my client threw me a question on how FortiMail address spoofed emails. reading this forum and other Fortinet documents seems I gathered only few resources. Anyone could share recommended settings on how to address above subject? I read BEC feature and it seems it works differently. Does SPF, DKIM and DMARC could tighten the security perhaps?
Is this good enough to handle incoming spoof emails?
I assume this link is intended to protect internal users to spoof internal users or other domains
https://kb.fortinet.com/kb/documentLink.do?externalID=FD38665
Again any useful insights is much appreciated.
Fortigate Newbie
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Jeff Roback wrote:Hi there I think what he's getting at is the scenario where there is a mail infrastructure behind the fortimail and the vast majority of legitimate messages with @yourdomain.com in the header-from are originating inside the organization. I think the idea would be to put a rule above that permitting the legitimate senders of internal mail, which would be fairly limited. In our case from Microsoft 365 services. That's the rule I'm testing now.
Would you mind if you could let me know how your testing goes? I'm at an impasse for this recipe.
Adam
Hi there,
sorry im late, maybe i forgott to explain: my discribed "blocked header" is only works in this scenario:
Wan -> Fortigate -> Fortimail(Gateway Mode) -> MTA (where "yourdomain.com" emails belong)
in this case if someone send me an email from someone@spam.com and set the from-header to someone@yourdomain.com
it is valid to block them because emails from "yourdomain.com" should only be sent from our MTA and no one else.
We have this setup for years now long before the Fortimail impersonation feature was introduced
and it just works with no additional charge.
Regards
sudo apt-get-rekt
FYI, the regex string above doesn't do what I think the author is intending.
It has two problems: 1) The . in domain.com is evaluated as matching any character since it's not escaped. 2) The [EHeAdEr] isn't helping since a match of any of those characters will work. Here's what we've been testing with: ^From:.*<.*\@mydomain\.com>$ Here's a really handy site that lets you put in a regex string and test it against text. It will also break down the command for you. https://regexr.com/
Jeff Roback
Hi Jeff,
thanks for your input, but let me explain:
1) Fortimail regex is perl style so matches are case insensitive and can occur over multiple lines as if the word were on a single line (match modifier options i and s are in effect).
So for your tests on regexr.com you have to enable "i", "m" and "s" flags.
Then your regex hits multiple lines at my tests, everything between "from:" and the end of the "Retourn-Path" line.
2) The [EHeAdEr] part is FML specific and will specify to only check the original headers rather than the attachment headers also.
3) the dot in "yourdomain.com" is not escaped on purpose because spammers likes to fake header from fields with "," ":" or spaces between domain and topleveldomain.
Best Regards
sudo apt-get-rekt
Thank you for your explanation of this. I haven't been able to find much documentation on this, so I'm really glad to understand this now, and I'm actually really happy to understand the [EHeAdEr] portion, as this may solve another problem I'm having.
Happy to admit when I'm wrong and sorry if my tone was argumentative.
Jeff
Jeff Roback
the_giraffe_that_wasnt_president wrote:The [EHeAdEr] part is FML specific and will specify to only check the original headers rather than the attachment headers also.
In thinking about this part more, I'm curious. Can you explain how this part works? It is the Fortimail using an undocumented functionality to take specific actions against the outer message header? Or is it this a string that only exists in the main header? If it is still being processed as a regex, how come it needs the case written in that way? Since it's case sensitive, seems like it wouldn't matter.
Thanks for your thoughts on this.
Jeff Roback
ive got this EHeAdEr part from a fortinet training back in 2018.
I dont know much about this Part, and i also found no further informations in admin guides or cook books,
i was also concerned about the EHeAdEr part just like you but what i can say is after some tests with fake email accounts is it just works.
Regards
sudo apt-get-rekt
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1516 | |
1013 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.