Lots of spam not being checked RSS Back to forum
@CrazyCanuck75:
As ORF is running at the perimeter server (Edge), I guess tests are performed at the Before Arrival filtering point. It is possible that ORF excludes these incoming emails from filtering because they arrive in an authenticated session and/or from an intranet IP address. By default, such exclusions are not logged at Before Arrival.
What happens if you enable all logging options in ORF (Administration Tool: System / Log, ORF Text Log - Configure button, check everything under "Available events", click OK, save your settings by pressing Ctrl+S)? Do these unfiltered incoming emails appear in the ORF Log Viewer as "whitelisted"?
@Krisztián Fekete (Vamsoft): No, they aren't showing in the list even after doing that. I just checked with a user who says he got 33 unsolicited emails before noon today. I checked the ORF log and none of them appear at all.
@CrazyCanuck75: Could you tell us more about the setup please? Are all incoming emails relayed through the Edge Server via SMTP, or are some of these POP-retrieved emails, i.e, is there anything special about these emails which do not show up in the ORF logs (but appear in the transport logs on the Edge server)?
I don't believe anyone uses POP. All users are either on the LAN with the server, on the WAN or connected using Exchange over VPN. The only thing I noticed about the emails in question, they were sent either just to the user, or to a group that the user was part of. I did not see any of the emails he sent me that had more than 1 recipient.
When I look at the logs on the Hub Transport/Mailbox server I see all the message to the user. When I look at the logs on the Edge server none of those show up. It looks like they are skipping the Edge server somehow. I just checked the mail flow troubleshooter and it didn't appear to find any issues. I must admit I'm over my head with the Exchange and Edge servers. I've never set up an Edge server before. This was all here when I started doing their work. 0 documentation on anything IT related to be found.
The rest of my clients are all using SBS 2008 or SBS 2011.
Thanks for your help,
CC
@CrazyCanuck75: One more thing I just noticed is that the Edge server only has 1 NIC enabled. My guess is it was never setup right from the get go? Would that make sense why this isn't catching everything?
@CrazyCanuck75:
I think what you need is this guide:
http://technet.microsoft.com/en-us/library/bb738158(v=exchg.141).aspx
I just inherited a new client that has an Edge and Exchange 2007 server. I installed ORF on the Edge server and followed the BP article. ORF is catching some spam but when I look in the logs it doesn't appear to be checking a vast majority of email. One user told me he received 60 spam yesterday, none of which appeared in the logs, in fact no messages to the user appeared in the log. I opened up EMC and checked and sure enough there were probably close to 100 emails to the user yesterday, none of which showed up in the ORF log. Please help. I'm in the trial period with ORF and need to know if it's going to work well enough for my client before they commit.
Thanks,
CC