Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Diabolicus23
New Contributor

Custom IPS signature to block some emails

I' m trying to create a custom IPS signatures to block email based on the recipient but I' m stuck. Could anyone help me?
7 REPLIES 7
emnoc
Esteemed Contributor III

Easy just use pattern and the full email-address. This should block your user; edit " EmailBlock01" set signature " F-SBID( --revision 1; --name \" BlockMail01\" ; --service SMTP; --protocol tcp; --tcp_flags A; --pattern \" user@domain.com\" ; --no_case; --flow from_client;)" next fwiw; If the user is not present, than you shouldn' t really need to block anything and more so if validation is being used by the sender. Are you under a email flood for a particular user?

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Diabolicus23
New Contributor

Hi emnoc, I' ve created my own signature and it seems to work. The one you' ve posted should block an email even if the user@domain.com is written in the body (I check only the RCPT TO field).
ede_pfau
SuperUser
SuperUser

Would you please care to post your signature then? The forums are a two-way thing.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
emnoc
Esteemed Contributor III

Hi emnoc, I' ve created my own signature and it seems to work. The one you' ve posted should block an email even if the user@domain.com is written in the body (I check only the RCPT TO field).
That could be good or bad thing, but you might ( I' m only guessing, ede could correct me ) you could get creative and installed the actual " To: user@domain.com" in the match pattern and kill just the mail message with a header that contains thats. That would not catch anybody on a cc/bcc , just thinking off the top of my head. You will need to get creative and explore the options that you have and and how loose or tight of a block that you want imho. let us know what you come up with.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
ede_pfau
SuperUser
SuperUser

The pattern should be " RCPT TO: <user@mailserver.tld>" with 2 blanks and brackets. Curious as I am I tried to sniff outgoing mails on my FGT. Two reasons it didn' t work: 1- I' m using IMAP 2. I' m using IMAPS. And so will many users, use encryption and not plain text protocols.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
lightmoon1992
New Contributor

SSL inspection can do you some help. otherwise you should sniff at the server or one client so you get plain text protocol. even if you dont, you can sniff the traffic via FortiGate, export it to pcap file, and via wireshark to import the private key if you have it so you decrypt the traffic Mohammad

Mohammad Al-Zard

 

Mohammad Al-Zard
emnoc
Esteemed Contributor III

Curious as I am I tried to sniff outgoing mails on my FGT. Two reasons it didn' t work: 1- I' m using IMAP 2. I' m using IMAPS. And so will many users, use encryption and not plain text protocols. Curious as I am I tried to sniff outgoing mails on my FGT. Two reasons it didn' t work: 1- I' m using IMAP 2. I' m using IMAPS. And so will many users, use encryption and not plain text protocols.
Yes I was assuming the OP was using SMTP, also your 100% correct this would not work if it' s SMTPS. Another items that OP should considered the Bcc and Cc so maybe you might need to write 3 ips rules to cover the possibilities

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors