Created on 03-24-2025 06:03 AM
Edited on 09-11-2025 02:01 AM
By Jean-Philippe_P
Description | This article describes a procedure to investigate cases where spam emails are not correctly detected and filtered by FortiMail. It explains how to analyze session information and cross-search logs to determine the reason why spam classification did not occur as expected. |
Scope | This procedure applies to administrators and support engineers who manage FortiMail instances and need to investigate missed spam detection incidents. The steps apply to FortiMail environments using FortiGuard AntiSpam services. |
Solution |
The ESMTP ID will appear as 326Gwolv024043-326Gwolx024043. It is recommended to search using only the first part, 326Gwolv024043, as it yields better results.
Check the reason recorded in the cross-search log. For example:
STARTTLS=server, relay=****.**.****.jp [***.***.***.***], version=TLSv1.2, verify=NO, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256 from=<*******=************=2jr0ird=424=****.****=********.*****@****. FortiGuard-AntiSpam identified spam IP: **.**.**.**, score: 3 to=****.********@********.*****, mailer=bulk, stat=sent
In this case, 'FortiGuard-AntiSpam identified spam IP: **.**.**.**, score: 3' indicates that the email is judged as spam based on the IP address.
The score threshold can be configured via CLI commands:
config system fortiguard antispam
    set threshold-ip-connect <1,2,3>
end
|
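The lookup described above (search on the first part of the ESMTP ID, then read the FortiGuard-AntiSpam reason) can be scripted over exported log text. This is an added example, not Fortinet code: the log line layout, the second session ID and the addresses are constructed, and only the reason text and the first ESMTP ID come from the article.

```python
import re

# Reason text as quoted in the article's cross-search log example.
REASON_RE = re.compile(
    r"FortiGuard-AntiSpam identified spam IP:\s*(?P<ip>[^,\s]+),\s*score:\s*(?P<score>\d+)"
)

def search_key(esmtp_id):
    """Return the first part of a two-part ESMTP ID, the recommended search term."""
    return esmtp_id.split("-", 1)[0].strip()

def session_report(log_lines, esmtp_id):
    """Collect a session's log lines and any FortiGuard IP verdicts found in them."""
    key = search_key(esmtp_id)
    session_lines, verdicts = [], []
    for number, line in enumerate(log_lines, 1):
        if key not in line:
            continue
        session_lines.append(line)
        match = REASON_RE.search(line)
        if match:
            verdicts.append({"line": number, "ip": match.group("ip"),
                             "score": int(match.group("score"))})
    return session_lines, verdicts

# Constructed sample lines (assumed layout; documentation-range addresses).
SAMPLE_LOG = [
    'session_id="326Gwolv024043-326Gwolx024043" msg="STARTTLS=server, '
    'relay=mail.example.jp [192.0.2.45], version=TLSv1.2, verify=NO"',
    'session_id="326Gwolv024043-326Gwolx024043" msg="from=<bounce@example.jp>. '
    'FortiGuard-AntiSpam identified spam IP: 192.0.2.45, score: 3"',
    'session_id="326Hxqrt031877-326Hxqrv031877" msg="to=<user@example.com>, '
    'mailer=esmtp, stat=sent"',
    'session_id="326Gwolv024043-326Gwolx024043" msg="to=<user@example.com>, '
    'mailer=bulk, stat=sent"',
]

if __name__ == "__main__":
    for esmtp_id in ("326Gwolv024043-326Gwolx024043", "326Hxqrt031877-326Hxqrv031877"):
        lines, verdicts = session_report(SAMPLE_LOG, esmtp_id)
        print(search_key(esmtp_id), "lines:", len(lines))
        if verdicts:
            for v in verdicts:
                print("  spam IP", v["ip"], "score", v["score"], "(log line", v["line"], ")")
        else:
            print("  no FortiGuard-AntiSpam IP reason logged for this session")
```

A session that returns log lines but no verdict is the case to investigate further, since no IP-based reason was recorded for it.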