
CLI Reference

profile weighted-analysis


Use this command to configure weighted analysis profiles. To avoid false positives and false negatives, you can adjust ("weight") the scores of each type of suspicious behavior, and the total score threshold that an email must reach to be categorized as spam.

To use a weighted analysis profile, select it in an antispam profile.

Syntax

config profile weighted-analysis
  edit <profile_name>
    set comment <comment_str>
    config rule
      edit <order_index>
        set name <rule_name>
        set status {enable | disable}
        set action <profile_name>
        set threshold <score_float>
        set cousin-domain-score <score_float>
        set dictionary-profile <profile_name>
        set dictionary-threshold <limit_int>
        set action-keyword-score <score_float>
        set intelligent-analysis-score <score_float>
        set malformed-email-score <score_float>
        set sender-alignment-score <score_float>
        set suspicious-character-score <score_float>
        set url-profile <profile_name>
        set url-profile-score <score_float>
      next
    end
end
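How the score settings in a rule combine against the threshold, as an added example (not Fortinet code). It uses the values from the Default column of this page's variable table and assumes each detection that fires adds its configured score once; the function names are hypothetical.

```python
from itertools import combinations

# Defaults taken from the Default column of this page's variable table.
DEFAULT_THRESHOLD = 50.0
DEFAULT_SCORES = {
    "cousin-domain-score": 10.0,
    "action-keyword-score": 10.0,
    "intelligent-analysis-score": 50.0,
    "malformed-email-score": 10.0,
    "sender-alignment-score": 10.0,
    "suspicious-character-score": 10.0,
    "url-profile-score": 10.0,
}

def total_score(fired, scores):
    """Sum the configured score of every detection that fired (assumed additive)."""
    return sum(scores[name] for name in fired)

def triggers(fired, scores, threshold):
    """The threshold is the minimum total score that triggers the action."""
    return total_score(fired, scores) >= threshold

def minimal_trigger_sets(scores, threshold):
    """Smallest detection combinations that reach the threshold.

    A combination is minimal when no proper subset of it already triggers,
    so the result shows which signals act alone and which need company.
    """
    names = sorted(scores)
    minimal = []
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            fired = set(combo)
            if not triggers(fired, scores, threshold):
                continue
            if any(found < fired for found in minimal):
                continue  # a smaller combination inside this one already triggers
            minimal.append(fired)
    return minimal

if __name__ == "__main__":
    for combo in minimal_trigger_sets(DEFAULT_SCORES, DEFAULT_THRESHOLD):
        print(sorted(combo))
```

With the defaults, an intelligent analysis detection reaches the threshold alone, while the 10-point detections only trigger the action when five of them fire on the same email. Rerunning the function after changing a score or the threshold shows what a tuning change does to both false positives and false negatives.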

Variable
  Description
  Default

<profile_name>
  Enter the name of the weighted-analysis profile.

comment <comment_str>
  Enter a descriptive comment.

<order_index>
  Enter the numerical order of the rule in the profile.

name <rule_name>
  Enter a name for the rule.

status {enable | disable}
  Enable or disable the rule.
  Default: enable

action <profile_name>
  Enter the name of an action profile.

threshold <score_float>
  Enter the minimum total score that triggers the action.
  The total score is determined by adding all weighted scores in the rule (cousin-domain-score, etc.).
  Default: 50.000000

cousin-domain-score <score_float>
  Enter a weight-adjusted score for domain name impersonation.
  Default: 10.000000

dictionary-profile <profile_name>
  Enter the name of a dictionary profile that contains words or phrases that typically only spam has.
  Keywords are often a "call to action" that motivates the user to reply or click a hyperlink. For example, "Click here", "transfer", "money", "dollars", "bank account", "conference attendee", etc.

dictionary-threshold <limit_int>
  Enter the threshold for dictionary profile matches.
  When the dictionary profile scans an email, it counts the number of matching words or phrases, and adjusts this total according to pattern-weight <weight_int> and pattern-max-weight <weight_int>. If the result equals or exceeds this threshold, then FortiMail applies the weighted score defined in action-keyword-score <score_float>.
  Default: 1

action-keyword-score <score_float>
  Enter a weight-adjusted score to apply if an email equals or exceeds the limit in dictionary-threshold <limit_int>.
  Default: 10.000000

intelligent-analysis-score <score_float>
  Enter a weight-adjusted score for intelligent analysis detections.
  Multiple factors contribute to intelligent spam analysis in order to reduce false positives, including:
    • SPF
    • DKIM
    • DMARC
    • matching of sender addresses in the message headers (From: and Reply-To:)
    • newly registered domain names that do not have a FortiGuard Antispam rating yet
    • header analysis
    • malformed email detection
  Default: 50.000000

malformed-email-score <score_float>
  Enter a weight-adjusted score for malformed emails.
  Malformed emails are those emails that contain malformed data in the email structure, header, or body. For more information, see RFC 7103.
  Default: 10.000000

sender-alignment-score <score_float>
  Enter a weight-adjusted score for sender domain mismatches.
  Sender alignment compares the domain name of the sender email address in the message header (From:/Reply-To:) and SMTP envelope (MAIL FROM:) to look for a mismatch, which is typical of spam.
  Default: 10.000000

suspicious-character-score <score_float>
  Enter a weight-adjusted score for suspicious characters.
  Detects internationalized domain name (IDN) homograph attacks. If domain names in URLs, sender email addresses, or recipient email addresses have Unicode characters that are from different languages yet look similar (for example, A looks similar in Cyrillic, Greek, and Latin alphabets), then an attacker could trick the user into using a fraudulent website or email. FortiMail detects these as suspicious.
  Default: 10.000000

url-profile <profile_name>
  Enter the name of a URL profile to detect spam or phishing hyperlinks in email.
  Default: unrated

url-profile-score <score_float>
  Enter a weight-adjusted score for email with spam or phishing URLs.
  Default: 10.000000
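The two signals behind sender-alignment-score and suspicious-character-score, sketched as an added example (a simplified stand-in, not FortiMail's implementation). It assumes exact domain comparison for alignment and checks only the Latin, Cyrillic and Greek alphabets named above; the function names and the sample message are constructed.

```python
import unicodedata
from email.utils import parseaddr

CONFUSABLE_SCRIPTS = {"LATIN", "CYRILLIC", "GREEK"}  # alphabets named on this page

def addr_domain(value):
    """Lower-cased domain of a header or envelope address, '' if absent."""
    addr = parseaddr(value)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def sender_mismatches(mail_from, headers):
    """Header fields whose domain differs from the envelope MAIL FROM domain."""
    envelope = addr_domain(mail_from)
    return [field for field in ("From", "Reply-To")
            if headers.get(field) and addr_domain(headers[field]) != envelope]

def to_unicode(label):
    """Decode a punycode A-label (xn--...) so its real characters are inspected."""
    if label.isascii() and label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label

def mixed_script_labels(domain):
    """Domain labels that mix two or more of the confusable scripts."""
    flagged = []
    for label in map(to_unicode, domain.split(".")):
        # The first word of a Unicode character name approximates its script.
        scripts = {unicodedata.name(c, "?").split()[0] for c in label if c.isalpha()}
        if len(scripts & CONFUSABLE_SCRIPTS) > 1:
            flagged.append(label)
    return flagged

# Constructed sample: envelope sender and headers of one hypothetical message.
SAMPLE = {
    "mail_from": "<bounce@mailer.example.net>",
    "headers": {"From": "Billing <billing@example.com>",
                "Reply-To": "billing@ex\u0430mple.com"},  # U+0430 is Cyrillic "a"
}

if __name__ == "__main__":
    print(sender_mismatches(SAMPLE["mail_from"], SAMPLE["headers"]))
    print(mixed_script_labels(addr_domain(SAMPLE["headers"]["Reply-To"])))
```

A label written entirely in one non-Latin script is not flagged by this check, so a whole-script lookalike needs a different test, such as comparison against a list of protected domain names.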

Related topics

profile antispam

profile cousin-domain

profile dictionary

profile url-filter
