Spam filter
FortiGate-100A Administration Guide
01-28007-0068-20041203
325
Order of spam filter operations
Generally, incoming email is passed through the spam filters in the order the filters
appear in the spam filtering options list in a firewall protection profile (and in
Table 29
):
FortiShield, IP address, RBL & ORDBL, HELO DNS lookup, email address, return
email DNS check, MIME header, and banned word (content block). Each filter passes
the email to the next if no matches or problems are found. If the action in the filter is
Mark as Spam, the FortiGate unit will tag or discard (SMTP only) the email according
to the settings in the protection profile. If the action in the filter is Mark as Clear, the
email is exempt from any remaining filters. If the action in the filter is Mark as Reject,
the email session is dropped. Rejected SMTP email messages are substituted with a
configurable replacement message. See
“Replacement messages” on page 106
.
The order of spam filter operations may vary between SMTP and IMAP or POP3 traffic
because some filters only apply to SMTP traffic (IP address and HELO DNS lookup).
Also, filters that require a query to a server and a reply (FortiShield and RBL/ORDBL)
are run simultaneously. To avoid delays, queries are sent while other filters are
running. The first reply to trigger a spam action will take effect as soon as the reply is
received.
This chapter describes:
•
FortiShield
•
IP address
•
RBL & ORDBL
•
Email address
•
MIME headers
•
Banned word
•
Using Perl regular expressions
FortiShield
FortiShield is an antispam system from Fortinet that uses an IP address black list and
spam filtering tools. FortiShield compiles the IP address list from email captured by
spam probes located around the world. Spam probes are email addresses purposely
configured to attract spam and identify known spam sources to create the antispam IP
address list. FortiShield combines IP address checks with other spam filter techniques
in a two-pass process.
On the first pass, FortiShield checks the SMTP mail server source address against the
antispam IP address list. If the source address matches the list of known spammers,
FortiShield terminates the session. If FortiShield does not find a match, the mail server
sends the email to the recipient.
As each email is received, FortiShield performs the second antispam pass by
checking the header, subject, and body of the email for common spam content. If
FortiShield finds spam content, the email is tagged or dropped according to the
configuration in the firewall protection profile.
Summary of Contents for FortiGate 100A
Page 12: ...Contents 12 01 28007 0068 20041203 Fortinet Inc ...
Page 24: ...24 01 28007 0068 20041203 Fortinet Inc FortiLog documentation Introduction ...
Page 72: ...72 01 28007 0068 20041203 Fortinet Inc Transparent mode VLAN settings System network ...
Page 80: ...80 01 28007 0068 20041203 Fortinet Inc DHCP IP MAC binding settings System DHCP ...
Page 114: ...114 01 28007 0068 20041203 Fortinet Inc Access profile options System administration ...
Page 232: ...232 01 28007 0068 20041203 Fortinet Inc Profile CLI configuration Firewall ...
Page 244: ...244 01 28007 0068 20041203 Fortinet Inc peergrp Users and authentication ...
Page 276: ...276 01 28007 0068 20041203 Fortinet Inc ipsec vip VPN ...
Page 338: ...338 01 28007 0068 20041203 Fortinet Inc Configuring the banned word list Spam filter ...
Page 356: ...356 01 28007 0068 20041203 Fortinet Inc syslogd setting Log Report ...
Page 374: ...374 01 28007 0068 20041203 Fortinet Inc Index ...