Configuring content monitor and filtering
The following procedure is part of the content profile configuration process. For general procedures about how to configure a content profile, see “Configuring content profiles and content action profiles” on page 526.
The monitor profile uses the dictionary profile to determine which email messages match, and the actions that will be performed if a match is found.
You can also select to scan MS Office, PDF, or archived email attachments.
To configure a content monitor profile
- Go to Profile > Content.
- Click New to create a new profile or double click on an existing profile to edit it.
- Click the arrow to expand Content Monitor and Filtering.
GUI item | Description |
Move (button) | Mark a check box to select a content monitor profile, then click this button. Choose Up or Down from the pop-up menu. Content monitor profiles are evaluated for a match in order of their appearance in this list. Usually, content monitor profiles should be ordered from most specific to most general, and from accepting or quarantining to rejecting. |
Delete (button) | Mark a check box to select a content monitor profile, then click this button to remove it. Note: Deletion does not take effect immediately; it occurs when you save the content profile. |
Enable | Select or clear the check box to enable or disable a content monitor. |
- Click New for a new monitor profile or double-click an existing profile to modify it.
A dialog appears.
Figure 218: Content Monitor Profile dialog
- Configure the following:
GUI item | Description |
Enable | Enable to use the content monitor to inspect email for dictionary matches and perform the configured action. |
Dictionary | Select either Profile or Group, then select the name of a dictionary profile or group from the drop-down list next to it. If no profile or group exists, click New to create one, or select an existing profile or group and click Edit to modify it. A dialog appears. For information on creating and editing dictionary profiles and groups, see “Configuring dictionary profiles” on page 586. |
Minimum score | Displays the number of times that an email must match the dictionary profile before it will receive the action configured in Action. Note that the score value is based on individual dictionary profile matches, not the dictionary group matches. |
Action | Displays the action that the FortiMail unit will perform if the content of the email message matches words or patterns from the dictionary profile. If no action exists, click New to create one, or select an existing action and click Edit to modify it. A dialog appears. For information on action profiles, see “Configuring content action profiles” on page 535. |
Scan Condition | Specify the content type to scan: PDF files; Microsoft Office files; Archived PDF and MS Office files. If you select the archived option, you can also use the following CLI commands to specify the maximum number of levels to decompress and the maximum file size to decompress: |

    config mailsetting mail-scan-options
        set decompress-max-level <level_1-16>
        set decompress-max-size <size_in_MB>
    end
- Click Create or OK on the Content Monitor Profile dialog to save and close it.
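The ordered evaluation described above (first matching monitor wins, minimum score compared per dictionary profile rather than per group) as an added Python model; this is not FortiMail code, and the dictionary names, patterns and messages are constructed, with the action names borrowed from the quarantine/rejection example in the content action profile section.

```python
import re
from dataclasses import dataclass

@dataclass
class DictionaryProfile:
    name: str
    patterns: list  # regular expressions matched against the message text

    def score(self, text):
        # Score counts every pattern hit within this single dictionary profile.
        return sum(len(re.findall(p, text, re.IGNORECASE)) for p in self.patterns)

@dataclass
class ContentMonitor:
    name: str
    dictionaries: list  # one profile, or several profiles forming a dictionary group
    minimum_score: int
    action: str         # name of the content action profile to apply
    enabled: bool = True

    def matches(self, text):
        # The minimum score is compared per dictionary profile, never against
        # the sum across a group, as the Minimum score setting states.
        return self.enabled and any(d.score(text) >= self.minimum_score
                                    for d in self.dictionaries)

def evaluate(monitors, text):
    """Return the action of the first enabled monitor that matches, else None."""
    for monitor in monitors:
        if monitor.matches(text):
            return monitor.action
    return None

# Constructed dictionary profiles (hypothetical names and patterns).
FINANCIAL = DictionaryProfile("financial_terms", [r"\bwire transfer\b", r"\baccount number\b"])
GENERAL = DictionaryProfile("confidential_terms", [r"\bconfidential\b", r"\binternal only\b"])

# Most specific first: financial content is rejected outright; other sensitive
# content goes to the system quarantine for review.
MONITORS = [
    ContentMonitor("reject_financial", [FINANCIAL], 2, "rejection_profile"),
    ContentMonitor("quarantine_sensitive", [GENERAL, FINANCIAL], 2, "quar_profile"),
]

if __name__ == "__main__":
    print(evaluate(MONITORS, "Please confirm the wire transfer; the account number is attached."))
```

Reversing MONITORS makes the same financial message land in quar_profile instead, which is why the Move button's ordering matters.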
Configuring content action profiles
The Action tab in the Content submenu lets you define content action profiles. Use these profiles to apply content-based encryption.
Alternatively, content action profiles can define one or more things that the FortiMail unit should do if the content profile determines that an email contains prohibited words or phrases, file names, or file types.
For example, you might have configured most content profiles to match prohibited content, and therefore to use a content action profile named quar_profile which quarantines email to the system quarantine for review.
However, you have decided that email that does not pass the dictionary scan named financial_terms is always prohibited, and should be rejected so that it does not require manual review. To do this, first configure a second action profile, named rejection_profile, which rejects email. You would then override quar_profile specifically for the dictionary-based content scan in each profile by selecting rejection_profile for content that matches financial_terms.
To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category. For details, see “About administrator account permissions and domains” on page 290.
To view and manage the list of content action profiles
- Go to Profile > Content > Action.
Figure 219: Viewing the list of content action profiles
GUI item | Description |
Domain (drop-down list) | Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile. |
Profile Name | Displays the name of the profile. |
Domain (column) | Displays either System or a domain name. |
Direction | Displays either Incoming for a profile that can be used by an incoming policy, or Outgoing for a profile that can be used by an outgoing policy. |
(Green dot in column heading) | Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted. |
- Either click New to add a profile or double-click an existing profile to modify it.
A dialog appears.
- Configure the following:
GUI item | Description |
Domain | For a new profile, select either System to apply the profile to the entire FortiMail unit, or select a protected domain name to apply it to that domain. You can see only the domains that are permitted by your administrator profile. |
Profile name | For a new profile, enter its name. |
Direction | For a new profile, select either Incoming for a profile that can be used by an incoming policy, or Outgoing for a profile that can be used by an outgoing policy. For definitions of outgoing and incoming email, see “Incoming versus outgoing email messages” on page 454. |
Tag email’s subject line | Enable and enter the text that will appear in the subject line of the email, such as “[PROHIBITED-CONTENT]”, in the With value field. The FortiMail unit prepends this text to the subject line of the email before forwarding it to the recipient. Many email clients can sort incoming email messages into separate mailboxes based on text appearing in various parts of email messages, including the subject line. For details, see the documentation for your email client. |
Insert new header | Enable and enter the message header key in the field, and the value in the With value field. The FortiMail unit adds this header line to the email before forwarding it to the recipient. Many email clients can sort incoming email messages into separate mailboxes based on text appearing in various parts of email messages, including the message headers. For details, see the documentation for your email client. Message header lines are composed of two parts, a key and a value, separated by a colon. For example, you might enter: X-Content-Filter: Contains banned word. If you enter a header line that does not include a colon, the FortiMail unit will automatically append a colon, causing the entire text that you enter to be the key. Note: Do not enter spaces in the key portion of the header line, as these are forbidden by RFC 2822. |
Deliver to alternate host | Enable to route the email to a specific SMTP server or relay, then type the fully qualified domain name (FQDN) or IP address of the destination. Note: If you enable this setting, for all email that matches the profile, the FortiMail unit will use this destination and ignore Relay server name and Use this domain’s SMTP server to deliver the mail. |
BCC | Enable to send a blind carbon copy (BCC) of the email. Configure BCC recipient email addresses by entering each one and clicking Create in the BCC area. |
Archive to account | Enable to send the email to an archiving account. As long as this action is enabled, the email is archived whether it is delivered or rejected. Click New to create a new archiving account or click Edit to modify an existing account. For details about archiving accounts, see “Email archiving workflow” on page 656. |
Notify with profile | Enable and select a notification profile to send a notification email to the sender, the recipient, or any other people configured in the notification profile. The notification email is customizable and tells the users what happened to the email message. For details about notification profiles and email templates, see “Configuring notification profiles” on page 600 and “Customizing email templates” on page 288. |
Treat as spam | Enable to perform the actions selected in the antispam profile of the policy that matches the email. For more information, see “Configuring antispam action profiles” on page 516. |
Reject | Enable to reject the email and reply to the SMTP client with SMTP reply code 550. |
Discard | Enable to accept the email, but then delete it instead of delivering it, without notifying the SMTP client. |
Replace | Enable to replace the email’s contents with a replacement message and, if you have enabled Remove hidden HTML content, to strip HTML tags. For more information, see “Customizing GUI, replacement messages and email templates” on page 276. |
Personal quarantine | Enable to redirect the email to the per-recipient quarantine. For more information, see “Managing the personal quarantines” on page 182. This option is available only for incoming profiles. |
System quarantine | Enable to redirect the email to the system quarantine. For more information, see “Managing the system quarantine” on page 188. The two quarantine options are mutually exclusive. |
Rewrite recipient email address | Enable to change the recipient address of any email that matches the content profile. Configure rewrites separately for the local part (the portion of the email address before the ‘@’ symbol, typically a user name) and the domain part (the portion after the ‘@’ symbol). For each part, select one of: None (no change); Prefix (prepend the text entered in the With field to the part); Suffix (append the text entered in the With field to the part); Replace (substitute the text entered in the With field for the part). |
Encrypt with profile | Enable to apply an encryption profile, then select which encryption profile to use. For details, see “Configuring encryption profiles” on page 594. Note that if you select an IBE encryption profile, it will be overridden if S/MIME, TLS, or both are selected in the message delivery rule configuration (Policy > Access control > Delivery > New). For information about message delivery rules, see “Configuring delivery rules” on page 464. |
To apply a content action profile, select it in the Action drop-down list of one or more antispam profiles. For details, see “Managing antispam profiles” on page 503.
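The subject tagging, header insertion (including the append-a-colon rule and the RFC 2822 no-spaces-in-key restriction) and recipient rewriting actions from the table above, as an added Python model that is not FortiMail's code. The sample message, tag text, header line and rewrite values are constructed; the single space inserted between the tag and the original subject is an assumption.

```python
import re
from email import message_from_string
from email.policy import default as EMAIL_POLICY
# RFC 2822 field names are printable US-ASCII (33-126) excluding the colon,
# which is why spaces are not allowed in the key portion of the header line.
FIELD_NAME = re.compile(r"^[\x21-\x39\x3b-\x7e]+$")

def is_valid_field_name(key):
    return bool(FIELD_NAME.match(key))

def split_header_line(line):
    """Documented rule: a line without a colon gets one appended, so the whole
    text becomes the key with an empty value. Returns (key, value)."""
    if ":" not in line:
        line += ":"
    key, value = line.split(":", 1)
    key = key.strip()
    if not is_valid_field_name(key):
        raise ValueError(f"header key {key!r} contains characters forbidden by RFC 2822")
    return key, value.strip()

def tag_subject(msg, tag):
    # Prepends the tag to the existing subject (separating space is an assumption).
    msg.replace_header("Subject", f"{tag} {msg['Subject']}")

def insert_header(msg, line):
    key, value = split_header_line(line)
    msg[key] = value  # adds the header line before the message is forwarded

def rewrite_part(part, mode, with_text):
    # mode is one of the four choices offered per address part in the GUI.
    return {"None": part, "Prefix": with_text + part,
            "Suffix": part + with_text, "Replace": with_text}[mode]

def rewrite_recipient(address, local_mode="None", local_with="",
                      domain_mode="None", domain_with=""):
    local, domain = address.split("@", 1)
    return (rewrite_part(local, local_mode, local_with) + "@"
            + rewrite_part(domain, domain_mode, domain_with))

SAMPLE = "From: alice@example.com\r\nTo: bob@example.com\r\nSubject: Q3 numbers\r\n\r\nbody\r\n"  # constructed

def apply_actions(raw=SAMPLE):
    """Apply the tag, header and rewrite actions; return (message, new recipient)."""
    msg = message_from_string(raw, policy=EMAIL_POLICY)
    tag_subject(msg, "[PROHIBITED-CONTENT]")
    insert_header(msg, "X-Content-Filter: Contains banned word")
    new_rcpt = rewrite_recipient(msg["To"], "Suffix", "-review", "Replace", "quarantine.example.net")
    return msg, new_rcpt
```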
Hi, on these instructions it states “personal black lists and white lists” on page 620.
Where can I get the book to view page 620?
https://docs.fortinet.com/d/fortimail-5.4.0-administration-guide
That is a PDF version of the FortiMail documentation. 620 is referenced there.
Hello,
What about the confidence degree of Header Analysis (also called Deepheader Analysis)? The default value is 95.0, and statistically, on dozens of emails, all the values are always within the range 95.03-95.09. What is really checked in headers? In our organization (government – 5000 users) we have lots of SPAM caught but also lots of false positives caught by this feature…
Unfortunately the defaults are just “broad strokes”. A lot of tweaking is necessary to get things to where you are in your organization’s happy range of false positives vs missed spam.
Hello,
Do we have some additional info regarding the heuristic filter? It is quite tricky to proceed with fine tuning with this light description. In my case, default settings just catch anything (around 10 emails out of 150’000). Now I have decreased the threshold value to 3.0 and increased the percentage of rules to 50%, and now it catches around 200 emails out of 750’000… still no false positives.
Hello,
Is there a way to clear only one entry in the LDAP cache? Since we have over 10’000 users and there are multiple routers and FWs between the SMTP gateway and the LDAP servers, we do not want to clear the whole cache.