FortiMail
FortiMail provides advanced, multi-layer protection against the full spectrum of email-borne threats
Adrian_Buckley_FTNT
Article Id 191111

Description

 
This article describes how to use the FortiMail dictionary to detect credit card numbers in emails.


Scope

 

FortiMail v4.0 and above.


Solution

All major credit card numbers follow a defined pattern, for example:

American Express:
  - The first two digits will be 34 or 37.
  - The total length will be 15 digits.

Visa:
  - The first digit will be 4.
  - The total length will be 13 or 16 digits (depending on the card type).

Master Card:
  - The first digit will be 5.
  - The second digit will be from 1 to 5 (inclusive).
  - The total length will be 16 digits.

The remainder of the card number also has a meaning: it determines the account number and other information.

Create a dictionary and enable its use in either the antispam or Content Profiles using the following patterns:
 
Amex:  3[47]\d{2}([ \-]?)\d{6}([ \-]?)\d{5}
Mastercard:  5[1-5]\d{2}([ \-]?)(\d{4})([ \-]?)(\d{4})([ \-]?)(\d{4})
Visa (13 digits):  4\d{3}([ \-]?)(\d{4})([ \-]?)(\d{4})
Visa (16 digits):  4\d{3}([ \-]?)(\d{4})([ \-]?)(\d{4})([ \-]?)(\d{4})
 
Configuration example from the GUI:
  1. Creating a dictionary entry for the American Express card number:

     [Image: Screenshot 2024-08-07 at 12.54.41.png]

  2. Dictionary Profile with entries for American Express, Visa, and Master Card card numbers:

     [Image: Screenshot 2024-08-07 at 12.48.05.png]

 

Configuration example from the CLI ('\' is a control character, which is why it needs to be entered twice through the CLI).

config profile dictionary
    edit CreditCard
        config item
            edit 1
                set pattern "3[47]\\d{2}([ \\-]?)\\d{6}([ \\-]?)\\d{5}"
                set pattern-scan-area body
            next
            edit 2
                set pattern "5[1-5]\\d{2}([ \\-]?)(\\d{4})([ \\-]?)(\\d{4})([ \\-]?)(\\d{4})"
                set pattern-scan-area body
            next
            edit 3
                set pattern "4\\d{3}([ \\-]?)(\\d{4})([ \\-]?)(\\d{4})"
                set pattern-scan-area body
            next
            edit 4
                set pattern "4\\d{3}([ \\-]?)(\\d{4})([ \\-]?)(\\d{4})([ \\-]?)(\\d{4})"
                set pattern-scan-area body
            next
        end
    next
end

 

This is a breakdown of what the expression means (for Amex detection).

Expression: 3[47]\d{2}([ \-]?)\d{6}([ \-]?)\d{5}

3 --> The digit '3'.
[47] --> Followed by either a '4' or a '7'.
\d{2} --> Followed by any 2 digits.
([ \-]?) --> Optionally followed by a space or a hyphen.
\d{6} --> Followed by any 6 digits.
([ \-]?) --> Optionally followed by a space or a hyphen.
\d{5} --> Followed by any 5 digits.
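
An added example (not part of the original article) for checking the dictionary patterns offline before deploying them: it builds the CLI form by doubling the backslashes and runs the GUI patterns over constructed message bodies. It assumes Python's `re` module treats these simple expressions the same way as the FortiMail dictionary engine; `to_cli`, `cli_config`, `hits` and the sample bodies are hypothetical names and constructed data.

```python
import re

# Patterns as the article gives them for the GUI (single backslashes).
GUI_PATTERNS = {
    "Amex": r"3[47]\d{2}([ \-]?)\d{6}([ \-]?)\d{5}",
    "Mastercard": r"5[1-5]\d{2}([ \-]?)(\d{4})([ \-]?)(\d{4})([ \-]?)(\d{4})",
    "Visa (13 digits)": r"4\d{3}([ \-]?)(\d{4})([ \-]?)(\d{4})",
    "Visa (16 digits)": r"4\d{3}([ \-]?)(\d{4})([ \-]?)(\d{4})([ \-]?)(\d{4})",
}

def to_cli(pattern):
    """Double every backslash, as the article says the CLI requires."""
    return pattern.replace("\\", "\\\\")

def cli_config(name="CreditCard"):
    """Render the dictionary profile in the CLI layout shown in the article."""
    out = ["config profile dictionary", f"    edit {name}", "        config item"]
    for i, pat in enumerate(GUI_PATTERNS.values(), start=1):
        out += [f"            edit {i}",
                f'                set pattern "{to_cli(pat)}"',
                "                set pattern-scan-area body",
                "            next"]
    return "\n".join(out + ["        end", "    next", "end"])

def hits(text):
    """Names of the patterns that match anywhere in text (unanchored search)."""
    return [name for name, pat in GUI_PATTERNS.items() if re.search(pat, text)]

# Constructed message bodies; the card numbers are public payment-test values.
SAMPLES = [
    "Amex on file: 3782-822463-10005",
    "Please charge 4111 1111 1111 1111",
    "MC 5555 5555 5555 4444 exp 01/30",
    "Order ref 9941234567890123 shipped",   # not a card: false positive
    "Meeting at 10:30 in room 4",
]

if __name__ == "__main__":
    print(cli_config())
    for body in SAMPLES:
        print(f"{body!r:45} -> {hits(body)}")
```

The fourth sample shows that the patterns are unanchored: a 16-digit reference number that is not a card number still triggers the Visa (13 digits) entry, and a 16-digit Visa number triggers both Visa entries.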