Handbook

Filtering order

6.0.0
The FortiGate unit checks for spam using various filtering techniques. The order in which the FortiGate unit uses these filters depends on the mail protocol used.

Filters requiring a query to a server and a reply (FortiGuard Anti-Spam service and DNSBL/ORDBL) are run simultaneously. To avoid delays, queries are sent while other filters are running. The first reply to trigger a spam action takes effect as soon as the reply is received.

Each spam filter passes the email to the next if no matches or problems are found. If the action in the filter is Mark as Spam, the FortiGate unit tags the email as spam according to the settings in the email filter profile.

For SMTP and SMTPS, if the action is Discard, the email message is discarded or dropped.

If the action in the filter is Mark as Clear, the email is exempt from any remaining filters. If the action in the filter is Mark as Reject, the email session is dropped.

Order of SMTP and SMTPS spam filtering

The FortiGate unit scans SMTP and SMTPS email for spam in a specific order, depending on whether or not the local override feature has been enabled. By default, local override is disabled on the FortiGate. Enabling local override will give priority to local spam filters.

You can enable local override with the CLI command set local-override {enable | disable} when configuring a spamfilter profile. When enabled, the locally defined antispam block/allowlist overrides the SMTP or SMTPS remote checks, which include the IP RBL check, the IP FortiGuard AntiSpam check and the HELO DNS check.

SMTPS spam filtering is available on FortiGate units that support SSL content scanning and inspection.

Enabling local override of Anti-Spam filter

CLI Syntax

    config spamfilter profile
        edit <filter_name>
            set spam-filtering enable
            set options spambwl spamfsip spamfsurl spamhelodns spamfsphish
            config smtp
                set local-override enable
            end
            set spam-bwl-table 1
        next
    end

Order of SMTP and SMTPS spam filtering with local-override disabled

  1. HELO DNS Lookup, Last Hop IP check against ORDBL
  2. Return email DNS check, FortiGuard email checksum check, FortiGuard URL check, FortiGuard IP address check, Phishing URLs detection
  3. Last Hop IP check local block/allowlist
  4. Envelope Address check local block/allowlist
  5. Headers IPs local block/allowlist
  6. Headers email address local block/allowlist, MIME header checks based on local list of patterns (mheader)
  7. Banned words (subject first, then body) based on local block/allowlist (bword)

Order of SMTP and SMTPS spam filtering with local-override enabled

  1. Last Hop IP check local block/allowlist
  2. Envelope Address check local block/allowlist
  3. Headers IPs local block/allowlist, MIME header checks based on local list of patterns (mheader)
  4. Headers email address local block/allowlist
  5. Banned words (subject first, then body) based on local list of patterns (bword)
  6. HELO DNS Lookup, Last Hop IP check against ORDBL
  7. Return email DNS check, FortiGuard email checksum check, FortiGuard URL check, FortiGuard IP address checks, Phishing URLs detection
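
The effect of the two orders on a verdict can be seen in a small model. This is an added example, not FortiOS code: it walks the checks strictly in the listed order, lets the first match decide, and ignores the timing of asynchronous server replies. The check names, the "pass" result and the sample messages are constructed for illustration, and checks that share one step are taken in the order the list gives them.

```python
# Added illustration: a sequential model of the SMTP/SMTPS order listed above.
# Not FortiOS code. Check names are made-up labels for the listed steps, and
# checks sharing one step are taken in the order the page lists them (assumption).
REMOTE = ["helo_dns", "ordbl_last_hop_ip", "return_dns_and_fortiguard"]
ORDER = {
    False: REMOTE + ["local_last_hop_ip", "local_envelope_addr", "local_header_ip",
                     "local_header_email", "mheader", "bword"],
    True: ["local_last_hop_ip", "local_envelope_addr", "local_header_ip", "mheader",
           "local_header_email", "bword"] + REMOTE,
}
TERMINAL = {"spam", "clear", "reject", "discard"}


def evaluate(hits, local_override):
    """Return (action, deciding_check, skipped_checks) for one message.

    hits maps a check name to the action configured for a match on that check.
    A check with no entry finds nothing and passes the message on.
    """
    order = ORDER[local_override]
    for i, check in enumerate(order):
        action = hits.get(check)
        if action is None:
            continue
        if action not in TERMINAL:
            raise ValueError(f"unknown action {action!r} for {check}")
        return action, check, order[i + 1:]
    return "pass", None, []  # "pass" = no filter matched (label used by this model)


def order_sensitive(messages):
    """List messages whose outcome changes when local-override is toggled."""
    changed = []
    for name, hits in messages.items():
        off = evaluate(hits, False)[:2]
        on = evaluate(hits, True)[:2]
        if off[0] != on[0]:
            changed.append((name, off, on))
    return changed


# Constructed sample messages (not real traffic).
MESSAGES = {
    "allowlisted_relay_on_ordbl": {"local_last_hop_ip": "clear", "ordbl_last_hop_ip": "spam"},
    "blocked_sender_with_bad_url": {"local_envelope_addr": "reject", "return_dns_and_fortiguard": "spam"},
    "banned_word_only": {"bword": "spam"},
}

if __name__ == "__main__":
    for name, off, on in order_sensitive(MESSAGES):
        print(f"{name}: override off -> {off}, override on -> {on}")
```

In the first sample, a Mark as Clear match on the local allowlist ends filtering before any remote check is consulted once local override is enabled, so allowlist entries should be reviewed before turning the option on.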

Order of IMAP, POP3, IMAPS and POP3S spam filtering

The FortiGate unit scans IMAP, POP3, IMAPS and POP3S email for spam in the order given below. IMAPS and POP3S spam filtering is available on FortiGate units that support SSL content scanning and inspection.

  1. MIME headers check, E-mail address block/allowlist check
  2. Banned word check on email subject
  3. IP block/allowlist check
  4. Banned word check on email body
  5. Return email DNS check, FortiGuard Antispam email checksum check, FortiGuard Antispam URL check, DNSBL & ORDBL check.
