weird scenario with filtering forwarded mail. - ORF Forums

weird scenario with filtering forwarded mail. RSS Back to forum


Hi, just checking.

we belong to a global organisation which means we have a global brand identity external to our own local brand/domain.

this means.. eg: we have. . and I do forwarding (via their web options) to

the problem is. doesn't really filter spam. so spam is forwarded over. via

the problem is. because the forwarded mail actually adds Return-Path: to the forwarded email. therefore. orf logs show the source of spam and the spamming ip to be from . to change this is beyond my control.

the bulk of such spam seems to originate from , various russian sites and .it sites.. the russian spam is usually blocked by the cyrilllic filter regex that you've given me before, I've already blocked those where *.es *.it is mentioned in the user defined url blacklist, but those which is plain text spanish spam literally goes through.

sad to say, spf is also not an option (cos the doesn't have one/ or can't have one for some reason.)

I've tried adding the main ips as intermediate hosts, but it doesn't really help/do anything)

any suggestions?

by christopher.low 6 years ago

@christopher.low: if adding the MXs of to the Intermediate Host List and assigning all blacklist tests to On Arrival did not help, that probably means the forwarder server at removes the original sender information and delivery path from the email headers, so ORF cannot check who the real sender host was and IP-based tests (such as the DNS Blacklist test) will not work.

The only way to address this issue is to configure the forwarder server to preserve the original sender information (Received: from lines in the header), so ORF could identify the real sender during its header analysis (related Help article:

We have seen similar issues with Forefront/ISA servers:

by Krisztián Fekete (Vamsoft) 6 years ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2