MIME Spoofing & Keyword Blacklisting
Hello jean.davis,
Unfortunately, without the log files and detailed information about your system setup I can only guess, but I suspect that your remote users are not using SMTP Authentication for relaying or the Authentication Whitelist (http://vamsoft.com/support/docs/orf-help/5.4/adm-authwhitelist) is disabled, otherwise ORF would have automatically excluded their emails from filtering. As a workaround, you could add the source IPs to the IP Whitelist, but if the IPs are dynamic, your only choice is using SMTP authentication.
Regarding your SPF question, I suspect that the SPF Test is currently assigned only to the On Arrival filtering point where the Keyword Blacklist test is always performed before the SPF Test (See test order and priority: http://vamsoft.com/support/docs/orf-help/5.4/tests), hence the keyword hits before the SPF check. If your setup allows it, I suggest assigning all tests to both the Before Arrival and On Arrival filtering points.
@Daniel Novak (Vamsoft):
Thanks for the reply.
The remote users are using SMTP authentication since I think that's the only way IMAP users can send mail. My Authentication Whitelist is enabled already. I can't add to an IP whitelist, too dynamic. It would be nice to have "ORF would have automatically excluded their emails from filtering."
I currently have the keyword blacklist off because it was blocking some folks, so even with that off they still get through the SPF fail. I know SPF works since it's working on normal spam. It just doesn't trigger on these remote SMTP users. This part isn't a real issue, I was just wondering.
Let me know which logs would come in handy for you.
@jean.davis:
Hello,
I guess that remote users (who use IMAP to download emails and SMTP to relay them) use a different server for SMTP relaying, which in turn relays through the ORF server, is that correct? In this case, SMTP authentication is only applied in the relation between the user and their relay server and the Authentication Whitelist is not triggered. There are a couple of ways to work around this:
* Reconfigure the relay chain so that the SMTP relay server bypasses the server where ORF runs
* Reconfigure Exchange connectors (if these are Exchange servers) to build a trust between the servers.
The SMTP server is the ORF server. Is there a way to have ORF recognize SMTP authentication?
@jean.davis: If SMTP authentication takes place, then ORF must recognize that. If this is a single server configuration, I believe internal relaying may be to blame -- something receiving the SMTP connections first, stripping the SMTP authentication information by the time they get to ORF. Is this Exchange 2007 or later or IIS/pre-2007 Exchange? In the latter case, do clients send to the default port 25 connector or through the SMTP submission port?
@jean.davis: Thank you, it appears to be an internal relaying issue. How are your Exchange connectors set up?
It's just set up for SMTP as recommended by Microsoft.
I think I'll just have to wait till I can get everyone off IMAP.
Thanks for all the replies.
@Péter Karsai (Vamsoft):
One last question which might work. Is there a way to create a keyword blacklist that gets set off if the domain is used but the sender is listed as the same domain, therefore it will only scrap the ones that are just in the header?
Thanks. Sorry to be a pain btw.
Jean
@jean.davis: Sorry, I am not sure if I understand your question -- in case you mean whether the envelope sender (the sender shown in ORF logs) address can be combined into a Keyword Blacklist expression, I am afraid the answer is no, there is no such rule available in ORF.
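The check asked about above (flag a message whose header From claims our own domain only when the envelope sender is a different domain, and leave authenticated relay sessions alone) is not available as an ORF rule, as the reply says. The following is an added example, not ORF's or Vamsoft's code, of what such a rule would look like if implemented in a custom filter; OWN_DOMAIN and the sample message are constructed assumptions.

```python
from email import message_from_string, policy
from email.utils import parseaddr

OWN_DOMAIN = "example.com"  # assumption: the organization's own domain


def addr_domain(addr):
    """Lower-cased domain of 'Name <user@dom>' or 'user@dom'; '' if absent."""
    _, a = parseaddr(addr)
    return a.rpartition("@")[2].lower() if "@" in a else ""


def mime_spoof_verdict(raw_msg, envelope_from, authenticated):
    """Classify one message against an 'own domain in header From' rule.

    Returns:
      'skip-authenticated'  - session used SMTP AUTH, treat as legitimate relay
                              (what ORF's Authentication Whitelist does)
      'skip-envelope-match' - envelope sender is also our domain; leave that
                              case to the SPF test, which checks MAIL FROM
      'spoofed'             - header From claims our domain, envelope does not
      'pass'                - header From is not our domain, rule does not apply
    """
    if authenticated:
        return "skip-authenticated"
    msg = message_from_string(raw_msg, policy=policy.default)
    if addr_domain(str(msg.get("From", ""))) != OWN_DOMAIN:
        return "pass"
    if addr_domain(envelope_from) == OWN_DOMAIN:
        return "skip-envelope-match"
    return "spoofed"


# Constructed sample: header From claims our domain.
SAMPLE_MSG = (
    "From: Alice <alice@example.com>\r\n"
    "To: bob@example.com\r\n"
    "Subject: Invoice\r\n"
    "\r\n"
    "Please see attached.\r\n"
)

if __name__ == "__main__":
    # Spoof: envelope sender is a foreign domain, no SMTP AUTH.
    print(mime_spoof_verdict(SAMPLE_MSG, "bulk@mailer.invalid", False))
    # Remote IMAP user relaying with SMTP AUTH from a dynamic ISP address.
    print(mime_spoof_verdict(SAMPLE_MSG, "alice@example.com", True))
```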
Ok, thanks. I guess I'm going to just get our IMAP users to switch over to ActiveSync. Thanks for your time.
I added the recommended keyword blacklist to prevent MIME spoofing of our own domain. I have one problem, IMAP people are showing up coming in from their home ISP so their emails sending out are getting blocked.
I'd like to remove IMAP but not sure that is feasible yet.
Why does IMAP pull that IP for the related IP? Why doesn't this fall under the SPF fail since our domain and their ISP IP isn't allowed?
Thanks.