Support Forum
mauirixxx
New Contributor

block specific incoming e-mail address

Aloha, I've perused and searched the forums, but can't seem to get around this. We have an employee that no longer works here (since late 2006) whose account still receives a fair amount of spam, and, well, frankly I'm tired of the NDRs generated by it, so I've tried configuring the firewall (an FT-60, firmware 3.00-b0564 (MR5 Patch 1)) to just drop all incoming mail to that account. This is what I've done so far, to no avail:

AntiSpam -> Black/White List -> E-mail Address -> defined-emailbwl (edit), and added the following:
    E-mail Address: /mowens@mai-hawaii\.com/i
    Pattern Type: Regular Expression
    Action: Mark as Spam
    Enable: checked
and hit "OK".

In Firewall -> Protection Profile -> filter_wizard (edit), under Spam Filtering I have "SMTP" checked (everything under SMTP is checked save for URL check), in the E-mail address BWL check I have "defined-emailbwl", and Spam Action is set to "Discard".

Under Firewall -> Policy -> wan1->internal, I have a virtual IP forwarding all SMTP traffic to my e-mail server, and the protection profile is set to filter_wizard. I know it's enabled and catching most of the spam, because I can see via my FortiAnalyzer all the spam that doesn't get through to my personal account.

What is the correct format of the Regular Expression (or should it be Wildcard?) for a specific e-mail address I want the firewall to block? I've tried mowens@mai-hawaii.com (Regular & Wildcard), /mowens@mai-hawaii.com/i (Regular) and, the latest, /mowens@mai-hawaii\.com/i (Regular), which was based on information I've taken from these forums. None of them has given any definitive results. Is there a CLI-only setting for this that perhaps I haven't come across? Mahalo for any and all help!
Rick Payton, IT Support Morikawa & Associates http://www.mai-hawaii.com/ FortiGate-60 build 726 (retired) FortiGate-60B v4.0 build 328 MR2 Patch 8 FortiAnalyzer-100B v4.0 build 513 MR3
rwpatterson
Valued Contributor III

Try just using the name /mowens/i. The rest is ambiguous. You should only be getting mail for your domain... Note: you could try escaping the @ and the - (\@ and \-), but I don't think that will buy you any mileage...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
mauirixxx
New Contributor

Nope, sending a test e-mail from my Google account to mowens@mai-hawaii.com still generated an NDR from my e-mail system. That was with /mowens/i set to Regular Expression. Going to try that as a Wildcard next. *crosses fingers* Thanks rwpatterson (Bob?)! EDIT: Nope, /mowens/i set to Wildcard did nothing either.
Rick Payton, IT Support Morikawa & Associates http://www.mai-hawaii.com/ FortiGate-60 build 726 (retired) FortiGate-60B v4.0 build 328 MR2 Patch 8 FortiAnalyzer-100B v4.0 build 513 MR3
rwpatterson
Valued Contributor III

Are you using the FortiGuard anti-spam feature? Is the license valid? If so, then under Firewall > Protection Profile > FortiGuard AntiSpam, check that the box under SMTP that relates to the 'E-mail address BWL check' is checked, and that your email BWL is in the drop-down box to the right. Also, for wildcard, just use the normal email (mowens@mai-hawaii.com), not the slashes and 'i'. That's regex stuff. EDIT: Never mind. I see you've done all this stuff already... Try rebooting the box (if you can during hours). Possibly an upgrade to P4 or P5.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
mauirixxx
New Contributor

mowens@mai-hawaii.com set to Wildcard did nothing as well :( Oh well, guess I'll go hit up support, unless you or anyone else has any other suggestions? Thanks again! EDIT: One thing I noticed is that in the last hour, while the mail is still getting through, it is NOT getting logged by my FortiAnalyzer-100B. I just sent another test mail via my Gmail account, and while it generated an NDR via the e-mail server itself, neither the actual message nor the NDR got logged. Interesting... EDIT #2: OK, guess I was just impatient; both messages finally appeared in the FA-100B after a few minutes. Oh well...
Rick Payton, IT Support Morikawa & Associates http://www.mai-hawaii.com/ FortiGate-60 build 726 (retired) FortiGate-60B v4.0 build 328 MR2 Patch 8 FortiAnalyzer-100B v4.0 build 513 MR3
John_Stoker
New Contributor II

This is because of the order in which the Anti-Spam services are applied. If he's coming from mai-hawaii.com and you don't care about blocking the whole domain, find out the sending IP address and block that in the anti-spam black/white list IP address. This will solve your issue. This is how they used to (and probably still) apply the Anti-Spam techniques:

1. IP address BWL check (last hop IP)
2. RBL & ORDBL check, IP address FortiShield check, HELO DNS lookup
3. E-mail address BWL check
4. MIME headers check
5. IP address BWL check (for IPs extracted from "Received" headers)
6. Return e-mail DNS check, FortiGuard Antispam check (for IPs extracted from "Received" headers, and URLs in email content)
7. Banned word check

As you can see, the IP address black/white list is first, so if you put the source IP in, it will be caught. This is our experience, as we have customers that we are doing this process for. It doesn't work for Yahoo, MSN, Gmail, etc., though, because you would have to block the whole domain. Hope this helps! :)
John CISSP, FCNSP Adv(thanks)ance
John_Stoker
New Contributor II

Oh boy! I just re-read your post and I misunderstood the question, sorry. I left the post in case anyone else wants the info. As far as blocking a specific destination email address, as you mentioned, I would talk with support on that. Sorry :(
John CISSP, FCNSP Adv(thanks)ance
mauirixxx
New Contributor

For anyone interested in how to block a specific incoming e-mail address to your organization, these are the instructions given to me via support ticket, and I have verified that it works for me. To reiterate WHAT I wanted done: I have an ex-employee whose e-mail account regularly gets spam (mowens@mai-hawaii.com), even though the account is no longer valid in our organization. I have set our e-mail server to send my personal account copies of all the NDRs it generates so I can take appropriate action. So without further ado, here's what support told me to do (via CLI):

    config spamfilter mheader
        edit 1
            config entries
                edit 1
                    set action spam
                    set fieldbody mowens@mai-hawaii.com
                    set fieldname /^To$/i
                    set pattern-type regexp
                end
            set name mheader_table
        end

Now the firewall generates the NDR and deletes the e-mail (verified via my personal Hotmail account). Maybe this information can be put online somewhere, or maybe stickied in the forums?
Rick Payton, IT Support Morikawa & Associates http://www.mai-hawaii.com/ FortiGate-60 build 726 (retired) FortiGate-60B v4.0 build 328 MR2 Patch 8 FortiAnalyzer-100B v4.0 build 513 MR3
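Editor's note, an added example that is not part of the original thread and not Fortinet code: the post above works where the earlier black/white-list attempts did not because the e-mail address BWL is applied to the sender address, whereas the MIME header table can be keyed on the To: header, which is where the ex-employee's address actually appears. The model below reproduces both checks on constructed messages so the difference can be seen directly. The pattern syntax it accepts (/body/flags for regexp, * and ? for wildcard, wildcard matching case-insensitively) is an assumption taken from the forms used in the thread, not a statement of how FortiOS tokenises patterns; the function names and the sample messages are the editor's.

```python
"""Model of two FortiGate anti-spam checks from the thread (added example,
not Fortinet code): the sender e-mail address BWL and the MIME header check.
Pattern syntax handling is an assumption based on the forms used in the thread."""
import re
from email import message_from_bytes
from email.policy import default as default_policy


def compile_pattern(pattern, pattern_type):
    """Turn a BWL/mheader pattern into a compiled regex.

    pattern_type is "wildcard" or "regexp", mirroring the GUI/CLI option.
    Wildcard: '*' matches any run, '?' one character, anchored and
    case-insensitive (assumption).  Regexp: a Perl-style /body/flags form is
    accepted; a bare pattern is used as written, so its case sensitivity is
    whatever the author gave it.
    """
    if pattern_type == "wildcard":
        body = "".join(
            ".*" if c == "*" else "." if c == "?" else re.escape(c)
            for c in pattern
        )
        return re.compile(rf"^{body}$", re.IGNORECASE)
    if pattern_type != "regexp":
        raise ValueError(f"unknown pattern type {pattern_type!r}")
    m = re.fullmatch(r"/(.*)/([a-z]*)", pattern, re.DOTALL)
    if m:
        flags = re.IGNORECASE if "i" in m.group(2) else 0
        return re.compile(m.group(1), flags)
    return re.compile(pattern)


def email_bwl_check(mail_from, entries):
    """E-mail address BWL: compares the SENDER address against each entry.
    Returns the first matching entry's action ("spam"/"clear"), else None."""
    for e in entries:
        if compile_pattern(e["pattern"], e["pattern_type"]).search(mail_from):
            return e["action"]
    return None


def mheader_check(raw_message, entries):
    """MIME header check: fieldname (regexp) selects headers by name, and
    fieldbody (wildcard/regexp) is matched against each selected header's value."""
    msg = message_from_bytes(raw_message, policy=default_policy)
    for e in entries:
        name_re = compile_pattern(e["fieldname"], "regexp")
        body_re = compile_pattern(e["fieldbody"], e["pattern_type"])
        for name, value in msg.items():
            if name_re.search(name) and body_re.search(str(value)):
                return e["action"]
    return None


# The two tables as the thread configured them.
EMAIL_BWL = [
    {"pattern": r"/mowens@mai-hawaii\.com/i", "pattern_type": "regexp", "action": "spam"},
]
MHEADER_TABLE = [  # same content as the "config spamfilter mheader" entry in the post above
    {"fieldname": "/^To$/i", "fieldbody": "mowens@mai-hawaii.com",
     "pattern_type": "regexp", "action": "spam"},
]

# Constructed sample messages (not real captures).
MSG_TO_EX_EMPLOYEE = b"""From: spammer@example.net
To: "M. Owens" <mowens@mai-hawaii.com>
Subject: cheap pills

body
"""
MSG_TO_CURRENT_STAFF = b"""From: spammer@example.net
To: someone@mai-hawaii.com
Subject: cheap pills

body
"""
# Recipient supplied only in the SMTP envelope (RCPT TO), as with Bcc: the
# header check has nothing to match, so this message still reaches the server.
MSG_BCC_ONLY = b"""From: spammer@example.net
To: undisclosed-recipients:;
Subject: cheap pills

body
"""


def classify(raw_message, mail_from, bwl=EMAIL_BWL, mheader=MHEADER_TABLE):
    """Report which of the two checks (if any) tagged the message."""
    return {
        "email_bwl": email_bwl_check(mail_from, bwl),
        "mheader": mheader_check(raw_message, mheader),
    }


if __name__ == "__main__":
    for label, raw in [("to ex-employee", MSG_TO_EX_EMPLOYEE),
                       ("to current staff", MSG_TO_CURRENT_STAFF),
                       ("bcc only", MSG_BCC_ONLY)]:
        print(label, classify(raw, "spammer@example.net"))
```

The third sample is the caveat a practitioner should keep in mind: a header-based rule only sees what the spammer puts in the To: line, not the envelope recipient, so Bcc-style spam to the dead mailbox will still hit the mail server and produce an NDR. The firewall rule reduces the backscatter; the robust fix is for the mail server itself to reject unknown recipients at RCPT TO time, so that no message is accepted and then bounced.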
mauirixxx

The above post no longer seems to function in FortiOS v4. Does anyone have a way to block a specific incoming address from generating an NDR from my Exchange server (basically, actually being dropped at the firewall)? I'm also going to re-open the support ticket and see what they have to say.
Rick Payton, IT Support Morikawa & Associates http://www.mai-hawaii.com/ FortiGate-60 build 726 (retired) FortiGate-60B v4.0 build 328 MR2 Patch 8 FortiAnalyzer-100B v4.0 build 513 MR3
Not applicable

The commands you posted previously should still work: they have not changed the way the spamfilter mheader is configured, and this has actually remained the same. Check to make sure you have the right settings checked in the protection profile to enable the email to be tagged as spam. When you say it's not working now, what exactly is it doing? Is the email getting through to your Exchange server, and hence an NDR is being sent?