Configuring deep header options

The Deep header section of an antispam profile lets you configure the FortiMail unit for more extensive inspection of message headers. Deep header scanning involves two separate checks:

• Black IP checking examines the Received: message header. The FortiMail unit then extracts any URIs or IPs from the header and passes them to the FortiGuard Antispam service, DNSBL, or SURBL servers for spam checking.
• Header analysis examines the entire message header for spam characteristics.

If the message header inspection indicates that the email message is spam, the FortiMail unit treats the email as spam and performs the associated action.

To configure deep header scan options

1. When configuring an antispam profile, enable Deep header in the AntiSpam Profile dialog.
2. Click the arrow to expand Deep header.
3. From Action, select the action profile that you want the FortiMail unit to use if the deep header scan finds spam email.

For more information, see “Configuring antispam action profiles” on page 516.

4. Enable Black IP to query for the blacklist status of the IP addresses of all SMTP servers appearing in the Received: lines of header lines.
   • If this option is disabled, the FortiMail unit checks only the IP address of the current SMTP client.
   • This option applies only if you have also configured either or both FortiGuard and DNSBL. For more information, see “Configuring FortiGuard options” on page 506 and “Configuring DNSBL options” on page 507.
5. Enable Headers analysis to inspect all message headers for known spam characteristics.

If the FortiGuard is enabled, this option uses results from that scan, providing up-to-date header analysis. For more information, see “Configuring FortiGuard options” on page 506.

6. Continue to the next section, or click Create or OK to save the antispam profile.

Configuring SURBL options

In addition to supporting Fortinet’s FortiGuard Antispam SURBL service, the FortiMail unit supports third-party Spam URI Realtime Block Lists (SURBL) servers. You can specify which public SURBL servers to use as part of an antispam profile. Consult the third-party SURBL service providers for any conditions and restrictions.

The SURBL section of antispam profiles lets you configure the FortiMail unit to query one or more SURBL servers to determine if any of the uniform resource identifiers (URI) in the message body are associated with spam. If a URI is blacklisted, the FortiMail unit treats the email as spam and performs the associated action. There are two types of URIs. For details, see “URI types” on page 507.

To configure SURBL scan options

1. When configuring an antispam profile, enable SURBL in the AntiSpam Profile
2. From Action, select the action profile that you want the FortiMail unit to use if the SURBL scan finds spam email.

For more information, see “Configuring antispam action profiles” on page 516.

3. Next to SURBL click Configuration.

A pop-up window appears that displays the domain name of the SURBL servers.

4. To add a new SURBL server address, click New and type the address in the field that appears.

Since the servers will be queried from top to bottom, you may want to put the reliable servers with less traffic to the top of the list. Click the drop-down menu in the title bar to sort the entries.

5. Select a server and click OK.

The pop-up window closes.

6. Continue to the next section, or click Create or OK to save the antispam profile.

Configuring Bayesian options

The Bayesian section of antispam profiles lets you configure the FortiMail unit to use Bayesian databases to determine if the email is likely to be spam. If the Bayesian scan indicates that the email is likely to be spam, the FortiMail unit treats the email as spam and performs the associated action.

FortiMail units can maintain multiple Bayesian databases: global, per-domain, and per-user.

• For outgoing email, the FortiMail unit uses the global Bayesian database.
• For incoming email, which database will be used when performing the Bayesian scan varies by configuration of the incoming antispam profile, configuration of the protected domain, and the maturity of the personal Bayesian database.

Before using Bayesian scans, you must train one or more Bayesian databases in order to teach the FortiMail unit which words indicate probable spam. If a Bayesian database is not sufficiently trained, it can increase false positive and/or false negative rates. You can train the Bayesian databases of your FortiMail unit in several ways. For more information, see “Training the Bayesian databases” on page 645.

To configure Bayesian scan options

1. When configuring an antispam profile, enable Bayesian in the AntiSpam Profile dialog.
2. Click the arrow to expand
3. From Action, select the action profile that you want the FortiMail unit to use if the Bayesian scan finds spam email.

For more information, see “Configuring antispam action profiles” on page 516.

4. Configure the following:

GUI item           Description

Use personal database	Enable to use the per-user Bayesian databases instead of the global or per-domain Bayesian database, if the personal Bayesian database is mature. If the email user’s personal Bayesian database is not yet mature, the FortiMail unit will instead continue to use the global or per-domain Bayesian database. Note: Bayesian scan results may be unreliable if the Bayesian database being used has not been sufficiently trained. For more information, see “Training the Bayesian databases” on page 645. Personal databases can provide better individual results because they are trained by the email user and therefore contain statistics derived exclusively from that email user’s messages. Disable to use either the global or per-domain Bayesian database. Whether the FortiMail will use the global or per-domain Bayesian database varies by your selection in the protected domain. This option is available only if Direction is Incoming. (Personal Bayesian databases cannot be used when the recipient does not belong to a protected domain, which defines outgoing email.
Accept training messages from users	Enable to accept training messages from email users. Training messages are email messages that email users forward to the email addresses of control accounts, such as is-spam@example.com, in order to train or correct Bayesian databases. For information on Bayesian control account email addresses, see “Configuring the quarantine control accounts” on page 612. FortiMail units apply training messages to either the global or per-domain Bayesian database depending on your configuration of the protected domain to which the email user belongs. If Use personal database is enabled, the FortiMail unit will also apply training messages to the email user’s personal Bayesian database. Disable to discard training messages. This option is available only if Direction is Incoming. (Personal and per-domain Bayesian databases cannot be used when the recipient does not belong to a protected domain, which defines outgoing email.)
Use other techniques for auto training	Enable to use scan results from FortiGuard, SURBL, and per-user and system-wide white lists to train per-user Bayesian databases until those databases are considered to be mature. For information on database maturity, see “Backing up, batch training, and monitoring the Bayesian databases” on page 649. This option is available only if Direction is Incoming. (Personal and per-domain Bayesian databases cannot be used when the recipient does not belong to a protected domain, which defines outgoing email.)

5. Continue to the next section, or click Create or OK to save the antispam profile.

Configuring heuristic options

The FortiMail unit includes rules used by the heuristic filter. Each rule has an individual score used to calculate the total score for an email. A threshold for the heuristic filter is set for each antispam profile. To determine if an email is spam, the heuristic filter examines an email message and adds the score for each rule that applies to get a total score for that email. For example, if the subject line of an email contains “As seen on national TV!”, it might match a heuristic rule that increases the heuristic scan score towards the threshold.

• Email is spam if the total score equals or exceeds the threshold.
• Email is not spam if the total score is less than the threshold.

The FortiMail unit comes with a default heuristic rule set. To ensure that the most up-to-date spam methods are included in the percentage of rules used to calculate the score, update your FortiGuard Antispam packages regularly. See “Configuring FortiGuard updates and antispam queries” on page 233.

To configure heuristic scan options

1. When configuring an antispam profile, enable Heuristic in the AntiSpam Profile
2. Click the arrow to expand Heuristic.
3. From Action, select the action profile that you want the FortiMail unit to use if the heuristic scan finds spam email.

For more information, see “Configuring antispam action profiles” on page 516.

4. In Threshold, enter the score at which the FortiMail unit considers an email to be spam. The default value is recommended.
5. In the The percentage of rules used field, enter the percentage of the total number of heuristic rules to use to calculate the heuristic score for an email message.
6. Continue to the next section, or click Create or OK to save the antispam profile.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!