Fullmoon
New Member
October 15, 2020
Question

How FortiMail addresses email spoofing (inbound)

My client threw me a question on how FortiMail addresses spoofed emails. Reading this forum and other Fortinet documents, it seems I gathered only a few resources. Could anyone share recommended settings on how to address the above subject? I read about the BEC feature and it seems it works differently. Could SPF, DKIM and DMARC tighten the security, perhaps?

Is this good enough to handle incoming spoof emails?

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/47b932c2-9450-11e9-81a4-00505692583a/FortiMail_Preventing_Email_Spoofing.pdf

I assume this link is intended to protect against internal users spoofing internal users or other domains.

https://kb.fortinet.com/kb/documentLink.do?externalID=FD38665

Again, any useful insights are much appreciated.

    Hosemacht
    Explorer
    October 15, 2020

    Hey there,

    Let me tell you what we did against email spoofing with FortiMail:

  • 1st: enable a blocklist at your inbound Session Profile and set the record to "*@yourdomain.com"
  • 2nd: set up a Dictionary filter -> type Regex -> Pattern: "[EHeAdEr]^from:.*\b\@yourdomain.com\b", Pattern weight 1, Pattern Maximum 1 -> select Search header only -> add this to your Antispam Profile
  • 3rd: if licensed, enable Impersonation and set dynamic and manual -> for critical email addresses like CEOs, set up a manual Impersonation entry, Pattern type Regex -> under Display name enter a regex which hits if surname and lastname are in the display name, like: "(surname)+[\s\S]+(lastname)+|(lastname)+[\s\S]+(surname)+/gi" -> add this to your Antispam Profile

     Regards
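
The three checks from the reply above, modelled in Python as an added example (not part of the original posts and not FortiMail configuration). It assumes the session-profile blocklist acts on the envelope sender; the VIP name, sample messages and function names are constructed, and yourdomain.com is the placeholder from the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

PROTECTED_DOMAIN = "yourdomain.com"  # placeholder domain from the post
VIP = ("jane", "doe")                # constructed first name / last name

# Both name parts in the display name, in either order, case-insensitive.
VIP_RE = re.compile(
    r"{0}[\s\S]+{1}|{1}[\s\S]+{0}".format(*map(re.escape, VIP)), re.IGNORECASE)

def in_domain(addr):
    # Exact match on the part after the last "@", so a constructed
    # look-alike such as yourdomain.com.example.net is not counted.
    return addr.lower().rpartition("@")[2] == PROTECTED_DOMAIN

def spoof_checks(envelope_from, raw_message):
    """Return which of the three checks an inbound message trips."""
    msg = message_from_string(raw_message)
    display, header_addr = parseaddr(msg.get("From", ""))
    hits = []
    if in_domain(envelope_from):   # step 1 (assumed: envelope sender)
        hits.append("envelope_own_domain")
    if in_domain(header_addr):     # step 2: From: header address
        hits.append("header_from_own_domain")
    if VIP_RE.search(display):     # step 3: VIP display name
        hits.append("vip_display_name")
    return hits

# Constructed inbound samples: (envelope sender, raw message)
SAMPLES = [
    ("bounce@example.net", 'From: "Jane Doe" <jane.doe@yourdomain.com>\n\nhi'),
    ("ceo@yourdomain.com", "From: ceo@yourdomain.com\n\nhi"),
    ("x@example.org", 'From: "Doe, Jane" <jd@example.org>\n\nhi'),
    ("bob@example.org", "From: Bob <bob@yourdomain.com.example.net>\n\nhi"),
]

if __name__ == "__main__":
    for env, raw in SAMPLES:
        print(env, "->", spoof_checks(env, raw) or "clean")
```

The third sample passes both domain checks and is caught only by the display-name pattern, which is the case the impersonation step exists for.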

  • Fullmoon (Author)
    New Member
    October 16, 2020

    the_giraffe_that_wasnt_president wrote:

  • 1st: enable a blocklist at your inbound Session Profile and set the record to "*@yourdomain.com"
  • 2nd: set up a Dictionary filter -> type Regex -> Pattern: "[EHeAdEr]^from:.*\b\@yourdomain.com\b", Pattern weight 1, Pattern Maximum 1 -> select Search header only -> add this to your Antispam Profile
  • 3rd: if licensed, enable Impersonation and set dynamic and manual -> for critical email addresses like CEOs, set up a manual Impersonation entry, Pattern type Regex -> under Display name enter a regex which hits if surname and lastname are in the display name, like: "(surname)+[\s\S]+(lastname)+|(lastname)+[\s\S]+(surname)+/gi" -> add this to your Antispam Profile

    Thank you for this. Deeply appreciated.

    So far, how's the user experience after you defined the above settings?