FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Adrian_Buckley_FTNT
Article Id 197177
Purpose
The article shows the steps needed in order to block email based on keywords in the senders email address when the envelope and MIME "From" data do not match.



Scope



Scope


All FortiOS
Steps or Commands Sometimes, when an email comes in, the email address displayed by the software will be different then the email that sent it.

abuckley_Image of From.jpg



Looking at the MIME headers shows that this is not the same as the sending email information
Return-Path: <something@example.com>
Received: from mail.example.org ([unix socket])
by example.org (Cyrus v2.3.7-Invoca-RPM-2.3.7-2.el5) with LMTPA;
Mon, 18 Jan 2010 18:47:12 -0800
Received: from mailrelay.fortinet.com (mailrelay.fortinet.com [192.168.1.3])
by mail.fortinet.com (8.13.8/8.13.8) with ESMTP id o0J2lAlH030300
for <something@example.org>; Mon, 18 Jan 2010 18:47:10 -0800
Received: from smtp.fortinet.com (smtp.fortinet.com [192.168.1.2])
by mailrelay.fortinet.com (192.168.1.3) with ESMTP id o0J2lAHQ011693
for <something@example.org>; Mon, 18 Jan 2010 18:47:10 -0800
Received: from [192.168.1.1] (localhost [192.168.1.2])
by smtp.fortinet.com with ESMTP id o0J2l717027529-o0J2l719027529
(version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO)
for <something@example.org>; Mon, 18 Jan 2010 18:47:09 -0800
Date: Mon, 18 Jan 2010 18:47:09 -0800
From: VIAGRA (c) Best Supplier <example@something.com>
To: something@example.org
The FortiGate Email BWL list operates on the Envelope From information (The Return-Path). So if the details needed are located in the From but not the return path, MIME scanning must be used.

This option can only be enabled from and configured from the CLI.


Example in Fortis 4.0MR2 and above :


FGT# sho spamfilter mheader
config spamfilter mheader
edit 2
set comment "block from user1"
config entries
edit 1
set fieldbody "/viagra/i"
set fieldname "/^from$/i"
set pattern-type regexp
next
end
set name "user1"
next
end

FGT# sho spamfilter profile mail
config spamfilter profile
edit "mail"
set spam-log enable
config smtp
set options spamhdrcheck
end
set spam-mheader-table 2
next
end

FGT# sho firewall policy 2
config firewall policy
edit 2
set srcintf "wan2"
set dstintf "internal"
set srcaddr "all"
set dstaddr "all"
set action accept
set utm-status enable
set schedule "always"
set service "ANY"
set spamfilter-profile "mail"
set profile-protocol-options "default"
set nat enable
next
end


Example in Fortis 3.0, 4.0, 4.0MR1  :

config spamfilter mheader
edit 1
config entries
edit 1
set action clear
set fieldbody /viagra/i
set fieldname /^from$/i
set pattern-type regexp
next
end
set name mheader_table
next
end

config firewall profile
edit Scan
set smtp scan bannedword fragmail spamemailbwl spamfssubmit spamfsurl spamipbwl spamhdrcheck
splice
set spammheadertable 1
next
end




The command set smtp does not have to contain all these options. These can be selected by the administrator. The one key option that can only be added by CLI, and needs to be added to enable the check, is spamhdrcheck.

If the email has been encrypted using StartTLS, then MIME header checking will fail because encrypted traffic can not be scanned for content unless the unit is running 4.0 and has 'Deep Scanning' enabled (not available on all models).

Expectations, Requirements
After reading the people should be able to examine their emails and configure their Fortigate units to block based on details in the Email.

Related Articles

List and order of antispam filtering checks - an overview

Contributors