Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

SPAM problem.

Hello, I think that my problem doesn't have its origin in the FortiGate box that I'm using, so please excuse me if I post an off-topic problem that I'm having. My problem is that since I enabled the antispam filter on my FortiGate box I receive a lot of emails with rejected messages sent out from my network. All the emails are spam, so I understand why they get rejected; what I don't understand is where they come from. I'm posting a message, maybe someone has a better understanding of what is going on.

The original message was received at Thu, 28 Aug 2008 12:11:52 +0300 from [router_internal_ip_address]
----- The following addresses had permanent fatal errors -----
<sundog46@edirect168.com>
(reason: 554 mail server permanently rejected message (#5.3.0))
----- Transcript of session follows -----
... while talking to mx1.url.com.tw.:
>>> DATA
<<< 554 mail server permanently rejected message (#5.3.0)
554 5.0.0 Service unavailable
... while talking to spamgw1.tnc.edu.tw.:
>>> DATA
<<< 421 Service unavailable - try again later
<uang1025@jl2jh.tnc.edu.tw>... Deferred: Connection reset by spamgw1.tnc.edu.tw.
... while talking to mx1.mail.tw.yahoo.com.:
>>> QUIT
<<< 453 Mail from router_public_ip_address not allowed - [90]
... while talking to mx2.mail.tw.yahoo.com.:
>>> DATA
<<< 451 Message temporarily deferred - [90]
<she4364651@yahoo.com.tw>,<jig146178@yahoo.com.tw>,<patricia121176@yahoo.com.tw>,<mhans1213tw@yahoo.com.tw>... Deferred: 451 Message temporarily deferred - [90]
<ntn00378006@yaoo.com.tw>... Deferred: Connection timed out with yaoo.com.tw.
UkWizard
New Contributor

It looks like either your mail server is relaying spam or a host internally is being used as a spam sender. Check your outbound connections to dest port 25, and see what internal hosts are sending them. Where you say router IP, I presume you mean the Fortinet's IP.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
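The check UkWizard describes (look at outbound sessions to destination port 25 and see which internal hosts open them) can be scripted against exported firewall logs. The following is an added example, not code from the thread or from Fortinet: it parses constructed, FortiGate-style key=value traffic log lines, counts accepted outbound sessions to TCP/25 per internal source address, and lists any sender that is not on an allow-list of known mail servers. The field names (srcip, dstport, action) follow the usual FortiGate traffic-log layout but the log content itself is made up.

```python
import re
from collections import Counter

# Constructed sample log (made up for this example); the key=value layout
# mirrors FortiGate traffic logs, but none of these sessions are real.
SAMPLE_LOG = """\
date=2008-08-28 time=12:10:01 srcip=192.168.12.10 dstip=203.0.113.25 dstport=25 service=SMTP action=accept
date=2008-08-28 time=12:10:03 srcip=192.168.12.10 dstip=203.0.113.26 dstport=25 service=SMTP action=accept
date=2008-08-28 time=12:10:05 srcip=192.168.12.77 dstip=198.51.100.9 dstport=25 service=SMTP action=accept
date=2008-08-28 time=12:10:06 srcip=192.168.12.77 dstip=198.51.100.10 dstport=25 service=SMTP action=accept
date=2008-08-28 time=12:10:07 srcip=192.168.12.77 dstip=198.51.100.11 dstport=25 service=SMTP action=accept
date=2008-08-28 time=12:10:09 srcip=192.168.12.20 dstip=203.0.113.80 dstport=80 service=HTTP action=accept
date=2008-08-28 time=12:10:11 srcip=192.168.12.77 dstip=198.51.100.12 dstport=25 service=SMTP action=deny
"""

# key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def outbound_smtp_by_host(log_text, accepted_only=True):
    """Count sessions to TCP/25 per internal source IP.

    By default only sessions the firewall accepted are counted, because
    those are the ones that actually reached a remote MX.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("dstport") != "25":
            continue
        if accepted_only and rec.get("action") != "accept":
            continue
        counts[rec["srcip"]] += 1
    return counts


def unexpected_smtp_senders(log_text, allowed_senders):
    """Hosts talking SMTP outbound that are not known mail servers, busiest first."""
    counts = outbound_smtp_by_host(log_text)
    return [(ip, n) for ip, n in counts.most_common() if ip not in allowed_senders]


if __name__ == "__main__":
    # Assumed: 192.168.12.10 is the site's legitimate mail server.
    for ip, n in unexpected_smtp_senders(SAMPLE_LOG, {"192.168.12.10"}):
        print(f"unexpected SMTP sender {ip}: {n} accepted sessions to port 25")
```

If the only host in the list is the mail server itself, the spam is either being relayed through it or, as later replies in this thread point out, never left the network at all and the bounces are backscatter from forged sender addresses.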
Not applicable

Yes, where I say router IP I mean my FortiGate box. I did some checking and my mail server is not an open relay. How can it relay spam then? It seems that the outbound sessions on port 25 are coming from my email server. What is odd is that this problem only appeared after I switched on the antispam feature on the FGT box.
abelio

Marius, check your mail server IP(s) against the FortiGuard AS database. You can do that at: http://www.fortiguardcenter.com/antispam/antispam.html

regards / Abel
Not applicable

"my_IP" is not blacklisted in the signature database. I had NAT checked on the firewall policy that allows PAT to be performed on the SMTP service. Think that was the problem?? I read on the forum that it should not be checked.
abelio

> "my_IP" is not blacklisted in the signature database.

Good; let's think about other things. What do the logs say? Verify that those annoying mails really are sent by your SMTP server. The bounced mails you've posted could be sent by another host with fake addresses within your domain, and you are only receiving those bounces. Last thing: could you post which antispam settings you enabled in that 'smtp' profile?

> I had NAT checked on the firewall policy that allows PAT to be performed on the SMTP service. Think that was the problem?? I read on the forum that it should not be checked.

Not related to your problem at first sight. If you've checked NAT for a firewall policy, the incoming mails appear to come from the FTG interface and not from the original sources.

regards / Abel
UkWizard
New Contributor

Could this just be a coincidence, as spammers occasionally start using your domain name for sending their spam, with random source email addresses? These end up bouncing back to you even though you didn't send them; there isn't any way around this if this is what's happening. We could do with some more information on the problem really. Can you post a couple of example email headers, and say what the source and dest email addresses are?
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Not applicable

So, the source of the emails is not my mail server. They are random source email addresses, just like UkWizard said. Here are some examples:

source: gxttnaitixdcbw@schmumpf.de destination: cjm@ms.boe.ttct.edu.tw
source: emilbtbzonazqjlav@pcfusion.com.au destination: a2783@ms6.hinet.net
source: msbfuwagclm@doj.ca.gov destination: yatw@ms32.hinet.net

Antispam settings for smtp:
ip address check
URL check
E-mail checksum
spam submission
IP address BWL check
Helo DNS lookup
Return e-mail DNS check
Spam Action discard

I just receive the bounces; the only thing I can give you is this:

The original message was received at Thu, 28 Aug 2008 10:48:37 +0300 from [192.168.12.254] -> my internal router address
----- The following addresses had permanent fatal errors -----
<randyhsu@arcoa.com.tw>
(reason: 554 M.5 <randyhsu@arcoa.com.tw>... User unknown(Local Mailbox))
<s93910@mail2.tses.toc.edu.tw>
(reason: 550 Host unknown)
<s84195@scps.tpc.edu.tw>
(reason: 550 5.1.1 <s84195@scps.tpc.edu.tw>... User unknown)
<sandy234@unitech.com.tw>
(reason: 550 Recipient not in route list.)
----- Transcript of session follows -----
... while talking to bmail.arcoa.com.tw.:
>>> RCPT To:<randyhsu@arcoa.com.tw>
<<< 554 M.5 <randyhsu@arcoa.com.tw>... User unknown(Local Mailbox)
554 5.0.0 Service unavailable
451 4.4.1 reply: read error from spam.cc.nctu.edu.tw.
<mic@cc.nctu.edu.tw>... Deferred: Connection timed out with spam.cc.nctu.edu.tw.
<service-ebw@epaper.com.tw>,<service-leon@epaper.com.tw>... Deferred: mail.epaper.com.tw.: No route to host
550 5.1.2 <s93910@mail2.tses.toc.edu.tw>... Host unknown (Name server: mail2.tses.toc.edu.tw: host not found)
... while talking to ccsun41.cc.ntu.edu.tw.:
>>> DATA
<<< 450 <liwan@ntu.edu.tw>: Recipient address rejected: Greylisted for 5 minutes
<liwan@ntu.edu.tw>... Deferred: 450 <liwan@ntu.edu.tw>: Recipient address rejected: Greylisted for 5 minutes
<<< 450 <kunchang@ntu.edu.tw>: Recipient address rejected: Greylisted for 5 minutes
<kunchang@ntu.edu.tw>... Deferred: 450 <kunchang@ntu.edu.tw>: Recipient address rejected: Greylisted for 5 minutes
<<< 554 Error: no valid recipients
... while talking to ccsun42.cc.ntu.edu.tw.:
>>> DATA
<<< 450 <liwan@ntu.edu.tw>: Recipient address rejected: Greylisted for 5 minutes
<liwan@ntu.edu.tw>... Deferred: 450 <liwan@ntu.edu.tw>: Recipient address rejected: Greylisted for 5 minutes
<<< 450 <kunchang@ntu.edu.tw>: Recipient address rejected: Greylisted for 5 minutes
<kunchang@ntu.edu.tw>... Deferred: 450 <kunchang@ntu.edu.tw>: Recipient address rejected: Greylisted for 5 minutes
<<< 554 Error: no valid recipients
... while talking to ccsun8.cc.ntu.edu.tw.:
>>> DATA
<<< 450 <liwan@ntu.edu.tw>: Recipient address rejected: Greylisted for 5 minutes
<liwan@ntu.edu.tw>... Deferred: 450 <liwan@ntu.edu.tw>: Recipient address rejected: Greylisted for 5 minutes
<<< 450 <kunchang@ntu.edu.tw>: Recipient address rejected: Greylisted for 5 minutes
<kunchang@ntu.edu.tw>... Deferred: 450 <kunchang@ntu.edu.tw>: Recipient address rejected: Greylisted for 5 minutes
<<< 554 Error: no valid recipients
... while talking to smtp.scps.tpc.edu.tw.:
>>> DATA
<<< 550 5.1.1 <s84195@scps.tpc.edu.tw>... User unknown
550 5.1.1 <s84195@scps.tpc.edu.tw>... User unknown
<<< 503 5.0.0 Need RCPT (recipient)
... while talking to mailstp.unitech.com.tw.:
>>> RCPT To:<sandy234@unitech.com.tw>
<<< 550 Recipient not in route list.
550 5.1.1 <sandy234@unitech.com.tw>... User unknown
... while talking to mx1.mail.tw.yahoo.com.:
>>> QUIT
<<< 453 Mail from 88.158.10.42 not allowed - [90]
... while talking to mx2.mail.tw.yahoo.com.:
>>> QUIT
<<< 453 Mail from 88.158.10.42 not allowed - [90]
<piro00123@yahoo.com.tw>... Deferred: 453 Mail from 88.158.10.42 (my public ip address) not allowed - [90]

Sorry for the lack of more details, please tell me if you need more. Thank you very much for your help!!!
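The bounces quoted in this thread are sendmail-style delivery status notifications, and two parts of them answer the questions the replies keep asking: the "from [ip]" line says which host handed the message to the local MTA (a private address here means it arrived from inside the network, or from the firewall's inside interface once NAT rewrites the source, as abelio notes), and the "<<< nnn" lines record how each remote MX answered, separating 4xx deferrals such as greylisting from 5xx permanent rejections. The following is an added example, not code from the thread: a small parser for that bounce format, run over a constructed sample whose addresses, host names and IPs are all made up.

```python
import ipaddress
import re

# Constructed sample of a sendmail-style bounce (DSN) modelled on the ones
# quoted in this thread; every address, host name and IP in it is made up.
SAMPLE_BOUNCE = """\
The original message was received at Thu, 28 Aug 2008 10:48:37 +0300
from [192.168.12.254]

   ----- The following addresses had permanent fatal errors -----
<user1@example.edu.tw>
    (reason: 554 5.0.0 Service unavailable)
<user2@example.com.tw>
    (reason: 550 5.1.1 <user2@example.com.tw>... User unknown)

   ----- Transcript of session follows -----
... while talking to mx.example.edu.tw.:
>>> DATA
<<< 554 mail server permanently rejected message (#5.3.0)
554 5.0.0 Service unavailable
... while talking to mx1.mail.example.tw.:
>>> QUIT
<<< 453 Mail from 203.0.113.42 not allowed - [90]
... while talking to mx2.mail.example.tw.:
>>> DATA
<<< 450 <user3@example.tw>: Recipient address rejected: Greylisted for 5 minutes
"""

RECEIVED_FROM_RE = re.compile(r"^from \[(\d{1,3}(?:\.\d{1,3}){3})\]", re.M)
TALKING_RE = re.compile(r"^\.\.\. while talking to (\S+?)\.?:$")
REPLY_RE = re.compile(r"^<<< (\d{3}) (.*)$")
FAILED_RE = re.compile(r"^<([^<>\s]+@[^<>\s]+)>$")


def parse_bounce(text):
    """Extract the injecting host, the failed recipients and every remote SMTP reply."""
    info = {"received_from": None, "failed": [], "replies": []}
    m = RECEIVED_FROM_RE.search(text)
    if m:
        info["received_from"] = m.group(1)
    remote = None  # MX currently being talked to in the transcript
    for line in text.splitlines():
        line = line.strip()
        t = TALKING_RE.match(line)
        if t:
            remote = t.group(1)
            continue
        f = FAILED_RE.match(line)
        if f:
            info["failed"].append(f.group(1))
            continue
        r = REPLY_RE.match(line)
        if r and remote is not None:
            info["replies"].append((remote, int(r.group(1)), r.group(2)))
    return info


def summarize_bounce(text):
    """Who handed the message to our MTA, and how the remote MXs answered."""
    info = parse_bounce(text)
    origin = info["received_from"]
    # An RFC 1918 address here means the message entered our MTA from inside
    # the network (or via the firewall's inside interface when NAT is on).
    private_origin = bool(origin) and ipaddress.ip_address(origin).is_private
    codes = [code for _, code, _ in info["replies"]]
    return {
        "received_from": origin,
        "private_origin": private_origin,
        "failed_recipients": info["failed"],
        "permanent_rejections": sum(1 for c in codes if 500 <= c < 600),
        "temporary_deferrals": sum(1 for c in codes if 400 <= c < 500),
        "remote_hosts": sorted({host for host, _, _ in info["replies"]}),
    }


if __name__ == "__main__":
    for key, value in summarize_bounce(SAMPLE_BOUNCE).items():
        print(f"{key}: {value}")
```

Run over a batch of bounces, the "received_from" values tell you whether the messages were injected by one internal host or arrived from outside with a forged sender in your domain (pure backscatter), and the 4xx/5xx split shows how much of the noise is greylisting that will simply retry.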
abelio

> source: gxttnaitixdcbw@schmumpf.de destination: cjm@ms.boe.ttct.edu.tw source: emilbtbzonazqjlav@pcfusion.com.au destination: a2783@ms6.hinet.net source: msbfuwagclm@doj.ca.gov destination: yatw@ms32.hinet.net

What ukwizard actually asked for was the headers of those emails ('from' and 'to' fields are easily forged); it is difficult to guess who's actually sending those emails without headers.

> Helo DNS lookup Return e-mail DNS check

Try de-activating those checks to see what happens; they are very strict. From the docs: "HELO DNS lookup: Enable or disable looking up the source domain name (from the SMTP HELO command) in the Domain Name Server. Return e-mail DNS check: Enable or disable checking that the domain specified in the reply-to or from address has an A or MX record."

regards / Abel
Not applicable

As an update to this problem, it seems that someone is spoofing my public IP address. I have configured RBL and DNSBL lists both on the server and on the FortiGate box, but the results are not very promising. So I will update my mail server since it's a bit old and install DomainKeys to see if that will take care of the problem completely.