I found that the RBL/ORDBL filter handles SPAM differently on SMTP and POP3. Namely, a message could pass unidentified through SMTP to a Mail Server located behind FG and then be tagged as "SPAM" when downloaded through POP3 from the same server! In many cases it is a legitimate message.
While troubleshooting the issue I guess I found what the problem is. In my opinion the issue is created by a firmware bug resulting in the way RBL/ORDBL handles the SPAM on POP3 and, possibly, on IMAP (I haven't checked the IMAP though).
In contrast to SMTP, where the RBL/ORDBL filter checks the IP address of the Mail Server the mail arrived from, on POP3 the RBL/ORDBL filter checks not only the IP address of the SMTP server the mail was sent through but the original IP address of the mail sender as well - and that is what creates the problem! Because netblocks of address space that are dynamically assigned to users and hosts make identification of spam sources quite difficult, many RBL/ORDBL servers include all known dynamic address spaces in their databases. The opinion of such RBL/ORDBL servers' owners is that "all outgoing mail from a dynamic address space (and in a few cases static space) should be made to flow through their ISP's mailserver".
The above-described issue creates another problem. I could put the IP address of the server it arrived from on a White List (Spam Filter -> IP Address with "Mark as Clear" action) so that legitimate mail is not labeled as "SPAM". But it only works on SMTP (which doesn't identify the SPAM in this particular case anyway). Currently THERE IS NO WAY to exclude legitimate mail from RBL/ORDBL if it is found on POP3 or IMAP. Even if the above-mentioned problem is fixed, BWL for POP3 and IMAP is still a must because in a lot of cases they are the main protocols that users sitting behind FG use to communicate with their Mail Server on the Internet.
I have raised the issue with the Support, but it may take ages before they respond. One of my three open tickets was raised a month ago (described here: http://support.fortinet.com/forum/m.asp?m=5807) - still there is no feedback.
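The difference the post describes, as an added example that is not part of the original post and is not Fortinet's code: a blocklist check on the delivering host only (the SMTP case) next to a check on every `Received` hop (the POP3 case as described). The message, addresses, host names, the `dnsbl.example` zone, the in-memory list standing in for DNS lookups, and all function names are constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample: a user on a dynamic address (203.0.113.57) submits mail
# through the ISP relay (198.51.100.10), which delivers it to our mail server.
RAW = """\
Received: from relay.isp.example (relay.isp.example [198.51.100.10])
\tby mx.corp.example with ESMTP; Mon, 1 Jan 2007 10:00:05 +0000
Received: from dyn-57.isp.example (dyn-57.isp.example [203.0.113.57])
\tby relay.isp.example with ESMTP; Mon, 1 Jan 2007 10:00:01 +0000
From: alice@isp.example
To: bob@corp.example
Subject: quarterly report

Hello Bob
"""

# Constructed stand-in for a DNSBL zone that lists dynamic address space.
LISTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def dnsbl_name(ip, zone="dnsbl.example"):
    """Query name a DNSBL client resolves: reversed octets plus the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def listed(ip):
    """Offline replacement for resolving dnsbl_name(ip) (assumption)."""
    return any(ipaddress.ip_address(ip) in net for net in LISTED_NETS)

def received_ips(raw):
    """Bracketed IPs from the Received headers, newest hop first."""
    msg = email.message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        ips.extend(IP_RE.findall(hdr))
    return ips

def smtp_style(raw):
    """Check only the host that handed the message to our server.
    (At SMTP time this is the socket peer; the top header models it here.)"""
    return listed(received_ips(raw)[0])

def header_scan_style(raw):
    """Check every hop, including the sender's own dynamic address."""
    return [ip for ip in received_ips(raw) if listed(ip)]
```

With this sample, `smtp_style(RAW)` finds nothing while `header_scan_style(RAW)` flags the sender's own address, so the same message is clean on delivery and tagged on retrieval.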