I found that RBL/ORDBL filter handles SPAM differently on SMTP and POP3. Namely, a message could pass unidentified through SMTP to a Mail Server located behind FG and than tagged as " SPAM" when downloaded through POP3 from the same server! In many cases it is a legitimate message.
While troubleshooting the issue I guess I found what the problem is. In my opinion the issue is created by a firmware bug resulting in the way RBL/ORDBL handles the SPAM on POP3 and, possibly, on IMAP (I haven’t checked the IMAP though).
On the contrary to SMTP where RBL/ORDBL filter checks IP address of the Mail Server the mail arrived from, on POP3 RBL/ORDBL filter checks not only IP address of SMTP server the mail was sent through but an original IP addresses of the mail sender as well - and that is what creates the problem! Because netblocks of address space, which are dynamically assigned to users and hosts makes identification of spam sources quite difficult, many RBL/ORDBL servers include all known dynamic address spaces into their databases. The opinion of such RBL/ORDBL servers’ owners is that “all outgoing mail from a dynamic address space (and in a few cases static space) should be made to flow through their ISP' s mailserverâ€.
The above described issue creates another problem. I could put IP address of the server it arrived from to a White List (Spam Filter -> IP Adress with “Mark as Clear†action) so that legitimate mail is not labeled as “SPAMâ€. But it only works on SMTP (which doesn’t identify the SPAM in this particular case anyway). Currently THERE IS NO WAY to exclude legitimate mail from RBL/ORDBL if it is found on POP3 or IMAP. Even though the above mentioned problem is fixed, BWL for POP3 and IMAP is still the must because in a lot of cases they are the main protocols, which users sitting behind of FG communicate to their Mail Server on the Internet.
I have raised the issue with the Support, but it may take ages before they respond. One of my three open tickets is raised a month ago (described here: [link]http://support.fortinet.com/forum/m.asp?m=5807 [/link]) - still there is no feedback.
VA