December 1, 2004

Technical Tip: 'HELO DNS lookup' SPAM functionality

Description: This article describes the functionality of the HELO DNS Lookup, which is used in FortiGate devices to help identify and filter spam emails.

Scope: FortiGate.

Solution:

HELO DNS Lookup is a feature of FortiGate devices that helps identify and filter spam emails.

Here is a detailed description of how it works:

  • SMTP Session Initiation: When a client opens an SMTP session with a server, it sends a HELO or EHLO command. This command includes the client's domain name or sometimes an IP address or PC hostname.
  • DNS Lookup: The FortiGate performs a DNS lookup for the 'A' record of the domain name given in the HELO/EHLO command, to verify that the domain exists.
  • Spam Identification: If the DNS lookup fails (i.e., the domain does not resolve to an IP address), the FortiGate treats the email as spam.
  • Supported Traffic: The HELO DNS lookup is specifically available for SMTP traffic and is not supported in flow-based inspection mode.


Configuration and usage:

  • Email Filter Profile: To use HELO DNS Lookup, it must be enabled in an email filter profile. This is done by configuring the profile to perform a DNS lookup on the client domain name specified in the SMTP HELO command.
  • Inspection Mode: The HELO DNS lookup is only available in proxy-based inspection mode, not in flow-based mode.


Limitations:

  • Verification: The FortiGate does not verify that the resolved IP address matches the IP address of the connecting client; it only checks whether the domain resolves.
  • Potential False Positives: Mail servers that are poorly configured and lack proper DNS records for their HELO name may be incorrectly marked as spam even when the mail is legitimate.
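The following is an added example, not Fortinet code, that reproduces the check described above against a constructed, in-memory A-record table so it runs offline. The `strict` flag adds the verification the article says the FortiGate does not perform (resolved address must equal the connecting IP), which makes the false-negative gap of the default behaviour visible; how a FortiGate treats an address literal in the HELO argument is not stated in the article, so that branch is an assumption of the demo.

```python
import ipaddress
import re

# Constructed A-record table standing in for live DNS so the demo runs offline.
# Assumption: names and addresses are made up (RFC 5737 documentation ranges).
FAKE_A_RECORDS = {
    "mail.example.com": ["192.0.2.10"],
    "relay.example.net": ["198.51.100.5", "198.51.100.6"],
}

HELO_RE = re.compile(r"^(HELO|EHLO)\s+(\S+)\s*$", re.IGNORECASE)

def resolve_a(name, table=FAKE_A_RECORDS):
    """Return the A records for a name, or [] when the lookup fails (no such domain)."""
    return table.get(name.lower().rstrip("."), [])

def parse_helo(line):
    """Return the HELO/EHLO argument, or None if the line is some other SMTP command."""
    m = HELO_RE.match(line.strip())
    return m.group(2) if m else None

def helo_dns_check(line, client_ip, strict=False, resolver=resolve_a):
    """Classify one SMTP greeting line and return (verdict, reason).

    strict=False reproduces the article's check: spam only if the HELO name has
    no A record.  strict=True also requires a resolved address to equal the
    connecting IP, the verification the article says the FortiGate does not do.
    """
    arg = parse_helo(line)
    if arg is None:
        return ("skip", "not a HELO/EHLO command")
    # Address literal such as "[192.0.2.10]": nothing to resolve.  Assumption of
    # this demo only: accept a well-formed literal unless strict mode finds that
    # it differs from the connecting IP.
    if arg.startswith("[") and arg.endswith("]"):
        try:
            literal = str(ipaddress.ip_address(arg[1:-1]))
        except ValueError:
            return ("spam", "malformed address literal")
        if strict and literal != client_ip:
            return ("spam", "address literal does not match connecting IP")
        return ("ok", "address literal")
    records = resolver(arg)
    if not records:
        return ("spam", "HELO domain has no A record")
    if strict and client_ip not in records:
        return ("spam", "HELO domain resolves, but not to the connecting IP")
    return ("ok", "HELO domain resolves")
```

Note that with `strict=False` a sender that greets with someone else's real domain passes, which is exactly the limitation listed above.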


Additional features:

  • Return Email DNS Check: Similar to HELO DNS Lookup, this feature performs a DNS lookup on the email's return address field. If no record exists, the email is treated as spam.
  • Block/Allow Lists: FortiGate allows configuration of block/allow lists based on IP addresses or email patterns to further refine spam filtering.