Features

Gateway-less integration

ORF integrates with Microsoft® Exchange and the IIS SMTP Service directly—there is no need to reconfigure the email flow and firewalls, just install ORF and it works right away.

Transport filtering

The SMTP transport-level filtering of ORF enables stopping threats right on their tracks and can save you server resources. The ability to bounce emails during transmission also allows proper, standards-compliant NDR handling and prevents backscatter issues, but there is more that you can do with emails.

Perimeter support

Spam, phishing and other email security threats are best kept outside your network. Not only ORF works on the network perimeter with Exchange Edge Transport and Client Access Server servers, it does its best job there, while it still allows deployment on internal gateways and Exchange Hub Transport (Mailbox) servers.

Scalability

The scalable design of ORF means it can do the job for a 1,000 emails a day or 1,000,000 emails a day. For load balanced scenarios, multi-site organizations and clusters, ORF is even capable of sharing its data and configuration between servers out of the box, without expensive datacenter licenses. No matter how fast you expand, ORF can keep up with you.

Layered protection

Each email in ORF goes through up to 23 individual tests to determine its status. These tests are a configurable blend of email security technologies working together to achieve the award-winning filtering performance of ORF. 16 "blacklist" tests are dedicated to detect and stop spam and other threats. The rest 7 tests are "whitelist" tests, which check if the email should be specifically trusted by ORF. This multiple layers of protection combines the power of each technology and fixes their individual weaknesses.

Multiple in-transport filtering points

Unlike other Exchange email filters, ORF employs multi-stage transport filtering, which allows bouncing unwanted emails before they would be fully transmitted to your server. The first stage (called the "Before Arrival" filtering point) of filtering is performed when the sending party specifies the email recipients. Only emails passing the tests at Before Arrival reach the second "On Arrival" stage when the email is fully transmitted and more comprehensive analysis is performed.

This early intervention approach has many benefits, like reduced resource consumption, proper NDR handling and the prevention of backscatter . It also enables certain features, such as transport-level recipient validation or the ability to detect and defer Directory Harvest Attacks (DHAs).

Self-learning whitelisting

The Auto Sender Whitelist feature of ORF learns from your outbound email traffic and can automatically accept emails from your trusted email partners. This feature guarantees effortless business continuity and allow you to set stricter anti-spam measures, knowing that email communication with your clientele is safe. Whitelist customization is supported on per user and per local domain basis.

DNSBL and SURBL support

DNS Blacklists (DNSBLs) and SURBLs (URL Domain Blacklists) are the workhorses of email filtering which take care of the vast majority of spam and phishing. DNSBLs are third-party databases of known "bad" email source IP addresses, such as botnet IPs, spamming operations and hacked email servers. DNSBLs are often updated many times a day and provide live coverage against spam outbreaks. SURBLs are very similar to DNSBLs, except that they list domain names involved in spam and phishing – instead of the source, they are concerned with the payload, such as links to "spamvertized" online pharmacy sites or replica shops. The URL payload harvesting engine of ORF can deal with most obfuscation attempts and can harvest IDNs.

Besides supporting both technologies, ORF ships with a predefined, extensible list of definitions for the major DNSBLs and SURBLs.

Advanced email authentication mechanisms

ORF uses the most advanced RFC-approved email authentication technologies available. By verifying cryptographic signatures and evaluating the emails source against the SPF/DKIM/DMARC policy of the sender, ORF can immediately spot if the email is forged. The number of adopters of these policies grows every day and today it includes Google, Microsoft and many Fortune 500 companies and all major social media sites.

External Agents

The External Agents feature allows attaching third-party software to ORF for email filtering. A typical attached software is the open source ClamAV anti-virus—which means you can get additional virus protection free of charge! External Agents are not necessarily software written for ORF, in fact, they are regular command-line programs, so you can attach any software with a command-line interface or even write your own to extend the range of filtering tools.

DHA protection

Directory Harvest Attacks (DHAs) are brute force attacks used by spammers to discover valid email addresses in your domain by email delivery probes. This ORF feature can detect and fend off the less distributed kind of attacks.

Sender, IP and recipient lists

ORF supports whitelisting specific trusted email senders, IP addresses and local recipient mailboxes, which excludes them from spam filtering. Email addresses can be specified by wildcard masks or even regular expressions. IP address range expressions support wildcard, CIDR (e.g. /24) and range notations.

The blacklist counterpart of the above lists can be used to stop specific threats or patterns.

In-transport recipient validation

This feature validates the email recipients during the SMTP transmission and accepts emails only for valid users. Spam is often sent with fake sender email address to recipients that are no longer or never been valid, which results in a large number of NDRs filling up the mail queue, or worse, backscattering . This feature is primarily useful for older Exchange servers and IIS SMTP gateways, because Exchange 2007 and later has this feature built-in. Address data for the validation can be retrieved from the Active Directory, SQL databases or simple text address lists.

Sender Score™ DNS whitelist support

Return Path, Inc's Sender Score™ email reputation service is available via ORF. Like a credit score, Sender Score is an indication of the trustworthiness of the email source. The comprehensive reputation data from this service can help reducing the chance for ORF to accidentally classify a legitimate email as spam.

Additional email filtering features

ORF offers several more filtering features, such as: Attachment Filtering (by file name and/or MIME type ) with quarantining and configurable email rejection or neutralization by attachment replacement; Greylisting (an aggressive, but very efficient anti-spam technique); Reverse DNS-based sender validation; Keyword Blacklist with various search scopes and regular expression support; HELO Blacklist with standard conformance check; email Character Set Blacklist; Honeypot/Spamtrap support.

Email actions

The versatile action settings of ORF grant you full control over emails caught by the filter: you can decide to bounce (reject) or keep the email and perform further actions on it, such as tagging the email header or subject, or to redirect them to a catch-all mailbox. The tagging feature can be used to move emails to the users' Junk Email folder (this feature requires Exchange 2003 or later), which allows the end-users to review the emails for false positives and recover them without administrator assistance.

Remote management

All administrative tools of ORF are capable of managing remote ORF installations over a HTTP-friendly communications platform with secure authentication and HTTP proxy support.

Real-time status monitoring

ORF offers a quick overview of the system status by providing real-time information about its state, including the system health, high-resolution 24-hour performance data and performance data and detailed statistics with resettable, stopwatch-like counters to aid evaluating state changes.

The best logs in the industry

With a log system designed to actually help the administrator, ORF makes logs a primary mean of software monitoring and stands out high from the usual crowd. To make sure you can always tell what happened to an email and why, the logs contain detailed information about every important event in the system, written in simple human language instead of cryptic codes. ORF also ships with a full-blown log management tool with sophisticated built-in event filtering, integrated knowledge base lookups, Unicode® support, data export and support for sending addresses to various ORF lists. In addition to our proprietary log format, ORF supports Windows Event log and syslog logging and can send email notifications about any event, as determined by the administrator.

Detailed reporting

ORF features a dedicated component called the Reporting Tool for generating highly detailed reports about the system performance, including test, subtest and even expression-level break down of data. Besides giving you an overall picture of the system, reports are useful to evaluate the effects of configuration changes and to monitor performance over the time.

Data sharing between servers

Sharing data between certain ORF tests (such as the Auto Sender Whitelist or the Greylisting test) is essential when you employ multiple front-ends or similar setups. ORF achieves sharing by using external SQL databases (such as Microsoft® SQL Server), which also offer scalable and robust storage.

Configuration sharing between servers

The configuration synchronization feature works in a publisher-subscriber model and enables appointing a central configuration repository server from which subscribers retrieve their settings. In this model, publisher configuration changes get automatically delegated to the subscribers, so there is only one configuration to edit. ORF also offers a wide range of local customizations to the configuration received, which helps coping with the differences between publisher and subscriber—file system paths and DNS settings are prime examples of what has to be overridden on individual systems. Due to this flexibility, the synchronization feature can be employed in various scenarios like load-balanced setups; failover clusters; within multi-site organizations or even by Managed Service Providers to distribute settings to client deployment sites.

Outstanding documentation and support

From deployment to best practices, complete documentation for the whole lifetime of the product is available ORF ships with a context-sensitive help system (also available online) and sensible UI dialogs, while our website offers a continuously expanding Knowledge Base, FAQ and various guides for common tasks like deployment, installation or migration.

Our technical support is also available free of charge, even during planning and evaluation, without any additional support agreement or per-incident fees.

Online services

From deployment to best practices, complete documentation for the whole lifetime of the product is available ORF ships with a context-sensitive help system (also available online) and sensible UI dialogs, while our website offers a continuously expanding Knowledge Base, FAQ and various guides for common tasks like deployment, installation or migration.