Latest Antispam Database:

Spam FAQs

What is Spam?

To judge an email message as spam is quite subjective. Most people easily agree on some email message as being spam, such as the never ending messages of Viagra ads and Nigeria scam messages. Some may include all advertisements and newsletters as spam, others may consider newsletters as legitimate email.

FortiGuard use the industry standard's definition of spam as Unsolicited Bulk Email (UBE). Unsolicited means that the Recipient has not granted verifiable permission for the message to be sent and the sender has no discernible relationship with all or some of the recipients. Bulk means the message is sent as part of a larger collection of messages, all having substantively identical content.

A message is considered spam if both Unsolicited and Bulk. Unsolicited Email can be normal email, such as first contact enquiries, job enquiries, and sales enquiries. Bulk Email can be normal email, such as subscriber newsletters, customer communications, discussion lists. The message content is generally irrelevant in determining whether a message is spam though most are commercial in nature. There is spam that fraudulently promotes penny stocks in the classic pump-and-dump scheme. There is spam that promotes religious beliefs.

Technically, an email message is spam if
  • The recipient's personal identity and context are irrelevant because the message is equally applicable to many other potential recipients
  • And, the recipient has not verifiably granted deliberate, explicit, and still-revocable permission for it to be sent.

How do I mark a message as spam?

Spam submitted will be analyzed, their signatures will be extracted and added to our spam signature database, which makes FortiGuard AntiSpam detecting and filtering similar spam. We appreciate your submitting spam samples, but do not respond to them because of the volume.

Submission Instructions:

For Microsoft Outlook:

Method 1:
  1. Open Microsoft Outlook
  2. Create a new email to
  3. Drag the message(s) you want to submit from the "message listing" pane into the body of the new message window you just created.
  4. Send the message.

Method 2:
Set Outlook to forward email as original attachment by
  1. In Outlook menu, click "Tools" -> "Options"
  2. In "Preference" tab, click "Email Options..." button in "Email" section
  3. In the drop-down section "When forwarding a message," choose "Attach original message text"
  4. Click "OK"
From now on, you can simply click "Forward" button in Outlook and put to "To:" address to submit a spam.

For Microsoft Outlook Express:

  1. Open Microsoft Outlook Express
  2. Right-click the message you want to submit, click "Forward As Attachment"
  3. Put to "To:" address
  4. Click "Send"

For Thunderbird/Mozilla/Netscape:

Method 1:
  1. Open Thunderbird/Mozilla/Netscape mail
  2. Create a new email to
  3. Drag the message(s) you want to submit from the "message listing" pane into the 'attachment' area of the new message window you just created.
  4. Send the message

Method 2:
Set Thunderbird/Mozilla/Netscape to forward email as original attachment by
  1. Click "Edit" -> "Preference"
  2. In Composition section, there is a drop-down option for "Forward messages". Choose "As Attachment".
  3. Click "OK"/"Close"
From now on, you can simply click "Forward" button in Thunderbird/Mozilla/Netscape and put to "To:" address to submit a spam.

For Lotus Notes Client:

  1. Open Lotus Domio Client
  2. Open the spam email which would like to submit.
  3. From Menu View -> Show -> Page Source
  4. Select the entire page source and copy the selected content.
  5. Paste it to a notepad and save it as spamsample.eml.
  6. Create a new email with the spam email as an RFC-822 MIME encoded attachment.
  7. In the To box, type:
  8. Send the message.
If you are using web-based mail like yahoo, please forward the spam email as attachment instead of inline text.

Due to the volume of the spam submitted, we do not respond to any spam submitted.

How do I submit a false-positive?

If you notice a false positive, a clean message marked as spam by FortiGuard AntiSpam Service, or if you believe an IP address, URL, or email address is blacklisted incorrectly, you can either:

If you are the email sender who had an email message incorrectly blocked:

  • Send us the error message you received. The error message shall look like this: #5.7.1 smtp;554 5.7.1 This message has been blocked because it contains FortiGuard - AntiSpam blocking URL/IP(s).(black url/ip

If you are a Fortinet customer:

  • Send us the AntiSpam log messages obtained from FortiGate, FortiClient or FortiMail, including your Fortinet product's serial number. The AntiSpam log from FortiGate shall look like this:

    Feb 26 19:15:13 date=2006-02-26 time=19:15:14 device_id=FGT-xxxxxxxxxxx log_id=xxxxxxx type=emailfilter subtype=smtp pri=notice vd=root src_int=wan1 dst_int=internal service=smtp status=detected from="" to="" msg="The email contains FortiGuard - AntiSpam blocking URL(s).(black url"

Antispam Service Information

FortiGuard AntiSpam Service filters include FortiIP and FortiSig database. FortiIP is a sender IP reputation database, and FortiSig is a spam signature database containing three types of signatures: FortiSig1, FortiSig2 and FortiSig3.


Sender IP reputation database.

Most of spam is presently sent from misconfigured or virus-infected hosts. FortiGuard AntiSpam Service maintains a global IP reputation database where the reputation of each IP is built and maintained based on many of properties of the IP address that are gathered from various sources.

The properties of an IP address include its whois information, geographical location, its service provider, whether it is an open relay or hijacked host, etc. One of the key properties used to maintain the reputation is the email volume from this sender as gathered from our FortiGuard service network. By comparing a sender's recent email volume with its historical pattern, FortiGuard AntiSpam Service updates each IP's reputation in real-time and provides a highly effective sender IP address filter.


Spamvertised URLs.

About 90% of spam has one or more URLs in the message body. These URLs link to spammers' websites promoting their products and services. In the phishing spam, these URLs direct one to a fake bank or other financial institution's website in an attempt to obtain private financial information.

FortiGuard AntiSpam Service collects spam samples through our global spam trap network and spam sample submissions from our customers and partners. The URLs are then extracted from the spam samples and undergo rigorous QA processes before the FortiSig Database is augmented. The URLs are then subject to the continuous aging process by which obsolete items are promptly removed.


Spamvertised email addresses.

Similar to the spamvertised URLs, another hallmark of spam stems from an email address in the message body that prompts one to contact the spammers. By extracting these email addresses from the spam samples, these spamvertised email addresses provide another powerful global filter to identify and filter spam.


Spam object checksums.

In line with the release of FortiOS 3.0, FortiGuard AntiSpam Service releases one additional global filter as FortiSig3 to counter attack those hard-to-detect spam that do not contain FortiSig1 or FortiSig2. Using a proprietary algorithm, objects in spam are identified and a fuzzy checksum is calculated from each object. The object can be part of the message body or an attachment. The checksum is then added into the FortiSig database, providing another highly effective global filter with virtual no false positives.


Dynamic heuristic rules.

This is the latest component offered in the FortiGuard Antispam Service, available in FortiMail version 3.0 MR1 and later. This global filter uses dynamically updated heuristic rules to identify spam, exploiting various attributes in the spam message header, body, mime header, and attachments. With manually crafted heuristic rules for specific spam attacks, FortiRule further increases the catch rate with virtually no false positives.


The FortiGuard Antispam Service uses both a sender IP reputation database and a spam signature database, along with sophisticated spam filtering tools on Fortinet appliances and agents, to detect and block a wide range of spam messages. On FortiGate or FortiMail systems, FortiGuard Antispam Service can dramatically reduce the amount of spam messages that an organization's email servers process. It also enables FortiClient end point security agents to block spam on remote PCs and mobile devices.

Technology Overview

Fortinet takes a comprehensive and multi-layered approach and uses a number of techniques to detect and filter spam.

Global Filters

Through the FortiGuard distribution network, FortiGuard AntiSpam service provides two databases, namely FortiIP and FortiSig, as global filters. FortiIP is a sender IP reputation database while FortiSig is a spam signature database. These global filters are constantly updated and they enable our FortiGate, FortiClient and FortiMail products to detect and filter most prevailing spam in the Internet.

Customized filters

Various customized spam filters are provided to compliment the Fortinet's AntiSpam solution on the service delivery units: FortiGate, FortiClient and FortiMail. These customized filters range from banned words filters, local white and black lists of sender email address, heuristic rules, to highly sophisticated techniques such as Bayesian training in FortiMail. See the documentation of respective products for more information.

Dedicated Service Team

To complete Fortinet's AntiSpam solution and provide our customer with best in class AntiSpam service, our dedicated service team of engineers and analysts is committed to respond to and resolve any false positive report and other issues in 24 hours, monitor and analyze latest spam techniques, continuously update FortiIP and FortiSig databases, and research and design new spam filters.

IP & Signature Lookup