation is one of the email spoofing attacks. It forges the email header to deceive the recipient because the message appears to be from a different source than the actual address.

Note

To use this feature, you must have a license for the Fortinet Enterprise Advanced Threat Protection (ATP) bundle.

To fight against email impersonation, you can map high valued target display names with correct email addresses and FortiMail can check for the mapping. For example, an external spammer wants to impersonate the CEO of your company(ceo@company.com). The spammer will put "CEO ABC <ceo@external.com>" in the email Header From, and send such email to a user(victim@company.com). If FortiMail has been configured with a manual entry "CEO ABC"/"ceo@company.com" in an impersonation analysis profile to indicate the correct display name/email pair, or it has learned display name/email pair through the dynamic process, then such email will be detected by impersonation analysis, because the spammer uses an external email address and an internal user's display name.

There are two ways to do the mapping:

Note

Impersonation analysis checks both the Header From and Reply-To fields.

You can also add exempt entries so that FortiMail will skip the impersonation analysis check.

Note

To avoid false positives, impersonation analysis also follows some other exempt rules.

To create an impersonation analysis profile
  1. Go to Profile > AntiSpam > Impersonation.
  2. Click New to create a new profile.
  3. Enter a profile name.
  4. Select a domain or System from the dropdown list. The profile will be applied to your selection.
  5. Under Impersonation, select Match Rule or Exempt Rule.
  6. Click New to add an entry.
  7. GUI item

    Description

    Display name pattern

    Enter the display name to be mapped to the email address. You can use wildcard or regular expression.

    Pattern type

    Either wildcard or regular expression.

    Email address

    Enter the email address to be mapped to the display name. The email address can be from protected/internal domains or unprotected/external domains.

    If the email address is from an external domain, such as gmail.com or hotmail.com, the display name matching the external email address will be passed. Otherwise, it will be caught by impersonation analysis.

Enabling impersonation analysis dynamic scanning

In addition to manually entering mapping entries and creating impersonation analysis profiles, FortiMail Mail Statistics Service can automatically, dynamically learn and track the mapping of display names and internal email addresses.

To use the FortiMail manual, dynamic, or both manual and dynamic impersonation analysis scanning, use the following command:

config antispam settings

set impersonation-analysis dynamic manual

end

By default, FortiMail uses manual analysis only.

Also enable the FortiMail Mail Statistics Service with the following command. This service is disabled by default:

config system global

set mailstat-service enable

end

After the service is enabled, you can search the dynamic database by going to Profile > AntiSpam > Impersonation and clicking Impersonation Lookup. If the record exists in the database, after you enter the email address, the corresponding display name will be displayed.

Configuring cousin domain profiles

Similar to impersonation profiles, cousin domain profiles help to mitigate domain impersonation risks. Similar to impersonation profiles that map display names, cousin domain profiles can map both inbound and outbound domain names to either be scanned or exempt from scanning. Domain names may be deliberately misspelled, either by character removal, substitution, and/or transposition, in order to make emails look as though they originate from trusted internal sources.

For example, if you configure a regular expression for the sender domain f?rtinet.com, it will match f0rtinet.com, but the legitimate and trusted sender domain fortinet.com will also be detected as a cousin domain. To avoid this, you can add fortinet.com into the exempt rules setting to avoid detecting it as spam.

Cousin domain scan options, such as auto detection, are configured within antispam profiles. See Managing antispam profiles for more information.

To create a cousin domain profile
  1. Go to Profile > AntiSpam > Cousin Domain.
  2. Either click New to add a profile or double-click an existing profile to modify it. You can also select multiple profiles and batch edit them.
  3. Select a domain or System from the dropdown list. The profile will be applied to your selection.
  4. Enter a profile name.
  5. Under Domain Pattern, select From, To, or Exempt.
  6. Click New to add an entry.
  7. GUI item

    Description

    Domain name pattern

    Enter the domain name to be mapped to the email address. You can use wildcard or regular expression.

    Pattern type

    Either wildcard, regular expression, or look-alike.

    A look-alike pattern can be configured to specifically check for instances of recipient domain typos. For example, if a domain such as fortinet.com is configured with pattern type set to look-alike, any similar misspelled domains, such as fort1net.com, are caught.

    Note

    Since auto-detection is not applicable to outgoing policies, look-alike patterns are best suited for catching misspelled domains.

  8. Click Create or OK.

Configuring weighted analysis profiles

The Weighted Analysis tab in the AntiSpam submenu allows you to create profiles with custom weighted scores for various antispam scans, including intelligent analysis, in order to fine tune your spam catch rate while minimizing false positives.

To configure a weighted analysis profile
  1. Go to Profile > AntiSpam > Weighted Analysis.

  2. Either click New to add a profile or double-click an existing profile to modify it.

  3. From Domain, select if the weighted analysis profile will be system-wide or apply only to a specific domain. You can see only the domains that are permitted by your administrator profile.

  4. In Name, enter a unique name for the profile.

  5. Optionally, in the Comment field, enter a descriptive comment.
  6. Under Rule, click New.

    A dialog appears.

  7. Configure the following settings:

  8. GUI item

    Description

    Status

    Enable or disable the rule.

    Name Enter the name of the rule.

    Action

    (dropdown list)

    Specify an action for the rule.
    Threshold Enter the threshold at which the current rule is to be triggered. This score will be allocated to the seven categories below.
    Score Weight

    Enter the score weight thresholds of the following factors:

    • Intelligent analysis: Multiple factors contribute to intelligent analysis in order to reduce false positives, including:

      • SPF
      • DKIM
      • DMARC
      • matching of sender addresses in the message headers (From: and Reply-To:)
      • newly registered domain names that do not have a FortiGuard Antispam rating yet
      • header analysis
      • malformed email detection
    • Cousin domain: Detects domain impersonation. See Configuring cousin domain profiles.

    • Suspicious character: Detects internationalized domain name (IDN) homograph attacks. If domain names in URLs, sender email addresses, or recipient email addresses have Unicode characters that are from different languages yet look similar (for example, A looks similar in Cyrillic, Greek, and Latin alphabets), then an attacker could trick the user into using a fraudulent website or email. FortiMail detects these as suspicious.

    • Sender alignment: Compares the domain name of the sender email address in the message header (From:) and SMTP envelope (MAIL FROM:) to look for a mismatch, which is typical of spam.

    • Action keyword: Select the name of a dictionary profile that contains words or phrases that typically only spam has.

      Keywords are often a "call to action" that motivates the user to reply or click a hyperlink. For example, "Click here", "transfer", "money", "dollars", "bank account", "conference attendee", etc.

      • Dictionary profile: Select the dictionary profile. See Configuring dictionary profiles.

      • Minimum dictionary score: Enter the threshold for dictionary profile matches.

        When the dictionary profile scans an email, it counts the number of matching words or phrases, and adjusts this total according to the pattern weight and maximum pattern weight in the dictionary profile. If the result equals or exceeds this threshold, then FortiMail applies the weighted score defined in Action keyword.

    • URL category: Detects spam or phishing URLs in the email.

    • Malformed email: Detects malformed data in the email structure, header, or body. For more information, see RFC 7103.

  9. Click Create or OK.

  10. To apply a weighted analysis profile, select it in one or more antispam profiles under Business email compromise. For details, see Managing antispam profiles.

Configuring antispam action profiles

The Action tab in the AntiSpam submenu lets you define one or more things that the FortiMail unit should do if the antispam profile determines that an email is spam.

For example, assume you configured a default antispam action profile, named quar_and_tag_profile, that both tags the subject line and quarantines email detected to be spam. In general, all antispam profiles using the default action profile will quarantine the email and tag it as spam. However, you can decide that email failing to pass the dictionary scan is always spam and should be rejected so that it does not consume quarantine disk space. Therefore, for the antispam profiles that apply a dictionary scan, you could override the default action by configuring and using a second action profile, named rejection_profile, which rejects such email.

Note

The specific action profile will override the default action profile when mailfilterd scans the email and take disposition (action) against the email. When the email is out of the process of mailfilterd, any remaining actions, such as spam report, web release, and sender safelisting, will still be taken based on the default action profile.

To view and configure antispam action profiles
  1. Go to Profile > AntiSpam > Action.
  2. GUI item

    Description

    Domain

    (dropdown list)

    Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile.

    Profile Name

    Displays the name of the profile.

    Domain

    (column)

    Displays either System or a domain name.

    (Green dot in column heading)

    Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

  3. Either click New to add a profile or double-click an existing profile to modify it. You can also select multiple profiles and batch edit them.
  4. A dialog appears.

  5. Configure the following:
  6. GUI item

    Description

    Domain

    Select if the action profile will be system-wide or domain-wide.

    You can see only the domains that are permitted by your administrator profile.

    Profile name

    For a new profile, enter a name.

    Tag subject

    Enable and enter the text that appears in the subject line of the email, such as [spam]. The FortiMail unit will prepend this text to the subject line of spam before forwarding it to the recipient.

    Many email clients can sort incoming email messages into separate mailboxes, including a spam mailbox, based on text appearing in various parts of email messages, including the subject line. For details, see the documentation for your email client.

    Insert header

    Enable and enter the message header key in the field, and the values in the With value field. The FortiMail unit adds this text to the message header of the email before forwarding it to the recipient.

    Many email clients can sort incoming email messages into separate mailboxes, including a spam mailbox, based on text appearing in various parts of email messages, including the message header. For details, see the documentation for your email client.

    Message header lines are composed of two parts: a key and a value, which are separated by a colon. For example, you might enter:

    X-Custom-Header: Detected as spam by profile 22.

    If you enter a header line that does not include a colon, the FortiMail unit will automatically append a colon, causing the entire text that you enter to be the key.

    Note: Do not enter spaces in the key portion of the header line, as these are forbidden by RFC 2822.

    You can add multiple headers by adding them to the header table. You can also insert the predefined variables to the header value.

    Insert disclaimer

    Insert disclaimer as an action, and select whether you want to insert the disclaimer at the start of the message, end of the message, or at the location of the custom message.

    You can modify the default disclaimer or add new disclaimers by going to System > Mail Setting > Disclaimer.

    Deliver to alternate host

    Enable to route the email to a specific SMTP server or relay, then type the fully qualified domain name (FQDN) or IP address of the destination.

    You can choose to deliver the original email or the modified email.

    Note: If you enable this setting, the FortiMail unit uses this destination for all email that matches the profile and ignores Relay server name and Use this domain’s SMTP server to deliver the mail.

    Deliver to original host

    Enable to deliver email to the original host.

    FortiGuard spam outbreak protection

    Enable to manually defer emails and place email in the spam defer queue.

    Note: The Spam outbreak protection option in the FortiGuard settings under Profile > AntiSpam > AntiSpam does not affect this feature.

    Defer delivery

    Enable to defer delivery of emails that may be resource intensive and reduce performance of the mail server, such as large email messages, or lower priority email from certain senders (for example, marketing campaign email and mass mailing).

    BCC

    Enable to send a blind carbon copy (BCC) of the email.

    You can specify an Envelope from address so that, in the case the email is not deliverable and bounced back, it will be returned to the specified envelope from address, instead of the original sender. This is helpful when you want to use a specific email to collect bounce notifications.

    Click New to add BCC recipients.

    Archive to account

    Enable to send the email to an archiving account.

    Click New to create a new archiving account or click Edit to modify an existing account. For details about archiving accounts, see Email archiving workflow.

    Notify with profile

    Enable and select a notification profile to send a notification email to the sender, recipient, or any other people as you configure in the notification profile. The notification email is customizable and will tell the users what happened to the email message. For details about notification profiles and email templates, see Configuring notification profiles and Customizing email templates.

    Final action

    For details about final and non-final actions, see Order of execution.

    Discard

    Enable to accept the email, but then delete it instead of delivering the email, without notifying the SMTP client.

    Reject

    Enable to reject the email and reply to the SMTP client with SMTP reply code 550.

    However, if email messages are held for FortiGuard spam outbreak protection or FortiGuard virus outbreak protection, or sent to FortiSandbox, the actual action will fallback to "system quarantine".

    If a message has multiple recipients in the same SMTP session, the Reject action may fallback to System Quarantine, if other recipients have final action other than reject.

    Personal quarantine

    For incoming email, enable to redirect the email to the recipient’s personal quarantine. For more information, see Managing the personal quarantines.

    For outgoing email, this action will fallback to the system quarantine.

    You can choose to quarantine the original email or the modified email.

    System quarantine

    Enable to redirect spam to the system quarantine folder. For more information, see Managing the system quarantine.

    You can choose to quarantine the original email or the modified email.

    Domain quarantine

    Enable to redirect spam to the domain quarantine folder. For more information, see Managing the domain quarantines.

    Rewrite recipient email address

    Enable to change the recipient address of any email message detected as spam.

    Configure rewrites separately for the local-part (the portion of the email address before the '@' symbol, typically a user name) and the domain part (the portion of the email address after the '@' symbol). For each part, select either:

    • None: No change.
    • Prefix: Prepend the part with text that you have entered in the With field.
    • Suffix: Append the part with the text you have entered in the With field.
    • Replace: Substitute the part with the text you have entered in the With field.
  7. Click Create or OK.

To apply an antispam action profile, select it in one or more antispam profiles. For details, see Managing antispam profiles.