- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: how Fortimail address email spoofing (inbound)
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how Fortimail address email spoofing (inbound)
my client threw me a question on how FortiMail address spoofed emails. reading this forum and other Fortinet documents seems I gathered only few resources. Anyone could share recommended settings on how to address above subject? I read BEC feature and it seems it works differently. Does SPF, DKIM and DMARC could tighten the security perhaps?
Is this good enough to handle incoming spoof emails?
I assume this link is intended to protect internal users to spoof internal users or other domains
https://kb.fortinet.com/kb/documentLink.do?externalID=FD38665
Again any useful insights is much appreciated.
Fortigate Newbie
Fortigate Newbie
- « Previous
-
- 1
- 2
- Next »
16 REPLIES 16
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Jeff Roback wrote:Hi there I think what he's getting at is the scenario where there is a mail infrastructure behind the fortimail and the vast majority of legitimate messages with @yourdomain.com in the header-from are originating inside the organization. I think the idea would be to put a rule above that permitting the legitimate senders of internal mail, which would be fairly limited. In our case from Microsoft 365 services. That's the rule I'm testing now.
Would you mind if you could let me know how your testing goes? I'm at an impasse for this recipe.
Adam
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there,
sorry im late, maybe i forgott to explain: my discribed "blocked header" is only works in this scenario:
Wan -> Fortigate -> Fortimail(Gateway Mode) -> MTA (where "yourdomain.com" emails belong)
in this case if someone send me an email from someone@spam.com and set the from-header to someone@yourdomain.com
it is valid to block them because emails from "yourdomain.com" should only be sent from our MTA and no one else.
We have this setup for years now long before the Fortimail impersonation feature was introduced
and it just works with no additional charge.
Regards
sudo apt-get-rekt
sudo apt-get-rekt
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FYI, the regex string above doesn't do what I think the author is intending.
It has two problems: 1) The . in domain.com is evaluated as matching any character since it's not escaped. 2) The [EHeAdEr] isn't helping since a match of any of those characters will work. Here's what we've been testing with: ^From:.*<.*\@mydomain\.com>$ Here's a really handy site that lets you put in a regex string and test it against text. It will also break down the command for you. https://regexr.com/
Jeff Roback
Jeff Roback
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Jeff,
thanks for your input, but let me explain:
1) Fortimail regex is perl style so matches are case insensitive and can occur over multiple lines as if the word were on a single line (match modifier options i and s are in effect).
So for your tests on regexr.com you have to enable "i", "m" and "s" flags.
Then your regex hits multiple lines at my tests, everything between "from:" and the end of the "Retourn-Path" line.
2) The [EHeAdEr] part is FML specific and will specify to only check the original headers rather than the attachment headers also.
3) the dot in "yourdomain.com" is not escaped on purpose because spammers likes to fake header from fields with "," ":" or spaces between domain and topleveldomain.
Best Regards
sudo apt-get-rekt
sudo apt-get-rekt
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your explanation of this. I haven't been able to find much documentation on this, so I'm really glad to understand this now, and I'm actually really happy to understand the [EHeAdEr] portion, as this may solve another problem I'm having.
Happy to admit when I'm wrong and sorry if my tone was argumentative.
Jeff
Jeff Roback
Jeff Roback
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the_giraffe_that_wasnt_president wrote:The [EHeAdEr] part is FML specific and will specify to only check the original headers rather than the attachment headers also.
In thinking about this part more, I'm curious. Can you explain how this part works? It is the Fortimail using an undocumented functionality to take specific actions against the outer message header? Or is it this a string that only exists in the main header? If it is still being processed as a regex, how come it needs the case written in that way? Since it's case sensitive, seems like it wouldn't matter.
Thanks for your thoughts on this.
Jeff Roback
Jeff Roback
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ive got this EHeAdEr part from a fortinet training back in 2018.
I dont know much about this Part, and i also found no further informations in admin guides or cook books,
i was also concerned about the EHeAdEr part just like you but what i can say is after some tests with fake email accounts is it just works.
Regards
sudo apt-get-rekt
sudo apt-get-rekt
- « Previous
-
- 1
- 2
- Next »
Related Posts
- FortiMail Cloud and Office 365 guidance... 436 Views
- How to enable FortiMail ARC Sealing 475 Views
- Fortimail M365 Inbound handling 589 Views
- Multiple Domains 526 Views
- FortiMail DKIM 858 Views
Labels
-
FortiGate
6,453 -
FortiClient
1,289 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
67 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.