received large spam mail on my leased line

i received large spam mail om my leased line and checked my exchange 2013 and my two mailbox and Symantec exchange mail security  7.5.6 are updated and good
I opened Anti spam in fortiGate and blocked many ip but not all.
i need solution for my situation.
Mohamed EsmatAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dr. KlahnPrincipal Software EngineerCommented:
It's impossible to prevent all spam, because spammers are continually looking for ways to fool spam filters.  As soon as a filter goes up that prevents spam of new type Z2, the spammers start hurling more spam looking for a new format Z3 that will pass through the filter for Z2.  And so on, endlessly.

The result of this continuing combat between postmasters and spammers is that some spam is always going to get through, even with the best available spam filters kept absolutely up-to-date.

Two approaches I've found effective on linux:

Use the iptables geoip add-on and block destination port 25 from any country you do not expect email from.  At present I have over 100 countries blocked.  Note:  While this looks like a wonderful and very effective approach, it is not.  An IP block registered to country A could be physically located in country C and used by sites with a TLD for country K.  It's about 50% reliable and as a result of the previous IP block swapping issue, it blocks some things you don't want blocked, e.g., somebody in your own country using an IP block registered to a country you don't want.

Block the IP blocks belonging to server farms.  If your business is doing business with consumers and not companies, there's no reason to allow email from server farms -- which is where most spam seems to come from, at least on my system.  But blocking server farms takes time, you have to go investigate the IP addresses from your logs and see where they are coming from, and then write blocking rules for them.  Further, a bad side effect of this approach is that anybody using a email based on a "cloud" server won't be able to get email to you, so you must leave some particularly bad server farms un-blocked.

At some point you must grit your teeth and say "I must tolerate this level of spam", or you end up endlessly chasing a problem that cannot be solve.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Lee W, MVPTechnology and Business Process AdvisorCommented:
I don't disagree with Dr. Klahn, however, I find some spam filtering methods more effective than others.  I use Untangle (free version) of a router/UTM with the spam filter enabled and find, once I've tweaked the settings, I RARELY get blocked legitimate mail (when I do it's often marketing mail or occasionally mailing list mail from someone I just need to whitelist.  And I probably get 3-5 false negatives per week out of literally thousands of messages.  Their paid version is supposed to be more effective, but at 3-5 per week, I'm happy with the free.
To add to earlier comments, and because I think you would like to mitigate/eliminate the cost incurred from the large data transfer which is what you hope to accomplish, but to determine if something is spam, the data must be received to be analyzed.

So to mitigate bandwidth consumption through receiving data, the best way is to determine/assess whether the source is likely a spam source. this determination needs to be made quickly and while limiting the max data transfer of such connections. THis can be limited to let's say less than 500bytes. And the sole way to achieve this is through the utilization of the DNS black lists such as sorbs, and others look at

The RBL check checks whether the source is a known spammer. Some of the lists designate dynamically allocated IP pools as unacceptable message originators on the premise that dynamically allocated IPs would not function as mail servers to which messages would be expected since the IP changes.

Even setting a message size limit will still count against you though the message will not be accepted into e processing .......

On FortiGate use the geo-location based blocking and enable all AntiSpam features along with 3rd party DNSBL.
Fortinet Article for DNSBL configuration:

Also enable DOS protection on FortiGate for SMTP traffic.

Good Luck!
Seth SimmonsSr. Systems AdministratorCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

-- Dr. Klahn (https:#a42441120)
-- Lee W MVP (https:#a42441179)
-- arnold (https:#a42441787)
-- myramu (https:#a42443374)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Experts-Exchange Cleanup Volunteer
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.