Anti-Spam filter

This section describes how to configure FortiGate email filtering for IMAP, POP3, and SMTP email. Email filtering includes both spam filtering and filtering for any words or files you want to disallow in email messages. If your FortiGate unit supports SSL content scanning and inspection, you can also configure spam filtering for IMAPS, POP3S, and SMTPS email traffic.

 

The following topics are included in this section:

  • Anti-Spam concepts
  • Enable Anti-Spam
  • Configure email traffic types to inspect
  • Configure the spam action
  • Configure the tag location
  • Configure the tag format
  • Configuring Anti-Spam
  • Configure local email filters
  • Anti-Spam examples

 

Anti-Spam concepts

You can configure the FortiGate unit to manage unsolicited commercial email by detecting and identifying spam messages from known or suspected spam servers.

The FortiGuard Anti-Spam Service uses both a sender IP reputation database and a spam signature database, along with sophisticated spam filtering tools, to detect and block a wide range of spam messages. Using FortiGuard Anti-Spam profile settings, you can enable IP address checking, URL checking, email checksum checking, and spam submission. Updates to the IP reputation and spam signature databases are provided continuously via the global FortiGuard Distribution Network.

From the FortiGuard Anti-Spam Service page in the FortiGuard Center, you can find out whether an IP address is blacklisted in the FortiGuard Anti-Spam IP reputation database, or whether a URL or email address is in the signature database.

 

Anti-Spam techniques

The FortiGate unit has a number of techniques available to help detect spam. Some use the FortiGuard Anti-Spam Service and require a subscription. The remainder use your DNS servers or use lists that you must maintain on the unit.

 

Black/white list

The following types of black/white list entries are available:

  • IP/Netmask

The FortiGate unit compares the IP address of the client delivering the email to the addresses in the IP address black/white list specified in the email filter profile. If a match is found, the FortiGate unit will take the action configured for the matching black/white list entry against all delivered email.

The default setting of the smtp-spamhdrip CLI command is disable. If enabled, the FortiGate unit will check all the IP addresses in the header of SMTP email against the specified IP address black/white list.

  • Email Wildcard

The FortiGate unit compares the sender email address, as shown in the message envelope MAIL FROM, to the pattern in the pattern field. The wildcard symbol is used in the pattern to replace the characters in the address that may vary from the pattern. If a match is found, the FortiGate unit will take the action configured for the matching black/white list entry.

  • Email Regular Expression

The FortiGate unit compares the sender email address, as shown in the message envelope MAIL FROM, to the pattern in the pattern field. A regular expression can express far more than a simple wildcard. If a match is found, the FortiGate unit will take the action configured for the matching black/white list entry.

 

Pattern

The pattern field is for entering the identifying information that will enable the filter to correctly identify the email messages.

  • If the type is IP/Netmask the filter will be an IP address with a subnet mask.
  • If the type is Email Wildcard the filter will be an email address with a wildcard symbol in place of the variable characters. For example *.example.com or fred@*.com.
  • If the type is Email Regular Expression, a regular expression can be used to create a more granular filter for email addresses. For example, ^[_a-z0-9-]+(\.[_a-z0-9-]+)*@(example|xmple|examp)\.(com|org|net) could be used to filter on a number of combinations of email domain names. Note that the dot before the top-level domain must be escaped as \. ; an unescaped dot matches any single character, so the looser pattern would also match an address such as user@examplexcom.

 

Action

  • Mark as Spam

If this is the selected action, the email will be allowed through but it will be tagged with an indicator that clearly marks the email as spam.

  • Mark as Clear

If this is the selected action, the email will be allowed to go through to its destination on the assumption that the message is not spam.

  • Mark as Reject

If this is the selected action, the email is dropped before it reaches its destination. For SMTP and SMTPS the session is rejected and the sender receives a configurable replacement message instead of the email.

 

Status

Indicates whether this particular list is enabled or disabled.
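The black/white list logic described above, as an added example that is not part of the original page or of FortiOS: entries are evaluated in list order, the first enabled entry that matches decides, and each of the three entry types is matched the way the page describes (IP/netmask containment, a wildcard in which only * is special, and a regular expression). The sample list, the addresses (documentation ranges) and the case-insensitive comparison are assumptions; the regular expression is the page's own, with the dot before the top-level domain escaped, and the test below shows what the unescaped version would also accept.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Entry types and actions named on the page.
IP_NETMASK, EMAIL_WILDCARD, EMAIL_REGEX = "ip/netmask", "email-wildcard", "email-regexp"
SPAM, CLEAR, REJECT = "spam", "clear", "reject"

# The regular expression from the page, with the dot before the TLD escaped. Unescaped,
# '.' matches any single character, so "bob@examplexcom" would also match.
PAGE_REGEX_FIXED = r"^[_a-z0-9-]+(\.[_a-z0-9-]+)*@(example|xmple|examp)\.(com|org|net)$"


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a wildcard pattern: only '*' is special and stands for any run of characters."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE)


@dataclass
class BwlEntry:
    kind: str             # IP_NETMASK, EMAIL_WILDCARD or EMAIL_REGEX
    pattern: str
    action: str           # SPAM, CLEAR or REJECT
    enabled: bool = True  # the entry's Status

    def matches(self, client_ip: str, mail_from: str) -> bool:
        if not self.enabled:
            return False
        if self.kind == IP_NETMASK:
            # strict=False accepts host bits set in the entry, e.g. 198.51.100.7/24 (assumption)
            network = ipaddress.ip_network(self.pattern, strict=False)
            return ipaddress.ip_address(client_ip) in network
        sender = mail_from.strip().strip("<>").lower()
        if self.kind == EMAIL_WILDCARD:
            return wildcard_to_regex(self.pattern).fullmatch(sender) is not None
        if self.kind == EMAIL_REGEX:
            # search() honours ^ and $ written in the pattern (assumed to mirror the FortiGate semantics)
            return re.search(self.pattern, sender, re.IGNORECASE) is not None
        raise ValueError(f"unknown entry type {self.kind!r}")


def bwl_verdict(entries: Iterable[BwlEntry], client_ip: str, mail_from: str) -> Optional[str]:
    """Return the action of the first enabled entry that matches, or None when nothing matches.

    Entries are evaluated in list order, so a Mark as Clear entry placed before a Mark as Spam
    entry exempts everything it matches from that later entry."""
    for entry in entries:
        if entry.matches(client_ip, mail_from):
            return entry.action
    return None


# Constructed sample list (documentation address ranges, not real senders).
SAMPLE_LIST = [
    BwlEntry(IP_NETMASK, "192.0.2.0/24", CLEAR),                  # internal relay, trusted
    BwlEntry(IP_NETMASK, "198.51.100.7/32", REJECT),              # known bad host
    BwlEntry(EMAIL_WILDCARD, "*@newsletter.example.net", SPAM),
    BwlEntry(EMAIL_WILDCARD, "fred@*.com", SPAM, enabled=False),  # disabled entry, never matches
    BwlEntry(EMAIL_REGEX, PAGE_REGEX_FIXED, CLEAR),
]

if __name__ == "__main__":
    for ip, sender in [("192.0.2.10", "promo@newsletter.example.net"),
                       ("203.0.113.5", "promo@newsletter.example.net"),
                       ("203.0.113.5", "fred@anything.com"),
                       ("203.0.113.5", "bob.smith@xmple.org")]:
        print(ip, sender, "->", bwl_verdict(SAMPLE_LIST, ip, sender))
```

The first two sample runs use the same sender; the message is cleared when it arrives from the trusted relay and marked as spam from anywhere else, which is the ordering effect to keep in mind when you put a broad Mark as Clear entry at the top of a list.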

 

Banned word check

When you enable banned word checking, your FortiGate unit will examine the email message for words appearing in the banned word list specified in the Anti-Spam profile. If the total score of the banned word discovered in the email message exceeds the threshold value set in the Anti-Spam profile, your FortiGate unit will treat the message as spam.

When determining the banned word score total for an email message, each banned word score is added once no matter how many times the word appears in the message. Use the command config spamfilter bword to add an email banned word list. Use the command config spamfilter profile to add a banned word list to an Anti-Spam profile.

 

How content is evaluated

Every time the banned word filter detects a pattern in an email message, it adds the pattern score to the sum of scores for the message. You set this score when you create a new pattern to block content. The score can be any number from zero to 99999. Higher scores indicate more offensive content. When the total score equals or exceeds the threshold, the email message is considered spam and treated according to the spam action configured in the email filter profile. The score for each pattern is counted only once, even if that pattern appears many times in the email message. The default score for banned word patterns is 10 and the default threshold is 10, so by default a single matching pattern is enough for the message to be treated as spam.

A pattern can be part of a word, a whole word, or a phrase. Multiple words entered as a pattern are treated as a phrase. The phrase must appear as entered to match. You can also use wildcards or regular expressions to have a pattern match multiple words or phrases.

For example, the FortiGate unit scans an email message that contains only this sentence: “The score for each word or phrase is counted only once, even if that word or phrase appears many times in the email message.”

Banned word pattern | Pattern type | Assigned score | Score added to the sum for the entire message | Comment
word                | Wildcard     | 20             | 20  | The pattern appears twice, but multiple occurrences are only counted once.
word phrase         | Wildcard     | 20             | 0   | Although each word in the phrase appears in the message, the words do not appear together as they do in the pattern. There is no match.
word*phrase         | Wildcard     | 20             | 20  | The wildcard represents any number of any character. A match occurs as long as “word” appears before “phrase”, regardless of what is in between them.
mail*age            | Wildcard     | 20             | 20  | Since the wildcard character can represent any characters, this pattern is a match because “email message” appears in the message.

In this example, the message is treated as spam if the banned word threshold is set to 60 or less.

 

Adding words to a banned word list

When you enter a word, set the Pattern Type to Wildcard or Regular Expression.

 

Wildcard uses an asterisk (“*”) to match any number of any character. For example, re* will match all words starting with “re”.

Regular expression uses Perl regular expression syntax. See http://perldoc.perl.org/perlretut.html for detailed information about using Perl regular expressions.
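The scoring rules from the two sections above, as an added example that is not FortiOS code: wildcard patterns are translated so that only * is special and a multi-word pattern must appear as entered, regular expression patterns are used as written, each matching pattern contributes its score once however often it occurs, and the sum is compared against the profile threshold. The sentence and the four patterns are the page's own example; case-insensitive matching and the extra regular expression pattern are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

DEFAULT_SCORE = 10       # page: default score of a banned word pattern
DEFAULT_THRESHOLD = 10   # page: default threshold of the profile


@dataclass
class BannedWord:
    pattern: str
    pattern_type: str = "wildcard"   # "wildcard" or "regexp"
    score: int = DEFAULT_SCORE       # 0..99999 on the page

    def compiled(self) -> "re.Pattern[str]":
        if self.pattern_type == "wildcard":
            # Only '*' is special and stands for any run of characters (including none);
            # everything else, including spaces between words, must appear exactly as entered.
            body = ".*".join(re.escape(part) for part in self.pattern.split("*"))
            return re.compile(body, re.IGNORECASE | re.DOTALL)
        if self.pattern_type == "regexp":
            return re.compile(self.pattern, re.IGNORECASE)
        raise ValueError(f"unknown pattern type {self.pattern_type!r}")


def banned_word_score(text: str, words: Iterable[BannedWord]) -> Tuple[int, List[str]]:
    """Sum the scores of the patterns found in text; a pattern counts once however often it appears."""
    total, hits = 0, []
    for word in words:
        if word.compiled().search(text):
            total += word.score
            hits.append(word.pattern)
    return total, hits


def is_spam(text: str, words: Iterable[BannedWord], threshold: int = DEFAULT_THRESHOLD) -> bool:
    """The message is spam when the summed score equals or exceeds the profile threshold."""
    total, _ = banned_word_score(text, words)
    return total >= threshold


# The sentence and the four wildcard patterns from the page's worked example.
SENTENCE = ("The score for each word or phrase is counted only once, even if that word "
            "or phrase appears many times in the email message.")
PAGE_PATTERNS = [BannedWord(p, "wildcard", 20) for p in ("word", "word phrase", "word*phrase", "mail*age")]

if __name__ == "__main__":
    total, hits = banned_word_score(SENTENCE, PAGE_PATTERNS)
    print(total, hits)                      # 60 ['word', 'word*phrase', 'mail*age']
    print(is_spam(SENTENCE, PAGE_PATTERNS, threshold=60), is_spam(SENTENCE, PAGE_PATTERNS, threshold=61))
```

Because a pattern is a substring match unless you anchor it yourself, a short wildcard entry such as word also fires on "words" and "password"; use a regular expression with word boundaries when that matters.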

DNS-based Blackhole List (DNSBL)

A DNSBL is a list of IP addresses, usually maintained by a third party, which are identified as being associated with spamming.

 

FortiGuard Anti-Spam Service: FortiGuard IP address check

The FortiGate unit queries the FortiGuard Anti-Spam Service to determine if the IP address of the client delivering the email is blacklisted. A match causes the FortiGate unit to treat the delivered messages as spam.

By default (the smtp-spamhdrip CLI setting is disabled) only the IP address of the connecting client is submitted. If smtp-spamhdrip is enabled, the IP addresses found in the headers of SMTP email are submitted to the FortiGuard service as well. If an IP address exists in the FortiGuard IP address black list, your FortiGate unit will treat the message as spam.

 

FortiGuard URL check

When you enable FortiGuard URL checking, your FortiGate unit will submit all URLs appearing in the email message body to the FortiGuard service for checking. If a URL exists in the FortiGuard URL black list, your FortiGate unit will treat the message as spam.

 

FortiGuard email checksum check

When you enable FortiGuard email checksum checking, your FortiGate unit will submit a checksum of each email message to the FortiGuard service for checking. If a checksum exists in the FortiGuard checksum black list, your FortiGate unit will treat the message as spam.

 

Detect phishing URLs in email

When you enable FortiGuard phishing URL detection, your FortiGate unit will submit all URL hyperlinks appearing in the email message body to the FortiGuard service for checking. If a URL exists in the FortiGuard URL phishing list, your FortiGate unit will remove the hyperlink from the message. The URL will remain in place, but it will no longer be a selectable hyperlink.

 

FortiGuard spam submission

Spam submission is a way you can inform the FortiGuard Anti-Spam service of non-spam messages incorrectly marked as spam. When you enable this setting, the FortiGate unit adds a link to the end of every message marked as spam. You then select this link to inform the FortiGuard Anti-Spam service when a message is incorrectly marked.

 

Trusted IP Addresses

A list of IP addresses that the FortiGate unit trusts. Email arriving from these addresses is treated as coming from non-spammers and is not subjected to the IP address checks.

If the FortiGate unit sits behind the company's mail transfer agents, it may be unnecessary to check the IP addresses of those relays because they are internal and trusted. The only IP addresses that need to be checked are those from outside the company. In some cases, external IP addresses may be added to the list if it is known that they are not sources of spam.

 

MIME header

This feature filters by the MIME header. MIME header settings are configured in a separate part of the command tree but MIME header filtering is enabled within each profile.

 

HELO DNS lookup

Whenever a client opens an SMTP session with a server, the client sends a HELO command with the client domain name. The FortiGate unit takes the domain name specified by the client in the HELO and does a DNS lookup to determine if the domain exists. If the lookup fails, the FortiGate unit determines that any messages delivered during the SMTP session are spam.

The HELO DNS lookup is available only for SMTP traffic.

 

Return email DNS check

When you enable return email DNS checking, your FortiGate unit takes the domain from the reply-to email address and queries the DNS servers for an A or MX record for that domain. If neither record exists, the message is treated as spam.
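The two DNS-based checks (HELO DNS lookup and return email DNS check), as an added example that is not FortiOS code. The resolver is injected so the example runs offline against constructed zone data; a live resolver with the same (name, record type) signature can be plugged in. Assumptions, none of which the page states: the HELO check looks for an A record and treats an address literal such as [192.0.2.25] as unverifiable, and when no Reply-To header is present the sender address is used for the return check.

```python
from email.utils import parseaddr
from typing import Callable, List, Mapping

# A resolver returns the records of one type for a name, or an empty list. Injecting it keeps the
# example offline; a live resolver (for example one built on dnspython) fits the same signature.
Resolver = Callable[[str, str], List[str]]


def helo_domain_exists(helo_argument: str, resolver: Resolver) -> bool:
    """HELO DNS lookup: the name the client gave in HELO/EHLO must resolve (A record, assumption)."""
    name = helo_argument.strip().lower()
    # An address literal such as [192.0.2.25] is legal in HELO but is not a domain name; this
    # example treats it as unverifiable (assumption; the page does not cover literals).
    if not name or name.startswith("["):
        return False
    return bool(resolver(name, "A"))


def return_address_domain(headers: Mapping[str, str], mail_from: str) -> str:
    """Domain to check: the Reply-To address when present, otherwise the sender (assumption)."""
    address = parseaddr(headers.get("Reply-To", ""))[1] or parseaddr(mail_from)[1]
    return address.rpartition("@")[2].lower()


def return_domain_exists(domain: str, resolver: Resolver) -> bool:
    """Return email DNS check: either an A or an MX record for the domain is enough."""
    return bool(domain) and (bool(resolver(domain, "A")) or bool(resolver(domain, "MX")))


def dns_spam_reasons(helo_argument: str, headers: Mapping[str, str], mail_from: str,
                     resolver: Resolver, protocol: str = "smtp") -> List[str]:
    """Reasons the message would be treated as spam; the HELO check applies to SMTP only."""
    reasons = []
    if protocol == "smtp" and not helo_domain_exists(helo_argument, resolver):
        reasons.append("helo-dns")
    if not return_domain_exists(return_address_domain(headers, mail_from), resolver):
        reasons.append("return-email-dns")
    return reasons


# Constructed zone data (documentation names and addresses, not live DNS).
FAKE_ZONE = {
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("example.com", "MX"): ["10 mail.example.com"],
    ("mx-only.example.net", "MX"): ["10 mail.example.com"],   # MX but no A: still passes
}


def fake_resolver(name: str, rtype: str) -> List[str]:
    return FAKE_ZONE.get((name.lower(), rtype), [])


if __name__ == "__main__":
    print(dns_spam_reasons("mail.example.com", {}, "bounce@example.com", fake_resolver))
    print(dns_spam_reasons("bogus.invalid", {"Reply-To": "x@nowhere.invalid"},
                           "bounce@example.com", fake_resolver))
```

Note that a domain with only an MX record passes the return check, while a HELO name that resolves only through an MX record does not; that asymmetry is deliberate, because the HELO argument is supposed to be the connecting host, not a mail domain.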

Order of spam filtering

The FortiGate unit checks for spam using various filtering techniques. The order in which the FortiGate unit uses these filters depends on the mail protocol used.

Filters requiring a query to a server and a reply (FortiGuard Antispam Service and DNSBL/ORDBL) are run simultaneously. To avoid delays, queries are sent while other filters are running. The first reply to trigger a spam action takes effect as soon as the reply is received.

Each spam filter passes the email to the next if no matches or problems are found. If the action in the filter is Mark as Spam, the FortiGate unit tags the email as spam according to the settings in the email filter profile. For SMTP and SMTPS, if the action is discard, the email message is discarded or dropped.

If the action in the filter is Mark as Clear, the email is exempt from any remaining filters. If the action in the filter is Mark as Reject, the email session is dropped. Rejected SMTP or SMTPS email messages are substituted with a configurable replacement message.

 

Order of SMTP and SMTPS spam filtering

The FortiGate unit scans SMTP and SMTPS email for spam in the order given below. SMTPS spam filtering is available on FortiGate units that support SSL content scanning and inspection.

1. IP address black/white list (BWL) check on last hop IP

2. DNSBL & ORDBL check on last hop IP, FortiGuard Antispam IP check on last hop IP, HELO DNS lookup

3. MIME headers check, E-mail address BWL check

4. Banned word check on email subject

5. IP address BWL check (for IPs extracted from “Received” headers)

6. Banned word check on email body

7. Return email DNS check, FortiGuard Antispam email checksum check, FortiGuard Antispam URL check, DNSBL & ORDBL check on public IP extracted from header.

 

Order of IMAP, POP3, IMAPS and POP3S spam filtering

The FortiGate unit scans IMAP, POP3, IMAPS and POP3S email for spam in the order given below. IMAPS and POP3S spam filtering is available on FortiGate units that support SSL content scanning and inspection.

1. MIME headers check, E-mail address BWL check

2. Banned word check on email subject

3. IP BWL check

4. Banned word check on email body

5. Return email DNS check, FortiGuard Antispam email checksum check, FortiGuard Antispam URL check, DNSBL & ORDBL check.

 

Spam actions

When spam is detected, the FortiGate unit will deal with it according to the Spam Action setting in the email filter profile. Note that POP3S, IMAPS and SMTPS spam filtering is available only on FortiGate units that support SSL content scanning and inspection. POP3, IMAP, POP3S and IMAPS mail can only be tagged. SMTP and SMTPS mail can be set to Discard or Tagged:

 

Discard

When the spam action is set to Discard, messages detected as spam are deleted. No notification is sent to the sender or recipient.

 

Pass

When the spam action is set to Pass, spam filtering is disabled for that protocol and messages are delivered unchanged.

 

Tag

When the spam action is set to Tagged, messages detected as spam are labelled and delivered normally. The text used for the label is set in the Tag Format field and the label is placed in the subject or the message header, as set with the Tag Location option.
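The filter ordering and spam action semantics from the sections above (first verdict wins, Mark as Clear exempts the message from the remaining filters, Mark as Reject drops the SMTP session, Discard is SMTP-only, Tag writes into the subject or a MIME header), as an added example that is not FortiOS code. The two constructed filters stand in for the IP black/white list and the subject banned word check; the MIME header name X-Spam-Tag, the handling of a Reject verdict on POP3/IMAP (tagged, since those protocols can only tag) and the sample messages are assumptions.

```python
import copy
import ipaddress
from dataclasses import dataclass, field
from email.message import EmailMessage
from typing import Callable, Dict, List, Optional, Tuple

SPAM, CLEAR, REJECT = "spam", "clear", "reject"
# A filter inspects the message and connection metadata and returns a verdict, or None for "no match".
Filter = Callable[[EmailMessage, Dict[str, str]], Optional[str]]

# Spam actions available per protocol, as listed on the page.
ALLOWED_ACTIONS = {"smtp": {"tag", "discard", "pass"}, "pop3": {"tag", "pass"}, "imap": {"tag", "pass"}}


def action_allowed(protocol: str, action: str) -> bool:
    return action in ALLOWED_ACTIONS.get(protocol, set())


@dataclass
class SpamProfile:
    protocol: str
    action: str = "tag"               # "tag", "discard" (SMTP only) or "pass"
    tag_location: str = "subject"     # "subject" or "mime"
    tag_format: str = "[Spam]"
    mime_header: str = "X-Spam-Tag"   # assumed header name; the page does not give the FortiGate one
    filters: List[Filter] = field(default_factory=list)

    def __post_init__(self):
        if not action_allowed(self.protocol, self.action):
            raise ValueError(f"{self.action!r} is not a valid spam action for {self.protocol}")


def run_filters(msg: EmailMessage, meta: Dict[str, str], filters: List[Filter]) -> Optional[str]:
    """Run the filters in profile order; the first one that returns a verdict decides.
    A Mark as Clear verdict therefore exempts the message from every filter after it."""
    for check in filters:
        verdict = check(msg, meta)
        if verdict is not None:
            return verdict
    return None


def tag_message(msg: EmailMessage, profile: SpamProfile) -> EmailMessage:
    tagged = copy.deepcopy(msg)
    if profile.tag_location == "subject":
        subject = tagged.get("Subject", "")
        del tagged["Subject"]
        tagged["Subject"] = f"{profile.tag_format} {subject}".strip()
    else:
        tagged[profile.mime_header] = profile.tag_format
    return tagged


def apply_profile(profile: SpamProfile, msg: EmailMessage,
                  meta: Dict[str, str]) -> Tuple[str, Optional[EmailMessage]]:
    """Returns (disposition, message): 'delivered', 'tagged', 'discarded' or 'rejected'."""
    if profile.action == "pass":
        return "delivered", msg                    # filtering disabled for this protocol
    verdict = run_filters(msg, meta, profile.filters)
    if verdict in (None, CLEAR):
        return "delivered", msg
    if verdict == REJECT and profile.protocol == "smtp":
        return "rejected", None                    # session dropped, replacement message sent
    if profile.action == "discard":
        return "discarded", None                   # SMTP only, enforced by the profile
    return "tagged", tag_message(msg, profile)     # POP3/IMAP can only reach this branch


# Constructed filters standing in for the IP black/white list and the subject banned word check.
def ip_bwl(network: str, action: str) -> Filter:
    net = ipaddress.ip_network(network)
    return lambda msg, meta: action if ipaddress.ip_address(meta["client_ip"]) in net else None


def subject_banned_word(word: str) -> Filter:
    return lambda msg, meta: SPAM if word.lower() in msg.get("Subject", "").lower() else None


def sample_message(subject: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.net", "user@example.com", subject
    msg.set_content("constructed body text")
    return msg


SMTP_PROFILE = SpamProfile("smtp", filters=[
    ip_bwl("192.0.2.0/24", CLEAR),          # trusted internal relay, checked first
    ip_bwl("198.51.100.0/24", REJECT),
    subject_banned_word("lottery"),
])

if __name__ == "__main__":
    for ip in ("192.0.2.9", "203.0.113.4", "198.51.100.3"):
        disposition, out = apply_profile(SMTP_PROFILE, sample_message("lottery winner"), {"client_ip": ip})
        print(ip, disposition, out["Subject"] if out else None)
```

The same "lottery winner" message is delivered untouched from the trusted relay, tagged from an unknown host and rejected from the listed network; the only thing that changes is which filter answers first, which is why the order on the page matters more than the individual settings.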

 

Email traffic types to inspect

The FortiGate unit examines IMAP, POP3, and SMTP email traffic. If your FortiGate unit supports SSL content scanning and inspection, it can also examine IMAPS, POP3S, and SMTPS traffic. The options that you will see in the profile window are IMAP, POP3 and SMTP.

 

Configuring Anti-Spam

FortiGuard email filtering techniques use FortiGuard services to detect the presence of spam among your email. A FortiGuard subscription is required to use the FortiGuard email filters. To enable email filtering, an email filter profile needs to be created and then the profile needs to be applied to a security policy.

 

To create a new filter:

  • Go to Security Profiles > Anti-Spam.
  • Either select the Create New icon (a plus symbol in a circle in the upper right hand corner), or select the List icon (a page symbol in the upper right hand corner) and in the new window select Create New.

To edit an existing filter:

  • Go to Security Profiles > Anti-Spam.
  • Either select the filter that you wish to edit from the dropdown menu in the upper right corner, or select the List icon (a page symbol in the upper right hand corner) and select the filter that you wish to edit from the list.

Once you are in the proper Edit Email Filter Profile window, you can enter a name in the Name field if it’s a new filter.

The Comments field is for a description or other information that will assist in understanding the function or purpose of this particular filter.

Using the radio buttons for the Inspection Mode field, select either Proxy or Flow-based.

Before any of the other features or options of the filter appear the checkbox next to Enable Spam Detection and Filtering must be checked.

 

Spam detection by protocol

This matrix includes three rows that represent the email protocols IMAP, POP3 and SMTP. There are also columns for:

Spam Action

 

For the client protocols, IMAP and POP3, the options are:

  • Tag – Inserts a tag into the email (in the subject line or a MIME header) so that recipients are warned that the message is likely spam.
  • Pass – Allows emails detected as spam to pass through unchanged. If this option is chosen, the Tag Location and Tag Format fields are greyed out.

For the transfer protocol, SMTP, the options are:

  • Tag – Inserts a tag into the email (in the subject line or a MIME header) so that recipients are warned that the message is likely spam.
  • Discard – Drops the email before it reaches its destination.
  • Pass – Allows emails detected as spam to pass through unchanged. If this option is chosen, the Tag Location and Tag Format fields are greyed out.

 

Tag Location

  • Subject – The contents of the Tag Format will be inserted into the subject line. The subject line is the most commonly used.
  • MIME – The contents of the Tag Format will be inserted as a MIME header.

 

Tag Format

The contents of this field will be entered into the tag location specified. The most common tag is something along the lines of [Spam] or **SPAM**

 

FortiGuard Spam Filtering

The options in this section require a FortiGuard subscription. The options available in this section, each selected by checkbox, are:

  • IP Address Check
  • URL Check
  • Detect Phishing URLs in Email
  • Email Checksum Check
  • Spam Submission

 

Local Spam Filtering

The options in this section can be managed on the local device without the need for a FortiGuard subscription.

The options available in this section, to be selected by checkbox are:

  • HELO DNS Lookup
  • Return Email DNS Check
  • Black White List – checking this option will produce a table that can be edited to create a number of BWL lists that can be separately configured and enabled.


This entry was posted in FortiOS, FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “Anti-Spam filter”

  1. Rossano

    Hi Mike

    I report spam to SpamCop, and after I created a filter to block spam on outgoing mail, these reports were blocked.
    The white list was not working.
    To solve that, I enabled “set local-override enable” in the CLI for SMTP on my email-out-filter.
    Now it is working as expected.

    Maybe you can improve your text to include this exception.
    https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-security-profiles-54/Anti_Spam/Order%20of%20spam%20filtering.htm

    Thank you for your content
