Tag Archives: fortinet smtp block

Creating a custom signature to block the SMTP “vrfy” command

Creating a custom signature to block the SMTP “vrfy” command

The SMTP “vrfy” command can be used to verify the existence of a single email address or to list all of the valid email accounts on an email server. A spammer could potentially use this command to obtain a list of all valid email users and direct spam to their inboxes.

In this example, you will create a custom signature to block the use of the vrfy command. Since the custom signature blocks the vrfy command from coming through the FortiGate unit, the administrator can still use the command on the internal network.

This example describes the use of the custom signature syntax to block the vrfy command. To create the custom signature entry in the FortiGate unit web-based manager, see “Creating a custom IPS signature”.

1. Enter the custom signature basic format

All custom signatures have a header and at least one keyword/value pair. The header is always the same:

F-SBID( )

The keyword/value pairs appear within the parentheses and each pair is followed by a semicolon.

2. Choose a name for the custom signature

Every custom signature requires a name, so it is a good practice to assign a name before you add any other keywords.

Use the –name keyword to assign the custom signature a name. The name value follows the keyword after a space. Enclose the name value in double-quotes:

F-SBID( –name “Block.SMTP.VRFY.CMD”; )

The signature, as it appears here, will not do anything if you try to use it. It has a name, but does not look for any patterns in network traffic. You must specify a pattern that the FortiGate unit will search for.

3. Add a signature pattern

Use the –pattern keyword to specify what the FortiGate unit will search for:

F-SBID( –name “Block.SMTP.VRFY.CMD”; –pattern “vrfy”; )

The signature will now detect the vrfy command appearing in network traffic. The custom signature should only detect the command in SMTP traffic, however. Any other traffic with the pattern should be allowed to pass. For example, an email message discussing the vrfy command should not be stopped.

4. Specify the service.

Use the –service keyword to limit the effect of the custom signature to only the HTTP protocol.

F-SBID( –name “Block.SMTP.VRFY.CMD”; –pattern “vrfy”; –service SMTP; )

The FortiGate unit will limit its search for the pattern to the SMTP protocol.

Even though the SMTP protocol uses only TCP traffic, the FortiGate will search for SMTP protocol communication in TCP, UDP, and ICMP traffic. This is a waste of system resources that you can avoid by limiting the search further, as shown below.

5. Specify the traffic type.

Use the –protocol tcp keyword to limit the effect of the custom signature to only TCP traffic. This will save system resources by not unnecessarily scanning UDP and ICMP traffic.

F-SBID( –name “Block.SMTP.VRFY.CMD”; –pattern “vrfy”; –service SMTP; — protocol tcp; )

The FortiGate unit will limit its search for the pattern to TCP traffic and ignore the pattern in UDP and

ICMP network traffic.

6. Ignore case sensitivity.

By default, patterns are case sensitive. If a user directed his or her browser to Example.com, the custom signature would not recognize the URL as a match.

Use the –no_case keyword to make the pattern matching case insensitive.

F-SBID( –name “Block.SMTP.VRFY.CMD”; –pattern “vrfy”; –service SMTP; –no_case; )

Unlike all of the other keywords in this example, the –no_case keyword has no value. Only the keyword is required.

7. Specify the context.

The SMTP vrfy command will appear in the SMTP header. The –context host keyword/value pair allows you to limit the pattern search to only the header.

F-SBID( –name “Block.SMTP.VRFY.CMD”; –pattern “vrfy”; –service SMTP; –no_case; –context header; )