dodgy email not stopped by ORF - ORF Forums

dodgy email not stopped by ORF RSS Back to forum


We've received an email from [email protected] ... clearly not a valid email domain.

Somehow email hasn't been stopped by any of the tests. Why ?


Time: 13/02/2015 12:03:59 GMT+0000 GMT Standard Time
Sender Email: [email protected]
Recipient Email: ***.*****@**********
Related IP:
Action: (not available)
Email Subject: Cancelled Money Transfer!!! Case N 870930

Email passed checks.

Filtering Point: On Arrival
Event Class: Pass
Severity: Information
Server: MAIL.**********.lan
Event Source: MSEXCHANGE
HELO Domain: (not available)
Message ID: (not available)
Log Mode: Verbose


by tomasz.sokolowski 4 years ago

@tomasz.sokolowski: Hi Tomasz,

I think a regex rule that catches the dotted quad IP address on Sender emails and perhaps the HELO string may help. Something like:

(lose the @ sign in a HELO rule)

Kristian: do you have a place online where there are sample regexes? From this forum I collected some good HELO rules from way back from Fluke, Lawton, Schmidt, etc but I can't find them online anymore. These rules still work well for me. I could repost them but XML does not work on this forum so I'm not sure how to go about it.


by Sam Russo 4 years ago
(in reply to this post)


@tomasz.sokolowski: IPv4 addresses in the domain part are valid according to the RFC as far as I know:

Invalid sender email addresses submitted in the MAIL FROM: command are rejected by Exchange.

by Krisztián Fekete (Vamsoft) 4 years ago
(in reply to this post)


I've never heard of genuine company using IP address in the domain. Its a silly idea anyway.

I've added blacklist rule as per Sam's comment.

by tomasz.sokolowski 4 years ago

@Sam Russo: The Regex Corner section of our old site has not been migrated to the new one. Expressions which work in one environment may cause false positives in others (we have been contacted by many users in the past who imported all regular expressions found in the Regex Corner (submitted by other users) without knowing what they do, and got legitimate emails blocked).

If someone requires help with a specific expression, we are happy to assist in our forum :)

by Krisztián Fekete (Vamsoft) 4 years ago
(in reply to this post)


@Krisztián Fekete (Vamsoft): ORF is more of an anti-spam framework rather than turnkey solution. The rules one uses make all the difference and certainly any new rule that is added must be vetted by the end-user for their own environment to avoid and/or catch any false positives early. I'm not sure how end-users can learn to tune ORF without examples they can use at their own risk and their own comfort level...

by Sam Russo 4 years ago
(in reply to this post)


@Sam Russo: Hello Sam,

The general idea is that (good) manual filter rules are hard to write and maintain, so we encourage their use only as temporary fixes against specific outbreaks that other tests struggle to keep up with. When used with care, these are indeed powerful tools for the ORF power user, but we usually see significant room for improvement in ORF configuration without resorting to manual filtering rules.

by Péter Karsai (Vamsoft) 4 years ago
(in reply to this post)


Would you be able to start a section on the website/forum/blog where you put 'best practice' examples or filtering rules based on recent outbreaks ?

Not all the users are being hit with the most popular spam campaigns ... but those who are ... they would be very keen to look at something like this I think.

by tomasz.sokolowski 4 years ago

@tomasz.sokolowski: Hello Tomasz,

Sure we could, my point is that we rather improve things in a way that benefits every ORF user. There are usually multiple ways to achieve the same goal (that is, the perfect spam filtering performance). In this particular case, we believe the goal is to be achieved through more and better automated ORF tests and a flatter learning curve, because these would bring the benefits to the masses and eventually save you the time of constantly tuning ORF. Due to this, we are currently channeling our resources into research that could bring improved performance to ORF without tweaking with manual rules.

by Péter Karsai (Vamsoft) 4 years ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2