Configuring FortiGuard options
The FortiGuard section of antispam profiles lets you configure the FortiMail unit to query the FortiGuard Antispam service to check the following:
Block IP: if the SMTP client IP address is a public one, the FortiMail unit will query the FortiGuard Antispam service to determine if the current SMTP client is blocklisted; if the SMTP client IP address is a private one, the FortiMail unit will query the FortiGuard Antispam service to determine if the first public IP address in the header is blocklisted. If the Extract IP from Received Header option is enabled, the FortiGuard scan will also examine the public IP addresses of all other SMTP servers that appear in the Received: lines of the message header.
FortiGuard Antispam scans do not examine private network addresses, as defined in RFC 1918.
URI filter: this option determines if any uniform resource identifiers (URIs) in the message body are associated with spam. The FortiGuard URI filter groups URIs into various categories, such as hacking, drug abuse and so on. You can configure the FortiGuard URI filter to check for certain categories only. For details, see “Configuring a FortiGuard URI filter profile”. If a URI is blocklisted, the FortiMail unit treats the email as spam and performs the associated action. You can also exempt URLs from spam filtering. For details, see “Configuring the URL exempt list”.
Spam outbreak protection: enable this option to temporarily hold suspicious email for a certain period of time (configurable with the CLI command config system fortiguard antispam set outbreak-protection-period) if the enabled FortiGuard antispam check (block IP and/or URI filter) returns no result. After the specified time interval, FortiMail will query the FortiGuard server a second time. This gives the FortiGuard antispam service an opportunity to update its database in case a spam outbreak occurs. To view the email on hold, go to Monitor > Mail Queue > FortiGuard Outbreak Protection.
Before enabling FortiGuard, you must enable and configure FortiGuard Antispam rating queries. For more information, see “Verifying connectivity with FortiGuard services”.
If the FortiGuard option is enabled, you may improve performance and the spam catch rate by also enabling Block IP and caching. For details on enabling caching, see “Configuring FortiGuard updates and antispam queries”.
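The Block IP selection rules described above can be modelled to preview which addresses a given message would expose to a lookup. This is an added example, not FortiMail code: the function names, the bracketed-IPv4 pattern, the top-to-bottom reading of "first public IP address in the header" and the sample headers are all assumptions made for illustration.

```python
import ipaddress
import re

# RFC 1918 only; ipaddress.is_private is broader, so it is not used here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def received_ips(raw_headers):
    """IPv4 literals found in Received: lines, in top-to-bottom order."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)  # join folded lines
    found = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        for candidate in BRACKETED_IPV4.findall(line):
            try:
                ipaddress.ip_address(candidate)
            except ValueError:
                continue  # not a valid address, e.g. [999.1.1.1]
            found.append(candidate)
    return found

def ips_to_query(client_ip, raw_headers, extract_from_received=False):
    """Addresses that would be submitted for a Block IP lookup (model only)."""
    public = [ip for ip in received_ips(raw_headers) if not is_rfc1918(ip)]
    targets = []
    if not is_rfc1918(client_ip):
        targets.append(client_ip)      # public client: query it directly
    elif public:
        targets.append(public[0])      # private client: first public hop
    if extract_from_received:          # option on: all other public hops too
        for ip in public:
            if ip not in targets:
                targets.append(ip)
    return targets

# Constructed sample header block (documentation addresses, not real traffic).
SAMPLE_HEADERS = (
    "Received: from relay.internal.example ([10.1.2.3])\n"
    "\tby mx.example.org with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000\n"
    "Received: from gw.example.net ([198.51.100.7]) by relay.internal.example\n"
    "Received: from sender.example.com ([192.0.2.44]) by gw.example.net\n"
    "Subject: constructed test message\n"
)
```

Received: lines below the hop your own infrastructure added are supplied by the sender, so results derived from them are only as trustworthy as that sender.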
To configure FortiGuard scan options
1. When configuring an antispam profile, select the FortiGuard check box in the AntiSpam Profile dialog.
2. From Action, select the action profile that you want the FortiMail unit to use if the FortiGuard Antispam scan finds spam email.
For more information, see “Configuring antispam action profiles”.
3. If you want the FortiMail unit to query the FortiGuard Antispam service to determine if the public IP address of the SMTP client is blocklisted, enable Block IP. If the SMTP client IP address is a private one, the FortiMail unit will query the FortiGuard Antispam service to determine if the first public IP address in the header is blocklisted.
If you want to check all SMTP servers in the Received: lines of the message header, enable the Extract IP from Received Header option.
4. If you want to use the FortiGuard URI filter service, select a filter profile from the URI filter list. For details, see “Configuring a FortiGuard URI filter profile”.
5. From Action, select the action profile that you want the FortiMail unit to use if the FortiGuard Antispam scan finds spam email.
6. If you want to use the spam outbreak protection feature, enable it.
7. Continue to the next section, or click Create or OK to save the antispam profile.
Configuring a FortiGuard URI filter profile
The FortiGuard URI filter service allows you to choose which categories of URI in the email body you want to check and block. Then you can use the filters in the antispam profiles. For details, see “Configuring FortiGuard options”.
To configure a URI filter profile
1. Go to Profile > AntiSpam > URI Filter.
2. Click Create New.
3. Enter a profile name.
4. Select the URI categories you want to check in the email body.
5. Click Create.
URI types
There are two types of URIs:
Absolute URIs strictly follow the URI syntax and include the URI scheme names, such as “http”, “https”, and “ftp”. For instance, http://www.example.com.
Reference URIs do not contain the scheme names. For instance, example.com.
By default, FortiMail scans for both absolute and reference URIs.
In some cases (for example, to lower false positive rates), you may want to scan for absolute URIs only. To do this, you can use the following CLI command to change the default setting:
config antispam settings
set uri-checking {aggressive | strict}
end
aggressive: Choose this option to scan for both the absolute and reference URIs.
strict: Choose this option to scan for absolute URIs only. Note that web sites without “http” or “https” but starting with “www” are also treated as absolute URIs. For instance, www.example.com.
For more information about this command, see the FortiMail CLI Reference.
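To see how the two uri-checking modes differ on a real message body, the following added example (not FortiMail code) classifies whitespace-separated tokens as absolute or reference URIs and lists what each mode would consider. The regular expressions and the sample body are assumptions for illustration; FortiMail's actual matching rules are not given on this page.

```python
import re

# Assumed patterns, written to mirror the definitions in the text above.
SCHEME = re.compile(r"^(?:https?|ftp)://\S+$", re.I)          # http://www.example.com
WWW = re.compile(r"^www\.[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:/\S*)?$", re.I)
BARE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)  # example.com

def classify(token):
    """Return 'absolute', 'reference' or None for a single token."""
    # Per the page, www-prefixed hosts count as absolute even without a scheme.
    if SCHEME.match(token) or WWW.match(token):
        return "absolute"
    if BARE.match(token):
        return "reference"
    return None

def candidates(body, mode):
    """Tokens that would be considered under 'strict' or 'aggressive'."""
    if mode not in ("strict", "aggressive"):
        raise ValueError("mode must be 'strict' or 'aggressive'")
    wanted = {"absolute"} if mode == "strict" else {"absolute", "reference"}
    hits = []
    for raw in body.split():
        token = raw.strip("<>()[]\"'.,;:!?")   # drop surrounding punctuation
        if classify(token) in wanted:
            hits.append(token)
    return hits

# Constructed sample message body.
SAMPLE_BODY = (
    "Reset your password at http://login.example.com/reset or visit "
    "www.example.net today. Mirror: example.org/promo. See the attached "
    "report.pdf and notes.txt for details, e.g. section 2."
)
```

With this assumed pattern, aggressive mode also matches the file names report.pdf and notes.txt, which is the kind of false positive that restricting the scan to absolute URIs avoids.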