Fortinet Forum
Wayne11
Contributor

FORGED but still delivered

Hi
We have realized a huge problem with our FortiMail 6.4.4 and FORGED emails. They are getting detected as FORGED because the SPF record is not valid, but afterwards, if a user has the forged sender address in their whitelist, the email will still get delivered. This is totally useless because if anyone has, for example, noreply@wetransfer.com in their whitelist and the email is sent with the forged sender noreply@wetransfer.com, the email first gets detected as SPAM; in the next step it recognizes the (real) sender is whitelisted SYSTEM SAFE and then the email is delivered anyway, even though it was previously detected and categorized as Spam/Forged.
Thx

Wayne

abelio
Valued Contributor

Hello

2 comments:
1) wetransfer.com publishes '-all' in its SPF record; so, if anyone sends a fake email from the address noreply@wetransfer.com AND you have correctly configured your FortiMail (with an action != accept), that email will not pass to the user's mailbox.
2) Whitelisting is a LAST resort method, for when you cannot solve a problem in another way. So it must be used carefully and monitored continuously. It shouldn't be enabled as a friendly feature for non-technical users.
I.e.: I have seen a lot of cases where a user whitelists their entire domain...
regards


__ Abel

abelio
Valued Contributor

wetransfer.com.         300     IN      TXT     "v=spf1 include:spf1.wetransfer.com include:servers.mcsv.net include:_spf.google.com include:mail.zendesk.com include:mailsenders.netsuite.com include:_spf.salesforce.com -all"

regards


__ Abel

Jeff_Roback

FortiMail has a strange behavior with SPF records that makes it quite vulnerable to sender spoofing. In short, if the user or the admin has added an address to a safelist, the SPF is never checked. I've raised this with support and PSIRT, but apparently it's by design and the answer was to tell people to not use safelists.
There's really no practical workaround - if you put someone on a safelist, then you have no ability to use SPF to check for spoofed addresses.
See the threads here:

https://forum.fortinet.com/tm.aspx?m=161900

and here:

https://forum.fortinet.com/tm.aspx?m=175489

for more details.
Jeff Roback
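The ordering problem Jeff describes, as an added illustration that is not FortiMail code and not from anyone in this thread: a toy Python filter evaluates SPF against the wetransfer.com TXT record Abel quoted (with a constructed network standing in for what the include: mechanisms would resolve to, and constructed sender IPs), once with the safelist consulted before SPF and once with an SPF hard fail made final.

```python
import ipaddress

# TXT record as quoted earlier in this thread (dig output).
SPF_TXT = {
    "wetransfer.com": (
        "v=spf1 include:spf1.wetransfer.com include:servers.mcsv.net "
        "include:_spf.google.com include:mail.zendesk.com "
        "include:mailsenders.netsuite.com include:_spf.salesforce.com -all"
    ),
}
# Constructed stand-in for what the include: mechanisms would resolve to;
# a real evaluator resolves each include recursively (RFC 7208).
AUTHORIZED_NETS = {
    "wetransfer.com": [ipaddress.ip_network("198.51.100.0/24")],
}
QUALIFIERS = {"-all": "fail", "~all": "softfail", "?all": "neutral", "+all": "pass"}


def spf_check(sender_domain, client_ip):
    """Simplified SPF: 'pass' if the client IP is authorized, otherwise the
    result named by the trailing 'all' mechanism ('none' if no record)."""
    record = SPF_TXT.get(sender_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in AUTHORIZED_NETS.get(sender_domain, [])):
        return "pass"
    return QUALIFIERS.get(record.split()[-1], "neutral")


def _domain(sender):
    return sender.rpartition("@")[2].lower()


def filter_safelist_first(sender, client_ip, safelist):
    """The behaviour reported in the thread: a safelist hit short-circuits
    the pipeline, so SPF is never consulted for that sender."""
    if sender.lower() in safelist:
        return "deliver"
    return "reject" if spf_check(_domain(sender), client_ip) == "fail" else "content-filter"


def filter_spf_first(sender, client_ip, safelist):
    """Authentication before trust: an SPF hard fail is final, and the
    safelist only skips content filtering for mail not proven to be forged."""
    if spf_check(_domain(sender), client_ip) == "fail":
        return "reject"
    return "deliver" if sender.lower() in safelist else "content-filter"
```

Calling both filters for noreply@wetransfer.com from a constructed IP outside 198.51.100.0/24 (for example 203.0.113.9) with that address safelisted shows the safelist-first path delivering what the SPF-first path rejects.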

Jjchen_FTNT

In FortiMail 7.0, there will be an option to not bypass SPF/DMARC/DKIM for safelists.

Jeff_Roback

jjchen wrote:

In FortiMail 7.0, there will be an option to not bypass SPF/DMARC/DKIM for safelists.

This is incredibly fantastic, so happy to hear this! This is really the only major problem we've had with FortiMail, but it's a big one, so having this taken care of will leave me feeling good again about recommending the platform to clients.

Jeff

Jeff Roback