Fortinet UTM Features

Enabling HELO DNS lookup

Whenever a client opens an SMTP session with a server, the client sends a HELO (or EHLO) command carrying the client's domain name. When you enable HELO DNS lookup, your FortiGate unit takes the domain the client submits as part of the HELO greeting and queries the configured DNS server for it. If the domain does not exist, your FortiGate unit treats all messages the client delivers as spam. Note that this check only confirms that the announced domain exists in DNS; a client that announces a real domain it does not own still passes it.

The HELO DNS lookup is available only for SMTP traffic.

To enable HELO DNS lookup

  1. Go to Security Profiles > Email Filter > Profile.
  2. The default email filter profile is presented. To edit another profile, select it from the drop down in the Edit Email Filter Profile title bar.
  3. Select Enable Spam Detection and Filtering and select Apply.
  4. Under the heading Local Spam Filtering, select HELO DNS Lookup.
  5. Select Apply.

Select the edited email filter profile in a security policy, and the traffic controlled by the security policy will be scanned according to the settings you configured. You may select the email filter profile in more than one security policy if required.

Enabling return email DNS checking

When you enable return email DNS checking, your FortiGate unit takes the domain of the reply-to email address and queries the configured DNS server for it. If the domain does not exist, your FortiGate unit treats the message as spam.

To enable return email DNS check

  1. Go to Security Profiles > Email Filter > Profile.
  2. The default email filter profile is presented. To edit another profile, select it from the drop down in the Edit Email Filter Profile title bar.
  3. Select Enable Spam Detection and Filtering and select Apply.
  4. Under the heading Local Spam Filtering, select Return E-mail DNS Check.
  5. Select Apply.

Select the edited email filter profile in a security policy, and the traffic controlled by the security policy will be scanned according to the settings you configured. You may select the email filter profile in more than one security policy if required.

Enabling banned word checking

When you enable banned word checking, your FortiGate unit examines the email message for words appearing in the banned word list specified in the email filter profile. If the total score of the banned words discovered in the email message equals or exceeds the threshold value set in the email filter profile, your FortiGate unit treats the message as spam.

When determining the banned word score total for an email message, each banned word score is added once no matter how many times the word appears in the message. Use the command config spamfilter bword to add an email banned word list. Use the command config spamfilter profile to add a banned word list to an email filtering profile.

How content is evaluated

Every time the banned word filter detects a pattern in an email message, it adds the pattern score to the sum of scores for the message. You set this score when you create a new pattern to block content. The score can be any number from zero to 99999. Higher scores indicate more offensive content. When the total score equals or exceeds the threshold, the email message is considered as spam and treated according to the spam action configured in the email filter profile. The score for each pattern is counted only once, even if that pattern appears many times in the email message. The default score for banned word patterns is 10 and the default threshold is 10. This means that by default, an email message is blocked by a single match.

A pattern can be part of a word, a whole word, or a phrase. Multiple words entered as a pattern are treated as a phrase. The phrase must appear as entered to match. You can also use wildcards or regular expressions to have a pattern match multiple words or phrases.

For example, the FortiGate unit scans an email message that contains only this sentence: “The score for each word or phrase is counted only once, even if that word or phrase appears many times in the email message.”

Banned word pattern | Pattern type | Assigned score | Score added to the sum for the entire message | Comment
word                | Wildcard     | 20 | 20 | The pattern appears twice, but multiple occurrences are only counted once.
word phrase         | Wildcard     | 20 | 0  | Although each word in the phrase appears in the message, the words do not appear together as they do in the pattern. There is no match.
word*phrase         | Wildcard     | 20 | 20 | The wildcard represents any number of any character. A match occurs as long as “word” appears before “phrase”, regardless of what is in between them.
mail*age            | Wildcard     | 20 | 20 | Since the wildcard character can represent any characters, this pattern is a match because “email message” appears in the message.

In this example, the message is treated as spam if the banned word threshold is set to 60 or less.

Adding words to a banned word list

Each banned word list contains a number of words. Each word has a score and specifies where the FortiGate unit will search for it: in the message subject, in the message body, or all, which means both.

When the FortiGate unit accepts an email message containing one or more words in the banned word list specified in the active email filter profile, it totals the scores of the banned words in the email message. If the total equals or exceeds the threshold set in the email filter profile, the email message is detected as spam. If the total score is lower than the threshold, the message is allowed to pass as normal.

The score of a banned word present in the message will be counted toward the score total only once, regardless of how many times the word appears in the message.

When you enter a word, set the Pattern Type to Wildcard or Regular Expression.

Wildcard uses an asterisk (“*”) to match any number of any character. For example, re* will match all words starting with “re”.

Regular expression uses Perl regular expression syntax. See http://perldoc.perl.org/perlretut.html for detailed information about using Perl regular expressions.
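The scoring rules above (each pattern counted once, wildcard and regular expression pattern types, subject/body/all search location, total compared against the threshold) are easy to get wrong when tuning a list, so here is a small model of them in Python. This is an added example written for this page, not FortiGate code; it reproduces the worked example with the four patterns and the single-sentence message. The subject line is assumed (the page gives only the body), case-insensitive matching is assumed, and Python's re module stands in for the Perl regular expression engine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample from the worked example above. The subject is assumed;
# the page only gives the sentence used as the message body.
SAMPLE_SUBJECT = "scoring test"
SAMPLE_BODY = ("The score for each word or phrase is counted only once, even if "
               "that word or phrase appears many times in the email message.")


@dataclass(frozen=True)
class BannedWord:
    """One entry of a banned word list (what 'config spamfilter bword' holds)."""
    pattern: str
    pattern_type: str = "wildcard"   # "wildcard" or "regexp"
    score: int = 10                  # default pattern score on the FortiGate
    where: str = "all"               # "subject", "body" or "all"


def compile_pattern(entry: BannedWord) -> "re.Pattern[str]":
    """Wildcard: '*' matches any run of characters, everything else is literal.
    Regexp: Perl-style syntax; Python's re engine is used here as a stand-in.
    Case-insensitive matching is an assumption of this example."""
    if entry.pattern_type == "wildcard":
        regex = ".*".join(re.escape(piece) for piece in entry.pattern.split("*"))
    elif entry.pattern_type == "regexp":
        regex = entry.pattern
    else:
        raise ValueError(f"unknown pattern type {entry.pattern_type!r}")
    return re.compile(regex, re.IGNORECASE | re.DOTALL)


def score_message(subject: str, body: str,
                  banned: List[BannedWord]) -> Tuple[Dict[str, int], int]:
    """Return (score per pattern, total). A pattern contributes its score
    at most once, no matter how many times it occurs."""
    per_pattern: Dict[str, int] = {}
    for entry in banned:
        if entry.where == "subject":
            text = subject
        elif entry.where == "body":
            text = body
        else:
            text = subject + "\n" + body
        matched = compile_pattern(entry).search(text) is not None
        per_pattern[entry.pattern] = entry.score if matched else 0
    return per_pattern, sum(per_pattern.values())


def is_spam(subject: str, body: str, banned: List[BannedWord],
            threshold: int = 10) -> bool:
    """Spam when the total equals or exceeds the profile threshold (default 10)."""
    return score_message(subject, body, banned)[1] >= threshold


# The four patterns from the table above, all Wildcard type with score 20.
EXAMPLE_LIST = [
    BannedWord("word", "wildcard", 20),
    BannedWord("word phrase", "wildcard", 20),
    BannedWord("word*phrase", "wildcard", 20),
    BannedWord("mail*age", "wildcard", 20),
]

if __name__ == "__main__":
    breakdown, total = score_message(SAMPLE_SUBJECT, SAMPLE_BODY, EXAMPLE_LIST)
    for pattern, points in breakdown.items():
        print(f"{pattern!r:16} -> {points}")
    print("total:", total,
          "spam at threshold 60:", is_spam(SAMPLE_SUBJECT, SAMPLE_BODY, EXAMPLE_LIST, 60))
```

Run as a script it prints 20, 0, 20 and 20 for the four patterns and a total of 60, so the message is spam at a threshold of 60 and clean at 61. Changing a single entry to where="subject" shows why the search location matters: the same word in the body then scores nothing.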

Email filter examples

Configuring simple antispam protection

Small offices, whether they are small companies, home offices, or satellite offices, often have very simple needs. This example details how to enable antispam protection on a FortiGate unit located in a satellite office.

Creating an email filter profile

Most email filter settings are configured in an email filter profile. Email filter profiles are selected in firewall policies. This way, you can create multiple email filter profiles, and tailor them to the traffic controlled by the security policy in which they are selected. In this example, you will create one email filter profile.

To create an email filter profile — web-based manager

  1. Go to Security Profiles > Email Filter > Profile.
  2. Select the Create New icon in the Edit Email Filter Profile window title.
  3. In the Name field, enter basic_emailfilter.
  4. Select Enable Spam Detection and Filtering.
  5. Ensure that IMAP, POP3, and SMTP are selected in the header row.

These header row selections enable or disable examination of each email traffic type. When disabled, the email traffic of that type is ignored by the FortiGate unit and no email filtering options are available.

  6. Under FortiGuard Spam Filtering, enable IP Address Check.
  7. Under FortiGuard Spam Filtering, enable URL Check.
  8. Under FortiGuard Spam Filtering, enable E-mail Checksum Check.
  9. Select OK to save the email filter profile.

To create an email filter profile — CLI

config spamfilter profile
  edit basic_emailfilter
    set options spamfsip spamfsurl spamfschksum
  end

Selecting the email filter profile in a security policy

An email filter profile directs the FortiGate unit to scan network traffic only when it is selected in a security policy. When an email filter profile is selected in a security policy, its settings are applied to all the traffic the security policy handles.

To select the email filter profile in a security policy — web-based manager

  1. Go to Policy > Policy > Policy.
  2. Create a new or edit a policy.
  3. Turn on email filtering.
  4. Select the basic_emailfilter profile from the list.
  5. Select OK to save the security policy.

To select the email filter profile in a security policy — CLI

config firewall policy
  edit 1
    set utm-status enable
    set profile-protocol-options default
    set spamfilter-profile basic_emailfilter
  end

IMAP, POP3, and SMTP email traffic handled by the security policy you modified will be scanned for spam. Spam messages have the text “Spam” added to their subject lines. A small office may have only one security policy configured. If you have multiple policies, consider enabling spam scanning for all of them.

Blocking email from a user

Employees of the Example.com corporation have been receiving unwanted email messages from a former client at a company called example.net. The client’s email address is client@example.net. All ties between the company and the client have been severed, but the messages continue. The FortiGate unit can be configured to prevent these messages from being delivered.

To create the email address list

  1. Go to Security Profiles > Email Filter > Email List.
  2. Select Create New.
  3. Enter a name for the new email address list.
  4. Optionally, enter a descriptive comment for the email address list.
  5. Select OK to create the list.
  6. Select Create New to add a new entry to the email address list.
  7. Select Email Address.
  8. Enter client@example.net in the E-mail Address field.
  • If you wanted to prevent everyone's email from the client's company from getting through, you could have used *@example.net instead.
  9. Leave Pattern Type set to the default, Wildcard.
  10. Leave Action as Mark as Spam to have the FortiGate unit mark all messages from that address as spam.

Now that the email address list is created, you must enable the email filter in the email filter profile.

To enable Email Filter

  1. Go to Security Profiles > Email Filter > Profile.
  2. From the email filter profile drop down list, select the profile that is used by the firewall policies handling email traffic.
  3. In the row Tag Location, select Subject for all three mail protocols.
  4. In the row Tag Format, enter SPAM: in all three fields.
  5. Select Enable Spam Detection and Filtering.
  6. Ensure that the check boxes labeled IMAP, POP3, and SMTP in the header row are selected.
  7. Under Local Spam Filtering, enable BWL Check and select the email address list you created in the previous procedure from the drop down list.
  8. Select OK.

When this email filter profile is selected in a security policy, the FortiGate unit will add “SPAM:” to the subject of any email message from client@example.net (or from any address ending with @example.net, if you used the wildcard entry) for all email traffic handled by the security policy. Recipients can ignore the message or they can configure their email clients to automatically delete messages with “SPAM:” in the subject.
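The three local checks covered on this page (HELO DNS lookup, return email DNS check, and the email address list with subject tagging) each key on a different piece of the SMTP exchange, which is easy to lose sight of when only clicking through the profile. The following is an added example written for this page, not Fortinet code, that models them in Python against a constructed message from client@example.net. The DNS resolver is a constructed stand-in (a fixed set of "known" domains) so the code runs offline; falling back to From when Reply-To is missing, first-match-wins ordering in the address list, and a "clear" action that exempts a sender from the other checks are this example's assumptions, not documented FortiGate behaviour.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for "the configured DNS": the domains that resolve.
# A real deployment would query a resolver (e.g. socket.getaddrinfo).
KNOWN_DOMAINS = {"example.com", "example.net", "mail.example.com"}


def fake_resolver(domain: str) -> bool:
    return domain.lower().rstrip(".") in KNOWN_DOMAINS


def helo_domain_exists(helo_line: str,
                       resolver: Callable[[str], bool] = fake_resolver) -> bool:
    """HELO DNS lookup: does the name the client announced exist in DNS?
    An address literal such as [192.0.2.10] is not a domain and cannot pass."""
    parts = helo_line.strip().split(None, 1)
    if len(parts) != 2 or parts[0].upper() not in ("HELO", "EHLO"):
        return False
    name = parts[1].strip()
    if name.startswith("[") and name.endswith("]"):
        return False
    return resolver(name)


def return_domain_exists(raw_message: str,
                         resolver: Callable[[str], bool] = fake_resolver) -> bool:
    """Return email DNS check on the Reply-To domain. Falling back to From
    when Reply-To is absent is this example's choice (assumption)."""
    msg = message_from_string(raw_message)
    addr = parseaddr(msg.get("Reply-To") or msg.get("From") or "")[1]
    domain = addr.rpartition("@")[2]
    return bool(domain) and resolver(domain)


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    # '*' matches any run of characters; the whole address must match.
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$",
                      re.IGNORECASE)


def bwl_lookup(sender: str, email_list: List[Tuple[str, str]]) -> Optional[str]:
    """Email address list: action of the first matching entry ('spam' or
    'clear'), or None. First-match-wins ordering is an assumption here."""
    for pattern, action in email_list:
        if wildcard_to_regex(pattern).match(sender):
            return action
    return None


def tag_subject(raw_message: str, tag: str = "SPAM:") -> str:
    """Tag Location = Subject, Tag Format = tag: prefix the subject line."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    del msg["Subject"]          # no error if the header was absent
    msg["Subject"] = f"{tag} {subject}".strip()
    return msg.as_string()


def filter_message(helo_line: str, raw_message: str,
                   email_list: List[Tuple[str, str]],
                   resolver: Callable[[str], bool] = fake_resolver) -> Dict[str, object]:
    """Run the three local checks; return the verdict and the (tagged) message."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    reasons = []
    if not helo_domain_exists(helo_line, resolver):
        reasons.append("helo-dns")
    if not return_domain_exists(raw_message, resolver):
        reasons.append("return-dns")
    action = bwl_lookup(sender, email_list)
    if action == "spam":
        reasons.append("bwl")
    spam = bool(reasons) and action != "clear"   # 'clear' exempts (assumption)
    return {"spam": spam, "reasons": reasons,
            "message": tag_subject(raw_message) if spam else raw_message}


# Constructed sample message for the scenario in this section.
SAMPLE_MESSAGE = """From: Former Client <client@example.net>
To: staff@example.com
Reply-To: client@example.net
Subject: Re: final invoice

Please see the attached invoice.
"""
EXAMPLE_LIST = [("*@example.net", "spam")]

if __name__ == "__main__":
    verdict = filter_message("EHLO example.net", SAMPLE_MESSAGE, EXAMPLE_LIST)
    print(verdict["spam"], verdict["reasons"])
    print(verdict["message"])
```

With the wildcard entry, the message is flagged for the "bwl" reason alone and comes back with "Subject: SPAM: Re: final invoice"; narrowing the entry to client@example.net stops other @example.net senders from matching, which is the distinction steps 8 and 9 above turn on.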



About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

4 thoughts on “Fortinet UTM Features”

  1. Cyrus Ramirez

    Would X.509 v3 certificates affect network connectivity should you attempt to use URLs instead of IP addresses for the commonName?
