Jeff_Roback
Contributor

Content scanning of added headers doesn't work?

I'm seeing that when the FortiMail is doing content filtering to scan headers, it doesn't see headers that are added earlier in processing. I could swear this used to work and stopped at a certain upgrade, but I can't confirm that, so I'm curious if others have tried and succeeded with this in the past.

The use case for me was this: I wanted an easy way to look for the Header From and Envelope From with the content filter, as it seemed this would be more accurate than just scanning the headers for the text of "FROM:".

So I used the session profile to add headers to every message as follows:

Header Name: PX-ENVELOPE-FROM   Header Value: %%ORIG_ENVELOPE_FROM%%

Header Name: PX-HEADER-FROM   Header Value: %%HEADER(FROM)%%

This part works great, and I've left it in for general troubleshooting; it makes it very easy to jump to these during analysis.

But when I tried to use regex matching from within a content profile, it doesn't seem to see these new headers at all. I tried with the antispam dictionary as well, but I don't get a match.

I opened a case with support and they said this was expected behavior and that there's no way to do a dictionary inspection of headers added in the session profile. But I really remember in my head this working in earlier versions, but perhaps I'm mistaken.

Anyway, it's too bad this doesn't work, because it was a really handy way to be sure we were inspecting the actual Envelope From and Header From addresses, because with regex we're still making assumptions and opening ourselves up to false positives.

Thanks for any thoughts on this,

Jeff

Jeff Roback

Jjchen_FTNT
Staff

I think a DLP rule is also a good way to check env-From and header-From; you can choose "Sender matches regex" for env-From, and "Header matches regex" for header-From.
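
The false-positive concern raised in the original post, shown as an added example (plain Python, not FortiMail configuration and not code from either poster): a raw-text regex for "From:" plus an address matches lines that are not the sender, while parsing the message yields the actual header From to compare with the envelope sender. The sample message, the addresses and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the thread); all addresses are placeholders.
RAW = "\n".join([
    "Received: from mail.example.net by mx.example.org",
    "X-Original-From: ceo@example.org",
    'From: "ceo@example.org" <billing@example.net>',
    "To: user@example.org",
    "Subject: Fwd: see the line From: ceo@example.org",
    "",
    "Quoted text. From: ceo@example.org",
])
ENVELOPE_FROM = "bounce@example.net"  # SMTP MAIL FROM, travels outside the message


def naive_hits(raw, address):
    """Lines that a raw-text regex for 'From:' followed by the address matches."""
    pat = re.compile(r"(?im)^.*\bfrom:.*" + re.escape(address) + r".*$")
    return pat.findall(raw)


def domain(addr):
    """Lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


def inspect_sender(raw, envelope_from):
    """Parse the message and report the real header From beside the envelope sender."""
    msg = message_from_string(raw)
    display, header_from = parseaddr(msg.get("From", ""))
    return {
        "header_from": header_from.lower(),
        "envelope_from": envelope_from.lower(),
        "domains_match": domain(header_from) == domain(envelope_from),
        # Display name that looks like an address in a different domain
        "display_name_mismatch": "@" in display
        and domain(display) != domain(header_from),
    }


if __name__ == "__main__":
    for line in naive_hits(RAW, "ceo@example.org"):
        print("regex hit:", line)
    print(inspect_sender(RAW, ENVELOPE_FROM))
```

The regex reports four lines for an address that is never the sender; the parsed result shows the header From is billing@example.net, with a display name posing as the other address.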