FortiGuard Antispam service
The FortiGuard Antispam service is a Fortinet-managed service that provides a three-element approach to screening email messages.
• The first element is a DNS Block List (DNSBL) which is a “living” list of known spam origins.
• The second element is in-depth email screening based on a Uniform Resource Identifier (URI) contained in the message body – commonly known as Spam URI Realtime Block Lists (SURBLs).
• The third element is the FortiGuard Antispam Spam Checksum Blocklist (SHASH) feature. Using SHASH, the FortiMail unit sends a hash of an email to the FortiGuard Antispam server which compares the hash to hashes of known spam messages stored in the FortiGuard Antispam database. If the hash results match, the email is flagged as spam.
FortiGuard query results can be cached in memory to save network bandwidth. For information on configuring caching and other FortiGuard Antispam services, see
“Configuring FortiGuard updates and antispam queries”.
FortiGuard Antispam DNSBL
To achieve up-to-date real-time identification, the FortiGuard Antispam service uses globally distributed spam probes that receive over one million spam messages per day. The FortiGuard Antispam service uses multiple layers of identification processes to produce an up-to-date list of spam origins. To further enhance the service and streamline performance, the FortiGuard Antispam service continuously retests each of the “known” identities in the list to determine the state of the origin (active or inactive). If a known spam origin has been decommissioned, the FortiGuard Antispam service removes the origin from the list, thus providing customers with both accuracy and performance.
The FortiMail FortiGuard Antispam DNSBL scanning process works this way:
1. Incoming email (SMTP) connections are directed to the FortiMail unit.
2. Upon receiving the inbound SMTP connection request, the FortiMail unit extracts the source information (sending server’s domain name and IP address).
3. The FortiMail unit transmits the extracted source information to Fortinet’s FortiGuard Antispam service using a secure communication method.
4. The FortiGuard Antispam service checks the sender’s source information against its DNSBL database of known spam sources and sends the results back to the FortiMail unit.
5. The results are cached on the FortiMail unit.
• If the results identify the source as a known spam source, the FortiMail unit acts according to its configured policy.
• The cache on the FortiMail unit is checked for additional connection attempts from the same source. The FortiMail unit does not need to contact the FortiGuard Antispam service if the results of a previous connection attempt are cached.
• Additional connection requests from the same source do not need to be submitted to the FortiGuard Antispam service again because the classification is stored in the system cache.
Once the incoming connection has passed the first pass scan (DNSBL), and has not been classified as spam, it will then go through a second pass scan (SURBL) if the administrator has configured the service.
FortiGuard Antispam SURBL
To detect spam based on the message body URIs (usually web sites), Fortinet uses FortiGuard Antispam SURBL technology. Complementing the DNSBL component, which blocks messages based on spam origin, SURBL technology blocks messages that have spam hosts mentioned in message bodies. By scanning the message body, SURBL is able to determine if the message is a known spam message regardless of origin. This augments the DNSBL technology by detecting spam messages from a spam source that may be dynamic, or a spam source that is yet unknown to the DNSBL service. The combination of both technologies provides a superior managed service with higher detection rates than traditional DNSBLs or SURBLs alone.
The FortiMail FortiGuard Antispam SURBL scanning process works this way:
1. After accepting an incoming SMTP connection (passed first-pass scan), the email message is received.
2. After an incoming SMTP connection has passed the DNSBL scan, the FortiMail unit accepts delivery of email messages.
3. The FortiMail unit generates a signature (URI) based on the contents of the received email message.
4. The FortiMail unit transmits the signature to the FortiGuard Antispam service.
5. The FortiGuard Antispam service checks the email signature against its SURBL database of known signatures and sends the results back to the FortiMail unit.
6. The results are cached on the FortiMail unit.
• If the results identify the signature as known spam email content, the FortiMail unit acts according to its configured policy.
• Additional connection requests with the same email signature do not need to be re-classified by the FortiGuard Antispam service, and can be checked against the classification in the system cache.
• Additional messages with the same signature do not need to be submitted to the FortiGuard Antispam service again because the signature classification is stored in the system cache.
Once the message has passed both elements (DNSBL and SURBL), it goes to the next layer of defense; the FortiMail unit that includes additional spam classification technologies.