cborgato_FTNT
Article Id 190107
Description
This article gives more information on how Behavior Analysis works in a FortiMail antispam profile.

Solution
Behavior Analysis (BA) evaluates the similarities between the uncertain email and the known spam email in the BA database and determines if the uncertain email is spam.

Tune/Reset BA configuration

To prevent further rejections caused by Behavior Analysis, it is possible to set the action in the antispam profile to tag or quarantine.

It is also possible to tune the analysis-level of the behavior analysis:
#config antispam behavior-analysis
#set analysis-level {high | medium (default) | low}
#end

The high setting is the most aggressive and the low setting is the least aggressive.

If needed, it is also possible to reset (empty) the BA database using the following CLI command:
#diagnose debug application mailfilterd behavior-analysis update

Possible verification

Behavior Analysis uses a variety of methods to identify spam not caught directly by the FortiGuard service. It can detect changing spam samples by applying elements of heuristics and a fuzzy matching algorithm that compares against spam recently detected (within the past 6 hours) by FortiGuard signatures on the device in question, that is, locally.

A time difference of more than 6 hours and/or different destination domains can explain why the heuristics and the fuzzy matching algorithm can treat what appears to be the same email differently.

Therefore, when the same email is rejected in one case and not in another, one possible verification is the following:
  • Compare the times at which the email was received for all domains (original email) with the update logs for the spam DB, to see whether an update took place between the 2 cases. In the web GUI, go to 'Event log' and search for "Update" in 'message'.
  • Compare the original email with the same email as sent to the destination domain and check for differences.
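The first check can be scripted once the two delivery times and the event log rows have been exported. The following is an added example, not Fortinet code: the `timestamp|message` export format, the sample rows, the addresses and the function names are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# From the article: BA compares against spam detected locally in the past 6 hours.
BA_WINDOW = timedelta(hours=6)
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample rows (not real FortiMail output); "timestamp|message" is an assumed export format.
EVENT_LOG = """\
2024-03-01 02:10:00|Update spam DB completed
2024-03-01 08:45:12|Admin login from console
2024-03-01 11:30:00|Update spam DB completed
"""

def parse_updates(text):
    """Return sorted timestamps of event-log rows whose message contains 'Update'."""
    times = []
    for line in text.splitlines():
        stamp, sep, message = line.partition("|")
        if sep and "update" in message.lower():
            times.append(datetime.strptime(stamp.strip(), FMT))
    return sorted(times)

def compare_deliveries(first, second, event_log):
    """first/second: dicts with 'time' and 'rcpt' for the two deliveries of the same email."""
    t1, t2 = sorted(datetime.strptime(d["time"], FMT) for d in (first, second))
    domains = {d["rcpt"].rsplit("@", 1)[-1].lower() for d in (first, second)}
    return {
        "gap": t2 - t1,
        # More than 6 hours apart: the local BA comparison set may have changed.
        "outside_ba_window": (t2 - t1) > BA_WINDOW,
        "different_domains": len(domains) > 1,
        # Updates logged between the two deliveries.
        "updates_between": [u for u in parse_updates(event_log) if t1 <= u <= t2],
    }

if __name__ == "__main__":
    rejected = {"time": "2024-03-01 04:00:00", "rcpt": "user@example.com"}
    accepted = {"time": "2024-03-01 12:15:00", "rcpt": "user@example.org"}
    for key, value in compare_deliveries(rejected, accepted, EVENT_LOG).items():
        print(f"{key}: {value}")
```

Any flag that comes back true, or a non-empty `updates_between`, is a candidate explanation for the differing verdicts and should be checked before changing the analysis level.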
