Feature requests? - ORF Forums



1. An option to allow Automatic approval of all pending submissions in the admin tool, without any user input? I've never rejected anything using this feature, and it's extra steps every time I enter the admin tool.

2. A changelog for everything an admin has done to ORF? Not just events ORF is taking, but all admin *changes* an admin has taken. Make this filterable?

3. Ability to remove (or add!) an exact record within an automated whitelist or blacklist, like honeypot, or auto-sender?

by Indy 5 years ago

@Indy: The first is a bit more complicated than it seems: automatic approval would require the ORF Service to add the remotely sent items to the active configuration immediately, and that can be done only by reinitializing the configuration. That comes with two problems:

* If you concurrently edit the configuration in the Administration Tool, the configuration of the ORF Service and the one opened in the Administration Tool would be out of sync (as the Administration Tool loads the configuration when it is started, after that, it does not monitor/poll if anything has changed), so they'd overwrite each other's changes upon save/reinitialization. That is why the ORF Service channels these remotely sent items to the Administration Tool currently. E.g., you start the Administration Tool, change some things, but at the same time, you (or another administrator) send(s) items over from the Log Viewer to the ORF Service which are auto-approved (changing the active configuration). Now, you save the configuration in the Administration Tool: it will ignore the previously auto-approved items and overwrite the active configuration of the ORF Service with its own.

* Reinitialization is a somewhat resource-intensive process and comes with a brief service outage, thus ORF is designed to perform it only when it is necessary (upon saving the configuration).

We can improve the current mechanism by prompting to accept remotely sent items upon save in the Administration Tool (and allowing to automatically approve pending items upon saving the configuration).

2. I posted this feature request, you can vote for this at http://vamsoft.com/support/feature-requests/configuration-change-log

3. You can already remove items manually by adding exceptions to the Auto Sender Whitelist, Honeypot, DHA Protection test and Greylisting test (they will not be removed from the databases immediately, but they will be ignored and the related database entries will eventually expire), or you can remove/add records to the databases if you use an external SQL database (e.g., by using SQL Management Studio). I would not recommend the latter though, the automated databases are not meant for manual entries: add them to the manual Sender/IP/Recipient Blacklists and Whitelists of ORF instead.

by Krisztián Fekete (Vamsoft) 5 years ago
(in reply to this post)


@Krisztián Fekete (Vamsoft): What about something in ORF to handle Snowshoe spammers?

We are frequently spammed by those who use hosting servers and travel slowly or quickly across an IP range. We often see rapid bursts from a single IP (during which time the RBLs have not yet picked it up) and then the spammer may change the message and the IP address and continue again. Sometimes our existing ORF rules catch them but other times not. If ORF were snowshoe-aware (building a local database of IPs that have previously sent spam to this local copy of ORF) then it could mark something as spam just by being in the same narrow range of IPs where other spam was recently sent.

Note what I'm asking for is simply a DB to collect and aggregate previous ORF results so that as a new IP address is detected and no current rules are tagging the new message as spam, the DB could be checked to see if it is a spammy network range. The range could grow dynamically as the sender moves across the IP range. It could drop out of the database after some inactivity timeout.

I do subscribe to SpamHaus zen which includes CSS but it seems that they do not yet list the IPs as they hit our site so this has not been effective for us. I also use the SpamHaus datafeed service so we are getting good queries. Senderbase.org has this sort of IP reputation working for manual web queries but they cannot be used as an RBL, it only benefits Cisco Ironport appliance users.

I could probably create such a DB as an external agent but I wondered if this is an idea you are considering to be added to ORF? There seems to have been a strong trend toward SnowShoe spam this year and this feature could be very useful for ORF users.

by Sam Russo 5 years ago
(in reply to this post)
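
The local range database described in the post above can be sketched as follows. This is an added example, not part of the original thread and not ORF or Vamsoft code. The class name, the `gap`, `min_ips` and `idle_timeout` parameters and the sample addresses (documentation range 203.0.113.0/24) are assumptions made for illustration, and it handles IPv4 only.

```python
import ipaddress

class SnowshoeRanges:
    """Local record of address ranges that recently sent spam (hypothetical helper)."""

    def __init__(self, gap=8, min_ips=3, idle_timeout=6 * 3600):
        self.gap = gap                    # max distance (in addresses) to join a range
        self.min_ips = min_ips            # distinct spam sources before a range counts
        self.idle_timeout = idle_timeout  # seconds without spam before a range is dropped
        self.ranges = []                  # each entry: {"lo", "hi", "ips", "last"}

    def _near(self, r, n):
        return r["lo"] - self.gap <= n <= r["hi"] + self.gap

    def _expire(self, now):
        self.ranges = [r for r in self.ranges if now - r["last"] <= self.idle_timeout]

    def record_spam(self, ip, now):
        """Call after the filter has already classified a message from ip as spam."""
        self._expire(now)
        n = int(ipaddress.IPv4Address(ip))
        merged = {"lo": n, "hi": n, "ips": {n}, "last": now}
        keep = []
        for r in self.ranges:
            if self._near(r, n):          # grow a range, or bridge two neighbours
                merged["lo"] = min(merged["lo"], r["lo"])
                merged["hi"] = max(merged["hi"], r["hi"])
                merged["ips"] |= r["ips"]
            else:
                keep.append(r)
        self.ranges = keep + [merged]

    def is_suspect(self, ip, now):
        """True if ip lies in or next to a live range with enough distinct spam sources."""
        self._expire(now)
        n = int(ipaddress.IPv4Address(ip))
        return any(self._near(r, n) and len(r["ips"]) >= self.min_ips
                   for r in self.ranges)

def demo():
    # Constructed sample: one sender stepping across neighbouring addresses.
    db = SnowshoeRanges(gap=8, min_ips=3, idle_timeout=3600)
    for ts, ip in [(0, "203.0.113.10"), (60, "203.0.113.14"), (120, "203.0.113.21")]:
        db.record_spam(ip, ts)
    return (db.is_suspect("203.0.113.25", 200),    # next to the grown range
            db.is_suspect("203.0.113.200", 200),   # same /24, far from the range
            db.is_suspect("203.0.113.25", 3721))   # range has aged out

if __name__ == "__main__":
    print(demo())
```

Counting distinct source addresses rather than messages keeps a burst from one host from condemning its neighbours; on shared hosting ranges the result is better used as one scoring input than as an outright block.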
