I'm seeing that when the FortiMail is doing content filtering to scan headers, it doesn't see headers that are added earlier in processing. I could swear this used to work and stopped at a certain upgrade, but I can't confirm that, so I'm curious if others have tried and succeeded with this in the past.
The use case for me was this: I wanted an easy way to look for the Header From and Envelope From with the content filter, as it seemed this would be more accurate than just scanning the headers for the text of "FROM:".
So I used the session profile to add headers to every message as follows:
Header Name: PX-ENVELOPE-FROM Header Value: %%ORIG_ENVELOPE_FROM%%
Header Name: PX-HEADER-FROM Header Value: %%HEADER(FROM)%%
This part works great, and I've left it in for general troubleshooting; it makes it very easy to jump to these during analysis.
But when I tried to use regex matching from within a content profile, it doesn't seem to see these new headers at all. I tried with the antispam dictionary as well, but I don't get a match.
I opened a case with support and they said this was expected behavior and that there's no way to do a dictionary inspection of headers added in the session profile. But I really remember in my head this working in earlier versions, but perhaps I'm mistaken.
Anyway, it's too bad this doesn't work, because it was a really handy way to be sure we were inspecting the actual Envelope From and Header From addresses, because with regex we're still making assumptions and opening ourselves up to false positives.
Thanks for any thoughts on this,
Jeff
Jeff Roback
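An added example, not part of the original post or any Fortinet code: an offline check on an exported message that reads only the two `PX-*` headers described above and compares their domains, alongside a plain text search for "FROM:" to show where the false positives come from. The sample message and all addresses are constructed, and it assumes `%%HEADER(FROM)%%` expands to the full From header value.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a message as it might look after the session profile
# has stamped the two PX-* headers from the post. All addresses are made up.
SAMPLE = (
    "Received: from mail.example.net by mx.example.com; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "PX-ENVELOPE-FROM: bounce-123@mailer.example.net\n"
    'PX-HEADER-FROM: "Accounts Payable" <ap@example.com>\n'
    'From: "Accounts Payable" <ap@example.com>\n'
    "X-Forwarded-From: someone@example.org\n"
    "Subject: Invoice\n"
    "\n"
    "Reply to the address in the line below.\n"
    "From: ceo@example.com\n"
)

def naive_from_hits(raw):
    """Every line containing the text 'FROM:', headers and body alike."""
    return re.findall(r"(?im)^.*from:.*$", raw)

def domain_of(value):
    """Lower-cased domain of an address header value, or None if absent (e.g. '<>')."""
    addr = parseaddr(value)[1]
    if "@" not in addr:
        return None
    return addr.rpartition("@")[2].lower() or None

def sender_domains(raw):
    """(envelope domain, header-From domain), read only from the PX-* headers."""
    msg = message_from_string(raw)  # body lines are never treated as headers
    return (domain_of(msg.get("PX-ENVELOPE-FROM", "")),
            domain_of(msg.get("PX-HEADER-FROM", "")))

def senders_mismatch(raw):
    """True only when both domains are present and differ."""
    env, hdr = sender_domains(raw)
    return env is not None and hdr is not None and env != hdr

if __name__ == "__main__":
    print(len(naive_from_hits(SAMPLE)), "lines match the text 'FROM:'")
    print(sender_domains(SAMPLE), "mismatch:", senders_mismatch(SAMPLE))
```

A domain mismatch between envelope and header From is normal for bulk mailers and mailing lists, so treat the result as a triage signal rather than a verdict.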
I think a DLP rule is also a good way to check env-From and header-From: you can choose "Sender matches regex" for env-From, and "Header matches regex" for header-From.