Chapter 15 Unified Threat Management for FortiOS 5.0 : Email filter : Configure local email filters : How content is evaluated
  
How content is evaluated
Every time the banned word filter detects a pattern in an email message, it adds the pattern score to the sum of scores for the message. You set this score when you create a new pattern to block content. The score can be any number from zero to 99999. Higher scores indicate more offensive content. When the total score equals or exceeds the threshold, the email message is considered as spam and treated according to the spam action configured in the email filter profile. The score for each pattern is counted only once, even if that pattern appears many times in the email message. The default score for banned word patterns is 10 and the default threshold is 10. This means that by default, an email message is blocked by a single match.
A pattern can be part of a word, a whole word, or a phrase. Multiple words entered as a pattern are treated as a phrase. The phrase must appear as entered to match. You can also use wildcards or regular expressions to have a pattern match multiple words or phrases.
For example, the FortiGate unit scans an email message that contains only this sentence: “The score for each word or phrase is counted only once, even if that word or phrase appears many times in the email message.”
 
Banned word
pattern
Pattern type
Assigned score
Score added to the sum for the entire page
Comment
word
Wildcard
20
20
The pattern appears twice but multiple occurrences are only counted once.
word phrase
Wildcard
20
0
Although each word in the phrase appears in the message, the words do not appear together as they do in the pattern. There are no matches.
word*phrase
Wildcard
20
20
The wildcard represents any number of any character. A match occurs as long as “word” appears before “phrase” regardless of what is in between them.
mail*age
Wildcard
20
20
Since the wildcard character can represent any characters, this pattern is a match because “email message” appears in the message.
In this example, the message is treated as spam if the banned word threshold is set to 60 or less.