FortiMail provides advanced, multi-layer protection against the full spectrum of email-borne threats.

It is possible to send samples of unsolicited bulk email messages (spam) to Fortinet FortiGuard service for analysis, using an email address alias .

However, some FortiMail customers (typically those with a larger user base) have an internal email alias that receives spam samples from internal users. In such cases, this alias is also responsible for aggregating the samples and submitting them to FortiGuard for further analysis.

As a direct result of this operational flow, automated analysis of the forwarded spam sample often cannot be completed: the original spam message is encapsulated as an attachment in another email message, and that message is in turn included as an attachment of the final message sent to FortiGuard.

To highlight the example scenario:

1. Enterprise customer: Company with a domain name has an internal spam-report email alias, which is used company-wide by internal users to report spam. The original spam message is sent as an Outlook attachment/item to this alias.

2. will then take that message (including the attachment) from its Inbox, attach the whole message again as an Outlook attachment/item to a new message, and send it to FortiGuard at .


FortiMail 4.0 MR3
FortiMail 5.0.x (MR0)


Submitting spam samples directly to FortiGuard team is a process defined at the following link: 

For Microsoft Outlook:

Method 1:
  1. Open Microsoft Outlook
  2. Create a new email to
  3. Drag the message(s) you want to submit from the "message listing" pane into the body of the new message window you just created.
  4. Send the message.

Method 2:

Set Outlook to forward email as original attachment by:
  1. In Outlook menu, click "Tools" -> "Options"
  2. In "Preference" tab, click "Email Options..." button in "Email" section
  3. In the drop-down section "When forwarding a message," choose "Attach original message text"
  4. Click "OK"
From now on, you can simply click "Forward" button in Outlook and put to "To:" address to submit a spam.


However, in the scenario above (step 1, followed by step 2), FortiGuard systems do have issues parsing the nested submissions properly, since the original spam message is nested within two email messages at the time of receipt by FortiGuard.

By default, the FortiGuard Spam Collection Engine assumes that the RFC 822 MIME parts at the first level contain the original spam email message, so nested (double-attached) spam samples, as in the example above, cannot be parsed properly. If the scenario above reflects your spam management process, please contact your Fortinet TAC/TAM representative. Fortinet will need to make accommodations to properly parse your spam submissions.

In other words, if your spam submission process looks like this:

Spam admin @                   - - >  Submits spam sample to Fortinet
         with email from                              - - >  Internal end Users
         with Spam sample (s)                     - - >  Attached

In these cases, Fortinet will need to make special accommodations to properly parse the spam submissions. If there is a central spam collection alias for your company, responsible for aggregating and submitting spam samples from your internal customers and/or end users, please let your TAC and/or TAM representative know about your operational model so that we can properly parse your spam submissions.
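
The first-level assumption described above can be reproduced with Python's standard `email` package, which also lets a spam-collection alias check nesting depth before it forwards. This is an added example, not Fortinet's code or the engine's actual logic; every address (`corp.example`, `vendor.example`) and function name is a constructed placeholder.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

def wrap(inner, sender, rcpt, subject):
    """Forward `inner` as a message/rfc822 attachment of a new message."""
    outer = EmailMessage()
    outer["From"], outer["To"], outer["Subject"] = sender, rcpt, subject
    outer.set_content("See attached message.")
    outer.add_attachment(inner)
    return outer

def attached_messages(msg):
    """Messages attached directly to msg: what a first-level-only reader sees."""
    found = []
    for part in msg.iter_parts():
        if part.get_content_type() == "message/rfc822":
            found.append(part.get_payload(0))
        elif part.get_content_maintype() == "multipart":
            found.extend(attached_messages(part))
    return found

def originals(msg, depth=0):
    """(depth, message) for each attached message that wraps nothing further."""
    children = attached_messages(msg)
    if not children:
        return [(depth, msg)] if depth else []
    return [leaf for c in children for leaf in originals(c, depth + 1)]

def flatten(submission, sender, rcpt):
    """Rebuild a submission so every original sits at the first level."""
    out = EmailMessage()
    out["From"], out["To"], out["Subject"] = sender, rcpt, "Spam samples"
    out.set_content("Original messages attached.")
    for _, leaf in originals(submission):
        out.add_attachment(leaf)
    return out

def build_double_attached():
    """Constructed sample: spam -> user report -> alias submission, as bytes."""
    spam = EmailMessage()
    spam["From"], spam["To"] = "promo@spam.example", "user@corp.example"
    spam["Subject"] = "Cheap watches"
    spam.set_content("Buy now")
    report = wrap(spam, "user@corp.example", "spam-report@corp.example", "FW: spam")
    return bytes(wrap(report, "spam-report@corp.example", "submit@vendor.example", "Spam"))

if __name__ == "__main__":
    sub = message_from_bytes(build_double_attached(), policy=policy.default)
    print([m["Subject"] for m in attached_messages(sub)])
    print([(d, m["Subject"]) for d, m in originals(sub)])
```

A depth of 2 from `originals` marks a double-attached sample: the first level holds the internal user's report, not the spam itself.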

Internal Notes
#======= COMMENTS FROM  AUTHOR =======

This KB was initially pushed back from the reviewer because the reviewer felt that what I was requesting required an NFR from the customer. Nothing could be further from the truth. It is our responsibility to parse spam submissions from customers. Unfortunately, certain customer Operational models present technical difficulties for us in doing just that.

This whole situation was discovered while working with Dept. of State, who had complained about the efficacy of our Spam solution.  After conversations with Development, it turns out in fact, we do have problems parsing certain submissions. 

The situation was like this:

Dept. of State - > Ambassadors
Dept. of State - > Consulate
Dept. of State - > AntiSpam Managers

If the Internal end-users could submit spam samples directly to us, there would not be a problem. However, in Dept. of State's case, the spam submissions were as follows:

Dept. of State - > AntiSpam Managers  send us an email, containing
                       - >  Ambassadors email, containing
                       - >  Spam attachment.

In this manner, we have a problem parsing the received material due to RFC 822 and the fact that the Spam itself is nested 2 levels deep. In conversations with Development,  they said we could accommodate this manner of submission for customers, but only upon getting notice from Fortinet engineers.

This is a directive directly from our Spam team. (Jun Lu, or

To confirm, If you are sure the customer will always send double-attached emails to submitspam@, please send the "sender's email address" to, my team will take action to change the config and then always parse the double-attached emails from that sender.

We will not accept the customers' request directly, please send the request by Fortinet engineer.


Also applicable for:
FortiMail 5.0.x (MR0)
(KNOVA product category not yet created at the time of writing)