My client threw me a question on how FortiMail addresses spoofed emails. Reading this forum and other Fortinet documents, I gathered only a few resources. Could anyone share recommended settings on how to address the above subject? I read about the BEC feature and it seems to work differently. Could SPF, DKIM and DMARC tighten the security perhaps?
Is this good enough to handle incoming spoofed emails?
I assume this link is intended to prevent internal users from spoofing internal users or other domains:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD38665
Again, any useful insights are much appreciated.
Fortigate Newbie
Hey there,
Let me tell you what we did against email spoofing with FortiMail:
1st: enable a blocklist at your inbound Session Profile and set the record to "*@yourdomain.com"
2nd: set up a Dictionary filter -> type Regex -> Pattern: "[EHeAdEr]^from:.*\b\@yourdomain.com\b", Pattern weight 1, Pattern Maximum 1 -> select "Search header only" -> add this to your Antispam Profile
3rd: if licensed, enable Impersonation and set dynamic and manual -> for critical email addresses like CEOs, set up a manual Impersonation entry, Pattern type Regex -> under Display name enter a regex which hits if surname and last name are in the Display name, like: "(surname)+[\s\S]+(lastname)+|(lastname)+[\s\S]+(surname)+/gi" -> add this to your Antispam Profile
Regards
sudo apt-get-rekt
the_giraffe_that_wasnt_president wrote:
1st: enable a blocklist at your inbound Session Profile and set the record to "*@yourdomain.com"
2nd: set up a Dictionary filter -> type Regex -> Pattern: "[EHeAdEr]^from:.*\b\@yourdomain.com\b", Pattern weight 1, Pattern Maximum 1 -> select "Search header only" -> add this to your Antispam Profile
3rd: if licensed, enable Impersonation and set dynamic and manual -> for critical email addresses like CEOs, set up a manual Impersonation entry, Pattern type Regex -> under Display name enter a regex which hits if surname and last name are in the Display name, like: "(surname)+[\s\S]+(lastname)+|(lastname)+[\s\S]+(surname)+/gi" -> add this to your Antispam Profile
thank you for this. deeply appreciated.
So far how's user experience after you defined above settings?
Fortigate Newbie
Hey there,
Our users aren't really aware of this feature; we have planned some trainings about this.
I forgot another useful feature you could implement:
After that you can drill users to look specifically for this tag in the display names to verify internal senders.
Regards
sudo apt-get-rekt
@hosemacht, I appreciate you sharing your knowledge about this.
Would you mind sharing a screenshot of your 4th recommendation? Sorry, I can't figure out where to find it in the FML settings.
Fortigate Newbie
the_giraffe_that_wasnt_president wrote: Hey there,
Let me tell you what we did against email spoofing with FortiMail:
1st: enable a blocklist at your inbound Session Profile and set the record to "*@yourdomain.com"
2nd: set up a Dictionary filter -> type Regex -> Pattern: "[EHeAdEr]^from:.*\b\@yourdomain.com\b", Pattern weight 1, Pattern Maximum 1 -> select "Search header only" -> add this to your Antispam Profile
3rd: if licensed, enable Impersonation and set dynamic and manual -> for critical email addresses like CEOs, set up a manual Impersonation entry, Pattern type Regex -> under Display name enter a regex which hits if surname and last name are in the Display name, like: "(surname)+[\s\S]+(lastname)+|(lastname)+[\s\S]+(surname)+/gi" -> add this to your Antispam Profile
Regards
I'm a technical writer for FortiMail and currently drafting a recipe for preventing email spoofing based on these steps. Regarding your first point, correct me if I'm wrong, but the regex "[EHeAdEr]^from:.*\b\@yourdomain.com\b" would serve to block any email that has "@yourdomain.com" in the header-From. Would this not block all legitimate emails, not just spoofed emails?
If this is the case, is the impersonation analysis profile configured in order to add/allow trusted senders from this domain? If so, this could become quite tricky to maintain/manage, with potentially so many senders.
Any additional explanation would be greatly appreciated.
Please feel free to email me at abristow@fortinet.com
Regards,
Adam
abristow wrote: I'm a technical writer for FortiMail and currently drafting a recipe for preventing email spoofing based on these steps.
Please share if your recipe is available to publish.
Fortigate Newbie
Access control can be used to prevent spoofing as well; valid internal users would likely authenticate or be coming from a trusted IP:
Sender: Internal
Recipient: Internal
Authentication status: Not authenticated
Action: Reject
That access control policy would be below your trusted IP policies.
Impersonation is often used only for the high-level executives, to prevent emails with a header From like this:
From: Ken Xie <kenxie@gmail.com>
or
From: Ken Xie <kxie@fortinetinc.com>
This is a great thread, some interesting ideas here.
One thing we've run up against is that if you are using Office 365 services like SharePoint and Teams, but you have your Exchange servers on-prem, Office 365 needs to be able to send messages on behalf of your domain, so we need to come up with a way to permit that. It appears that Microsoft has references to their current IP blocks here: https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-world... and the relevant port 25 section is here as of today:
*.mail.protection.outlook.com
40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48
TCP: 25
However, at the risk of beating a dead horse... if FortiMail didn't skip SPF for internal and safelisted domains, a lot of this could be handled automatically. It's true it doesn't deal with envelope-from spoofing, but at least header-From would be taken care of.
See threads here: https://forum.fortinet.com/tm.aspx?m=161900 and here: https://forum.fortinet.com/tm.aspx?m=175489 for more details.
Jeff Roback
abristow wrote: I'm a technical writer for FortiMail and currently drafting a recipe for preventing email spoofing based on these steps. Regarding your first point, correct me if I'm wrong, but the regex "[EHeAdEr]^from:.*\b\@yourdomain.com\b" would serve to block any email that has "@yourdomain.com" in the header-From. Would this not block all legitimate emails, not just spoofed emails?
If this is the case, is the impersonation analysis profile configured in order to add/allow trusted senders from this domain? If so, this could become quite tricky to maintain/manage, with potentially so many senders.
Hi there, I think what he's getting at is the scenario where there is a mail infrastructure behind the FortiMail and the vast majority of legitimate messages with @yourdomain.com in the header-From are originating inside the organization. I think the idea would be to put a rule above that permitting the legitimate senders of internal mail, which would be fairly limited; in our case, the Microsoft 365 services. That's the rule I'm testing now.
Jeff
Jeff Roback
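To make the layered policy the thread converges on concrete, here is an added example (not FortiMail's engine, nor code from any poster) that walks a constructed message through the rules in order: the trusted-IP/authenticated access-control rules on top (with the Microsoft 365 ranges quoted above as the trusted networks), then the envelope blocklist, the header-From dictionary regex, and the manual impersonation regex. "yourdomain.com" and the executive name "Ken Xie" are placeholders taken from the thread; the `[EHeAdEr]` prefix and the `/gi` suffix from the posted patterns are dropped because this code matches the raw header text with Python's `re`.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed example of the layered policy discussed in the thread; it is not
# FortiMail's engine. The domain and the executive's name are placeholders.
INTERNAL_DOMAIN = "yourdomain.com"

# Sources allowed to send with our domain in header-From without authenticating
# (the Microsoft 365 port-25 ranges quoted in the thread).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in (
    "40.92.0.0/15", "40.107.0.0/16", "52.100.0.0/14", "104.47.0.0/17",
    "2a01:111:f400::/48", "2a01:111:f403::/48")]

# Step 2 dictionary filter, applied here to the raw "From:" header line; the
# FortiMail-specific "[EHeAdEr]" prefix is left out and the dot is escaped.
HEADER_FROM = re.compile(r"^from:.*\b\@" + re.escape(INTERNAL_DOMAIN) + r"\b", re.I)

# Step 3 manual impersonation entry: both name parts in the display name, any
# order. The post's trailing "/gi" are JavaScript flags; re.I replaces them.
EXEC_NAME = re.compile(r"(Ken)+[\s\S]+(Xie)+|(Xie)+[\s\S]+(Ken)+", re.I)

@dataclass
class Msg:
    source_ip: str
    authenticated: bool
    envelope_from: str  # SMTP MAIL FROM address
    from_header: str    # e.g. 'From: Ken Xie <kxie@fortinetinc.com>'

def evaluate(msg: Msg) -> str:
    """Walk the rules top to bottom and return the first matching action."""
    ip = ipaddress.ip_address(msg.source_ip)
    # Access control: authenticated or trusted-IP senders sit above the reject rules.
    if msg.authenticated or any(ip in net for net in TRUSTED_NETS):
        return "accept"
    # Step 1 session-profile blocklist on the envelope sender (*@yourdomain.com).
    if msg.envelope_from.lower().endswith("@" + INTERNAL_DOMAIN):
        return "reject: envelope-from spoof"
    # Step 2 / internal->internal unauthenticated: our domain in header-From.
    if HEADER_FROM.search(msg.from_header):
        return "reject: header-from spoof"
    # Step 3: executive display name paired with an outside address.
    m = re.match(r"From:\s*(.*?)\s*<([^>]+)>", msg.from_header, re.I)
    if m and EXEC_NAME.search(m.group(1)) \
            and not m.group(2).lower().endswith("@" + INTERNAL_DOMAIN):
        return "quarantine: impersonation"
    return "accept"
```

Running the same unauthenticated @yourdomain.com message once from a Microsoft 365 range and once from an arbitrary Internet address shows the point abristow raised: the dictionary regex alone would reject all of it, and only the rule ordering keeps the legitimate cloud-relayed mail flowing.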