FortiMail Troubleshooting: Antispam Issues

The Troubleshooting recipes are here to assist you in diagnosing and remedying any problems you experience when using your FortiMail unit.

This recipe guides you through the process of troubleshooting a wide variety of antispam issues you may encounter when using FortiMail, such as low spam detection, email users being spammed by DSN, and SMTP failure.


Problem #1: Low Spam Detection Rate

The spam detection rate is low.

The Solution

Make sure no SMTP traffic is bypassing the FortiMail unit due to an incorrect routing policy. Configure routers and firewalls to direct all SMTP traffic to or through the FortiMail unit to be scanned. If the FortiMail unit is operating in gateway mode, for each protected domain, modify public DNS records to keep only a single MX record entry that points to the FortiMail unit.

Do not whitelist protected domains. White lists bypass antispam scans, so email with spoofed sender addresses in the protected domains could evade antispam features. Also, use white lists with caution: a white list entry such as *.edu would allow email from every domain in the .edu top-level domain to bypass antispam scans.

Make sure all protected domains have matching policies and proper protection profiles.

Enable adaptive antispam features such as greylisting and sender reputation.

Important: Enable additional antispam features gradually. Excessive antispam scans could decrease the performance of your FortiMail unit.

Problem #2: Faulty Send Spam

Email users are spammed by DSN for email they did not actually send.

The Solution

Spammers sometimes use the delivery status notification (DSN) mechanism to bypass antispam measures. In this attack, sometimes called “backscatter”, the spammer spoofs the email address of a legitimate sender and intentionally sends spam to an undeliverable recipient, expecting that the recipient’s email server will send a DSN back to the spoofed sender to report the delivery failure. Because this attack uses innocent email servers and a standard notification mechanism, many antispam mechanisms cannot tell legitimate DSN apart from DSN triggered by spoofed mail.

To detect backscatter:

1. Enable bounce address tagging and configure an active key (see “Configuring bounce verification and tagging” on page 598).
2. Next, disable both the Bypass bounce verification option (see “Configuring protected domains” on page 355) and the Bypass bounce verification check option (see “Configuring session profiles” on page 453).
3. In addition, verify that all outgoing and incoming email passes through the FortiMail unit. The FortiMail unit cannot tag email, or recognize legitimate DSN for previously sent email, if all email does not pass through it. For details, see “Configuring bounce verification and tagging” on page 598.
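The steps above rely on the outgoing envelope sender carrying a keyed tag that only the gateway can produce, so that a later DSN addressed to an untagged or mis-tagged address is recognised as backscatter. The following is an added illustration of that principle and is not FortiMail's code or its exact tag format; the BATV-style `prvs=` layout, the key and the validity window are assumptions.

```python
import hmac
import hashlib
import time

# Constructed example key. In FortiMail this corresponds to the "active key"
# configured under bounce verification and tagging. The tag layout used here
# (prvs=<day><hash>=<local>@<domain>) is a simplified BATV-style format, not
# FortiMail's own.
KEY = b"constructed-example-key"
TAG_VALID_DAYS = 7  # assumed window during which a DSN for sent mail is accepted

def _tag(local, domain, day, key=KEY):
    """Keyed tag over the original sender and the day it was sent."""
    mac = hmac.new(key, f"{day}:{local}@{domain}".encode(), hashlib.sha256).hexdigest()
    return f"{day:03d}{mac[:6]}"

def tag_sender(address, key=KEY, now=None):
    """Rewrite the envelope sender of outgoing mail so any legitimate DSN
    comes back to a tagged address."""
    local, domain = address.rsplit("@", 1)
    day = int((now if now is not None else time.time()) // 86400) % 1000
    return f"prvs={_tag(local, domain, day, key)}={local}@{domain}"

def verify_bounce_recipient(address, key=KEY, now=None):
    """For an inbound message with an empty envelope sender (a DSN), return
    (is_legitimate, original_address). No tag, an unknown tag or an expired
    tag means the DSN answers mail this gateway never sent: backscatter."""
    if not address.startswith("prvs="):
        return False, address
    try:
        _, tag, rest = address.split("=", 2)
        local, domain = rest.rsplit("@", 1)
        day = int(tag[:3])
    except ValueError:
        return False, address
    today = int((now if now is not None else time.time()) // 86400) % 1000
    for age in range(TAG_VALID_DAYS + 1):
        if (today - age) % 1000 == day and hmac.compare_digest(_tag(local, domain, day, key), tag):
            return True, f"{local}@{domain}"
    return False, f"{local}@{domain}"
```

This also shows why step 3 matters: outgoing mail that does not pass through the tagging gateway has an untagged sender, so genuine DSN for it would be rejected as backscatter.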

Problem #3: Temporary Failure SMTP Reply Code

Email users cannot release and delete quarantined messages by email.

The Solution

Two common reasons are:

• The domain name portion of the recipient email address (for example, fortimail.example.com in release-ctrl@fortimail.example.com) could not be resolved by the DNS server into the FortiMail unit’s IP address.
• The sender’s email address in the release message was not the same as the intended recipient of the email that was quarantined. If you have configured your mail client to handle multiple email accounts, verify that the release/delete message is being sent from the email address corresponding to that per-recipient quarantine. For example, if an email for user@example.com is quarantined, to release that email you must send a release message from user@example.com.

Problem #4: Attachment Issues

Your attachment is smaller than the configured 10 MB limit, but your message is not deliverable.

The Solution

The message limit is a total maximum for the entire transmitted email: the message body, message headers, all attachments, and encoding, which in some cases can expand the size of the email. For example, depending on the encoding and the content of the email, an email with an 8 MB attachment could easily exceed the transmitted message size limit of 10 MB.

Therefore, attachments should be kept well below the configured limit to leave room for the message body, headers, and encoding overhead.

Problem #5: Email Archive Issues

The exported email archive is an empty file.

The Solution

Make sure you select the check boxes of archived email (see “Configuring email archiving accounts” on page 618) that you want to export. Only email whose Status column contains a check mark will be exported.
