seth57
New Member
February 9, 2016
Question

How to block SMTP sessions from HUGE spambot

  • February 9, 2016
  • 1 reply
  • 7576 views

Hello

We have been using FM for years, but we are stuck trying to resolve a problem with a large spambot in Taiwan.

We implemented sender reputation and some SMTP limits, but the spammers always adapt their methods.

We used to handle +/- 400K sessions per month, but since December we have been receiving more than 2.5M SMTP sessions.

Stats were about 50% spam before and are reaching 98% spam now.

Log files are not readable due to millions of rejects, and log files are created more than once a day.

Complaints to the abuse mailbox remain.

Are you aware of some other techniques to block this?

We have some other hosted services like web servers, and some of our clients are trading with Taiwan, so blocking IP prefixes with FortiGate policies is not possible.

Thanks in advance

    1 reply

    Paul_S
    New Member
    February 9, 2016

    Can you post a sample email with the headers?

    I block most foreign countries with my FortiGate. I know you said that would not work, but maybe you could build a list of your partners, get their SMTP IP addresses, then block all SMTP traffic from Taiwan IP prefixes EXCEPT if they are in your allowed_partners_group.

    I basically do something like that now and it works pretty well. The only spam I struggle with is spam that is sent via a major email provider (outlook.com, gmail.com, etc.) because I cannot block the IP or the domain. I've started using keyword blocking for them.
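    The approach in the reply above (a country-wide SMTP deny with a partner allowlist evaluated first) can be sketched as a policy check, and the unreadable reject logs can be condensed by aggregating rejects per /24. The following is an added example written for this thread, not code from Fortinet, FortiGate or FortiMail; the prefixes, the partner address and the log lines are constructed placeholders (the log format is simplified and not real FortiMail output), and the GeoIP list would in practice come from the firewall's country objects.

```python
import ipaddress
import re
from collections import Counter

# Constructed placeholder prefixes standing in for a GeoIP country object.
# These are documentation ranges, not real Taiwan allocations.
GEO_BLOCK_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed allowlist of partner MTAs that must keep SMTP access even though
# they fall inside the blocked country prefixes (the "allowed_partners_group").
ALLOWED_PARTNERS = {ipaddress.ip_address("203.0.113.25")}

SMTP_PORTS = {25, 465, 587}


def smtp_policy(src_ip, dst_port):
    """Return 'allow' or 'block' for one inbound connection.

    Order matters: the partner exception is evaluated before the geo block,
    mirroring a firewall where the partner allow policy sits above the
    country-wide deny. Non-SMTP ports (web servers) are never affected."""
    ip = ipaddress.ip_address(src_ip)
    if dst_port not in SMTP_PORTS:
        return "allow"
    if ip in ALLOWED_PARTNERS:
        return "allow"
    if any(ip in net for net in GEO_BLOCK_PREFIXES):
        return "block"
    return "allow"


# Constructed reject-log lines in a simplified format (not real log output).
SAMPLE_LOG = """\
2016-02-09 10:01:02 client=203.0.113.17 action=reject reason=sender-reputation
2016-02-09 10:01:03 client=203.0.113.44 action=reject reason=sender-reputation
2016-02-09 10:01:05 client=198.51.100.9 action=reject reason=rate-limit
2016-02-09 10:01:06 client=203.0.113.25 action=accept
2016-02-09 10:01:07 client=203.0.113.91 action=reject reason=sender-reputation
2016-02-09 10:01:09 client=192.0.2.10 action=reject reason=sender-reputation
"""

LOG_RE = re.compile(r"client=(?P<ip>[0-9.]+)\s+action=(?P<action>\w+)")


def top_reject_prefixes(log_text, prefix_len=24):
    """Aggregate rejected sessions by /prefix_len so the noisy sources stand
    out in a log that is otherwise unreadable line by line."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("action") != "reject":
            continue
        net = ipaddress.ip_network(f"{m.group('ip')}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return counts.most_common()


if __name__ == "__main__":
    for net, n in top_reject_prefixes(SAMPLE_LOG):
        print(f"{net:20} {n} rejects")
    for ip in ("203.0.113.17", "203.0.113.25", "192.0.2.10"):
        print(ip, "port 25 ->", smtp_policy(ip, 25), "| port 443 ->", smtp_policy(ip, 443))
```

    The prefix aggregation is what makes the partner list manageable: once the handful of /24s producing most rejects is known, the allowlist only needs the partner MTAs that actually live inside them, and web traffic from the same prefixes passes untouched because the deny is scoped to SMTP ports.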

    emnoc
    New Member
    February 10, 2016

    GeoIP blocking should be your friend, but have you also engaged FortiGuard to see if they can help with the intelligence?

     

    seth57
    seth57Author
    New Member
    February 10, 2016

    Hi all,

    Thanks for the answers.

    GeoIP and object creation are not usable solutions, as I work for a little ISP in a little country (we have hundreds of clients who are trading with many financial places all over the world).

    I'll check with Fortinet to find a solution.

    Thanks again for the suggestions.