Hi all, this happened to us yesterday. Our IP ended up in the Fortinet reputation database. We don't know yet what triggered it.
Because all our outgoing mail goes through our FG3600, it stopped delivering mail! Luckily an email to the removespam address worked and 4 hours later we were cleared.
Can someone shed some light on how this might have happened? All the mail logs and Fortianalyzer logs show no abnormal activity.
We made the spam list of Spamhaus a few months ago. I hadn't restricted access from internal clients to wan1 SMTP, and I suspect that a client machine got a virus or something and started pushing spam.
I think that Fortinet references Spamhaus (and probably a few others). My outgoing mail was OK since my policy for outgoing mail doesn't check for spam, as only my Exchange box can send now.
Once I cleared up Spamhaus, Fortinet automatically dropped me from their blacklist.
If you haven't already, I recommend creating a policy that denies SMTP from all internal IPs to wan1... and then create another that implicitly allows just your mail server(s) to access SMTP on wan1. This will almost certainly keep you off of the spam lists.
Thanks for the quick reply, we do have a policy in place that only allows SMTP outbound from our mail servers. The policy that denies SMTP from all others is disabled. We must have a discussion internally tomorrow to remember why we turned that off.
Cool... just a reminder that if you need to find out who is using SMTP (if there's a valid need for it from another machine somewhere), you can always use the session monitor and filter for TCP port 25 to see who is using it. Then just set up another rule for that system and you should be good to go.
Not blocking outgoing SMTP could also present a significant security risk as savvy users could use it to circumvent your e-mail system altogether.
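The policy pair described above (allow SMTP out only from the mail server, deny it from everything else) and the port-25 session check, written out as an added FortiOS CLI example. This is not configuration from the thread or from Fortinet; the interface names "internal" and "wan1", the address object name "mail-server", its IP 192.0.2.25 (documentation range) and the policy IDs 10 and 11 are assumptions and must be adapted to your own unit.

```text
# --- Added example, not from the original thread. Names/IPs are assumptions. ---

# 1. Address object for the only host allowed to send SMTP outbound.
config firewall address
    edit "mail-server"
        set subnet 192.0.2.25 255.255.255.255   # assumed mail server IP
    next
end

# 2. Allow policy for the mail server only, then an explicit deny for everyone else.
#    Both log traffic so a compromised client shows up in FortiAnalyzer.
config firewall policy
    edit 10
        set srcintf "internal"                  # assumed LAN interface
        set dstintf "wan1"
        set srcaddr "mail-server"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SMTP"                      # predefined TCP/25 service
        set nat enable
        set logtraffic all
        set status enable
    next
    edit 11
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "SMTP"
        set logtraffic all
        set status enable                       # a disabled deny (see the OP) protects nothing
    next
end

# 3. Policy lookup is top-down by position, not by ID: make sure the allow
#    rule sits above the deny rule, and both sit above any broad "all services" allow.
config firewall policy
    move 10 before 11
end

# 4. Find out who else is talking SMTP before (or after) you enable the deny:
#    filter the session table on destination port 25, list it, then clear the filter.
diagnose sys session filter clear
diagnose sys session filter dport 25
diagnose sys session list
diagnose sys session filter clear
```

If the session list shows a source other than the mail server, either it is a legitimate relay that needs its own allow policy above the deny, or it is the infected client that got you listed; the `logtraffic all` on the deny policy will keep reporting it once the block is active.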
Despite the fact that we block outbound SMTP some of our IPs ended up in the Fortinet reputation database as well.
Also, a client that uses a FG has reported that the vast majority of email coming in across their FG is coming from Fortinet-blacklisted IPs. This is despite the fact that they have previously received hundreds of messages from many different sources that weren't marked as spam.
I'm beginning to suspect some wider problem here with the Fortinet reputation database. What makes it so annoying is that you cannot actually tell WHY an IP is listed in the reputation database.
I'm in the process of getting some direct response from the Fortinet support droids about this problem.