Configuring antispam profiles and antispam action profiles
The AntiSpam submenu lets you configure antispam profiles and related action profiles.
This section contains the following topics:
- Managing antispam profiles
- Configuring a FortiGuard URI filter profile
- Configuring antispam action profiles
Managing antispam profiles
The AntiSpam tab lets you manage and configure antispam profiles. Antispam profiles are sets of antispam scans that you can apply by selecting one in a policy.
FortiMail units can use various methods to detect spam, such as the FortiGuard Antispam service, DNSBL queries, Bayesian scanning, and heuristic scanning. Antispam profiles contain settings for these features that you may want to vary by policy. Depending on the feature, before you configure antispam policies, you may need to enable the feature or configure its system-wide settings.
For information on the order in which FortiMail units perform each type of antispam scan, see “Order of execution” on page 16.
Antispam profiles are created and applied separately based upon the incoming or outgoing directionality of the SMTP connection or email message. For more information, see “Incoming versus outgoing SMTP connections” on page 416.
To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category. For details, see “About administrator account permissions and domains” on page 290.
To view and manage incoming antispam profiles
- Go to Profile > AntiSpam > AntiSpam.
Figure 207:Viewing the list of antispam profiles
GUI item | Description |
Clone
(button) |
Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK. |
Batch Edit
(button) |
Edit several profiles simultaneously. See “Performing a batch edit” on page 516. |
Domain
(drop-down list) |
Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile. |
Profile Name | Displays the name of the profile. |
Domain Name
(column) |
Displays either System or a domain name. |
Direction | Displays either Incoming for a profile that can be used by an incoming policy, or Outgoing for a profile that can be used by an outgoing policy. |
(Green dot in column heading) | Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted. |
- Either click New to add a profile or double-click a profile to modify it.
A multisection dialog appears.
- Configure the following:
GUI item | Description |
Domain | Select the entire FortiMail unit (System) or name of a protected domain.You can see only the domains that are permitted by your administrator profile. For more information, see “About administrator account permissions and domains” on page 290. |
Profile name | For a new profile, enter the name of the profile. |
GUI item | Description |
Direction | Select either Incoming for a profile that can be used by an incoming policy, or Outgoing for a profile that can be used by an outgoing policy. For definitions of outgoing and incoming email, see “Incoming versus outgoing email messages” on page 454. |
Default action | See “Configuring antispam action profiles” on page 516.
You can choose to apply the default action without further scanning if the policy matches. |
Greylist | Enable to apply greylisting. For more information, see “Configuring greylisting” on page 624.
Note: Enabling greylisting can improve performance by blocking most spam before it undergoes other resource-intensive antispam scans. |
Treat SPF checking failed email as spam | If the sender domain DNS record lists SPF authorized IP addresses, use this option to compare the client IP address to the IP addresses of authorized senders in the DNS record (RFC 4408).
If the DNS record for the domain name of the sender does not publish SPF information, the FortiMail unit omits the SPF client IP address validation. If the client IP address fails the SPF check, FortiMail will take the antispam action configured in this antispam profile. But unlike SPF checking in a session profile, failed SPF checking in an antispam profile will not increase the client’s reputation score. For details, see “Enable SPF check” on page 490. Note: Before FortiMail 4.0 MR3 Patch 1 release, you must enable SPF checking in the session profile before SPF checking in the antispam profile takes effect. Starting from 4.0 MR3 Patch 2 release, SPF checking can be enabled in either a session profile or an antispam profile, or both profiles. Note: Before FortiMail 4.0 MR3 Patch 1 release, only SPF hardfailed (-all) email is treated as spam. Starting from 4.0 MR3 Patch 2 release, you can use a CLI command (set spf-checking {strict | aggressive} under config antispam settings) to control if the SPF softfailed (~all) email should also be treated as spam. For details, see the FortiMail CLI Guide. |
Suspicious newsletter | Although news letters and other marketing campaigns are not spam, some users may find them annoying.
Enable the detection of newsletters and select an action profile to deal with them. For example, you can tag newsletter email so that users can filter them in their email clients. |
Forged IP | Enable to convert the message sender’s IP address to a canonical host name and compare the IP addresses returned from a reverse DNS lookup of the host name to the client’s IP address. If the client’s IP address is not found, the FortiMail unit treats the email message as spam.
However, this also means that if the client IP address is valid but not listed in the DNS table, the IP address will be treated as forged; therefore, enabling this feature may cause some false positives. |
- Configure the following sections as needed:
- “Configuring FortiGuard options” on page 506
- “Configuring DNSBL options” on page 507
- “Configuring deep header options” on page 508
- “Configuring SURBL options” on page 509
- “Configuring Bayesian options” on page 509
- “Configuring heuristic options” on page 511
- “Configuring dictionary options” on page 512
- “Configuring banned word options” on page 512
- “Configuring whitelist word options” on page 513
- “Configuring image spam options” on page 514
- “Configuring scan conditions” on page 515
- “Configuring other antispam settings” on page 515
Hi, on these instructions it states “personal black lists and white lists” on page 620.”
Where can i get the book to view page 620??
https://docs.fortinet.com/d/fortimail-5.4.0-administration-guide
That is a PDF version of the FortiMail documentation. 620 is referenced there.
Hello,
What about the confidence degree of Header Analysis (also called Deepheader Analysis)? The default value is 95.0, and statisticaly on dozen of emails, all the values are always within range 95,03- 95,09. What is really checked in headers ? In our organization (government – 5000 users) we have lots of SPAM catched but also lots of false positive catched by this feature…
Unfortunately the defaults are just “broad strokes”. A lot of tweaking is necessary to get things to where you are in your organization’s happy range of false positives vs missed spam.
Hello,
Do we have some addtional info regarding heuristic filter ? It is quite tricky to proceed with fine tuning with this light description. In my case, default settings just catch anything (around 10 emails out of 150’000… Now I have decreased threshold value to 3.0 and increased percentage of rules to 50% and now it catches around 200 emails out of 750’000 … still no false-positive.
Hello,
Is there a way to clear only one entry in the LDAP cache ? Since we have over 10’000 users and that there are multiple routers and FW between the SMTP Gateway and the LDAP servers we do not want to clear the whole cache.