Configuring Profiles

Configuring FortiGuard options

The FortiGuard section of antispam profiles lets you configure the FortiMail unit to query the FortiGuard Antispam service to check the following:

  • Back IP: If you enable the Black IP option, the FortiMail unit will query the FortiGuard Antispam service to determine if the IP address of the current SMTP client is blacklisted. If the Black IP option located in the Deep header section is enabled, the FortiGuard scan will also examine the IP addresses of all other SMTP servers that appear in the Received: lines of the message header. For more information, see “Configuring deep header options” on page 508.

FortiGuard Antispam scans do not examine private network addresses, as defined in RFC 1918.

  • URI filter: this option determines if any uniform resource identifiers (URI) in the message body are associated with spam. FortiGuard URI filter groups URI into various categories, such as hacking, drug abuse and so on. You can configure the FortiGuard URI filter to check for certain categories only. For details, see “Configuring a FortiGuard URI filter profile” on page 507. If a URI is blacklisted, the FortiMail unit treats the email as spam and performs the associated action.

Before enabling FortiGuard, you must enable and configure FortiGuard Antispam rating queries. For more information, see “Verifying connectivity with FortiGuard services” on page 237.

If the FortiGuard option is enabled, you may improve performance and the spam catch rate by also enabling Black IP and caching. For details on enabling caching, see ““Configuring FortiGuard updates and antispam queries” on page 233.

To configure FortiGuard scan options

  1. When configuring an antispam profile, select the FortiGuard check box in the AntiSpam Profile
  2. From Action, select the action profile that you want the FortiMail unit to use if the FortiGuard Antispam scan finds spam email.

For more information, see “Configuring antispam action profiles” on page 516.

  1. If you want the FortiMail unit to query the FortiGuard Antispam service to determine if the IP address of the SMTP server is blacklisted, enable Black IP.

Whether the FortiMail unit queries for the blacklist status of the IP address of only the most recent SMTP server or of all SMTP servers in the Received: lines of the message header varies by the configuration of Deep header. For more information, see “Configuring deep header options” on page 508.

  1. If you want to use the FortiGuard URI filter service, select a filter profile from the URI filter For details, see “Configuring a FortiGuard URI filter profile” on page 507.
  2. From Action, select the action profile that you want the FortiMail unit to use if the FortiGuard Antispam scan finds spam email.
  3. Continue to the next section, or click Create or OK to save the antispam profile.

Configuring a FortiGuard URI filter profile

FortiGuard URI filter service allows you choose which categories of URI in the email body you want to check and block. Then you can use the filters in the antispam profiles. For details, see “Configuring FortiGuard options” on page 506.

To configure a URI filter profile 1. Go to Profile > AntiSpam > URI Filter.

  1. Click Create New.
  2. Enter a profile name.
  3. Select the URI categories you want to check in the email body.
  4. Click Create.

URI types

There are two types of URIs:

  • Absolute URIs strictly follow the URI syntax and include the URI scheme names, such as “http”, “https”, and “ftp”. For instance, http://www.example.com.
  • Reference URIs do not contain the scheme names. For instance, example.com.

By default, FortiMail scans for both absolute and reference URIs.

In some cases (for example, to lower false positive rates), you may want to scan for absolute URIs only. To do this, you can use the following CLI command to change the default setting:

config antispam settings

set uri-checking {aggressive | strict}

end

  • aggressive: Choose this option to scan for both the absolute and reference URIs.
  • strict: Choose this option to scan for absolute URIs only. Note that web sites without

“http” or “https” but starting with “www” are also treated as absolute URIs. For instance, www.example.com.

For more information about this command, see FortiMail CLI Reference.

Configuring DNSBL options

In addition to supporting Fortinet’s FortiGuard Antispam DNSBL service, the FortiMail unit supports third-party DNS blacklist servers. You can enable DNSBL filtering as part of the antispam profile, and define multiple DNSBL servers for each antispam profile. Consult the third-party DNSBL service providers for any conditions and restrictions.

DNSBL scans examine the IP address of the SMTP client that is currently delivering the email message. If the Enable Black IP to query for the blacklist status of the IP addresses of all SMTP servers appearing in the Received: lines of header lines. option located in the Deep header section is enabled, DNSBL scan will also examine the IP addresses of all other SMTP servers that appear in the Received: lines of the message header. For more information, see ““Configuring deep header options” on page 508.

DNSBL scans do not examine private network addresses, which are defined in RFC 1918.

The DNSBL section of antispam profiles lets you configure the FortiMail unit to query one or more DNS black list (DNSBL) servers to determine if the IP address of the SMTP client has been blacklisted. If the IP address is blacklisted, the FortiMail unit treats the email as spam and performs the associated action.

To configure DNSBL scan options

  1. When configuring an antispam profile, enable DNSBL in the AntiSpam Profile
  2. From Action, select the action profile that you want the FortiMail unit to use if the DNSBL scan finds spam email.

For more information, see “Configuring antispam action profiles” on page 516.

  1. Next to DNSBL click Configuration.

A pop-up window appears where you can enter the domain names of DNSBL servers to use with this profile.

  1. To add a new DNSBL server address, click New and type the address in the field that appears.

Since the servers are queried from top to bottom, you may want to put the reliable servers with less traffic to the top of the list. Click the drop-down menu in the title bar to sort the entries.

  1. Select a server from the list and click OK.

The pop-up window closes.

Closing the pop-up window does not save the antispam profile and its associated DNSBL server list. To save changes to the DNSBL server list, in the antispam profile, click OK before navigating away to another part of the web UI.

  1. Continue to the next section, or click Create or OK to save the antispam profile.

6 thoughts on “Configuring Profiles

  1. Steve

    Hi, on these instructions it states “personal black lists and white lists” on page 620.”

    Where can i get the book to view page 620??

    Reply
  2. Laurent

    Hello,
    What about the confidence degree of Header Analysis (also called Deepheader Analysis)? The default value is 95.0, and statisticaly on dozen of emails, all the values are always within range 95,03- 95,09. What is really checked in headers ? In our organization (government – 5000 users) we have lots of SPAM catched but also lots of false positive catched by this feature…

    Reply
    1. Mike Post author

      Unfortunately the defaults are just “broad strokes”. A lot of tweaking is necessary to get things to where you are in your organization’s happy range of false positives vs missed spam.

      Reply
  3. Dormond

    Hello,
    Do we have some addtional info regarding heuristic filter ? It is quite tricky to proceed with fine tuning with this light description. In my case, default settings just catch anything (around 10 emails out of 150’000… Now I have decreased threshold value to 3.0 and increased percentage of rules to 50% and now it catches around 200 emails out of 750’000 … still no false-positive.

    Reply
  4. Laurent

    Hello,

    Is there a way to clear only one entry in the LDAP cache ? Since we have over 10’000 users and that there are multiple routers and FW between the SMTP Gateway and the LDAP servers we do not want to clear the whole cache.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.