Spam getting through, regardless of SORBS listing - ORF Forums


1

We have received some spam from IP address - 201.76.49.10
This IP is listed on SORBS and has been listed since November 2017.
I have DNS Blacklists enabled as a test and SORBS as one of the lookups, but this SPAM was still allowed through ORF Fusion.

Have I got something misconfigured?

by gavpop 6 years ago
2

It is certainly a possibility, but first you should check what the ORF log says: Open the ORF log from the day of the incident (e.g. orfee-2018-04-08.log) in the Log Viewer, look for the email (Ctrl + F) and double-click the relevant log entry to see the details. The information in the 'Message' field should clarify what has happened to the email exactly (i.e. it was whitelisted or passed all of the blacklist tests).

by Daniel Novak (Vamsoft) 6 years ago
3

@Daniel Novak (Vamsoft): Here is a copy from the Log Viewer. I've stripped personal information.
It doesn't really tell me a lot??



-------------------------------------------------------------------------------

-- EVENT SUMMARY --
Time: 07/04/2018 02:51:16 GMT+0100 GMT Daylight Time

Related IP: 201.76.49.10
Action: (not available)
Email Subject: Alvera

-- EVENT MESSAGE --
Email passed checks.

-- EVENT DETAILS --
Filtering Point: On Arrival
Event Class: Pass
Severity: Information
Server:
Event Source: MSEXCHANGE
HELO Domain: (not available)
Message ID: (not available)
Log Mode: Verbose
ORF Version: 5.4.1 REGISTERED

-------------------------------------------------------------------------------

by gavpop 6 years ago
(in reply to this post)

4

According to the summary above, the email has passed all of the ORF tests. If the IP address of the spammer has been on the SORBS list since 2017 and ORF could successfully query the records of the SORBS DNS server, it should have blocked the email. I suggest that you filter ORF logs (Ctrl + Shift + F) by 'Related IP' (201.76.49.10) or 'Sender' and see whether you can find any error message logged for the DNSBL test.

by Daniel Novak (Vamsoft) 6 years ago
5

@Daniel Novak (Vamsoft): I've attached below.
3 events.
First two were held by greylisting.
IP changes with each attempt, but all three IPs are listed on SORBS, so should have been blocked?



-------------------------------------------------------------------------------

-- EVENT SUMMARY --
Time: 07/04/2018 02:51:16 GMT+0100 GMT Daylight Time

Related IP: 201.76.49.10
Action: (not available)
Email Subject: Alvera

-- EVENT MESSAGE --
Email passed checks.

-- EVENT DETAILS --
Filtering Point: On Arrival
Event Class: Pass
Severity: Information
Server:
Event Source: MSEXCHANGE
HELO Domain: (not available)
Message ID: (not available)
Log Mode: Verbose
ORF Version: 5.4.1 REGISTERED

-------------------------------------------------------------------------------

-- EVENT SUMMARY --
Time: 07/04/2018 02:21:02 GMT+0100 GMT Daylight Time

Related IP: 201.76.49.9
Action: Rejected
Email Subject: (not available)

-- EVENT MESSAGE --
Temporarily rejected by the Greylisting Test.

-- EVENT DETAILS --
Filtering Point: Before Arrival
Event Class: Blacklist
Severity: Information
Server:
Event Source: MSEXCHANGE
HELO Domain: (not available)
Message ID: (not available)
Log Mode: Verbose
ORF Version: 5.4.1 REGISTERED

-------------------------------------------------------------------------------

-- EVENT SUMMARY --
Time: 07/04/2018 02:05:55 GMT+0100 GMT Daylight Time

Related IP: 201.76.49.7
Action: Rejected
Email Subject: (not available)

-- EVENT MESSAGE --
Temporarily rejected by the Greylisting Test.

-- EVENT DETAILS --
Filtering Point: Before Arrival
Event Class: Blacklist
Severity: Information
Server:
Event Source: MSEXCHANGE
HELO Domain: (not available)
Message ID: (not available)
Log Mode: Verbose
ORF Version: 5.4.1 REGISTERED

-------------------------------------------------------------------------------

by gavpop 6 years ago
(in reply to this post)

6

Unfortunately I have no explanation for this situation. If we can believe the data from the SORBS website/database, the emails should have been blacklisted.

Could you send us (to ) your ORF configuration file (orfent.ini) and the ORF log files from the 5th, 6th and 7th of April for analysis? I will review them and get back to you as soon as possible. You can find the requested files in the ORF program directory (default: \Program Files (x86)\ORF Fusion).

by Daniel Novak (Vamsoft) 6 years ago
7

Hello gavpop,

I believe I have found the problem: All of the mail sources (IP addresses) that you listed above are found in the 'spam.dnsbl.sorbs.net' zone (database), which is *not* part of the dnsbl.sorbs.net aggregate zone that ORF uses for its SORBS DNSBL test. If you want ORF to check the source IP against the SORBS SPAM database as well - which we do not actually recommend due to possible false positives - you will need to create a custom DNSBL entry in the ORF admin tool:

1. Start the 'ORF Administration Tool' and connect to the local or a remote instance

2. Navigate to the 'Blacklists > DNS Blacklists' page and click 'New'

3. On the 'General' tab of the 'DNS Blacklist Properties' dialog, fill in the 'short identifier' (which will be used in the logs) and 'DNS blacklist full name' (which will be displayed in the config) fields. e.g. SORBS-SPAM ; SORBS Spam Zone

4. On the 'Lookup' tab, enter 'spam.dnsbl.sorbs.net' for the lookup domain and (!) mark the 'Reverse the IP address for lookups' checkbox enabled.

5. On the 'Blacklist Web' tab, enter the URL "http://www.sorbs.net" into the first field, and 'http://www.sorbs.net/lookup.shtml' into the second.

6. On the 'SMTP Actions' tab add the IP address that this lookup zone returns on "hit" (127.0.0.6 - according to http://www.sorbs.net/general/using.shtml), with an appropriate SMTP response (default: "5.7.1 Mailbox unavailable. Your IP address {IP} is blacklisted using {BLACKLISTNAME}. Details: {TXTDATAORWEBLOOKUP}.").

7. Click OK, mark the new DNSBL enabled and save the ORF configuration (Ctrl + S) to apply the new settings.

I hope the above proves helpful to you, but let me know if you have further questions.

by Daniel Novak (Vamsoft) 6 years ago
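To make the mechanics in Daniel's reply concrete, here is an added Python example (not ORF's or Vamsoft's code) that performs a DNSBL lookup the way the post describes: the source IP's octets are reversed and prefixed to the zone name, and a listing is only recognised when the zone answers with the configured 127.0.0.x hit code. The zone names, the three source IPs and the 127.0.0.6 code come from the thread; the `hit_codes` parameter, the helper names and the stub answers are my own constructions so the code runs offline (pass `system_resolver` to query real DNS).

```python
"""DNSBL lookup walkthrough (added example; not ORF's or Vamsoft's code).

Shows the two details that decide whether a SORBS listing is seen: the
source IP is reversed octet-wise and prefixed to the zone name, and the zone
answers with a 127.0.0.x address whose meaning depends on the zone. The
resolver is injectable so the logic can be exercised offline with
constructed answers; system_resolver does a real lookup.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], List[str]]

# Zone names from the thread. Per the post, spam.dnsbl.sorbs.net is NOT part
# of the dnsbl.sorbs.net aggregate, so a listing there is invisible to a
# test that queries the aggregate alone.
SORBS_AGGREGATE = "dnsbl.sorbs.net"
SORBS_SPAM = "spam.dnsbl.sorbs.net"
SORBS_SPAM_HIT = frozenset({"127.0.0.6"})   # hit code cited in the post

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.zone.

    Leaving the 'Reverse the IP address for lookups' option off produces a
    name the zone has no record for, so every lookup silently misses.
    """
    addr = ipaddress.IPv4Address(ip)           # ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def system_resolver(name: str) -> List[str]:
    """A-record lookup through the OS resolver; NXDOMAIN (not listed) -> []."""
    try:
        results = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return list(dict.fromkeys(r[4][0] for r in results))   # dedupe, keep order


def check_dnsbl(ip: str, zone: str, hit_codes: Optional[frozenset],
                resolver: Resolver = system_resolver) -> Tuple[bool, List[str]]:
    """Return (listed, raw_answers).

    hit_codes=None accepts any 127/8 answer; otherwise only the configured
    codes count, mirroring ORF's per-code 'SMTP Actions' mapping. Answers
    outside 127/8 never count: public DNSBLs do not return routable addresses,
    so such an answer indicates a broken or intercepting resolver, not a hit.
    """
    answers = resolver(dnsbl_query_name(ip, zone))
    hits = [a for a in answers
            if ipaddress.ip_address(a) in LOOPBACK
            and (hit_codes is None or a in hit_codes)]
    return (bool(hits), answers)


def explain(ip: str, resolver: Resolver = system_resolver) -> Dict[str, bool]:
    """Query both zones for one IP to show why an aggregate-only test misses a
    spam-zone listing. The thread gives no hit codes for the aggregate, so any
    127/8 answer is accepted there (assumption)."""
    return {
        SORBS_AGGREGATE: check_dnsbl(ip, SORBS_AGGREGATE, None, resolver)[0],
        SORBS_SPAM: check_dnsbl(ip, SORBS_SPAM, SORBS_SPAM_HIT, resolver)[0],
    }


# Constructed offline answers reproducing the thread's situation: the three
# source IPs are listed in the spam zone only. The 192.0.2.1 entry models a
# resolver that returns a routable address instead of NXDOMAIN.
STUB_ANSWERS = {
    "10.49.76.201.spam.dnsbl.sorbs.net": ["127.0.0.6"],
    "9.49.76.201.spam.dnsbl.sorbs.net": ["127.0.0.6"],
    "7.49.76.201.spam.dnsbl.sorbs.net": ["127.0.0.6"],
    "1.2.0.192.dnsbl.sorbs.net": ["203.0.113.5"],
}


def stub_resolver(name: str) -> List[str]:
    """Offline stand-in for DNS; unknown names behave like NXDOMAIN."""
    return STUB_ANSWERS.get(name, [])


if __name__ == "__main__":
    for src in ("201.76.49.10", "201.76.49.9", "201.76.49.7"):
        print(src, explain(src, stub_resolver))
```

Against the stub, each of the three IPs reports `dnsbl.sorbs.net: False` and `spam.dnsbl.sorbs.net: True`, which is exactly the "passed checks" outcome in the log: the aggregate test had nothing to object to. Configuring the spam zone with the wrong hit code (say 127.0.0.2) makes `check_dnsbl` return the answer but not treat it as a listing, so after adding a custom zone it is worth confirming in the log that the first expected hit actually produced a reject.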
8

@Daniel Novak (Vamsoft): Thank you for this.
I've now set it all up.
I'm curious what level of false positives I get, if any.
I'll report back.

by gavpop 6 years ago
(in reply to this post)
