CLI Reference

profile antispam

Use this command to configure system-wide (or, if these commands are run from inside config domain, domain-specific) antispam profiles.

FortiMail can use many methods to detect spam, such as the FortiGuard Antispam service, DNSBL queries, Bayesian scanning, and heuristic scanning. Antispam profiles contain settings for these features that you may want to vary by policy. Depending on the feature, before you configure antispam policies, you may need to enable the feature or configure its system-wide settings.

Syntax

config profile antispam

edit <profile_name>

[set comment "<comment_str>"]

set action-default <action-profile_name>

set apply-action-default {enable | disable}

set scan-max-size <bytes_int>

set scan-bypass-on-auth {enable | disable}

set scan-pdf {enable | disable}

set fortiguard-antispam {enable | disable}

set action-fortiguard <action-profile_name>

set fortiguard-check-ip {enable | disable}

set action-fortiguard-blockip <action-profile-name>

set ip-reputation-level1-status {enable | disable}

set ip-reputation-level2-status {enable | disable}

set ip-reputation-level3-status {enable | disable}

set action-ip-reputation-level1 <action-profile_name>

set action-ip-reputation-level2 <action-profile_name>

set action-ip-reputation-level3 <action-profile_name>

set url-filter-status {enable | disable}

set url-filter <filter_name>

set url-filter-secondary <filter_name>

set url-filter-secondary-status {enable | disable}

set action-url-filter <action-profile_name>

set action-url-filter-secondary <action-profile_name>

set spam-outbreak-protection {enable | disable | monitor-only}

set greylist {enable | disable}

set action-grey-list <action-profile_name>

set spf-checking {enable | disable}

set spf-fail-status {enable | disable}

set spf-neutral-status {enable | disable}

set spf-none-status {enable | disable}

set spf-pass-status {enable | disable}

set spf-perm-error-status {enable | disable}

set spf-soft-fail-status {enable | disable}

set spf-temp-error-status {enable | disable}

set action-spf-fail <action-profile_name>

set action-spf-neutral <action-profile_name>

set action-spf-none <action-profile_name>

set action-spf-pass <action-profile_name>

set action-spf-perm-error <action-profile_name>

set action-spf-soft-fail <action-profile_name>

set action-spf-temp-error <action-profile_name>

set dkim-checking {enable | disable}

set dkim-fail-status {enable | disable}

set dkim-none-status {enable | disable}

set dkim-pass-status {enable | disable}

set dkim-temp-error-status {enable | disable}

set action-dkim-fail <action-profile_name>

set action-dkim-none <action-profile_name>

set action-dkim-pass <action-profile_name>

set action-dkim-temp-error <action-profile_name>

set dmarc-checking {enable | disable}

set dmarc-fail-status {enable | disable}

set dmarc-none-status {enable | disable}

set dmarc-pass-status {enable | disable}

set dmarc-temp-error-status {enable | disable}

set action-dmarc-fail <action-profile_name>

set action-dmarc-none <action-profile_name>

set action-dmarc-pass <action-profile_name>

set action-dmarc-temp-error <action-profile_name>

set behavior-analysis {enable | disable}

set action-behavior-analysis <action-profile_name>

set bec-scan-status {enable | disable}

set weighted-analysis-status {enable | disable}

set weighted-analysis-profile <profile_name>

set action-weighted-analysis <action-profile-name>

set impersonation-analysis {enable | disable}

set impersonation <profile_name>

set action-impersonation-analysis <action-profile_name>

set cousin-domain {enable | disable}

set cousin-domain-profile <cousin-profile_name>

set cousin-domain-scan-option {auto-detection body-detection header-detection}

set action-cousin-domain <action-profile_name>

set sender-alignment-status {enable | disable}

set action-sender-alignment <action-profile_name>

set heuristic {enable | disable}

set heuristic-rules-percent <percentage_int>

set heuristic-lower <threshold_float>

set heuristic-upper <threshold_float>

set action-heuristic <action-profile_name>

set surbl {enable | disable}

config surbl-server

edit <surbl_name>

end

set action-surbl <action-profile_name>

set dnsbl {enable | disable}

config dnsbl-server

edit <dnsbl_name>

end

set action-rbl <action-profile_name>

set deepheader-analysis {enable | disable}

set deepheader-check-ip {enable | disable}

set action-deep-header <action-profile_name>

set banned-word {enable | disable}

config bannedwords

edit <word_str>

set subject {enable | disable}

set body {enable | disable}

next

end

set action-banned-word <action-profile_name>

set safelist-word {enable | disable}

config safelistwords

edit <word_str>

set subject {enable | disable}

set body {enable | disable}

next

end

set dictionary {enable | disable}

set dictionary-type {group | profile}

set dictionary-profile <profile_name>

set dictionary-group <group-name>

set dict-score <threshold_int>

set action-dictionary <action-profile_name>

set image-spam {enable | disable}

set aggressive {enable | disable}

set action-image-spam <action-profile_name>

set bayesian {enable | disable}

set bayesian-usertraining {enable | disable}

set bayesian-autotraining {enable | disable}

set bayesian-user-db {enable | disable}

set action-bayesian <action-profile_name>

set suspicious-newsletter-status {enable | disable}

set action-suspicious-newsletter <action-profile_name>

set newsletter-status {enable | disable}

set action-newsletter <action-profile_name>

end

Variable

Description

Default

<dnsbl_name>

Enter a DNSBL server name to perform a DNSBL scan. The FortiMail unit will query DNS blocklist servers.

<profile_name>

Enter the name of the profile.

<surbl_name>

Enter a SURBL server name to perform a SURBL scan. The FortiMail unit will query SURBL servers.

<word_str>

Enter the word to scan for. You can use wildcards to match multiple words. Regular expressions are not supported. For more information about wildcards and regular expressions, see the FortiMail Administration Guide.

action-banned-word <action-profile_name>

Enter the action profile that FortiMail uses if the banned word scan determines that the email is spam.

action-bayesian <action-profile_name>

Enter the action profile that FortiMail uses if the Bayesian scan determines that the email is spam.

action-behavior-analysis <action-profile_name>

Enter the action profile that FortiMail uses if the behavior analysis scan determines that the email is spam.

action-cousin-domain <action-profile_name>

Enter the action profile that FortiMail uses if the cousin domain scan determines that the email is spam.

action-deep-header <action-profile_name>

Enter the action profile that FortiMail uses if the deep header scan determines that the email is spam.

action-default <action-profile_name>

Enter the default action profile for scans.

If you want a scan to use a different action profile, select it for that specific scan instead of accepting the default.

action-dictionary <action-profile_name>

Enter the action profile that FortiMail uses if the dictionary scan determines that the email is spam.

action-dkim-fail <action-profile_name>

Enter the action profile that FortiMail uses if an email does not pass the DKIM scan.

action-dkim-none <action-profile_name>

Enter the action profile that FortiMail uses if no DKIM DNS record is found, or the record could not be correctly parsed.

action-dkim-pass <action-profile_name>

Enter the action profile that FortiMail uses if an email passes the DKIM scan.

action-dkim-temp-error <action-profile_name>

Enter the action profile that FortiMail uses if the DNS server returns a temporary error when querying the DKIM record.

action-dmarc-fail <action-profile_name>

Enter the action profile that FortiMail uses if an email does not pass the DMARC scan.

action-dmarc-none <action-profile_name>

Enter the action profile that FortiMail uses if no DMARC DNS record is found, or the record could not be correctly parsed.

action-dmarc-pass <action-profile_name>

Enter the action profile that FortiMail uses if an email passes the DMARC scan.

action-dmarc-temp-error <action-profile_name>

Enter the action profile that FortiMail uses if the DNS server returns a temporary error when querying the DMARC DNS record.

action-fortiguard-blockip <action-profile-name>

Enter the action profile that FortiMail uses if the FortiGuard block IP scan determines that the email is spam.

action-fortiguard-phishing-url <action-profile-name>

Enter the action profile that FortiMail uses if the FortiGuard phishing URL scan determines that the email is spam.

action-fortiguard <action-profile_name>

Enter the action profile that FortiMail uses if the FortiGuard Antispam scan determines that the email is spam.

action-grey-list <action-profile_name>

Enter the action profile that FortiMail uses if the greylist scan determines that the email is spam.

action-heuristic <action-profile_name>

Enter the action profile that FortiMail uses if the heuristic scan determines that the email is spam.

action-image-spam <action-profile_name>

Enter the action profile that FortiMail uses if the image scan determines that the email is spam.

action-impersonation-analysis <action-profile_name>

Enter the action profile that FortiMail uses if impersonation analysis determines that the email is from someone impersonating a known email address.

action-ip-reputation-level1 <action-profile_name>

Enter the action profile that FortiMail uses if the IP reputation scan result is level 1.

action-ip-reputation-level2 <action-profile_name>

Enter the action profile that FortiMail uses if the IP reputation scan result is level 2.

action-ip-reputation-level3 <action-profile_name>

Enter the action profile that FortiMail uses if the IP reputation scan result is level 3.

action-newsletter <action-profile_name>

Enter the action profile that FortiMail uses if the newsletter scan determines that the email is spam.

action-rbl <action-profile_name>

Enter the action profile that FortiMail uses if the DNSBL scan determines that the email is spam.

action-sender-alignment <action-profile_name>

Enter the action profile that FortiMail uses if the email does not pass the sender alignment scan.

action-spf-fail <action-profile_name>

Enter the action profile that FortiMail uses if the email does not pass the SPF scan, which means the host is not authorized to send messages.

action-spf-neutral <action-profile_name>

Enter the action profile that FortiMail uses if the SPF scan result is neutral, which means the SPF record is found but makes no definitive assertion.

action-spf-none <action-profile_name>

Enter the action profile that FortiMail uses if the SPF scan has no result, which means there is no SPF record.

action-spf-pass <action-profile_name>

Enter the action profile that FortiMail uses if the email passes the SPF scan, which means the host is authorized to send messages.

action-spf-perm-error <action-profile_name>

Enter the action profile that FortiMail uses if the SPF scan has a permanent error, which means the SPF records are invalid.

action-spf-soft-fail <action-profile_name>

Enter the action profile that FortiMail uses if the SPF scan has a soft failure, which means the host is not authorized to send messages, but it's not a strong statement.

action-spf-temp-error <action-profile_name>

Enter the action profile that FortiMail uses if the SPF scan has a temporary error, which means there is a processing error.

action-surbl <action-profile_name>

Enter the action profile that FortiMail uses if the SURBL scan determines that the email is spam.

action-suspicious-newsletter <action-profile_name>

Enter the action profile that FortiMail uses if the suspicious newsletter scan determines that the email is spam.

action-url-filter-secondary <action-profile_name>

Enter the action profile that FortiMail uses if the secondary URL filter scan determines that the email is spam.

action-url-filter <action-profile_name>

Enter the action profile that FortiMail uses if the URL filter scan determines that the email is spam.

action-weighted-analysis <action-profile-name>

Enter the action profile that FortiMail uses if weighted analysis determines that the email is spam.

aggressive {enable | disable}

Enable this option to examine file attachments in addition to images embedded in the message body.

Tip: To improve performance, enable this option only if you do not have a satisfactory spam detection rate.

disable

apply-action-default {enable | disable}

Enable to perform the action in action-default <action-profile_name> immediately, without applying other antispam filters, if the email matches the IP or recipient policy.

disable

banned-word {enable | disable}

Enable to perform a banned words scan.

disable

bayesian-autotraining {enable | disable}

Enable to use FortiGuard Antispam and SURBL scan results to train per-user Bayesian databases that are not yet mature (that is, they have not yet been trained with 200 legitimate email and 100 spam in order to recognize spam).

enable

bayesian-user-db {enable | disable}

Enable to use per-user Bayesian databases.

If disabled, the Bayesian scan will use either the global or the per-domain Bayesian database, whichever is selected for the protected domain.

disable

bayesian-usertraining {enable | disable}

Enable to accept email forwarded from email users to the Bayesian control email addresses in order to train the Bayesian databases to recognize spam and legitimate email.

enable

bayesian {enable | disable}

Enable to perform a Bayesian scan.

disable

bec-scan-status {enable | disable}

Enable to perform a business email compromise (BEC) scan. Then configure which scans to perform in cousin-domain {enable | disable}, impersonation-analysis {enable | disable}, sender-alignment-status {enable | disable}, and weighted-analysis-status {enable | disable}.

disable

behavior-analysis {enable | disable}

Enable to analyze the similarities between uncertain email and known email in the behavior analysis (BA) database to determine whether the uncertain email is spam.

To adjust the aggressiveness of the scan, see also antispam behavior-analysis.

disable

body {enable | disable}

Enable to scan the email message bodies for the word.

disable

comment "<comment_str>"

Enter a description or comment.

cousin-domain-profile <cousin-profile_name>

Select which cousin domain profile to use.

This setting takes effect if cousin-domain {enable | disable} is enable.

cousin-domain-scan-option {auto-detection body-detection header-detection}

Select where in the email to scan for domain name impersonation, either automatically, within the email body, and/or the message headers.

This setting takes effect if cousin-domain {enable | disable} is enable.

header-detection body-detection auto-detection

cousin-domain {enable | disable}

Enable to perform a cousin domain (domain impersonation) scan. This detects domain names that are deliberately misspelled in order to appear to come from a trusted domain. Then also configure cousin-domain-profile <cousin-profile_name>, cousin-domain-scan-option {auto-detection body-detection header-detection}, and action-cousin-domain <action-profile_name>.

This setting takes effect if bec-scan-status {enable | disable} is enable.

disable

deepheader-analysis {enable | disable}

Enable to inspect all message headers for known spam characteristics.

If the FortiGuard Antispam scan is enabled, this option uses results from that scan, providing up-to-date header analysis.

disable

deepheader-check-ip {enable | disable}

Enable to query for the blocklist status of the IP addresses of all SMTP servers appearing in the Received: message header.

If this setting is disabled, the FortiMail unit examines only the IP address of the current SMTP client.

This setting requires that you also configure either or both FortiGuard Antispam scan and DNSBL scan.

disable

dict-score <threshold_int>

Enter the threshold for dictionary profile matches.

When the dictionary profile scans an email, it counts the number of matching words or phrases, and adjusts this total according to pattern-weight <weight_int> and pattern-max-weight <weight_int>. If the result equals or exceeds this threshold, then FortiMail applies the action in action-dictionary <action-profile_name>.

dictionary-group <group-name>

Select which dictionary profile group to use.

This setting is available if dictionary-type {group | profile} is group.

dictionary-profile <profile_name>

Select which dictionary profile to use.

This setting is available if dictionary-type {group | profile} is profile.

dictionary-type {group | profile}

Select whether to use a single dictionary profile, or a group of dictionary profiles. Then also configure dictionary-profile <profile_name> or dictionary-group <group-name>.

profile

dictionary {enable | disable}

Enable to perform a dictionary scan. Also configure dictionary-type {group | profile} and dict-score <threshold_int>.

disable

dkim-checking {enable | disable}

Enable to perform a DKIM scan. Also configure related options for each possible DKIM result, such as dkim-fail-status {enable | disable} with action-dkim-fail <action-profile_name>. Also configure dkim-signing-option {all | disable | incoming | outgoing}.

If either SPF or DKIM scans pass, then the DMARC scan will pass. If both fail, then DMARC fails.

disable

dkim-fail-status {enable | disable}

Enable or disable checking invalid DKIM body hash or signature.

enable

dkim-none-status {enable | disable}

Enable or disable checking for instances where the DNS server has no DKIM record, or the record could not be correctly parsed.

disable

dkim-pass-status {enable | disable}

Enable or disable DKIM check passing.

disable

dkim-temp-error-status {enable | disable}

Enable or disable checking for instances where the DNS server returns a temporary error when querying the DKIM DNS record.

disable

dmarc-checking {enable | disable}

Enable to have the unit perform email authentication with SPF and DKIM checking. If either SPF check or DKIM check passes, DMARC check will pass. If both fail, DMARC fails.

enable

dmarc-fail-status {enable | disable}

Enable or disable DMARC check failing.

enable

dmarc-none-status {enable | disable}

Enable or disable checking for instances where no DMARC DNS record is found, or the record could not be correctly parsed.

disable

dmarc-override-option {override-dkim override-spf}

Select if you want the DMARC result to take precedence over SPF and/or DKIM results. For example, if DMARC verification succeeds, then the SPF fail and soft fail won't take effect anymore.

dmarc-pass-status {enable | disable}

Enable or disable performing an action when the DMARC check result is a pass. Also configure action-dmarc-pass <action-profile_name>.

disable

dmarc-temp-error-status {enable | disable}

Enable or disable checking for instances where the DNS server returns a temporary error when querying the DMARC DNS record. Also configure action-dmarc-temp-error <action-profile_name>.

disable

dnsbl {enable | disable}

Enable to perform a DNSBL scan.

The FortiMail unit will query DNS blocklist servers defined using <dnsbl_name>.

disable

fortiguard-antispam {enable | disable}

Enable for the FortiMail unit to query the FortiGuard Antispam service to determine if any of the uniform resource locators (URL) in the message body are associated with spam. If any URL is blocklisted, the FortiMail unit considers the email to be spam, and you can select the action that the FortiMail unit will perform.

disable

fortiguard-check-ip {enable | disable}

Enable to perform a scan for whether or not the IP address of the SMTP client is blocklisted in the FortiGuard Antispam query.

disable

greylist {enable | disable}

Enable to perform a greylist scan.

disable

heuristic-lower <threshold_float>

Enter the score equal to or below which the FortiMail unit considers an email to not be spam.

-20.000000

heuristic-rules-percent <percentage_int>

Enter the percentage of the total number of heuristic rules that will be used to calculate the heuristic score for an email message.

The FortiMail unit compares this total score to the upper and lower level threshold to determine if an email is:

  • spam

  • not spam

  • indeterminable (score is between the upper and lower level thresholds)

To improve system performance and resource efficiency, enter the lowest percentage of heuristic rules that results in a satisfactory spam detection rate.

25

heuristic-upper <threshold_float>

Enter the score equal to or above which the FortiMail unit considers an email to be spam.

3.500000

heuristic {enable | disable}

Enable to perform a heuristic scan.

disable

image-spam {enable | disable}

Enable to perform an image spam scan.

disable

impersonation-analysis {enable | disable}

Enable to perform a sender impersonation analysis scan. This automatically learns and tracks the mapping of display names and internal email addresses to prevent spoofing attacks. Then also configure impersonation <profile_name> and action-impersonation-analysis <action-profile_name>.

This setting takes effect if bec-scan-status {enable | disable} is enable.

disable

impersonation <profile_name>

Select which impersonation profile to use.

This setting takes effect if impersonation-analysis {enable | disable} is enable.

disable

ip-reputation-level3-status {enable | disable}

Enable to query the FortiGuard Antispam service about the reputation of the public IP address of the SMTP client to determine if it is blocklisted.

disable

ip-reputation-level2-status {enable | disable}

Enable to query the FortiGuard Antispam service about the reputation of the public IP address of the SMTP client to determine if it is blocklisted.

disable

ip-reputation-level1-status {enable | disable}

Enable to query the FortiGuard Antispam service about the reputation of the public IP address of the SMTP client to determine if it is blocklisted.

FortiGuard categorizes blocklisted IP addresses into three levels. Level 1 has the worst reputation and level 3 the best.

disable

newsletter-status {enable | disable}

Enable to detect newsletters and other marketing campaigns that are not spam.

safelist-enable {enable | disable}

Enable to automatically update personal safelist database from sent email.

disable

safelist-word {enable | disable}

Enable to perform a safelist word scan. Also configure <word_str>, body {enable | disable}, and subject {enable | disable}.

disable

scan-bypass-on-auth {enable | disable}

Enable to omit antispam scans when an SMTP sender is authenticated.

disable

scan-max-size <bytes_int>

Enter the maximum size, in bytes, that the FortiMail unit will scan for spam. Messages exceeding the limit will not be scanned for spam.

To scan all email regardless of size, enter 0.

1204 (for predefined profiles)

600 (for user-defined profiles)

scan-pdf {enable | disable}

Enable to scan the first page of PDF attachments using heuristic, banned word, and image spam scans, if they are enabled.

disable

sender-alignment-status {enable | disable}

Enable to scan for sender email address and name mismatches.

Sender alignment compares the sender email address in the message header (From:) with the SMTP envelope (MAIL FROM:) to look for a mismatch, which is typical of spam.

If the sender email address fails the check, FortiMail takes the action in action-sender-alignment <action-profile_name>.

This setting takes effect if bec-scan-status {enable | disable} is enable.

disable

spam-outbreak-protection {enable | disable | monitor-only}

Enable to temporarily hold suspicious email for a certain period of time (outbreak-protection-period <minutes_int>) if the enabled FortiGuard Antispam check (block IP and/or URL filter) returns no result. After the specified time interval, FortiMail will query the FortiGuard server again. This provides an opportunity for the FortiGuard Antispam service to update its database when a spam outbreak occurs.

When set to monitor-only, email is not deferred. Instead, FortiMail inserts the message header X-FEAS-Spam-outbreak: monitor-only, and the email is logged.

disable

spf-checking {enable | disable}

Enable to have the FortiMail unit perform the action configured in this antispam profile, instead of the action configured in the session profile. See spf-validation {enable | disable}.

You can specify different actions toward different SPF check results:

  • spf-fail-status: Host is not authorized to send messages.

  • spf-soft-fail-status: Host is not authorized to send messages, but this is not a strong statement.

  • spf-sender-alignment-status: Domain name in the message header From: and SMTP AUTH command do not match.

  • spf-perm-error-status: SPF records are invalid.

  • spf-temp-error-status: Temporary processing error.

  • spf-pass-status: Host is authorized to send messages.

  • spf-neutral-status: SPF record is found but no definitive assertion.

  • spf-none-status: No SPF record.

disable

spf-fail-status {enable | disable}

Enable to make the FortiMail unit check if the host is not authorized to send messages.

If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-fail.

spf-neutral-status {enable | disable}

Enable to make the FortiMail unit check if the SPF record is found but makes no definitive assertion.

If the SPF check result is neutral, FortiMail takes the antispam action entered in action-spf-neutral.

spf-none-status {enable | disable}

Enable to make the FortiMail unit check if there is no SPF record.

If there is no SPF record, FortiMail takes the antispam action entered in action-spf-none.

spf-pass-status {enable | disable}

Enable to make the FortiMail unit check if the host is authorized to send messages.

If the client IP address passes the SPF check, FortiMail takes the antispam action configured in action-spf-pass.

spf-perm-error-status {enable | disable}

Enable to make the FortiMail unit check if the SPF records are invalid.

If the SPF check returns a permanent error, FortiMail takes the antispam action entered in action-spf-perm-error.

spf-soft-fail-status {enable | disable}

Enable to make the FortiMail unit check if the host is not authorized to send messages, but this is not a strong statement.

If the SPF check result is a soft failure, FortiMail takes the antispam action entered in action-spf-soft-fail.

enable

spf-temp-error-status {enable | disable}

Enable to make the FortiMail unit check if there is a processing error.

If the SPF check returns a temporary error, FortiMail takes the antispam action entered in action-spf-temp-error.

subject {enable | disable}

Enable to scan subject lines for the word.

disable

surbl {enable | disable}

Enable to perform a SURBL scan. The FortiMail unit will query SURBL servers defined using <surbl_name>.

disable

suspicious-newsletter-status {enable | disable}

Enable the detection of newsletters.

disable

url-filter-secondary-status {enable | disable}

Enable or disable the secondary URL filter scan.

disable

url-filter-secondary <filter_name>

To take different actions towards different URL filters/categories, you can specify a primary and a secondary filter, and specify different actions for each filter. If both URL filters match an email message, the primary filter action will take precedence.

url-filter-status {enable | disable}

Enable or disable URL filter scan.

disable

url-filter <filter_name>

Enter the URL filter to use.

weighted-analysis-profile <profile_name>

Enter the weighted analysis profile to use.

This setting takes effect if weighted-analysis-status {enable | disable} is enable.

weighted-analysis-status {enable | disable}

Enable or disable the weighted analysis profile scan.

Then also configure weighted-analysis-profile <profile_name> and action-weighted-analysis <action-profile-name>.

This setting takes effect if bec-scan-status {enable | disable} is enable.

disable
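Several settings in the table above only take effect when another setting is enabled (the BEC sub-scans under bec-scan-status, deepheader-check-ip with the FortiGuard Antispam or DNSBL scan, dictionary-type with its matching profile or group), and two settings skip scanning entirely. The following is an added example, not Fortinet code, that checks a saved antispam profile section against those rules; the sample configuration, its profile names, and the assumption that a saved configuration uses the edit/next/end layout of the Syntax section are constructed for illustration.

```python
import shlex

# Constructed sample; layout assumed to follow the Syntax section above.
SAMPLE_CONFIG = '''
config profile antispam
  edit "example_inbound"
    set scan-bypass-on-auth enable
    set scan-max-size 600
    set bec-scan-status disable
    set cousin-domain enable
    set cousin-domain-profile "example_cousin"
    set impersonation-analysis enable
    set deepheader-analysis enable
    set deepheader-check-ip enable
    set dictionary enable
    set dictionary-type group
    set dnsbl disable
    config dnsbl-server
      edit "dnsbl.example.net"
    end
  next
  edit "example_strict"
    set scan-max-size 0
    set bec-scan-status enable
    set sender-alignment-status enable
    set action-sender-alignment "example_quarantine"
    set fortiguard-antispam enable
    set deepheader-check-ip enable
  next
end
'''

# Defaults as listed in the table on this page; unlisted toggles fall back to disable.
DEFAULTS = {"dictionary-type": "profile"}
# Scans the page says take effect only if bec-scan-status is enable.
BEC_SCANS = ("cousin-domain", "impersonation-analysis",
             "sender-alignment-status", "weighted-analysis-status")


def parse_profiles(text):
    """Return {profile_name: {setting: value}} for 'config profile antispam'."""
    profiles, current, stack = {}, None, []
    for raw in text.splitlines():
        tok = shlex.split(raw)          # handles quoted names
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end":
            if stack:
                stack.pop()
            if not stack:
                current = None
        elif stack == ["profile antispam"]:   # ignore nested sub-tables
            if tok[0] == "edit" and len(tok) > 1:
                current = profiles.setdefault(tok[1], {})
            elif tok[0] == "next":
                current = None
            elif tok[0] == "set" and len(tok) > 2 and current is not None:
                current[tok[1]] = " ".join(tok[2:])
    return profiles


def audit(settings):
    """Return a list of (setting, message) findings for one profile."""
    def get(key):
        return settings.get(key, DEFAULTS.get(key, "disable"))

    findings = []
    if get("bec-scan-status") != "enable":
        for key in BEC_SCANS:
            if get(key) == "enable":
                findings.append((key, "no effect: bec-scan-status is not enable"))
    if (get("deepheader-check-ip") == "enable"
            and get("fortiguard-antispam") != "enable"
            and get("dnsbl") != "enable"):
        findings.append(("deepheader-check-ip",
                         "needs the FortiGuard Antispam and/or DNSBL scan"))
    if get("dictionary") == "enable":
        need = ("dictionary-group" if get("dictionary-type") == "group"
                else "dictionary-profile")
        if need not in settings:
            findings.append((need, "dictionary scan enabled but not set"))
    if get("scan-bypass-on-auth") == "enable":
        findings.append(("scan-bypass-on-auth",
                         "antispam scans omitted for authenticated senders"))
    size = settings.get("scan-max-size")
    if size is not None and size != "0":
        findings.append(("scan-max-size",
                         f"messages over {size} bytes are not scanned"))
    return findings


def audit_config(text):
    return {name: audit(s) for name, s in parse_profiles(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "- no findings" if not findings else "")
        for key, msg in findings:
            print(f"  [{key}] {msg}")
```
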

Related topics

antispam settings

domain

profile antispam-action

profile cousin-domain

profile dictionary

profile weighted-analysis

system fortiguard antispam

profile antispam

profile antispam

Use this command to configure system-wide (or, if these commands are run from inside config domain, domain-specific) antispam profiles.

FortiMail can use many methods to detect spam, such as the FortiGuard Antispam service, DNSBL queries, Bayesian scanning, and heuristic scanning. Antispam profiles contain settings for these features that you may want to vary by policy. Depending on the feature, before you configure antispam policies, you may need to enable the feature or configure its system-wide settings.

Syntax

config profile antispam

edit <profile_name>

[set comment "<comment_str>"]

set action-default <action-profile_name>

set apply-action-default {enable | disable}

set scan-max-size <bytes_int>

set scan-bypass-on-auth {enable | disable}

set scan-pdf {enable | disable}

set fortiguard-antispam {enable | disable}

set action-fortiguard <action-profile_name>

set fortiguard-check-ip {enable | disable}

set action-fortiguard-blockip <action-profile-name>

set ip-reputation-level1-status {enable | disable}

set ip-reputation-level2-status {enable | disable}

set ip-reputation-level3-status {enable | disable}

set action-ip-reputation-level1 <action-profile_name>

set action-ip-reputation-level2 <action-profile_name>

set action-ip-reputation-level3 <action-profile_name>

set url-filter-status {enable | disable}

set url-filter <filter_name>

set url-filter-secondary <filter_name>

set url-filter-secondary-status {enable | disable}

set action-url-filter <action-profile_name>

set action-url-filter-secondary <action-profile_name>

set spam-outbreak-protection {enable | disable | monitor-only}

set greylist {enable | disable}

set action-grey-list <action-profile_name>

set spf-checking {enable | disable}

set spf-fail-status {enable | disable}

set spf-neutral-status {enable | disable}

set spf-none-status {enable | disable}

set spf-pass-status {enable | disable}

set spf-perm-error-status {enable | disable}

set spf-soft-fail-status {enable | disable}

set spf-temp-error-status {enable | disable}

set action-spf-fail <action-profile_name>

set action-spf-neutral <action-profile_name>

set action-spf-none <action-profile_name>

set action-spf-pass <action-profile_name>

set action-spf-perm-error <action-profile_name>

set action-spf-soft-fail <action-profile_name>

set action-spf-temp-error <action-profile_name>

set dkim-checking {enable | disable}

set dkim-fail-status {enable | disable}

set dkim-none-status {enable | disable}

set dkim-pass-status {enable | disable}

set dkim-temp-error-status {enable | disable}

set action-dkim-fail <action-profile_name>

set action-dkim-none <action-profile_name>

set action-dkim-pass <action-profile_name>

set action-dkim-temp-error <action-profile_name>

set dmarc-checking {enable | disable}

set dmarc-fail-status {enable | disable}

set dmarc-none-status {enable | disable}

set dmarc-pass-status {enable | disable}

set dmarc-temp-error-status {enable | disable}

set action-dmarc-fail <action-profile_name>

set action-dmarc-none <action-profile_name>

set action-dmarc-pass <action-profile_name>

set action-dmarc-temp-error <action-profile_name>

set behavior-analysis {enable | disable}

set action-behavior-analysis <action-profile_name>

set bec-scan-status {enable | disable}

set weighted-analysis-status {enable | disable}

set weighted-analysis-profile <profile_name>

set action-weighted-analysis <action-profile-name>

set impersonation-analysis {enable | disable}

set impersonation <profile_name>

set action-impersonation-analysis <action-profile_name>

set cousin-domain {enable | disable}

set cousin-domain-profile <cousin-profile_name>

set cousin-domain-scan-option {auto-detection body-detection header-detection}

set action-cousin-domain <action-profile_name>

set sender-alignment-status {enable | disable}

set action-sender-alignment <action-profile_name>

set heuristic {enable | disable}

set heuristic-rules-percent <percentage_int>

set heuristic-lower <threshold_float>

set heuristic-upper <threshold_float>

set action-heuristic <action-profile_name>

set surbl {enable | disable}

config surbl-server

edit <surbl_name>

end

set action-surbl <action-profile_name>

set dnsbl {enable | disable}

config dnsbl-server

edit <dnsbl_name>

end

set action-rbl <action-profile_name>

set deepheader-analysis {enable | disable}

set deepheader-check-ip {enable | disable}

set action-deep-header <action-profile_name>

set banned-word {enable | disable}

config bannedwords

edit <word_str>

set subject {enable | disable}

set body {enable | disable}

next

end

set action-banned-word <action-profile_name>

set safelist-word {enable | disable}

config safelistwords

edit <word_str>

set subject {enable | disable}

set body {enable | disable}

next

end

set dictionary {enable | disable}

set dictionary-type {group | profile}

set dictionary-profile <profile_name>

set dictionary-group <group-name>

set dict-score <threshold_int>

set action-dictionary <action-profile_name>

set image-spam {enable | disable}

set aggressive {enable | disable}

set action-image-spam <action-profile_name>

set bayesian {enable | disable}

set bayesian-usertraining {enable | disable}

set bayesian-autotraining {enable | disable}

set bayesian-user-db {enable | disable}

set action-bayesian <action-profile_name>

set suspicious-newsletter-status {enable | disable}

set action-suspicious-newsletter <action-profile_name>

set newsletter-status {enable | disable}

set action-newsletter <action-profile_name>

end

Variable

Description

Default

<dnsbl_name>

Enter a DNSBL server name to perform a DNSBL scan. The FortiMail unit will query DNS blocklist servers.

<profile_name>

Enter the name of the profile.

<surbl_name>

Enter a SURBL server name to perform a SURBL scan. The FortiMail unit will query SURBL servers.

<word_str>

Enter the word to scan for. You can use wildcards to match multiple words. Regular expressions are not supported. For more information about wildcards and regular expressions, see the FortiMail Administration Guide.

action-banned-word <action-profile_name>

Enter the action profile that FortiMail uses if the banned word scan determines that the email is spam.

action-bayesian <action-profile_name>

Enter the action profile that FortiMail uses if the Bayesian scan determines that the email is spam.

action-behavior-analysis <action-profile_name>

Enter the action profile that FortiMail uses if the behavior analysis scan determines that the email is spam.

action-cousin-domain <action-profile_name>

Enter the action profile that FortiMail uses if the cousin domain scan determines that the email is spam.

action-deep-header <action-profile_name>

Enter the action profile that FortiMail uses if the deep header scan determines that the email is spam.

action-default <action-profile_name>

Enter the default action profile for scans.

If you want a scan to use a different action profile, select it for that specific scan instead of accepting the default.

action-dictionary <action-profile_name>

Enter the action profile that FortiMail uses if the dictionary scan determines that the email is spam.

action-dkim-fail <action-profile_name>

Enter the action profile that FortiMail uses if an email does not pass the DKIM scan.

action-dkim-none <action-profile_name>

Enter the action profile that FortiMail uses if no DKIM DNS record is found, or the record could not be correctly parsed.

action-dkim-pass <action-profile_name>

Enter the action profile that FortiMail uses if an email passes the DKIM scan.

action-dkim-temp-error <action-profile_name>

Enter the action profile that FortiMail uses if the DNS server returns a temporary error when querying the DKIM record.

action-dmarc-fail <action-profile_name>

Enter the action profile that FortiMail uses if an email does not pass the DMARC scan.

action-dmarc-none <action-profile_name>

Enter the action profile that FortiMail uses if no DMARC DNS record is found, or the record could not be correctly parsed.

action-dmarc-pass <action-profile_name>

Enter the action profile that FortiMail uses if an email passes the DMARC scan.

action-dmarc-temp-error <action-profile_name>

Enter the action profile that FortiMail uses if the DNS server returns a temporary error when querying the DMARC DNS record.

action-fortiguard-blockip <action-profile-name>

Enter the action profile that FortiMail uses if the FortiGuard block IP scan determines that the email is spam.

action-fortiguard-phishing-url <action-profile-name>

Enter the action profile that FortiMail uses if the FortiGuard phishing URL scan determines that the email is spam.

action-fortiguard <action-profile_name>

Enter the action profile that FortiMail uses if the FortiGuard Antispam scan determines that the email is spam.

action-grey-list <action-profile_name>

Enter the action profile that FortiMail uses if the greylist scan determines that the email is spam.

action-heuristic <action-profile_name>

Enter the action profile that FortiMail uses if the heuristic scan determines that the email is spam.

action-image-spam <action-profile_name>

Enter the action profile that FortiMail uses if the image scan determines that the email is spam.

action-impersonation-analysis <action-profile_name>

Enter the action profile that FortiMail uses if impersonation analysis determines that the email is from someone impersonating a known email address.

action-ip-reputation-level1 <action-profile_name>

Enter the action profile that FortiMail uses if the IP reputation scan result is level 1.

action-ip-reputation-level2 <action-profile_name>

Enter the action profile that FortiMail uses if the IP reputation scan result is level 2.

action-ip-reputation-level3 <action-profile_name>

Enter the action profile that FortiMail uses if the IP reputation scan result is level 3.

action-newsletter <action-profile_name>

Enter the action profile that FortiMail uses if the newsletter scan determines that the email is spam.

action-rbl <action-profile_name>

Enter the action profile that FortiMail uses if the DNSBL scan determines that the email is spam.

action-sender-alignment <action-profile_name>

Enter the action profile that FortiMail uses if the email does not pass the sender alignment scan.

action-spf-fail <action-profile_name>

Enter the action profile that FortiMail uses if the email does not pass the SPF scan, which means the host is not authorized to send messages.

action-spf-neutral <action-profile_name>

Enter the action profile that FortiMail uses if the SPF scan result is neutral, which means an SPF record is found but makes no definitive assertion.

action-spf-none <action-profile_name>

Enter the action profile that FortiMail uses if the SPF scan has no result, which means there is no SPF record.

action-spf-pass <action-profile_name>

Enter the action profile that FortiMail uses if the email passes the SPF scan, which means the host is authorized to send a message.

action-spf-perm-error <action-profile_name>

Enter the action profile that FortiMail uses if the SPF scan has a permanent error, which means the SPF records are invalid.

action-spf-soft-fail <action-profile_name>

Enter the action profile that FortiMail uses if the SPF scan has a soft failure, which means the host is not authorized to send messages, but it's not a strong statement.

action-spf-temp-error <action-profile_name>

Enter the action profile that FortiMail uses if the SPF scan has a temporary error, which means there is a processing error.

action-surbl <action-profile_name>

Enter the action profile that FortiMail uses if the SURBL scan determines that the email is spam.

action-suspicious-newsletter <action-profile_name>

Enter the action profile that FortiMail uses if the suspicious newsletter scan determines that the email is spam.

action-url-filter-secondary <action-profile_name>

Enter the action profile that FortiMail uses if the secondary URL filter scan determines that the email is spam.

action-url-filter <action-profile_name>

Enter the action profile that FortiMail uses if the URL filter scan determines that the email is spam.

action-weighted-analysis <action-profile-name>

Enter the action profile that FortiMail uses if weighted analysis determines that the email is spam.

aggressive {enable | disable}

Enable this option to examine file attachments in addition to images embedded in the message body.

Tip: To improve performance, enable this option only if you do not have a satisfactory spam detection rate.

disable

apply-action-default {enable | disable}

Enable to perform the action in action-default <action-profile_name> immediately, without applying other antispam filters, if the email matches the IP or recipient policy.

disable

banned-word {enable | disable}

Enable to perform a banned words scan.

disable

bayesian-autotraining {enable | disable}

Enable to use FortiGuard Antispam and SURBL scan results to train per-user Bayesian databases that are not yet mature (that is, they have not yet been trained with 200 legitimate email and 100 spam in order to recognize spam).

enable

bayesian-user-db {enable | disable}

Enable to use per-user Bayesian databases.

If disabled, the Bayesian scan will use either the global or the per-domain Bayesian database, whichever is selected for the protected domain.

disable

bayesian-usertraining {enable | disable}

Enable to accept email forwarded from email users to the Bayesian control email addresses in order to train the Bayesian databases to recognize spam and legitimate email.

enable

bayesian {enable | disable}

Enable to perform a Bayesian scan.

disable

bec-scan-status {enable | disable}

Enable to perform a business email compromise (BEC) scan. Then configure which scans to perform in cousin-domain {enable | disable}, impersonation-analysis {enable | disable}, sender-alignment-status {enable | disable}, and weighted-analysis-status {enable | disable}.

disable

behavior-analysis {enable | disable}

Enable to analyze the similarities between uncertain email and known email in the behavior analysis (BA) database to determine whether the uncertain email is spam.

To adjust the aggressiveness of the scan, see also antispam behavior-analysis.

disable

body {enable | disable}

Enable to scan the email message bodies for the word.

disable

comment "<comment_str>"

Enter a description or comment.

cousin-domain-profile <cousin-profile_name>

Select which cousin domain profile to use.

This setting takes effect if cousin-domain {enable | disable} is enable.

cousin-domain-scan-option {auto-detection body-detection header-detection}

Select where in the email to scan for domain name impersonation: automatically, within the email body, and/or within the message headers.

This setting takes effect if cousin-domain {enable | disable} is enable.

header-detection body-detection auto-detection

cousin-domain {enable | disable}

Enable to perform a cousin domain (domain impersonation) scan. This detects domain names that are deliberately misspelled in order to appear to come from a trusted domain. Then also configure cousin-domain-profile <cousin-profile_name>, cousin-domain-scan-option {auto-detection body-detection header-detection}, and action-cousin-domain <action-profile_name>.

This setting takes effect if bec-scan-status {enable | disable} is enable.

disable

deepheader-analysis {enable | disable}

Enable to inspect all message headers for known spam characteristics.

If the FortiGuard Antispam scan is enabled, this option uses results from that scan, providing up-to-date header analysis.

disable

deepheader-check-ip {enable | disable}

Enable to query for the blocklist status of the IP addresses of all SMTP servers appearing in the Received: message header.

If this setting is disabled, the FortiMail unit examines only the IP address of the current SMTP client.

This setting requires that you also configure either or both FortiGuard Antispam scan and DNSBL scan.

disable

dict-score <threshold_int>

Enter the threshold for dictionary profile matches.

When the dictionary profile scans an email, it counts the number of matching words or phrases, and adjusts this total according to pattern-weight <weight_int> and pattern-max-weight <weight_int>. If the result equals or exceeds this threshold, then FortiMail applies the action in action-dictionary <action-profile_name>.

dictionary-group <group-name>

Select which dictionary profile group to use.

This setting is available if dictionary-type {group | profile} is group.

dictionary-profile <profile_name>

Select which dictionary profile to use.

This setting is available if dictionary-type {group | profile} is profile.

dictionary-type {group | profile}

Select whether to use a single dictionary profile, or a group of dictionary profiles. Then also configure dictionary-profile <profile_name> or dictionary-group <group-name>.

profile

dictionary {enable | disable}

Enable to perform a dictionary scan. Also configure dictionary-type {group | profile} and dict-score <threshold_int>.

disable

dkim-checking {enable | disable}

Enable to perform a DKIM scan. Also configure related options for each possible DKIM result, such as dkim-fail-status {enable | disable} with action-dkim-fail <action-profile_name>. Also configure dkim-signing-option {all | disable | incoming | outgoing}.

If either SPF or DKIM scans pass, then the DMARC scan will pass. If both fail, then DMARC fails.

disable

dkim-fail-status {enable | disable}

Enable or disable checking for an invalid DKIM body hash or signature.

enable

dkim-none-status {enable | disable}

Enable or disable checking for instances where the DNS server has no DKIM record, or the record could not be correctly parsed.

disable

dkim-pass-status {enable | disable}

Enable or disable DKIM check passing.

disable

dkim-temp-error-status {enable | disable}

Enable or disable checking for instances where the DNS server returns a temporary error when querying the DKIM DNS record.

disable

dmarc-checking {enable | disable}

Enable to have the unit perform email authentication with SPF and DKIM checking. If either SPF check or DKIM check passes, DMARC check will pass. If both fail, DMARC fails.

enable

dmarc-fail-status {enable | disable}

Enable or disable DMARC check failing.

enable

dmarc-none-status {enable | disable}

Enable or disable checking for instances where no DMARC DNS record is found, or the record could not be correctly parsed.

disable

dmarc-override-option {override-dkim override-spf}

Select if you want the DMARC result to take precedence over SPF and/or DKIM results. For example, if DMARC verification succeeds, then the SPF fail and soft fail won't take effect anymore.

dmarc-pass-status {enable | disable}

Enable or disable performing an action when the DMARC check result is a pass. Also configure action-dmarc-pass <action-profile_name>.

disable

dmarc-temp-error-status {enable | disable}

Enable or disable checking for instances where the DNS server returns a temporary error when querying the DMARC DNS record. Also configure action-dmarc-temp-error <action-profile_name>.

disable

dnsbl {enable | disable}

Enable to perform a DNSBL scan.

The FortiMail unit will query DNS blocklist servers defined using <dnsbl_name>.

disable

fortiguard-antispam {enable | disable}

Enable for the FortiMail unit to query the FortiGuard Antispam service to determine if any of the uniform resource locators (URL) in the message body are associated with spam. If any URL is blocklisted, the FortiMail unit considers the email to be spam, and you can select the action that the FortiMail unit will perform.

disable

fortiguard-check-ip {enable | disable}

Enable to perform a scan for whether or not the IP address of the SMTP client is blocklisted in the FortiGuard Antispam query.

disable

greylist {enable | disable}

Enable to perform a greylist scan.

disable

heuristic-lower <threshold_float>

Enter the score equal to or below which the FortiMail unit considers an email to not be spam.

-20.000000

heuristic-rules-percent <percentage_int>

Enter the percentage of the total number of heuristic rules that will be used to calculate the heuristic score for an email message.

The FortiMail unit compares this total score to the upper and lower level threshold to determine if an email is:

  • spam

  • not spam

  • indeterminable (score is between the upper and lower level thresholds)

To improve system performance and resource efficiency, enter the lowest percentage of heuristic rules that results in a satisfactory spam detection rate.

25

heuristic-upper <threshold_float>

Enter the score equal to or above which the FortiMail unit considers an email to be spam.

3.500000

heuristic {enable | disable}

Enable to perform a heuristic scan.

disable

image-spam {enable | disable}

Enable to perform an image spam scan.

disable

impersonation-analysis {enable | disable}

Enable to perform a sender impersonation analysis scan. This automatically learns and tracks the mapping of display names and internal email addresses to prevent spoofing attacks. Then also configure impersonation <profile_name> and action-impersonation-analysis <action-profile_name>.

This setting takes effect if bec-scan-status {enable | disable} is enable.

disable

impersonation <profile_name>

Select which impersonation profile to use.

This setting takes effect if impersonation-analysis {enable | disable} is enable.

disable

ip-reputation-level3-status {enable | disable}

Enable to query the FortiGuard Antispam service about the reputation of the public IP address of the SMTP client to determine if it is blocklisted.

disable

ip-reputation-level2-status {enable | disable}

Enable to query the FortiGuard Antispam service about the reputation of the public IP address of the SMTP client to determine if it is blocklisted.

disable

ip-reputation-level1-status {enable | disable}

Enable to query the FortiGuard Antispam service about the reputation of the public IP address of the SMTP client to determine if it is blocklisted.

FortiGuard categorizes blocklisted IP addresses into three levels. Level 1 has the worst reputation and level 3 the best.

disable

newsletter-status {enable | disable}

Enable to detect newsletters and other marketing campaigns that are not spam.

safelist-enable {enable | disable}

Enable to automatically update personal safelist database from sent email.

disable

safelist-word {enable | disable}

Enable to perform a safelist word scan. Also configure <word_str>, body {enable | disable}, and subject {enable | disable}.

disable

scan-bypass-on-auth {enable | disable}

Enable to omit antispam scans when an SMTP sender is authenticated.

disable

scan-max-size <bytes_int>

Enter the maximum size, in bytes, that the FortiMail unit will scan for spam. Messages exceeding the limit will not be scanned for spam.

To scan all email regardless of size, enter 0.

1204
(for predefined profiles)

600
(for user-defined profiles)

scan-pdf {enable | disable}

Enable to scan the first page of PDF attachments using heuristic, banned word, and image spam scans, if they are enabled.

disable

sender-alignment-status {enable | disable}

Enable to scan for sender email address and name mismatches.

Sender alignment compares the sender email address in the message header (From:) with the SMTP envelope (MAIL FROM:) to look for a mismatch, which is typical of spam.

If the sender email address fails the check, FortiMail takes the action in action-sender-alignment <action-profile_name>.

This setting takes effect if bec-scan-status {enable | disable} is enable.

disable

spam-outbreak-protection {enable | disable | monitor-only}

Enable to temporarily hold suspicious email for a certain period of time (outbreak-protection-period <minutes_int>) if the enabled FortiGuard Antispam check (block IP and/or URL filter) returns no result. After the specified time interval, FortiMail will query the FortiGuard server again. This provides an opportunity for the FortiGuard Antispam service to update its database when a spam outbreak occurs.

When set to monitor-only, email is not deferred. Instead, FortiMail inserts the message header X-FEAS-Spam-outbreak: monitor-only, and the email is logged.

disable

spf-checking {enable | disable}

Enable to have the FortiMail unit perform the action configured in this antispam profile, instead of the action configured in the session profile. See spf-validation {enable | disable}.

You can specify different actions toward different SPF check results:

  • spf-fail-status: Host is not authorized to send messages.

  • spf-soft-fail-status: Host is not authorized to send messages, but this is not a strong statement.

  • spf-sender-alignment-status: Domain name in the message header From: and SMTP AUTH command do not match.

  • spf-perm-error-status: SPF records are invalid.

  • spf-temp-error-status: Temporary processing error.

  • spf-pass-status: Host is authorized to send messages.

  • spf-neutral-status: An SPF record is found but makes no definitive assertion.

  • spf-none-status: No SPF record.

disable

spf-fail-status {enable | disable}

Enable to make the FortiMail unit check if the host is not authorized to send messages.

If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-fail.

spf-neutral-status {enable | disable}

Enable to make the FortiMail unit check if an SPF record is found but makes no definitive assertion.

If the SPF check result is neutral, FortiMail takes the antispam action entered in action-spf-neutral.

spf-none-status {enable | disable}

Enable to make the FortiMail unit check if there is no SPF record.

If there is no SPF record, FortiMail takes the antispam action entered in action-spf-none.

spf-pass-status {enable | disable}

Enable to make the FortiMail unit check if the host is authorized to send messages.

If the client IP address passes the SPF check, FortiMail takes the antispam action configured in action-spf-pass.

spf-perm-error-status {enable | disable}

Enable to make the FortiMail unit check if the SPF records are invalid.

If the SPF check returns a permanent error, FortiMail takes the antispam action entered in action-spf-perm-error.

spf-soft-fail-status {enable | disable}

Enable to make the FortiMail unit check if the host is not authorized to send messages, but this is not a strong statement.

If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-soft-fail.

enable

spf-temp-error-status {enable | disable}

Enable to make the FortiMail unit check if there is a processing error.

If the SPF check returns a temporary error, FortiMail takes the antispam action entered in action-spf-temp-error.

subject {enable | disable}

Enable to scan subject lines for the word.

disable

surbl {enable | disable}

Enable to perform a SURBL scan. The FortiMail unit will query SURBL servers defined using <surbl_name>.

disable

suspicious-newsletter-status {enable | disable}

Enable the detection of newsletters.

disable

url-filter-secondary-status {enable | disable}

Enable or disable the secondary URL filter scan.

disable

url-filter-secondary <filter_name>

To take different actions towards different URL filters/categories, you can specify a primary and a secondary filter, and specify different actions for each filter. If both URL filters match an email message, the primary filter action will take precedence.

url-filter-status {enable | disable}

Enable or disable URL filter scan.

disable

url-filter <filter_name>

Enter the URL filter to use.

weighted-analysis-profile <profile_name>

Enter the weighted analysis profile to use.

This setting takes effect if weighted-analysis-status {enable | disable} is enable.

weighted-analysis-status {enable | disable}

Enable or disable the weighted analysis profile scan.

Then also configure weighted-analysis-profile <profile_name> and action-weighted-analysis <action-profile-name>.

This setting takes effect if bec-scan-status {enable | disable} is enable.

disable
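The dependency notes in the table above ("This setting takes effect if ...", "This setting requires ...") can be checked mechanically. The following is an added example, not part of the Fortinet reference: a small Python linter that reads profile text in the syntax shown above and reports options that will not take effect or that switch scanning off. The sample profile is constructed, the function names are hypothetical, and unset options are assumed to keep the defaults listed in the table.

```python
import shlex

# Every on/off option read below defaults to disable in the table above;
# dictionary-type defaults to profile.
BEC_SCANS = ("cousin-domain", "impersonation-analysis",
             "sender-alignment-status", "weighted-analysis-status")

# Constructed sample input; profile and server names are made up.
SAMPLE = """\
config profile antispam
  edit "AS_Inbound_Example"
    set scan-max-size 600
    set scan-bypass-on-auth enable
    set cousin-domain enable
    set sender-alignment-status enable
    set deepheader-check-ip enable
    set dnsbl enable
    config dnsbl-server
      edit "dnsbl.example.net"
    end
    set dictionary enable
    set dictionary-type group
  next
  edit "AS_BEC_Example"
    set bec-scan-status enable
    set impersonation-analysis enable
  next
end
"""

def parse_profiles(text):
    """Map profile name -> {option: value}; nested config tables are skipped."""
    profiles, current, depth = {}, None, 0
    for line in text.splitlines():
        tokens = shlex.split(line)
        word = tokens[0] if tokens else ""
        if word == "config":
            depth += 1
        elif word == "end":
            depth -= 1
        elif depth != 1:
            continue  # inside a nested table such as dnsbl-server
        elif word == "edit" and len(tokens) > 1:
            current = profiles.setdefault(tokens[1], {})
        elif word == "set" and current is not None and len(tokens) > 2:
            current[tokens[1]] = " ".join(tokens[2:])
    return profiles

def lint_profile(settings):
    """Return (option, message) findings for one profile's explicit settings."""
    on = lambda key: settings.get(key, "disable") == "enable"
    found = []
    if not on("bec-scan-status"):
        found += [(s, "enabled, but takes effect only if bec-scan-status is enable")
                  for s in BEC_SCANS if on(s)]
    if on("deepheader-check-ip") and not (on("fortiguard-antispam") or on("dnsbl")):
        found.append(("deepheader-check-ip", "requires FortiGuard Antispam or DNSBL scan"))
    if on("apply-action-default"):
        found.append(("apply-action-default", "default action applies without other filters"))
    if on("scan-bypass-on-auth"):
        found.append(("scan-bypass-on-auth", "authenticated SMTP senders skip antispam scans"))
    if settings.get("scan-max-size", "0") != "0":
        found.append(("scan-max-size", "messages exceeding this size are not scanned"))
    if on("dictionary"):
        kind = settings.get("dictionary-type", "profile")
        need = "dictionary-group" if kind == "group" else "dictionary-profile"
        if need not in settings:
            found.append((need, f"dictionary scan is enabled with type {kind} but this is unset"))
    return found

if __name__ == "__main__":
    for name, settings in parse_profiles(SAMPLE).items():
        for option, message in lint_profile(settings):
            print(f"{name}: {option}: {message}")
```

The scan-max-size check only fires on an explicit non-zero value, because the default differs between predefined and user-defined profiles.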

Related topics

antispam settings

domain

profile antispam-action

profile cousin-domain

profile dictionary

profile weighted-analysis

system fortiguard antispam