Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Wayne11
Contributor

Created on ‎02-22-2021 07:14 AM

FORGED but still delivered

Hi

 

We have realized a huge problem with our FortiMail 6.4.4 and FORGED Emails. They are getting detected as FORGED because of SPF record is not valid, but afterwards if a user has the forged sender Address in their Whitelist, the Email will get still delivered. This is totally useless because if anyone has for example noreply@wetransfer.com in their Whitelist and the Email is sent with Forged sender noreply@wetransfer.com, the Email gets first detected as SPAM, in the next step it recognizes the (real)sender is Whitelisted SYSTEM SAFE and then the Email is delivered anyway, even it was previously detected and categorized as Spam/Forged.

 

Thx

Wayne

Preview file
99 KB
Labels:
5493
0 Kudos
5 REPLIES 5
abelio
SuperUser
SuperUser

Created on ‎02-22-2021 09:04 AM

Hello

2 comments:

 

1) wetransfer.com publishes '-all'  in its SPF record; so, if anyone sends an fake email address noreply@wetransfer.com AND you have correctly configured your fortimail  (with an action != accept), that email will not pass to mailbox user

 

2) whitelisting is LAST resource method when you cannot solve a problem in another way      So it must be used carefully and monitored continously. It shouldn't be enable as a friendly feature for non-  technical users. 

 

I.e: i have seen a lot of cases when user whitelists its entire domain...

 

regards




/ Abel

regards / Abel
4232
0 Kudos
abelio
SuperUser
SuperUser

Created on ‎02-22-2021 09:05 AM

 

 

 wetransfer.com.         300     IN      TXT     "v=spf1 include:spf1.wetransfer.com include:servers.mcsv.net include:_spf.google.com include:mail.zendesk.com include:mailsenders.netsuite.com include:_spf.salesforce.com -all"

regards




/ Abel

regards / Abel
4231
0 Kudos
Jeff_Roback
Contributor
In response to abelio

Created on ‎03-04-2021 02:34 PM

Fortimail has a strange behavior with SPF records that makes them quite vulnerable to sender spoofing.   In short, if the user or the admin has added an address to a safelist, the SPF is never checked.    I've raised this with support and PSIRT, but apparently it's by design and the answer was to tell people to not use safelists. 

 

There's really no practical workaround - if you put someone on a safelist, then you have no ability to use SPF to check for spoofed addresses.

 

See threads here:

https://forum.fortinet.com/tm.aspx?m=161900

 

and here:

https://forum.fortinet.com/tm.aspx?m=175489

 

for more details.

 

 

Jeff Roback

Jeff Roback
4232
0 Kudos
Jjchen_FTNT
Staff
Staff
In response to Jeff_Roback

Created on ‎03-10-2021 05:39 AM

In FortiMail 7.0, there will be option to not bypass SPF/DMARC/DKIM for safelist

4232
Jeff_Roback
Contributor
In response to Jjchen_FTNT

Created on ‎03-10-2021 02:33 PM

jjchen wrote:

In FortiMail 7.0, there will be option to not bypass SPF/DMARC/DKIM for safelist

This is incredibly fantastic, so happy to hear this!  This is really the only major problem we've had with FortiMail, but it's a big one, so having this taken care of will leave me feeling good again about recommending the platform to clients.

Jeff

Jeff Roback

Jeff Roback
4232
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.