Support Forum
Bgoines
New Contributor

Emails from *.ru domain

I am getting tons of emails from the *.ru domain. They are being quarantined but the amount of quarantined messages is getting to be a nuisance. Is there any way to stop these emails? I have put the *.ru domain in my blacklist but that does not seem to stop them. There are too many addresses that the spammers are using! Thank you, Brock
Paul_S
Contributor

Blacklist should work. Do the FortiMail logs show "blacklisted" when it gets one of the messages? What type of firewall do you have in front of this mail system, FortiGate? What IP addresses are the emails coming from? USA or Russian IPs?

FG200D 5.6.5 (HA) - primary | FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x | FAZ-VM 5.6.5 | Fortimail 5.3.11 | Network+, Security+
Bgoines
New Contributor

The logs show "System Black/Blacklisted, Possible Forged Address". I have a FortiMail 100C. There is a FortiGate 110C in front of it. Here is the IP info: "customer-static-201-216-205.49.iplannetworks.net [201.216.205.49] (may be forged)". Maybe I should look at the others to see if they are coming from the same address? If so, block that domain?
emnoc
Esteemed Contributor III

Can't you do this with a match on the sender and access controls using a regex expression? I do question why you would want to drop a whole ccTLD from sending you mail. Sounds like your FortiGuard rating should have caught and flagged these as bad. What I would do personally is use a recipient policy with the match on the ru domains, and then apply a tight session profile that limits these guys. Then apply this policy as your top-most policy. Monitor for a few days and see what happens. Thinking about this more, you could tweak it not to quarantine anything. You also might want to speak to the Fortinet FAM guys and see what they say, or have them analyze the eml message.

PCNSE 

NSE 

StrongSwan  
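The sender-domain match emnoc describes, as an added example in Python (not FortiMail's own matching logic, and not its access-control regex syntax): the pattern is anchored on the domain part of the envelope sender, so subdomains under .ru match while look-alikes such as ru.example.com or example.ruby.com do not. The rule names and sample senders are constructed for this example.

```python
import re

# Block rules keyed on the sender's domain. Each pattern is anchored so that only the
# ccTLD itself (and its subdomains) matches; a bare ".ru" substring check would also hit
# "ru.example.com" and "example.ruby.com". Entries are constructed for this example.
BLOCKED_DOMAIN_PATTERNS = {
    "ru-cctld": re.compile(r"(^|\.)ru$", re.IGNORECASE),
}

def sender_domain(address):
    """Return the lower-cased domain of an envelope sender, or None if it is malformed."""
    address = address.strip().strip("<>")
    if address.count("@") != 1:
        return None
    domain = address.rsplit("@", 1)[1].strip().lower()
    return domain or None

def matching_rule(address):
    """Return the name of the first block rule the sender's domain matches, else None.
    Malformed senders are not matched here; the caller decides how to treat them."""
    domain = sender_domain(address)
    if domain is None:
        return None
    for name, pattern in BLOCKED_DOMAIN_PATTERNS.items():
        if pattern.search(domain):
            return name
    return None

def triage(senders):
    """Split envelope senders into (blocked, allowed, malformed) lists, preserving order."""
    blocked, allowed, malformed = [], [], []
    for sender in senders:
        if sender_domain(sender) is None:
            malformed.append(sender)
        elif matching_rule(sender):
            blocked.append(sender)
        else:
            allowed.append(sender)
    return blocked, allowed, malformed

# Constructed sample senders, including look-alikes that must not be blocked.
SAMPLE_SENDERS = [
    "promo@mail.example.ru",
    "<Offer@EXAMPLE.RU>",
    "partner@ru.example.com",
    "dev@example.ruby.com",
    "bad header no at sign",
]

if __name__ == "__main__":
    for label, group in zip(("blocked", "allowed", "malformed"), triage(SAMPLE_SENDERS)):
        print(label, group)
```

Malformed senders are reported separately rather than silently allowed, since a forged or empty sender is itself worth a closer look in the logs.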
emnoc
Esteemed Contributor III

Yes, block it and drop it like it's hot :) On my response, I just realized you can't apply session limits within the recipient policies. But dropping a "ru" domain might be bad or good depending on whether you deal with anybody in Russia. How do you have your policies constructed and the action taken?

PCNSE 

NSE 

StrongSwan  
Bgoines
New Contributor

I will add that domain to see if that works :) My policy is very basic at this time. FortiMails are very new to me. We don't deal with anyone from .ru. Blocking the domain wouldn't hurt us at all. :)
Paul_S
Contributor

If you don't deal with certain countries, then block them at the FortiGate (firewall) level. We only accept email from North America plus a short list of foreign mail servers. The IP you shared is from Argentina; if you don't need to talk with that country you could block the whole country at the FortiGate using a geography firewall object. What version is your firewall, 4.3.x or 5.x?

FG200D 5.6.5 (HA) - primary | FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x | FAZ-VM 5.6.5 | Fortimail 5.3.11 | Network+, Security+
Bgoines
New Contributor

We are on version 4.x
Bromont_FTNT
Staff

If the logs show this e-mail is blacklisted by the System Blacklist but the e-mails are still coming through then I would assume your blacklist action is set to AS Profile instead of Reject/Discard. You could change the blacklist action or the default action in the AS profile.
Bgoines

You are correct. It is set to AS Profile. I changed it to "discard". Let's see if this helps. Thanks for the help.