Created on
11-03-2016
01:34 PM
Edited on
11-25-2024
12:08 AM
By
Jean-Philippe_P
Description
This article describes how 'heuristic scan' works in FortiMail devices.
Scope
FortiMail.
Solution
Heuristic scanning is a method for identifying email that contains viruses and spam.
FortiGate and FortiMail use heuristic scanning.
Heuristic filtering in FortiMail uses a scoring technique based on predetermined terms and words.
The rules are broken down into five categories: header, body, raw body, URI, and metadata.
Each rule has an individual score used to calculate the total score for an email.
To determine if an email is spam, the heuristic filter looks at an email message and adds the score for each rule that applies to get a total score for that email.
If the total is greater than or equal to the upper threshold, the mail is classified as spam and processed accordingly.
The FortiGuard service maintains a set of heuristic rules based on known spam content.
These heuristic rules are written as Perl-Compatible Regular Expressions (PCRE), a powerful form of regular expression matching, to locate spam-identified attributes within each message.
These rules are continuously updated as new spam threats emerge.
As each rule is evaluated against the message, a score is generated reflecting how many rule criteria were found in the message.
When the rule process is complete, the score is added to the message total score.
If the total score meets or exceeds the set threshold, the message is determined to be spam.
When heuristic scanning is enabled in an antispam profile, two settings are provided to fine-tune the behavior.
The first setting is the score threshold: the total score an email must reach to be classified as spam.
The default value is appropriate for most environments, but it can be raised to reduce false positives or lowered as necessary.
The second setting, the percentage of rules used, specifies how much of the rule list is applied to each message.
The rule ordering is maintained by FortiGuard so the rules that detect the most prevalent spam are at the top of the list, and rules for older, more obscure spam are lower.
This rule ordering changes over time as the FortiGuard service responds to the ever-changing spam landscape.
Heuristic rule processing is a fairly resource-intensive process.
The percentage-of-rules setting can be used to strike a balance between performance and thoroughness: a lower percentage applies only the rules near the top of the list, which catch the most prevalent spam at lower cost.
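The scoring model described above (PCRE-style rules in five categories, per-rule scores summed and compared with a threshold, and a percentage-of-rules setting applied to a prevalence-ordered list) is illustrated by the following example. It is added here for explanation and is not FortiMail or FortiGuard code: the rule names, patterns, scores, the threshold of 5.0 and the two sample messages are all constructed for the example, and Python's re module stands in for PCRE.

```python
import math
import re
from dataclasses import dataclass
from email import message_from_string


@dataclass(frozen=True)
class HeuristicRule:
    name: str
    category: str   # header | body | rawbody | uri | meta
    pattern: str    # PCRE-style regular expression (Python's re dialect is close enough here)
    score: float


# Constructed rule set for illustration: names, patterns and scores are invented,
# not FortiGuard's. The list is in prevalence order, most common spam indicators first.
RULES = [
    HeuristicRule("SUBJ_ALL_CAPS", "header", r"^Subject:\s*[A-Z0-9 !$%]{12,}$", 1.5),
    HeuristicRule("BODY_MONEY_NOW", "body", r"(?i)\b(?:claim|collect)\s+your\s+(?:prize|winnings)\b", 2.0),
    HeuristicRule("URI_IP_HOST", "uri", r"https?://\d{1,3}(?:\.\d{1,3}){3}\b", 2.5),
    HeuristicRule("RAW_HIDDEN_TEXT", "rawbody", r"font-size\s*:\s*0(?:px|pt)?", 1.0),
    HeuristicRule("META_NO_MSGID", "meta", r"^no_message_id$", 1.0),
    HeuristicRule("BODY_OBSCURE_PHRASE", "body", r"(?i)\bnigerian\s+prince\b", 3.0),
]


def extract_categories(raw_email: str) -> dict:
    """Split a raw message into the five texts the rule categories are matched against."""
    msg = message_from_string(raw_email)
    header_text, _, raw_body = raw_email.partition("\n\n")
    body_text = re.sub(r"<[^>]+>", " ", raw_body)        # crude tag strip for the 'body' view
    body_text = re.sub(r"\s+", " ", body_text).strip()
    uris = re.findall(r"https?://[^\s\"'<>]+", raw_body)  # 'uri' view: every URL in the raw body
    meta_flags = []                                        # 'meta' view: derived facts about the message
    if msg.get("Message-ID") is None:
        meta_flags.append("no_message_id")
    return {
        "header": header_text,
        "body": body_text,
        "rawbody": raw_body,
        "uri": "\n".join(uris),
        "meta": "\n".join(meta_flags),
    }


def select_rules(rules, percent_of_rules: int):
    """Apply only the top N% of the prevalence-ordered list (the second antispam setting)."""
    count = max(1, math.ceil(len(rules) * percent_of_rules / 100))
    return rules[:count]


def score_email(raw_email: str, rules=RULES, percent_of_rules: int = 100):
    """Evaluate each selected rule against its category text and sum the scores of the rules that hit."""
    views = extract_categories(raw_email)
    total = 0.0
    matched = []
    for rule in select_rules(rules, percent_of_rules):
        if re.search(rule.pattern, views[rule.category], re.MULTILINE):
            total += rule.score
            matched.append(rule.name)
    return total, matched


def classify(raw_email: str, threshold: float = 5.0, percent_of_rules: int = 100):
    """Return (is_spam, total_score, matched_rule_names); the 5.0 threshold is a constructed default."""
    total, matched = score_email(raw_email, percent_of_rules=percent_of_rules)
    return total >= threshold, total, matched


# Constructed sample messages (not real mail).
SPAM_RAW = """\
From: promo@example.net
To: user@example.com
Subject: CLAIM YOUR PRIZE NOW!!!
Content-Type: text/html

<html><body>
<p>Congratulations! <b>Claim your prize</b> at <a href="http://192.0.2.10/win">this link</a>.</p>
<span style="font-size:0px">hidden words</span>
</body></html>
"""

HAM_RAW = """\
From: alice@example.org
To: user@example.com
Subject: Meeting notes from Tuesday
Message-ID: <abc123@example.org>
Content-Type: text/plain

Hi, attached are the notes. See https://intranet.example.org/notes/2024 for the full archive.
"""

if __name__ == "__main__":
    for label, raw in (("spam sample", SPAM_RAW), ("ham sample", HAM_RAW)):
        for pct in (100, 50, 33):
            is_spam, total, hits = classify(raw, percent_of_rules=pct)
            print(f"{label:12s} rules={pct:3d}% score={total:4.1f} spam={is_spam} hits={hits}")
```

Running the block shows the trade-off the percentage setting makes: with all rules the constructed spam sample scores 8.0, with the top half of the list it still scores 6.0 and is caught, but with only the top third (two rules) it scores 3.5 and slips under the 5.0 threshold, while the clean sample scores 0 at every setting.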
To configure heuristic scan options: