Skip to main content
James_G
James_G
New Member
March 9, 2017
Question

Fortimail pre sales question

  • March 9, 2017
  • 1 reply
  • 5243 views

Hi folks

 

I am a Fortigate customer for firewalls across the organisation, but currently use a separate supplier for email security. Unfortunately we have found them lacking on a specific threat.

 

We have recently been receiving a number of malicious emails where the envelope address / display address of the incoming message has been spoofed to look like an internal sender, but the reply address is a totally different (but valid) 3rd party domain name. The incoming mail is not being blocked by SPF checks as the 3rd party domain is correctly configured, and the email contents have nothing that would flag as suspect, the sender is relying of gaining trust of the recipient to leak sensitive data as the conversation continues.

 

How would the Fortimail appliance mitigate this issue? Can you block if the envelope address / display address is spoofing the internal domain, but other headers are OK?

    1 reply

    JC_Geosoft
    JC_Geosoft
    New Member
    February 14, 2018

    Hey James,

    You should look at implementing DMARC. It's specifically designed to look at the Header From address, and not the envelope recipient (a flaw in SPF). It combines SPF, DKIM, and the domain portion of the header From address to come to a conclusion on how to filter the email.

     

    And yes, FortiMail does support SPF, DKIM and DMARC. We switched over from a 3rd party over a month ago and it works great for this.

     

    --

    Jason

    emnoc
    emnoc
    New Member
    February 14, 2018

    Yes DMARC is what you want, but be advise depending on the FMLversion you might not have it.

     

    You might be able to get away with a access_control and  set the  sender patter to be *.yourdomain.com and with 0.0.0.0/0 and a reject action tho.

     

    YMMV and thread carefully

     

    Ken Felix

     

    Terms & ConditionsAccessibility statement