BLOCKING EMBEDDED GIF ???

Report Inappropriate Content · ‎12-06-2006

Hi All, F-60 : we are inundated with spam which carries embedded GIF images. This of course negates use of word filters to block. Although they can be succesfully blocked by including GIF in the FileBlock option this also blocks substantial valid mail. Also blocking by IP and URLs is possible but simply never ending and impractical as they' re ever-changing. I have raised this twice with Fortinet on the support page with two separate tickets and thay have no real solution. If anyone has experienced similar problems a solution will be most welcome. Tks, John

Report Inappropriate Content · ‎01-04-2007

I did it as well, however when I work in a ssh session, when I go to FilePattern section , following the quote I cannot type as value the question mark because an error appears (token line: Unmatched double quote) What I want to type is

edit " ??????????.gif"

rwpatterson · ‎01-04-2007

What I believe is going on here is that the switch is expecting a name, where you' re trying to input the value. Names cannot have special characters, or spaces (I think). ??????????.gif isn' t the name of the file pattern, it' s the value, isn' t it? Call it something like q10, and use the same value. See if that works.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Report Inappropriate Content · ‎01-04-2007

excerpt from FortiGate CLI Version 3.0 MR2 reference: Command syntax pattern (FortiGate-500 and below)

config antivirus filepattern edit <filepattern_string> set action <allow | block> set active {ftp http imap nntp pop3 smtp im} end

Example:

config antivirus filepattern edit *.xyz set allow imap smtp pop3 set block http ftp end

I realize that it ins' t a name, but the extension (or file pattern) itself

rwpatterson · ‎01-04-2007

Have you tried without the quotes?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

abelio · ‎01-04-2007

Hello Ariel, indeed, " ?' is a reserved word for the CLI one workaround for that you want to do would be rely on TAB-completition included in CLI' s shell language; ( i couldn' t find -yet- references about how to change default global behaviour CLI) I mean: first step: add the filepattern ??????????.gif with the webGUI, you should see it enabled blocking all protocols; (uncheck block box to prevent your users flames meanwhile you' ve completed second step )

second step: with CLI (SSH)

 config  antivirus filepattern 
               edit

and press TAB several times until appears ??????????.gif filepattern; press enter and you' ll work as usual to define blocking by protocol

  edit ??????????.gif
   set active smtp
   set action block

after that you should can see results after issuing " show antivirus filepattern"

 ...... 
 config antivirus filepattern
     edit " ??????????.gif" 
         set active smtp
     next
 end

By the way, I' m not sure about effectiveness of this " ?????????.gif" strategy as file pattern Looking logs, I can see it' s blocking all gif files (same effect that *.gif" filepattern; In my opinion Antivirus-filepattern it' s not using regexp, just wildcards. Could anybody confirm/refute this? IÂ´m not sure.

regards

/ Abel

Report Inappropriate Content · ‎01-04-2007

I did it.... and as soon as I type the question mark the fortigate shows me all the existing file extensions

Eastwind · ‎02-02-2007

I think many people are having the same problem, althought adding *.gif to antivirus pattern block will stop all email with gif coming in, but I notice notebooks that we got that have Forticlient 3.0 installed actually can catches embeded gif email and relief the customer from deleting them every 2nd hours from the inbox, anyone has that experience as well.