profile antispam
Use this command to configure system-wide antispam profiles.
FortiMail can use many methods to detect spam, such as the FortiGuard Antispam service, DNSBL queries, Bayesian scanning, and heuristic scanning. Antispam profiles contain settings for these features that you may want to vary by policy. Depending on the feature, before you configure antispam policies, you may need to enable the feature or configure its system-wide settings.
Syntax
config profile antispam
edit <profile_name>
config bannedwords
edit <banned-word_str>
set subject {enable | disable}
config dnsbl-server
edit <dnsbl_name>
config safelistwords
edit <safelist-word_str>
config surbl-server
edit <surbl_name>
set action-banned-word <action-profile_name>
set action-bayesian <action-profile_name>
set action-behavior-analysis <action-profile_name>
set action-deep-header <action-profile_name>
set action-default <action-profile_name>
set action-dictionary <action-profile_name>
set action-dkim-fail <action-profile_name>
set action-dkim-none <action-profile_name>
set action-dkim-pass <action-profile_name>
set action-dkim-temp-error <action-profile_name>
set action-dmarc-fail <action-profile_name>
set action-dmarc-none <action-profile_name>
set action-dmarc-pass <action-profile_name>
set action-dmarc-temp-error <action-profile_name>
set action-fortiguard <action-profile_name>
set action-fortiguard-blockip <action-profile-name>
set action-fortiguard-phishing-url <action-profile-name>
set action-grey-list <action-profile_name>
set action-heuristic <action-profile_name>
set action-image-spam <action-profile_name>
set action-impersonation-analysis <action-profile_name>
set action-ip-reputation-level1 <action-profile_name>
set action-ip-reputation-level2 <action-profile_name>
set action-ip-reputation-level3 <action-profile_name>
set action-newsletter <action-profile_name>
set action-rbl <action-profile_name>
set action-spf-fail <action-profile_name>
set action-spf-neutral <action-profile_name>
set action-spf-none <action-profile_name>
set action-spf-pass <action-profile_name>
set action-spf-perm-error <action-profile_name>
set action-spf-sender-alignment <action-profile_name>
set action-spf-soft-fail <action-profile_name>
set action-spf-temp-error <action-profile_name>
set action-surbl <action-profile_name>
set action-suspicious-newsletter <action-profile_name>
set action-url-filter <action-profile_name>
set action-url-filter-secondary <action-profile_name>
set action-virus <action-profile_name>
set action-weighted-analysis <action-profile-name>
set aggressive {enable | disable}
set apply-action-default {enable | disable}
set banned-word {enable | disable}
set bayesian {enable | disable}
set bayesian-autotraining {enable | disable}
set bayesian-user-db {enable | disable}
set bayesian-usertraining {enable | disable}
set behavior-analysis {enable | disable}
set cousin-domain {enable | disable}
set cousin-domain-profile <cousin-profile_name>
set cousin-domain-scan-option {auto-detection body-detection header-detection}
set deepheader-analysis {enable | disable}
set deepheader-check-ip {enable | disable}
set dictionary {enable | disable}
set dictionary-profile <profile_name>
set dictionary-type {group | profile}
set dict-score <threshold_int>
set dkim-checking {enable | disable}
set dkim-fail-status {enable | disable}
set dkim-none-status {enable | disable}
set dkim-pass-status {enable | disable}
set dkim-temp-error-status {enable | disable}
set dmarc-checking {enable | disable}
set dmarc-fail-status {enable | disable}
set dmarc-none-status {enable | disable}
set dmarc-pass-status {enable | disable}
set dmarc-temp-error-status {enable | disable}
set fortiguard-antispam {enable | disable}
set fortiguard-check-ip {enable | disable}
set fortiguard-phishing-url {enable | disable}
set bayesian {enable | disable}
set heuristic {enable | disable}
set heuristic-lower <threshold_float>
set heuristic-rules-percent <percentage_int>
set heuristic-upper {threshold_float}
set image-spam {enable | disable}
set impersonation <profile_name>
set impersonation-analysis {enable | disable}
set impersonation-status {enable | disable}
set ip-reputation-level1-status {enable | disable}
set ip-reputation-level2-status {enable | disable}
set ip-reputation-level3-status {enable | disable}
set newsletter-status {enable | disable}
set safelist-enable {enable | disable}
set safelist-word {enable | disable}
set scan-bypass-on-auth {enable | disable}
set scan-pdf {enable | disable}
set spam-outbreak-protection {enable | disable | monitor-only}
set spf-checking {enable | disable}
set spf-fail-status {enable | disable}
set spf-neutral-status {enable | disable}
set spf-none-status {enable | disable}
set spf-pass-status {enable | disable}
set spf-sender-alignment-status {enable | disable}
set spf-perm-error-status {enable | disable}
set spf-soft-fail-status {enable | disable}
set spf-temp-error-status {enable | disable}
set suspicious-newsletter-status {enable | disable}
set url-filter-secondary <filter_name>
set url-filter-secondary-status {enable | disable}
set url-filter-status {enable | disable}
set weighted-analysis-status {enable | disable}
set weighted-analysis-profile <profile_name>
end
|
Variable |
Description |
Default |
|
Enter the name of the profile. |
|
|
|
Enter the banned word. You can use wildcards to match multiple banned words. Regular expressions are not supported. For more information about wildcards and regular expressions, see the FortiMail Administration Guide. |
|
|
|
Enable to scan the subject line for banned words. |
disable |
|
|
Enable to scan the message body for banned words. |
disable |
|
|
Enter a DNSBL server name to perform a DNSBL scan. The FortiMail unit will query DNS blocklist servers. |
|
|
|
Enter a SURBL server name to perform a SURBL scan. The FortiMail unit will query SURBL servers. |
|
|
|
Enter the safelisted word. You can use wildcards to match multiple safelisted words. Regular expressions are not supported. For more information about wildcards and regular expressions, see the FortiMail Administration Guide. |
|
|
|
Enable to scan the subject line for safelisted words. |
disable |
|
|
Enable to scan the message body for safelisted words. |
disable |
|
|
Enter the action profile that FortiMail uses if the banned word scan determines that the email is spam. |
|
|
|
Enter the action profile that FortiMail uses if the Bayesian scan determines that the email is spam. |
|
|
|
Enter the action profile that FortiMail uses if the behavior analysis scan determines that the email is spam. |
|
|
|
Enter the action profile that FortiMail uses if the deep header scan determines that the email is spam. |
|
|
|
Enter the default action profile for scans. If you want a scan to use a different action profile, select it for that specific scan instead of accepting the default. |
|
|
|
Enter the action profile that FortiMail uses if the heuristic scan determines that the email is spam. |
|
|
| action-dkim-fail <action-profile_name> | Enter the action profile that FortiMail uses if an email does not pass the DKIM scan. |
|
| action-dkim-none <action-profile_name> | Enter the action profile that FortiMail uses if no DKIM DNS record is not found or parsed correctly. |
|
| Enter the action profile that FortiMail uses if an email passes the DKIM scan. |
|
|
|
Enter the action profile that FortiMail uses if the DNS server returns a temporary error when querying the DKIM record. |
|
|
| Enter the action profile that FortiMail uses if an email does not pass the DMARC scan. |
|
|
| Enter the action profile that FortiMail uses if no DMARC DNS record is not found or parsed correctly. |
|
|
| Enter the action profile that FortiMail uses if an email passes the DMARC scan. |
|
|
|
Enter the action profile that FortiMail uses if DNS server returns Temp error when querying the DMARC DNS record. |
|
|
|
Enter the action profile that FortiMail uses if the FortiGuard Antispam scan determines that the email is spam. |
|
|
|
Enter the action profile that FortiMail uses if the FortiGuard block IP scan determines that the email is spam. |
|
|
|
Enter the action profile that FortiMail uses if the FortiGuard phishing URL scan determines that the email is spam. |
|
|
|
Enter the action profile that FortiMail uses if the greylist scan determines that the email is spam. |
|
|
|
Enter the action profile that FortiMail uses if the heuristic scan determines that the email is spam. |
|
|
|
Enter the action profile that FortiMail uses if impersonation analysis determines that the email is from someone impersonating a known email address. |
|
|
|
Enter the action profile that FortiMail uses if the image scan determines that the email is spam. |
|
|
|
Enter the action profile that FortiMail uses if the IP reputation scan results is level 1. See set ip-reputation-level1-status {enable | disable}. FortiGuard categorizes blocklisted IP addresses into three levels. Level 1 has the worst reputation and level 3 the best. |
|
|
|
Enter the action profile that FortiMail uses if the IP reputation scan result is level 2. See set ip-reputation-level2-status {enable | disable} |
|
|
|
Enter the action profile that FortiMail uses if the IP reputation scan result is level 3. See set ip-reputation-level3-status {enable | disable}. |
|
|
|
Enter the action profile that FortiMail uses if the newsletter scan determines that the email is spam. |
|
|
|
Enter the action profile that FortiMail uses if the RBL scan determines that the email is spam. |
|
|
|
Enter the action profile that FortiMail uses if the email does not pass the SPF scan, which means the host is not authorized to send messages. |
|
|
|
Enter the action profile that FortiMail uses if the SPF scan result is neutral, which means the SPF record is found but no definitive assertion. |
|
|
|
Enter the action profile that FortiMail uses if the SPF scan has no result, which means there is no SPF record. |
|
|
|
Enter the action profile that FortiMail uses if email passes the SPF scan, which means the host is authorized to send a message. |
|
|
|
Enter the action profile that FortiMail uses if the SPF scan has a permanent error, which means the SPF records are invalid. |
|
|
|
Enter the action profile that FortiMail uses if the email does not pass the SPF sender alignment scan. |
|
|
|
Enter the action profile that FortiMail uses if the SPF scan has a soft failure, which means the host is not authorized to send messages, but it's not a strong statement. |
|
|
|
Enter the action profile that FortiMail uses if the SPF scan has a temporary error, which means there is a processing error. |
|
|
|
Enter the action profile that FortiMail uses if the SURBL scan determines that the email is spam. |
|
|
|
Enter the action profile that FortiMail uses if the suspicious newsletter scan determines that the email is spam. |
|
|
|
Enter the action profile that FortiMail uses if the URL filter scan determines that the email is spam. |
|
|
|
Enter the action profile that FortiMail uses if the URL filter scan determines that the email is spam. |
|
|
|
Enter the action profile that FortiMail uses if the antivirus scan detects malware. |
|
|
|
Enter the action profile that FortiMail uses if weighted analysis determines that the email is spam. |
|
|
|
Enable this option to examine file attachments in addition to images embedded in the message body. Tip: To improve performance, enable this option only if you do not have a satisfactory spam detection rate. |
disable |
|
|
Enable this option to apply default action to all messages. |
disable | |
|
Enable to perform a banned words scan. |
disable |
|
|
Enable to perform a Bayesian scan. |
disable |
|
|
Enable to use FortiGuard Antispam and SURBL scan results to train per-user Bayesian databases that are not yet mature (that is, they have not yet been trained with 200 legitimate email and 100 spam in order to recognize spam). |
enable |
|
|
Enable to use per-user Bayesian databases. If disabled, the Bayesian scan will use either the global or the per-domain Bayesian database, whichever is selected for the protected domain. |
disable |
|
|
Enable to accept email forwarded from email users to the Bayesian control email addresses in order to train the Bayesian databases to recognize spam and legitimate email. |
enable |
|
|
Enable to analyze the similarities between uncertain email and known email in the behavior analysis (BA) database to determine whether the uncertain email is spam. To adjust the aggressiveness of the scan, see also antispam behavior-analysis |
disable |
|
|
Enable to perform a cousin domain (domain impersonation) scan. Note: For this setting to take effect, |
disable |
|
|
Enter the cousin domain profile to use. |
||
|
cousin-domain-scan-option {auto-detection body-detection header-detection} |
Select where in the email to scan for domain name impersonation, either automatically, within the email body, and/or the message header. |
header-detection body-detection auto-detection |
|
Enable to inspect all message headers for known spam characteristics. If the FortiGuard Antispam scan is enabled, this option uses results from that scan, providing up-to-date header analysis. For more information, see “set as profile modify fortishield" on page 184. |
disable |
|
|
Enable to query for the blocklist status of the IP addresses of all SMTP servers appearing in the If this option is disabled, the FortiMail unit examines only the IP address of the current SMTP client. This option requires that you also configure either or both FortiGuard Antispam scan and DNSBL scan. See “set as profile modify fortishield" on page 184and “set as profile modify dnsbl" on page 181. |
disable |
|
|
Enable to perform a dictionary scan. |
disable |
|
|
Enter the dictionary profile or group of dictionary profiles to use, depending on which is indicated by |
|
|
|
Select whether to apply a single dictionary profile, or a group of dictionary profiles. |
profile |
|
|
Enter the threshold for dictionary profile matches. When the dictionary profile scans an email, it counts the number of matching words or phrases, and adjusts this total according to pattern-weight <weight_int> and pattern-max-weight <weight_int>. If the result equals or exceeds this threshold, then FortiMail applies the action in action-dictionary <action-profile_name>. |
|
|
|
Enable to perform DKIM scan. If either SPF or DKIM scans pass, then the DMARC scan will pass. If both fail, then DMARC fails. |
disable |
|
|
Enable or disable checking invalid DKIM body hash or signature. |
enable |
|
|
Enable or disable checking for instances where the DNS server has no DKIM record, or the record could not be correctly parsed. |
disable |
|
|
Enable or disable DKIM check passing. |
disable |
|
|
Enable or disable checking for instances where DNS server returns a temporary error when querying the DKIM DNS record. |
disable |
|
|
Enable to have the unit perform email authentication with SPF and DKIM checking. If either SPF check or DKIM check passes, DMARC check will pass. If both fail, DMARC fails. |
enable |
|
|
Enable or disable DMARC check failing. |
enable |
|
|
Enable or disable checking for instances where no DMARC DNS record is found, or the record could not be correctly parsed. |
disable |
|
|
Enable or disable DMARC check passing. |
disable |
|
|
Enable or disable checking for instances where DNS server returns Temp error when querying the DMARC DNS record. |
disable |
|
|
Enable to perform a DNSBL scan. The FortiMail unit will query DNS blocklist servers defined using “set out_profile profile modify deepheader" on page 405. |
disable |
|
|
Enable for the FortiMail unit to query the FortiGuard Antispam service to determine if any of the uniform resource identifiers (URL) in the message body are associated with spam. If any URL is blocklisted, the FortiMail unit considers the email to be spam, and you can select the action that the FortiMail unit will perform. |
disable |
|
|
Enable to perform a scan for whether or not the IP address of the SMTP client is blocklisted in the FortiGuard Antispam query. |
disable |
|
|
Enable to perform a scan for whether or not the phishing URL is blocklisted in the FortiGuard Antispam query. |
disable |
|
|
Enable to perform a greylist scan. |
disable |
|
|
Enable to perform a heuristic scan. |
disable |
|
|
Enter the score equal to or below which the FortiMail unit considers an email to not be spam. |
‑20.000000 |
|
|
Enter the percentage of the total number of heuristic rules that will be used to calculate the heuristic score for an email message. The FortiMail unit compares this total score to the upper and lower level threshold to determine if an email is:
To improve system performance and resource efficiency, enter the lowest percentage of heuristic rules that results in a satisfactory spam detection rate. |
100 |
|
|
Enter the score equal to or above which the FortiMail unit considers an email to be spam. |
10.000000 |
|
|
Enable to perform an image spam scan. |
disable |
|
|
Enter the impersonation profile that FortiMail uses to prevent email spoofing attacks. |
|
|
|
Enable to perform a sender impersonation analysis scan. This automatically learns and tracks the mapping of display names and internal email addresses to prevent spoofing attacks. Note: For this setting to take effect, |
disable |
|
|
Enable to perform cousin domain, sender impersonation, and SPF sender alignment scans (if they are enabled). Note: When you enable this setting, |
disable |
|
|
Enable to query the FortiGuard Antispam service about the reputation of the public IP address of the SMTP client to determine if it is blocklisted. FortiGuard categorizes blocklisted IP addresses into three levels. Level 1 has the worst reputation and level 3 the best. |
disable |
|
|
Enable to query the FortiGuard Antispam service about the reputation of the public IP address of the SMTP client to determine if it is blocklisted. |
disable |
|
|
Enable to query the FortiGuard Antispam service about the reputation of the public IP address of the SMTP client to determine if it is blocklisted. |
disable |
|
|
Enable to detect newsletters and other marketing campaigns that are not spam. |
|
|
|
Enable to automatically update personal safelist database from sent email. |
disable |
|
|
Enable to perform a safelist word scan. The scan will examine the email for words configured in “set out_profile profile modify safelistwordlist" on page 426. |
disable |
|
|
Enable to omit antispam scans when an SMTP sender is authenticated. |
disable |
|
|
Enter the maximum size, in bytes, that the FortiMail unit will scan for spam. Messages exceeding the limit will not be scanned for spam. To scan all email regardless of size, enter |
|
|
|
Enable to scan the first page of PDF attachments using heuristic, banned word, and image spam scans, if they are enabled. |
disable |
|
|
Enable to temporarily hold suspicious email for a certain period of time (see outbreak-protection-period <minutes_int>) if the enabled FortiGuard Antispam check (block IP and/or URL filter) returns no result. After the specified time interval, FortiMail will query the FortiGuard server again. This provides an opportunity for the FortiGuard Antispam service to update its database when a spam outbreak occurs. When set to |
disable | |
|
Enable to have the FortiMail unit perform the action configured in this antispam profile, instead of the action configured in the session profile. See spf-validation {enable | disable}. You can specify different actions toward different SPF check results:
|
disable |
|
|
Enable to make the FortiMail unit check if the host is not authorized to send messages. If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-fail. |
|
|
|
Enable to make the FortiMail unit check if the SPF record is found but no definitive assertion. If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-neutral. |
|
|
|
Enable to make the FortiMail unit check if there is no SPF record. If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-none. |
|
|
|
Enable to make the FortiMail unit check if the host is authorized to send messages. If the client IP address fails the SPF check, FortiMail takes the antispam action configured in action-spf-pass. |
|
|
|
Enable to make the FortiMail unit check if the header from the authorization domain is mismatched. If the client IP address fails the SPF check, FortiMail takes the desired action entered in action-spf-sender-alignment. Note: For this setting to take effect, |
|
|
|
Enable to make the FortiMail unit check if the SPF records are invalid. If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-perm-error. |
|
|
|
Enable to make the FortiMail unit check if the host is not authorized to send messages but not a strong statement. If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-soft-fail. |
enable |
|
|
Enable to make the FortiMail unit check if there is a processing error. If the client IP address fails the SPF check, FortiMail takes the antispam action entered in |
|
|
|
Enable to perform a SURBL scan. The FortiMail unit will query SURBL servers defined using “set out_profile profile modify surblserver" on page 421. |
disable |
|
|
Enable the detection of newsletters. |
disable | |
|
Enter the URL filter to use. |
|
|
|
To take different actions towards different URL filters/categories, you can specify a primary and a secondary filter, and specify different actions for each filter. If both URL filters match an email message, the primary filter action will take precedence. |
|
|
|
Enable or disable the secondary URL filter scan. |
disable | |
|
Enable or disable URL filter scan. |
disable | |
|
Enable to treat email with viruses as spam. When enabled, instead of performing the action configured in the antivirus profile, the FortiMail unit will instead perform either the general or individualized action in the antispam profile. For details, see “set out_profile profile modify individualaction" on page 415and “set out_profile profile modify actions" on page 400. |
disable |
|
|
Enable or disable the weighted analysis profile (also called "business email compromise (BEC)") scan. |
disable |
|
|
Enter the weighted analysis profile to use. |
|