• Status: Solved
• Priority: Low
• Security: Public
• Views: 110
• Last Modified:

received large spam mail on my leased line

I received a large amount of spam mail on my leased line and checked my Exchange 2013 and my two mailboxes, and Symantec Exchange Mail Security 7.5.6 is updated and good.
I opened Anti-Spam in FortiGate and blocked many IPs, but not all.
I need a solution for my situation.
Mohamed Esmat
4 Solutions
Dr. Klahn, Principal Software Engineer, commented:
It's impossible to prevent all spam, because spammers are continually looking for ways to fool spam filters.  As soon as a filter goes up that prevents spam of new type Z2, the spammers start hurling more spam looking for a new format Z3 that will pass through the filter for Z2.  And so on, endlessly.

The result of this continuing combat between postmasters and spammers is that some spam is always going to get through, even with the best available spam filters kept absolutely up-to-date.

Two approaches I've found effective on linux:

Use the iptables geoip add-on and block destination port 25 from any country you do not expect email from.  At present I have over 100 countries blocked.  Note:  While this looks like a wonderful and very effective approach, it is not.  An IP block registered to country A could be physically located in country C and used by sites with a TLD for country K.  It's about 50% reliable and as a result of the previous IP block swapping issue, it blocks some things you don't want blocked, e.g., somebody in your own country using an IP block registered to a country you don't want.

Block the IP blocks belonging to server farms.  If your business is doing business with consumers and not companies, there's no reason to allow email from server farms -- which is where most spam seems to come from, at least on my system.  But blocking server farms takes time: you have to go investigate the IP addresses from your logs and see where they are coming from, and then write blocking rules for them.  Further, a bad side effect of this approach is that anybody using email based on a "cloud" server won't be able to get email to you, so you must leave some particularly bad server farms un-blocked.

At some point you must grit your teeth and say "I must tolerate this level of spam", or you end up endlessly chasing a problem that cannot be solved.
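The "investigate the IP addresses from your logs, then write blocking rules" step above is easy to automate. The script below is an added example, not code from the original thread or from any product mentioned in it: it parses constructed Postfix-style "connect from" log lines (using the IANA documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 as sample addresses), aggregates inbound SMTP connections per /24, selects the noisiest blocks above a threshold while honouring an allowlist for the "cloud" mail networks you decide to leave un-blocked, and renders one iptables DROP rule per block for port 25. The threshold, the /24 granularity and the sample data are assumptions chosen for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in Postfix smtpd "connect from" style.
# These are not from the original post; the addresses are IANA documentation ranges.
SAMPLE_LOG = """\
Jan 10 08:01:12 mx postfix/smtpd[1201]: connect from unknown[203.0.113.17]
Jan 10 08:01:15 mx postfix/smtpd[1202]: connect from unknown[203.0.113.18]
Jan 10 08:01:19 mx postfix/smtpd[1203]: connect from unknown[203.0.113.19]
Jan 10 08:02:03 mx postfix/smtpd[1204]: connect from mail.example.net[198.51.100.5]
Jan 10 08:02:40 mx postfix/smtpd[1205]: connect from unknown[203.0.113.20]
Jan 10 08:03:11 mx postfix/smtpd[1206]: connect from unknown[192.0.2.44]
Jan 10 08:03:12 mx postfix/smtpd[1207]: connect from unknown[192.0.2.45]
Jan 10 08:03:15 mx postfix/smtpd[1208]: connect from unknown[192.0.2.46]
Jan 10 08:03:20 mx postfix/smtpd[1209]: connect from unknown[192.0.2.47]
"""

# Matches "connect from <hostname or unknown>[<IPv4>]"
CONNECT_RE = re.compile(r"connect from \S+\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def count_by_block(log_text, prefix=24):
    """Count inbound SMTP connections per IPv4 /prefix network."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed address in the log; skip the line
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        counts[net] += 1
    return counts


def select_blocks(counts, threshold, allowlist=()):
    """Return [(network, count)] for blocks at or above the threshold,
    skipping any block that overlaps an allowlisted network (the networks
    you deliberately leave un-blocked so legitimate cloud mail still arrives)."""
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    chosen = []
    for net, n in counts.most_common():  # most_common keeps insertion order on ties
        if n < threshold:
            break
        if any(net.overlaps(a) for a in allowed):
            continue
        chosen.append((net, n))
    return chosen


def iptables_rules(blocks, chain="INPUT", port=25):
    """Render one iptables DROP rule per selected block for inbound SMTP."""
    return [f"iptables -A {chain} -p tcp --dport {port} -s {net} -j DROP"
            for net, _ in blocks]


if __name__ == "__main__":
    counts = count_by_block(SAMPLE_LOG)
    # Assumed policy: block any /24 with 3+ connections, but keep 192.0.2.0/24 reachable.
    blocks = select_blocks(counts, threshold=3, allowlist=("192.0.2.0/24",))
    for rule in iptables_rules(blocks):
        print(rule)
```

Run it against a real mail log by replacing SAMPLE_LOG with the file contents; review the generated rules before applying them, since a single busy /24 may also carry a correspondent's outbound relay.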
Lee W, MVP, Technology and Business Process Advisor, commented:
I don't disagree with Dr. Klahn; however, I find some spam filtering methods more effective than others.  I use Untangle (free version) of a router/UTM with the spam filter enabled and find, once I've tweaked the settings, I RARELY get blocked legitimate mail (when I do, it's often marketing mail or occasionally mailing list mail from someone I just need to whitelist).  And I probably get 3-5 false negatives per week out of literally thousands of messages.  Their paid version is supposed to be more effective, but at 3-5 per week, I'm happy with the free.
To add to earlier comments, and because I think you would like to mitigate/eliminate the cost incurred from the large data transfer, which is what you hope to accomplish: to determine if something is spam, the data must be received to be analyzed.

So to mitigate bandwidth consumption through receiving data, the best way is to determine/assess whether the source is likely a spam source. This determination needs to be made quickly and while limiting the max data transfer of such connections. This can be limited to, let's say, less than 500 bytes. And the sole way to achieve this is through the utilization of DNS black lists such as SORBS and others; look at mxtoolbox.com/blacklists.

The RBL check checks whether the source is a known spammer. Some of the lists designate dynamically allocated IP pools as unacceptable message originators on the premise that dynamically allocated IPs would not function as mail servers to which messages would be expected since the IP changes.

Even setting a message size limit will still count against you, though the message will not be accepted into the processing...

On FortiGate use the geo-location based blocking and enable all AntiSpam features along with 3rd party DNSBL.
Fortinet Article for DNSBL configuration:

Also enable DOS protection on FortiGate for SMTP traffic.

Good Luck!
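The RBL/DNSBL check described above works by reversing the connecting IP, appending the list's zone, and asking DNS for an A record; an answer in 127.0.0.0/8 means "listed", and the specific value says why. The code below is an added example, not from the original thread or from Fortinet, Spamhaus or any other product: it builds the query name for IPv4 and also IPv6 (nibble-reversed form, per the DNSBL convention), interprets the answer, and keeps the resolver pluggable so the logic can be exercised offline with constructed answers. The return-code table is taken from Spamhaus' published ZEN documentation (127.0.0.2-7 for SBL/XBL, 127.0.0.10-11 for the PBL, which is the "dynamically allocated IP pool" case mentioned above, and 127.255.255.x for query errors); check it against the list's current documentation, and substitute your own list's codes for other DNSBLs. The sample addresses and FAKE_ANSWERS are constructed for the demonstration.

```python
import ipaddress
import socket

# Return codes as documented by Spamhaus for zen.spamhaus.org. Other lists use
# their own codes; treat this table as a per-list configuration item.
ZEN_CODES = {
    "127.0.0.2": "SBL: verified spam source",
    "127.0.0.3": "SBL CSS: snowshoe or compromised sender",
    "127.0.0.4": "XBL: exploited/infected host (CBL data)",
    "127.0.0.9": "SBL: DROP/EDROP hijacked or bulletproof range",
    "127.0.0.10": "PBL: ISP-declared dynamic/end-user pool",
    "127.0.0.11": "PBL: Spamhaus-identified dynamic/end-user pool",
}


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: reversed octets (IPv4) or reversed
    nibbles (IPv6) followed by the list zone, e.g. 192.0.2.9 -> 9.2.0.192.zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(addr.exploded.split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))  # 32 hex nibbles
    return ".".join(labels) + "." + zone


def classify(answer, codes=ZEN_CODES):
    """Turn a DNSBL A-record answer (or None for NXDOMAIN) into a
    (verdict, detail) pair. verdict is 'listed', 'not_listed' or 'error'."""
    if answer is None:
        return ("not_listed", "")
    if answer.startswith("127.255.255."):
        # Spamhaus signals query problems (e.g. open resolver, query limit)
        # in this range; a mail server must not treat these as listings.
        return ("error", f"DNSBL reported a query problem ({answer})")
    if not answer.startswith("127."):
        # A dead or wildcarded zone resolving to a public IP would otherwise
        # cause every sender to be rejected.
        return ("error", f"answer {answer} outside 127/8; zone may be wildcarded or dead")
    return ("listed", codes.get(answer, f"listed with code {answer}"))


def _resolve_a(name):
    """Real resolver: A record as a string, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_sender(ip, zone="zen.spamhaus.org", resolve=None):
    """Check a connecting IP against one DNSBL zone. resolve(name) may be
    injected for tests; the default performs a live DNS query."""
    if resolve is None:
        resolve = _resolve_a
    return classify(resolve(dnsbl_query_name(ip, zone)))


# Constructed offline answers (not real listings) so the logic can be run
# without network access; keys are the names dnsbl_query_name() produces.
FAKE_ANSWERS = {
    "9.2.0.192.zen.spamhaus.org": "127.0.0.2",      # pretend: known spam source
    "44.113.0.203.zen.spamhaus.org": "127.0.0.11",  # pretend: dynamic end-user pool
}


def fake_resolve(name):
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    for sender in ("192.0.2.9", "203.0.113.44", "198.51.100.5"):
        print(sender, check_sender(sender, resolve=fake_resolve))
```

Because the lookup needs only the peer address, it can run at connection time, before the remote side sends any message data, which is what keeps the transfer for a rejected sender to a few hundred bytes of SMTP banner and error reply. A "listed" verdict maps to a 5xx rejection at connect; "error" should fall through to the normal content filter rather than reject.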
Seth Simmons, Sr. Systems Administrator, commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

-- Dr. Klahn (https:#a42441120)
-- Lee W MVP (https:#a42441179)
-- arnold (https:#a42441787)
-- myramu (https:#a42443374)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Experts-Exchange Cleanup Volunteer