SPF "neutral" not blocking RSS Back to forum
If ORF is configured as you say and the email was not actually whitelisted, then most probably the spammer used the *@hp.com address in the message header only (in the 'From:' field) and used a different 'envelope sender address' during the mail submission. ORF, similarly to mail servers, uses and logs the envelope addresses for its tests, while mail clients, such as Outlook, display the email address found in the 'From:' header. If you want to create a rule to block emails based on the address in the 'From:' header, you will have to add a header filter to Keyword Blacklist or ORF, as described in the following article: https://vamsoft.com/support/docs/articles/how-to-blacklist-self-spam#mime-sender-spoofing -- use the 'hp.com' domain instead of your own.
Before you do anything though, I would suggest that you check the ORF logs in the ORF Log Viewer to see what happened to that particular email exactly (Press Ctrl+F to find the email, or Shift+Ctrl+F for a filtered view). It might turn out that the email got excluded from filtering for some reason - check the 'Message' column or double click the relevant event record for details. Possible scenarios from the top of my head:
1) The email was submitted with a sender address that does not match your "*@hp.com" wildcard mask -> see the first part of my post.
2) The The email was submitted with a *@hp.com sender address, but it was allowed to pass -> double-check your SPF settings, test the wildcard expression in the 'SPF Neutral Domains' dialog (SPF Test > Settings > Edit List... > Test button) -- consider enabling the logging of all SPF check results (SPF Test > Settings > Log) for troubleshooting.
3) The email was whitelisted -> remove the incorrect entry from the whitelist indicated in the 'Message' column.
4) The email cannot be found in the ORF logs -> Update the Transport Agent priority settings (i.e. the filtering order) of your Exchange Server: https://vamsoft.com/support/docs/knowledge-base/changing-the-filtering-order -- and check the Exchange (SMTP) protocol logs for additional details: http://practical365.com/exchange-server/exchange-server-protocol-logging/
Please let me know if this has helped.
@Daniel Novak (Vamsoft):
Daniel,
1. Sender address match "*@hp.com" wildcard mask
2. I have tested wildcard mask when I added wildcard mask to exclusion
3. Emal wasn't whitelisted
Email's header for spam message:
Received: from mx-19.hp.com (138.68.177.159) by mx1.........
with Microsoft SMTP Server id 14.3.361.1; Tue, 31 Oct 2017 09:41:10 +0300
Message-ID: <>
Date: Tue, 31 Oct 2017 07:35:03 +0100
From: =?UTF-8?B?0K3QutC+0L3QvtC80LjRh9C10YHQutCw0Y8g0LHQtdC30L7Qv9Cw0YHQvdC+?=
=?UTF-8?B?0YHRgtGMINC/0YDQtdC00L/RgNC40Y/RgtC40Y8=?= <>
To: <>
MIME-Version: 1.0
Subject: =?UTF-8?B?0YPRj9C30LLQuNC80YvQtSDQvNC10YHRgtCwINCyINC/0YDQsNCy0L7QstC+?=
=?UTF-8?B?0Lkg0YHQuNGB0YLQtdC80LUg0L/RgNC10LTQv9GA0LjRj9GC0LjRjw==?=
JB: .
Content-Type: multipart/mixed; boundary="c2e256464606190558b1b1efad65030c"
Return-Path:
X-MS-Exchange-Organization-PRD: hp.com
Received-SPF: Neutral (.................: 138.68.177.159 is neither
permitted nor denied by domain of )
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID:SenderIDStatus Neutral;OrigIP:138.68.177.159
X-MS-Exchange-Organization-SCL: 5
X-MS-Exchange-Organization-SenderIdResult: NEUTRAL
X-MS-Exchange-Organization-AuthSource: .................
X-MS-Exchange-Organization-AuthAs: Anonymous
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
And log from ORF:
-------------------------------------------------------------------------------
-- EVENT SUMMARY --
Time: 31.10.2017 9:35:04 GMT+0300 (local)
Sender Email:
Recipient Email:
Related IP: 138.68.177.159
Action: (not available)
Email Subject: (not available)
-- EVENT MESSAGE --
SPF check done for domain "hp.com". Result: SPF "neutral".
-- EVENT DETAILS --
Filtering Point: Before Arrival
Event Class: System Message
Severity: Information
Server: f5-orf5.fdoctor.ru
Event Source: MSEXCHANGE
HELO Domain: mx-19.hp.com
Message ID: (not available)
Log Mode: Verbose
ORF Version: 5.4.1 REGISTERED
-------------------------------------------------------------------------------
-- EVENT SUMMARY --
Time: 31.10.2017 9:35:04 GMT+0300 (local)
Sender Email:
Recipient Email:
Related IP: 138.68.177.159
Action: Rejected
Email Subject: (not available)
-- EVENT MESSAGE --
Temporarily rejected by the Greylisting Test.
-- EVENT DETAILS --
Filtering Point: Before Arrival
Event Class: Blacklist
Severity: Information
Server: f5-orf5.fdoctor.ru
Event Source: MSEXCHANGE
HELO Domain: mx-19.hp.com
Message ID: (not available)
Log Mode: Verbose
ORF Version: 5.4.1 REGISTERED
-------------------------------------------------------------------------------
-- EVENT SUMMARY --
Time: 31.10.2017 9:41:09 GMT+0300 (local)
Sender Email:
Recipient Email:
Related IP: 138.68.177.159
Action: (not available)
Email Subject: (not available)
-- EVENT MESSAGE --
SPF check done for domain "hp.com". Result: SPF "neutral".
-- EVENT DETAILS --
Filtering Point: Before Arrival
Event Class: System Message
Severity: Information
Server: f5-orf5.fdoctor.ru
Event Source: MSEXCHANGE
HELO Domain: mx-19.hp.com
Message ID: (not available)
Log Mode: Verbose
ORF Version: 5.4.1 REGISTERED
-------------------------------------------------------------------------------
-- EVENT SUMMARY --
Time: 31.10.2017 9:41:10 GMT+0300 (local)
Sender Email:
Recipient Email:
Related IP: 138.68.177.159
Action: (not available)
Email Subject: (not available)
-- EVENT MESSAGE --
Recipient passed checks.
-- EVENT DETAILS --
Filtering Point: Before Arrival
Event Class: Pass
Severity: Information
Server: f5-orf5.fdoctor.ru
Event Source: MSEXCHANGE
HELO Domain: mx-19.hp.com
Message ID: (not available)
Log Mode: Verbose
ORF Version: 5.4.1 REGISTERED
-------------------------------------------------------------------------------
-- EVENT SUMMARY --
Time: 31.10.2017 9:41:13 GMT+0300 (local)
Sender Email:
Recipient Email:
Related IP: 138.68.177.159
Action: (not available)
Email Subject: уязвимые места в правовой системе предприятия
-- EVENT MESSAGE --
External Agent "Kaspersky Anti-Virus 6 for Windows Servers" reported error (exit code 0, comment "All OK"). Taking no action. Agent output: "2017-10-31 09:41:13 Scan_Objects$490408 starting 1% <CR><LF>; --- Settings ---<CR><LF>; Action on detect: Disinfect automatically<CR><LF>; Scan objects: All objects<CR><LF>; Use iChecker: Yes<CR><LF>; Use iSwift: Yes<CR><LF>; Try disinfect: No<CR><LF>; Try delete: Yes<CR><LF>; Try delete container: Yes<CR><LF>; Exclude by mask: No<CR><LF>; Include by mask: No<CR><LF>; Objects to scan: <CR><LF>; "c:\temp\sce-0835F37B575BEEF6B0409D4626DE670B.eml" Enable=Yes Recursive=No<CR><LF>; ------------------<CR><LF>2017-10-31 09:41:13 c:\temp\sce-0835F37B575BEEF6B0409D4626DE670B.eml archive Mail<CR><LF>Progress 1%...<CR>2017-10-31 09:41:13 c:\temp\sce-0835F37B575BEEF6B0409D4626DE670B.eml//text/html ok<CR><LF>Progress 1%...<CR>2017-10-31 09:41:13 c:\temp\sce-0835F37B575BEEF6B0409D4626DE670B.eml//Ž¡¥á¯¥ç¥¨¥ íª®®¬¨ç¥áª®© ¡¥§®¯ á®á⨠¯à¥¤¯à¨ïâ¨ï.pdf archive PDF<CR><LF>Progress 1%...<CR>2017-10-31 09:41:13 c:\temp\sce-0835F37B575BEEF6B0409D4626DE670B.eml//Ž¡¥á¯¥ç¥¨¥ íª®®¬¨ç¥áª®© ¡¥§®¯ á®á⨠¯à¥¤¯à¨ïâ¨ï.pdf//data0000 ok<CR><LF>Progress 1%...<CR>2017-10-31 09:41:13 Scan_Objects$490408 running 1% <CR><LF>2017-10-31 09:41:13 c:\temp\sce-0835F37B575BEEF6B0409D4626DE670B.eml//Ž¡¥á¯¥ç¥¨¥ íª®®¬¨ç¥áª®© ¡¥§®¯ á®á⨠¯à¥¤¯à¨ïâ¨ï.pdf//data0001 ok<CR><LF>Progress 1%...<CR>2017-10-31 09:41:13 c:\temp\sce-0835F37B575BEEF6B0409D4626DE670B.eml//Ž¡¥á¯¥ç¥¨¥ íª®®¬¨ç¥áª®© ¡¥§®¯ á®á⨠¯à¥¤¯à¨ïâ¨ï.pdf//JIM ok<CR><LF>Progress 1%...<CR>2017-10-31 09:41:13 c:\temp\sce-0835F37B575BEEF6B0409D4626DE670B.eml//Ž¡¥á¯¥ç¥¨¥ íª®®¬¨ç¥áª®© ¡¥§®¯ á®á⨠¯à¥¤¯à¨ïâ¨ï.pdf ok<CR><LF>Progress 1%...<CR>2017-10-31 09:41:13 c:\temp\sce-0835F37B575BEEF6B0409D4626DE670B.eml ok".
-- EVENT DETAILS --
Filtering Point: On Arrival
Event Class: System Message
Severity: Warning
Server: f5-orf5.fdoctor.ru
Event Source: MSEXCHANGE
HELO Domain: mx-19.hp.com
Message ID: <>
Log Mode: Verbose
ORF Version: 5.4.1 REGISTERED
-------------------------------------------------------------------------------
-- EVENT SUMMARY --
Time: 31.10.2017 9:41:17 GMT+0300 (local)
Sender Email:
Recipient Email:
Related IP: 138.68.177.159
Action: (not available)
Email Subject: уязвимые места в правовой системе предприятия
-- EVENT MESSAGE --
DNS error. Test: "DNSBL: BRBL", server "127.0.0.1", domain: "159.177.68.138.b.barracudacentral.org", record type: A, protocol: UDP. DNS timeout error.
-- EVENT DETAILS --
Filtering Point: On Arrival
Event Class: System Message
Severity: Warning
Server: f5-orf5.fdoctor.ru
Event Source: MSEXCHANGE
HELO Domain: mx-19.hp.com
Message ID: <>
Log Mode: Verbose
ORF Version: 5.4.1 REGISTERED
-------------------------------------------------------------------------------
-- EVENT SUMMARY --
Time: 31.10.2017 9:41:17 GMT+0300 (local)
Sender Email:
Recipient Email:
Related IP: 138.68.177.159
Action: (not available)
Email Subject: уязвимые места в правовой системе предприятия
-- EVENT MESSAGE --
Email passed checks.
-- EVENT DETAILS --
Filtering Point: On Arrival
Event Class: Pass
Severity: Information
Server: f5-orf5.fdoctor.ru
Event Source: MSEXCHANGE
HELO Domain: mx-19.hp.com
Message ID: <>
Log Mode: Verbose
ORF Version: 5.4.1 REGISTERED
-------------------------------------------------------------------------------
Strange. Based on the above, ORF should have blacklisted email. Have you saved the ORF configuration after adding the wildcard expression to the SPF Neutral Domains list? - The configuration must be saved in order to apply new settings.
Of course, Daniel, I have saved the ORF configuration exactly after adding wildcard.
Could you send us (to ) your ORF configuration file (orfent.ini) and the ORF log (e.g. orfee-2017-10-31.log) from the day of the incident for analysis? The requested files can be found in the ORF program directory by default (\Program Files (x86)\ORF Fusion). Thank you!
Hello dit.fdoctor,
I think I figured it out. You will have to remove the '@' symbol from the *@hp.com wildcard expression to make this work. In case of the SPF Test, ORF extracts the domain part from the sender address first (i.e. the part after the @ symbol) and checks that against the expressions on the 'SPF Neutral Domains' list. I will ask the devs to include a warning about this in the description of the 'SPF Neutral Domains' dialog in the next version -- or to make it less ambiguous at least -- to avoid incidents like this. I hope this helps :)
Thank you, Daniel. I removed '@' from wildcard expression and will observe the behavior. If problem persists, I'll write.
I have the spam messages from hp.com domain. Checkbox "Blacklist email on SPF neutral (for specific domain)" is set and domain expression "*@hp.com" is specified at list. But ORF still pass that emails. At sender whitelist this domain isn't listed.