Lately I have noticed that spam with a dodgy ZIP attachment containing an EXE is passing through.

Any ideas how to tweak ORF?



Justin Owens (ITIL Problem Manager) commented:
ORF cannot scan the contents of a ZIP file. You can tweak it by adding part of the message (DHL Express Service) to look for, or by disallowing all ZIP files.
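Since ORF cannot look inside the archive, a check for executables in ZIP attachments has to run somewhere else, for example in a transport agent or a script over quarantined mail. The following Python is an added example and is not ORF code or anything posted in this thread. It opens the archive itself and flags members by executable extension (including double extensions like invoice.pdf.exe), by the 'MZ' DOS header of a Windows executable hiding behind a harmless name, and by being encrypted or nested so the payload cannot be seen. The sample archives and the 'MZ' stub inside them are constructed in memory so it runs offline; the extension list and nesting depth are assumptions to tune for your own environment.

```python
"""Inspect a ZIP attachment for executable content (added example, not ORF code).

Flags what ORF cannot see inside an archive: executable extensions (including
double extensions such as invoice.pdf.exe), members that carry a Windows
executable's 'MZ' DOS header despite a benign name, encrypted members that
cannot be read, and nested archives used to hide the payload.
"""
import io
import zipfile

# Assumption: extensions Windows will run directly; tune for your estate.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar"}
MAX_DEPTH = 2   # assumption: how many levels of nested ZIP to open (zip-bomb guard)


def inspect_zip(zip_bytes: bytes, depth: int = 0) -> list:
    """Return a list of (member_name, reason) findings; an empty list means clean."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid ZIP")]
    with zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            # Extension check first: a double extension still ends in .exe
            if any(lower.endswith(ext) for ext in EXEC_EXTENSIONS):
                findings.append((name, "executable extension"))
                continue
            # Bit 0 of the general-purpose flags marks an encrypted member;
            # it cannot be read, so it is flagged rather than trusted
            if info.flag_bits & 0x1:
                findings.append((name, "encrypted member, cannot inspect"))
                continue
            # Nested archive: recurse a bounded number of levels
            if lower.endswith(".zip"):
                if depth >= MAX_DEPTH:
                    findings.append((name, "nested archive too deep"))
                    continue
                for inner, reason in inspect_zip(zf.read(info), depth + 1):
                    findings.append((name + "/" + inner, reason))
                continue
            # Content check: a PE/COM executable starts with the 'MZ' header
            with zf.open(info) as member:
                head = member.read(2)
            if head == b"MZ":
                findings.append((name, "PE header despite benign extension"))
    return findings


def build_sample(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples. FAKE_PE is only a DOS-header stub, not a real program.
FAKE_PE = b"MZ" + b"\x00" * 62
DODGY_ZIP = build_sample({"DHL_Express_Notice.pdf.exe": FAKE_PE})
DISGUISED_ZIP = build_sample({"invoice.pdf": FAKE_PE})
NESTED_ZIP = build_sample({"inner.zip": DODGY_ZIP})
CLEAN_ZIP = build_sample({"readme.txt": b"nothing to see here"})

if __name__ == "__main__":
    for label, data in [("dodgy", DODGY_ZIP), ("disguised", DISGUISED_ZIP),
                        ("nested", NESTED_ZIP), ("clean", CLEAN_ZIP)]:
        print(label, inspect_zip(data) or "clean")
```

The extension check runs before the encryption check on purpose: a password-protected archive whose member is still named something.exe is caught by name even though its content cannot be read, and anything encrypted that survives the name check is flagged rather than passed.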
aucklandnz (Author) commented:

Any ideas why it passes all checks?

It's almost impossible to tell without knowing your configuration. There are a few things you can do to tweak ORF filters. Obviously this will all vary depending on whether or not you have any secondary MXs, relays, etc.

As per ORF Support here are a few things to try:

1) Assign all tests possible to Before Arrival (Configuration / Tests / Tests)

You only want to assign everything to Before Arrival if Exchange is on a perimeter server with no secondary MXs. Enable Greylisting if you don't already and set it to Before Arrival.

2) Enable the following DNS Blacklists in the following order (Configuration / Tests / DNS Blacklists; you can re-order them using the Move up | Move down buttons):

• CBL Composite Blocking List
• Spamhaus ZEN
• Spamcop
• SORBS Combined with the and actions disabled (Select SORBS / Modify / SMTP Actions tab / Uncheck / Click OK)
• Not Just Another Bogus List (NJABL Combined List)

These proved to be the most accurate and most reliable DNSBLs (see http://www.vamsoft.com/press-release-2010-01-13.asp and http://blog.vamsoft.com/2010/05/20/configuration-used-for-the-vbspam-test/)

3) Update your URL Blacklist definitions and enable the recommended URL Blacklists (Configuration / Filtering - On Arrival / URL Blacklists):

Spamhaus has released a new URL blacklist called Spamhaus DBL since ORF v4.4 was released, so it was not included in the definition set shipped with the latest version. We released a new definition file, so the new list can be imported easily; it is worth the effort, Spamhaus DBL is pretty effective.

1. Download the new definition file called surbls-100302.xml from http://www.vamsoft.com/dl.aspx?surbls-100302.xml
2. Start the ORF Administration Tool.
3. Expand Configuration / Filtering - On Arrival / URL Blacklists on the left navigation pane.
4. Right-click anywhere in the list and select Import Definitions.
5. Select the surbls-100302.xml file that you downloaded.
6. Make sure the Delete current definitions not listed here (full overwrite) checkbox is checked and click OK.
7. Enable the blacklists you want to use in the DNSBL list (we recommend using

• Spamhaus DBL
• SURBL: Combined
• uribl.com

in this order). Also, please note that Spamhaus DBL does not accept IP lookups, so you should disable them (see http://www.vamsoft.com/spamhaus-dbl.asp for instructions, "3) Disable IP lookups").

4) Publish SPF record(s) for your domain(s) and enable the SPF test of ORF (Configuration / Tests / Tests)

To prevent spammers from spoofing your domain name (and block incoming spam which spoofs your own domain), you should publish an SPF record and enable the SPF test of ORF: Sender Policy Framework is an email authentication protocol, which allows you to control who can send emails in the name of your domain. Basically, you have to publish your policy (like "v=spf1 mx -all", which means only the servers your MX records point to are allowed to send emails in the name of your domain) as a TXT record. For more information, please visit http://www.openspf.org/ and read our article at http://www.vamsoft.com/howto-blacklist-self-spam.asp

5) Import our updated Regular Expressions (Configuration / Filtering - On Arrival / Keyword Blacklist)

I attached some regexes we constructed for common spam phrases; I suggest importing them into the Keyword filtering list (from the main menu of the Administration Tool (Configuration | Import | Keyword blacklist...) or in Configuration / Filtering - On Arrival / Keyword blacklist ---> right-click in the expressions box, select "Import list..." and import orf_keywords.xml).


Finally, save your settings to apply the configuration changes by pressing Ctrl + S.

If you don't know about Greylisting, be sure to read about it here: http://www.greylisting.org/whitelisting.shtml and http://projects.puremagic.com/web-svn/wsvn/greylisting/trunk/schema/whitelist_ip.txt
The reason I mention this specifically is that if you rely on timely emails then you probably shouldn't use this. Some e-mails can be held up for up to an hour, possibly more if a client has a poorly configured mail server.

Hopefully this will improve your catch rate.
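Step 4 above recommends publishing "v=spf1 mx -all" and enabling ORF's SPF test. To make concrete what that test decides, here is a minimal SPF evaluator in Python, an added example that is not ORF's implementation or anything from this thread. It resolves the sender domain's policy against a constructed DNS table (the zone data below is made up, using documentation addresses), so it runs offline, and it goes slightly beyond the single record quoted above by handling the ip4/ip6, a, mx, include and all mechanisms with the four qualifiers. Mechanisms it does not implement (ptr, exists, CIDR suffixes on a/mx, the redirect modifier) are reported as a permanent error rather than guessed at.

```python
"""Minimal SPF evaluator (added example, not ORF code).

Evaluates the connecting IP against the sender domain's published policy,
which is what an SPF test on the gateway does. DNS is replaced by a
constructed table so the script runs offline.
"""
import ipaddress

# Constructed zone data (assumption, documentation addresses only):
# example.com publishes "v=spf1 mx -all", so only its MX host may send for it.
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 mx -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["203.0.113.10"],
    ("partner.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    ("bulk.example", "TXT"): ["v=spf1 include:partner.example -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def dns(name: str, rtype: str) -> list:
    """Stand-in for a real resolver: look the record up in the constructed table."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def check_spf(client_ip: str, domain: str, depth: int = 0) -> str:
    """Return pass / fail / softfail / neutral / none / permerror for client_ip sending as domain."""
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    records = [r for r in dns(domain, "TXT") if r.startswith("v=spf1 ")]
    if not records:
        return "none"                   # no policy published, ORF's SPF test has nothing to judge
    if len(records) > 1:
        return "permerror"              # more than one SPF record is invalid
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qual = "+"                      # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # version mismatch (IPv4 client vs ip6 network) simply does not match
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in dns(arg or domain, "A")
        elif mech == "mx":
            hosts = dns(arg or domain, "MX")
            matched = any(str(ip) in dns(h, "A") for h in hosts)
        elif mech == "include":
            matched = check_spf(client_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"          # ptr, exists, redirect= etc. not implemented here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # ran off the end of the record without a match


if __name__ == "__main__":
    # Spoofed sender: a random host claiming to be example.com is rejected by "-all".
    print(check_spf("192.0.2.55", "example.com"))    # fail
    print(check_spf("203.0.113.10", "example.com"))  # pass, it is the MX host
```

The interesting line for the question in this thread is the "fail" result: with "v=spf1 mx -all" published and the SPF test enabled, a message forging your own domain from an outside host gets a hard fail, which is the self-spam case the linked Vamsoft article describes.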


aucklandnz (Author) commented:
Thanks for your help.
I would only like to add, that there is no need to use CBL Composite Blocking List if you are using Spamhaus ZEN, because CBL is already included in ZEN.

Look at "DNSBL Setup Recommendations" at http://cbl.abuseat.org/faq.html.
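The point about CBL being redundant next to ZEN is visible in the return codes: a ZEN answer of 127.0.0.4 through 127.0.0.7 comes from XBL, the component of ZEN that carries the CBL data, so a host listed at cbl.abuseat.org already produces a ZEN hit. The following Python, an added example rather than ORF code, builds the reversed-octet query name ORF sends to each list, walks the lists in the configured order and decodes the ZEN answer. The DNS answers are a constructed table standing in for live lookups (documentation addresses only), and the rule that only answers in 127.0.0.0/24 count as listings, while Spamhaus-style 127.255.255.x error responses are skipped, is an assumption made here.

```python
"""DNSBL query order and Spamhaus ZEN return codes (added example, not ORF code).

Shows why a separate CBL lookup adds nothing once ZEN is queried: ZEN answers
127.0.0.4-7 are XBL data, and XBL incorporates the CBL.
"""
import ipaddress

# Spamhaus ZEN return codes as published by Spamhaus.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL (CBL data)",
    "127.0.0.5": "XBL (CBL data)",
    "127.0.0.6": "XBL (CBL data)",
    "127.0.0.7": "XBL (CBL data)",
    "127.0.0.10": "PBL",
    "127.0.0.11": "PBL",
}

# Assumption: only answers in this range are listings; anything else in 127/8
# (e.g. Spamhaus 127.255.255.x) signals a query problem, not a listed host.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/24")

# Constructed answers standing in for live DNS. 192.0.2.99 is "listed by CBL",
# so both cbl.abuseat.org and ZEN (through XBL) answer for it.
FAKE_DNS = {
    "99.2.0.192.cbl.abuseat.org": ["127.0.0.2"],
    "99.2.0.192.zen.spamhaus.org": ["127.0.0.4"],
    "7.100.51.198.bl.spamcop.net": ["127.0.0.2"],
    "5.113.0.203.zen.spamhaus.org": ["127.255.255.254"],   # error-style answer, not a listing
}


def fake_lookup(qname: str) -> list:
    """Stand-in for an A-record query against the DNSBL zone."""
    return FAKE_DNS.get(qname, [])


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 192.0.2.99 -> 99.2.0.192.zen.spamhaus.org."""
    ip = ipaddress.IPv4Address(client_ip)           # rejects anything that is not a valid IPv4 address
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def check_dnsbls(client_ip: str, zones: list, lookup=fake_lookup):
    """Query each zone in order; return (zone, answer, meaning) for the first listing, else None."""
    for zone in zones:
        for answer in lookup(dnsbl_query_name(client_ip, zone)):
            if ipaddress.ip_address(answer) not in LISTED_RANGE:
                continue                            # error response, try the next answer or list
            if zone == "zen.spamhaus.org":
                return zone, answer, ZEN_CODES.get(answer, "unknown ZEN code")
            return zone, answer, "listed"
    return None


# ZEN first, then Spamcop; CBL is deliberately not in the list because ZEN covers it.
RECOMMENDED_ORDER = ["zen.spamhaus.org", "bl.spamcop.net"]

if __name__ == "__main__":
    for ip in ("192.0.2.99", "198.51.100.7", "203.0.113.5"):
        print(ip, check_dnsbls(ip, RECOMMENDED_ORDER))
    # Adding CBL after ZEN never changes the outcome for a CBL-listed host:
    print(check_dnsbls("192.0.2.99", RECOMMENDED_ORDER + ["cbl.abuseat.org"]))
```

Ordering matters because the first hit ends the walk, so the list with the best accuracy and the broadest coverage (ZEN) goes first; a second query to CBL for the same address can only repeat what the XBL answer already said.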