koldun
New Contributor

AntiSpam strange behaviour

Hello everyone. 

 

Can someone please explain to me why this example spam mail was delivered to the user?

I attached an export from FortiMail with an example, and it looks like the whitelisted value "notifications@monday.com" was treated as equivalent to "bounces+6182960-837b-Name.Surname=My.Domain@emails.monday.com", which is present in the From field.

 

How is this possible?

 

Here is a detailed trace for a mail: 

 

abelio
Valued Contributor

Hi

Your user has that sender in his whitelist (see the classifier tab: User Safe).

 

 

regards


__ Abel

koldun
New Contributor

That is not true, actually...

 

Because my user has this address in the whitelist: notifications@monday.com

and we are getting mail where the From parameter is set to:

bounces+6182960-837b-Name.surname=My.Domain@emails.monday.com

which is far from looking like the whitelisted address.

This one is even from a different domain, @emails.monday.com.

 

 

Carl_Windsor_FTNT

You have Personal Safe List entry for "notifications@monday.com" and this is what appears in the Header From (see the first history log line).

Dr. Carl Windsor Field Chief Technology Officer Fortinet

koldun

Isn't that ridiculous behaviour?

It really looks like a golden cave for spammers :) because basically anyone from anywhere can send a mail, and all this sender needs to do is set a Header From address that will be accepted.

 

 

OK, next question: what can be done to stop that (and don't tell me "remove that address from the whitelist")?

 

koldun
New Contributor

BTW,

does anyone know the term "phishing attack"?

Isn't that exactly what is happening here?

 

When someone is trying to pretend to be someone else, for some reason.

The key word is "pretend" :)

Here the spammers are trying to pretend to be a legit sender, and your system accepts the mail with salt, bread, and dances over it, and moreover, a senior director and product manager is trying to tell us that it is correct behavior.

 

 

Carl_Windsor_FTNT

This is not the normal correct behavior; this is only the case when you have explicitly safe listed the sender. Safe listing is for working around situations where the sending party may not have their mail servers configured correctly (blacklisted IP, SPF fail etc.) but where you must receive their emails. There is a warning to this effect in the admin guide for this reason.

 

Dr. Carl Windsor Field Chief Technology Officer Fortinet

koldun

There are many things in your reply that do not fit my case.

First, the user whitelisted a pretty well defined address, not even close to a wildcard.

And for some reason, the system thinks that this whitelisted address "notifications@monday.com" is exactly equal to this monster address = bounces+6182960-837b-Name.Surname=My.Domain@emails.monday.com that is coming in the From field.

So I still do not understand how this could happen at all.

This is not my first time working with antispam.

I have previous experience working with IronPort, Proofpoint, Retarus, Sendmail. None of those systems ever allowed this to happen at all. And here, instead of getting some solution for how to fix that, I get a message that this is exactly how it must work :) That's really funny.

Carl_Windsor_FTNT

The wildcard in the example is to show that safelisting should be used with caution because of the impact it could have. Caution should still be used for exact matches.

 

>And for some reason, the system thinks that this whitelisted address "notifications@monday.com" is
>exactly equal to this monster address =
>bounces+6182960-837b-Name.Surname=My.Domain@emails.monday.com that is coming in
>the From field

 

Your email was addressed as follows:

 

Mail From: bounces+6182960-837b-Name.Surname=My.Domain@emails.monday.com

Header From: notifications@monday.com

 

The Safelist matched the Header From.

 

Dr. Carl Windsor Field Chief Technology Officer Fortinet
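The matching described in the reply above, as an added example that is not code from the thread or from FortiMail: it parses a constructed message whose From: header carries the safelisted address, and evaluates an exact safelist entry against the RFC 5322 Header From (the behaviour reported here) and against the RFC 5321 envelope MAIL FROM. The two addresses are the ones quoted in the thread; the message body, the spoofed envelope sender attacker.example, and the functions classify(), aligned() and classify_with_alignment() are assumptions made for the illustration.

```python
"""Added example, not FortiMail code: why an exact safelist entry for
notifications@monday.com matches this message when the safelist is checked
against the Header From, and does not when it is checked against the
envelope MAIL FROM. Addresses are quoted from the thread; the message
text and the spoofed sender are constructed."""
from email import message_from_string
from email.utils import parseaddr

SAFELIST = {"notifications@monday.com"}  # the user's Personal Safe List entry

# Envelope sender (SMTP MAIL FROM) as quoted in the thread.
ENVELOPE_MAIL_FROM = "bounces+6182960-837b-Name.Surname=My.Domain@emails.monday.com"

# Constructed message; only the From: header value comes from the thread.
RAW_MESSAGE = """\
From: monday.com <notifications@monday.com>
To: Name.Surname@My.Domain
Subject: constructed sample

constructed body
"""

# Constructed spoof: same Header From, unrelated envelope sender.
SPOOFED_ENVELOPE = "anything@attacker.example"


def header_from(raw_message):
    """Return the bare address from the RFC 5322 From: header, lowercased."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("From", ""))[1].lower()


def domain_of(address):
    return address.rpartition("@")[2].lower()


def safelisted(address):
    """Exact, case-insensitive match against the safelist (no wildcards)."""
    return address.lower() in SAFELIST


def classify(envelope_from, raw_message, match_on):
    """Return 'User Safe' when the chosen address hits the safelist, else 'Scan'.

    match_on='header'   -> compare the Header From (what the thread observed)
    match_on='envelope' -> compare the envelope MAIL FROM
    """
    if match_on == "header":
        candidate = header_from(raw_message)
    elif match_on == "envelope":
        candidate = envelope_from
    else:
        raise ValueError("match_on must be 'header' or 'envelope'")
    return "User Safe" if safelisted(candidate) else "Scan"


def aligned(envelope_from, raw_message):
    """Relaxed alignment in the DMARC sense: the envelope sender's domain is
    the Header From domain or a subdomain of it. emails.monday.com aligns
    with monday.com; attacker.example does not."""
    env = domain_of(envelope_from)
    hdr = domain_of(header_from(raw_message))
    return env == hdr or env.endswith("." + hdr)


def classify_with_alignment(envelope_from, raw_message):
    """Hypothetical hardened rule: honour a Header From safelist hit only
    when the envelope sender aligns with the Header From domain."""
    if (classify(envelope_from, raw_message, "header") == "User Safe"
            and aligned(envelope_from, raw_message)):
        return "User Safe"
    return "Scan"


if __name__ == "__main__":
    for label, env in (("monday", ENVELOPE_MAIL_FROM), ("spoofed", SPOOFED_ENVELOPE)):
        print(label,
              "header:", classify(env, RAW_MESSAGE, "header"),
              "envelope:", classify(env, RAW_MESSAGE, "envelope"),
              "aligned:", classify_with_alignment(env, RAW_MESSAGE))
```

Note the caveat the example makes visible: for the message in the thread the envelope domain emails.monday.com is a subdomain of the Header From domain, so an alignment requirement alone would not change that verdict; it does stop the case the thread is worried about, where an unrelated sender simply writes the safelisted address into the From: header.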

koldun

OK, 

 

I hope we both agree that the main thing here is the Mail From address, as it represents the real sender address.

Header From is only needed to change the displayed address in the Outlook client. No doubts about this, right?

 

 

And now the question is: how do we need to modify the system to make it match whitelist entries against Mail From addresses and leave Header From alone? Or what else can we change to prevent that kind of spam from being accepted?