Wayne11
Explorer
February 22, 2021
Question

FORGED but still delivered

  • February 22, 2021
  • 2 replies
  • 8010 views

Hi

 

We have realized a huge problem with our FortiMail 6.4.4 and FORGED emails. They are getting detected as FORGED because the SPF record is not valid, but afterwards, if a user has the forged sender address in their whitelist, the email will still get delivered. This is totally useless, because if anyone has, for example, noreply@wetransfer.com in their whitelist and the email is sent with the forged sender noreply@wetransfer.com, the email first gets detected as SPAM, in the next step it recognizes the (real) sender is whitelisted SYSTEM SAFE, and then the email is delivered anyway, even though it was previously detected and categorized as Spam/Forged.

 

Thx

Wayne

2 replies

abelio
SuperUser
February 22, 2021

Hello

2 comments:

 

1) wetransfer.com publishes '-all' in its SPF record; so, if anyone sends from a fake email address noreply@wetransfer.com AND you have correctly configured your FortiMail (with an action != accept), that email will not pass to the user's mailbox.

 

2) Whitelisting is a LAST resort method, for when you cannot solve a problem in another way. So it must be used carefully and monitored continuously. It shouldn't be enabled as a friendly feature for non-technical users.

 

I.e.: I have seen a lot of cases where a user whitelists their entire domain...

 

abelio
SuperUser
February 22, 2021

 

 

 wetransfer.com.         300     IN      TXT     "v=spf1 include:spf1.wetransfer.com include:servers.mcsv.net include:_spf.google.com include:mail.zendesk.com include:mailsenders.netsuite.com include:_spf.salesforce.com -all"

Jeff_Roback
New Member
March 4, 2021

FortiMail has a strange behavior with SPF records that makes them quite vulnerable to sender spoofing. In short, if the user or the admin has added an address to a safelist, the SPF is never checked. I've raised this with support and PSIRT, but apparently it's by design and the answer was to tell people to not use safelists.

 

There's really no practical workaround - if you put someone on a safelist, then you have no ability to use SPF to check for spoofed addresses.

 

See threads here:

https://forum.fortinet.com/tm.aspx?m=161900

 

and here:

https://forum.fortinet.com/tm.aspx?m=175489

 

for more details.

 

 

Jjchen_FTNT
Staff
March 10, 2021

In FortiMail 7.0, there will be an option to not bypass SPF/DMARC/DKIM for safelist.
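
The ordering problem discussed in this thread, as an added example that is not part of any post and is not FortiMail code: a small model of a mail filter in which the safelist is checked either before or after SPF. The domain, SPF records, IP addresses and function names are constructed for illustration, and the SPF evaluator only covers the `ip4`, `include` and `all` mechanisms.

```python
import ipaddress

# Constructed SPF data (reserved test domain and documentation IP ranges, not real DNS).
ZONE = {
    "example-sender.test": "v=spf1 include:_spf.example-sender.test -all",
    "_spf.example-sender.test": "v=spf1 ip4:192.0.2.0/24 ~all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, client_ip, depth=0):
    """Minimal SPF evaluator: ip4, include and all mechanisms only."""
    record = ZONE.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:                      # guard against include loops
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            # An include matches only when the included record evaluates to pass.
            matched = spf_check(mech[8:], client_ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue                    # mechanisms outside this sketch are skipped
        if matched:
            return RESULTS[qualifier]
    return "neutral"

def verdict(sender, client_ip, safelist, safelist_bypasses_spf):
    """Hypothetical pipeline; the flag models the two behaviours in the thread."""
    safelisted = sender.lower() in safelist
    if safelisted and safelist_bypasses_spf:
        return "deliver"                # SPF is never consulted for safelisted senders
    spf = spf_check(sender.rsplit("@", 1)[1].lower(), client_ip)
    if spf == "fail":
        return "reject"                 # forged sender is stopped even if safelisted
    return "deliver" if safelisted else "scan"

if __name__ == "__main__":
    safe = {"noreply@example-sender.test"}
    for bypass in (True, False):
        print(bypass, verdict("noreply@example-sender.test", "203.0.113.5", safe, bypass))
```

With the bypass enabled, a message from an unauthorized IP is delivered because the safelist matches the forged address; with authentication evaluated first, the same message is rejected while mail from the authorized range still benefits from the safelist.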