Configuring antispam profiles

FortiMail units can use many methods to detect spam, such as the FortiGuard Antispam service, DNSBL queries, and more. Antispam profiles can save you time: you can configure a group of scans in a profile, and then reuse that profile in multiple policies.

For information on the order in which FortiMail units perform each type of antispam scan, see Order of execution.

You can use an LDAP query to enable or disable antispam scanning on a per-user basis. For details, see Configuring LDAP profiles and Configuring scan override options.

To manage incoming antispam profiles

1. Depending on the type of antispam scan, before you select it in a profile, you may need to enable the feature, validate its license, or configure its system-wide settings. See Configuring FortiGuard services and licensed features.

2. Go to Profile > AntiSpam > AntiSpam.

3. Either click New or Clone to add a profile, or double-click a profile to modify it.

   Alternatively, see Batch editing antispam profiles.

4. Configure the following:

   GUI item	Description
   Domain	Select which protected domain this profile belongs to, or System (all protected domains can use this profile). You can only see the domains that are permitted by your administrator profile. See About administrator account permissions and domains.
   Name	Enter a unique name for the profile.
   Comment	Enter a comment or description.
   Default action	Select the action profile to apply when the antispam profile detects spam. For each scan in the antispam profile, you can use its Action setting to override this default and select a more specific behavior. See also Configuring antispam action profiles.

5. Depending on which scans you want to use, enable and expand to configure the following:

   • FortiGuard section
   • Greylist section
   • SPF section
   • DKIM section
   • DMARC section
   • ARC section
   • Behavior analysis section
   • Header analysis section
   • Business email compromise section
   • Heuristic section
   • SURBL section
   • DNSBL section
   • Banned word section
   • Safelist word section
   • Dictionary section
   • Image spam section
   • Bayesian section
   • Newsletter and suspicious newsletter sections

6. Expand the Scan Option section, and configure the following:

   GUI item	Description
   Max message size to scan	Enter the maximum size of each email, in bytes, that the FortiMail unit will scan for spam. Larger email are not scanned for spam. To disable the limit so that all email are scanned, enter 0. If spam is usually smaller, then you can reduce this limit to improve performance. (More system resources are required to scan larger email.)
   Bypass scan on SMTP authentication	Enable to bypass spam scanning for authenticated SMTP connections. This option is enabled by default. If authenticated SMTP clients are not a source of spam, then you can enable this option to improve performance.
   Scan PDF attachment	Enable to inspect PDF attachments with the heuristic, banned word, and/or image spam scans (if you have enabled them). See also Heuristic section, Banned word section, and Image spam section. If Attachment images is enabled in QR code URL scan, then FortiMail also scans QR code images in the PDF. See Configuring preferences. Spammers may attach a PDF file to an email with an empty body to try to bypass spam scans. Because the body has no text to scan, it cannot determine spam status. However the PDF content is still spam. This option detects this type of spam.
   Apply default action without scan upon policy match	Enable to perform the action in Default action immediately, without applying other antispam filters, if the email matches the IP or recipient policy.

7. Click Create or OK.

8. To apply the antispam profile, select it in a policy.

FortiGuard section

The FortiMail unit can query the FortiGuard Antispam service and custom threat feeds to determine spam status. Before you select FortiGuard scans in an antispam profile, you must enable and configure FortiGuard Antispam rating queries.

In general, for the FortiGuard section, if Action is None, then by default, for all sub-scans, FortiMail still scans and logs FortiGuard Antispam results, but does not perform an action. However if you then select a different specific action for sub-scans such as IP Reputation, then it overrides and FortiMaildoes apply that action. When both IP Reputation and URL Category scans detect spam, then the URL category's action takes precedence. For example, if the Action is Tag for IP Reputation, but Reject for URL Category, then the email is rejected.

If the FortiGuardscans are enabled, you may improve performance and the spam catch rate by also enabling Block IP.

GUI item		Description
IP Reputation		Examine if the SMTP client's IP address is blocklisted.
	Level 1 Level 2 Level 3	FortiGuard Antispam service categorizes blocklisted IP addresses into: Level 3: Bad reputation. Level 2: Worse reputation. Level 1: Worst reputation. Enable each level that you want to apply an Action to. To avoid false positives, you can select a different action for each level. Strict actions, such as reject or discard, are usually effective for Level 1, but less strict actions, such as quarantine or tag, usually can be used with Level 3.
	Threat feed	Use custom lists of IP addresses that are known sources of spam, and then select an Action. For details, see Configuring a threat feed.
	Extract IP from Received Header	If the SMTP client has a private network IP address (which is not guaranteed to be a unique identifier), then the FortiMail unit will query about the first public IP address in the header instead. (If you want to examine all public IP addresses in the Received: lines of the message header, enable Extract IP from Received Header.) FortiGuard Antispam scans do not examine private network addresses as defined in RFC 1918 because different private networks may use the same IP address ranges, and therefore it does not accurately identify specific SMTP clients.
URL Category		Determine if any uniform resource identifiers (URI) in the message body are associated with spam. FortiGuard groups URLs into various rating categories, such as phishing, drug abuse, etc. If you have configured custom categories, these can also be used. You can configure how FortiMail detects URLs. For details see About URL types.
	Primary Secondary	You can split categories into Primary and Secondary to select a separate Action for each, such as to exempt URLs from spam filtering. For details, see Configuring URL filter profiles. If an email matches URL categories in both Primary and Secondary, then the Action that you select for Primary takes precedence. To reduce false positives, unrated IP addresses are ignored.
Spam outbreak protection		Select Enable to temporarily hold suspicious email if the FortiGuard Antispam scan for blocklisted IP addresses and/or URL category returns no result. This provides an opportunity for the FortiGuard Antispam service to update its database if a spam outbreak has just started and is not yet confirmed. To configure the hold time period, enter the CLI commands: config profile antispam set spam-outbreak-protection config system fortiguard antispam set outbreak-protection-period To view the email currently being held, go to Monitor > Mail Queue > Spam Outbreak. After the time interval, FortiMail queries the FortiGuard server again to determine the final result and apply the matching action. Spam outbreak protection uses the Action that you select for FortiGuard, not the Default action for the whole antispam profile. If spam outbreak protection needs to temporarily hold the email (so the SMTP client is no longer connected and a Reject action is not technically possible anymore), and spam status is confirmed later, then the FortiMail instead applies the System Quarantine action. If the Secondary URL category is matched, then the email will be deferred in the spam outbreak queue. If you select Monitor only, then email is not deferred. Instead, FortiMail logs the email and inserts this message header: X-FEAS-Spam-outbreak: monitor-only

Greylist section

See Configuring greylisting.

Greylisting can improve performance by blocking most spam before it undergoes other resource-intensive antispam scans.

SPF section

If the DNS record lists IP addresses that are authorized to send email for the domain name, then you can enable SPF verification to compare the SMTP client's IP address to that DNS record (RFC 4408). If SPF information does not exist in the DNS record, then IP address validation is omitted.

Unlike SPF verification by a session profile, SPF verification by an antispam profile does not increase the SMTP client’s reputation score if the check fails.

SPF verifications do not examine private network addresses as defined in RFC 1918 because different private networks may use the same IP address ranges, and therefore it does not accurately identify specific SMTP clients.

If you select Bypass in the session profile (see Configuring sender validation options) or if a safe list matches (see Configuring the block lists and safe lists), then even if you enable SPF in the antispam profile, FortiMail skips SPF.

GUI item	Description
Fail	Select which Action to perform if SPF indicates that the SMTP client is not authorized to send email for that domain name.
Soft Fail	Select which Action to perform if SPF indicates that the SMTP client is not authorized to send email for that domain name, but there is no strong statement.
Permanent Error	Select which Action to perform if the DNS server returned an invalid SPF record when FortiMail made the DNS query.
Temporary Error	Select which Action to perform if the DNS server returned Temp error when FortiMail made the DNS query.
Pass	Select which Action to perform if SPF verification succeeds, and the SMTP client is an authorized sender.
Neutral	Select which Action to perform if a valid SPF record exists, but there is no definitive assertion.
None	Select which Action to perform if a SPF record does not exist on the DNS server.

DKIM section

DomainKeys Identified Mail (DKIM) utilizes public and private keys to digitally sign outbound emails to prove that email has not been tampered with in transit.

If a safe list matches (see Configuring the block lists and safe lists), then even if you enable DKIM in the antispam profile, FortiMail skips DKIM.

GUI item	Description
Fail	Select which Action to perform if DKIM verification detects an invalid signature or body hash.
Temporary Error	Select which Action to perform if the DNS server returned Temp error when FortiMail made the DNS query.
Pass	Select which Action to perform if DKIM verification succeeds.
None	Select which Action to perform if no DKIM information exists in the DNS record, or the record could not be parsed.

DMARC section

Domain-based Message Authentication, Reporting & Conformance (DMARC) performs email authentication with SPF and DKIM.

If either the SPF or DKIM verification succeeds, then DMARC verification succeeds. If both of them fail, then DMARC verification fails.

FortiMail also verifies DMARC alignment, where at least one of the domains authenticated by SPF or DKIM must align with the sender domain in the message header (From:). If they do not align, then the DMARC check fails. See also RFC 7489.

GUI item	Description
Fail	Select which Action to perform if DMARC verification fails.
Temporary Error	Select which Action to perform if the DNS server returned Temp error when FortiMail made the DNS query.
Pass	Select which Action to perform if DMARC verification succeeds.
None	Select which Action to perform if no DMARC information exists in the DNS record, or the record could not be parsed.
DMARC override	Enable SPF and/or DKIM if you want the DMARC result to take precedence over SPF and DKIM results. For example, if DMARC verification succeeds, then the SPF fail and soft fail won't take effect anymore.

FortiMail combines non-final actions set in the antispam profile with the actions set in the DMARC DNS record policy. If the antispam profile DMARC actions are non-final, such as Tag subject and Notify, then they are combined with the actions in the DMARC DNS record policy: none, reject, or quarantine. This happens when DMARC failure action is either Action profile or, if the policy option in the sender's DMARC record is p=none, Action profile with none.

You can generate DMARC reports automatically, or manually (on demand), or administrators can log into FortiMail to view current statistics. See Viewing DMARC report statistics.

ARC section

Authenticated Received Chain (ARC) permits intermediate email servers (such as mailing lists or forwarding services) to sign an email's original authentication results. This allows a receiving service to validate an email, even if its SPF and DKIM records are rendered invalid by an intermediate server's processing. Successful ARC validation requires that the receiver trusts the ARC signer. For more information, see RFC 8617.

If you enable ARC override for SPF, DKIM, and/or DMARC, then the ARC result has priority over them.

Behavior analysis section

Behavior analysis (BA) uses a database to analyze similarities between known spam and undetermined email to determine if an email is spam.

The BA database is a gathering of spam email caught by FortiGuard Antispam service. Therefore, the accuracy of the FortiGuard Antispam service has a direct impact on the BA accuracy.

You can adjust the BA aggressiveness using the following CLI commands:

config antispam behavior-analysis

set analysis-level {high | medium | low}

end

The high setting means the most aggressive while the low setting means the least aggressive. The default setting is medium.

You can also reset (empty) the BA database using the following CLI command:

diagnose debug application mailfilterd behavior-analysis update

Header analysis section

Enable this option to examine the entire message header for spam characteristics.

Business email compromise section

To better protect against business email compromise (BEC) spam attacks, FortiMail can scan for cousin domains, suspicious characters, sender alignment, action keywords, and URL categories. To avoid false positives and false negatives, you can adjust ("weight") the scores of each type of suspicious behavior, and the total score threshold that an email must reach to be categorized as spam.

GUI item	Description
Weighted analysis	Enable to apply a weighted analysis profile and assign an appropriate action. See also Configuring weighted analysis profiles.
Impersonation analysis	Enable to automatically learn and track the mapping of display names and internal email addresses to prevent spoofing attacks. See also Configuring impersonation profiles.
Cousin domain	Enable to scan for domain names that are deliberately misspelled in order to appear to come from a trusted domain. Additionally, enable Header Detection, Body Detection, and/or Auto Detection if you wish to scan for cousin domain names either within the email header, the email body, and/or automatically (respectively). See also Configuring cousin domain profiles.
Sender alignment	Enable to scan for sender email address and name mismatches. Sender alignment compares the message header (From: (and any others you select in Apply to) with the SMTP envelope (MAIL FROM:) to look for a mismatch, which is typical of spam.

Heuristic section

Heuristic scans can use many rules. Each rule has an individual score used to calculate the total score for an email. If an email matches the rule, then its score is added to the total. For example, if the subject line of an email contains “As seen on national TV!”, then it might match a heuristic rule that increases the heuristic scan score towards the threshold.

• Spam: Total score equals or exceeds the threshold.
• Not spam: Total score is less than the threshold.

A default heuristic rule set is included with the firmware. Update your FortiGuard Antispam packages regularly to get current heuristic rules for the most accurate heuristic score.

Heuristic scanning is resource intensive. If spam detection rates are acceptable without heuristic scanning, consider disabling it or limiting its application to policies for problematic hosts. You can also apply heuristic scans to PDF attachments. See Scan PDF attachment.

GUI item	Description
Threshold	Enter the score at which the FortiMail unit considers an email to be spam. The default value is recommended.
The percentage of rules used	Enter the percentage of the total number of heuristic rules to use to calculate the heuristic score for an email.

SURBL section

In addition to supporting Fortinet’s FortiGuard Antispam SURBL service, the FortiMail unit supports third-party Spam URL Realtime Block Lists (SURBL) servers. You can specify which public SURBL servers to use as part of an antispam profile. Consult the third-party SURBL service providers for any conditions and restrictions.

The SURBL section of antispam profiles lets you configure the FortiMail unit to query one or more SURBL servers to determine if any of the uniform resource identifiers (URL) in the message body are associated with spam. If a URL is blocklisted, the FortiMail unit treats the email as spam and performs the associated action. You can configure how FortiMail detects URLs. See About URL types.

To add a SURBL server

1. In the SURBL section of an antispam profile, click Configuration.

   A pop-up window appears that displays a list of SURBL servers.

2. Click New and type the address of a SURBL server.

   Servers are queried from top to bottom. Therefore you may want to put the reliable servers with less traffic at the top of the list.

3. Click OK.

   The pop-up window closes.

   When you close the pop-up window, it does not save. Before navigating to another part of the GUI, you must click OK in the antispam profile in order to save it and the list.

4. Click Create or OK.

DNSBL section

In addition to supporting Fortinet’s FortiGuard Antispam DNSBL service, the FortiMail unit can query third-party DNS blocklist servers to determine if an SMTP client is blocklisted. Consult the third-party DNSBL service providers for any conditions and restrictions.

Carefully select your DNSBL providers and review their operations. Fortinet recommends that all email administrators utilize services which have clearly defined and rational listing policies and do not charge for delisting. Services that block whole subnets and AS numbers and have a business model which charges for delisting should be viewed with heavy caution. Fortinet cannot delist IP addresses blocklisted by other vendors.

DNSBL scans examine the IP address of the SMTP client that is currently delivering the email message. If the Enable Block IP to query for the blocklist status of the IP addresses of all SMTP servers appearing in the Received: lines of header lines. option in the Deep header section is enabled, DNSBL scan will also examine the IP addresses of all other SMTP servers that appear in the Received: lines of the message header.See FortiGuard section.

DNSBL scans do not examine private network addresses as defined in RFC 1918 because different private networks may use the same IP address ranges, and therefore it does not accurately identify specific SMTP clients.

To add a DNSBL server

1. In the DNSBL section of an antispam profile, click Configuration.

   A pop-up window appears that displays a list of DNSBL servers.

2. Click New and type the address of a DNSBL server.

   Servers are queried from top to bottom. Therefore you may want to put the reliable servers with less traffic at the top of the list.

3. Click OK.

   The pop-up window closes.

   When you close the pop-up window, it does not save. Before navigating to another part of the GUI, you must click OK in the antispam profile in order to save it and the list.

4. Click Create or OK.

Banned word section

The Banned word section of antispam profiles lets you configure the FortiMail unit to consider email messages as spam if the subject line and/or message body contain a prohibited word.

When banned word scanning is enabled and an email is found to contain a banned word, the FortiMail unit adds X-FEAS-BANNEDWORD: to the message header, followed by the banned word found in the email. The header may be useful for troubleshooting purposes, when determining which banned word or phrase caused an email to be blocked.

You can use wildcards in banned words. But unlike dictionary scans, banned word scans do not support regular expressions. For details, see Appendix D: Wildcards and regular expressions.

You can also apply this scan to PDF attachments. See Scan PDF attachment.

To add banned words

1. In the Banned word section of an antispam profile, click Configuration.

   A pop-up window appears that displays a list of banned words.

2. Click New.

3. In Banned Word, enter the word or phrase.

   If you want to scan email subject lines for the word, enable Subject. If you want to scan the message body, enable Body.

4. Repeat the previous step until you have added all of the words.

5. Click OK.

   The pop-up window closes.

   When you close the pop-up window, it does not save. Before navigating to another part of the GUI, you must click OK in the antispam profile in order to save it and the list.

6. Click Create or OK.

Safelist word section

Safelist word scans let you exempt email from being categorized as spam if they contain specific key words or phrases.

You can use wildcards to match multiple safelist words. Unlike dictionary scans, safelist word scans do not support regular expressions. For details, see Appendix D: Wildcards and regular expressions.

To configure safelist words

1. In the Safelist word section of an antispam profile, click Configuration.

   A pop-up window appears that displays a list of banned words.

2. Click New.

3. In Safelist Word, enter the word or phrase.

   If you want to scan email subject lines for the word, enable Subject. If you want to scan the message body, enable Body.

4. Repeat the previous step until you have added all of the words.

5. Click OK.

   The pop-up window closes.

   When you close the pop-up window, it does not save. Before navigating to another part of the GUI, you must click OK in the antispam profile in order to save it and the list.

6. Click Create or OK.

Dictionary section

Dictionary scans use dictionary profiles (see Configuring dictionary profiles.) to determine if the email is spam.

If an email has a dictionary word, FortiMail units add X-FEAS-DICTIONARY: to the message header, followed by the dictionary word or pattern found in the email. The header may be useful for troubleshooting purposes, when determining which dictionary word or pattern caused an email to be blocked.

Compared to banned word scans, dictionary scans are more resource-intensive. If you do not require dictionary features such as regular expressions, consider using a banned word scan instead.

GUI item	Description
With dictionary group	Select the name of a group of dictionary profiles to use with the dictionary scan. Alternatively, configure With dictionary profile.
With dictionary profile	Select the name of a dictionary profile to use with the dictionary scan.
Minimum dictionary score	Enter the number of dictionary term matches above which the email will be considered to be spam. Note: Score value is based on individual dictionary profile matches, not the dictionary group matches.

Image spam section

Image spam scans analyze the contents of GIF, JPG, and PNG graphics to determine if the email is spam. This may be useful if the message body of an email contains graphics but no text, and therefore text-based antispam scans cannot determine spam status.

GUI item	Description
Aggressive	Enable to inspect image file attachments in addition to embedded graphics. If you do not require this feature, disable it to improve performance. Enabling this option increases workload when scanning email messages that contain image file attachments. This option applies only if you enable Scan PDF attachment.

Bayesian section

Bayesian scans use a trained database to determine if the email is spam.FortiMail units can maintain multiple Bayesian databases: global, and specific to each protected domain.

• For outgoing email, the FortiMail unit uses the global Bayesian database.
• For incoming email, which database will be used when performing the Bayesian scan varies by configuration of the incoming antispam profile and the configuration of the protected domain.

Before using Bayesian scans, you must train one or more Bayesian databases in order to teach the FortiMail unit which words indicate probable spam. If a Bayesian database is not sufficiently trained, it can increase false positive and/or false negative rates. You can train the Bayesian databases of your FortiMail unit in several ways. For more information, see Training the Bayesian databases.

If you do not continue to train it, Bayesian scanning becomes significantly less effective over time. Therefore Fortinet does not recommend enabling this feature.

GUI item	Description
Accept training messages from user	Enable to accept training messages from email users. Training messages are email messages that email users forward to the email addresses of control accounts, such as is‑spam@example.com, in order to train or correct Bayesian databases. For information on Bayesian control account email addresses, see Configuring the quarantine control options. FortiMail units apply training messages to either the global or per-domain Bayesian database depending on your configuration of the protected domain to which the email user belongs. Disable to discard training messages. This option is available only if Direction is Incoming (per-domain Bayesian databases cannot be used when the recipient does not belong to a protected domain, which defines outgoing email).
Use other techniques for auto training	Enable to use scan results from FortiGuard, SURBL, and per-user and system-wide safelists to train the Bayesian databases. This option is available only if Direction is Incoming (domain-level Bayesian databases cannot be used when the recipient does not belong to a protected domain, which defines outgoing email).

Newsletter and suspicious newsletter sections

Although newsletters and marketing campaigns are often opt-in and therefore are technically not spam in some geographic regions, some users may find them annoying. It can save time to tag the subject line, so that they can apply rules in their email client to filter out newsletters. Administrators may not want to waste system resources on processing or storing newsletters, either. Some newsletters are suspicious, too, because they may actually be disguised spam.

Enable these options to detect both real and fake newsletters, and then in Action, select an action profile. If both types are enabled, and if a FortiMail detects that an email is suspicious, then it applies the action for suspicious newsletters only.