Secondary Spam Tool/Program or Additional Help with ORF Config RSS Back to forum
@Josh:
Please send us the following files in a single ZIP to :
• Your current configuration file called orfent.ini (located in Program Files (x86)\ORF Fusion by default)
• Your recent log files from the past few days (e.g., orfee-2013-07-09.log, orfee-2013-07-08.log, located in Program Files (x86)\ORF Fusion by default). Please send raw .log files, Log Viewer CSV exports are not suitable.
• A few spam samples which made it through filtering, which consist of the original emails in EML or MSG format (EML preferred) and the original MIME header in a separate TXT file. (Forwarded emails are not suitable). The MIME header can be retrieved by opening the email in Outlook and selecting View | Options... (or Message options) from the menu. If you use another email client and do not know how to retrieve the email headers, please visit http://www.spamcop.net/fom-serve/cache/19.html for instructions.
We also need the following information:
• A brief description of your system setup (OS and Exchange versions, perimeter and back-end servers, are there any secondary MXs, firewalls, proxies involved in email relaying, are there any other software affecting emails, e.g., email filtering feature of resident anti-virus software, built-in filtering features of Exchange, etc.)
• The list of recipient email addresses of users who receive the most spam.
@Krisztián Fekete (Vamsoft):
Krisztian,
Thank you for taking time to look at this for me. I will work on collecting all the information you requested and get it sent off to you. It may be a day or two until I have time to collect everything, but will post here once I've sent it.
Thanks
Josh
Krisztian,
I've collected all the information and emailed them to the email address you listed above. Please let me know if you don't receive it or would like any additional information.
Thanks a lot!
Josh
One thing I just found out is that almost all of these "repeat" type spammers are utilizing the same Apache server software. For example, all of these spammer domains go to the same type of test page. Here are three examples.
http://treeresult.net/
http://whamicro.net/
http://orbtad.com/
What I am curious about is whether this particular type of Apache mail server has some form of unique id or whether the program they are using the send spam has a finger print of some sorts in the SMTP commands. I've turned on all the logging I can through Exchange, but I don't believe it will allow me to log and see all the SMTP commands. Is there another way to do this so I can see the actual server smtp commands coming into my mail server?
Thanks
Josh
@Josh: Can you please send a few (4-5+) emails to us for analysis, along with a few recent ORF log files? We may be able to come up with something against these if they share other common traits.
Peter,
I've sent several emails & logs to Krisztián. I'd be happy to send additional emails & logs if you'd like.
Thanks
Josh
@Josh: Thank you. I have found the email you sent to our Customer Service, but I'm not sure if the email samples in that email are the ones you talked about in the above spam campaign -- they looked quite different and the links I've tried bought me to other pages.
Peter,
I just sent you some updated emails with headers & log files to the customer service email address. I included a recent log from Exchange. It shows more info than I previously had been logging, but still does not show the SMTP commands during the server communications.
Let me know if you have any additional thoughts or would like any additional information.
Thanks
Josh
I have ORF configured per the recommendations that were published with the exception of gray listing, which I did try, but it really did nothing to help my particular spam situation. Every day I get a handful of new spam from a new group of similar subnet IP's for that day. The spam is usually mortgage, health, and other spam that has the main body, which may or may not be html, then has a bit of a space below that and then a big block of random text nonsense. My email address is sometimes listed in the email body, but I have been reluctant to create a rule to ban my email address in the message body. I have created a rule for my email address in the subject, which has helped.
Even though it's not a recommended practice I have been banning IP subnets to help control the flow of spam. I know this is not a best practice and does take a bit of time on my part, but with what I know how to do in ORF, I can't seem to come up with a solution that works consistently. So what I'm looking for is some additional suggestions on how to configure ORF to more consistently catch this type of spam without resorting to banning every IP across the internet OR a recommendation on a secondary spam heuristic type program that will work with ORF to catch the type of spam I am seeing.
Interestingly, I've found that most of the IP's are based overseas, however this particular type of spam I receive is typically based during the work day hours in the US and found that during the recent 4th of July holiday that I didn't receive this type of spam. So I'm deducing that the actual spammer(s) are located in the US. Not sure if that helps or makes a difference, but I found that interesting.
Thanks for any help or suggestions you might have.
Josh