i_litvinov
New Contributor

Blocking mail from counterfeit (fake) sender

Is there any way to block a fake "Client" field just like the one in the attachment?

In the attachment, there is a "Header from" field pointing to an appropriate (trusted) sender, but the "Client" field displays an unwanted and potentially dangerous sender. Is there a method to block such fake senders?

1 Solution
Hosemacht
Contributor II

Hi

Just activate SPF checking.

Yandex has the following SPF record:

v=spf1 include:_spf-ipv4.yandex.ru include:_spf-ipv6.yandex.ru ~all

So Yandex did only a soft fail, which passes the email even if the SPF record doesn't match.

You have to set your FortiMail to block all SPF failures to avoid further fake mails.

 

Regards

sudo apt-get-rekt

i_litvinov

Hi!

SPF was enabled on AntiSpam tab but in session profile was disabled. Activated, will try!

 

Thanks a lot!

live89

That's weird

If SPF was enabled in AntiSpam profile that should do the work.

Enabling SPF in the session profile will just "improve performance" by rejecting invalid senders before more resource-intensive AntiSpam scans are performed.

In our environment, SPF is disabled in the session profile and enabled in the AntiSpam profile, and it is still working fine.

Thanks
Jeff_Roback

Nope.   If the user or the admin adds the address to a safelist, all of the antispam profile, including SPF, is never checked.

 

Jeff Roback

i_litvinov

the_giraffe_that_wasnt_president wrote:

Hi

 

Just activate SPF checking.

Yandex has the following SPF record:

v=spf1 include:_spf-ipv4.yandex.ru include:_spf-ipv6.yandex.ru ~all

So Yandex did only a soft fail, which passes the email even if the SPF record doesn't match.

You have to set your FortiMail to block all SPF failures to avoid further fake mails.

Regards

Should I also enable DMARC with SPF?

Hosemacht

DMARC is a combination of SPF and DKIM

 

I would not recommend enabling this feature unless you have not already a working DKIM for your domain and MTAs.

Enabling SPF in the AntiSpam profile should work well, but "Bypass SPF checking" in the session profile should be set to disable.

Regards

sudo apt-get-rekt
Jeff_Roback

Make sure you're aware of a unique behavior in the FortiMail... anyone in your safelist will not have SPF checking done... So frequently the very same people you're wanting to ensure delivery for will not be protected with SPF.

 

See threads here:

https://forum.fortinet.com/tm.aspx?m=161900

 

and here:

https://forum.fortinet.com/tm.aspx?m=175489

 

for more details

 

Jeff Roback

Hosemacht

Jeff Roback wrote:

Make sure you're aware of a unique behavior in the FortiMail... anyone in your safelist will not have SPF checking done... So frequently the very same people you're wanting to ensure delivery for will not be protected with SPF.

 

See threads here:

https://forum.fortinet.com/tm.aspx?m=161900

 

and here:

https://forum.fortinet.com/tm.aspx?m=175489

 

for more details

 

 

Absolutely correct!

My own workaround for this behavior is to purge all white lists twice a year.

 

Cheers

sudo apt-get-rekt
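
Added example (not part of any post above, and not FortiMail code): a small Python model of why the `~all` record quoted in the thread only soft-fails a client that matches none of its mechanisms, and how a block-on-softfail policy and a safelist change the outcome. The `verdict` function, its parameters and the sample address are hypothetical; the rule that a hard fail is always rejected is an assumption.

```python
import re

# SPF record quoted in the thread above.
YANDEX_RECORD = "v=spf1 include:_spf-ipv4.yandex.ru include:_spf-ipv6.yandex.ru ~all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def default_result(record):
    """SPF result for a client that matches none of the record's mechanisms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    for term in terms[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if match:
            # A missing qualifier means "+", so a bare "all" passes everyone.
            return QUALIFIERS[match.group(1) or "+"]
    # No "all" term: RFC 7208 yields neutral (redirect= is not followed here).
    return "neutral"


def verdict(spf_result, sender, safelist=(), block_softfail=False):
    """Hypothetical receiver policy modelled on the posts above.

    Assumptions: a hard fail is always rejected, and a safelisted sender
    skips the SPF decision entirely, as the safelist replies describe.
    """
    if sender.lower() in {entry.lower() for entry in safelist}:
        return ("accept", "safelisted, SPF result ignored")
    if spf_result == "fail":
        return ("reject", "SPF fail")
    if spf_result == "softfail" and block_softfail:
        return ("reject", "SPF softfail treated as failure")
    return ("accept", "SPF result " + spf_result)


if __name__ == "__main__":
    sender = "user@yandex.ru"  # constructed sample address
    result = default_result(YANDEX_RECORD)
    print("unlisted client ->", result)
    print("default policy  ->", verdict(result, sender))
    print("block softfail  ->", verdict(result, sender, block_softfail=True))
    print("safelisted      ->", verdict(result, sender, [sender], True))
```

The last line shows the safelist caveat from the thread: the message is accepted even with softfail blocking turned on.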
