FortiGate
Kenichi_Terashita_FT
Article Id 198134

Description

This article provides some background on AS Engine Scanning and the Antispam Rule Set.


Scope

FortiOS 4.0 and above


Solution

The AS Engine feature was released in FortiOS 4.0. A new AntiSpam Rule Set was also introduced in v4.0; this rule set contains a heuristic antispam check that is applied to suspicious email as it passes through the firewall.

The AS Rule Set includes a predefined algorithm to scan the email including IP addresses and URLs contained in the message. If the email score is greater than the configured threshold then the email will be blocked. The default value is 80.

Note that if two items are matched by the FDN DB, the score is increased to 100 (100x2=200, but the maximum is 100). If the threshold is 100, the email will be processed by the spam action.

In order to disable the AS Engine feature, increase the threshold to 100(%) as follows:

# config system fortiguard
(fortiguard) # set antispam-score-threshold 100
(fortiguard) # end
 
This configuration is a global setting and it cannot be set differently in each protection profile.

(Note: This parameter was removed in FortiOS 5.0.3.)

The database of blacklisted IP addresses is not stored on the FortiGate. Instead, the FortiGate performs a real-time query for blacklisted IP addresses. The following command can be used to check the server list used by the FortiGate for the real-time query:

# diagnose spamfilter fortishield servers

The FortiGuard Antispam database can be checked to determine whether an IP address is blacklisted in the IP reputation database, or whether an email address or URL is listed in the signature database. The link to the FortiGuard Antispam database is http://www.fortiguardcenter.com/antispam/antispam.html

There are a number of ways to verify the result of AS Engine scanning:

1) Enable debug as follows:

# diagnose debug application spamfilter 255
# diagnose debug enable
 
2) In the mail header of a scanned email, the result can be seen in the X-ASE-REPORT field.

3) In the spamfilter log. If the AS Engine detects an email as spam, it logs an "email is reported as spam by ASE" message. In addition, the tracker ID identifies the reason for the detection.
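
The header and log checks from steps 2 and 3 can be scripted when triaging exported mail and logs. The following is an added example, not part of the original article or any Fortinet code. Only the header name X-ASE-REPORT and the log message text come from the article; the sample message, the header value and the log field names are constructed placeholders.

```python
import email
import re
from email import policy

ASE_LOG_MSG = "email is reported as spam by ASE"  # message text quoted in the article

# Constructed sample message. The X-ASE-REPORT value is a placeholder, not real
# ASE output; it is folded across two lines and lower-cased to exercise parsing.
SAMPLE_EML = (
    "From: sender@example.net\r\n"
    "To: user@example.com\r\n"
    "Subject: constructed sample\r\n"
    "x-ase-report: PLACEHOLDER-PART-1\r\n"
    "\tPLACEHOLDER-PART-2\r\n"
    "\r\n"
    "body\r\n"
)

# Constructed log lines in key=value form; the field names are assumptions.
SAMPLE_LOG = [
    'date=2024-01-01 time=10:00:01 from="sender@example.net" '
    'msg="email is reported as spam by ASE"',
    'date=2024-01-01 time=10:00:05 from="ok@example.org" msg="placeholder entry"',
]

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def ase_reports(raw_message):
    """Return every X-ASE-REPORT value, unfolded, without interpreting its content."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    # Lookup is case-insensitive; get_all also covers repeated headers.
    values = msg.get_all("X-ASE-REPORT") or []
    return [" ".join(str(v).split()) for v in values]


def ase_log_hits(lines):
    """Return the key=value fields of each log line carrying the ASE spam message."""
    hits = []
    for line in lines:
        if ASE_LOG_MSG not in line:
            continue
        # Keep every field so whatever field carries the tracker ID is preserved.
        hits.append({k: v.strip('"') for k, v in KV_RE.findall(line)})
    return hits


if __name__ == "__main__":
    print(ase_reports(SAMPLE_EML))
    print(ase_log_hits(SAMPLE_LOG))
```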

Note: The attached article "KB_FGT_ASEscan_Japanese.pdf" is available in Japanese only.
 

 
