Skip to main content
vpalli
Staff & Editor
vpalli
Staff & Editor
June 9, 2022

Technical Tip: Mark as Spam and discard SPAM Email of a specific domain using AntiSpam profile and Regular Expression on FortiGate

  • June 9, 2022
  • 0 replies
  • 5921 views
Description This article demonstrates the use of regular expression on FortiGate to mark an email sourced from a specific domain as spam with email filter block-allow-list.
Scope FortiGate.
Solution

The block-allow-list in the email filter can mark a domain as spam and also can clear and pass the domain without tagging as spam. The configuration sample is showed here:

CLI:

 

config emailfilter block-allow-list
      edit 1
          set name "email_filter"
          config entries
              edit 1
                  set type email-from
                  set pattern ".*@trusteddomain\\.com$"
              next
          end
     next
end

 

  • .* " matches any characters before the @.
  • " @" spamdomain.com is the specific domain you want to match.
  • " \. "  is the escaped dot (since the dot is a special character in regex).
  • " $ " ensures that the domain is at the end of the email address.


config emailfilter profile

      edit email_filter

           config smtp
                  set log-all enable
                  set action discard
                  set tag-type subject spaminfo
                  set tag-msg "Spam"
                  set hdrip disable
                  set local-override enable
               end
          next
end

 

Note: The action discard is only available for the SMTP and not for other protocols.

 

Apply this antispam profile to a PROXY-BASED Firewall policy. As of v7.2.0, new filter types {ip | email-to | email-from | subject} are currently not supported in flow inspection mode. 

 

  • Email-To: The recipient will be blocked once the mail is sent to this item.
  • Email-From: The Sender of this item will be blocked.
  • Subject: Once the subject field matches the email content will be blocked.

Administrators should be careful about FortiOS downgrading plan can make the 'email-to', 'email-from', and 'subject' entries and fields can be lost from the configuration. 

Once configured the log ID 0513020480 will appear in email filter logs, under the UTM log and reports section.

For more information about the block-allow-list feature on FortiGate, refer to:
Add email filters for block allow lists

To learn more about wildcards and regular expressions, refer to:
Wildcards and Perl regular expressions
    Terms & ConditionsAccessibility statement