Technical Note: Blocking Spam based on keywords in the Sender's Email address and using MIME header check
Purpose
This article shows the steps needed to block email based on keywords in the sender's email address when the envelope and MIME "From" data do not match.
Scope
All FortiOS
Steps or Commands
Sometimes, when an email comes in, the email address displayed by the mail software is different than the address that actually sent it.

Looking at the MIME headers shows that the displayed address is not the same as the sending email information.

The FortiGate Email BWL list operates on the Envelope From information (the Return-Path). So if the details needed are located in the From header but not in the Return-Path, MIME header scanning must be used. This option can only be enabled and configured from the CLI.

Example in FortiOS 4.0MR2 and above:

    FGT# sho spamfilter mheader
    config spamfilter mheader
        edit 2
            set comment "block from user1"
            config entries
                edit 1
                    set fieldbody "/viagra/i"
                    set fieldname "/^from$/i"
                    set pattern-type regexp
                next
            end
            set name "user1"
        next
    end

    FGT# sho spamfilter profile mail
    config spamfilter profile
        edit "mail"
            set spam-log enable
            config smtp
                set options spamhdrcheck
            end
            set spam-mheader-table 2
        next
    end

    FGT# sho firewall policy 2
    config firewall policy
        edit 2
            set srcintf "wan2"
            set dstintf "internal"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set utm-status enable
            set schedule "always"
            set service "ANY"
            set spamfilter-profile "mail"
            set profile-protocol-options "default"
            set nat enable
        next
    end

Example in FortiOS 3.0, 4.0, 4.0MR1:

    config spamfilter mheader
        edit 1
            config entries
                edit 1
                    set action clear
                    set fieldbody /viagra/i
                    set fieldname /^from$/i
                    set pattern-type regexp
                next
            end
            set name mheader_table
        next
    end

    config firewall profile
        edit Scan
            set smtp scan bannedword fragmail spamemailbwl spamfssubmit spamfsurl spamipbwl spamhdrcheck splice
            set spammheadertable 1
        next
    end

The set smtp command does not have to contain all of these options; the administrator can select the ones required. The one key option that can only be added from the CLI, and that must be added to enable the check, is spamhdrcheck.

If the email has been encrypted using StartTLS, MIME header checking will fail, because encrypted traffic cannot be scanned for content unless the unit is running 4.0 and has 'Deep Scanning' enabled (not available on all models).
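To test a pattern before putting it on the unit, the sketch below applies the same two regular expressions (fieldname /^from$/i, fieldbody /viagra/i) to a saved message and compares the Return-Path with the MIME From. It is an added example, not Fortinet code or the FortiGate's implementation; the sample message, addresses and function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: envelope sender (Return-Path) and MIME From differ.
SAMPLE = "\n".join([
    "Return-Path: <bounce@mailer.example.net>",
    'From: "Cheap Viagra Store" <sales@viagra-deals.example.com>',
    "To: user1@example.org",
    "Subject: Re: viagra question",
    "",
    "body text",
])

# The two regular expressions from the mheader entry on this page.
FIELDNAME = re.compile(r"^from$", re.IGNORECASE)
FIELDBODY = re.compile(r"viagra", re.IGNORECASE)


def mheader_match(raw, name_re=FIELDNAME, body_re=FIELDBODY):
    """Return the (name, value) headers where both regexes match."""
    msg = message_from_string(raw)
    return [(n, v) for n, v in msg.items()
            if name_re.search(n) and body_re.search(v)]


def envelope_vs_header(raw):
    """Return (envelope sender, MIME From address, mismatch flag)."""
    msg = message_from_string(raw)
    env = parseaddr(msg.get("Return-Path", ""))[1].lower()
    hdr = parseaddr(msg.get("From", ""))[1].lower()
    return env, hdr, env != hdr


def envelope_list_would_miss(raw, body_re=FIELDBODY):
    """True when the keyword is only in the MIME From, not the envelope sender."""
    env, _, _ = envelope_vs_header(raw)
    return bool(mheader_match(raw, body_re=body_re)) and not body_re.search(env)


if __name__ == "__main__":
    print(mheader_match(SAMPLE))
    print(envelope_vs_header(SAMPLE))
    print(envelope_list_would_miss(SAMPLE))
```

Because the field name pattern is anchored, the Subject line in the sample is ignored even though it contains the keyword; only the From header is reported.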
Expectations, Requirements
After reading this article, readers should be able to examine their emails and configure their FortiGate units to block based on details in the email.