system : replacemsg mail
 
replacemsg mail
Use this command to change default replacement messages added to email messages when the antivirus engine blocks a file either because of a matching file pattern or because a virus is detected; or when spam filter blocks an email.
By default, these are text messages with an 8-bit header.
Syntax
config system replacemsg mail <message-type>
set buffer <message>
set format <format>
set header <header_type>
end
Variable
Description
Default
<message-type>
mail replacement message type. See Table 15.
No default.
buffer <message>
Type a new replacement message to replace the current replacement message. Maximum length 8 192 characters.
Depends on message type.
format <format>
Set the format of the message:
html
text
none
No default
header <header_type>
Set the format of the message header:
8bit
http
none
Depends on message type.
Table 15: mail message types
Message name
Description
email-block
The antivirus File Filter is enabled for an email protocol deletes a file that matches an entry in the selected file filter list. The file is blocked and the email is replaced with the email-block message.
email-dlp-ban
In a DLP sensor, a rule with action set to Ban replaces a blocked email message with this message. This message also replaces any additional email messages that the banned user sends until they are removed from the banned user list.
email-dl-ban-sender
In a DLP sensor, a rule with action set to Ban Sender replaces a blocked email message with this message. The email-dlp-ban message also replaces any additional email messages that the banned user sends until the user is removed from the banned user list.
email-dlp-subject
The email-dlp-subject message is added to the subject field of all email messages replaced by the DLP sensor Block, Ban, Ban Sender, Quarantine IP address, and Quarantine interface actions.
email-filesize
When the antivirus Oversized File/Email is set to Block for an email protocol removes an oversized file from an email message, the file is replaced with the email-filesize message.
partial
Antivirus Pass Fragmented Emails is not enabled so a fragmented email is blocked. The partial message replaces the first fragment of the fragmented email.
smtp-block
Splice mode is enabled and the antivirus file filter deleted a file from an SMTP email message. The FortiGate unit aborts the SMTP session and returns a 554 SMTP error message to the sender that includes the smtp-block replacement message.
smtp-filesize
Splice mode is enabled and antivirus Oversized File/Email is set to Block. When the FortiGate unit blocks an oversize SMTP email message, the FortiGate unit aborts the SMTP session and returns a 554 SMTP error message to the sender that includes the smtp-filesize replacement message.
Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.
Table 16: Replacement message tags
Tag
Description
%%FILE%%
The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.
%%VIRUS%%
The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages
%%QUARFILENAME%%
The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking. %%QUARFILENAME%% can be used in virus and file block messages. Quarantining is only available on FortiGate units with a local disk.
%%PROTOCOL%%
The protocol (HTTP, FTP, POP3, IMAP, SMTP) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.
%%SOURCE_IP%%
IP address of the email server that sent the email containing the virus.
%%DEST_IP%%
IP address of the user’s computer that attempted to download the message from which the file was removed.
%%EMAIL_FROM%%
The email address of the sender of the message from which the file was removed.
%%EMAIL_TO%%
The email address of the intended receiver of the message from which the file was removed.