Lately i have noticed that a spam with dodgy ZIP attachment containing exe is paasing thru.

any ideas how to tweak ORF


Who is Participating?
drilusConnect With a Mentor Commented:
It's about impossible to tell without knowing your configuration. There are a few things you can do to tweak ORF filters. Obviously this will all vary depending on whether or not you have any secondary MX's, relays, etc.

As per ORF Support here are a few things to try:

1) Assign all tests possible to Before Arrival (Configuration / Tests / Tests)

You only want to assign everything to Before Arrival if Exchange is on a perimeter server with no secondary MX's. Enable Greylisting if you don't already and set it to before arrival.

2) Enable the following DNS Blacklist in the following order (Configuration / Tests / DNS Blacklists, you can re-order them using the Move up | Move down buttons):

• CBL Composite Blocking List
• Spamhaus ZEN
• Spamcop
•  SORBS Combined with the and actions disabled (Select SORBS / Modify / SMTP Actions tab / Uncheck / Click OK)
• Not Just Another Bogus List (NJABL Combined List)

These proved to be the most accurate and most reliable DNSBLs (see http://www.vamsoft.com/press-release-2010-01-13.asp and http://blog.vamsoft.com/2010/05/20/configuration-used-for-the-vbspam-test/)

3) Update your URL Blacklist definitions and enable the recommended URL Blacklists (Configuration / Filtering - On Arrival / URL Blacklists):

Spamhaus has released a new URL blacklist called Spamhaus DBL since ORF v4.4 was released, so it was not included in the definition set shipped with the latest version. We released a new definition file, so the new list can be imported easily: it worth the effort, Spamhaus DBL is pretty effective.

1. Download the new definition file called surbls-100302.xml from http://www.vamsoft.com/dl.aspx?surbls-100302.xml
2. Start the ORF Administration Tool.
3. Expand Configuration / Filtering - On Arrival / URL Blacklists on the left navigation pane.
4. Right-click anywhere in the list and select Import Definitions.
5. Select the surbls-100302.xml file that you downloaded.
6. Make sure the Delete current definitions not listed here (full overwrite) checkbox is checked and click OK.
7. Enable the blacklists you want to use in the DNSBL list (we recommend using

• Spamhaus DBL
• SURBL: Combined
• uribl.com

in this order. Also, please note that Spamhaus DBL does not accept IP lookups, so you should disable them (see http://www.vamsoft.com/spamhaus-dbl.asp for instructions ("3) Disable IP lookups").

4) Publish SPF record(s) for your domain(s) and enable the SPF test of ORF (Configuration / Tests / Tests)

To prevent spammers from spoofing your domain name (and block incoming spam which spoofs your own domain), you should publish an SPF record and enable the SPF test of ORF: Sender Policy Framework is an email authentication protocol, which allows you to control who can send emails in the name of your domain. Basically, you have to publish your policy (like "v=spf1 mx -all", which means only the servers your MX records point to are allowed to send emails in the name of your domain) as a TXT record. For more information, please visit http://www.openspf.org/ and read our article at http://www.vamsoft.com/howto-blacklist-self-spam.asp

5) Import our updated Regular Expressions (Configuration / Filtering - On Arrival / Keyword Blacklist)

I attached some regexes we constructed for common spam phrases, I suggest to import them to the Keyword filtering list (from the main menu of the Administration Tool (Configuration | Import | Keyword blacklist...) or in Configuration / Filtering - On Arrival / Keyword blacklist ---> Right click in the expressions box and select "Import list..." and import orf_keywords.xml)


Finally, save your settings to apply the configuration changes by pressing Ctrl + S.

If you don't know about Greylisting be sure to read about it here http://www.greylisting.org/whitelisting.shtml and http://projects.puremagic.com/web-svn/wsvn/greylisting/trunk/schema/whitelist_ip.txt
The reason I mention this specifically is that if you rely on timely emails then you probably shouldn't use this. Some e-mails can be help up to an hour. Possibly more if a client has a poorly configured mail server.

Hopefully this will improve your catch rate.

Justin OwensITIL Problem ManagerCommented:
ORF cannot scan the contents of a ZIP file.  You can tweak it by adding part of the message (DHL Express Service) to look for or by disallowing all ZIP files.
aucklandnzAuthor Commented:

any ideas why it passes all checks ?

aucklandnzAuthor Commented:
Thanks for your help.
I would only like to add, that there is no need to use CBL Composite Blocking List if you are using Spamhaus ZEN, because CBL is already included in ZEN.

Look at "DNSBL Setup Recommendations" at http://cbl.abuseat.org/faq.html.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.