Certian Type of Spam just wont get filtered! RSS Back to forum
@Grant:
Please send us an email to with the following information / files:
1. Description of your your system setup (OS and Exchange versions, perimeter and back-end servers, which server relays to where, firewalls, proxies, secondary MXs, other software which may affect the email flow, etc.)
2. Your configuration file called orfent.ini
3. Your raw text .log files related to this issue from the past few days (orfee-<date>.log files). Please send us raw .log files, Log Viewer .csv exports are not suitable.
The above files are located in the ORF directory (Program Files \ ORF Enterprise Edition or Program Files (x86) \ ORF Enterprise Edition by default).
4. The original MIME headers of such spam getting through filtering. The MIME headers can be retrieved by selecting View | Options in Outlook ("Internet Headers"). (Instructions on how to get the MIME headers from other email clients: http://www.spamcop.net/fom-serve/cache/19.html). Please copy/paste these into a text file.
5. the original email bodies spam getting through filtering (in .eml or .msg format)
Please send all the above mentioned files in a single ZIP. If you agree, I will review your configuration and make some suggestions to maximize the filtering efficiency.
@Grant: Are you using DNSBL's and SURBL's? I use Barracuda, spamhaus zen, spamcop, and combined surbl lists and haven't had a problem with these.
@mikeg: I am using: CBL Composite List/SORBS/SpamCop/Spamhaues I want to say I also used Barracuda at one time as well.
I suggest you add the combined surbl list located in configuration/filtering/on arrival/url blacklists and see if that helps. It filters urls in messages that could lead to images.
I am having an issue with a certian type of spam that keeps bypassing ORF, we ahve the latest version and this type spam basically shows a large image in teh body and changes teh subject line so you cant keyword blacklist. I have also notice that it will change it domain name everyday as well to get past I will copy and paste just a few different domain names that it comes from so I cant blacklist it because it changes way to often. I have turned on SPF and RDNS on (both:before and after arrival) and it still doesnt catch it. Here is a few domain names that it comes from like I said it always changes:
pharmacy assistant programs []
physicians blend hgh spray []
accounting degrees []
It is very annoying one user gets about 50 of these a day, any ideas or anyone need more information?