AntiSpam strange behaviour

koldun (New Member)
2019/06/19 04:44:23 (permalink)

Hello everyone.

Can someone please explain to me why this example spam mail was delivered to the user?
I attached an export from FortiMail with an example, and it looks like the whitelisted value "notifications@monday.com" was treated as equivalent to "bounces+6182960-837b-Name.Surname=My.Domain@emails.monday.com", which is present in the From field.

How is it possible?

Here is a detailed trace for the mail:

 
post edited by koldun - 2019/06/25 02:32:08
#1
abelio (Expert Member, Buenos Aires, Argentina)
Re: AntiSpam strange behaviour 2019/06/19 07:17:16 (permalink)
Hi
Your user has that sender in his whitelist (see classifier tab: User Safe).
 
 
post edited by abelio - 2019/06/19 07:18:56

regards
--
Abel
#2
koldun (New Member)
Re: AntiSpam strange behaviour 2019/06/19 07:22:02 (permalink)
That is not true, actually...

Because my user has in the whitelist the address notifications@monday.com,
and we are getting mail where the From parameter is set to:
bounces+6182960-837b-Name.surname=My.Domain@emails.monday.com
which is far from looking like the whitelisted address.
This one is even from a different domain, from @emails.monday.com.
 
 
#3
Carl Windsor_FTNT (Fortinet, United Kingdom)
Re: AntiSpam strange behaviour 2019/06/19 08:03:01 (permalink)
You have a Personal Safe List entry for "notifications@monday.com" and this is what appears in the Header From (see the first history log line).

Carl Windsor
Senior Director, Product Management
Fortinet
#4
koldun (New Member)
Re: AntiSpam strange behaviour 2019/06/19 08:28:08 (permalink)
Isn't it ridiculous behaviour?
It really looks like a golden cave for spammers :) because basically anyone from anywhere can send a mail, and all this sender needs is to set a Header From address that will be accepted.

OK, next question: what can be done to stop that (and don't tell me "remove that address from the whitelist")?
 
#5
koldun (New Member)
Re: AntiSpam strange behaviour 2019/06/20 23:54:57 (permalink)
BTW,

does anyone know the words "phishing attack"?
Isn't that exactly what is happening here?

When someone is trying to pretend to be someone else, for some reason.
The key word is "pretend" :)

Here the spammer is trying to pretend to be a legitimate sender, and your system is accepting mails with salt, bread and dances over that mail, and moreover, a senior director of product management is trying to tell us that it is correct behaviour.
 
 
#6
Carl Windsor_FTNT (Fortinet, United Kingdom)
Re: AntiSpam strange behaviour 2019/06/21 06:38:15 (permalink)
This is not the normal correct behavior; this is only the case when you have explicitly safe listed the sender. Safe listing is for working around situations where the sending party may not have their mail servers configured correctly (blacklisted IP, SPF fail etc.) but where you must receive their emails. There is a warning to this effect in the admin guide for this reason.
 


Carl Windsor
Senior Director, Product Management
Fortinet
#7
koldun (New Member)
Re: AntiSpam strange behaviour 2019/06/21 06:55:29 (permalink)
There are many things in your reply that do not fit my case.

First, the user whitelisted a pretty well-defined address, not even close to a wildcard.
And for some reason the system thinks that this whitelisted address "notifications@monday.com" is exactly equal to this monster address bounces+6182960-837b-Name.Surname=My.Domain@emails.monday.com that is coming in the From field.

So I still do not understand how this could happen at all.

This is not my first time working with antispam.
I have previous experience working with IronPort, Proofpoint, Retarus and Sendmail, and none of those systems ever allowed this to happen. And here, instead of trying to provide some solution for how to fix that, I get a message that this is exactly how it must work :) that's really funny.
#8
Carl Windsor_FTNT (Fortinet, United Kingdom)
Re: AntiSpam strange behaviour 2019/06/21 07:15:31 (permalink)
The wildcard in the example is to show that safelisting should be used with caution because of the impact it could have. Caution should still be used for exact matches.

> And for some reason, system think that this "notifications@monday.com" whitelisted address is
> exactly equal to this monster address =
> bounces+6182960-837b-Name.Surname=My.Domain@emails.monday.com that is coming in
> From field

Your email was addressed as follows:

Mail From: bounces+6182960-837b-Name.Surname=My.Domain@emails.monday.com
Header From: notifications@monday.com

The Safelist matched the Header From.
 

Carl Windsor
Senior Director, Product Management
Fortinet
#9
koldun (New Member)
Re: AntiSpam strange behaviour 2019/06/24 23:55:32 (permalink)
OK,

I hope we both agree that the main thing here is the Mail From address, as it represents the real sender address.
Header From is needed to change the displayed address in the Outlook client. No doubts about this, right?

And now the question is: how do we need to modify the system to make it match whitelist entries against Mail From addresses and not touch Header From? Or what else can we change to prevent that kind of spam from being accepted?
 
#10
koldun (New Member)
Re: AntiSpam strange behaviour 2019/06/25 02:30:11 (permalink)
Or at least, if the AS engine marks it as SPAM (and it really does, good job), is there an option to modify the subject, to prepend it with some [FortiMail=This Is Spam] part?
#11
Bromont_FTNT (Platinum Member)
Re: AntiSpam strange behaviour 2019/06/25 05:17:40 (permalink)
I would start by asking why does notifications@monday.com need to be whitelisted? Why is the legitimate sender being quarantined if not whitelisted?
Also the Mail From: on the legitimate e-mail may not match notifications@monday.com either. Best to check the logs and make sure. 
post edited by Bromont_FTNT - 2019/06/25 05:22:22
#12
koldun (New Member)
Re: AntiSpam strange behaviour 2019/06/25 05:34:18 (permalink)
This monday.com is just an example; there are many, many different cases like this.
So I would like to have some ways of improvement on the FortiMail side first.

In other words, before starting to fight windmills, I would like to be sure that my sword is sharp and my horse is strong. So I need to fix the FortiMail settings first. And what I see right now is not looking good.
#13
Bromont_FTNT (Platinum Member)
Re: AntiSpam strange behaviour 2019/06/25 05:45:42 (permalink)
I would suggest opening a support ticket to get this looked at. 
#14
koldun (New Member)
Re: AntiSpam strange behaviour 2019/06/25 05:49:08 (permalink)
> Bromont: I would suggest opening a support ticket to get this looked at.

Good idea, but I think this kind of discussion would be of interest to many different FortiMail users, and going the support way is hidden from the public. Which does not mean that I didn't do that. I am going two ways at the same time :)
#15
Carl Windsor_FTNT (Fortinet, United Kingdom)
Re: AntiSpam strange behaviour 2019/06/25 06:25:05 (permalink)
> I hope that we both are agree that main here is a Mail From address, as it is represent a real
> sender address. Header From is needed to change displayed address in outlook client.

Agreed that the Mail From address represents the originating sender of the email (assuming it is not forged) and is where any NDRs should be sent, but the mail may be sent on behalf of another user, e.g. in your case "notifications@monday.com", which is the address you wanted to safelist in the first place. There is no point safelisting the FROM in this case as it changes "bounces+6182960-837b-Name.Surname=My.Domain@emails.monday.com".

> How we need to modify that system to make it match whitelistings with Mail From addresses,
> and do not touch Header From?

If we did as suggested, you would not be able to whitelist the example I described above. Those users expecting to safe/blocklist emails based on the client Display Address (Mail From:) would be unsuccessful. This is functioning as intended.

> Or maybe what else we can change, to prevent that kind of spam to be accepted?

Safelisting deliberately bypasses SPF as it is one of the biggest causes of non-delivery. We could look at enforcing SPF whilst bypassing other methods, but it would have a major impact on those people using safelisting to remediate bad SPF configs; there are a surprisingly large number in some pretty major organizations, including monday.com, who have a PermError "too many lookups".

Ideally, to avoid misuse, you remove the safelist entry; however, what has not been mentioned yet is why it was needed to safelist "notifications@monday.com" in the first place?
 
 

Carl Windsor
Senior Director, Product Management
Fortinet
#16
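As an added example that is not FortiMail code and not from any poster in this thread, the following script shows the two addresses Carl lays out in #8 and #15 (envelope Mail From versus Header From) and how a safelist keyed on the Header From alone is matched by both the legitimate on-behalf message and a message with the same display address from an unrelated envelope sender; the `match_on="mail_from"` and `alignment` options are assumed variants of the check that koldun asks for in #9, and both messages are constructed samples.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not the thread's FortiMail export): sample 1 mirrors the
# addressing Carl gives in #8; sample 2 is the forged-display case from #4.
ON_BEHALF = """\
Return-Path: <bounces+6182960-837b-Name.Surname=My.Domain@emails.monday.com>
From: monday.com <notifications@monday.com>
Subject: constructed sample 1

"""
FORGED_DISPLAY = """\
Return-Path: <bulk-0001@unrelated-sender.example>
From: monday.com <notifications@monday.com>
Subject: constructed sample 2

"""
SAFELIST = {"notifications@monday.com"}  # the user's Personal Safe List entry

def sender_addresses(raw):
    """Return (mail_from, header_from), lowercased, taken from Return-Path
    (the envelope Mail From as recorded on delivery) and the Header From."""
    msg = message_from_string(raw)
    mail_from = parseaddr(msg.get("Return-Path", ""))[1].lower()
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    return mail_from, header_from

def domain(addr):
    return addr.rsplit("@", 1)[-1]

def aligned(mail_from, header_from, mode):
    """strict: envelope and header domains identical; relaxed: the envelope
    domain is the header domain or a subdomain of it (DMARC-style)."""
    d_mail, d_hdr = domain(mail_from), domain(header_from)
    if mode == "strict":
        return d_mail == d_hdr
    return d_mail == d_hdr or d_mail.endswith("." + d_hdr)

def safelist_decision(raw, safelist, match_on="header_from", alignment=None):
    """'bypass' if the safelist lets the message skip filtering, else 'filter'.
    match_on="header_from" is the behaviour described in the thread; alignment
    (None, "relaxed" or "strict") is an assumed extra condition a defender could add."""
    mail_from, header_from = sender_addresses(raw)
    candidate = header_from if match_on == "header_from" else mail_from
    if candidate not in safelist:
        return "filter"
    if alignment and not aligned(mail_from, header_from, alignment):
        return "filter"  # safelisted address, but unaligned envelope sender
    return "bypass"
```

With relaxed alignment the legitimate emails.monday.com bounce address still passes while the unrelated envelope sender is filtered; strict alignment or matching on Mail From would also filter the legitimate on-behalf message, which is the trade-off Carl describes in #15.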
koldun (New Member)
Re: AntiSpam strange behaviour 2019/06/25 06:35:52 (permalink)
It's a super feature that maybe is enabled by default, or was enabled by one of the admins who set this up before me.
This feature is called "Outgoing Recipient Safelisting".

Sometimes that caused funny cases where a user gets some spam, the user has Out of Office set, sends an auto-reply, and that spam address is automatically whitelisted for future spam mails.
#17