Technical Note : Using FortiGate DLP to block/filter email/spam based on "sender" (From:) information
Description
This article explains how to configure and verify DLP (Data Leak Prevention) to block / filter the emails / spams based on criteria present in the "sender" (From:) information.
Scope
- FortiOS 4.0MR1 and 4.0MR2
- Example presented in 4.0MR2
Solution
The example presented hereafter blocks every email whose sender (From:) information, in the SMTP envelope or in the MIME header, contains the keyword "watch".
It is assumed that the SMTP traffic enters the FortiGate on the WAN2 interface and is destined to an SMTP server reachable through the DMZ interface.
CLI configuration example (FortiOS 4.0MR2) :
config dlp rule
    edit "All-Email-from-watch-sender"
        set protocol email
        set sub-protocol smtp
        set field sender
        set regexp "*watch*"
        set regexp-wildcard enable
    next
end
config dlp sensor
    edit "sensor_block_watch"
        config rule
            edit "All-Email-from-watch-sender"
                set action ban
                set archive enable
                set expiry 10m
            next
        end
        set dlp-log enable
    next
end
config firewall policy
    edit 2
        set srcintf "wan2"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set utm-status enable
        set schedule "always"
        set service "ANY"
        set dlp-sensor "sensor_block_watch"
        set profile-protocol-options "default"
    next
end
Notes :
- "set action ban" bans the source IP address for the expiry period (10 minutes here), so all SMTP traffic from that host is blocked. Use "set action ban-sender" instead to block only the mails coming from the matching sender.
- With regexp-wildcard enabled, "*watch*" matches the keyword anywhere in the sender field, so a sender such as nightwatch@example.com is blocked as well. Tighten the pattern (or use a regular expression without the leading/trailing wildcards) if only specific senders should match.
- DLP inspection is applied only because the policy has "set utm-status enable" and the sensor attached with "set dlp-sensor"; a policy without these settings lets the mail through untouched.
Test and verification :
- Send a mail through the FortiGate, from wan2 to dmz, with the sender "watch_shop@test.lab".
- The message returned to the user's MUA (tested with Outlook Express) is the following:
- Check the FortiGate log :
1 logs found.
1 logs returned.
1: 2010-06-04 15:08:09 log_id=0954024576 type=dlp subtype=dlp pri=warning vd="root" policyid=2 identidx=0 serial=107333 user="N/A" group="N/A" src=10.112.0.10 sport=1694 src_port=1694 src_int="wan2" dst=10.160.0.8 dport=25 dst_port=25 dst_int="dmz" service=smtp status=detected hostname="N/A" url="N/A" from="N/A" to="N/A" msg="data leak detected(Data Leak Prevention Rule matched: ip address banned)" rulename="All-Email-from-watch-sender" compoundname="N/A" action=ban severity=1
or, if ban-sender was used:
1: 2010-06-04 16:21:15 log_id=0954024576 type=dlp subtype=dlp pri=warning vd="root" policyid=2 identidx=0 serial=109156 user="N/A" group="N/A" src=10.112.0.10 sport=1911 src_port=1911 src_int="wan2" dst=10.160.0.8 dport=25 dst_port=25 dst_int="dmz" service=smtp status=detected hostname="N/A" url="N/A" from="N/A" to="N/A" msg="data leak detected(Data Leak Prevention Rule matched)" rulename="All-Email-from-watch-sender" compoundname="N/A" action=ban sender severity=1
- Check the sensor action applied in the ban list:
id  cause                        src-ip-addr  dst-ip-addr  expires                   created                   dlp-proto
1   All-Email-from-watch-sender  10.112.0.10               Fri Jun  4 15:18:09 2010  Fri Jun  4 15:08:09 2010  SMTP
The "created" time matches the timestamp of the DLP log entry, and "expires" is 10 minutes later, as set by "set expiry 10m" in the sensor. The dst-ip-addr column is empty: with action "ban" it is the source IP address (10.112.0.10) that is banned, not a particular destination, which is also what the log message "ip address banned" reports.
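The two checks above (does the wildcard pattern match the sender, and does the log/ban list show what the sensor was configured to do) can be rehearsed offline before touching the firewall. The script below is an added example for this article, not FortiGate code: it reimplements the regexp-wildcard matching of the DLP rule and parses the FortiOS key=value log record. The sample log line is constructed from the record shown above; the wildcard semantics (whole-field match, "*" for any run of characters, "?" for one character, case-sensitive unless ignore_case is set) and the expiry units (s/m/h/d) are assumptions, not taken from FortiOS documentation.

```python
"""Offline checks for a FortiGate DLP sender rule: wildcard matching and log parsing."""
import re
from datetime import datetime, timedelta

# Constructed sample: the DLP log record from the article, as one line.
SAMPLE_LOG = (
    '1: 2010-06-04 15:08:09 log_id=0954024576 type=dlp subtype=dlp pri=warning '
    'vd="root" policyid=2 identidx=0 serial=107333 user="N/A" group="N/A" '
    'src=10.112.0.10 sport=1694 src_port=1694 src_int="wan2" dst=10.160.0.8 '
    'dport=25 dst_port=25 dst_int="dmz" service=smtp status=detected '
    'hostname="N/A" url="N/A" from="N/A" to="N/A" '
    'msg="data leak detected(Data Leak Prevention Rule matched: ip address banned)" '
    'rulename="All-Email-from-watch-sender" compoundname="N/A" action=ban severity=1'
)

# Optional "N: " record index, then the FortiOS timestamp.
_TS_RE = re.compile(r'^\s*(?:\d+:\s*)?(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})')
# key=value pairs; quoted values may contain spaces and parentheses (see msg=...).
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Assumed "set expiry" syntax: integer followed by s, m, h or d.
_DURATION_RE = re.compile(r'^(\d+)([smhd])$')
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def wildcard_to_regex(pattern: str) -> str:
    """Translate a regexp-wildcard pattern into a regular expression.

    Assumption: the pattern must cover the whole sender field, which is why the
    article's rule wraps the keyword as "*watch*".
    """
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return "".join(out)


def sender_matches(pattern: str, sender: str, ignore_case: bool = False) -> bool:
    """True if the DLP rule's wildcard pattern would match this sender value."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(wildcard_to_regex(pattern), sender, flags) is not None


def parse_fortilog(line: str) -> dict:
    """Parse one FortiOS key=value log record into a dict (quotes stripped)."""
    rec = {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV_RE.findall(line)}
    m = _TS_RE.match(line)
    if m:
        rec["timestamp"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return rec


def parse_duration(expiry: str) -> timedelta:
    """Convert a sensor expiry value such as 10m or 1h into a timedelta."""
    m = _DURATION_RE.match(expiry)
    if not m:
        raise ValueError(f"unsupported expiry value: {expiry!r}")
    return timedelta(seconds=int(m.group(1)) * _UNITS[m.group(2)])


def ban_events(lines, rulename: str):
    """Yield the DLP records in which the given rule applied a ban action."""
    for line in lines:
        rec = parse_fortilog(line)
        if (rec.get("type") == "dlp" and rec.get("rulename") == rulename
                and rec.get("action", "").startswith("ban")):
            yield rec


def expected_ban_expiry(rec: dict, expiry: str = "10m") -> datetime:
    """When the ban raised by this record should drop off the ban list."""
    return rec["timestamp"] + parse_duration(expiry)


if __name__ == "__main__":
    # The third sender shows the over-match caused by the leading/trailing "*".
    for sender in ("watch_shop@test.lab", "alice@test.lab", "nightwatch@example.com"):
        print(f"{sender:24} matched={sender_matches('*watch*', sender)}")
    for rec in ban_events([SAMPLE_LOG], "All-Email-from-watch-sender"):
        print(rec["src"], rec["action"], "expires", expected_ban_expiry(rec))
```

Feed the real output of the FortiGate log query to ban_events() to confirm that each banned source corresponds to a matching sender, and compare expected_ban_expiry() with the "expires" column of the ban list; a mismatch points at a different expiry value in the sensor than the one you intended.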