Order of execution
FortiMail units perform each of the antispam scanning and other actions in the following sequence, from the top of the table towards the bottom. Disabled scans are skipped.
This table does not include everything the FortiMail unit does when a client connects to deliver email. Only the antispam techniques, and other functions having an effect on the antispam techniques, are included. Other non-antispam functions may be running in parallel to the ones in the table.
The PDF file type scan does not appear in this table. When enabled, the PDF file type converts the first page of any PDF attachments into to a format the heuristic, banned word, and image spam scanners can scan. If any of these scanners are enabled, they will scan the first page of the PDF at the same time they examine the message body, according to the sequence in the table below.
Table 2: Execution sequence of antispam techniques
| Check | Check Involves | Action If Positive | Action If Negative |
| Client initiates communication with the FortiMail unit | |||
| Sender reputation | Client IP address | If the client IP is in the sender reputation database, check the score and enable any appropriate restrictions, if any. | Add the IP address to the sender reputation database and keep a reputation score based on the email received.
Proceed to the next check. |
| FortiGuard black IP check | Client IP address | If the “Check FortiGuard Black IP at connection phase” is enabled in a session profile, FortiMail will check the client IP address against the FortiGuard black IP list. If positive, FortiMail rejects the email. | Proceed to the next check. |
| Endpoint reputation | Client endpoint ID | If the client endpoint ID is in the sender reputation database, check the score and enable any appropriate restrictions, if any. | Add the IP address to the endpoint reputation database and keep a reputation score based on the email received.
Proceed to the next check. |
| Sender rate control per connection | Client IP address | Apply any connection limitations specified in the session profile.
Proceed to the next check. |
In there are no connection
limitations, or if no session profile applies, proceed to the next check. |
| HELO/EHLO received from SMTP client | |||
| HELO/EHLO | Domain of the HELO/EHLO command | If invalid characters appear in the domain, reject the HELO/EHLO command. Session will not continue until a proper
HELO/EHLO command is received. |
Proceed to the next check. |
| MAIL FROM: and RCPT TO: commands received from SMTP client | |||
| Sender rate control per message | Client IP address | Apply any connection limitations specified in the session profile.
Proceed to the next check. |
In there are no connection
limitations, or if no session profile applies, proceed to the next check. |
| Sender domain check | Domain of envelope sender (MAIL FROM:) | If any of the domain checks (the Check sender domain and Reject empty domains checks listed in Unauthenticated Session Settings in the session profile) fail, an error is returned to the SMTP client. The error depends on which particular check failed. | Proceed to the next check. |
| System white
list (Phase I) |
Client IP address and email address/domain of the envelope sender
(MAIL FROM:) |
If the client IP or email address/domain of the sender appear in the system white list, deliver the email and cancel remaining antispam checks. | Proceed to the next check. |
| System black
list (Phase I) |
Client IP address and email address/domain of the envelope sender
(MAIL FROM:) |
If the client IP or email address/domain of the sender appear in the system black list, invoke the black list action for the email. | Proceed to the next check. |
| Session sender white list (Phase I) | Client IP address and email address/domain of the envelope sender
(MAIL FROM:) |
If the client IP or email address/domain of the sender appear in the session white list, deliver the message and cancel remaining antispam checks. | Proceed to the next check. |
| Session
sender black list (Phase I) |
Client IP address and email address/domain of the envelope sender
(MAIL FROM:) |
If the client IP or email address/domain of the sender appear in the session black list, invoke the black list action for the message. | Proceed to the next check. |
| Authentication
difference check |
Envelope sender (MAIL FROM:) | Checks to see if the sender email address in the SMTP envelope matches the authenticated user name. If not allowed in the IP-based policy, the email will be rejected. | Proceed to the next check. |
| Bounce
Verification |
Envelope recipient (RCPT TO:) | Apply actions specified in the bounce verification settings. | Proceed to the next check. |
| Access control rules | Client IP address, envelope sender and recipient (MAIL FROM: and RCPT TO:) | If the combination of client IP, the domain/email address of the sender, and the domain/email of the recipient matches an access control rule (Policy >
Access Control > Receive), the FortiMail unit performs the action selected in the access control rule, which is one of the following: • BYPASS: Accept and relay the email, skipping all subsequent antispam checks, except greylisting, if the sender or recipient belongs to a protected domain. • RELAY: Accept and relay the email if it passes subsequent antispam checks. Do not apply greylisting. • REJECT: Reject the email and return SMTP reply code 550 to the client. • DISCARD: Accept the email, but silently delete it instead of delivering it. Neither the sender nor the recipient are notified of the deletion. |
If a matching access control rule does not exist, and if the recipient is a member of a protected domain, the default action is RELAY; if the recipient is not a member of a protected domain, the default action is
REJECT. For more information, see “Configuring access control rules” on page 456. |
| Recipient domain check | Domain of
envelope recipient (RCPT TO:) |
If any of the domain checks (the
Check recipient domain and Reject if recipient and helo domain match but sender domain is different checks listed in Unauthenticated Session Settings in the session profile) fail, an error is returned to the SMTP client. The error depends on which check failed. |
Proceed to the next check. |
| Session recipient white
list |
Envelope recipient (RCPT TO:) | If the recipient appears in the
session recipient white list, deliver the message and cancel remaining antispam checks. |
Proceed to the next check. |
| Session recipient black
list |
Envelope recipient (RCPT TO:) | If the recipient appears in the session recipient black list, reject the message. | Proceed to the next check. |
| Greylist | Envelope sender (MAIL FROM:), envelope recipient (RCPT TO:), and
client IP subnet address |
If the sender is in the greylist database or if the client IP subnet appears in the greylist exempt list, the message is passed to the next check.
Note: This check is omitted if the access control rule’s action is RELAY. |
If the sender is not in the greylist database, a temporary failure code is returned to the SMTP client. |
| DATA command received from SMTP client | |||
| System white
list (Phase II) |
Message header sender (From:) | If the email address/domain of the sender appears in the system white list, deliver the message and cancel remaining antispam checks. | Proceed to the next check. |
| System black
list (Phase II) |
Message header sender (From:) | If the email address/domain of the sender appears in the system black list, invoke the black list action for the message. | Proceed to the next check. |
| Domain white
list |
Client IP, envelope sender (MAIL FROM:) and message header sender
(From:) |
If the client IP, email address/domain of the sender appears in the domain white list, deliver the message and cancel remaining antispam checks. | Proceed to the next check. |
| Domain black
list |
Client IP, envelope sender (MAIL FROM:) and message header sender
(From:) |
If the client IP, email address/domain of the sender appears in the domain white list, deliver the message and cancel remaining antispam checks. | Proceed to the next check. |
| Session
sender white list (Phase II) |
Message header sender (From:) | If the email address/domain of the sender appears in the session sender white list, deliver the message and cancel remaining antispam checks. | Proceed to the next check. |
| Session
sender black list (Phase II) |
Message header sender (From:) | If the email address/domain of the sender appears in the session sender black list, the black list action is invoked. | Proceed to the next check. |
| Personal white
list |
Client IP, envelope sender (MAIL FROM:) and message header sender
(From:) |
If the client IP, email address/domain of the sender appears in the personal white list, deliver the message and cancel remaining antispam checks. | Proceed to the next check. |
| Personal black
list |
Client IP, envelope sender (MAIL FROM:) and message header sender
(From:) |
If the client IP, email address/domain of the sender appears in the personal black list, the message is discarded. | Proceed to the next check. |
| End of message (EOM) command received from SMTP client | |||
| Antivirus | Message body and attachments | If an infected message is detected, and the antispam profile is configured to treat viruses as spam, the default spam action will be invoked on the infected message. | Proceed to the next check. |
| White List
Word |
Message subject and/or body | If the whitelisted word scanner determines that the message is not spam, deliver the message and cancel remaining antispam checks. | Proceed to the next check. |
| FortiGuard Antispam | Every URI in the message body
If Black IP scan is enabled, all IP addresses in the message header are also checked. |
If the FortiGuard scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. | Proceed to the next check. |
| Forged IP | Last hop IP address
If Black IP scan is enabled, all IP addresses in the message header are also checked. If Headers analysis is enabled, the entire header is examined for characteristics of spam. |
If the forged IP scanner determines the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. | Proceed to the next check. |
| DNSBL | Client IP address | If the DNSBL scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. | Proceed to the next check. |
| SURBL | Every URI in the message body | If the SURBL scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. | Proceed to the next check. |
| Heuristic | Message body | If the heuristic antispam scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. | Proceed to the next check. |
| Banned Word | Message subject and/or body | If the banned word scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. | Proceed to the next check. |
| Dictionary | Message body | If the dictionary scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. | Proceed to the next check. |
| Image Spam | Embedded images
If Aggressive scan is enabled, attached images are also examined. |
If the image spam scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. | Proceed to the next check. |
| SPF check | Client IP address | This option compares the client IP address to the IP addresses of authorized senders in the DNS record (RFC 4408).
If failed, treat the email as spam. |
Proceed to the next check. |
| Deep Header | Message header | If the deep header scan determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. | Proceed to the next check. |
| Bayesian | Message body | If the Bayesian scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. | Proceed to the next check. |
| Suspicious Newsletter | Message header and body | If the newsletter scan determines that the message is a newsletter, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. | Proceed to the next check. |
| Content | Attachments (for content scan) and message body (for content monitor scan) | If the content scanner determines that the message is spam or prohibited, the action configured in the content profile individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. | Proceed to the next check. |