FortiMail
cborgato_FTNT
Article Id 190107

Description

 

This article explains how Behavior Analysis works in a FortiMail antispam profile, how to tune or reset it, and how to verify why the same email can be handled differently on two deliveries.
 
Scope
 
FortiMail all versions.


Solution

 
Behavior Analysis (BA) compares an uncertain email with the known spam samples held in the local BA database and, based on how similar they are, decides whether the uncertain email is spam.

Tune/Reset BA configuration

To stop Behavior Analysis from rejecting further messages while the cause is investigated, set the BA action in the antispam profile to tag or quarantine instead of reject.

It is also possible to tune the analysis-level of the behavior analysis:
 
config antispam behavior-analysis
    set analysis-level {high | medium (default) | low}
end

The high setting is the most aggressive (most likely to classify an uncertain email as spam) and the low setting is the least aggressive.

If needed, it is also possible to reset (empty) the BA database using the following CLI command:
 
diagnose debug application mailfilterd behavior-analysis update

Possible verification:
Behavior Analysis uses a variety of methods to identify spam that the FortiGuard antispam service does not catch directly. It detects mutating spam samples by applying heuristics and a fuzzy-matching algorithm that compare the uncertain message against spam detected by FortiGuard signatures on that particular FortiMail unit within the past 6 hours. The comparison set is therefore local to the unit and changes over time.

A gap of more than 6 hours between two deliveries, and/or different destination domains, can therefore explain why the heuristics and fuzzy matching treat what appears to be the same email differently.

Therefore, when the same email is rejected in one case and accepted in another, a possible verification is:
  • Compare the received times of the original email across all destination domains with the spam DB update logs, to see whether an update occurred between the two cases. On the web GUI go to 'Event log' and search for "Update" in 'message'.
  • Compare the original email with the same email as sent to the other destination domain, and note whether the destination domains differ.
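The verification above can be scripted. The following is an added example, not code from the article or from Fortinet: it parses constructed log lines (the `fortiguard_spam_hit`, `ba_verdict` and `update` event names, the timestamps and the addresses are all made up for illustration and do not reproduce the real FortiMail history or event log format) and, for two deliveries of the same message with different BA results, reports which of the three explanations from the article apply: the second delivery fell outside the 6-hour window of the local FortiGuard hit, a spam DB update happened between the two deliveries, or the destination domains differ.

```python
"""Explain divergent Behavior Analysis verdicts on two deliveries of one message.

Added example; not from the original article or Fortinet. Log format, event
names and message data are constructed for illustration only.
"""
from datetime import datetime, timedelta

# Per the article, BA compares against spam caught locally within the past 6 hours.
BA_WINDOW = timedelta(hours=6)

# Constructed sample log: "<date> <time> <event> key=value ...". Not a real FortiMail format.
SAMPLE_LOG = """\
2024-03-01 08:05:00 fortiguard_spam_hit subject=invoice-0423 from=billing@example.net to=a@corp.example
2024-03-01 09:10:00 ba_verdict subject=invoice-0423 from=billing@example.net to=b@corp.example result=reject
2024-03-01 12:00:00 update module=antispam-db status=success
2024-03-01 16:30:00 ba_verdict subject=invoice-0423 from=billing@example.net to=c@partner.example result=pass
"""


def parse_log(text):
    """Turn the constructed log lines into dicts with a datetime 'ts' and string fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[3:])
        events.append({"ts": ts, "event": parts[2], **fields})
    return sorted(events, key=lambda e: e["ts"])


def _in_window(verdict, hits):
    """True if some local FortiGuard hit for this message precedes the verdict by <= BA_WINDOW."""
    return any(timedelta(0) <= verdict["ts"] - h["ts"] <= BA_WINDOW for h in hits)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def explain_divergence(events, subject):
    """Return the list of reasons (tags) that can explain differing BA verdicts for `subject`.

    Returns [] when there are fewer than two verdicts or the verdicts agree.
    """
    hits = [e for e in events if e["event"] == "fortiguard_spam_hit" and e.get("subject") == subject]
    verdicts = [e for e in events if e["event"] == "ba_verdict" and e.get("subject") == subject]
    updates = [e for e in events if e["event"] == "update"]
    if len(verdicts) < 2:
        return []
    first, last = verdicts[0], verdicts[-1]
    if first.get("result") == last.get("result"):
        return []

    reasons = []
    # 1. The later delivery no longer had a recent (<= 6 h) local FortiGuard hit to match against.
    if _in_window(first, hits) != _in_window(last, hits):
        reasons.append("outside-6h-window")
    # 2. A spam DB update landed between the two deliveries (what the 'Update' event log search looks for).
    if any(first["ts"] < u["ts"] < last["ts"] for u in updates):
        reasons.append("spamdb-update-between")
    # 3. The two copies went to different destination domains.
    if _domain(first.get("to", "")) != _domain(last.get("to", "")):
        reasons.append("different-destination-domain")
    return reasons


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(explain_divergence(evs, "invoice-0423"))
```

On the constructed sample the first delivery is 1 h 05 min after the local FortiGuard hit (inside the window) while the second is 8 h 25 min after it (outside), an update is logged in between, and the recipients are in different domains, so all three tags are returned. Against real logs, substitute the parser and field names for the actual FortiMail history and event log columns.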