FortiGate
rmetzger
Staff
Article Id 190093

Description

The FortiGate can inspect email based on its language or text encoding, either with a DLP rule that looks for a specific character set (charset) in the MIME header (solution 1), or with banned word filtering (solution 2).

See also the related article "Technical Note : Configuring a FortiGate to block emails from specific countries, using domain suffixes".

Numerous Internet sites list the character sets used for the various languages.


Scope


Solution

Summary

  • Solution 1 : Based on using DLP rules to look for specific charset in the MIME information.

  • Solution 2 : Using banned word filtering.

 

Solution 1 : Based on using DLP rules to look for specific charset in the MIME information.

This solution does not apply if the character set is UTF-8 or Unicode.

If the configured character set is detected anywhere in a mail, the sensor action is triggered even if the other parts of the mail are legitimate, so false positives are possible (for example, a single section in Cyrillic inside a mail written in English).

It is assumed that the SMTP traffic enters on the WAN2 interface and is destined to an SMTP server reachable via the DMZ interface.

The character set in use may be indicated in the MIME header. In the following example, 'gb2312' is used in one part of the mail.

Return-Path: <user2@external.lab>
X-Original-To: user2@external.lab
Delivered-To: user2@external.lab
Received: from [10.112.0.10] (unknown [10.160.0.108])
by mail.external.lab (Postfix) with ESMTPS id 325C36644
for <user2@external.lab>; Fri, 4 Jun 2010 19:57:03 +0200 (CEST)
Message-ID: <4C0CFFE8.5080206@external.lab>
Date: Mon, 07 Jun 2010 16:19:20 +0200
From: user2 <user2@external.lab>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: user2@external.lab
Subject: Fwd: FW: o9byvn =?GB2312?B?udzA7bv5sb65pi0tvMa7rtPr1rTQ0CA2ODc5NA==?=
=?GB2312?B?ODY=?=
Content-Type: multipart/mixed;
boundary="------------010703080306080705040102"
This is a multi-part message in MIME format.
--------------010703080306080705040102
Content-Type: multipart/alternative;
boundary="------------070905030306010401070808"
--------------070905030306010401070808
Content-Type: text/plain; charset=gb2312
Content-Transfer-Encoding: 7bit



As noted above, this does not apply if the charset is "UTF-8" or Unicode, as in the MIME header excerpt below:

------=_NextPart_001_0E88_014824E4.176AA680
Content-Type: text/plain;
charset=" utf-8"
Content-Transfer-Encoding: base64




The example below shows how to block all mails whose MIME headers contain the charset names "gb2312" (Simplified Chinese) or "koi8-r" (Cyrillic). The example is given for FortiOS 4.0 MR2.

A - FortiGate CLI configuration example

config dlp rule
    edit "filter gb2312"
        set protocol email
        set sub-protocol smtp
        set regexp "*gb2312*"
        set regexp-wildcard enable
    next
    edit "filter koi8-r"
        set protocol email
        set sub-protocol smtp
        set regexp "*koi8-r*"
        set regexp-wildcard enable
    next
end


config dlp sensor
    edit "Filter_mail_other_language"
        config rule
            edit "filter gb2312"
                set action ban
                set archive enable
                set expiry 5m
                set severity 5
            next
            edit "filter koi8-r"
                set action ban
                set archive enable
                set severity 5
            next
        end
        set dlp-log enable
        set nac-quar-log enable
    next
end

config firewall policy
    edit 2
        set srcintf "wan2"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set utm-status enable
        set schedule "always"
        set service "ANY"
        set spamfilter-profile "mail"
        set dlp-sensor "Filter_mail_other_language"
        set profile-protocol-options "default"
        set nat enable
    next
end




B - Verification when sending a mail containing gb2312 character set

B1 - FortiGate log

FGT# execute log filter category 9
FGT# execute log display

1 logs found.
1 logs returned.

1: 2010-06-07 17:11:30 log_id=0954024576 type=dlp subtype=dlp pri=warning vd="root" policyid=2 identidx=0 serial=1647 user="N/A" group="N/A" src=10.112.0.10 sport=2711 src_port=2711 src_int="wan2" dst=10.160.0.8 dport=25 dst_port=25 dst_int="dmz" service=smtp status=detected hostname="N/A" url="N/A" from="N/A" to="N/A" msg="data leak detected(Data Leak Prevention Rule matched: ip address banned)" rulename="filter gb2312" compoundname="N/A" action=ban severity=5



B2 - Client MUA warning message (tested with Outlook Express)

An unknown error has occurred. Account: '10.160.0.8', Server: '10.160.0.8', Protocol: SMTP, Server Response: '554 5.7.1 This email has been blocked because a data leak was detected. Please contact your admin to be re-enabled.', Port: 25, Secure(SSL): No, Server Error: 554, Error Number: 0x800CCC6F


C - Verification when sending a mail containing the koi8-r character set

C1 - FortiGate log

FGT# execute log filter category 9
FGT# execute log display

1 logs found.
1 logs returned.

1: 2010-06-07 17:09:56 log_id=0954024576 type=dlp subtype=dlp pri=warning vd="root" policyid=2 identidx=0 serial=1607 user="N/A" group="N/A" src=10.112.0.10 sport=2709 src_port=2709 src_int="wan2" dst=10.160.0.8 dport=25 dst_port=25 dst_int="dmz" service=smtp status=detected hostname="N/A" url="N/A" from="N/A" to="N/A" msg="data leak detected(Data Leak Prevention Rule matched: ip address banned)" rulename="filter koi8-r" compoundname="N/A" action=ban severity=5



C2 - Client MUA warning message (tested with Outlook Express)

An unknown error has occurred. Account: '10.160.0.8', Server: '10.160.0.8', Protocol: SMTP, Server Response: '554 5.7.1 This email has been blocked because a data leak was detected. Please contact your admin to be re-enabled.', Port: 25, Secure(SSL): No, Server Error: 554, Error Number: 0x800CCC6F


D - Verification of the sensor action and of the resulting ban list entry

FGT# get user ban list

id   cause            src-ip-addr    dst-ip-addr   expires                    created                    dlp-proto
1    filter gb2312    10.112.0.10                  Mon Jun 7 17:17:38 2010    Mon Jun 7 17:12:38 2010    SMTP



Solution 2 : Using banned word filtering

This example is given for 4.0 MR2.
 
Banned word filtering can inspect email/spam for words in the following languages:
  • French
  • Japanese
  • Korean
  • Simplified Chinese
  • Spanish
  • Thai
  • Traditional Chinese
  • Western
The following example is intended to block mail containing words in 4 different languages.
 
Step 1: From the GUI, go to UTM --> Email Filter --> Banned words and create the entries with banned words in the desired languages.


Step 2: Apply this list to the appropriate Email Filter Profile.
 
Step 3: Enable this UTM email profile in the appropriate firewall policy.

A - CLI configuration example

config spamfilter bword
    edit 2
        config entries
            edit 1
                set language simch
                set pattern "你 好 欢 迎"
            next
            edit 2
                set language trach
                set pattern "你 好 歡 迎"
            next
            edit 3
                set language japanese
                set pattern "こ ん に ち は"
            next
            edit 4
                set language thai
                set pattern "สวัสดี"
            next
        end
        set name "block_other_language"
    next
end

config spamfilter profile
    edit "block_other_language"
        set spam-log enable
        config smtp
            set options bannedword
        end
        set spam-bword-table 2
    next
end

config firewall policy
    edit 2
        set srcintf "wan2"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set utm-status enable
        set schedule "always"
        set service "ANY"
        set spamfilter-profile "block_other_language"
        set profile-protocol-options "default"
        set nat enable
    next
end


B - Test and verification:

  • Send a mail in the Thai language with the word สวัสดี (hello)
  • The sender MUA will receive the following warning message (tested with Outlook Express)

An unknown error has occurred. Subject 'Re: ??????', Account: '10.160.0.8', Server: '10.160.0.8', Protocol: SMTP, Server Response: '554 5.7.1 This message has been blocked because it contains a banned word.', Port: 25, Secure(SSL): No, Server Error: 554, Error Number: 0x800CCC6F

  • Check the FortiGate log:

FGT# execute log filter category 5
FGT# execute log display

1 logs found.
1 logs returned.

1: 2010-06-04 17:30:27 log_id=0508020481 type=emailfilter subtype=smtp pri=notice policyid=2 identidx=0 serial=110560 user="N/A" group="N/A" vd="root" src=10.112.0.10 sport=1974 src_port=1974 src_int="wan2" dst=10.160.0.8 dport=25 dst_port=25 dst_int="dmz" service=smtp carrier_ep="N/A" profile="block_other_language" profilegroup="N/A" profiletype="Antispam_Profile" status=detected from="user1@external.lab" to="user2@external.lab" tracker="N/A" banword="สวัสดี" msg="The email contains banned word(s)."
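The following Python example is added here and is not part of the article nor FortiGate code: it parses a constructed multipart message with the standard library's email module to show where the charset signal of Solution 1 lives (the Content-Type charset parameter of each part and the charset of RFC 2047 encoded words in headers), applies the same wildcard patterns as the DLP rules, and adds the text-level banned word check of Solution 2. The Thai part is declared as utf-8, so the charset check does not see it and only the banned word check catches it, which is the limitation noted under Solution 1; the message layout, boundary and body text are constructed.

```python
import base64
import email
import fnmatch
from email.header import decode_header

# Constructed sample (not from the article): an English part, a gb2312 part, a Thai
# part declared as utf-8, and a GB2312 encoded-word Subject like the article's excerpt.
THAI_HELLO = "สวัสดี"
SAMPLE = (
    b"Subject: =?GB2312?B?udzA7bv5sb65pi0tvMa7rtPr1rTQ0CA2ODc5NA==?=\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
    b"--b1\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\nHello\r\n"
    b"--b1\r\nContent-Type: text/plain; charset=gb2312\r\n"
    b"Content-Transfer-Encoding: 7bit\r\n\r\nni hao\r\n"
    b"--b1\r\nContent-Type: text/plain; charset=\" utf-8\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(THAI_HELLO.encode("utf-8")) + b"\r\n--b1--\r\n"
)
# Wildcard patterns equivalent to the article's DLP rules (regexp-wildcard enable).
BANNED_CHARSETS = ["*gb2312*", "*koi8-r*"]

def declared_charsets(raw):
    """Every (location, charset) the message declares, header encoded-words included."""
    msg = email.message_from_bytes(raw)  # compat32 policy keeps raw =?GB2312?B?..?= words
    found = []
    for name in ("Subject", "From", "To"):
        for _, cs in decode_header(msg.get(name, "")):
            if cs:
                found.append((f"header {name}", cs.lower()))
    for i, part in enumerate(msg.walk()):
        cs = part.get_param("charset")
        if cs:  # strip the stray space seen in the article's charset=" utf-8"
            found.append((f"part {i}", str(cs).strip().lower()))
    return found

def charset_hits(raw, patterns=BANNED_CHARSETS):
    """Solution 1 analogue: locations whose declared charset matches a banned pattern."""
    return [(where, cs) for where, cs in declared_charsets(raw)
            if any(fnmatch.fnmatchcase(cs, p) for p in patterns)]

def banned_word_hits(raw, words):
    """Solution 2 analogue: decode every text part and look for the banned words."""
    hits = []
    for i, part in enumerate(email.message_from_bytes(raw).walk()):
        if part.get_content_maintype() == "text":
            cs = (part.get_content_charset() or "us-ascii").strip()
            text = part.get_payload(decode=True).decode(cs, errors="replace")
            hits += [(i, w) for w in words if w in text]
    return hits
```

Running `charset_hits(SAMPLE)` reports the Subject and the gb2312 part but not the Thai part, while `banned_word_hits(SAMPLE, [THAI_HELLO])` reports only the Thai part.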

Related Articles

Technical Note : Configuring a FortiGate to block emails from specific countries, using domain suffi...

Technical Note : Using FortiGate DLP to block/filter email/spam based on "sender" (From:) informatio...
