profile antispam
Use this command to configure system-wide (or, if these commands are run from inside config domain, domain-specific) antispam profiles.
FortiMail can use many methods to detect spam, such as the FortiGuard Antispam service, DNSBL queries, Bayesian scanning, and heuristic scanning. Antispam profiles contain settings for these features that you may want to vary by policy. Depending on the feature, before you configure antispam policies, you may need to enable the feature or configure its system-wide settings.
Syntax
config profile antispam
edit <profile_name>
set action-default <action-profile_name>
set apply-action-default {enable | disable}
set scan-bypass-on-auth {enable | disable}
set scan-pdf {enable | disable}
set fortiguard-antispam {enable | disable}
set action-fortiguard <action-profile_name>
set fortiguard-check-ip {enable | disable}
set action-fortiguard-blockip <action-profile-name>
set fortiguard-phishing-url {enable | disable}
set action-fortiguard-phishing-url <action-profile-name>
set ip-reputation-level1-status {enable | disable}
set ip-reputation-level2-status {enable | disable}
set ip-reputation-level3-status {enable | disable}
set action-ip-reputation-level1 <action-profile_name>
set action-ip-reputation-level2 <action-profile_name>
set action-ip-reputation-level3 <action-profile_name>
set url-filter-status {enable | disable}
set url-filter-secondary-status {enable | disable}
set url-filter-secondary <filter>
set action-url-filter <action-profile_name>
set action-url-filter-secondary <action-profile_name>
set spam-outbreak-protection {enable | disable | monitor-only}
set greylist {enable | disable}
set action-grey-list <action-profile_name>
set spf-checking {enable | disable}
set spf-fail-status {enable | disable}
set spf-neutral-status {enable | disable}
set spf-none-status {enable | disable}
set spf-pass-status {enable | disable}
set spf-perm-error-status {enable | disable}
set spf-soft-fail-status {enable | disable}
set spf-temp-error-status {enable | disable}
set action-spf-fail <action-profile_name>
set action-spf-neutral <action>
set action-spf-none <action-profile_name>
set action-spf-pass <action-profile_name>
set action-spf-perm-error <action-profile_name>
set action-spf-soft-fail <action-profile_name>
set action-spf-temp-error <action-profile_name>
set dkim-checking {enable | disable}
set dkim-fail-status {enable | disable}
set dkim-none-status {enable | disable}
set dkim-pass-status {enable | disable}
set dkim-temp-error-status {enable | disable}
set action-dkim-fail <action-profile_name>
set action-dkim-none <action-profile_name>
set action-dkim-pass <action-profile_name>
set action-dkim-temp-error <action-profile_name>
set dmarc-checking {enable | disable}
set dmarc-fail-status {enable | disable}
set dmarc-none-status {enable | disable}
set dmarc-pass-status {enable | disable}
set dmarc-temp-error-status {enable | disable}
set action-dmarc-fail <action-profile_name>
set action-dmarc-none <action-profile_name>
set action-dmarc-pass <action-profile_name>
set action-dmarc-temp-error <action-profile_name>
set behavior-analysis {enable | disable}
set behavior-analysis {enable | disable}
set action-behavior-analysis <action-profile_name>
set bec-scan-status {enable | disable}
set impersonation-analysis {enable | disable}
set impersonation <profile_name>
set action-impersonation-analysis <action-profile_name>
set cousin-domain {enable | disable}
set cousin-domain-profile <cousin-profile_name>
set cousin-domain-scan-option {auto-detection body-detection header-detection}
set action-cousin -domain <action-profile-name>
set sender-alignment-status {enable | disable}
set action-sender-alignment <action-profile_name>
set heuristic {enable | disable}
set heuristic-rules-percent <percentage_int>
set heuristic-lower <threshold_int>
set heuristic-upper {threshold_int}
set action-heuristic <action-profile_name>
config surbl-server
edit <server_name>
set action-surbl <action-profile_name>
config dnsbl-server
edit <server_name>
set action-rbl <action-profile_name>
set deepheader-analysis {enable | disable}
set deepheader-check-ip {enable | disable}
set action-deep-header <action-profile_name>
set banned-word {enable | disable}
config bannedwords
edit <word_str>
set subject {enable | disable}
set action-banned-word <action_profile>
set safelist-enable {enable | disable}
set safelist-word {enable | disable}
config safelistwords
edit <word_str>
set subject {enable | disable}
set dictionary {enable | disable}
set dictionary-type
set dictionary-profile <profile_name>
set action-dictionary <action-profile_name>
set image-spam {enable | disable}
set aggressive {enable | disable}
set action-image-spam <action-profile_name>
set bayesian {enable | disable}
set bayesian-usertraining {enable | disable}
set bayesian-autotraining {enable | disable}
set bayesian-user-db {enable | disable}
set action-bayesian <action-profile_name>
set suspicious-newsletter-status {enable | disable}
set action-suspicious-newsletter <action-profile_name>
set newsletter-status {enable | disable}
set action-newsletter <action-profile_name>
set action-virus <action-profile_name>
end
|
Variable |
Description |
Default |
|
Enter the name of an antispam profile. |
|
|
|
Enter a DNSBL server name to perform a DNSBL scan. The FortiMail unit will query DNS blocklist servers. |
|
|
|
Enter a SURBL server name to perform a SURBL scan. The FortiMail unit will query SURBL servers. |
|
|
|
Enter the banned word. You can use wildcards in banned words. But regular expressions are not supported. For more information about wildcards and regular expressions, see the FortiMail Administration Guide. |
|
|
|
Enter the safelisted word to configure. |
|
|
|
Enter the action profile that you want the FortiMail unit to use if the banned word scan determines that the email is spam. |
|
|
|
Enter the action profile that you want the FortiMail unit to use if the Bayesian scan determines that the email is spam. |
|
|
|
Enter the action profile that you want the FortiMail unit to use if the behavior analysis scan determines that the email is spam. |
|
|
|
Enter the action profile that FortiMail uses if the cousin domain scan determines that the email is spam. |
|
|
|
Enter the action profile that you want the FortiMail unit to use if the deep header scan determines that the email is spam. |
|
|
|
Enter the default action profile that you want all scanners of the FortiMail unit to use. However, if you choose an action profile other than “default" for a scanner, this scanner will use the chosen profile. |
|
|
|
Enter the action profile that you want the FortiMail unit to use if the heuristic scan determines that the email is spam. |
|
|
| action-dkim-fail <action-profile_name> | Enter the action profile that you want the FortiMail unit to use for DKIM check failure. |
|
| action-dkim-none <action-profile_name> | Enter the action profile that you want the FortiMail unit to use if no DKIM DNS record is not found or parsed correctly. |
|
| Enter the action profile that you want the FortiMail unit to use for DKIM check pass. |
|
|
|
Enter the action profile that you want the FortiMail unit to use if DNS server returns Temp error when querying the DKIM DNS record. |
|
|
| Enter the action profile that you want the FortiMail unit to use for DMARC check failure. |
|
|
| Enter the action profile that you want the FortiMail unit to use if no DMARC DNS record is not found or parsed correctly. |
|
|
| Enter the action profile that you want the FortiMail unit to use for DMARC check pass. |
|
|
|
Enter the action profile that you want the FortiMail unit to use if DNS server returns Temp error when querying the DMARC DNS record. |
|
|
|
Enter the action profile that you want the FortiMail unit to use if the FortiGuard block IP scan determines that the email is spam. |
|
|
|
Enter the action profile that you want the FortiMail unit to use if the FortiGuard phishing URL scan determines that the email is spam. |
|
|
|
Enter the action profile that you want the FortiMail unit to use if the FortiGuard Antispam scan determines that the email is spam. |
|
|
|
Enter the action profile that you want the FortiMail unit to use if the grey list scan determines that the email is spam. |
|
|
|
Enter the action profile that you want the FortiMail unit to use if the heuristic scan determines that the email is spam. |
|
|
|
Enter the action profile that you want the FortiMail unit to use if the image scan determines that the email is spam. |
|
|
|
Enter the action profile that FortiMail uses if impersonation analysis determines that the email is from someone impersonating a known email address. |
|
|
|
Enter the action profile that you want assigned to IP reputation level 1. FortiGuard categorizes the blocklisted IP addresses into three levels, level 1 has the worst reputation and level 3 the best. |
|
|
|
Enter the action profile that you want assigned to IP reputation level 2. FortiGuard categorizes the blocklisted IP addresses into three levels, level 1 has the worst reputation and level 3 the best. |
|
|
|
Enter the action profile that you want assigned to IP reputation level 3. FortiGuard categorizes the blocklisted IP addresses into three levels, level 1 has the worst reputation and level 3 the best. |
|
|
|
Enter the action profile that you want the FortiMail unit to use if the newsletter scan determines that the email is spam. |
|
|
|
Enter the action profile that you want the FortiMail unit to use if the DNSBL scan determines that the email is spam. |
|
|
|
Enter the action profile that FortiMail uses if the email does not pass the sender alignment scan. |
|
|
|
Enter the action profile that FortiMail uses if the email does not pass the SPF scan, which means the host is not authorized to send messages. |
|
|
|
Enter the action profile that FortiMail uses if the SPF scan result is neutral, which means the SPF record is found but no definitive assertion. |
|
|
|
Enter the action profile that FortiMail uses if the SPF scan has no result, which means there is no SPF record. |
|
|
|
Enter the action profile that FortiMail uses if email passes the SPF scan, which means the host is authorized to send a message. |
|
|
|
Enter the action profile that FortiMail uses if the SPF scan has a permanent error, which means the SPF records are invalid. |
|
|
|
Enter the action profile that FortiMail uses if the SPF scan has a soft failure, which means the host is not authorized to send messages, but it's not a strong statement. |
|
|
|
Enter the action profile that FortiMail uses if the SPF scan has a temporary error, which means there is a processing error. |
|
|
|
Enter the action profile that FortiMail uses if the SURBL scan determines that the email is spam. |
|
|
|
Enter the action profile that FortiMail uses if the suspicious newsletter scan determines that the email is spam. |
|
|
|
Enter the action profile that FortiMail uses if the URL filter scan determines that the email is spam. |
|
|
|
Enter the action profile that FortiMail uses if the URL filter scan determines that the email is spam. |
|
|
|
Enter the action profile that requires the FortiMail unit to treat messages with viruses as spam. |
|
|
|
Enable this option to examine file attachments in addition to images embedded in the message body. Tip: To improve performance, enable this option only if you do not have a satisfactory spam detection rate. |
disable |
|
|
Enable to perform the action in |
disable | |
|
Enable to perform a banned words scan. |
disable |
|
|
Enable to use FortiGuard Antispam and SURBL scan results to train per-user Bayesian databases that are not yet mature (that is, they have not yet been trained with 200 legitimate email and 100 spam in order to recognize spam). |
enable |
|
|
Enable to use per-user Bayesian databases. If disabled, the Bayesian scan will use either the global or the per-domain Bayesian database, whichever is selected for the protected domain. |
disable |
|
|
Enable to accept email forwarded from email users to the Bayesian control email addresses in order to train the Bayesian databases to recognize spam and legitimate email. |
enable |
|
|
Enable to perform a Bayesian scan. |
disable |
|
|
Enable to perform a business email compromise (BEC) scan. Then configure which scans in |
disable |
|
|
Enable this option to activate behavior analysis scan for this antispam profile. |
disable | |
|
Enable to analyze the similarities between uncertain email and known email in the behavior analysis (BA) database to determine whether the uncertain email is spam. See also antispam behavior-analysis to adjust the BA aggressiveness level. |
disable |
|
|
Enable to check the message body for the safelisted word. |
disable |
|
|
Enable to check the message body for the banned word. |
disable |
|
|
Select which cousin domain profile to use. This setting takes effect if |
||
|
cousin-domain-scan-option {auto-detection body-detection header-detection} |
Select where in the email to scan for domain name impersonation, either automatically, within the email body, and/or the message headers. This setting takes effect if |
header-detection body-detection auto-detection |
|
Enable to perform a cousin domain (domain impersonation) scan. This detects domain names that are deliberately misspelled in order to appear to come from a trusted domain. Then also configure This setting takes effect if |
disable |
|
|
Enable to inspect all message headers for known spam characteristics. If the FortiGuard Antispam scan is enabled, this option uses results from that scan, providing up-to-date header analysis. |
disable |
|
|
Enable to query for the blocklist status of the IP addresses of all SMTP servers appearing in the If this setting is disabled, the FortiMail unit examines only the IP address of the current SMTP client. This setting requires that you also configure either or both FortiGuard Antispam scan and DNSBL scan. |
disable |
|
|
Enter the threshold for dictionary profile matches. When the dictionary profile scans an email, it counts the number of matching words or phrases, and adjusts this total according to |
|
|
|
Enter the dictionary profile name. |
|
|
|
Enter the type of dictionary profile. |
|
|
|
Enable to perform a dictionary scan for this profile. |
disable |
|
|
Enable to have the unit perform email authentication with DKIM checking. If either SPF check or DKIM check passes, DMARC check will pass. If both fail, DMARC fails. |
disable |
|
|
Enable or disable checking invalid DKIM body hash or signature. |
enable |
|
|
Enable or disable checking for instances where no DKIM DNS record is found, or the record could not be correctly parsed. |
disable |
|
|
Enable or disable DKIM check passing. |
disable |
|
|
Enable or disable checking for instances where DNS server returns Temp error when querying the DKIM DNS record. |
disable |
|
|
Enable to have the unit perform email authentication with SPF and DKIM checking. If either SPF check or DKIM check passes, DMARC check will pass. If both fail, DMARC fails. |
enable |
|
|
Enable or disable DMARC check failing. |
enable |
|
|
Enable or disable checking for instances where no DMARC DNS record is found, or the record could not be correctly parsed. |
disable |
|
|
Enable or disable DMARC check passing. |
disable |
|
|
Enable or disable checking for instances where DNS server returns Temp error when querying the DMARC DNS record. |
disable |
|
|
Enable to perform a DNSBL scan for this profile. The FortiMail unit will query DNS blocklist servers defined using “set out_profile profile modify deepheader" on page 405. |
disable |
|
|
Enable to let the FortiMail unit query the FortiGuard Antispam service to determine if any of the uniform resource identifiers (URL) in the message body are associated with spam. If any URL is blocklisted, the FortiMail unit considers the email to be spam, and you can select the action that the FortiMail unit will perform. |
disable |
|
|
Enable to include whether or not the IP address of the SMTP client is blocklisted in the FortiGuard Antispam query. |
disable |
|
|
Enable to include whether or not the phishing URL is blocklisted in the FortiGuard Antispam query. |
disable |
|
|
Enable to perform a greylist scan. |
disable |
|
|
Enter the score equal to or below which the FortiMail unit considers an email to not be spam. |
-20.000000 |
|
|
Enter the percentage of the total number of heuristic rules that will be used to calculate the heuristic score for an email message. The FortiMail unit compares this total score to the upper and lower level threshold to determine if an email is:
To improve system performance and resource efficiency, enter the lowest percentage of heuristic rules that results in a satisfactory spam detection rate. |
100 |
|
|
Enter the score equal to or above which the FortiMail unit considers an email to be spam. |
10.000000 |
|
|
Enable to perform a heuristic scan. |
disable |
|
|
Enable to perform an image spam scan. |
disable |
|
|
Enable to perform a sender impersonation analysis scan. This automatically learns and tracks the mapping of display names and internal email addresses to prevent spoofing attacks. Then also configure This setting takes effect if |
disable |
|
|
Select which impersonation profile to use. This setting takes effect if |
|
|
|
Enable IP reputation to enable the FortiMail unit to query the FortiGuard Antispam service to determine if the public IP address of the SMTP client is blocklisted. FortiGuard categorizes the blocklisted IP addresses into three levels, level 1 has the worst reputation and level 3 the best. |
disable |
|
|
Enable IP reputation to enable the FortiMail unit to query the FortiGuard Antispam service to determine if the public IP address of the SMTP client is blocklisted. FortiGuard categorizes the blocklisted IP addresses into three levels, level 1 has the worst reputation and level 3 the best. |
disable |
|
|
Enable IP reputation to enable the FortiMail unit to query the FortiGuard Antispam service to determine if the public IP address of the SMTP client is blocklisted. FortiGuard categorizes the blocklisted IP addresses into three levels, level 1 has the worst reputation and level 3 the best. |
disable |
|
|
Enable dection of newsletters to make sure newsletters and other marketing campaigns are not spam. |
|
|
|
Enable to automatically update personal safelist database from sent email. |
disable |
|
|
Enable to perform a safelist word scan using words configured in <word_str>. |
disable |
|
|
Enable to omit antispam scans when an SMTP sender is authenticated. |
disable |
|
|
Enter the maximum size, in bytes, that the FortiMail unit will scan for spam. Messages exceeding the limit will not be scanned for spam. To scan all email regardless of size, enter |
1204 bytes for predefined profiles
600 bytes for user-defined profiles |
|
|
Enable to scan the first page of PDF attachments using heuristic, banned word, and image spam scans, if they are enabled. |
disable |
|
|
Enable to scan for sender email address and name mismatches. Sender alignment compares the sender email address in the message header ( If the sender email address fails the check, FortiMail takes the action in This setting takes effect if |
|
|
|
Enable to temporarily hold suspicious email for a certain period of time (configurable with When set to |
disable | |
|
Enable to have the FortiMail unit perform the action configured in this antispam profile, instead of the action configured in the session profile. See spf-validation {enable | disable}. You can also specify different actions toward defferent SPS check results:
|
disable |
|
|
Enable to make the FortiMail unit check if the host is not authorized to send messages. If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-fail. |
|
|
|
Enable to make the FortiMail unit check if the SPF record is found but no definitive assertion. If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-neutral. |
|
|
|
Enable to make the FortiMail unit check if there is no SPF record. If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-none. |
|
|
|
Enable to make the FortiMail unit check if the host is authorized to send messages. If the client IP address fails the SPF check, FortiMail takes the antispam action configured in action-spf-pass. |
|
|
|
Enable to make the FortiMail unit check if the SPF records are invalid. If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-perm-error. |
|
|
|
Enable to make the FortiMail unit check if the host is not authorized to send messages but not a strong statement. If the client IP address fails the SPF check, FortiMail takes the antispam action entered in action-spf-soft-fail. |
|
|
|
Enable to make the FortiMail unit check if there is a processing error. If the client IP address fails the SPF check, FortiMail takes the antispam action entered in |
|
|
|
Enable to check the subject line for the safelisted word. |
disable |
|
|
Enable to check the subject line for the banned word. |
disable |
|
|
Enable to perform a SURBL scan. The FortiMail unit will query SURBL servers defined using “set out_profile profile modify surblserver" on page 421. |
disable |
|
|
Enable the detection of newsletters. |
disable | |
|
Enable or disable the secondaryURI filter scan. |
disable | |
|
To take different actions towards different URL filters/categories, you can specify a primary and a secondary filter, and specify different actions for each filter. If both URL filters match an email message, the primary filter action will take precedence. |
|
|
|
Enable or disable URL filter scan. |
disable | |
|
Specify the URL filter to use. |
|
|
|
Enable to treat email with viruses as spam. When enabled, instead of performing the action configured in the antivirus profile, the FortiMail unit will instead perform either the general or individualized action in the antispam profile. |
disable |