beautypg.com

Order of spam filter operations, Fortishield – Fortinet 100A User Manual

Page 325

background image

Spam filter

FortiGate-100A Administration Guide

01-28007-0068-20041203

325

Order of spam filter operations

Generally, incoming email is passed through the spam filters in the order the filters
appear in the spam filtering options list in a firewall protection profile (and in

Table 29

):

FortiShield, IP address, RBL & ORDBL, HELO DNS lookup, email address, return
email DNS check, MIME header, and banned word (content block). Each filter passes
the email to the next if no matches or problems are found. If the action in the filter is
Mark as Spam, the FortiGate unit will tag or discard (SMTP only) the email according
to the settings in the protection profile. If the action in the filter is Mark as Clear, the
email is exempt from any remaining filters. If the action in the filter is Mark as Reject,
the email session is dropped. Rejected SMTP email messages are substituted with a
configurable replacement message. See

“Replacement messages” on page 106

.

The order of spam filter operations may vary between SMTP and IMAP or POP3 traffic
because some filters only apply to SMTP traffic (IP address and HELO DNS lookup).
Also, filters that require a query to a server and a reply (FortiShield and RBL/ORDBL)
are run simultaneously. To avoid delays, queries are sent while other filters are
running. The first reply to trigger a spam action will take effect as soon as the reply is
received.

This chapter describes:

FortiShield

IP address

RBL & ORDBL

Email address

MIME headers

Banned word

Using Perl regular expressions

FortiShield

FortiShield is an antispam system from Fortinet that uses an IP address black list and
spam filtering tools. FortiShield compiles the IP address list from email captured by
spam probes located around the world. Spam probes are email addresses purposely
configured to attract spam and identify known spam sources to create the antispam IP
address list. FortiShield combines IP address checks with other spam filter techniques
in a two-pass process.

On the first pass, FortiShield checks the SMTP mail server source address against the
antispam IP address list. If the source address matches the list of known spammers,
FortiShield terminates the session. If FortiShield does not find a match, the mail server
sends the email to the recipient.

As each email is received, FortiShield performs the second antispam pass by
checking the header, subject, and body of the email for common spam content. If
FortiShield finds spam content, the email is tagged or dropped according to the
configuration in the firewall protection profile.