Administration Guide

Troubleshoot antispam issues

Problem

The spam detection rate is low.

Solution

  • Confirm that no SMTP traffic is bypassing the FortiMail unit due to an incorrect routing policy. Configure routers and firewalls to direct all SMTP traffic to or through the FortiMail unit to be scanned. If the FortiMail unit is operating in gateway mode, for each protected domain, modify public DNS records to keep only a single MX record entry that points to the FortiMail unit.
  • Use safe lists with caution. For example, a safe list entry *.edu would allow all email from all domains in the .edu top level domain to bypass antispam scans.
  • Do not safelist protected domains. Because safe lists bypass antispam scans, email with spoofed sender addresses in the protected domains could bypass antispam features.
  • Verify that all protected domains have matching policies and proper protection profiles.
  • Consider enabling adaptive antispam features such as greylisting and sender reputation.
Caution

Enable additional antispam features gradually, and do not enable additional antispam features after you have achieved a satisfactory spam detection rate. Excessive antispam scans can unnecessarily decrease the performance of the FortiMail unit.

Problem

Email users are spammed by DSN for email they did not actually send.

Solution

Spammers may sometimes use the delivery status notification (DSN) mechanism to bypass antispam measures. In this attack, sometimes called “backscatter”, the spammer spoofs the email address of a legitimate sender and intentionally sends spam to an undeliverable recipient, expecting that the recipient’s email server will send a DSN back to the spoofed sender to notify them of the delivery failure. Because this attack uses innocent email servers and a standard notification mechanism, many antispam mechanisms may be unable to tell the difference between legitimate and spoofed DSN.

To detect backscatter
  1. Enable bounce address tagging and configure an active key (see Configuring bounce verification and tagging).
  2. Next, disable both the Bypass bounce verification option (see Configuring protected domains) and the Bypass bounce verification check option (see Configuring session profiles).
  3. In addition, verify that all outgoing and incoming email passes through the FortiMail unit. The FortiMail unit cannot tag email, or recognize legitimate DSN for previously sent email, if all email does not pass through it. For details, see Configuring bounce verification and tagging.
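The following added example (not FortiMail code, and not part of the original guide) illustrates the mechanism behind steps 1 and 2: a simplified BATV-style bounce address tag is derived from an active key when mail leaves, and an inbound DSN is accepted only if its recipient carries a valid, unexpired tag. The key, the prvs= layout and the 7-day window are assumptions for the illustration.

```python
import hmac
import hashlib
import re
from datetime import date

# Constructed key for this example; on the appliance the "active key" is the one
# configured under bounce verification and tagging.
ACTIVE_KEY = b"constructed-example-key"

def _day_counter(day):
    # Day number modulo 1000, so the tag carries only three digits.
    return day if day is not None else date.today().toordinal() % 1000

def _tag(key, day, address):
    return hmac.new(key, f"{day}{address}".encode(), hashlib.sha256).hexdigest()[:6]

def tag_sender(local_part, domain, key=ACTIVE_KEY, day=None):
    """Rewrite the outbound envelope sender as prvs=<DDD><tag>=user@domain."""
    day = _day_counter(day)
    return f"prvs={day:03d}{_tag(key, day, f'{local_part}@{domain}')}={local_part}@{domain}"

def verify_bounce(rcpt_to, key=ACTIVE_KEY, today=None, max_age=7):
    """Decide whether a DSN (MAIL FROM <>) addressed to rcpt_to is for mail we sent.

    Returns (accepted, detail). An untagged recipient means no tagged mail
    ever left through this gateway, so the bounce is backscatter.
    """
    m = re.fullmatch(r"prvs=(\d{3})([0-9a-f]{6})=([^@]+)@(.+)", rcpt_to)
    if not m:
        return False, "untagged address: backscatter"
    day_str, tag, local, domain = m.groups()
    day, today = int(day_str), _day_counter(today)
    if (today - day) % 1000 > max_age:
        return False, "tag expired"
    expected = _tag(key, day, f"{local}@{domain}")
    if not hmac.compare_digest(tag, expected):
        return False, "tag does not match active key"
    return True, f"{local}@{domain}"
```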

Problem

Email users cannot release and delete quarantined messages by email.

Solution

Two common reasons are:

  • The domain name portion of the recipient email address (for example, fortimail.example.com in release-ctrl@fortimail.example.com) could not be resolved by the DNS server into the FortiMail unit's IP address.
  • The sender’s email address in the release message was not the same as the intended recipient of the email that was quarantined. If you have configured your mail client to handle multiple email accounts, verify that the release/delete message is being sent by the email address corresponding to that per-recipient quarantine. For example, if an email for user@example.com is quarantined, to release that email, you must send a release message from user@example.com.

Problem

Attachments less than the 10 MB configured limit are not deliverable.

Solution

The message limit is a total maximum for the entire transmitted email: the message body, message headers, all attachments, and encoding, which in some cases can expand the size of the email. For example, depending on the encoding and the content of the email, an email with an 8 MB attachment could easily exceed the transmitted message size limit of 10 MB.

Therefore, attachments should be significantly smaller than the configured limit.

Problem

The exported email archive is an empty file.

Solution

Make sure you select the check boxes of archived email (see Configuring email archiving accounts) that you want to export. Only email whose Status column contains a check mark will be exported.

Problem

Event log messages show DNSBL query errors.

Solution

Log messages such as:

RblServer::check 20.4.90.202.zen.spamhaus.org error=2 : 'Host name lookup failure'

could mean that the query is being refused because it exceeds pre-defined service limitations by the DNSBL service provider. If you have very high volumes of email traffic, consider providing a DNSBL server on your local network by synchronizing the DNSBL database to it. For details, consult your service provider.
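As an added example that is not part of the original guide, the parser below reads event log lines in the format quoted above, recovers the queried IP address (the octets in a DNSBL query name are reversed) and the DNSBL zone, and counts lookup failures per zone so a sustained error rate against one provider can be spotted. The sample log lines are constructed; bl.example.net is a placeholder zone.

```python
import re
from collections import Counter

LOG_RE = re.compile(
    r"RblServer::check (?P<query>\S+) error=(?P<code>\d+) : '(?P<msg>[^']*)'"
)

# Constructed sample lines in the format shown in the guide.
SAMPLE_LOG = """\
RblServer::check 20.4.90.202.zen.spamhaus.org error=2 : 'Host name lookup failure'
RblServer::check 1.2.0.192.zen.spamhaus.org error=2 : 'Host name lookup failure'
RblServer::check 7.7.0.10.bl.example.net error=2 : 'Host name lookup failure'
RblServer::check 8.0.0.10.zen.spamhaus.org error=2 : 'Host name lookup failure'
some unrelated event log line
"""

def parse_dnsbl_error(line):
    """Return a dict with ip, zone, code and msg, or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    labels = m.group("query").split(".")
    return {
        "ip": ".".join(reversed(labels[:4])),   # undo the reversed-octet encoding
        "zone": ".".join(labels[4:]),
        "code": int(m.group("code")),
        "msg": m.group("msg"),
    }

def errors_per_zone(log_text):
    """Count DNSBL query errors per zone across a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_dnsbl_error(line)
        if rec is not None:
            counts[rec["zone"]] += 1
    return counts

def zones_over_threshold(log_text, threshold):
    """Zones whose error count reaches the threshold, likely rate-limited by the provider."""
    return sorted(z for z, n in errors_per_zone(log_text).items() if n >= threshold)
```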

Problem

Antispam quarantine reports are delayed.

Solution

In most cases, this is caused by an excessive number of quarantine accounts.

When an email is accepted for a recipient and identified as spam, a quarantine account is automatically created in FortiMail.

Check that these quarantine accounts are valid, as netbots and spam harvest scans can cause the creation of a large number of false accounts.

There are options to manage quarantine accounts in FortiMail. These options are available under Domain & User > Domain > Domain (not in server mode).

  • Enable Recipient Address Verification to stop invalid account creation with SMTP or LDAP authentication (Note that LDAP cache should be enabled).
  • Remove invalid accounts by enabling Automatic Removal of Invalid Quarantine Accounts.

Recipient validation is a clean solution, but it has a performance cost on the SMTP or LDAP services it queries. Another disadvantage is that it reveals to external senders whether a given recipient address is valid.

The automatic clearance of accounts is started once per day at 4:00 AM by default, but can be modified by the following CLI command:

config antispam settings
    set backend-verify <hh:mm:ss>
end

where hh is the hour according to a 24-hour clock, mm is the minute, and ss is the second.