Created on 06-04-2010 07:44 AM Edited on 06-09-2022 08:54 PM By Anonymous
Description
Scope
Solution
Return-Path: <user2@external.lab>
X-Original-To: user2@external.lab
Delivered-To: user2@external.lab
Received: from [10.112.0.10] (unknown [10.160.0.108]) by mail.external.lab (Postfix) with ESMTPS id 325C36644 for <user2@external.lab>; Fri, 4 Jun 2010 19:57:03 +0200 (CEST)
Message-ID: <4C0CFFE8.5080206@external.lab>
Date: Mon, 07 Jun 2010 16:19:20 +0200
From: user2 <user2@external.lab>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: user2@external.lab
Subject: Fwd: FW: o9byvn =?GB2312?B?udzA7bv5sb65pi0tvMa7rtPr1rTQ0CA2ODc5NA==?= =?GB2312?B?ODY=?=
Content-Type: multipart/mixed; boundary="------------010703080306080705040102"

This is a multi-part message in MIME format.
--------------010703080306080705040102
Content-Type: multipart/alternative; boundary="------------070905030306010401070808"

--------------070905030306010401070808
Content-Type: text/plain; charset=gb2312
Content-Transfer-Encoding: 7bit
(*) This does not apply if the charset is "UTF-8" or Unicode, as shown in the MIME header excerpt below:
------=_NextPart_001_0E88_014824E4.176AA680
Content-Type: text/plain; charset=" utf-8"
Content-Transfer-Encoding: base64
The example below shows how to block all mails containing the words "gb2312" (Chinese) or "koi8-r" (Cyrillic). The example is given for 4.0MR2.
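The following Python example is added here and is not part of the Fortinet article: it reads the charsets a message declares (the Content-Type charset of every MIME part plus the charset tags of RFC 2047 encoded-words in the Subject) and reports which of the banned charsets it hits. The sample messages are constructed, modelled on the two header excerpts above, and the boundary strings are shortened. It also shows the caveat from the note above: a mail declared as UTF-8 (even with the stray space inside `charset=" utf-8"`) is not caught, so a rule keyed on the charset name is a coarse language filter, not a content check. Unlike the FortiGate DLP rule, which wildcard-matches the literal string in the SMTP stream, this parser looks only at declared charsets.

```python
import email
from email import policy
from email.header import decode_header

# Charset names the DLP rules in section A ban (same list as the article).
BLOCKED_CHARSETS = ("gb2312", "koi8-r")

# Constructed sample messages (not the article's full mails), modelled on the
# header excerpts above. Boundary strings are shortened for readability.
GB2312_MSG = b"""From: user2 <user2@external.lab>
To: user2@external.lab
Subject: Fwd: FW: o9byvn =?GB2312?B?udzA7bv5sb65pi0tvMa7rtPr1rTQ0CA2ODc5NA==?= =?GB2312?B?ODY=?=
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="mixed-boundary"

This is a multi-part message in MIME format.
--mixed-boundary
Content-Type: text/plain; charset=gb2312
Content-Transfer-Encoding: 7bit

(body omitted)
--mixed-boundary--
"""

KOI8R_MSG = b"""From: user1 <user1@external.lab>
To: user2@external.lab
Subject: test
MIME-Version: 1.0
Content-Type: text/plain; charset=KOI8-R
Content-Transfer-Encoding: 8bit

(body omitted)
"""

# Mirrors the second excerpt: UTF-8, with the stray space inside the quotes.
UTF8_MSG = b"""From: user1 <user1@external.lab>
To: user2@external.lab
Subject: =?UTF-8?B?zrrOsc67zrfOvM6tz4HOsQ==?=
MIME-Version: 1.0
Content-Type: text/plain; charset=" utf-8"
Content-Transfer-Encoding: base64

zrrOsc67zrfOvM6tz4HOsQ==
"""


def declared_charsets(raw: bytes) -> set:
    """Collect every charset the message declares, lower-cased and stripped:
    the Content-Type charset of each MIME part and the charset tags of any
    RFC 2047 encoded-words in the Subject header."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    found = set()
    for part in msg.walk():
        cs = part.get_content_charset()  # None on multipart containers
        if cs:
            found.add(cs.strip().lower())
    for _text, cs in decode_header(msg.get("Subject", "")):
        if cs:  # None for the unencoded fragments of the subject
            found.add(cs.strip().lower())
    return found


def charset_filter_hit(raw: bytes, blocked=BLOCKED_CHARSETS):
    """Return the first banned charset the message declares, or None."""
    declared = declared_charsets(raw)
    for cs in blocked:
        if cs in declared:
            return cs
    return None


if __name__ == "__main__":
    for name, raw in (("gb2312", GB2312_MSG), ("koi8-r", KOI8R_MSG), ("utf-8", UTF8_MSG)):
        print(f"{name:7} declares {sorted(declared_charsets(raw))} "
              f"-> banned charset hit: {charset_filter_hit(raw)}")
```

Run it as a script to see the three verdicts; the UTF-8 message declares only "utf-8" and therefore passes a charset-based filter regardless of the language of its text, which is exactly why the article pairs this approach with a banned-word table later on.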
A - FortiGate CLI configuration example
config dlp rule
    edit "filter gb2312"
        set protocol email
        set sub-protocol smtp
        set regexp "* gb2312*"
        set regexp-wildcard enable
    next
    edit "filter koi8-r"
        set protocol email
        set sub-protocol smtp
        set regexp " *koi8-r*"
        set regexp-wildcard enable
    next
end
config dlp sensor
    edit "Filter_mail_other_language"
        config rule
            edit "filter gb2312"
                set action ban
                set archive enable
                set expiry 5m
                set severity 5
            next
            edit "filter koi8-r"
                set action ban
                set archive enable
                set severity 5
            next
        end
        set dlp-log enable
        set nac-quar-log enable
    next
end
config firewall policy
    edit 2
        set srcintf "wan2"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set utm-status enable
        set schedule "always"
        set service "ANY"
        set spamfilter-profile "mail"
        set dlp-sensor "Filter_mail_other_language"
        set profile-protocol-options "default"
        set nat enable
    next
end
B - Verification when sending a mail containing gb2312 character set
B1 - FortiGate log
FGT# execute log filter category 9
FGT# execute log display
1 logs found.
1 logs returned.
1: 2010-06-07 17:11:30 log_id=0954024576 type=dlp subtype=dlp pri=warning vd="root" policyid=2 identidx=0 serial=1647 user="N/A" group="N/A" src=10.112.0.10 sport=2711 src_port=2711 src_int="wan2" dst=10.160.0.8 dport=25 dst_port=25 dst_int="dmz" service=smtp status=detected hostname="N/A" url="N/A" from="N/A" to= "N/A" msg="data leak detected(Data Leak Prevention Rule matched: ip address banned)" rulename="filter gb2312" compoundname="N/A" action=ban severity=5
B2 - Client MUA warning message (tested with Outlook Express)
An unknown error has occurred. Account: '10.160.0.8', Server: '10.160.0.8', Protocol: SMTP, Server Response: '554 5.7.1 This email has been blocked because a data leak was detected. Please contact your admin to be re-enabled.', Port: 25, Secure(SSL): No, Server Error: 554, Error Number: 0x800CCC6F
C - Verification when sending a mail containing koi8-r character set
C1 - FortiGate log
FGT# execute log filter category 9
FGT# execute log display
1 logs found.
1 logs returned.
1: 2010-06-07 17:09:56 log_id=0954024576 type=dlp subtype=dlp pri=warning vd="root" policyid=2 identidx=0 serial=1607 user="N/A" group="N/A" src=10.112.0.10 sport=2709 src_port=2709 src_int="wan2" dst=10.160.0.8 dport=25 dst_port=25 dst_int="dmz" service=smtp status=detected hostname="N/A" url="N/A" from="N/A" to= "N/A" msg="data leak detected(Data Leak Prevention Rule matched: ip address banned)" rulename="filter koi8-r" compoundname="N/A" action=ban severity=5
C2 - Client MUA warning message (tested with Outlook Express)
An unknown error has occurred. Account: '10.160.0.8', Server: '10.160.0.8', Protocol: SMTP, Server Response: '554 5.7.1 This email has been blocked because a data leak was detected. Please contact your admin to be re-enabled.', Port: 25, Secure(SSL): No, Server Error: 554, Error Number: 0x800CCC6F
D - Verification of the sensor action and banned action
FGT# get user ban list
id  cause          src-ip-addr  dst-ip-addr  expires                  created                  dlp-proto
1   filter gb2312  10.112.0.10               Mon Jun 7 17:17:38 2010  Mon Jun 7 17:12:38 2010  SMTP
config spamfilter bword
    edit 2
        config entries
            edit 1
                set language simch
                set pattern "你 好 欢 迎"
            next
            edit 2
                set language trach
                set pattern "你 好 歡 迎"
            next
            edit 3
                set language japanese
                set pattern "こ ん に ち は"
            next
            edit 4
                set language thai
                set pattern "สวัสดี"
            next
        end
        set name "block_other_language"
    next
end
config spamfilter profile
    edit "block_other_language"
        set spam-log enable
        config smtp
            set options bannedword
        end
        set spam-bword-table 2
    next
end
config firewall policy
    edit 2
        set srcintf "wan2"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set utm-status enable
        set schedule "always"
        set service "ANY"
        set spamfilter-profile "block_other_language"
        set profile-protocol-options "default"
        set nat enable
    next
end
An unknown error has occurred. Subject 'Re: ??????', Account: '10.160.0.8', Server: '10.160.0.8', Protocol: SMTP, Server Response: '554 5.7.1 This message has been blocked because it contains a banned word.', Port: 25, Secure(SSL): No, Server Error: 554, Error Number: 0x800CCC6F
FGT# execute log filter category 5
FGT# execute log display
1 logs found.
1 logs returned.
1: 2010-06-04 17:30:27 log_id=0508020481 type=emailfilter subtype=smtp pri=notice policyid=2 identidx=0 serial=110560 user="N/A" group="N/A" vd="root" src=10.112.0.10 sport=1974 src_port=1974 src_int="wan2" dst=10.160.0.8 dport=25 dst_port=25 dst_int="dmz" service=smtp carrier_ep="N/A" profile="block_other_language" profilegroup="N/A" profiletype="Antispam_Profile" status=detected from="user1@external.lab" to="user2@external.lab" tracker="N/A" banword="สวัสดี" msg="The email contains banned word(s)."
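Both verification logs on this page (the DLP log in sections B1 and C1, and the emailfilter log just above) are key=value lines with quoted values that may contain spaces, parentheses and colons, plus the `N logs found. N logs returned.` banner that `execute log display` prints in front of the entry. The Python below is an added example, not Fortinet code, that parses such a line into a dict and reduces it to the fields a mail-blocking alert needs (subsystem, matched rule name or banned word, source host, verdict). The two sample lines are copied from the page; the `to= "N/A"` spacing in the DLP line is handled on purpose, and the `triage()` function and its output keys are this example's own naming.

```python
import re

# Log lines copied from sections B1 and the spamfilter verification above,
# banner included, since that is what a paste from the CLI looks like.
DLP_LINE = ('1 logs found. 1 logs returned. 1: 2010-06-07 17:11:30 log_id=0954024576 type=dlp '
            'subtype=dlp pri=warning vd="root" policyid=2 identidx=0 serial=1647 user="N/A" '
            'group="N/A" src=10.112.0.10 sport=2711 src_port=2711 src_int="wan2" dst=10.160.0.8 '
            'dport=25 dst_port=25 dst_int="dmz" service=smtp status=detected hostname="N/A" '
            'url="N/A" from="N/A" to= "N/A" msg="data leak detected(Data Leak Prevention Rule '
            'matched: ip address banned)" rulename="filter gb2312" compoundname="N/A" '
            'action=ban severity=5')

SPAM_LINE = ('1 logs found. 1 logs returned. 1: 2010-06-04 17:30:27 log_id=0508020481 '
             'type=emailfilter subtype=smtp pri=notice policyid=2 identidx=0 serial=110560 '
             'user="N/A" group="N/A" vd="root" src=10.112.0.10 sport=1974 src_port=1974 '
             'src_int="wan2" dst=10.160.0.8 dport=25 dst_port=25 dst_int="dmz" service=smtp '
             'carrier_ep="N/A" profile="block_other_language" profilegroup="N/A" '
             'profiletype="Antispam_Profile" status=detected from="user1@external.lab" '
             'to="user2@external.lab" tracker="N/A" banword="สวัสดี" '
             'msg="The email contains banned word(s)."')

# Banner that 'execute log display' prints before the entry itself.
_BANNER = re.compile(r"^\s*\d+ logs found\. \d+ logs returned\. \d+:\s*")
# Leading date and time, which carry no key.
_STAMP = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})\s*")
# key=value where value is either double-quoted (may contain spaces,
# parentheses, colons) or a bare token; the optional whitespace after '='
# absorbs the 'to= "N/A"' quirk in the DLP line.
_KV = re.compile(r'([A-Za-z_]+)=\s*(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line: str) -> dict:
    """Turn one FortiOS log line into a dict of its fields."""
    body = _BANNER.sub("", line, count=1)
    fields = {}
    stamp = _STAMP.match(body)
    if stamp:
        fields["date"], fields["time"] = stamp.group(1), stamp.group(2)
        body = body[stamp.end():]
    for key, quoted, bare in _KV.findall(body):
        fields[key] = quoted or bare
    return fields


def triage(line: str) -> dict:
    """Reduce a line to what a mail-blocking alert needs: which subsystem
    fired, which indicator (DLP rule name or banned word) matched, the
    sender host, and the verdict (hypothetical key names of this example)."""
    f = parse_fortigate_log(line)
    kind = f.get("type")
    if kind == "dlp":
        indicator = f.get("rulename")
    elif kind == "emailfilter":
        indicator = f.get("banword")
    else:
        indicator = None
    return {
        "kind": kind,
        "indicator": indicator,
        "src": f.get("src"),
        "dst": f.get("dst"),
        "policyid": f.get("policyid"),
        # DLP logs carry the sensor action (ban); antispam logs only a status.
        "verdict": f.get("action") or f.get("status"),
    }


if __name__ == "__main__":
    for line in (DLP_LINE, SPAM_LINE):
        print(triage(line))
```

Note that the DLP log says `action=ban` while the antispam log only reports `status=detected`; when correlating with `get user ban list` (section D) it is the DLP `src` address and `rulename` that identify the entry, which is why `triage()` keeps both.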
Copyright 2024 Fortinet, Inc. All Rights Reserved.