Configuring antispam action profiles
The Action tab in the AntiSpam submenu lets you define one or more things that the FortiMail unit should do if the antispam profile determines that an email is spam. For example, assume you configured an antispam action profile, named quar_and_tag_profile, that both tags the subject line and quarantines email detected to be spam. In general, all antispam profiles using quar_and_tag_profile will quarantine the email and tag it as spam. However, you can decide that email that does not pass the dictionary scan is always spam and should be rejected so that it does not consume quarantine disk space. Therefore, for the antispam profiles that apply a dictionary scan, you could override the action profile’s default action by configuring and using a second action profile, named rejection_profile, which rejects such email.
To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category. For details, see “About administrator account permissions and domains” on page 290.
To view and configure antispam action profiles
- Go to Profile > AntiSpam > Action.
Figure 211: Viewing the list of antispam action profiles
GUI item | Description |
Domain (drop-down list) | Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile. |
Profile Name | Displays the name of the profile. |
Domain (column) | Displays either System or a domain name. |
Direction | Displays either Incoming for a profile that can be used by an incoming policy, or Outgoing for a profile that can be used by an outgoing policy. |
(Green dot in column heading) | Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted. |
- Either click New to add a profile or double-click an existing profile to modify it.
A dialog appears.
Figure 212: Configuring an antispam action profile
- Configure the following:
GUI item | Description |
Domain | Select if the action profile will be system-wide or domain-wide. You can see only the domains that are permitted by your administrator profile. |
Profile name | For a new profile, enter a name. |
Direction | Specify either Incoming for a profile that can be used by an incoming antispam profile, or Outgoing for a profile that can be used by an outgoing antispam profile. For definitions of outgoing and incoming email, see “Incoming versus outgoing email messages” on page 454. |
Tag email’s subject line | Enable and enter the text that appears in the subject line of the email, such as [spam], in the With value field. The FortiMail unit will prepend this text to the subject line of spam before forwarding it to the recipient. Many email clients can sort incoming email messages into separate mailboxes, including a spam mailbox, based on text appearing in various parts of email messages, including the subject line. For details, see the documentation for your email client. |
Insert new header | Enable and enter the message header key in the field, and the values in the With value field. The FortiMail unit adds this text to the message header of the email before forwarding it to the recipient. Many email clients can sort incoming email messages into separate mailboxes, including a spam mailbox, based on text appearing in various parts of email messages, including the message header. For details, see the documentation for your email client. Message header lines are composed of two parts: a key and a value, which are separated by a colon. For example, you might enter: X-Custom-Header: Detected as spam by profile 22. If you enter a header line that does not include a colon, the FortiMail unit will automatically append a colon, causing the entire text that you enter to be the key. Note: Do not enter spaces in the key portion of the header line, as these are forbidden by RFC 2822. |
Deliver to alternate host | Enable to route the email to a specific SMTP server or relay, then type the fully qualified domain name (FQDN) or IP address of the destination. Note: If you enable this setting, the FortiMail unit uses this destination for all email that matches the profile and ignores Relay server name and Use this domain’s SMTP server to deliver the mail. |
BCC | Enable to send a blind carbon copy (BCC) of the email. Configure BCC recipient email addresses by entering each one and clicking Create in the BCC area. |
Archive to account | Enable to send the email to an archiving account. Click New to create a new archiving account or click Edit to modify an existing account. For details about archiving accounts, see “Email archiving workflow” on page 656. |
Notify with profile | Enable and select a notification profile to send a notification email to the sender, recipient, or any other people as you configure in the notification profile. The notification email is customizable and will tell the users what happened to the email message. For details about notification profiles and email templates, see “Configuring notification profiles” on page 600 and “Customizing email templates” on page 288. |
Reject | Enable to reject the email and reply to the SMTP client with SMTP reply code 550. |
Discard | Enable to accept the email, but then delete it instead of delivering the email, without notifying the SMTP client. |
Personal quarantine | Enable to redirect spam to the per-recipient quarantine. For more information, see “Managing the personal quarantines” on page 182. This option is available only for incoming profiles. |
Send quarantine report | Enable this option so that the FortiMail unit can send out quarantine reports according to the report schedule. For more information, see “Configuring email quarantines and quarantine reports” on page 601. Note: When sending a quarantine report to an email recipient, the FortiMail unit checks the recipients in the recipient-based policy list from top to bottom and takes the action defined in the action profile used by the recipient’s first policy. For example, if recipient user1@example.com has two policies: • The first policy uses a non-scanning antispam profile for sender pattern *@example2.com. • The second policy uses a more strict antispam profile for all other senders (sender pattern *@*). In this case, if you do not enable the Send a quarantine report option for the first policy, while enabling the option for the second policy, user1@example.com will not get quarantine reports because the FortiMail unit takes actions according to the action profile used in the first matching policy. Therefore, if the recipient has more than one policy, you must use the same antispam action profile to avoid the above problem. |
Email release | Enable to allow email users to remotely release email from their quarantine by sending email to quarantine control account email addresses. For more information, see “Configuring the quarantine control accounts” on page 612. |
Web release | Enable to allow email users to remotely release email from their quarantine by selecting the Release link in a quarantine report. For more information, see “About the HTML formatted quarantine report” on page 607. |
BCC released email | Enable to send a blind carbon copy (BCC) of the released email when a message is released from quarantine. Configure BCC recipient email addresses by entering each one and clicking Create in the BCC area. This is useful for the administrators to measure false positives and adjust policies, because email users may not submit false positive messages. |
Whitelist sender of released messages | Enable to automatically add the sender email address of a quarantined email to the email user’s personal white list when the user releases that email from the quarantine, if the option is also enabled in the email user’s preferences. For more information, see “Configuring the personal black lists and white lists” on page 620. Email users’ preferences can be configured from both the Preferences tab of FortiMail webmail and from the web UI. For more information, see “Configuring user preferences” on page 428. |
Delete messages after | Enter the number of days you want to keep the quarantined email. Enter a small enough value to prevent the size of the quarantine from exceeding the available disk space. If you enter 0 to prevent automatic deletion of quarantined files, you must periodically manually remove old files. |
System quarantine | Enable to redirect spam to the system quarantine. For more information, see “Managing the system quarantine” on page 188. The two quarantine options are mutually exclusive. |
Rewrite recipient email address | Enable to change the recipient address of any email message detected as spam. Configure rewrites separately for the local-part (the portion of the email address before the ‘@’ symbol, typically a user name) and the domain part (the portion of the email address after the ‘@’ symbol). For each part, select either: • None: No change. • Prefix: Prepend the part with text that you have entered in the With field. • Suffix: Append the part with the text you have entered in the With field. • Replace: Substitute the part with the text you have entered in the With field. |
- Click Create or OK.
To apply an antispam action profile, select it in one or more antispam profiles. For details, see “Managing antispam profiles” on page 503.
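The first-match behaviour described in the Send quarantine report note can be checked offline against an export of the recipient-based policy list. The following is an added example, not Fortinet code and not FortiMail's configuration format: the ActionProfile and RecipientPolicy classes, the shell-style pattern matching, the profile name no_scan_action and the sample policies are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class ActionProfile:          # hypothetical model of an antispam action profile
    name: str
    personal_quarantine: bool
    send_quarantine_report: bool

@dataclass(frozen=True)
class RecipientPolicy:        # hypothetical model of one recipient-based policy
    sender_pattern: str       # ignored for report decisions, as the note describes
    recipient_pattern: str
    action: ActionProfile

def policies_for(recipient, policies):
    """Policies whose recipient pattern matches, kept in top-to-bottom order."""
    rcpt = recipient.lower()
    return [p for p in policies if fnmatchcase(rcpt, p.recipient_pattern.lower())]

def report_sent(recipient, policies):
    """Per the note, only the recipient's first policy decides whether a report is sent."""
    matching = policies_for(recipient, policies)
    return bool(matching) and matching[0].action.send_quarantine_report

def audit(recipients, policies):
    """Find recipients whose mail can be quarantined by a later policy with reports
    enabled while the first policy's action profile has reports disabled."""
    findings = []
    for rcpt in recipients:
        matching = policies_for(rcpt, policies)
        if not matching or matching[0].action.send_quarantine_report:
            continue
        later = [p.action.name for p in matching[1:]
                 if p.action.personal_quarantine and p.action.send_quarantine_report]
        if later:
            findings.append((rcpt, matching[0].action.name, later))
    return findings

# Constructed sample policies mirroring the user1@example.com case in the note.
NO_SCAN = ActionProfile("no_scan_action", False, False)
STRICT = ActionProfile("quar_and_tag_profile", True, True)
POLICIES = [
    RecipientPolicy("*@example2.com", "user1@example.com", NO_SCAN),
    RecipientPolicy("*@*", "user1@example.com", STRICT),
    RecipientPolicy("*@*", "user2@example.com", STRICT),
]
print(audit(["user1@example.com", "user2@example.com"], POLICIES))
```

Each finding lists the recipient, the action profile of the first policy, and the later profiles whose quarantine reports it suppresses.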
Hi, on these instructions it states “personal black lists and white lists” on page 620.”
Where can I get the book to view page 620??
https://docs.fortinet.com/d/fortimail-5.4.0-administration-guide
That is a PDF version of the FortiMail documentation. 620 is referenced there.
Hello,
What about the confidence degree of Header Analysis (also called Deepheader Analysis)? The default value is 95.0, and statistically on dozens of emails, all the values are always within range 95,03- 95,09. What is really checked in headers? In our organization (government – 5000 users) we have lots of SPAM caught but also lots of false positives caught by this feature…
Unfortunately the defaults are just “broad strokes”. A lot of tweaking is necessary to get things to where you are in your organization’s happy range of false positives vs missed spam.
Hello,
Do we have some additional info regarding heuristic filter? It is quite tricky to proceed with fine tuning with this light description. In my case, default settings just catch anything (around 10 emails out of 150’000… Now I have decreased threshold value to 3.0 and increased percentage of rules to 50% and now it catches around 200 emails out of 750’000 … still no false-positive.
Hello,
Is there a way to clear only one entry in the LDAP cache ? Since we have over 10’000 users and that there are multiple routers and FW between the SMTP Gateway and the LDAP servers we do not want to clear the whole cache.