Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Fullmoon
Contributor III

How FortiMail addresses email spoofing (inbound)

My client threw me a question on how FortiMail addresses spoofed emails. Reading this forum and other Fortinet documents, I seem to have gathered only a few resources. Could anyone share recommended settings on how to address the above subject? I read about the BEC feature and it seems it works differently. Could SPF, DKIM and DMARC tighten the security, perhaps?

Is this good enough to handle incoming spoof emails?

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/47b932c2-9450-11e9-81a4-005056...

I assume this link is intended to protect against internal users spoofing internal users or other domains:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD38665

Again, any useful insights are much appreciated.

Fortigate Newbie
16 REPLIES
Hosemacht
Contributor II

Hey there,

let me tell you what we did against email spoofing with FortiMail:

  • 1st: enable a blocklist at your inbound Session Profile and set the record to "*@yourdomain.com"
  • 2nd: set up a Dictionary filter -> type Regex -> Pattern: "[EHeAdEr]^from:.*\b\@yourdomain.com\b", Pattern weight 1, Pattern maximum 1 -> select Search header only -> add this to your Antispam Profile
  • 3rd: if licensed, enable Impersonation and set dynamic and manual -> for critical email addresses like CEOs set up a manual Impersonation entry, Pattern type Regex -> under Display name enter a regex which hits if surname and last name are in the display name, like: "(surname)+[\s\S]+(lastname)+|(lastname)+[\s\S]+(surname)+/gi" -> add this to your Antispam Profile

Regards

sudo apt-get-rekt
Fullmoon

the_giraffe_that_wasnt_president wrote:

    • 1st: enable a blocklist at your inbound Session Profile and set the record to "*@yourdomain.com"
    • 2nd: set up a Dictionary filter -> type Regex -> Pattern: "[EHeAdEr]^from:.*\b\@yourdomain.com\b", Pattern weight 1, Pattern maximum 1 -> select Search header only -> add this to your Antispam Profile
    • 3rd: if licensed, enable Impersonation and set dynamic and manual -> for critical email addresses like CEOs set up a manual Impersonation entry, Pattern type Regex -> under Display name enter a regex which hits if surname and last name are in the display name, like: "(surname)+[\s\S]+(lastname)+|(lastname)+[\s\S]+(surname)+/gi" -> add this to your Antispam Profile

Thank you for this. Deeply appreciated.

So far, how is the user experience after you defined the above settings?

Fortigate Newbie
Hosemacht

Hey there,

our users aren't really aware of this feature; we have planned some trainings about this.

I forgot another useful feature you could implement:

  • 4th: at your local MTA add a specific tag to the user display names which clearly identifies your company, like " | Company Name". So the display name for a user would be, for example: surname lastname | Company Name. Then you can filter emails with that tag from inbound traffic with another dictionary filter: "[EHeAdEr]^from:.*\bCompany Name\b"

After that you can drill users to look specifically for this tag in the display names to verify internal senders.

Regards

sudo apt-get-rekt
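The two dictionary patterns (steps 2 and 4) and the impersonation regex (step 3) from Hosemacht's posts above, run over constructed sample headers in Python so you can see what each one catches and what it does not. This is an added example, not FortiMail's matching engine and not code from the posts: it assumes the "[EHeAdEr]" prefix is the dictionary's header-search marker rather than part of the regex, expresses the JavaScript-style "/gi" suffix as re.IGNORECASE, and uses "Jane Doe", the sample addresses and the message bodies as made-up values.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "yourdomain.com"   # placeholder domain from the thread
COMPANY_TAG = "Company Name"         # display-name tag from the 4th step

# Step 2: the post's pattern "[EHeAdEr]^from:.*\b\@yourdomain.com\b".
# Assumption: "[EHeAdEr]" only tells the dictionary to search headers, so the
# regex proper starts at "^from:". It is applied line by line to the header block.
HEADER_FROM_RE = re.compile(r"^from:.*\b\@yourdomain.com\b", re.IGNORECASE | re.MULTILINE)

# Step 4: the post's tag filter "[EHeAdEr]^from:.*\bCompany Name\b".
TAG_RE = re.compile(r"^from:.*\bCompany Name\b", re.IGNORECASE | re.MULTILINE)


def display_name_pattern(surname: str, lastname: str) -> "re.Pattern":
    """Step 3: the post's impersonation regex for one protected person.

    The post writes it with a JavaScript-style "/gi" suffix; in Python the
    "i" becomes re.IGNORECASE and "g" is implicit in search().
    """
    return re.compile(
        rf"({surname})+[\s\S]+({lastname})+|({lastname})+[\s\S]+({surname})+",
        re.IGNORECASE,
    )


def header_block(raw_message: str) -> str:
    """Everything before the first blank line, i.e. the headers only."""
    return raw_message.split("\n\n", 1)[0]


def dictionary_score(raw_message: str) -> int:
    """Score 1 if the header From: claims the internal domain, else 0
    (the post's 'Pattern weight 1, Pattern maximum 1')."""
    return 1 if HEADER_FROM_RE.search(header_block(raw_message)) else 0


def tag_score(raw_message: str) -> int:
    """Score 1 if the header From: carries the company display-name tag."""
    return 1 if TAG_RE.search(header_block(raw_message)) else 0


def impersonates(raw_message: str, surname: str, lastname: str) -> bool:
    """True if the From: display name looks like the protected person,
    regardless of the address behind it."""
    msg = message_from_string(raw_message)
    name, _addr = parseaddr(msg.get("From", ""))
    return display_name_pattern(surname, lastname).search(name) is not None


# Constructed sample messages (made up for this example).
SAMPLES = {
    # legitimate internal mail: step 2 scores it exactly like a spoof
    "legit_internal": "From: Jane Doe <jane.doe@yourdomain.com>\nTo: bob@yourdomain.com\nSubject: lunch\n\nhi",
    # external sender forging the internal domain; the From: line is identical
    # to legit_internal on purpose, the header alone cannot tell them apart
    "spoofed_internal": "From: Jane Doe <jane.doe@yourdomain.com>\nTo: bob@yourdomain.com\nSubject: urgent wire\n\npay this",
    # ordinary external mail: no internal domain, no tag, no protected name
    "external": "From: Newsletter <news@external.example>\nTo: bob@yourdomain.com\nSubject: weekly\n\nnews",
    # freemail lookalike of a protected person (step 3)
    "lookalike_freemail": "From: Jane Doe <jane.doe@gmail.com>\nTo: bob@yourdomain.com\nSubject: hi\n\ncall me",
    # reversed name order still hits step 3
    "lookalike_reversed": "From: \"Doe, Jane\" <jd@attacker.example>\nTo: bob@yourdomain.com\nSubject: hi\n\ncall me",
    # a different person whose name merely contains the protected one
    "near_miss": "From: Janet Doerr <janet@external.example>\nTo: bob@yourdomain.com\nSubject: hi\n\nhello",
    # external sender copying the company tag (step 4)
    "spoofed_tag": "From: Jane Doe | Company Name <jane@freemail.example>\nTo: bob@yourdomain.com\nSubject: hi\n\nhello",
}


def report() -> dict:
    """Evaluate every sample against all three checks."""
    return {
        key: {
            "domain": dictionary_score(raw),
            "tag": tag_score(raw),
            "impersonation": impersonates(raw, "Jane", "Doe"),
        }
        for key, raw in SAMPLES.items()
    }


if __name__ == "__main__":
    for key, result in report().items():
        print(f"{key:20s} {result}")
```

Two things the run makes visible: the step 2 filter scores legit_internal and spoofed_internal identically, because both carry "@yourdomain.com" in the header From, so it only works when the known sources of legitimate internal mail are permitted earlier in the pipeline (the point discussed later in this thread); and the step 3 regex has no word boundaries, so "Janet Doerr" matches a "Jane"/"Doe" entry as well, which is worth knowing when tuning manual impersonation entries.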
Fullmoon

@Hosemacht, I appreciate you sharing your knowledge about this.

Would you mind sharing a screenshot of your 4th recommendation? Sorry, I can't figure out where to find it in the FML settings.

Fortigate Newbie
Abristow_FTNT

the_giraffe_that_wasnt_president wrote:

    Hey there,

    let me tell you what we did against email spoofing with FortiMail:

    • 1st: enable a blocklist at your inbound Session Profile and set the record to "*@yourdomain.com"
    • 2nd: set up a Dictionary filter -> type Regex -> Pattern: "[EHeAdEr]^from:.*\b\@yourdomain.com\b", Pattern weight 1, Pattern maximum 1 -> select Search header only -> add this to your Antispam Profile
    • 3rd: if licensed, enable Impersonation and set dynamic and manual -> for critical email addresses like CEOs set up a manual Impersonation entry, Pattern type Regex -> under Display name enter a regex which hits if surname and last name are in the display name, like: "(surname)+[\s\S]+(lastname)+|(lastname)+[\s\S]+(surname)+/gi" -> add this to your Antispam Profile

    Regards

I'm a technical writer for FortiMail and currently drafting a recipe for preventing email spoofing based on these steps. Regarding your first point, correct me if I'm wrong, but the regex "[EHeAdEr]^from:.*\b\@yourdomain.com\b" would serve to block any email that has "@yourdomain.com" in the header From. Would this not block all legitimate emails, not just spoofed emails?

If this is the case, is the impersonation analysis profile configured in order to add/allow trusted senders from this domain? If so, this could become quite tricky to maintain/manage, with potentially so many senders?

Any additional explanation would be greatly appreciated.

Please feel free to email me at abristow@fortinet.com

Regards,

Adam

Fullmoon

abristow wrote:

    I'm a technical writer for FortiMail and currently drafting a recipe for preventing email spoofing based on these steps.

Please share if your recipe is available to publish.

Fortigate Newbie
Bromont_FTNT

Access control can be used to prevent spoofing as well; valid internal users would likely authenticate or be coming from a trusted IP:

Sender: Internal    Recipient: Internal    Authentication status: Not authenticated    Action: Reject

That access control policy would be below your trusted IP policies.

Impersonation is often used only for the high-level executives, to prevent emails with a header From like this:

From: Ken Xie <kenxie@gmail.com>

or

From: Ken Xie <kxie@fortinetinc.com>

Jeff_Roback

This is a great thread, some interesting ideas here.

One thing we've run up against is that if you are using Office 365 services like SharePoint and Teams, but you have your Exchange servers on prem, Office 365 needs to be able to send messages on behalf of your domain, so we need to come up with a way to permit that. It appears that Microsoft has a reference for their current IP blocks here: https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-world... and the relevant port 25 section is here as of today:

*.mail.protection.outlook.com

40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48

TCP: 25

However, at the risk of beating a dead horse.... if the FortiMail didn't skip SPF for internal and safelisted domains, a lot of this could be handled automatically. It's true it doesn't deal with envelope-from spoofing, but at least header-from would be taken care of.

See threads here: https://forum.fortinet.com/tm.aspx?m=161900 and here: https://forum.fortinet.com/tm.aspx?m=175489 for more details.

Jeff Roback
Jeff_Roback

abristow wrote:

    I'm a technical writer for FortiMail and currently drafting a recipe for preventing email spoofing based on these steps. Regarding your first point, correct me if I'm wrong, but the regex "[EHeAdEr]^from:.*\b\@yourdomain.com\b" would serve to block any email that has "@yourdomain.com" in the header From. Would this not block all legitimate emails, not just spoofed emails?

    If this is the case, is the impersonation analysis profile configured in order to add/allow trusted senders from this domain? If so, this could become quite tricky to maintain/manage, with potentially so many senders?

Hi there, I think what he's getting at is the scenario where there is a mail infrastructure behind the FortiMail and the vast majority of legitimate messages with @yourdomain.com in the header-from are originating inside the organization. I think the idea would be to put a rule above that permitting the legitimate senders of internal mail, which would be fairly limited. In our case, from Microsoft 365 services. That's the rule I'm testing now.

Jeff

Jeff Roback
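Bromont_FTNT's access-control rule ("Sender: Internal, Recipient: Internal, Not authenticated: Reject") and Jeff_Roback's point about ordering (a permit rule for the Microsoft 365 ranges above that reject rule), modelled as an ordered, first-match-wins policy evaluation in Python. This is an added example rather than FortiMail's access-control engine or either poster's configuration: the policy names, the Session fields and the "accept"/"reject" outcomes are illustrative, "Internal" is assumed to mean the envelope sender or recipient is in the protected domain, the client IPs and addresses are made up, and the CIDRs are the Microsoft ranges quoted in Jeff's post (check the live Microsoft list before using them).

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple

INTERNAL_DOMAIN = "yourdomain.com"  # placeholder protected domain from the thread

# Port-25 ranges for *.mail.protection.outlook.com as quoted in Jeff's post;
# verify against Microsoft's published list before relying on them.
M365_OUTBOUND = [ipaddress.ip_network(n) for n in (
    "40.92.0.0/15", "40.107.0.0/16", "52.100.0.0/14", "104.47.0.0/17",
    "2a01:111:f400::/48", "2a01:111:f403::/48",
)]


@dataclass
class Session:
    """What the MTA knows at access-control time (illustrative fields)."""
    client_ip: str
    mail_from: str        # envelope sender (SMTP MAIL FROM)
    rcpt_to: str          # envelope recipient (SMTP RCPT TO)
    authenticated: bool   # SMTP AUTH succeeded


def is_internal(address: str) -> bool:
    """'Internal' here means the address is in the protected domain (assumption)."""
    return address.rsplit("@", 1)[-1].lower() == INTERNAL_DOMAIN


def from_m365(client_ip: str) -> bool:
    """True if the connecting IP is inside one of the quoted Microsoft ranges."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in M365_OUTBOUND)


Policy = Tuple[str, Callable[[Session], bool], str]

# Evaluated top-down, first match wins. The trusted-source permit sits ABOVE
# the reject rule, as Bromont describes ("below your trusted IP policies").
POLICIES: List[Policy] = [
    ("permit-m365-as-internal",
     lambda s: from_m365(s.client_ip) and is_internal(s.mail_from),
     "accept"),
    ("reject-unauthenticated-internal",
     lambda s: is_internal(s.mail_from) and is_internal(s.rcpt_to) and not s.authenticated,
     "reject"),
]


def evaluate(session: Session, policies: List[Policy] = POLICIES) -> Tuple[str, str]:
    """Return (matching policy name, action); no match falls through to normal scanning."""
    for name, matches, action in policies:
        if matches(session):
            return name, action
    return "default", "accept"


# Constructed sessions (made up for this example; 203.0.113.0/24 is documentation space).
SESSIONS = {
    "m365_on_behalf": Session("40.107.1.2", "alice@yourdomain.com", "bob@yourdomain.com", False),
    "m365_ipv6": Session("2a01:111:f400::10", "alice@yourdomain.com", "bob@yourdomain.com", False),
    "forged_internal": Session("203.0.113.5", "ceo@yourdomain.com", "bob@yourdomain.com", False),
    "authenticated_user": Session("203.0.113.5", "alice@yourdomain.com", "bob@yourdomain.com", True),
    "external_sender": Session("203.0.113.5", "news@external.example", "bob@yourdomain.com", False),
}


def decisions(policies: List[Policy] = POLICIES) -> dict:
    """Decision for every constructed session under the given rule order."""
    return {key: evaluate(s, policies) for key, s in SESSIONS.items()}


if __name__ == "__main__":
    print("rules in the recommended order:")
    for key, (name, action) in decisions().items():
        print(f"  {key:20s} -> {action:6s} ({name})")
    print("reject rule moved above the permit rule:")
    for key, (name, action) in decisions(list(reversed(POLICIES))).items():
        print(f"  {key:20s} -> {action:6s} ({name})")
```

Running it with the two rules swapped shows why the order matters: the Microsoft 365 session claims an internal sender to an internal recipient without SMTP AUTH, so the reject rule would drop it unless the permit rule is matched first. The external sender falls through both rules untouched; it is the header-From dictionary filter from earlier in the thread, not access control, that deals with a forged internal display address from such a source.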