Hello. To secure your email with FortiMail, you need to configure anti-spoofing on the product. By default, FortiMail's communication with the FortiGuard services is enabled, but the default configuration of a security product never fully protects your environment.
What is Spoofing?
Spoofing is a fraudulent method that disguises who actually sent an email by changing the information in the email header. It creates the impression that the email was sent from a different address than the one it actually came from.
Email spoofing is relatively easy to do, so many users will encounter this type of scam. It is used to steal personal information or to encourage users to download malware, although spoofing is sometimes done for legitimate reasons, such as when a user has to answer work emails from their personal email account. However, it is most commonly used for spam and scam purposes.

Phishing attacks are the most common form of spoofing. This type of attack aims to collect personal information from the recipient, such as usernames, passwords, credit card details and other personal data, while posing as a legitimate source. To persuade the recipient, these emails are designed to resemble real company emails: the look of the company's website, its email addresses and its logo are carefully imitated to manipulate the victim. The main reason attackers use this method is to gain the target's trust.
How to Create a Spoofing Email?
Creating a spoofed email is relatively easy. There are two sender addresses that can be forged: the envelope sender and the SMTP Header From. Each is used differently, and FortiMail uses a variety of methods to verify them and detect such forgeries:
- SMTP Header From (RFC 822) is the user-facing address and is set during the SMTP "Data" phase of message transmission. Forgery is more common in this field, and it is the one used in both legitimate and malicious spoofing use cases. The SMTP Header From is what users see in the "From:" field of their e-mail client.
- Envelope Sender (also known as the RFC 821 sender address) is defined at the beginning of the SMTP conversation, before the DATA command. This is where the "Mail From:" command is issued, which tells the receiving SMTP MTA which mailbox sent the message and where to send return (bounce) messages if necessary. NOTE: This field does not have to be populated and can be left blank (Mail From: <>); it also does not have to match the "From:" address in the "data" payload of the SMTP header.
Command | Server Response | Comments
---|---|---
telnet mailhost 25 | | Open a telnet connection to the mail server's IP or hostname on TCP port 25.
| 220 hostname ... | The 220 banner confirms the SMTP service is ready for commands.
ehlo (or helo) | 250 ... | Identify yourself with the ehlo or helo handshake. A reply such as "Hello ..., pleased to meet you" confirms the command was accepted; if not, rerun the helo or ehlo command.
mail from: [email protected] | 250 ... | Specify the RFC 821 "envelope sender" of the message. "Sender ok" confirms acceptance; otherwise SPF or other anti-spoofing rules may be blocking the delivery attempt.
rcpt to: [email protected] | 250 ... | Specify the RFC 821 "envelope recipient" of the message. "Recipient ok" confirms acceptance; otherwise the recipient may be invalid or relaying is not allowed.
data | 354 ... | The data command indicates you are done specifying recipients and are ready to transmit the message content. "Send message" means the server is ready to accept it. NOTE: a line feed, a period "." on a line of its own and another line feed mark the end of the message.
From: "Bill Gates" [email protected] | | Specify the RFC 822 "SMTP Header From".
To: "Blank Doe" [email protected] | | Specify the RFC 822 "SMTP Header To" (optional).
Subject: Some eye catching description | | Specify the message subject.
(empty line) | | An empty line marks the end of the RFC 822 header.
Message body text | | Specify the message body.
. | 250 ... | Indicates the body is done and the message is ready to be queued for processing. "Queued" confirms the message was accepted.
quit | 221 ... | Indicates you are done sending messages. "Goodbye" confirms the server accepted the command to close the SMTP session.
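The two sender fields in the session above are what every anti-spoofing rule ultimately compares. The following Python is an added example (not code from the article or from Fortinet): it parses a constructed client-side SMTP transcript like the one in the table, pulls out the RFC 821 envelope sender and the RFC 822 Header From, and flags the case where the header claims one of your protected domains while the envelope does not. The domains and addresses in the transcript are placeholders.

```python
import re
from email.utils import parseaddr

# Constructed sample of the client side of an SMTP session like the one in the
# table above (domains are placeholders). It carries the two sender fields the
# article distinguishes: the RFC 821 envelope sender (MAIL FROM) and the
# RFC 822 header From.
SAMPLE_SESSION = """\
ehlo relay.outside.example
mail from: <bounce@outside.example>
rcpt to: <blank.doe@corp.example>
data
From: "Bill Gates" <ceo@corp.example>
To: "Blank Doe" <blank.doe@corp.example>
Subject: Some eye catching description

Specify the message body content
.
quit
"""

# MAIL FROM with or without angle brackets; an empty capture is the null sender.
MAIL_FROM_RE = re.compile(r"^mail from:\s*<?([^<>\s]*)>?", re.IGNORECASE)


def extract_senders(session: str):
    """Return (envelope_sender, header_from) from a raw SMTP client transcript.

    The envelope sender comes from the MAIL FROM command issued before DATA; the
    header From is read from the RFC 822 header block that follows DATA and ends
    at the first empty line. A null envelope sender (MAIL FROM:<>) yields ''.
    """
    envelope = None
    header_from = None
    in_data = False
    in_headers = False
    for line in session.splitlines():
        if not in_data:
            m = MAIL_FROM_RE.match(line)
            if m:
                envelope = m.group(1)
            elif line.strip().lower() == "data":
                in_data = True
                in_headers = True
        elif in_headers:
            if line == "":
                in_headers = False          # empty line closes the header block
            elif line.lower().startswith("from:"):
                header_from = parseaddr(line[5:])[1]
        elif line == ".":
            break                           # lone period terminates the message
    return envelope, header_from


def domain_of(address):
    """Lower-cased domain part of an address, or '' for empty/null senders."""
    if not address or "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower()


def is_header_spoof(session: str, protected_domains) -> bool:
    """Flag a message whose header From claims a protected domain while the
    envelope sender does not. This mismatch is what the FortiMail rules later in
    the article key on; by itself it is a signal rather than proof (mailing
    lists and forwarders produce it too), so treat it as input to policy."""
    envelope, header_from = extract_senders(session)
    protected = {d.lower() for d in protected_domains}
    return domain_of(header_from) in protected and domain_of(envelope) not in protected


if __name__ == "__main__":
    print(extract_senders(SAMPLE_SESSION))
    print("header From spoofs corp.example:", is_header_spoof(SAMPLE_SESSION, ["corp.example"]))
```

Run it as a script to see the extracted pair and the verdict for the sample; a session that uses the null sender (Mail From: <>) from the note above is also flagged, because an empty envelope domain is never one of your protected domains.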
Fortimail Spoofing Rule
You can use FortiMail either in the cloud or on-premises, and it works in harmony with Exchange Server, Exchange Online and other providers. FortiMail offers many methods to prevent spoofing and phishing; the two most important rules are:
- Envelope Sender (Access Control Reject)
- SMTP Header From (Regex)
Creating a Fortimail Spoofing Rule
Envelope Sender (Access Control Reject)
Follow the path FortiMail – Policy – Access Control.

We need to create a new rule with the New button in the Access Control Rule section. The rule we will create should be as follows.
Sender – Internal
Recipient – Internal
Source – IP/Netmask “0.0.0.0”
Reverse DNS pattern – *
Authentication status – Not Authenticated
TLS profile – –None–
Action – Reject
Comment – Optional

Note: If a mail relay service is used for the domains we actively use, or if they are also hosted on an additional MTA, FortiMail will reject mail coming from those other MTAs. Therefore an additional rule needs to be created that lists the IP addresses of the other providers, with the Action set to Safe/Relay.
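To make the ordering point in the note concrete, here is an added example (not FortiMail's code) that models the access control list in Python: the reject rule from the list above plus the Safe/Relay exception for an external relay provider. It assumes top-down, first-match evaluation, reads the article's Source "0.0.0.0" as "any address" (0.0.0.0/0), and uses the placeholder domain corp.example and the documentation range 198.51.100.0/24 in place of your real domain and the provider's addresses.

```python
import ipaddress
from dataclasses import dataclass

# Assumed, simplified model of the FortiMail access control list (not FortiMail's
# own code): rules are checked top-down and the first matching rule decides the
# action. Domains and IP ranges below are constructed placeholders.


@dataclass
class Connection:
    sender: str           # envelope sender from MAIL FROM
    recipient: str        # envelope recipient from RCPT TO
    source_ip: str        # address of the connecting MTA or client
    authenticated: bool   # whether SMTP AUTH succeeded on this session


@dataclass
class Rule:
    name: str
    sender_internal: bool      # Sender – Internal
    recipient_internal: bool   # Recipient – Internal
    source: str                # Source – IP/Netmask in CIDR; "0.0.0.0/0" = any
    not_authenticated: bool    # Authentication status – Not Authenticated
    action: str                # Reject, or Relay for the exception rule

    def matches(self, conn: Connection, internal_domains) -> bool:
        def is_internal(addr: str) -> bool:
            return addr.rsplit("@", 1)[-1].lower() in internal_domains

        if self.sender_internal and not is_internal(conn.sender):
            return False
        if self.recipient_internal and not is_internal(conn.recipient):
            return False
        if ipaddress.ip_address(conn.source_ip) not in ipaddress.ip_network(self.source):
            return False
        if self.not_authenticated and conn.authenticated:
            return False
        return True


INTERNAL_DOMAINS = {"corp.example"}   # placeholder for your protected domain(s)

# The exception for the external relay/MTA from the note sits ABOVE the reject
# rule; 198.51.100.0/24 stands in for the provider's real address range.
RULES = [
    Rule("allow-relay-provider", True, True, "198.51.100.0/24", True, "Relay"),
    Rule("reject-unauth-internal-spoof", True, True, "0.0.0.0/0", True, "Reject"),
]


def decide(conn: Connection, rules=RULES, internal_domains=INTERNAL_DOMAINS):
    """Return (rule_name, action) of the first matching rule, or
    ('no-match', 'Continue') when no access control rule applies and later
    policies decide (assumed fall-through behaviour)."""
    for rule in rules:
        if rule.matches(conn, internal_domains):
            return rule.name, rule.action
    return "no-match", "Continue"


if __name__ == "__main__":
    spoof = Connection("ceo@corp.example", "staff@corp.example", "203.0.113.7", False)
    via_relay = Connection("ceo@corp.example", "staff@corp.example", "198.51.100.25", False)
    print(decide(spoof))                         # Reject: internal-to-internal, unauthenticated, unknown source
    print(decide(via_relay))                     # Relay: the exception rule matched first
    print(decide(via_relay, rules=RULES[::-1]))  # Reject: with the order reversed the provider is blocked
```

The last call shows why the exception rule must sit above the reject rule: with the order reversed, legitimate mail from the relay provider matches the catch-all reject rule first. Authenticated sessions (for example your own users submitting mail) never match the reject rule because of the Not Authenticated condition.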
How to Prevent Spoofing Using SMTP Header
To block mail that spoofs the SMTP Header From on FortiMail, we need to create a new Dictionary and activate the regex I have shared below.
Follow the path FortiMail – Profile – Dictionary and create a new Dictionary rule with the New button.

The rule we will create should be as follows.
Pattern : [EHeAdEr]^from:.*[email protected]
Pattern type : Regex
Search Header : Enabled

The RegEx given above will match emails whose 'From' header contains the domain you have added. If you use multiple domains, it is recommended that you add a new Dictionary entry for each unique domain you want to match.
NOTE: The above RegEx uses the FortiMail-specific match condition '[EHeAdEr]', which is not supported by RegEx testing tools such as www.regex101.com; remove it when testing the pattern(s) with such tools.
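The following Python is an added example (not from the article or from Fortinet) of exactly that test: it strips the '[EHeAdEr]' prefix, runs the remaining pattern over a few constructed header blocks the way a header search would, and shows which ones hit. It assumes the placeholder domain corp.example (with the dot escaped) in place of the obfuscated address in the article's pattern.

```python
import re

# The dictionary pattern from the article, with an assumed placeholder domain
# (the page's own address is obfuscated). '[EHeAdEr]' is a FortiMail-specific
# prefix selecting header matching; standard regex engines do not understand it.
FORTIMAIL_PATTERN = r"[EHeAdEr]^from:.*corp\.example"
FORTIMAIL_HEADER_PREFIX = "[EHeAdEr]"


def to_standard_regex(pattern: str) -> str:
    """Strip the FortiMail prefix so the rest can be tried in Python's re or regex101."""
    if pattern.startswith(FORTIMAIL_HEADER_PREFIX):
        return pattern[len(FORTIMAIL_HEADER_PREFIX):]
    return pattern


def header_matches(raw_headers: str, pattern: str = FORTIMAIL_PATTERN) -> bool:
    """Emulate 'Search Header: Enabled' by running the pattern over the header block.
    MULTILINE lets '^' anchor to each header line; IGNORECASE mirrors the fact that
    header names (From:, from:) are case-insensitive."""
    regex = re.compile(to_standard_regex(pattern), re.IGNORECASE | re.MULTILINE)
    return regex.search(raw_headers) is not None


# Constructed header blocks (CRLF-terminated, as on the wire).
SAMPLES = {
    # header From claims the protected domain while the mail arrives from outside
    "spoofed_internal": "Received: from mx.outside.example\r\n"
                        "From: \"CEO\" <ceo@corp.example>\r\n"
                        "Subject: Urgent\r\n",
    # ordinary external sender, not matched
    "external_legit": "Received: from mx.outside.example\r\n"
                      "From: Vendor <sales@vendor.example>\r\n"
                      "Subject: Quote\r\n",
    # look-alike domain: the unanchored '.*corp\.example' still matches
    "lookalike": "From: Helpdesk <it@corp.example.attacker.example>\r\nSubject: Reset\r\n",
    # protected domain only in the display name: also matched
    "display_name_only": "From: corp.example Support <it@attacker.example>\r\nSubject: Reset\r\n",
}


def classify(samples=SAMPLES):
    """Map each sample name to whether the dictionary pattern would hit it."""
    return {name: header_matches(hdrs) for name, hdrs in samples.items()}


if __name__ == "__main__":
    print(to_standard_regex(FORTIMAIL_PATTERN))
    for name, hit in classify().items():
        print(f"{name}: {'MATCH' if hit else 'no match'}")
```

Because the tail of the pattern is not anchored, it also catches look-alike domains and display names that merely mention your domain, which is useful against phishing but means any inbound From line containing that string is flagged. Mail your own users send also matches, which is why the next step applies the dictionary to the inbound profile only.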
Step 2: Apply the new Dictionary. The dictionary can be applied to a Content Profile or to an AntiSpam Profile.
Open the inbound profile under FortiMail – Profile – AntiSpam.

After expanding the Dictionary tab in the AntiSpam Profile, simply select the Dictionary rule you created in the “With dictionary profile” field.

With the steps above, we have covered what spoofed mail is and how to block it on FortiMail. I hope it was useful; see you in another article.