This table does not include everything the FortiMail unit does when a client connects to deliver email. Only the antispam techniques, and other functions having an effect on the antispam techniques, are included. Other non-antispam functions may be running in parallel to the ones in the table. |
The PDF file type scan does not appear in this table. When enabled, the PDF file type converts the first page of any PDF attachments into to a format the heuristic, banned word, and image spam scanners can scan. If any of these scanners are enabled, they will scan the first page of the PDF at the same time they examine the message body, according to the sequence in the table below. |
Check | Check Involves | Action If Positive | Action If Negative |
Client initiates communication with the FortiMail unit | |||
Sender reputation | Client IP address | If the client IP is in the sender reputation database, check the score and enable any appropriate restrictions, if any. | Add the IP address to the sender reputation database and keep a reputation score based on the email received. Proceed to the next check. |
FortiGuard block IP check | Client IP address | If the “Check FortiGuard Block IP at connection phase” is enabled in a session profile, FortiMail will check the client IP address against the FortiGuard block IP list. If positive, FortiMail rejects the email. | Proceed to the next check. |
Endpoint reputation | Client endpoint ID | If the client endpoint ID is in the sender reputation database, check the score and enable any appropriate restrictions, if any. | Add the IP address to the endpoint reputation database and keep a reputation score based on the email received. Proceed to the next check. |
Sender rate control per connection | Client IP address | Apply any connection limitations specified in the session profile. Proceed to the next check. | In there are no connection limitations, or if no session profile applies, proceed to the next check. |
HELO/EHLO received from SMTP client | |||
HELO/EHLO | Domain of the HELO/EHLO command | If invalid characters appear in the domain, reject the HELO/EHLO command. Session will not continue until a proper HELO/EHLO command is received. | Proceed to the next check. |
MAIL FROM: and RCPT TO: commands received from SMTP client | |||
Sender rate control per message | Client IP address | Apply any connection limitations specified in the session profile. Proceed to the next check. | In there are no connection limitations, or if no session profile applies, proceed to the next check. |
Sender domain check | Domain of envelope sender (MAIL FROM:) | If any of the domain checks (the Check sender domain and Reject empty domains checks listed in Unauthenticated Session Settings in the session profile) fail, an error is returned to the SMTP client. The error depends on which particular check failed. | Proceed to the next check. |
System safe list (Phase I) | Client IP address and email address/domain of the envelope sender (MAIL FROM:) | If the client IP or email address/domain of the sender appear in the system safe list, deliver the email and cancel remaining antispam checks (but not the antivirus and content checks). | Proceed to the next check. |
System block list (Phase I) | Client IP address and email address/domain of the envelope sender (MAIL FROM:) | If the client IP or email address/domain of the sender appear in the system block list, invoke the block list action for the email. | Proceed to the next check. |
Session sender safe list (Phase I) | Client IP address and email address/domain of the envelope sender (MAIL FROM:) | If the client IP or email address/domain of the sender appear in the session safe list, deliver the message and cancel remaining antispam checks (but not the antivirus and content checks). | Proceed to the next check. |
Session sender block list (Phase I) | Client IP address and email address/domain of the envelope sender (MAIL FROM:) | If the client IP or email address/domain of the sender appear in the session block list, invoke the block list action for the message. | Proceed to the next check. |
Authentication difference check | Envelope sender (MAIL FROM:) | Checks to see if the sender email address in the SMTP envelope matches the authenticated user name. If not allowed in the IP-based policy, the email will be rejected. | Proceed to the next check. |
Bounce Verification | Envelope recipient (RCPT TO:) | Apply actions specified in the bounce verification settings. | Proceed to the next check. |
Access control rules | Client IP address, envelope sender and recipient (MAIL FROM: and RCPT TO:) | If the combination of client IP, the domain/email address of the sender, and the domain/email of the recipient matches an access control rule (Policy > Access Control > Receive), the FortiMail unit performs the action selected in the access control rule, which is one of the following: • BYPASS: Accept and relay the email, skipping all subsequent antispam checks, except greylisting, if the sender or recipient belongs to a protected domain. • RELAY: Accept and relay the email if it passes subsequent antispam checks. Do not apply greylisting. • REJECT: Reject the email and return SMTP reply code 550 to the client. • DISCARD: Accept the email, but silently delete it instead of delivering it. Neither the sender nor the recipient are notified of the deletion. | If a matching access control rule does not exist, and if the recipient is a member of a protected domain, the default action is RELAY; if the recipient is not a member of a protected domain, the default action is REJECT. For more information, see “Configuring access control rules”. |
Recipient domain check | Domain of envelope recipient (RCPT TO:) | If any of the domain checks (the Check recipient domain and Reject if recipient and helo domain match but sender domain is different checks listed in Unauthenticated Session Settings in the session profile) fail, an error is returned to the SMTP client. The error depends on which check failed. | Proceed to the next check. |
Session recipient safe list | Envelope recipient (RCPT TO:) | If the recipient appears in the session recipient safe list, deliver the message and cancel remaining antispam checks (but not the antivirus and content checks). | Proceed to the next check. |
Session recipient block list | Envelope recipient (RCPT TO:) | If the recipient appears in the session recipient block list, reject the message. | Proceed to the next check. |
Recipient verification | Envelope recipient (RCPT TO:) | If the recipient is unknown, reject the message. | Proceed to the next check. |
Greylist | Envelope sender (MAIL FROM:), envelope recipient (RCPT TO:), and client IP subnet address | If the sender is in the greylist database or if the client IP subnet appears in the greylist exempt list, the message is passed to the next check. Note: This check is omitted if the access control rule’s action is RELAY. | If the sender is not in the greylist database, a temporary failure code is returned to the SMTP client. |
DATA command received from SMTP client | |||
System safe list (Phase II) | Message header sender (From:) | If the email address/domain of the sender appears in the system safe list, deliver the message and cancel remaining antispam checks (but not the antivirus and content checks). | Proceed to the next check. |
System block list (Phase II) | Message header sender (From:) | If the email address/domain of the sender appears in the system block list, invoke the block list action for the message. | Proceed to the next check. |
Domain safe list | Client IP, envelope sender (MAIL FROM:) and message header sender (From:) | If the client IP, email address/domain of the sender appears in the domain safe list, deliver the message and cancel remaining antispam checks (but not the antivirus and content checks). | Proceed to the next check. |
Domain block list | Client IP, envelope sender (MAIL FROM:) and message header sender (From:) | If the client IP, email address/domain of the sender appears in the domain block list, invoke the block list action for the message. | Proceed to the next check. |
Session sender safe list (Phase II) | Message header sender (From:) | If the email address/domain of the sender appears in the session sender safe list, deliver the message and cancel remaining antispam checks (but not the antivirus and content checks). | Proceed to the next check. |
Session sender block list (Phase II) | Message header sender (From:) | If the email address/domain of the sender appears in the session sender block list, the block list action is invoked. | Proceed to the next check. |
Personal safe list | Client IP, envelope sender (MAIL FROM:) and message header sender (From:) | If the client IP, email address/domain of the sender appears in the personal safe list, deliver the message and cancel remaining antispam checks (but not the antivirus and content checks). | Proceed to the next check. |
Personal block list | Client IP, envelope sender (MAIL FROM:) and message header sender (From:) | If the client IP, email address/domain of the sender appears in the personal block list, the message is discarded. | Proceed to the next check. |
End of message (EOM) command received from SMTP client | |||
Antivirus | Message body and attachments | If an infected message is detected, and the antispam profile is configured to treat viruses as spam, the default spam action will be invoked on the infected message. | Proceed to the next check. |
Safe List Word | Message subject and/or body | If the safelisted word scanner determines that the message is not spam, deliver the message and cancel remaining antispam checks. | Proceed to the next check. |
FortiGuard Antispam | Message header and body | If the FortiGuard scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. | Proceed to the next check. |
Behavior analysis | Message body | If the scanner determines the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. | Proceed to the next check. |
DNSBL | Client IP address | If the DNSBL scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. | Proceed to the next check. |
SURBL | Every URI in the message body | If the SURBL scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. | Proceed to the next check. |
Heuristic | Message body | If the heuristic antispam scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. | Proceed to the next check. |
Banned Word | Message subject and/or body | If the banned word scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. | Proceed to the next check. |
Dictionary | Message body | If the dictionary scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. | Proceed to the next check. |
Image Spam | Embedded images If Aggressive scan is enabled, attached images are also examined. | If the image spam scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. | Proceed to the next check. |
SPF check | Client IP address | This option compares the client IP address to the IP addresses of authorized senders in the DNS record (RFC 4408). If failed, treat the email as spam. | Proceed to the next check. |
Header analysis | Message header | If the header analysis scan determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. | Proceed to the next check. |
Bayesian | Message body | If the Bayesian scanner determines that the message is spam, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. | Proceed to the next check. |
Suspicious Newsletter | Message header and body | If the newsletter scan determines that the message is a newsletter, the configured individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. | Proceed to the next check. |
Content | Attachments (for content scan) and message body (for content monitor scan) | If the content scanner determines that the message is spam or prohibited, the action configured in the content profile individual action is invoked. If the individual action is set to default, then the antispam profile default action is used. | Proceed to the next check. |