Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Fullmoon
Contributor III

how Fortimail address email spoofing (inbound)

my client threw me a question on how FortiMail address spoofed emails. reading this forum and other Fortinet documents seems I gathered only few resources. Anyone could share recommended settings on how to address above subject? I read BEC feature and it seems it works differently. Does SPF, DKIM and DMARC could tighten the security perhaps?

 

Is this good enough to handle incoming spoof emails?

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/47b932c2-9450-11e9-81a4-005056...

 

I assume this link is intended to protect internal users to spoof internal users or other domains

https://kb.fortinet.com/kb/documentLink.do?externalID=FD38665

 

Again any useful insights is much appreciated.

 

Fortigate Newbie

Fortigate Newbie
16 REPLIES 16
Hosemacht
Contributor II

Hey there,

 

let me tell you what we did against email Spoofing with Fortimail:

 

[ul]
  • 1st : enable a blocklist at your inbound Session Profile and set the record to "*@yourdomain.com"
  • 2nd: setup a Dictionary filter-> type Regex -> Pattern: "[EHeAdEr]^from:.*\b\@yourdomain.com\b" Pattern weight 1 Pattern Maximum 1 -> select Search header only -> add this to your Antispam Profile
  • 3rd:  if licensed Enable Impersonation and set dynamic and manual -> for critical emailadresses like CEOs set up a manual  Impersonation entry Patterntype Regex -> unter Displayname enter a Regex witch hits if surname and lastname are in the  Displayname like: "(surname)+[\s\S]+(lastname)+|(lastname)+[\s\S]+(surname)+/gi" -> add this to your Antispam      Profile[/ul]

     Regards

  • sudo apt-get-rekt

    sudo apt-get-rekt
    Fullmoon

    the_giraffe_that_wasnt_president wrote:

    [ul]
  • 1st : enable a blocklist at your inbound Session Profile and set the record to "*@yourdomain.com"
  • 2nd: setup a Dictionary filter-> type Regex -> Pattern: "[EHeAdEr]^from:.*\b\@yourdomain.com\b" Pattern weight 1 Pattern Maximum 1 -> select Search header only -> add this to your Antispam Profile
  • 3rd:  if licensed Enable Impersonation and set dynamic and manual -> for critical emailadresses like CEOs set up a manual  Impersonation entry Patterntype Regex -> unter Displayname enter a Regex witch hits if surname and lastname are in the  Displayname like: "(surname)+[\s\S]+(lastname)+|(lastname)+[\s\S]+(surname)+/gi" -> add this to your Antispam      Profile[/ul]

  • thank you for this. deeply appreciated. 

    So far how's user experience after you defined above settings?

     

     

    Fortigate Newbie

    Fortigate Newbie
    Hosemacht

    Hey there,

     

    our users arent really aware of this feature, we have planned some trainings about this.

    I forgott another usefull feature you could implement:

    [ul]
  • 4rd: at you local MTA add a specific tag for the user displaynames witch clearly identify your company like:" | Company Name". So the displayname for a user would be for example:  surname lastname | company Name. Then you can filter emails with that tag from inbound traffic with another dictionary filter : "[EHeAdEr]^from:.*\bCompany Name\b"[/ul]

    after that you can drill users to look specific for this tag in the display names to verify internal Senders.

     

    Regards

  • sudo apt-get-rekt

    sudo apt-get-rekt
    Fullmoon

    @hosemacht, appreciate for sharing knowledge about this.

     

    Would you mind to share screenshot on your 4th recommendation? Sorry cant figure out where to find in FML settings.

    Fortigate Newbie

    Fortigate Newbie
    Abristow_FTNT

    the_giraffe_that_wasnt_president wrote:

    Hey there,

     

    let me tell you what we did against email Spoofing with Fortimail:

     

    [ul]
  • 1st : enable a blocklist at your inbound Session Profile and set the record to "*@yourdomain.com"
  • 2nd: setup a Dictionary filter-> type Regex -> Pattern: "[EHeAdEr]^from:.*\b\@yourdomain.com\b" Pattern weight 1 Pattern Maximum 1 -> select Search header only -> add this to your Antispam Profile
  • 3rd:  if licensed Enable Impersonation and set dynamic and manual -> for critical emailadresses like CEOs set up a manual  Impersonation entry Patterntype Regex -> unter Displayname enter a Regex witch hits if surname and lastname are in the  Displayname like: "(surname)+[\s\S]+(lastname)+|(lastname)+[\s\S]+(surname)+/gi" -> add this to your Antispam      Profile[/ul]

     Regards

  • I'm a technical writer for FortiMail and currently drafting a recipe for preventing email spoofing based on these steps. Regarding your first point, correct me if I'm wrong, but the regex "[EHeAdEr]^from:.*\b\@yourdomain.com\b" would serve to block any email that has "@yourdomain.com" in the header-From. Would this not just blocks all legitimate emails, not just spoofed emails?

    If this is the case, is the impersonation analysis profile configured in order to add/allow trusted senders from this domain? If so, this could become quite tricky to maintain/manage, with potentially so many senders?

     

    Any additional explanation would be greatly appreciated.

    Please feel free to email me at abristow@fortinet.com

     

    Regards,

     

    Adam

     

    Fullmoon

    abristow wrote:

    I'm a technical writer for FortiMail and currently drafting a recipe for preventing email spoofing based on these steps.

    Please share if your recipe is available to publish. 

    Fortigate Newbie

    Fortigate Newbie
    Bromont_FTNT

    Access control can be used to prevent spoofing as well, valid internal users would likely authenticate or be coming from a trusted IP:

     

    Sender: Internal    Recipient: Internal    Authentication status: Not authenticated    Action: Reject

     

    That access control policy would be below your trusted IP policies

     

    Impersonation is often used only for the high level executives to prevent emails with header from like this:

     

    From: Ken Xie <kenxie@gmail.com>

     

    or 

     

    From: Ken Xie <kxie@fortinetinc.com>

    Jeff_Roback

    This is a great thread, some interesting ideas here.

     

    One thing we've run up against is that if you are using office 365 services like Sharepoint and Teams, but you have your Exchange servers on Prem, office 365 needs to be able to send messages on behalf of your domain, so we need to come up with a way to permit that.   It appears that Microsoft has references of their current IP blocks here: https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-world... and the relevant Port 25 section is here as of today:

     

    *.mail.protection.outlook.com

    40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48

    TCP: 25

     

    However, at the risk of beating as dead horse.... if the fortimail didn't skip SPF for internal and safelisted domains, a lot of this could be handled automatically.     It's true it doesn't deal with envelope from spoofing, but at least header from would be taken care of.

     

    See threads here: https://forum.fortinet.com/tm.aspx?m=161900   and here: https://forum.fortinet.com/tm.aspx?m=175489   for more details.  

     

     

    Jeff Roback

    Jeff Roback
    Jeff_Roback

    abristow wrote:

    I'm a technical writer for FortiMail and currently drafting a recipe for preventing email spoofing based on these steps. Regarding your first point, correct me if I'm wrong, but the regex "[EHeAdEr]^from:.*\b\@yourdomain.com\b" would serve to block any email that has "@yourdomain.com" in the header-From. Would this not just blocks all legitimate emails, not just spoofed emails?

    If this is the case, is the impersonation analysis profile configured in order to add/allow trusted senders from this domain? If so, this could become quite tricky to maintain/manage, with potentially so many senders?

     

    Hi there I think what he's getting at is the scenario where there is a mail infrastructure behind the fortimail and the vast majority of legitimate messages with @yourdomain.com in the header-from are originating inside the organization.  I think the idea would be to put a rule above that permitting the legitimate senders of internal mail, which would be fairly limited.  In our case from Microsoft 365 services.   That's the rule I'm testing now.

     

     

    Jeff

    Jeff Roback

    Jeff Roback
    Announcements

    Select Forum Responses to become Knowledge Articles!

    Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

    Labels
    Top Kudoed Authors