FortiMail Troubleshooting: Antispam Issues

Posted on October 13, 2016 by Mike Mielke

The Troubleshooting recipes are here to assist you in diagnosing and remedying any problems
you experience when using your FortiMail unit.

This recipe guides you through the process of troubleshooting a wide variety of antispam issues
you may encounter when using FortiMail, such as low spam detection, email users being
spammed by DSN, and SMTP failure.

Problem #1: Low Spam Detection Rate

The spam detection rate is low.

The Solution

Make sure no SMTP traffic is bypassing the FortiMail unit due to an incorrect routing
policy. Configure routers and firewalls to direct all SMTP traffic to or through the FortiMail unit to
be scanned. If the FortiMail unit is operating in gateway mode, for each protected domain,
modify public DNS records to keep only a single MX record entry that points to the FortiMail
unit.

Do not whitelist protected domains. Because white lists bypass the antispam scan, email with
spoofed sender addresses in the protected domains could bypass antispam features. Also, use
white lists with caution: a white list entry *.edu would allow all email from all domains in the
.edu top-level domain to bypass antispam scans.

Make sure all protected domains have matching policies and proper protection profiles.

Enable adaptive antispam features such as greylisting and sender reputation.

Important: Enable additional antispam features gradually. Excessive antispam scans could
decrease the performance of your FortiMail unit.

Problem #2: Faulty Send Spam

Email users are spammed by DSN for email they did not actually send.

The Solution

Spammers sometimes use the delivery status notification (DSN) mechanism to bypass
antispam measures. In this attack, sometimes called backscatter, the spammer spoofs the
email address of a legitimate sender and intentionally sends spam to an undeliverable recipient,
expecting that the recipient's email server will send a DSN back to the sender to notify him/her
of the delivery failure. Because this attack utilizes innocent email servers and a standard
notification mechanism, many antispam mechanisms may be unable to detect the difference
between legitimate and spoofed DSN.

To detect backscatter

1. Enable bounce address tagging and configure an active key (see Configuring bounce
verification and tagging on page 598).

2. Next, disable both the Bypass bounce verification option (see Configuring protected
domains on page 355) and the Bypass bounce verification check option (see Configuring
session profiles on page 453).

3. In addition, verify that all outgoing and incoming email passes through the FortiMail unit. The
FortiMail unit cannot tag email, or recognize legitimate DSN for previously sent email, if all email
does not pass through it. For details, see Configuring bounce verification and tagging on page
598.
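
The tag-then-verify idea behind the steps above, as an added example that is not FortiMail code or part of the original recipe: outgoing envelope senders get a keyed, dated tag, and an incoming DSN is accepted only if its recipient carries a valid one. The tag layout is loosely modelled on the BATV "prvs" convention and is an assumption (the page does not show FortiMail's actual format); the key, function names and lifetime are hypothetical.

```python
import hashlib
import hmac

# Constructed sample key; stands in for the "active key" configured on the unit.
ACTIVE_KEY = b"constructed-sample-key"
TAG_LIFETIME_DAYS = 7  # assumed validity window for a tag


def _mac(key: bytes, day: int, address: str) -> bytes:
    """Short keyed digest binding the expiry day to the original sender."""
    msg = f"{day:03d}{address.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8].encode()


def tag_sender(address: str, today: int, key: bytes = ACTIVE_KEY) -> str:
    """Rewrite an outgoing envelope sender: user@dom -> prvs=DDDMMMMMMMM=user@dom.

    `today` is a day counter (for example, days since the epoch); the tag
    stores the expiry day modulo 1000.
    """
    expiry = (today + TAG_LIFETIME_DAYS) % 1000
    return f"prvs={expiry:03d}{_mac(key, expiry, address).decode()}={address}"


def verify_bounce_recipient(rcpt: str, today: int, key: bytes = ACTIVE_KEY):
    """Check the recipient of an incoming DSN. Returns (ok, address_or_reason)."""
    if not rcpt.lower().startswith("prvs="):
        # Mail that never passed through the tagging unit lands here, which is
        # why step 3 requires all outgoing mail to flow through it.
        return False, "untagged"
    try:
        tag, address = rcpt[5:].split("=", 1)
        expiry = int(tag[:3])
    except ValueError:
        return False, "malformed"
    # Constant-time comparison of the presented MAC against the recomputed one.
    if not hmac.compare_digest(tag[3:].encode(), _mac(key, expiry, address)):
        return False, "bad-mac"
    # Days remaining until expiry, modulo 1000; a value above the lifetime
    # means the expiry day has already passed.
    if (expiry - today % 1000) % 1000 > TAG_LIFETIME_DAYS:
        return False, "expired"
    return True, address
```

A spoofed DSN aimed at user@example.com fails as "untagged" or "bad-mac" because the spammer does not hold the key, while a bounce for mail the unit actually tagged verifies until the tag expires.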

Problem #3: Temporary Failure SMTP reply Code

Email users cannot release and delete quarantined messages by email.

The Solution

Two common reasons are:

The domain name portion of the recipient email address (for example, fortimail.example.com
in release-ctrl@fortimail.example.com) could not be resolved by the DNS server into the
FortiMail unit's IP address.

The sender's email address in the release message was not the same as the intended
recipient of the email that was quarantined. If you have configured your mail client to handle
multiple email accounts, verify that the release/delete message is being sent by the email
address corresponding to that per-recipient quarantine. For example, if an email for
user@example.com is quarantined, to release that email, you must send a release message from
user@example.com.

Problem #4: Attachment Issues

Your attachment is less than the 10 MB configured limit and your message is not deliverable.

The Solution

The message limit is a total maximum for the entire transmitted email: the message body,
message headers, all attachments, and encoding, which in some cases can expand the size of the
email. For example, depending on the encoding and the content of the email, an email with an 8
MB attachment could easily exceed the transmitted message size limit of 10 MB.

Therefore, attachments should be smaller than the configured limit.

Problem #5: Email Archive Issues

The exported email archive is an empty file.

The Solution

Make sure you select the check boxes of archived email (see Configuring email archiving
accounts on page 618) that you want to export. Only email whose Status column contains a
check mark will be exported.
