Description
This article describes two ways of blocking e-mails written in a given language with a FortiGate: by matching the character set (charset) announced in the MIME information of the mail, or by matching banned words of that language in the mail content.
See also the related article 'Technical Note : Configuring a FortiGate to block emails from specific countries, using domain suffixes'.
The character sets (charsets) used by each language are listed on numerous Internet sites.
Scope:
FortiGate.
Solution
Solution 1:
Solution 1 is based on DLP rules that look for specific charset labels in the MIME information (the Content-Type header of each part and the encoded-words of headers such as Subject). It does not apply when the character set is UTF-8 or another Unicode encoding, since the same label is then used regardless of the language of the text.
If the configured character set is detected anywhere in a mail, the sensor action is triggered even if the rest of the mail is legitimate, so false positives are possible (for example, one section in Cyrillic within a mail written in English).
It is assumed that the SMTP traffic enters the FortiGate on the WAN2 interface and is destined to an SMTP server reachable via the DMZ interface.
The character set in use is indicated in the MIME headers. In the following example, 'gb2312' is used both in the encoded-word of the Subject header and in one part of this mail.
Return-Path: <user2@external.lab>
X-Original-To: user2@external.lab
Delivered-To: user2@external.lab
Received: from [10.112.0.10] (unknown [10.160.0.108])
by mail.external.lab (Postfix) with ESMTPS id 325C36644
for <user2@external.lab>; Fri, 4 Jun 2010 19:57:03 +0200 (CEST)
Message-ID: <4C0CFFE8.5080206@external.lab>
Date: Mon, 07 Jun 2010 16:19:20 +0200
From: user2 <user2@external.lab>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: user2@external.lab
Subject: Fwd: FW: o9byvn =?GB2312?B?udzA7bv5sb65pi0tvMa7rtPr1rTQ0CA2ODc5NA==?=
=?GB2312?B?ODY=?=
Content-Type: multipart/mixed;
boundary="------------010703080306080705040102"
This is a multi-part message in MIME format.
--------------010703080306080705040102
Content-Type: multipart/alternative;
boundary="------------070905030306010401070808"
--------------070905030306010401070808
Content-Type: text/plain; charset=gb2312
Content-Transfer-Encoding: 7bit
(*) This does not apply if the charset is 'UTF-8' or Unicode, as shown in the MIME header excerpt below:
------=_NextPart_001_0E88_014824E4.176AA680
Content-Type: text/plain;
charset=" utf-8"
Content-Transfer-Encoding: base64
The example below shows how to block all mails whose MIME information contains the strings "gb2312" (Simplified Chinese) or "koi8-r" (Cyrillic). The example is given for FortiOS 4.0 MR2.
A: FortiGate CLI configuration example
config dlp rule
    edit "filter gb2312"
        set protocol email
        set sub-protocol smtp
        set regexp "*gb2312*"
        set regexp-wildcard enable
    next
    edit "filter koi8-r"
        set protocol email
        set sub-protocol smtp
        set regexp "*koi8-r*"
        set regexp-wildcard enable
    next
end
config dlp sensor
    edit "Filter_mail_other_language"
        config rule
            edit "filter gb2312"
                set action ban
                set archive enable
                set expiry 5m
                set severity 5
            next
            edit "filter koi8-r"
                set action ban
                set archive enable
                set severity 5
            next
        end
        set dlp-log enable
        set nac-quar-log enable
    next
end
config firewall policy
    edit 2
        set srcintf "wan2"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set utm-status enable
        set schedule "always"
        set service "ANY"
        set spamfilter-profile "mail"
        set dlp-sensor "Filter_mail_other_language"
        set profile-protocol-options "default"
        set nat enable
    next
end
B: Verification when sending a mail containing gb2312 character set.
B1: FortiGate log.
FGT# execute log filter category 9
FGT# execute log display
1 logs found.
1 logs returned.
1: 2010-06-07 17:11:30 log_id=0954024576 type=dlp subtype=dlp pri=warning vd="root" policyid=2 identidx=0 serial=1647 user="N/A" group="N/A" src=10.112.0.10 sport=2711 src_port=2711 src_int="wan2" dst=10.160.0.8 dport=25 dst_port=25 dst_int="dmz" service=smtp status=detected hostname="N/A" url="N/A" from="N/A" to="N/A" msg="data leak detected(Data Leak Prevention Rule matched: ip address banned)" rulename="filter gb2312" compoundname="N/A" action=ban severity=5
B2: Client MUA warning message (tested with Outlook Express)
An unknown error has occurred. Account: '10.160.0.8', Server: '10.160.0.8', Protocol: SMTP, Server Response: '554 5.7.1 This email has been blocked because a data leak was detected. contact the admin to be re-enabled.', Port: 25, Secure(SSL): No, Server Error: 554, Error Number: 0x800CCC6F
C: Verification when sending a mail containing the koi8-r character set.
C1: FortiGate log.
FGT# execute log filter category 9
FGT# execute log display
1 logs found.
1 logs returned.
1: 2010-06-07 17:09:56 log_id=0954024576 type=dlp subtype=dlp pri=warning vd="root" policyid=2 identidx=0 serial=1607 user="N/A" group="N/A" src=10.112.0.10 sport=2709 src_port=2709 src_int="wan2" dst=10.160.0.8 dport=25 dst_port=25 dst_int="dmz" service=smtp status=detected hostname="N/A" url="N/A" from="N/A" to="N/A" msg="data leak detected(Data Leak Prevention Rule matched: ip address banned)" rulename="filter koi8-r" compoundname="N/A" action=ban severity=5
C2: Client MUA warning message (tested with Outlook Express)
An unknown error has occurred. Account: '10.160.0.8', Server: '10.160.0.8', Protocol: SMTP, Server Response: '554 5.7.1 This email has been blocked because a data leak was detected. Contact the admin to be re-enabled.', Port: 25, Secure(SSL): No, Server Error: 554, Error Number: 0x800CCC6F
D: Verification of the ban action (the sending IP address is placed on the banned user list)
FGT# get user ban list
created dlp-proto
1 filter gb2312 10.112.0.10 Mon Jun 7 17:17:38 2010
Solution 2:
Based on the Email Filter banned word list. Each banned word pattern is tagged with the language it is written in, so matching is done on the words themselves rather than on the charset label of the mail.
Step 1: Create a banned word list containing common words of the language(s) to block. The language of an entry can be one of:
- French
- Japanese
- Korean
- Simplified Chinese
- Spanish
- Thai
- Traditional Chinese
- Western
Step 2: Apply this list to the appropriate Email Filter Profile.
A: CLI configuration example.
config spamfilter bword
    edit 2
        config entries
            edit 1
                set language simch
                set pattern "你好 欢迎"
            next
            edit 2
                set language trach
                set pattern "你好 歡迎"
            next
            edit 3
                set language japanese
                set pattern "こんにちは"
            next
            edit 4
                set language thai
                set pattern "สวัสดี"
            next
        end
        set name "block_other_language"
    next
end
config spamfilter profile
    edit "block_other_language"
        set spam-log enable
        config smtp
            set options bannedword
        end
        set spam-bword-table 2
    next
end
config firewall policy
    edit 2
        set srcintf "wan2"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set utm-status enable
        set schedule "always"
        set service "ANY"
        set spamfilter-profile "block_other_language"
        set profile-protocol-options "default"
        set nat enable
    next
end
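The following Python script is an added example, not configuration or code from the Fortinet article, and emulates both checks offline so their behaviour can be compared: Solution 1 (matching the charset labels "gb2312" and "koi8-r" in the MIME information, as the DLP rules do) and Solution 2 (decoding each text part and matching the banned words of the bword table). The sample mails, their boundary and texts, and the choice of koi8-r and tis-620 for the Russian and Thai samples are constructed for this example; the blocked charsets and banned words are those of the article's configuration.

```python
# Added example, not code from the Fortinet article: offline emulation of the
# two checks configured on the FortiGate, run over constructed sample mails.
#   solution_1_hits(): match blocked charset labels in the MIME information
#                      (Content-Type of each part, RFC 2047 encoded-words in
#                      headers). One gb2312 part in an otherwise English mail
#                      still trips it; a UTF-8 mail written in Chinese never does.
#   solution_2_hits(): decode every text part and look for the banned words of
#                      the bword table, independent of the charset used.
import base64
import email
from email.header import decode_header

BLOCKED_CHARSETS = {"gb2312", "koi8-r"}       # Solution 1 DLP rules
BANNED_WORDS = {                              # Solution 2 bword table: pattern -> language
    "你好 欢迎": "simch",
    "你好 歡迎": "trach",
    "こんにちは": "japanese",
    "สวัสดี": "thai",
}


def build_mail(subject, parts):
    """Assemble a multipart/mixed mail from (charset, text) pairs; bodies are base64.
    Layout and boundary are constructed for this example."""
    lines = ["From: user1@external.lab", "To: user2@external.lab",
             "Subject: " + subject, "MIME-Version: 1.0",
             'Content-Type: multipart/mixed; boundary="b1"', ""]
    for charset, text in parts:
        body = base64.b64encode(text.encode(charset)).decode("ascii")
        lines += ["--b1", "Content-Type: text/plain; charset=%s" % charset,
                  "Content-Transfer-Encoding: base64", "", body]
    return "\n".join(lines + ["--b1--", ""])


def mime_charsets(msg):
    """Every charset label in the MIME information: part Content-Type and encoded-words."""
    found = set()
    for part in msg.walk():
        cs = part.get_content_charset()           # charset=gb2312 -> 'gb2312'
        if cs:
            found.add(cs.strip())
        for _, value in part.items():             # =?GB2312?B?...?= in Subject etc.
            for _, cs in decode_header(value):
                if cs:
                    found.add(cs.lower())
    return found


def solution_1_hits(raw):
    """Blocked charset labels present anywhere in the MIME information (Solution 1)."""
    return mime_charsets(email.message_from_string(raw)) & BLOCKED_CHARSETS


def decoded_text(msg):
    """Subject and all text/* parts decoded to Unicode so that words can be matched."""
    chunks = []
    for raw, cs in decode_header(msg.get("Subject", "")):
        chunks.append(raw.decode(cs or "us-ascii", "replace") if isinstance(raw, bytes) else raw)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)   # undo base64 / quoted-printable
        charset = (part.get_content_charset() or "us-ascii").strip()
        try:
            chunks.append(payload.decode(charset, "replace"))
        except LookupError:                       # charset label unknown to Python
            chunks.append(payload.decode("latin-1"))
    return "\n".join(chunks)


def solution_2_hits(raw):
    """Banned words present in the decoded text (Solution 2), as {pattern: language}."""
    text = decoded_text(email.message_from_string(raw))
    return {w: lang for w, lang in BANNED_WORDS.items() if w in text}


# The article's real Subject line, carrying an RFC 2047 encoded-word tagged GB2312.
GB_SUBJECT = "Fwd: FW: o9byvn =?GB2312?B?udzA7bv5sb65pi0tvMa7rtPr1rTQ0CA2ODc5NA==?="

# Constructed samples (texts, charsets of the Russian/Thai mails are assumptions).
MIXED_GB2312 = build_mail(GB_SUBJECT, [("us-ascii", "Forwarding this, original below."),
                                       ("gb2312", "你好 欢迎")])
UTF8_CHINESE = build_mail("Hello", [("utf-8", "你好 欢迎")])
KOI8R_RUSSIAN = build_mail("Privet", [("koi8-r", "Здравствуйте")])
TIS620_THAI = build_mail("Re: hello", [("tis-620", "สวัสดี")])
ENGLISH = build_mail("Hello", [("us-ascii", "Hello, welcome.")])

if __name__ == "__main__":
    for name, mail in [("mixed gb2312", MIXED_GB2312), ("utf-8 Chinese", UTF8_CHINESE),
                       ("koi8-r Russian", KOI8R_RUSSIAN), ("tis-620 Thai", TIS620_THAI),
                       ("English", ENGLISH)]:
        print("%-15s solution 1: %-12s solution 2: %s" % (
            name, sorted(solution_1_hits(mail)) or "-", sorted(solution_2_hits(mail)) or "-"))
```

Running it shows the mixed English/gb2312 mail and the koi8-r mail flagged by the Solution 1 check while the UTF-8 mail written in Chinese passes it untouched, and the same UTF-8 mail and the Thai mail caught by the Solution 2 banned-word check, which never looks at the charset label.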
B: Test and verification:
- Send a mail in the Thai language containing the word สวัสดี (hello).
- The sender's MUA receives the following warning message (tested with Outlook Express):
An unknown error has occurred. Subject 'Re: ??????', Account: '10.160.0.8', Server: '10.160.0.8', Protocol: SMTP, Server Response: '554 5.7.1 This message has been blocked because it contains a banned word.', Port: 25, Secure(SSL): No, Server Error: 554, Error Number: 0x800CCC6F.
- Check the FortiGate log:
FGT# execute log filter category 5
FGT# execute log display
1 logs found.
1 logs returned.
1: 2010-06-04 17:30:27 log_id=0508020481 type=emailfilter subtype=smtp pri=notice policyid=2 identidx=0 serial=110560 user="N/A" group="N/A" vd="root" src=10.112.0.10 sport=1974 src_port=1974 src_int="wan2" dst=10.160.0.8 dport=25 dst_port=25 dst_int="dmz" service=smtp carrier_ep="N/A" profile="block_other_language" profilegroup="N/A" profiletype="Antispam_Profile" status=detected from="user1@external.lab" to="user2@external.lab" tracker="N/A" banword="สวัสดี" msg="The email contains banned word(s)."