How does FortiMail address email spoofing (inbound)?

Author
Fullmoon
Platinum Member
2020/10/15 04:50:13 (permalink)

How does FortiMail address email spoofing (inbound)?

My client threw me a question on how FortiMail addresses spoofed emails. Reading this forum and other Fortinet documents, it seems I have gathered only a few resources. Could anyone share recommended settings on how to address the above subject? I read about the BEC feature and it seems it works differently. Could SPF, DKIM and DMARC tighten the security, perhaps?
 
Is this good enough to handle incoming spoof emails?
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/47b932c2-9450-11e9-81a4-00505692583a/FortiMail_Preventing_Email_Spoofing.pdf
 
I assume this link is intended to prevent internal users from spoofing internal users or other domains:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD38665
 
Again, any useful insights are much appreciated.
 

Fortigate Newbie
#1
Hosemacht
Silver Member
Re: how Fortimail address email spoofing (inbound) 2020/10/15 07:39:37 (permalink)
Hey there,
 
let me tell you what we did against email spoofing with FortiMail:
 
  • 1st: enable a blocklist in your inbound Session Profile and set the record to "*@yourdomain.com"
  • 2nd: set up a Dictionary filter -> type Regex -> Pattern: "[EHeAdEr]^from:.*\b\@yourdomain.com\b", Pattern weight 1, Pattern Maximum 1 -> select Search header only -> add this to your Antispam Profile
  • 3rd: if licensed, enable Impersonation and set dynamic and manual -> for critical email addresses like CEOs set up a manual Impersonation entry, Pattern type Regex -> under Display name enter a Regex which hits if surname and last name are in the Display name, like: "(surname)+[\s\S]+(lastname)+|(lastname)+[\s\S]+(surname)+/gi" -> add this to your Antispam Profile
 Regards
post edited by Hosemacht - 2020/10/15 07:41:35

sudo apt-get-rekt
#2
Fullmoon
Platinum Member
Re: how Fortimail address email spoofing (inbound) 2020/10/15 22:38:48 (permalink)
the_giraffe_that_wasnt_president
  • 1st: enable a blocklist in your inbound Session Profile and set the record to "*@yourdomain.com"
  • 2nd: set up a Dictionary filter -> type Regex -> Pattern: "[EHeAdEr]^from:.*\b\@yourdomain.com\b", Pattern weight 1, Pattern Maximum 1 -> select Search header only -> add this to your Antispam Profile
  • 3rd: if licensed, enable Impersonation and set dynamic and manual -> for critical email addresses like CEOs set up a manual Impersonation entry, Pattern type Regex -> under Display name enter a Regex which hits if surname and last name are in the Display name, like: "(surname)+[\s\S]+(lastname)+|(lastname)+[\s\S]+(surname)+/gi" -> add this to your Antispam Profile



Thank you for this, deeply appreciated.
So far, how has the user experience been after you defined the above settings?
 
 

Fortigate Newbie
#3
Hosemacht
Silver Member
Re: how Fortimail address email spoofing (inbound) 2020/10/19 00:59:47 (permalink)
Hey there,
 
Our users aren't really aware of this feature; we have planned some trainings about this.
I forgot another useful feature you could implement:
  • 4th: at your local MTA add a specific tag to the user display names which clearly identifies your company, like " | Company Name". So the display name for a user would be, for example: surname lastname | Company Name. Then you can filter emails with that tag from inbound traffic with another dictionary filter: "[EHeAdEr]^from:.*\bCompany Name\b"
After that you can drill users to look specifically for this tag in the display names to verify internal senders.
 
Regards

sudo apt-get-rekt
#4
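To make the filters from posts #2 and #4 concrete, here is an added example (not from the thread or from FortiMail) that runs the posted regexes over constructed inbound header blocks: the From-header domain filter, the " | Company Name" tag filter and the CEO display-name impersonation entry. It assumes that the "[EHeAdEr]" prefix only scopes the match to the header, that the JavaScript-style "/gi" suffix means case-insensitive matching, and that "Jane"/"Doe" stand in for the CEO's names.

```python
import re
from typing import Dict, List

# Regexes from the thread. Assumptions: the FortiMail "[EHeAdEr]" prefix is a
# header-scope marker, not part of the pattern, and the "/gi" suffix is meant as
# "ignore case", so both are dropped and re.IGNORECASE is used instead. The
# unescaped dot in "yourdomain.com" is kept exactly as posted.
FROM_DOMAIN_RE = re.compile(r"^from:.*\b\@yourdomain.com\b", re.I | re.M)
COMPANY_TAG_RE = re.compile(r"^from:.*\bCompany Name\b", re.I | re.M)
CEO_DISPLAYNAME_RE = re.compile(r"(jane)+[\s\S]+(doe)+|(doe)+[\s\S]+(jane)+", re.I)
FROM_DISPLAYNAME_RE = re.compile(r"^from:\s*(.*?)<", re.I | re.M)

# Constructed header blocks standing in for inbound messages (not from the thread).
SAMPLES: Dict[str, str] = {
    "internal_claim": "Received: from mx.partner.example\n"
                      'From: "Jane Doe | Company Name" <jane.doe@yourdomain.com>\n'
                      "To: staff@yourdomain.com\n",
    "ceo_lookalike": 'From: "Jane Doe" <ceo.jane@webmail.example>\nTo: finance@yourdomain.com\n',
    "ceo_reversed": 'From: "Doe, Jane" <lookalike@mail.example>\nTo: finance@yourdomain.com\n',
    "unrelated": 'From: "Acme Invoices" <billing@partner.example>\nTo: ap@yourdomain.com\n',
}


def classify(headers: str) -> List[str]:
    """Return the names of the thread's filters that fire on one inbound header block."""
    hits = []
    # Filter 2: an inbound From header that claims the internal domain.
    if FROM_DOMAIN_RE.search(headers):
        hits.append("dictionary:internal-domain-in-from")
    # Filter 4: an inbound From header carrying the internal-only display-name tag.
    if COMPANY_TAG_RE.search(headers):
        hits.append("dictionary:company-tag-in-from")
    # Filter 3: manual impersonation entry on the display name only, either name order.
    m = FROM_DISPLAYNAME_RE.search(headers)
    if m and CEO_DISPLAYNAME_RE.search(m.group(1)):
        hits.append("impersonation:ceo-displayname")
    return hits


def run_samples() -> Dict[str, List[str]]:
    """Evaluate every constructed sample; an empty list means no filter fired."""
    return {name: classify(hdrs) for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:15} -> {hits or ['no filter fired']}")
```

Note that the domain filter also fires on legitimate third-party services that send inbound mail with your domain in From, so those senders need an exemption before the blocklist goes live. The tag filter only holds if the tag is added by the local MTA alone and never appears in mail that legitimately arrives from outside.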
Fullmoon
Platinum Member
Re: how Fortimail address email spoofing (inbound) 2020/10/20 16:57:06 (permalink)
@hosemacht, I appreciate you sharing knowledge about this.
 
Would you mind sharing a screenshot of your 4th recommendation? Sorry, I can't figure out where to find it in the FML settings.

Fortigate Newbie
#5