Configuring deep header options
The Deep header section of an antispam profile lets you configure the FortiMail unit for more extensive inspection of message headers. Deep header scanning involves two separate checks:
- Black IP checking examines the Received: message header. The FortiMail unit then extracts any URIs or IPs from the header and passes them to the FortiGuard Antispam service, DNSBL, or SURBL servers for spam checking.
- Header analysis examines the entire message header for spam characteristics.
If the message header inspection indicates that the email message is spam, the FortiMail unit treats the email as spam and performs the associated action.
To configure deep header scan options
- When configuring an antispam profile, enable Deep header in the AntiSpam Profile dialog.
- Click the arrow to expand Deep header.
- From Action, select the action profile that you want the FortiMail unit to use if the deep header scan finds spam email.
For more information, see “Configuring antispam action profiles” on page 516.
- Enable Black IP to query the blacklist status of the IP addresses of all SMTP servers appearing in the Received: lines of the message header.
- If this option is disabled, the FortiMail unit checks only the IP address of the current SMTP client.
- This option applies only if you have also configured either or both FortiGuard and DNSBL. For more information, see “Configuring FortiGuard options” on page 506 and “Configuring DNSBL options” on page 507.
- Enable Headers analysis to inspect all message headers for known spam characteristics.
If FortiGuard is enabled, this option uses results from that scan, providing up-to-date header analysis. For more information, see “Configuring FortiGuard options” on page 506.
- Continue to the next section, or click Create or OK to save the antispam profile.
Configuring SURBL options
In addition to supporting Fortinet’s FortiGuard Antispam SURBL service, the FortiMail unit supports third-party Spam URI Realtime Block Lists (SURBL) servers. You can specify which public SURBL servers to use as part of an antispam profile. Consult the third-party SURBL service providers for any conditions and restrictions.
The SURBL section of antispam profiles lets you configure the FortiMail unit to query one or more SURBL servers to determine if any of the uniform resource identifiers (URI) in the message body are associated with spam. If a URI is blacklisted, the FortiMail unit treats the email as spam and performs the associated action. There are two types of URIs. For details, see “URI types” on page 507.
To configure SURBL scan options
- When configuring an antispam profile, enable SURBL in the AntiSpam Profile dialog.
- From Action, select the action profile that you want the FortiMail unit to use if the SURBL scan finds spam email.
For more information, see “Configuring antispam action profiles” on page 516.
- Next to SURBL click Configuration.
A pop-up window appears that displays the domain names of the SURBL servers.
- To add a new SURBL server address, click New and type the address in the field that appears.
Because the servers are queried from top to bottom, you may want to put the most reliable servers with the least traffic at the top of the list. Click the drop-down menu in the title bar to sort the entries.
- Select a server and click OK.
The pop-up window closes.
- Continue to the next section, or click Create or OK to save the antispam profile.
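The Black IP check and the SURBL check described above, as an added example that is not FortiMail's own code: it extracts the hop addresses from the Received: headers and the URI hosts from the body, builds the DNSBL- and SURBL-style query names, and looks them up in a constructed in-memory blocklist that stands in for the real DNS queries. The sample message, the blocklist and the zone names dnsbl.example and surbl.example are placeholders.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed sample message (not a real capture); the addresses are RFC 5737 documentation ranges.
SAMPLE_MESSAGE = (
    "Received: from relay.example.org ([198.51.100.7])\n"
    "\tby mx.example.com with ESMTP; Tue, 1 Jan 2019 10:00:00 +0000\n"
    "Received: from [10.0.0.5] (unknown [192.0.2.10]) by relay.example.org with SMTP\n"
    "\n"
    "See http://shop.example.net/deal and https://www.example.com/ok\n"
)
# Constructed blocklist standing in for the DNS answers; the zone names are placeholders.
LISTED = {"10.2.0.192.dnsbl.example", "example.net.surbl.example"}
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
URI_HOST_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)
def dnsbl_query_name(ip, zone):
    """DNSBL convention: octets reversed, then the list zone (1.2.3.4 -> 4.3.2.1.zone)."""
    return ".".join(reversed(ip.split("."))) + "." + zone
def surbl_query_name(host, zone):
    """SURBL lists registered domains; taking the last two labels is a simplification."""
    return ".".join(host.lower().split(".")[-2:]) + "." + zone

def received_ips(msg, black_ip):
    """Public IPv4 hops from the Received: headers, newest first (newest only if Black IP is off)."""
    headers = msg.get_all("Received", [])
    headers = headers if black_ip else headers[:1]   # Black IP off: only the connecting SMTP client
    ips = []
    for hdr in headers:
        for text in IP_RE.findall(hdr):
            try:
                ip = ip_address(text)
            except ValueError:      # the regex also matches non-addresses such as 999.1.1.1
                continue
            if not any(ip in net for net in LOCAL_NETS) and text not in ips:
                ips.append(text)    # skipping RFC 1918/loopback hops is this example's choice
    return ips

def deep_header_scan(raw, listed=LISTED, black_ip=True, ip_zone="dnsbl.example", uri_zone="surbl.example"):
    """Return (kind, value, query_name) for every listed Received: hop and body URI host."""
    msg = message_from_string(raw)
    hits = [("ip", ip, dnsbl_query_name(ip, ip_zone)) for ip in received_ips(msg, black_ip)
            if dnsbl_query_name(ip, ip_zone) in listed]
    for host in URI_HOST_RE.findall(msg.get_payload()):
        name = surbl_query_name(host, uri_zone)
        if name in listed:
            hits.append(("uri", host, name))
    return hits
```

With Black IP disabled, the listed second-hop address 192.0.2.10 is never queried, which is the difference the option makes.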
Configuring Bayesian options
The Bayesian section of antispam profiles lets you configure the FortiMail unit to use Bayesian databases to determine if the email is likely to be spam. If the Bayesian scan indicates that the email is likely to be spam, the FortiMail unit treats the email as spam and performs the associated action.
FortiMail units can maintain multiple Bayesian databases: global, per-domain, and per-user.
- For outgoing email, the FortiMail unit uses the global Bayesian database.
- For incoming email, the database used for the Bayesian scan depends on the configuration of the incoming antispam profile, the configuration of the protected domain, and the maturity of the personal Bayesian database.
Before using Bayesian scans, you must train one or more Bayesian databases in order to teach the FortiMail unit which words indicate probable spam. If a Bayesian database is not sufficiently trained, it can increase false positive and/or false negative rates. You can train the Bayesian databases of your FortiMail unit in several ways. For more information, see “Training the Bayesian databases” on page 645.
To configure Bayesian scan options
- When configuring an antispam profile, enable Bayesian in the AntiSpam Profile dialog.
- Click the arrow to expand Bayesian.
- From Action, select the action profile that you want the FortiMail unit to use if the Bayesian scan finds spam email.
For more information, see “Configuring antispam action profiles” on page 516.
- Configure the following:
| GUI item | Description |
|---|---|
| Use personal database | Enable to use the per-user Bayesian databases instead of the global or per-domain Bayesian database, if the personal Bayesian database is mature. If the email user’s personal Bayesian database is not yet mature, the FortiMail unit will instead continue to use the global or per-domain Bayesian database. Note: Bayesian scan results may be unreliable if the Bayesian database being used has not been sufficiently trained. For more information, see “Training the Bayesian databases” on page 645. Personal databases can provide better individual results because they are trained by the email user and therefore contain statistics derived exclusively from that email user’s messages. Disable to use either the global or per-domain Bayesian database. Whether the FortiMail unit will use the global or per-domain Bayesian database varies by your selection in the protected domain. This option is available only if Direction is Incoming. (Personal Bayesian databases cannot be used when the recipient does not belong to a protected domain, which defines outgoing email.) |
| Accept training messages from users | Enable to accept training messages from email users. Training messages are email messages that email users forward to the email addresses of control accounts, such as is-spam@example.com, in order to train or correct Bayesian databases. For information on Bayesian control account email addresses, see “Configuring the quarantine control accounts” on page 612. FortiMail units apply training messages to either the global or per-domain Bayesian database depending on your configuration of the protected domain to which the email user belongs. If Use personal database is enabled, the FortiMail unit will also apply training messages to the email user’s personal Bayesian database. Disable to discard training messages. This option is available only if Direction is Incoming. (Personal and per-domain Bayesian databases cannot be used when the recipient does not belong to a protected domain, which defines outgoing email.) |
| Use other techniques for auto training | Enable to use scan results from FortiGuard, SURBL, and per-user and system-wide white lists to train per-user Bayesian databases until those databases are considered to be mature. For information on database maturity, see “Backing up, batch training, and monitoring the Bayesian databases” on page 649. This option is available only if Direction is Incoming. (Personal and per-domain Bayesian databases cannot be used when the recipient does not belong to a protected domain, which defines outgoing email.) |
- Continue to the next section, or click Create or OK to save the antispam profile.
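The database selection and training behaviour described above, as an added example that is not FortiMail's own code: a small naive Bayes database that is trained the way a control-account training message would train it, plus the rule that outgoing mail always uses the global database while incoming mail uses the recipient's personal database only when the option is enabled and that database is mature. The maturity rule (ten spam and ten non-spam training messages) and the 0.5 cutoff are this example's assumptions; the page does not give FortiMail's criteria.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z][a-z']+")

class BayesianDB:
    """Word statistics for one database (global, per-domain or per-user)."""
    def __init__(self):
        self.spam, self.ham = Counter(), Counter()
        self.n_spam = self.n_ham = 0

    def train(self, text, is_spam):
        """One training message, as forwarded to the is-spam / is-not-spam control account."""
        (self.spam if is_spam else self.ham).update(set(TOKEN_RE.findall(text.lower())))
        if is_spam:
            self.n_spam += 1
        else:
            self.n_ham += 1

    def is_mature(self, min_each=10):
        # Maturity rule is this example's assumption; FortiMail's own criteria are not given here.
        return self.n_spam >= min_each and self.n_ham >= min_each

    def spam_probability(self, text):
        """Naive Bayes with add-one smoothing, accumulated in log space to avoid underflow."""
        total = self.n_spam + self.n_ham
        if self.n_spam == 0 or self.n_ham == 0:
            return 0.5                      # untrained database: no evidence either way
        log_spam, log_ham = math.log(self.n_spam / total), math.log(self.n_ham / total)
        for w in set(TOKEN_RE.findall(text.lower())):
            log_spam += math.log((self.spam[w] + 1) / (self.n_spam + 2))
            log_ham += math.log((self.ham[w] + 1) / (self.n_ham + 2))
        return 1 / (1 + math.exp(log_ham - log_spam))

def select_database(direction, domain_or_global_db, personal_db, use_personal_database):
    """Outgoing mail always uses the global database; incoming mail uses the recipient's
    personal database only when the option is enabled and that database is mature."""
    if direction == "incoming" and use_personal_database and personal_db.is_mature():
        return personal_db
    return domain_or_global_db

def classify(direction, text, domain_or_global_db, personal_db, use_personal_database=True, cutoff=0.5):
    """Spam verdict using whichever database the profile and protected-domain settings select."""
    db = select_database(direction, domain_or_global_db, personal_db, use_personal_database)
    return db.spam_probability(text) >= cutoff
```

An immature personal database falls back to the global one, so a user who has forwarded only a couple of training messages is not yet scored on their own statistics.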
Configuring heuristic options
The FortiMail unit includes rules used by the heuristic filter. Each rule has an individual score used to calculate the total score for an email. A threshold for the heuristic filter is set for each antispam profile. To determine if an email is spam, the heuristic filter examines an email message and adds the score for each rule that applies to get a total score for that email. For example, if the subject line of an email contains “As seen on national TV!”, it might match a heuristic rule that increases the heuristic scan score towards the threshold.
- Email is spam if the total score equals or exceeds the threshold.
- Email is not spam if the total score is less than the threshold.
The FortiMail unit comes with a default heuristic rule set. To ensure that rules for the latest spam techniques are among the rules used to calculate the score, update your FortiGuard Antispam packages regularly. See “Configuring FortiGuard updates and antispam queries” on page 233.
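The scoring rule above, as an added example that is not FortiMail's own rule set: a handful of constructed rules with illustrative scores, the threshold comparison, and the effect of the percentage-of-rules setting. The assumed default threshold of 5.0 and the choice of which rules the percentage keeps (a prefix of the list) are this example's placeholders, since the page gives neither.

```python
import re

# Constructed rule set: names, patterns and scores are illustrative, not FortiMail's actual rules.
# Each rule: (name, header field or body, regex, score); a negative score counts toward ham.
RULES = [
    ("SUBJECT_TV_CLAIM", "subject", r"as seen on (national )?tv", 2.5),
    ("SUBJECT_ENDS_EXCLAIM", "subject", r"!\s*$", 1.0),
    ("BODY_FREE_MONEY", "body", r"\bfree money\b", 2.0),
    ("BODY_CLICK_HERE", "body", r"\bclick here\b", 0.5),
    ("BODY_URGENT", "body", r"\burgent\b", 1.0),
    ("BODY_UNSUBSCRIBE", "body", r"\bunsubscribe\b", -0.5),
]
DEFAULT_THRESHOLD = 5.0   # placeholder; the page does not state FortiMail's default

def rules_in_use(rules, percentage):
    """Keep the first N rules, N being the given percentage of the rule set
    (which rules a real unit drops is not documented here; taking a prefix is an assumption)."""
    n = max(1, len(rules) * percentage // 100)
    return rules[:n]

def heuristic_score(subject, body, rules):
    """Add the score of every rule whose pattern matches its field; returns (total, matched names)."""
    fields = {"subject": subject, "body": body}
    total, matched = 0.0, []
    for name, field, pattern, score in rules:
        if re.search(pattern, fields[field], re.IGNORECASE):
            total += score
            matched.append(name)
    return total, matched

def is_spam(subject, body, threshold=DEFAULT_THRESHOLD, percentage=100, rules=RULES):
    """Spam if the total equals or exceeds the threshold, otherwise not spam."""
    total, matched = heuristic_score(subject, body, rules_in_use(rules, percentage))
    return total >= threshold, total, matched
```

Lowering the threshold while cutting the percentage of rules, as the comment below describes, changes both which rules can fire and how many points are needed, so the two settings should be tuned together against a sample of known ham and spam.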
To configure heuristic scan options
- When configuring an antispam profile, enable Heuristic in the AntiSpam Profile dialog.
- Click the arrow to expand Heuristic.
- From Action, select the action profile that you want the FortiMail unit to use if the heuristic scan finds spam email.
For more information, see “Configuring antispam action profiles” on page 516.
- In Threshold, enter the score at which the FortiMail unit considers an email to be spam. The default value is recommended.
- In The percentage of rules used, enter the percentage of the total number of heuristic rules to use to calculate the heuristic score for an email message.
- Continue to the next section, or click Create or OK to save the antispam profile.
Hi, on these instructions it states “personal black lists and white lists” on page 620.
Where can I get the book to view page 620?
https://docs.fortinet.com/d/fortimail-5.4.0-administration-guide
That is a PDF version of the FortiMail documentation. 620 is referenced there.
Hello,
What about the confidence degree of Header Analysis (also called Deepheader Analysis)? The default value is 95.0, and statistically, on dozens of emails, all the values are always within the range 95,03-95,09. What is really checked in headers? In our organization (government – 5000 users) we have lots of SPAM caught but also lots of false positives caught by this feature…
Unfortunately the defaults are just “broad strokes”. A lot of tweaking is necessary to get things to where you are in your organization’s happy range of false positives vs missed spam.
Hello,
Do we have some additional info regarding the heuristic filter? It is quite tricky to proceed with fine tuning with this light description. In my case, default settings just catch anything (around 10 emails out of 150’000)… Now I have decreased the threshold value to 3.0 and increased the percentage of rules to 50% and now it catches around 200 emails out of 750’000 … still no false positives.
Hello,
Is there a way to clear only one entry in the LDAP cache? Since we have over 10’000 users and there are multiple routers and FWs between the SMTP Gateway and the LDAP servers, we do not want to clear the whole cache.