Huge drop in catch rate RSS Back to forum
Spam rates worldwide dropped like that around the end of last year and there are many theories why but that seems to be why our ratio's from last year to this year reflect a huge difference like yours.
@Kent Jones:
Did the number of spam slipping though increased noticeably?
If the number of spam increased, then probably something is wrong with either the ORF DNS settings, or the DNS server settings.
* Please make sure the new DNS server IP is listed in the ORF DNS settings (Configuration / Global / DNS and Lookups page).
* Check if the DNS server meets the requirements of ORF. You can check this in the ORF Administration Tool, on the DNS and Lookups page, using the Test button.
* Make sure that your DNS server performs lookups with the root DNS server, instead of forwarding to your ISP DNS servers, or a third-party DNS network like OpenDNS. Many DNSBLs and SURBLs have a fair usage limitation and if they see too much traffic from certain servers, the administrators may firewall out the offenders. ISP DNS servers aggregate traffic from their network (because often they are configured as forwarders) and this can trigger such blocking of DNSBL/SURBL services.
* Please check the ORF logs for errors.
If the number of spam did not increase, probably there was another change and it is a mere coincidence. This could be a drop in the global spam traffic, a new firewall that pre-filters spam for ORF, etc.
@Peter Karsai (ORF Team): If none of the above helps, please check this post: http://www.vamsoft.com/forum/topic/show/Spamhaus-Win-2008-DNS-server/4#comment423 for further tips.
@Peter Karsai (ORF Team):
Yes, the number of spam slipping through did increase noticeably. The DNS tests pass and it reports everything ok. There are no errors in the logs.
Our DNS does perform lookups with the root servers. We only have our ISP DNS and OpenDNS in forwarders as a backup.
I'm not sure what else to change/check.
@Kent Jones:
Please send us your system description (OS, Exchange version, are there any relaying hosts, secondary MXs, etc.), your configuration file called orfent.ini, and your .log files from the past 1-2 days to . The latter files are located in the ORF directory by default (Program Files \ ORF Enterprise Edition or Program Files (x86) \ ORF Enterprise Edition by default), please send raw .log files, Log Viewer CSV exports are not suitable.
If you agree, we will review your configuration and make some suggestions to increase the filtering rate if possible. Thanks!
That would be wonderful. Thanks for all your help!
I've sent the log files and system information.
@Kent Jones: Thanks, I sent you our recommendations in email. Please let us know if applying these changes improved the catch rate.
@Krisztian Fekete:
Thanks, that did help quite a bit. I'm currently at a 87% catch rate over 4 days.
I appreciate all the help you've given me.
We've been doing pretty well on catching most of the spam for our organization. We have a 91% spam ratio. Recently our DNS server died and I had to set up a new one. When I got everything back up and running our spam ratio is now at 51%. I have looked at everything and it seems that nothing has changed. I don't know how we went from 91% to 51%.
Any suggestions?