Managing antispam profiles
The AntiSpam tab lets you manage and configure antispam profiles. Antispam profiles are sets of antispam scans that you can apply by selecting one in a policy.
FortiMail units can use various methods to detect spam, such as the FortiGuard Antispam service, DNSBL queries, Bayesian scanning, and heuristic scanning. Antispam profiles contain settings for these features that you may want to vary by policy. Depending on the feature, before you configure antispam policies, you may need to enable the feature or configure its system-wide settings.
For information on the order in which FortiMail units perform each type of antispam scan, see “Order of execution”.
Antispam profiles are created and applied separately, depending on whether the SMTP connection or email message is incoming or outgoing. For more information, see “Incoming versus outgoing SMTP connections”.
You can use an LDAP query to enable or disable antispam scanning on a per-user basis. For details, see “Configuring LDAP profiles” and “Enable LDAP scan override”.
To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category. For details, see “About administrator account permissions and domains”.
To view and manage incoming antispam profiles
1. Go to Profile > AntiSpam > AntiSpam.

| GUI item | Description |
|---|---|
| Clone (button) | Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK. |
| Batch Edit (button) | Edit several profiles simultaneously. See “Performing a batch edit”. |
| Domain (drop-down list) | Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile. |
| Profile Name | Displays the name of the profile. |
| Domain Name (column) | Displays either System or a domain name. |
| Direction | Displays either Incoming for a profile that can be used by an incoming policy, or Outgoing for a profile that can be used by an outgoing policy. |
| (Green dot in column heading) | Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted. |

2. Either click New to add a profile or double-click a profile to modify it.
A multisection dialog appears.
3. Configure the following:
GUI item
Description
Domain
Select the entire FortiMail unit (System) or name of a protected domain. You can see only the domains that are permitted by your administrator profile. For more information, see “About administrator account permissions and domains”.
Profile name
For a new profile, enter the name of the profile.
Direction
Select either Incoming for a profile that can be used by an incoming policy, or Outgoing for a profile that can be used by an outgoing policy. For definitions of outgoing and incoming email, see “Incoming versus outgoing email messages”.
Default action
Select the default action to take when the policy matches. See “Configuring antispam action profiles”.
FortiGuard
Greylist
Enable to apply greylisting. For more information, see “Configuring greylisting”.
Note: Enabling greylisting can improve performance by blocking most spam before it undergoes other resource-intensive antispam scans.
SPF check
If the sender domain DNS record lists SPF authorized IP addresses, use this option to compare the client IP address to the IP addresses of authorized senders in the DNS record (RFC 4408).
If the DNS record for the domain name of the sender does not publish SPF information, the FortiMail unit omits the SPF client IP address validation.
If the client IP address fails the SPF check, FortiMail will take the antispam action configured in this antispam profile. But unlike SPF checking in a session profile, failed SPF checking in an antispam profile will not increase the client’s reputation score.
Note: Before the FortiMail 4.0 MR3 Patch 1 release, you had to enable SPF checking in the session profile before SPF checking in the antispam profile took effect. Starting from the 4.0 MR3 Patch 2 release, SPF checking can be enabled in a session profile, an antispam profile, or both. However, if you select Bypass SPF checking in the session profile (see “Configuring sender validation options”), SPF checking is bypassed even if you enable it in the antispam profile.
Note: Before the FortiMail 4.0 MR3 Patch 1 release, only SPF hardfailed (-all) email was treated as spam. Starting from the 4.0 MR3 Patch 2 release, you can use a CLI command (set spf-checking {strict | aggressive} under config antispam settings) to control whether SPF softfailed (~all) email is also treated as spam. For details, see the FortiMail CLI Guide.
Behavior analysis
Behavior analysis (BA) analyzes the similarities between the uncertain email and the known spam email in the BA database and determines if the uncertain email is spam.
The BA database is a collection of spam email caught by the FortiGuard Antispam Service. Therefore, the accuracy of the FortiGuard Antispam Service has a direct impact on BA accuracy.
You can adjust the BA aggressiveness using the following CLI commands:
    config antispam behavior-analysis
        set analysis-level {high | medium | low}
    end
The high setting is the most aggressive and the low setting is the least aggressive. The default setting is medium.
You can also reset (empty) the BA database using the following CLI command:
diagnose debug application mailfilterd behavior-analysis update
Header analysis
Enable this option to examine the entire message header for spam characteristics.
Heuristic
SURBL
DNSBL
Banned word
Safelist word
Dictionary
Image spam
Bayesian
Suspicious newsletter
Suspicious newsletters are part of the newsletter category, but FortiMail may find them suspicious because they may actually be spam disguised as newsletters.
If you enable detection of both newsletters and suspicious newsletters and specify actions for both types, then when a newsletter is found to be suspicious, the action for suspicious newsletters takes effect, not the action for newsletters.
Newsletter
Although newsletters and other marketing campaigns are not spam, some users may find them annoying.
Enable detection of newsletters and select an action profile to deal with them. For example, you can tag newsletter email so that users can filter it in their email clients.
Scan Conditions
Other Settings