How to include intranet servers to spam tests - ORF Forums

@A7exius: ORF treats the localhost address (127.0.0.1) class A, B and C intranet address ranges as Intermediate Hosts by default (even though these hosts are not indicated on the Intermediate Host List itself: Class A intranet: 10.0.0.0 - 10.255.255.255, Class B intranet: 172.16.0.0 - 172.31.255.255 and Class C intranet: 192.168.0.0 - 192.168.255.255), therefore emails originating directly from these addresses are always whitelisted. This behavior aims to exclude internal and outgoing emails from filtering to avoid false positives, and cannot be overridden by any manual rule. For more information about the Intermediate Host List, see the related help topic at http://vamsoft.com/r?o-hto-adm-intermediatehostlist

For testing I recommend sending emails from an external host, or creating a loopback network interface with an APIPA IP address, and sending emails through that (e.g., by telnetting to port 25). For instructions, please see my related blog posts at

http://blog.vamsoft.com/2009/08/14/tales-from-tech-support-part-4-testing-our-external-agent/
http://blog.vamsoft.com/2009/08/18/tales-from-tech-support-part-5-testing-before-arrival/

@A7exius: That is unlikely to happen, sorry. ORF is designed to filter incoming emails only, and even if we add some functionality in the future to filter internal/outgoing emails (http://vamsoft.com/support/feature-requests/run-specific-tests-on-outgoing-emails), the related settings will be separated entirely (i.e., it is unlikely that you would want to apply the same rules to incoming, outgoing and internal emails).

For incoming emails, hosts with internal IPs may act only as relaying hosts in between the original sender and your Exchange server with ORF installed, hence they are treated as Intermediate Hosts.

@marvinfs: Hello MarvinFS,

I believe you are commenting on an issue that is different from what Krisztian was addressing in his posts. His posts are about how ORF handles emails that 'originate' from intranet servers (i.e. internal messages) - as brought up by A7exius.

If you check the ORF logs of your primary MX, I am quite sure that you will find a different whitelist message as well recorded for the emails coming via your secondary MX: "Whitelisted authenticated session, type: organization.", instead of "email whitelisted (email from a trusted intermediate host or intranet)".

ORF logs “Whitelisted authenticated session, type: organization” if Exchange detects that the email is coming from a trusted Exchange receive connector, from someone inside the organization (not necessarily the local server, but someone belonging to the wider organization). In your case, the problem seems to be that your primary MX's Receive connector, that accepts emails from the secondary MX, has authentication enabled. Thus, all emails that are received from the secondary MX are considered trusted and excluded from filtering. This can be confirmed by checking the Exchange connector logs if needed. The fix in this setup is to configure the primary MX's Receive connector not to trust the emails coming from the secondary MX -- similarly to internet emails.

Please let me know if this has helped.