Configuring weighted analysis profiles
You can create weighted analysis profiles containing one or more score-weighted rules configured to scan for various categories, including intelligent analysis.
To create a weighted analysis profile
- Go to Profile > AntiSpam > Weighted Analysis.
- Either click New or Clone to add a profile, or double-click a profile to modify it.
  Alternatively, see Batch editing antispam profiles.
- Configure the following:
GUI item
Description
Select which protected domain this profile belongs to, or System (all protected domains can use this profile).
You can only see the domains that are permitted by your administrator profile. See About administrator account permissions and domains.
Enter a unique name for the profile.
Enter a comment or description.
- In the Rule section, click New and then configure the following:
GUI item
Description
Enable or disable the rule.
Name: Enter the name of the rule.
(dropdown list): Specify an action for the rule.
Threshold: Enter the threshold at which the current rule is to be triggered. This score will be allocated to the categories below.
Score Weight: Enter the score weight thresholds of the following factors:
  - Relationship strength: Set the score for a strong or weak relationship result obtained from querying FortiGuard Sender and Recipient Relation (SRR).
    The FortiGuard Social Database contains the social mapping of the email communication flow. For example, if user1@example1.com and user2@example2.com communicate regularly, then their SRR is strong; if user1 and user2 have no history of communication, then their SRR is weak.
  - Intelligent analysis: Multiple factors contribute to intelligent analysis in order to reduce false positives, including:
    - SPF
    - DKIM
    - DMARC
    - matching of sender addresses in the message headers (From: and Reply-To:)
    - newly registered domain names that do not have a FortiGuard Antispam rating yet
    - header analysis
    - malformed email detection
  - Cousin domain: Detects domain impersonation. See Configuring cousin domain profiles.
  - Suspicious character: Detects internationalized domain name (IDN) homograph attacks. If domain names in URLs, sender email addresses, or recipient email addresses have Unicode characters that are from different languages yet look similar (for example, A looks similar in Cyrillic, Greek, and Latin alphabets), then an attacker could trick the user into using a fraudulent website or email. FortiMail detects these as suspicious.
  - Sender alignment: Compares the domain name of the sender email address in the message header (From:) and SMTP envelope (MAIL FROM:) to look for a mismatch, which is typical of spam.
  - Action keyword: Select the name of a dictionary profile that contains words or phrases that typically appear only in spam.
    Keywords are often a "call to action" that motivates the user to reply or click a hyperlink. For example, "Click here", "transfer", "money", "dollars", "bank account", "conference attendee", etc.
    - Dictionary profile: Select the dictionary profile. See Configuring dictionary profiles.
    - Minimum dictionary score: Enter the threshold for dictionary profile matches.
      When the dictionary profile scans an email, it counts the number of matching words or phrases, and adjusts this total according to the pattern weight and maximum pattern weight in the dictionary profile. If the result equals or exceeds this threshold, then FortiMail applies the weighted score defined in Action keyword.
  - Malformed email: Detects malformed data in the email structure, header, or body. For more information, see RFC 7103.
- Repeat the previous step until all rules are configured.
- Click Create or OK.
- To apply a weighted analysis profile, select it in an antispam profile. See Business email compromise section.
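
The Suspicious character factor described above flags domain names that mix look-alike alphabets. The following Python code is an added example, not FortiMail's implementation and not part of the original page; it shows one way to run such a check over URLs, email addresses and punycode-encoded domains. All function names are hypothetical, and checking each domain label separately against only the Latin, Greek and Cyrillic scripts is an assumption.

```python
import unicodedata
from urllib.parse import urlsplit

# Look-alike alphabets named in the Suspicious character description.
CONFUSABLE_SCRIPTS = {"LATIN", "GREEK", "CYRILLIC"}

def host_of(value):
    """Return the host part of a URL, an email address, or a bare domain."""
    if "://" in value:
        return urlsplit(value).hostname or ""
    return value.rsplit("@", 1)[-1].strip("<> ").lower()

def decode_label(label):
    """Decode a punycode ("xn--") label to Unicode; return other labels as-is."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # not valid punycode: keep the raw ASCII label
    return label

def scripts_in(label):
    """Return the look-alike scripts used by the letters of one label."""
    found = set()
    for ch in label:
        # For these alphabets a letter's Unicode name starts with its script.
        script = unicodedata.name(ch, "").split(" ")[0]
        if ch.isalpha() and script in CONFUSABLE_SCRIPTS:
            found.add(script)
    return found

def suspicious_labels(value):
    """Return (label, scripts) for each domain label mixing look-alike scripts."""
    hits = []
    for label in host_of(value).split("."):
        text = decode_label(label)
        scripts = scripts_in(text)
        if len(scripts) > 1:
            hits.append((text, sorted(scripts)))
    return hits

if __name__ == "__main__":
    # Constructed samples: U+0430 is Cyrillic "a", U+03BF is Greek "o".
    ace = "xn--" + "p\u0430ypal".encode("punycode").decode("ascii") + ".example"
    for sample in ("billing@p\u0430ypal.example", ace,
                   "https://g\u03bfogle.example/login", "user1@example1.com"):
        print(sample, suspicious_labels(sample))
```

A label written entirely in one non-Latin script is not flagged by this check, so a domain spelled wholly in look-alike Cyrillic letters needs a separate confusable-character comparison.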