antispam settings

Use these commands to configure global antispam settings.

Syntax

config antispam settings

set backend-verify <time_str>

set bayesian-is-not-spam <local-part_str>

set bayesian-is-spam <local-part_str>

set bayesian-learn-is-not-spam <local-part_str>

set bayesian-learn-is-spam <local-part_str>

set bayesian-training-group <local-part_str>

set blocklist-action {as-profile | discard | reject}

set bounce-verification-action {as-profile | discard | reject}

set bounce-verification-auto-delete-policy {never | one-month | one-year | six-months | three-months}

set bounce-verification-status {enable | disable}

set bounce-verification-tagexpiry <days_int>

set carrier-endpoint-acct-response {enable | disable}

set carrier-endpoint-acct-secret <password_str>

set carrier-endpoint-acct-validate {enable | disable}

set carrier-endpoint-attribute {Acct-Authentic ... Vendor-Specific}

set carrier-endpoint-blocklist-window-size {15m | 30m | 60m | 90m | 120m | 240m | 360m | 480m | 1440m}

set carrier-endpoint-framed-ip-attr {Framed-IP-Address | Login-IP-Host | Login-IPv6-Host | NAS-IP-Address | NAS-IPv6-Address}

set carrier-endpoint-framed-ip-order {host-order | network-order}

set carrier-endpoint-radius-port <port_int>

set carrier-endpoint-status {enable | disable}

set delete-ctrl-account <local_part_str>

set dmarc-failure-action {use-policy-action | use-profile-action | use-profile-action-with-none}

set dynamic-safe-list-domain <domain_str>

set dynamic-safe-list-state {enable | disable}

set greylist-capacity <maximum_int>

set greylist-check-level {disable | enable | low | high}

set greylist-delay <minutes_int>

set greylist-init-expiry-period <hours_int>

set greylist-ttl <ttl_int>

set impersonation-analysis {manual | dynamic}

set impersonation-analysis-level {aggressive | strict}

set qr-code-image-max-size <kb_int>

set qr-code-url-scan-option {attachment-image inline-image}

set qr-code-url-scan-status {enable | disable}

set release-ctrl-account <local-part_str>

set safe-block-list-entry-auto-aging-status {enable | disable}

set safe-block-list-entry-retention safe <days>

set safe-block-list-precedence {system session domain personal}

set safe-block-list-tracking {enable | disable}

set safelist-bypass-sender-auth {enable | disable}

set scan-action-preference {single-action | multi-action}

set session-profile-rate-control-interval <minutes_int>

set url-checking {aggressive | extreme | strict}

end

Variable

Description

Default

backend-verify <time_str>

Enter the time of day at which the FortiMail unit will automatically remove invalid per-recipient quarantines. Use the format hh:mm:ss, where hh is the hour according to a 24-hour clock, mm is the minute, and ss is the second.

For example, to begin automatic invalid quarantine removal at 5:30 PM, enter 17:30:00.

4:0:0

bayesian-is-not-spam <local-part_str>

Enter the local-part portion of the email address at which the FortiMail unit will receive email messages that correct false positives.

For example, if the local domain name of the FortiMail unit is example.com and you want to correct the assessment of a previously scanned spam that was actually legitimate email by sending control messages to is-not-spam@example.com, you would enter is-not-spam.

is-not-spam

bayesian-is-spam <local-part_str>

Enter the local-part portion of the email address at which the FortiMail unit will receive email messages that correct false negatives.

For example, if the local domain name of the FortiMail unit is example.com and you want to correct the assessment of a previously scanned email that was actually spam by sending control messages to is-spam@example.com, you would enter is-spam.

is-spam

bayesian-learn-is-not-spam <local-part_str>

Enter the local-part portion of the email address at which the FortiMail unit will receive email messages that train it to recognize legitimate email.

Unlike the is-not-spam email address, this email address will receive email that has not been previously seen by the Bayesian scanner.

For example, if the local domain name of the FortiMail unit is example.com and you want to train the Bayesian database to recognize legitimate email by sending control messages to learn-is-not-spam@example.com, you would enter learn-is-not-spam.

learn-is-not-spam

bayesian-learn-is-spam <local-part_str>

Enter the local-part portion of the email address at which the FortiMail unit will receive email messages that train it to recognize spam.

Unlike the is-spam email address, this email address will receive spam that has not been previously seen by the Bayesian scanner.

For example, if the local domain name of the FortiMail unit is example.com and you want to train the Bayesian database to recognize spam by sending control messages to learn-is-spam@example.com, you would enter learn-is-spam.

learn-is-spam

bayesian-training-group <local-part_str>

Enter the local-part portion of the email address that FortiMail administrators can use as their sender email address when forwarding email to the “learn is spam” email address or “learn is not spam” email address. Training messages sent from this sender email address will be used to train the global or per-domain Bayesian database (whichever is selected in the protected domain) but will not train any per-user Bayesian database.

In contrast, if a FortiMail administrator were to forward email using their own email address (rather than the training group email address) as the sender email address, and per-user Bayesian databases were enabled in the corresponding incoming antispam profile, the FortiMail unit would also apply the training message to their own per-user Bayesian database.

default-grp

blocklist-action {as-profile | discard | reject}

Use this command to select the action that the FortiMail unit performs when an email message arrives from or, in the case of per-session profile recipient blocklists, is destined for a blocklisted email address, mail domain, or IP address.

This setting affects email matching any system-wide, per-domain, per-session profile, or per-user blocklist.

For email messages involving a blocklisted email address, domain, or IP address, select one of the following options:

  • as-profile: Apply the action selected in the antispam profile being applied to the email message. For details, see profile antispam-action.

  • discard: Accept the message but delete and do not deliver it, without notifying the SMTP client.

  • reject: Reject the message, returning an SMTP error code to the SMTP client.

discard

bounce-verification-action {as-profile | discard | reject}

Enter the action that the FortiMail unit will perform if it receives a bounce address tag that is invalid.

  • as-profile: Perform the action selected in the antispam profile.

  • discard: Accept the message but then delete it without notifying the SMTP client.

  • reject: Reject the message, replying to the SMTP client with an SMTP rejection code.

as-profile

bounce-verification-auto-delete-policy {never | one-month | one-year | six-months | three-months}

Inactive keys will be removed after being unused for the selected time period.

  • never: Never automatically delete an unused key.

  • one-month: Delete a key when it hasn’t been used for 1 month.

  • three-months: Delete a key when it hasn’t been used for 3 months.

  • six-months: Delete a key when it hasn’t been used for 6 months.

  • one-year: Delete a key when it hasn’t been used for 12 months.

The active key will not be automatically removed.

never

bounce-verification-status {enable | disable}

Enable to activate bounce address tagging and verification.

Tag verification can be bypassed in IP profiles and protected domains.

disable

bounce-verification-tagexpiry <days_int>

Enter the number of days an email tag is valid. When this time elapses, the FortiMail unit will treat the tag as invalid.

Valid range is from 3 to 30 days.

7
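The tag lifecycle that the bounce-verification settings above describe (issue a tag on outbound mail, verify it on inbound bounces, expire it after tagexpiry days, age out unused keys), as an added example in Python that is not FortiMail's code. The tag layout (prvs=<key id>.<issue day>.<HMAC>=<address>), the truncated HMAC-SHA256 construction and the in-memory key store are assumptions of this example; the page does not document FortiMail's actual tag format. The example goes slightly beyond the page by reporting untagged bounces separately from tagged-but-invalid ones.

```python
import hashlib
import hmac
import re
import time

DAY = 86400


class BounceVerifier:
    """BATV-style bounce address tagging.

    Tag layout (an assumption for this example, not FortiMail's actual format):
        prvs=<key_id>.<issue_day>.<mac>=<original local-part>@<domain>
    where <mac> is a truncated HMAC-SHA256 over key id, issue day and address.
    """

    _TAG_RE = re.compile(r"^prvs=([a-z0-9]+)\.(\d+)\.([0-9a-f]{16})=(.+@.+)$", re.I)

    def __init__(self, keys, active_key_id, tag_expiry_days=7, now=None):
        if not 3 <= tag_expiry_days <= 30:
            raise ValueError("bounce-verification-tagexpiry is 3-30 days")
        if active_key_id not in keys:
            raise ValueError("active key must exist")
        now = time.time() if now is None else now
        self.keys = {kid: bytes(secret) for kid, secret in keys.items()}
        self.active = active_key_id
        self.expiry_days = tag_expiry_days
        self.last_used = {kid: now for kid in self.keys}  # creation counts as last use

    def _mac(self, key_id, issue_day, address):
        msg = f"{key_id}|{issue_day}|{address.casefold()}".encode()
        return hmac.new(self.keys[key_id], msg, hashlib.sha256).hexdigest()[:16]

    def tag_sender(self, address, now=None):
        """Rewrite the outbound MAIL FROM address with a tag signed by the active key."""
        now = time.time() if now is None else now
        issue_day = int(now // DAY)
        local, domain = address.rsplit("@", 1)
        self.last_used[self.active] = now
        mac = self._mac(self.active, issue_day, address)
        return f"prvs={self.active}.{issue_day}.{mac}={local}@{domain}"

    def verify_bounce_recipient(self, rcpt_to, now=None):
        """Classify the RCPT TO of an inbound null-sender message: valid, untagged, expired or invalid."""
        now = time.time() if now is None else now
        m = self._TAG_RE.match(rcpt_to)
        if not m:
            return "untagged"  # backscatter: we tag every outbound MAIL FROM, so this was never ours
        key_id, issue_day, mac, original = m.group(1), int(m.group(2)), m.group(3).lower(), m.group(4)
        if key_id not in self.keys:
            return "invalid"  # key was rotated out or never existed
        if not hmac.compare_digest(mac, self._mac(key_id, issue_day, original)):
            return "invalid"  # forged or corrupted tag
        age_days = int(now // DAY) - issue_day
        if age_days < 0 or age_days > self.expiry_days:
            return "expired"  # bounce-verification-tagexpiry elapsed: treated as invalid
        self.last_used[key_id] = now
        return "valid"

    def purge_unused_keys(self, now, policy_days=None):
        """bounce-verification-auto-delete-policy: drop keys idle longer than policy_days (None = never)."""
        if policy_days is None:
            return []
        removed = [kid for kid, ts in self.last_used.items()
                   if kid != self.active and now - ts > policy_days * DAY]  # active key is never removed
        for kid in removed:
            del self.keys[kid]
            del self.last_used[kid]
        return removed
```

A verdict of expired, invalid or untagged is where bounce-verification-action applies: reject can be answered at RCPT TO because the tag is checked before the message body is accepted, while discard accepts the message and drops it silently. Keep at least one previous key until the longest tag lifetime (tagexpiry) has passed after rotation, otherwise bounces for mail sent just before the rotation verify as invalid.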

carrier-endpoint-acct-response {enable | disable}

Enable/disable endpoint account validation on the RADIUS server.

disable

carrier-endpoint-acct-secret <password_str>

Type the shared secret for RADIUS account response and request validation.

carrier-endpoint-acct-validate {enable | disable}

Enable/disable validating shared secret of account requests.

disable

carrier-endpoint-attribute {Acct-Authentic ... Vendor-Specific}

Type the RADIUS accounting attribute that carries the endpoint user ID. If you have more than one RADIUS server and each server uses a different attribute for the endpoint user ID, you can specify up to five attributes with this command. For example, a 3G mobile network may use the “Calling-Station-Id” attribute while an ADSL network may use the “User-Name” attribute.

A carrier endpoint is any device on the periphery of a carrier’s or Internet service provider’s (ISP) network. It could be a subscriber’s GSM cellular phone, wireless PDA, or computer using DSL service.

Unlike MTAs, computers in homes and small offices and mobile devices such as laptops and cellular phones that send email may not have a static IP address. Cellular phones’ IP addresses especially may change very frequently. After a device leaves the network or changes its IP address, its dynamic IP address may be reused by another device. Because of this, a sender reputation score that is directly associated with an SMTP client’s IP address may not function well. A device sending spam could start again with a clean sender reputation score simply by rejoining the network to get another IP address, and an innocent device could be accidentally blocklisted when it receives an IP address that was previously used by a spammer.

Calling-Station-Id (RADIUS attribute 31)

carrier-endpoint-blocklist-window-size {15m | 30m | 60m | 90m | 120m | 240m | 360m | 480m | 1440m}

Enter the length of the sliding window, in minutes: only score-increasing events that occurred within this much past time count toward the current endpoint reputation score.

For example, if the window is 15m (15 minutes), detections of spam or viruses 0-15 minutes ago would count towards the current score; detections of spam or viruses older than 15 minutes ago would not count towards the current score.

15m

carrier-endpoint-framed-ip-attr {Framed-IP-Address | Login-IP-Host | Login-IPv6-Host | NAS-IP-Address | NAS-IPv6-Address}

Specify the RADIUS attribute whose value will be used as the endpoint user IP address.

By default, the endpoint user IP address uses the value of RADIUS attribute 8 (framed IP address).

If the endpoint IP address is carried in a different RADIUS attribute, specify that attribute with this command.

You can use the command diagnose debug application msisdn to capture RADIUS packets and find out what attribute name/number is used to hold the IP address value.

Note that you can specify multiple values, such as both IPv4 and IPv6 attributes.

Framed-IP-Address

carrier-endpoint-framed-ip-order {host-order | network-order}

Select one of the following methods for endpoint IP address formatting:

  • host-order: format the IP address in host byte order, that is, with the host portion first. For example, 1.1.168.192.
  • network-order: format the IP address in network byte order, that is, with the network portion first. For example, 192.168.1.1.

host-order
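How the carrier-endpoint settings above consume a RADIUS accounting feed, as an added example in Python that is not FortiMail's code. It builds a constructed Accounting-Request, validates the Request Authenticator with the shared secret (carrier-endpoint-acct-validate), picks the endpoint ID from an ordered list of up to five attributes (carrier-endpoint-attribute), reads the IP address from the configured attribute in host or network byte order (carrier-endpoint-framed-ip-attr and carrier-endpoint-framed-ip-order), and answers with an Accounting-Response (carrier-endpoint-acct-response). Attribute numbers are the standard ones from RFC 2865, RFC 2866 and RFC 3162; the packet contents and shared secret are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5
# Standard RADIUS attribute numbers used by the carrier-endpoint settings.
ATTR = {"User-Name": 1, "NAS-IP-Address": 4, "Framed-IP-Address": 8, "Login-IP-Host": 14,
        "Calling-Station-Id": 31, "Acct-Status-Type": 40, "NAS-IPv6-Address": 95,
        "Login-IPv6-Host": 98}


def build_acct_request(ident, secret, attrs):
    """Build an Accounting-Request; attrs is a list of (type, value bytes). Constructed traffic."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    # RFC 2866 Request Authenticator: MD5 over the packet with a zeroed authenticator, then the secret.
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_packet(pkt):
    """Return (code, ident, authenticator, [(type, value), ...]); reject inconsistent lengths."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute length")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:20], attrs


def request_is_authentic(pkt, secret):
    """carrier-endpoint-acct-validate: recompute the Request Authenticator with the shared secret."""
    code, _, authenticator, _ = parse_packet(pkt)
    if code != ACCT_REQUEST:
        return False
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return hmac.compare_digest(authenticator, expected)


def build_acct_response(request_pkt, secret):
    """carrier-endpoint-acct-response: Accounting-Response with the RFC 2866 Response Authenticator."""
    _, ident, req_auth, _ = parse_packet(request_pkt)
    header = struct.pack("!BBH", ACCT_RESPONSE, ident, 20)  # no attributes
    return header + hashlib.md5(header + req_auth + secret).digest()


def response_is_authentic(response_pkt, request_pkt, secret):
    """What the NAS checks on our reply: same identifier and a valid Response Authenticator."""
    code, ident, resp_auth, _ = parse_packet(response_pkt)
    _, req_ident, req_auth, _ = parse_packet(request_pkt)
    if code != ACCT_RESPONSE or ident != req_ident:
        return False
    expected = hashlib.md5(response_pkt[:4] + req_auth + response_pkt[20:] + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def _first(attrs, name):
    t = ATTR[name]
    return next((v for a, v in attrs if a == t), None)


def endpoint_id(attrs, attribute_names=("Calling-Station-Id",)):
    """carrier-endpoint-attribute: the first of up to five configured attributes that is present."""
    for name in attribute_names[:5]:
        v = _first(attrs, name)
        if v:
            return v.decode("utf-8", "replace")
    return None


def endpoint_ip(attrs, attribute_names=("Framed-IP-Address",), order="network-order"):
    """carrier-endpoint-framed-ip-attr / -order: host order means the host octet comes first."""
    for name in attribute_names:
        v = _first(attrs, name)
        if v is None:
            continue
        if len(v) == 4:
            return str(ipaddress.IPv4Address(v[::-1] if order == "host-order" else bytes(v)))
        if len(v) == 16:
            return str(ipaddress.IPv6Address(bytes(v)))
    return None
```

The RADIUS authenticator is an MD5 construction keyed only by the shared secret; it shows the sender knew the secret but gives no confidentiality, so the accounting feed from the NAS should traverse a trusted network segment only. The parser rejects a packet whose length field disagrees with its size or whose attribute lengths overrun the packet before any attribute is read, which is the check to keep when adapting this to a real listener on port 1813.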

carrier-endpoint-radius-port <port_int>

Type the RADIUS server port for carrier endpoint account requests.

1813

carrier-endpoint-status {enable | disable}

Enable endpoint reputation scan for traffic examined by the session profile.

This command starts the endpoint reputation daemon. You must start this daemon for the endpoint reputation feature to work.

enable

delete-ctrl-account <local_part_str>

Use this command to configure the email addresses through which email users can delete email from their per-recipient quarantines.

Enter the local-part portion of the email address at which the FortiMail unit will receive email messages that control deletion of email from per-recipient quarantines.

For example, if the local domain name of the FortiMail unit is example.com and you want to delete email by sending control messages to quar_delete@example.com, you would enter quar_delete.

delete-ctrl

dmarc-failure-action {use-policy-action | use-profile-action | use-profile-action-with-none}

Select either:

  • use-policy-action: Use the actions specified in policy option of the sender's DMARC record.

  • use-profile-action: Use the action specified in the antispam profile.

  • use-profile-action-with-none: If the policy option in the sender's DMARC record is p=none, use that action. Else use the action in the antispam profile.

use-profile-action-with-none

dynamic-safe-list-domain <domain_str>

Enter the domain name of the dynamic safe list.

dynamic-safe-list-state {enable | disable}

Enable the dynamic safe list.

disable

greylist-capacity <maximum_int>

Enter the maximum number of greylist items in the greylist. New items that would otherwise cause the greylist database to grow larger than the capacity will instead overwrite the oldest item.

To determine the default value and acceptable range for your FortiMail model, enter a question mark ( ? ).

Varies by model

greylist-check-level {disable | enable | low | high}

Greylist scanning blocks spam based on the behavior of the sending server, rather than the content of the messages. When receiving an email from an unknown server, the FortiMail unit will temporarily reject the message. If the mail is legitimate, the originating server will try to send it again later (RFC 2821), at which time the FortiMail unit will accept it. Spammers will typically abandon further delivery attempts in order to maximize spam throughput.

Enable/disable greylist check, or set how aggressively to perform greylist check: high or low.

The high level setting greylists all messages from unknown MTAs, while the low level setting will selectively greylist based on the age and reputation of the MTAs: the trusted MTAs will not be greylisted whereas the new untrusted MTAs will be greylisted.

high

greylist-delay <minutes_int>

Enter the length in minutes of the greylist delay period.

For the initial delivery attempt, if no manual greylist entry (exemption) matches the email message, the FortiMail unit creates a pending automatic greylist entry, and replies with a temporary failure code. During the greylist delay period after this initial delivery attempt, the FortiMail unit continues to reply to additional delivery attempts with a temporary failure code.

After the greylist delay period elapses and before the pending entry expires (during the initial_expiry_period, also known as the greylist window), any additional delivery attempts will confirm the entry and convert it to an individual automatic greylist entry. The greylist scanner will then allow delivery of subsequent matching email messages.

The valid range is between 1 and 120 minutes.

10

greylist-init-expiry-period <hours_int>

Enter the period of time in hours after the greylist delay period during which pending greylist entries will be confirmed and converted into automatic greylist entries if the SMTP client retries delivery.

The valid range is from 4 to 24 hours.

4

greylist-ttl <ttl_int>

Enter the time to live (TTL) that determines the maximum amount of time that unused automatic greylist entries will be retained.

Expiration dates of automatic greylist entries are determined by adding the TTL to the date and time of the previous matching delivery attempt. Each time an email message matches the entry, the life of the entry is prolonged; in this way, entries that are in active use do not expire.

If the TTL elapses without an email message matching the automatic greylist entry, the entry expires and the greylist scanner removes the entry.

The valid range is from 1 to 60 days.

30
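The pending/confirmed lifecycle that greylist-delay, greylist-init-expiry-period and greylist-ttl define above, as an added example in Python that is not FortiMail's code. It keys automatic entries on the (client IP, MAIL FROM, RCPT TO) triplet, which is an assumption of this example since the page does not state what an automatic entry matches on; it models greylist-capacity as overwriting the oldest entry, treats the enable level like high, and stands in for the MTA reputation logic of the low level with a plain set of trusted client IPs (also an assumption).

```python
from collections import OrderedDict

MINUTE, HOUR, DAY = 60, 3600, 86400
TEMPFAIL = "451 4.7.1 Greylisted, please try again later"


class Greylist:
    """Per-triplet (client IP, MAIL FROM, RCPT TO) greylist driven by the page's three timers."""

    def __init__(self, delay_minutes=10, init_expiry_hours=4, ttl_days=30, capacity=1000,
                 level="high", exempt_clients=(), trusted_clients=()):
        if not 1 <= delay_minutes <= 120:
            raise ValueError("greylist-delay is 1-120 minutes")
        if not 4 <= init_expiry_hours <= 24:
            raise ValueError("greylist-init-expiry-period is 4-24 hours")
        if not 1 <= ttl_days <= 60:
            raise ValueError("greylist-ttl is 1-60 days")
        if level not in ("disable", "enable", "low", "high"):
            raise ValueError("greylist-check-level is disable, enable, low or high")
        self.delay = delay_minutes * MINUTE        # greylist-delay
        self.window = init_expiry_hours * HOUR     # greylist-init-expiry-period
        self.ttl = ttl_days * DAY                  # greylist-ttl
        self.capacity = capacity                   # greylist-capacity
        self.level = level                         # "enable" behaves like "high" here
        self.exempt = set(exempt_clients)          # manual greylist exemptions, by client IP here
        self.trusted = set(trusted_clients)        # stand-in for "low" level MTA reputation (assumption)
        self.entries = OrderedDict()               # key -> {"confirmed", "first", "last"}, oldest first

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Decide one RCPT TO at time `now`: ('accept', reason) or ('tempfail', SMTP reply)."""
        if self.level == "disable" or client_ip in self.exempt:
            return "accept", "exempt"
        if self.level == "low" and client_ip in self.trusted:
            return "accept", "trusted-mta"
        key = (client_ip, mail_from.casefold(), rcpt_to.casefold())
        entry = self.entries.get(key)
        if entry is not None:
            if entry["confirmed"]:
                if now - entry["last"] <= self.ttl:
                    entry["last"] = now            # every hit extends the TTL: active entries never expire
                    return "accept", "confirmed"
                del self.entries[key]              # idle longer than the TTL: forget the sender
            else:
                age = now - entry["first"]
                if age < self.delay:
                    return "tempfail", TEMPFAIL    # retried too early; keep deferring
                if age <= self.delay + self.window:
                    entry["confirmed"] = True
                    entry["last"] = now
                    return "accept", "newly-confirmed"
                del self.entries[key]              # retry came after the window closed; start over
        if len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)       # database full: overwrite the oldest item
        self.entries[key] = {"confirmed": False, "first": now, "last": now}
        return "tempfail", TEMPFAIL
```

Timers are evaluated lazily at the next delivery attempt, which is all a greylist needs: an entry nobody retries costs nothing to expire. The 451 reply text is illustrative; what matters is the 4xx class, which a compliant MTA retries and a throughput-optimised spam sender typically does not.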

impersonation-analysis {manual | dynamic}

Email impersonation is a form of email spoofing: the attacker forges the message header so that the email appears to come from a different sender than the actual address.

To detect impersonation, you map display names to email addresses, and FortiMail checks the From header of each message against those mappings.

You can choose whether the impersonation analysis uses the manual mapping entries or dynamic entries. You can also use both types of entries.

  • manual: Use the entries you manually entered under Profile > AntiSpam > Impersonation.

  • dynamic: Use the entries automatically learned by the FortiMail mail statistics service. To enable this service, enable mailstat-service under config system global.

manual

impersonation-analysis-level {aggressive | strict}

  • aggressive: Also check the domain part of any email address that appears in the display name of the From header.

  • strict: Do not check the domain in the display name; only the display name to address mappings are enforced.

For example, when you set an IA entry as:

Display name: John Smith

Email address: john.smith@example.com

while example.com is a protected domain, the aggressive setting will block all of the following senders:

  • "John Smith" <spammer@example.net>
  • "John.Smith@example.com" <spammer@example.net>
  • "OtherUser@example.com" <spammer@example.net>

but the strict setting will only block the first two senders.

aggressive
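The three example senders above, evaluated in code at both levels, as an added example in Python that is not FortiMail's code. The mapping entries and protected-domain list are passed in directly; how FortiMail stores manual and dynamically learned entries is not described on the page, so that part is an assumption. Rules implemented: under both levels, a display name that is mapped to a different mailbox, or that is itself a mapped mailbox address, is blocked; under aggressive, an address-like display name claiming a protected domain must agree with the domain of the real From address.

```python
import email.utils
import re

_EMAIL_IN_NAME = re.compile(r"[a-z0-9._%+-]+@([a-z0-9.-]+\.[a-z]{2,})")


class ImpersonationAnalyzer:
    """Check the From: header against display-name to address mappings (IA entries)."""

    def __init__(self, entries, protected_domains, level="aggressive"):
        if level not in ("aggressive", "strict"):
            raise ValueError("impersonation-analysis-level is aggressive or strict")
        # entries: iterable of (display name, email address), manual or dynamically learned
        self.name_to_addr = {name.casefold().strip(): addr.casefold() for name, addr in entries}
        self.mapped_addrs = set(self.name_to_addr.values())
        self.protected = {d.casefold() for d in protected_domains}
        self.level = level

    def check(self, from_header):
        """Return ('allow', reason) or ('block', reason) for one From: header value."""
        raw_name, addr = email.utils.parseaddr(from_header)
        name, addr = raw_name.casefold().strip(), addr.casefold()
        if not addr:
            return "allow", "no From address to compare"  # malformed headers are another check's job
        addr_domain = addr.rpartition("@")[2]

        # Both levels: a display name mapped to another mailbox is an impersonation.
        mapped = self.name_to_addr.get(name)
        if mapped is not None and mapped != addr:
            return "block", f"display name is mapped to {mapped}"
        # Both levels: the display name is itself a mapped mailbox address.
        if name in self.mapped_addrs and name != addr:
            return "block", "display name is a mapped mailbox address"
        # Aggressive only: an address-like display name claiming a protected domain
        # must agree with the domain of the real From address.
        if self.level == "aggressive":
            m = _EMAIL_IN_NAME.search(name)
            if m and m.group(1) in self.protected and addr_domain != m.group(1):
                return "block", f"display name claims protected domain {m.group(1)}"
        return "allow", "no mapping violated"
```

The display name is compared case-insensitively after parsing, so quoting, capitalisation and surrounding whitespace do not let a sender slip past a mapping. A legitimate message from john.smith@example.com passes at both levels because the mapped address and the real address agree.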

qr-code-image-max-size <kb_int>

Enter the maximum size (in kilobytes) to scan for QR code images that contain known spam URLs.

1000

qr-code-url-scan-option {attachment-image inline-image}

Select which location(s) to scan for QR code images that contain known spam URLs.

  • inline-image: Embedded inline, in the email body.
  • attachment-image: Email attachments.

qr-code-url-scan-status {enable | disable}

Enable to scan for QR code images that contain known spam URLs.

disable

release-ctrl-account <local-part_str>

Use this command to configure the email address through which email users can release email from their per-recipient quarantines.

Enter the local-part portion of the email address at which the FortiMail unit will receive email messages that control release of email from per-recipient quarantines.

For example, if the local domain name of the FortiMail unit is example.com and you want to release email by sending control messages to quar_release@example.com, you would enter quar_release.

safe-block-list-entry-auto-aging-status {enable | disable}

Enable to automatically purge system and domain safe list and block list entries that have reached the retention period (see safe-block-list-entry-retention safe <days>).

enable

safe-block-list-entry-retention safe <days>

Enter the retention period in days for safe and block list entries before they are automatically removed. Set the value between 1-365.

120

safe-block-list-precedence {system session domain personal}

By default, system safelists and blocklists take precedence over the other safelists and blocklists. In some cases you may want to change the order. For example, to let users’ own lists override the system lists, move “personal” ahead of “system”.

system session domain personal

safe-block-list-tracking {enable | disable}

Enable to track various system safelist and blocklist statistics, including creation time, last hit time, and hit count.

These statistics are shown under Security > Block/Safe List > System and Security > Block/Safe List > Domain.

disable

safelist-bypass-sender-auth {enable | disable}

Enable to bypass sender authentication (SPF, DKIM, and DMARC) for safelisted senders.

When disabled, an SPF, DKIM, or DMARC failure takes precedence over the safelist: a safelisted sender whose message fails authentication is still handled by the failure action. Because safelists match on sender addresses asserted by the SMTP client, enabling the bypass means a message that spoofs a safelisted sender is delivered without any proof that it came from that sender.

enable

scan-action-preference {single-action | multi-action}

  • single-action: Apply only the action of the first antispam filter that matches.

  • multi-action: Apply the action of every matching antispam filter in turn, until a final action is reached.

multi-action

session-profile-rate-control-interval <minutes_int>

The rate control option lets you limit the rate at which email can be sent, by the number of connections, the number of messages, or the number of recipients per client per period (in minutes).

This command sets the time period. Other settings are in config profile session.

30

url-checking {aggressive | extreme | strict}

If you enable a FortiGuard scan or SURBL scan in an antispam profile, then FortiMail scans for blocklisted URLs in the email message body.

Types of URLs that URL filtering can scan include:

  • Absolute URLs — URL syntax with scheme name (protocol), such as http, https, and ftp. They often only include a domain name. Example: http://www.example.com
  • Reference URLs — No scheme name. Example: example.com

URLs in email can also be written in plain text instead of as clickable HTML links. While not technically a URL, the domain name of the sender can also be inspected.

By default, FortiMail scans absolute URLs only. To improve the spam catch rate, or to reduce false positives, select which URL types to scan:

  • strict: Absolute URLs only.

    Note: Websites without “http” or “https” but starting with “www” are also treated as absolute URLs. Example: www.example.com

  • aggressive: Like strict, but also inspect reference URLs. Also check the domain name of the sender in the SMTP envelope (MAIL FROM:) and message header (From: and Reply-To:).

  • extreme: Like aggressive, but also inspect URLs in plain text format.

strict
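A classifier for the URL types that the three url-checking levels inspect, as an added example in Python that is not FortiMail's code. The reading of the levels is: strict takes absolute (scheme or www.) targets of clickable links; aggressive adds reference (bare-domain) link targets and the sender domains from the envelope MAIL FROM and the From: and Reply-To: headers; extreme adds URLs written in plain text. The sample message, headers and blocklist are constructed, and the FortiGuard/SURBL lookup is replaced with a local set.

```python
import email.utils
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

LEVELS = ("strict", "aggressive", "extreme")
_ABSOLUTE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://|www\.)", re.I)   # scheme, or bare www.
_SCHEME_ONLY = re.compile(r"^[a-z][a-z0-9+.-]*:", re.I)            # mailto:, tel:, data:, javascript:
_DOMAIN = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
_URL_IN_TEXT = re.compile(
    r"(?<![\w@.-])(?:[a-z][a-z0-9+.-]*://|www\.)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s<>\"']*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect clickable link targets and the visible text separately."""

    def __init__(self):
        super().__init__()
        self.links, self.text = [], []

    def handle_starttag(self, tag, attrs):
        for key, value in attrs:
            if key in ("href", "src") and value:
                self.links.append(value.strip())

    def handle_data(self, data):
        self.text.append(data)


def _host(url):
    """Hostname of a web URL, or None for relative links and non-web schemes."""
    if _SCHEME_ONLY.match(url) and "://" not in url:
        return None
    host = urlparse(url if "://" in url else "http://" + url).hostname
    return host.lower() if host and _DOMAIN.fullmatch(host) else None


def candidate_domains(level, html_body, mail_from="", headers=None):
    """Map domain -> why it was collected, for the domains a scan at `level` would look up."""
    if level not in LEVELS:
        raise ValueError("url-checking is strict, aggressive or extreme")
    headers = headers or {}
    parser = _LinkCollector()
    parser.feed(html_body)
    found = {}
    for link in parser.links:                          # clickable links
        host = _host(link)
        if host is None:
            continue
        if _ABSOLUTE.match(link):
            found[host] = "absolute-url"
        elif level != "strict":
            found.setdefault(host, "reference-url")
    if level != "strict":                              # sender domains: envelope and headers
        for field in (mail_from, headers.get("From", ""), headers.get("Reply-To", "")):
            _, addr = email.utils.parseaddr(field)
            if "@" in addr:
                found.setdefault(addr.rpartition("@")[2].lower(), "sender-domain")
    if level == "extreme":                             # URLs written as plain text
        for m in _URL_IN_TEXT.finditer(" ".join(parser.text)):
            host = _host(m.group(0))
            if host is not None:
                found.setdefault(host, "plain-text-url")
    return found


def lookup(level, html_body, blocklist, mail_from="", headers=None):
    """Return the blocklisted domains the scan would have hit, sorted (local stand-in for the lookup)."""
    block = {d.lower() for d in blocklist}
    return sorted(d for d in candidate_domains(level, html_body, mail_from, headers) if d in block)
```

Moving from strict to extreme widens what is submitted for lookup, which is where the false-positive trade-off on the page comes from: a sender domain or a bare domain mentioned in running text is looked up exactly like a link target. Non-web schemes (mailto:, tel:, data:, javascript:) and relative links are skipped rather than misread as reference URLs.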

Related topics

antispam bounce-verification

antispam deepheader-analysis

antispam greylist exempt

antispam quarantine-report

antispam trusted

antispam settings

antispam settings

Use these commands to configure global antispam settings.

Syntax

config antispam settings

set backend-verify <time_str>

set bayesian-is-not-spam <local-part_str>

set bayesian-is-spam <local-part_str>

set bayesian-learn-is-not-spam <local-part_str>

set bayesian-learn-is-spam <local-part_str>

set bayesian-training-group <local-part_str>

set blocklist-action {as-profile | discard | reject}

set bounce-verification-action {as-profile | discard | reject}

set bounce-verification-auto-delete-policy {never | one-month | one-year | six-months | three-months}

set bounce-verification-status {enable | disable}

set bounce-verification-tagexpiry <days_int>

set carrier-endpoint-acct-response {enable | disable}

set carrier-endpoint-acct-secret <password_str>

set carrier-endpoint-acct-validate {enable | disable}

set carrier-endpoint-attribute {Acct-Authentic ... Vendor-Specific)

set carrier-endpoint-blocklist-window-size {15m | 30m | 60m | 90m | 120m | 240m | 360m | 480m | 1440m}

set carrier-endpoint-framed-ip-attr {Framed-IP-Address | Login-IP-Host | Login-IPv6-Host | NAS-IP-Address | NAS-IPv6-Address}

set carrier-endpoint-framed-ip-order {host-order | network-order}

set carrier-endpoint-radius-port <port_int>

set carrier-endpoint-status {enable | disable}

set delete-ctrl-account <local_part_str>

set dmarc-failure-action {use-policy-action | use-profile-action | use-profile-action-with-none}

set dynamic-safe-list-domain <domain_str>

set dynamic-safe-list-state {enable | disable}

set greylist-capacity <maximum_int>

set greylist-check-level {disable | enable | low | high}

set greylist-delay <minutes_int>

set greylist-init-expiry-period <hours_int>

set greylist-ttl <ttl_int>

set impersonation-analysis {manual | dynamic}

set impersonation-analysis-level {aggressive | strict}

set qr-code-image-max-size <kb_int>

set qr-code-url-scan-option {attachment-image inline-image}

set qr-code-url-scan-status {enable | disable}

set release-ctrl-account <local-part_str>

set safe-block-list-entry-auto-aging-status {enable | disable}

set safe-block-list-entry-retention safe <days>

set safe-block-list-precedence {system session domain personal}

set safe-block-list-tracking {enable | disable}

set safelist-bypass-sender-auth {enable | disable}

set scan-action-preference {single-action | multi-action}

set session-profile-rate-control-interval <minutes_int>

set url-checking {aggressive | extreme | strict}

end

Variable

Description

Default

backend-verify <time_str>

Enter the time of day at which the FortiMail unit will automatically remove invalid per-recipient quarantines. Use the format hh:mm:ss, where hh is the hour according to a 24-hour clock, mm is the minute, and ss is the second.

For example, to begin automatic invalid quarantine removal at 5:30 PM, enter 17:30:00.

4:0:0

bayesian-is-not-spam <local-part_str>

Enter the local-part portion of the email address at which the FortiMail unit will receive email messages that correct false positives.

For example, if the local domain name of the FortiMail unit is example.com and you want to correct the assessment of a previously scanned spam that was actually legitimate email by sending control messages to is-not-spam@example.com, you would enter is-not-spam.

is-not-spam

bayesian-is-spam <local-part_str>

Enter the local-part portion of the email address at which the FortiMail unit will receive email messages that correct false negatives.

For example, if the local domain name of the FortiMail unit is example.com and you want to correct the assessment of a previously scanned email that was actually spam by sending control messages to is-spam@example.com, you would enter is-spam.

is-spam

bayesian-learn-is-not-spam <local-part_str>

Enter the local-part portion of the email address at which the FortiMail unit will receive email messages that train it to recognize legitimate email.

Unlike the is-not-spam email address, this email address will receive email that has not been previously seen by the Bayesian scanner.

For example, if the local domain name of the FortiMail unit is example.com and you want to train the Bayesian database to recognize legitimate email by sending control messages to learn-is-not-spam@example.com, you would enter learn-is-not-spam.

learn-is-not-spam

bayesian-learn-is-spam <local-part_str>

Enter the local-part portion of the email address at which the FortiMail unit will receive email messages that train it to recognize spam.

Unlike the is-spam email address, this email address will receive spam that has not been previously seen by the Bayesian scanner.

For example, if the local domain name of the FortiMail unit is example.com and you want to train the Bayesian database to recognize spam by sending control messages to learn-is-spam@example.com, you would enter learn-is-spam.

learn-is-spam

bayesian-training-group <local-part_str>

Enter the local-part portion of the email address that FortiMail administrators can use as their sender email address when forwarding email to the “learn is spam" email address or “learn is not spam" email address. Training messages sent from this sender email address will be used to train the global or per-domain Bayesian database (whichever is selected in the protected domain) but will not train any per-user Bayesian database.

In contrast, if a FortiMail administrator were to forward email using their own email address (rather than the training group email address) as the sender email address, and per-user Bayesian databases were enabled in the corresponding incoming antispam profile, the FortiMail unit would also apply the training message to their own per-user Bayesian database.

default-grp

blocklist-action {as-profile | discard | reject}

Use these commands to select the action that the FortiMail unit performs when an email message arrives from or, in the case of per-session profile recipient blocklists, is destined for a blocklisted email address, mail domain, or IP address.

This setting affects email matching any system-wide, per-domain, per-session profile, or per-user blocklist.

For email messages involving a blocklisted email address, domain, or IP address, select one of the following options:

  • as-profile: Apply the action selected in the antispam profile being applied to the email message. For details, see profile antispam-action.

  • discard: Accept the message but delete and do not deliver it, without notifying the SMTP client.

  • reject: Reject the message, returning an SMTP error code to the SMTP client.

discard

bounce-verification-action {as-profile | discard | reject}

Enter the action that the FortiMail unit will perform if it receives a bounce address tag that is invalid.

  • as-profile: Perform the action selected in the antispam profile.

  • discard: Accept the message but then delete it without notifying the SMTP client.

  • reject: Reject the message, replying to the SMTP client with an SMTP rejection code.

as-profile

bounce-verification-auto-delete-policy {never | one-month | one-year | six-months | three-months}

Inactive keys will be removed after being unused for the selected time period.

  • never: Never automatically delete an unused key.

  • one-month: Delete a key when it hasn’t been used for 1 month.

  • three-months: Delete a key when it hasn’t been used for 3 months.

  • six-months: Delete a key when it hasn’t been used for 6 months.

  • one-year: Delete a key when it hasn’t been used for 12 months.

The active key will not be automatically removed.

never

bounce-verification-status {enable | disable}

Enable to activate bounce address tagging and verification.

Tag verification can be bypassed in IP profiles and protected domains.

disable

bounce-verification-tagexpiry <days_int>

Enter the number of days an email tag is valid. When this time elapses, the FortiMail unit will treat the tag as invalid.

Valid range is from 3 to 30 days.

7

carrier-endpoint-acct-response {enable | disable}

Enable/disable endpoint account validation on the RADIUS server.

disable

carrier-endpoint-acct-secret <password_str>

Type the shared secret for RADIUS account response and request validation.

carrier-endpoint-acct-validate {enable | disable}

Enable/disable validating shared secret of account requests.

disable

carrier-endpoint-attribute {Acct-Authentic ... Vendor-Specific)

Type the RADIUS account attribute associated with the endpoint user ID. If you have more than one RADIUS server and each server uses different account attribute for the endpoint user ID, you can specify up to five attributes with this command. For example, a 3G mobile network may use the “Calling-Station-ID” attribute while an ADSL network may use the “User-Name” attribute.

A carrier end point is any device on the periphery of a carrier’s or Internet service provider’s (ISP) network. It could be a subscriber’s GSM cellular phone, wireless PDA, or computer using DSL service.

Unlike MTAs, computers in homes and small offices and mobile devices such as laptops and cellular phones that send email may not have a static IP address. Cellular phones’ IP addresses especially may change very frequently. After a device leaves the network or changes its IP address, its dynamic IP address may be reused by another device. Because of this, a sender reputation score that is directly associated with an SMTP client’s IP address may not function well. A device sending spam could start again with a clean sender reputation score simply by rejoining the network to get another IP address, and an innocent device could be accidentally blocklisted when it receives an IP address that was previously used by a spammer.

Calling-Station-Id (RADIUS attribute 31)

carrier-endpoint-blocklist-window-size {15m | 30m | 60m | 90m | 120m | 240m | 360m | 480m | 1440m}

Enter the amount of previous time, in minutes, whose score-increasing events will be used to calculate the current endpoint reputation score.

For example, if the window is 15m (15 minutes), detections of spam or viruses 0-15 minutes ago would count towards the current score; detections of spam or viruses older than 15 minutes ago would not count towards the current score.

15m

carrier-endpoint-framed-ip-attr {Framed-IP-Address | Login-IP-Host | Login-IPv6-Host | NAS-IP-Address | NAS-IPv6-Address}

Specify the RADIUS attribute whose value will be used as the endpoint user IP address.

By default, the endpoint user IP address uses the value of RADIUS attribute 8 (framed IP address).

However, if the endpoint IP address is carried in a different RADIUS attribute (a name/number other than attribute 8), you can specify the corresponding attribute with this command.

You can use the command diagnose debug application msisdn to capture RADIUS packets and find out what attribute name/number is used to hold the IP address value.

Note that you can specify multiple values, such as both IPv4 and IPv6 attributes.

Framed-IP-Address

carrier-endpoint-framed-ip-order {host-order | network-order}

Select one of the following methods for endpoint IP address formatting:

  • host-order: format an IP address in host order, that is, the host portion is at the beginning. For example, 1.1.168.192.
  • network-order: formats an IP address in network order, that is, the network portion is at the beginning. For example, 192.168.1.1.

host-order

carrier-endpoint-radius-port <port_int>

Type the RADIUS server port for carrier endpoint account requests.

1813

carrier-endpoint-status {enable | disable}

Enable endpoint reputation scan for traffic examined by the session profile.

This command starts the endpoint reputation daemon. You must start this daemon for the endpoint reputation feature to work.

enable

delete-ctrl-account <local_part_str>

Use this command to configure the email addresses through which email users can delete email from their per-recipient quarantines.

Enter the local-part portion of the email address at which the FortiMail unit will receive email messages that control deletion of email from per-recipient quarantines.

For example, if the local domain name of the FortiMail unit is example.com and you want to delete email by sending control messages to quar_delete@example.com, you would enter quar_delete.

delete-ctrl

dmarc-failure-action {use-policy-action | use-profile-action | use-profile-action-with-none}

Select either:

  • use-policy-action: Use the action specified in the policy (p=) option of the sender's DMARC record.

  • use-profile-action: Use the action specified in the antispam profile.

  • use-profile-action-with-none: If the policy option in the sender's DMARC record is p=none, use that action. Else use the action in the antispam profile.

use-profile-action-with-none

dynamic-safe-list-domain <domain_str>

Enter the domain name of the dynamic safe list.

dynamic-safe-list-state {enable | disable}

Enable the dynamic safe list.

disable

greylist-capacity <maximum_int>

Enter the maximum number of greylist items in the greylist. New items that would otherwise cause the greylist database to grow larger than the capacity will instead overwrite the oldest item.

To determine the default value and acceptable range for your FortiMail model, enter a question mark ( ? ).

Varies by model

greylist-check-level {disable | enable | low | high}

Greylist scanning blocks spam based on the behavior of the sending server, rather than the content of the messages. When receiving an email from an unknown server, the FortiMail unit will temporarily reject the message. If the mail is legitimate, the originating server will try to send it again later (RFC 2821), at which time the FortiMail unit will accept it. Spammers will typically abandon further delivery attempts in order to maximize spam throughput.

Enable/disable greylist check, or set how aggressively to perform greylist check: high or low.

The high level setting greylists all messages from unknown MTAs, while the low level setting will selectively greylist based on the age and reputation of the MTAs: the trusted MTAs will not be greylisted whereas the new untrusted MTAs will be greylisted.

high

greylist-delay <minutes_int>

Enter the length in minutes of the greylist delay period.

For the initial delivery attempt, if no manual greylist entry (exemption) matches the email message, the FortiMail unit creates a pending automatic greylist entry, and replies with a temporary failure code. During the greylist delay period after this initial delivery attempt, the FortiMail unit continues to reply to additional delivery attempts with a temporary failure code.

After the greylist delay period elapses and before the pending entry expires (during the initial_expiry_period, also known as the greylist window), any additional delivery attempts will confirm the entry and convert it to an individual automatic greylist entry. The greylist scanner will then allow delivery of subsequent matching email messages.

The valid range is between 1 and 120 minutes.

10

greylist-init-expiry-period <hours_int>

Enter the period of time in hours after the greylist delay period, during which pending greylist entries will be confirmed and converted into automatic greylist entries if the SMTP client retries delivery.

The valid range is between 4 and 24 hours.

4

greylist-ttl <ttl_int>

Enter the time to live (TTL) that determines the maximum amount of time that unused automatic greylist entries will be retained.

Expiration dates of automatic greylist entries are determined by adding the TTL to the date and time of the previous matching delivery attempt. Each time an email message matches the entry, the life of the entry is prolonged; in this way, entries that are in active use do not expire.

If the TTL elapses without an email message matching the automatic greylist entry, the entry expires and the greylist scanner removes the entry.

The valid range is between 1 and 60 days.

30
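The greylist-delay, greylist-init-expiry-period and greylist-ttl settings above together define one entry lifecycle. The following simulator is an added example, not FortiMail code; it models that lifecycle with the page's default values (10 minutes, 4 hours, 30 days) and assumes an entry is keyed on client IP, sender and recipient, with manual exemptions keyed on client IP.

```python
from dataclasses import dataclass

# Constructed values mirroring this page's defaults, expressed in minutes.
DELAY_MIN = 10                 # greylist-delay 10
INIT_EXPIRY_MIN = 4 * 60       # greylist-init-expiry-period 4
TTL_MIN = 30 * 24 * 60         # greylist-ttl 30


@dataclass
class Entry:
    first_seen: int            # minute of the initial delivery attempt
    confirmed: bool = False    # pending (False) or automatic (True) entry
    last_hit: int = 0          # minute of the last matching attempt


class Greylist:
    """Toy greylist scanner keyed on (client IP, sender, recipient)."""

    def __init__(self, exemptions=()):
        self.entries = {}
        self.exemptions = set(exemptions)   # manual entries are never greylisted

    def check(self, key, now):
        """Return 'accept' or 'tempfail' (SMTP 4xx) for an attempt at minute `now`."""
        if key[0] in self.exemptions:
            return "accept"
        e = self.entries.get(key)
        if e is None:
            self.entries[key] = Entry(first_seen=now)   # new pending entry
            return "tempfail"
        if e.confirmed:
            if now - e.last_hit > TTL_MIN:
                # Unused for longer than the TTL: the entry has expired, start over.
                self.entries[key] = Entry(first_seen=now)
                return "tempfail"
            e.last_hit = now                             # each match prolongs the entry
            return "accept"
        age = now - e.first_seen
        if age < DELAY_MIN:
            return "tempfail"                            # still inside the delay period
        if age < DELAY_MIN + INIT_EXPIRY_MIN:
            e.confirmed = True                           # retry inside the greylist window
            e.last_hit = now
            return "accept"
        # Window missed: the pending entry expired, so this attempt starts a new one.
        self.entries[key] = Entry(first_seen=now)
        return "tempfail"
```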

impersonation-analysis {manual | dynamic}

Email impersonation is a form of email spoofing attack. It forges the email header to deceive the recipient, because the message appears to come from a different source than the actual sender address.

To fight against email impersonation, you can map display names with email addresses and check email for the mapping.

You can choose whether the impersonation analysis uses the manual mapping entries or dynamic entries. You can also use both types of entries.

  • manual: Use the entries you manually entered under Profile > AntiSpam > Impersonation.

  • dynamic: Use the entries automatically learned by the FortiMail mail statistics service. To enable this service, enable mailstat-service under config system global.

manual

impersonation-analysis-level {aggressive | strict}

  • aggressive: Choose this option to check the display name email domain part in Header From.

  • strict: Choose this option not to check the display name email domain.

For example, when you set an IA entry as:

Display name: John Smith

Email address: john.smith@example.com

while example.com is a protected domain, the aggressive setting will block all of the following senders:

  • "John Smith" <spammer@example.net>
  • "John.Smith@example.com" <spammer@example.net>
  • "OtherUser@example.com" <spammer@example.net>

but the strict setting will only block the first two senders.

aggressive
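The three senders in the example above can be checked with the following function, which is an added example rather than FortiMail's implementation; the IA entry and protected domain are the ones from the example, and the exact matching rules (display name lookup, display name that is itself an address, protected-domain check at the aggressive level) are an assumption about how the two levels behave.

```python
import re
from email.utils import parseaddr

# Constructed impersonation-analysis (IA) entry and protected domain from the page.
IA_ENTRIES = {"john smith": "john.smith@example.com"}   # display name -> mapped address
PROTECTED_DOMAINS = {"example.com"}


def _display_name_as_email(display_name):
    """Return the display name lowercased if it is itself an email address, else None."""
    m = re.fullmatch(r"\s*([^@\s<>]+@[^@\s<>]+)\s*", display_name)
    return m.group(1).lower() if m else None


def is_impersonation(header_from, level):
    """True if the Header From should be blocked at impersonation-analysis-level
    'strict' or 'aggressive' (assumed rules, see lead-in)."""
    display, addr = parseaddr(header_from)
    addr = addr.lower()
    addr_domain = addr.rsplit("@", 1)[-1]
    # Both levels: the display name matches an IA entry but the address is not
    # the one mapped to that name ("John Smith" <spammer@example.net>).
    mapped = IA_ENTRIES.get(display.strip().lower())
    if mapped and addr != mapped:
        return True
    # Both levels: the display name is itself an address mapped in an IA entry,
    # while the real address differs ("John.Smith@example.com" <spammer@example.net>).
    dn_email = _display_name_as_email(display)
    if dn_email and dn_email in IA_ENTRIES.values() and addr != dn_email:
        return True
    # Aggressive only: the display name carries any address in a protected
    # domain although the real address is outside that domain
    # ("OtherUser@example.com" <spammer@example.net>).
    if level == "aggressive" and dn_email:
        dn_domain = dn_email.rsplit("@", 1)[1]
        if dn_domain in PROTECTED_DOMAINS and addr_domain != dn_domain:
            return True
    return False


def blocked_senders(level, senders):
    """Return the subset of Header From values blocked at the given level."""
    return [s for s in senders if is_impersonation(s, level)]
```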

qr-code-image-max-size <kb_int>

Enter the maximum size (in kilobytes) to scan for QR code images that contain known spam URLs.

1000

qr-code-url-scan-option {attachment-image inline-image}

Select which location(s) to scan for QR code images that contain known spam URLs.

  • inline-image: Embedded inline, in the email body.
  • attachment-image: Email attachments.

qr-code-url-scan-status {enable | disable}

Enable to scan for QR code images that contain known spam URLs.

disable

release-ctrl-account <local-part_str>

Use this command to configure the email addresses through which email users can release email from their per-recipient quarantines.

Enter the local-part portion of the email address at which the FortiMail unit will receive email messages that control release of email from per-recipient quarantines.

For example, if the local domain name of the FortiMail unit is example.com and you want to release email by sending control messages to quar_release@example.com, you would enter quar_release.

safe-block-list-entry-auto-aging-status {enable | disable}

Enable to apply automatic purging of system and domain block and safe lists that are listed for a defined retention period (see safe-block-list-entry-retention safe <days>).

enable

safe-block-list-entry-retention safe <days>

Enter the retention period in days for safe and block list entries before they are automatically removed. Set the value between 1-365.

120

safe-block-list-precedence {system session domain personal}

By default, system safelists and blocklists have precedence over other safelists and blocklists. In some cases, you may want to change the precedence order. For example, you may want to allow a user to use their own lists to override the system list. In this case, you can move “personal” ahead of “system”.

system session domain personal

safe-block-list-tracking {enable | disable}

Enable to track various system safelist and blocklist statistics, including creation time, last hit time, and hit count.

These statistics are tracked on Security > Block/Safe List > System and Security > Block/Safe List > Domain.

disable

safelist-bypass-sender-auth {enable | disable}

Enable to bypass sender authentication mechanism (SPF/DMARC/DKIM) for safelisted senders.

When disabled, if the scan result of SPF, DKIM, or DMARC is a failure, and the sender is safelisted, the result of SPF, DKIM, and DMARC takes precedence.

enable

scan-action-preference {single-action | multi-action}

Either apply only the action of the first matching antispam filter, or apply the actions of all matching antispam filters, each in turn, until the final action is reached.

multi-action

session-profile-rate-control-interval <minutes_int>

The rate control option enables you to control the rate at which email messages can be sent, by the number of connections, the number of messages, or the number of recipients per client per period (in minutes).

This command sets the time period. Other settings are in config profile session.

30

url-checking {aggressive | extreme | strict}

If you enable a FortiGuard scan or SURBL scan in an antispam profile, then FortiMail scans for blocklisted URLs in the email message body.

Types of URLs that URL filtering can scan include:

  • Absolute URLs — URL syntax with scheme name (protocol), such as http, https, and ftp. They often only include a domain name. Example: http://www.example.com
  • Reference URLs — No scheme name. Example: example.com

URLs in email can also be written in plain text instead of as clickable HTML links. While not technically a URL, the domain name of the sender can also be inspected.

By default, FortiMail scans for absolute URLs only. If you need to improve the spam catch rate or reduce false positives, you can change this. Select which to scan for.

  • strict: Absolute URLs only.

    Note: Websites without “http” or “https” but starting with “www” are also treated as absolute URLs. Example: www.example.com

  • aggressive: Like strict, but also inspect reference URLs. Also check the domain name of the sender in the SMTP envelope (MAIL FROM:) and message header (From: and Reply-To:).

  • extreme: Like aggressive, but also inspect URLs in plain text format.

strict
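The following function is an added example, not FortiMail's URL scanner; it collects the URLs and domains that would be looked up at each url-checking level from a constructed HTML message, assuming "reference URL" means a link target without a scheme, "plain text" means text outside HTML tags, and sender domains are taken from MAIL FROM, From: and Reply-To:.

```python
import re
from email.utils import parseaddr

# Hypothetical patterns: scheme or www. prefix marks an absolute URL; a bare
# domain such as example.net is a reference URL.
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)
TAG_RE = re.compile(r"<[^>]+>")
TEXT_URL_RE = re.compile(
    r"(?:[a-z][a-z0-9+.-]*://|www\.)\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.I)


def is_absolute(url):
    return "://" in url or url.lower().startswith("www.")


def _sender_domain(header_value):
    """Domain part of an address header, or None if there is no address."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def url_candidates(level, mail_from, from_hdr, reply_to, html_body):
    """Return the set of URLs/domains inspected at url-checking level
    'strict', 'aggressive' or 'extreme'."""
    hrefs = HREF_RE.findall(html_body)
    found = {h for h in hrefs if is_absolute(h)}              # strict: absolute links
    if level in ("aggressive", "extreme"):
        found |= {h for h in hrefs if not is_absolute(h)}      # reference links
        for hdr in (mail_from, from_hdr, reply_to):            # sender domains
            domain = _sender_domain(hdr)
            if domain:
                found.add(domain)
    if level == "extreme":
        text = TAG_RE.sub(" ", html_body)                      # drop HTML tags
        found |= set(TEXT_URL_RE.findall(text))                # plain-text URLs
    return found


# Constructed sample message used by the checks below.
SAMPLE_HTML = ('<p>See <a href="http://www.example.com/x">here</a>, '
               '<a href="example.org">or here</a>. Visit example.net today.</p>')
```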

Related topics

antispam bounce-verification

antispam deepheader-analysis

antispam greylist exempt

antispam quarantine-report

antispam trusted