FortiGate
vpalli
Staff & Editor
Article Id 214136
Description This article demonstrates the use of a regular expression on FortiGate to mark email sourced from a specific domain as spam with the email filter block-allow-list.
Scope FortiGate.
Solution

The block-allow-list in the email filter can mark a domain as spam, and it can also clear a domain and pass its mail without tagging it as spam. A sample configuration is shown here:

CLI:


config emailfilter block-allow-list
    edit 1
        set name "email_filter"
        config entries
            edit 1
                set type email-from
                set pattern ".*@trusteddomain\\.com$"
            next
        end
    next
end


  • '.*' matches any characters before the '@'.
  • '@spamdomain.com' is the '@' followed by the specific domain you want to match (the sample above uses trusteddomain.com).
  • '\.' is the escaped dot (the dot is a special character in regex, so it must be escaped to match a literal dot; inside the double-quoted CLI value it is typed as '\\.').
  • '$' ensures that the domain is at the end of the email address.
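As an added example that is not part of the article or of Fortinet's code, the following Python script checks which sender addresses the sample email-from pattern would hit, and contrasts it with two weakened variants to show what the escaped dot and the '$' anchor buy. It assumes Python's re module behaves like the FortiOS Perl-style engine for these tokens and that the pattern is searched within the sender address; the sender addresses are constructed for the test.

```python
import re

# Pattern exactly as typed in the FortiGate CLI between double quotes; "\\."
# is the CLI escape that stores the regex token "\." (a literal dot).
CLI_PATTERN = r".*@trusteddomain\\.com$"

# The stored pattern plus two deliberately weakened variants (constructed here
# to show what each regex element contributes; not from the article).
VARIANTS = {
    "correct":       r".*@trusteddomain\.com$",
    "unescaped_dot": r".*@trusteddomain.com$",   # '.' now matches any character
    "unanchored":    r".*@trusteddomain\.com",    # no '$': domain may continue
}

# Constructed sender addresses used as test input (not from the article).
SAMPLE_SENDERS = [
    "alice@trusteddomain.com",         # exact domain
    "carol@trusteddomainXcom",         # only an unescaped dot accepts this
    "dave@trusteddomain.com.example",  # only a missing '$' accepts this
    "eve@sub.trusteddomain.com",       # '.*' sits before '@', so not covered
    "frank@other.com",
]


def cli_to_regex(cli_value: str) -> str:
    """Undo the FortiOS double-quote escaping ('\\\\' -> '\\') to recover the
    regex the unit actually stores, so it can be tested before deployment."""
    return cli_value.replace("\\\\", "\\")


def matching_senders(pattern: str, senders=SAMPLE_SENDERS) -> list:
    """Return the senders an email-from entry with this pattern would match.
    Assumption: Python's re.search mirrors the FortiOS Perl-style engine for
    '.', '\\.', '.*' and '$'."""
    return [s for s in senders if re.search(pattern, s)]


if __name__ == "__main__":
    stored = cli_to_regex(CLI_PATTERN)
    print(f"stored pattern: {stored}")
    for name, pattern in VARIANTS.items():
        print(f"{name:14s} -> {matching_senders(pattern)}")
```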


config emailfilter profile
    edit email_filter
        config smtp
            set log-all enable
            set action discard
            set tag-type subject spaminfo
            set tag-msg "Spam"
            set hdrip disable
            set local-override enable
        end
    next
end


Note: The 'discard' action is only available for SMTP, not for the other protocols.


Apply this antispam profile to a PROXY-BASED firewall policy. As of v7.2.0, the new filter types {ip | email-to | email-from | subject} are not supported in flow inspection mode.


  • Email-To: mail sent to a recipient matching this entry will be blocked.
  • Email-From: mail from a sender matching this entry will be blocked.
  • Subject: mail whose subject field matches this entry will be blocked.

Administrators planning a FortiOS downgrade should be aware that the 'email-to', 'email-from', and 'subject' entries and fields can be lost from the configuration.

Once configured, log ID 0513020480 will appear in the email filter logs, under the UTM log and reports section.

For more information about the block-allow-list feature on FortiGate, refer to:
Add email filters for block allow lists

To learn more about wildcards and regular expressions, refer to:
Wildcards and Perl regular expressions