Troubleshooting Tip: Basic Troubleshooting and Fine Tuning of the Antispam Solution on the FortiGate
Description
This article describes how to troubleshoot the antispam solution on the FortiGate.
FortiGuard antispam services are central to the spam solution on the FortiGate; once they are activated globally and in a protection profile, they provide IP address checking, URL checking, email checksum checking, and spam submission.
Other techniques can also help reduce and block unsolicited email; combined with FortiGuard, they further reduce the volume of these messages.
Scope
FortiGate running NAT, Transparent, VDOM mode.
Solution
Step 1:
Despite a correctly configured protection profile, SPAM messages are still getting through the system. The first check is to verify whether the sending MTA, sender IP, email address, or embedded URL is already known to FortiGuard at the following link: AntiSpam Service.
If not, use the spam submission and URL lookup search tool on the FortiGuard portal: Contact Us.
Submitting new SPAM attacks is a vital way for Fortinet to keep its databases up to date and protect networks from new attacks.
Step 2:
Verify that the FDS servers used for antispam are reachable and available. These are the same servers that are used for web filtering. Their status can be obtained by running the following command on the CLI:

```
diagnose debug rating
Locale     : english
License    : Contract
Expiration : Sat Sep 19 16:00:00 2009
Hostname   : service.fortiguard.net
-=- Server List (Sat Oct 18 13:13:12 2008) -=-
IP        Weight  RTT  Flags  TZ  Packets  Curr Lost  Total Lost
x.x.x.x   0       3    D      -8  2        0          0
x.x.x.x   0       9           -8  1        0          0
x.x.x.x   0       101         -8  1        0          0
x.x.x.x   0       266         -8  1        0          0
x.x.x.x   30      78          -5  1        0          0
x.x.x.x   30      79          -5  1        0          0
x.x.x.x   30      59          -5  1        0          0
x.x.x.x   30      59          -5  1        0          0
x.x.x.x   80      147  D      0   2        0          0
x.x.x.x   80      154         0   1        0          0
x.x.x.x   80      154         0   1        0          0
x.x.x.x   90      211  DI     1   3        0          0
x.x.x.x   90      154         1   1        0          0
x.x.x.x   170     148         9   1        0          0
x.x.x.x   170     148         9   1        0          0
```
Note that the above diagnose command 'diagnose debug rating' indicates the server status; the flag definitions are given below:

| Flag | Meaning |
|---|---|
| D | Indicates the server was found via the DNS lookup of the hostname. If the hostname returns more than one IP address, all of them will be flagged with 'D' and will be used first for INIT requests before falling back to the other servers. |
| I | Indicates the server to which the last INIT request was sent. |
| F | The server has not responded to requests and is considered to have failed. |
| T | The server is currently being timed. |
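As an added example (not from this article or from Fortinet), the following Python snippet parses a pasted 'diagnose debug rating' server list in the layout shown above and applies the flag definitions from the table, so a failed server ('F'), the last INIT target ('I'), DNS-discovered servers ('D') and any packet loss can be picked out quickly. The sample output and the 192.0.2.x addresses are constructed.

```python
# Added example (not Fortinet code): parse the server list printed by
# 'diagnose debug rating' and summarise its health using the flag meanings.
import re
from collections import namedtuple

# Constructed sample in the layout shown above (192.0.2.x addresses);
# the 'F' row is constructed to show how a failed server is reported.
SAMPLE = """\
Hostname : service.fortiguard.net
-=- Server List (Sat Oct 18 13:13:12 2008) -=-
IP Weight RTT Flags TZ Packets Curr Lost Total Lost
192.0.2.10 0 3 D -8 2 0 0
192.0.2.11 0 9 -8 1 0 0
192.0.2.20 90 211 DI 1 3 0 0
192.0.2.30 170 148 F 9 4 3 3
"""

RatingServer = namedtuple(
    "RatingServer", "ip weight rtt flags tz packets curr_lost total_lost")

IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_rating_servers(text: str) -> list:
    servers = []
    for line in text.splitlines():
        cols = line.split()
        # Server rows start with an IP; Flags may be empty, so a row has
        # 7 or 8 whitespace-separated fields. Everything else is skipped.
        if not cols or not IP_RE.match(cols[0]) or len(cols) not in (7, 8):
            continue
        flags = cols[3] if len(cols) == 8 else ""
        nums = [int(c) for c in cols[1:3] + cols[-4:]]
        servers.append(RatingServer(cols[0], nums[0], nums[1], flags, *nums[2:]))
    return servers

def rating_health(servers: list) -> dict:
    """What a troubleshooter looks for: failed servers (F), the server that
    took the last INIT (I), DNS-discovered servers (D) and packet loss."""
    return {
        "failed": [s.ip for s in servers if "F" in s.flags],
        "init_server": next((s.ip for s in servers if "I" in s.flags), None),
        "dns_discovered": [s.ip for s in servers if "D" in s.flags],
        "lossy": [s.ip for s in servers if s.total_lost > 0],
    }
```

A server reported under "failed" or "lossy" is the first thing to investigate before adjusting the antispam profile itself.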
Step 3:
If the above steps have been checked and SPAM messages are still affecting the email servers and users, examine the messages in question, the MTAs being used, and whether this appears to be a new attack with new variants. The configuration can then be adapted by adding the following features to the antispam configuration on the FortiGate:
- Control spam by blocking email messages containing specific words or patterns. To make a word or phrase case insensitive, use the regular expression modifier /i. For example, /bad language/i will block all instances of "bad language" regardless of case. Wildcard patterns are not case sensitive.
- Create either an IP or email address black/whitelist. This can be used as a filter against either an email address or the IP address of a potential spamming MTA. To configure the list, go to UTM -> AntiSpam -> IP Address.
- There are advanced antispam configuration options on the FortiGate; these are discussed in another KB article, 'Configuring Advanced antispam options on the FortiGate'.
Step 4:
If too many SPAM messages are still being received, raise a ticket with Fortinet Support. Before doing so, ensure the following information is included in the ticket:
- Current configuration file of the FortiGate.
- 'get system status' from the CLI.
- Examples in .msg format of the emails that are not being tagged as SPAM.
- A detailed network diagram of the mail traffic flow.
