Fortimail pre sales question

Author
James_G
2017/03/09 04:07:36
Hi folks
 
I am a Fortigate customer for firewalls across the organisation, but currently use a separate supplier for email security. Unfortunately we have found them lacking on a specific threat.
 
We have recently been receiving a number of malicious emails where the envelope address / display address of the incoming message has been spoofed to look like an internal sender, but the reply address is a totally different (but valid) 3rd party domain name. The incoming mail is not being blocked by SPF checks as the 3rd party domain is correctly configured, and the email contents have nothing that would flag as suspect; the sender is relying on gaining the trust of the recipient to leak sensitive data as the conversation continues.
 
How would the Fortimail appliance mitigate this issue? Can you block if the envelope address / display address is spoofing the internal domain, but other headers are OK?
#1
JC_Geosoft
Re: Fortimail pre sales question 2018/02/14 10:52:13
Hey James,

You should look at implementing DMARC. It's specifically designed to look at the Header From address, and not the envelope recipient (a flaw in SPF). It combines SPF, DKIM, and the domain portion of the header From address to come to a conclusion on how to filter the email.
 
And yes, FortiMail does support SPF, DKIM and DMARC. We switched over from a 3rd party over a month ago and it works great for this.
 
--
Jason
#2
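The check discussed in this thread, as an added example that is not part of any post and is not FortiMail code: it evaluates DMARC-style alignment for a constructed message whose header From uses the internal domain while the envelope sender and Reply-To use a third-party domain that passes SPF. The function names, the sample message, the `example.com`/`example.net` domains and the two-label organizational-domain shortcut are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Simplification (assumption): the last two labels stand in for the
    # organizational domain; real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def addr_domain(value):
    # Domain part of an address header or envelope address ("" if absent).
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def evaluate(raw, mail_from, spf_pass, dkim_pass_domains, internal_domains):
    """Return alignment facts for one message.

    mail_from         -- SMTP envelope sender (MAIL FROM)
    spf_pass          -- SPF result for the envelope domain
    dkim_pass_domains -- d= domains whose DKIM signatures verified
    """
    msg = message_from_string(raw)
    from_dom = addr_domain(msg["From"])
    reply_dom = addr_domain(msg["Reply-To"])
    from_org = org_domain(from_dom)
    # SPF authenticates the envelope domain only; DMARC counts that pass
    # only when the envelope domain aligns with the header From domain.
    spf_aligned = (bool(from_dom) and spf_pass
                   and org_domain(addr_domain(mail_from)) == from_org)
    dkim_aligned = bool(from_dom) and any(
        org_domain(d) == from_org for d in dkim_pass_domains)
    return {
        "header_from": from_dom,
        "dmarc_pass": spf_aligned or dkim_aligned,
        "claims_internal": from_org in internal_domains,
        "reply_to_diverges": bool(reply_dom) and org_domain(reply_dom) != from_org,
    }

# Constructed sample: internal-looking From, third-party Reply-To.
SPOOFED = (
    'From: "Finance Director" <cfo@example.com>\n'
    "Reply-To: cfo@example.net\n"
    "Subject: Quick question\n\n"
    "Are you at your desk?\n"
)
INTERNAL = {"example.com"}

if __name__ == "__main__":
    # SPF passes for example.net, yet the message fails DMARC for example.com.
    print(evaluate(SPOOFED, "bounce@example.net", True, [], INTERNAL))
```

A message that claims an internal domain, fails alignment and has a diverging Reply-To is the pattern the original question describes; enforcing it on inbound mail depends on the internal domain publishing a DMARC policy.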
emnoc
Re: Fortimail pre sales question 2018/02/14 11:49:13
Yes, DMARC is what you want, but be advised that, depending on the FML version, you might not have it.
 
You might be able to get away with an access_control and set the sender pattern to be *.yourdomain.com with 0.0.0.0/0 and a reject action, though.
 
YMMV and tread carefully
 
Ken Felix
 

PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA email/web
#3