Related IP is internal LAN adapter - ORF Forums

@gavpop: Hello gavpop,

There are two things to remember when it comes to analyzing the ORF logs:

1) Before Arrival, ORF considers the remote peer IP address of the SMTP connection as the sender and use the connecting IP for its IP-based tests. If the IP address is on the Intermediate Host List (https://vamsoft.com/support/docs/orf-help/5.5/adm-intermediatehostlist), ORF skips the Before Arrival tests, and waits for the whole email to arrive in order to determine the original sender address from the available message header (https://vamsoft.com/support/docs/orf-help/5.5/headeranalysis).

2) The IP address recorded in the “Related IP” field of the ORF log should be interpreted as the IP address that is related to and relevant to the logged *filtering event* - which is not necessarily the source IP of the incoming email. Unless the event is directly related to an IP-based test, such as the IP blacklist, IP Whitelist or the SPF Test (etc.), the Related IP field will show the IP address of the last delivery hop, and not the IP of the sending server.

I hope this helps.

@gavpop: Hello gavpop,

The email was whitelisted because the IP 192.0.0.174 was - manually - added - by one of the admins to the IP whitelist of ORF, hence the message "Whitelisted by the IP Whitelist". Find the IP address on the IP Whitelist page (of the ORF Administration Tool) and remove it from the list.

Considering that IP address 192.0.0.174 is a reserved special purpose address that is not routed publicly, I assume it belongs your organization. Do you use the 192.0.0.0/24 range as alternative to the standard 192.168.0.0/24 private intranet range? Please note that IANA has specified the following three blocks of the IP address space for private intranet use (in RFC1918: https://tools.ietf.org/html/rfc1918):

Class A: 10.0.0.0 - 10.255.255.255 (10/8 prefix)
Class B: 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
Class C: 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

Emails sent directly from the above ranges are automatically excluded from ORF filtering to avoid accidental blacklisting of internal and outgoing emails. Moreover, if you check the 'Intermediate Hosts' page in the ORF Administration Tool (Filtering > Intermediate Hosts), you will notice that the aforementioned IPv4 blocks are already pre-added and "burnt onto" the list (i.e. they cannot be removed). This is because ORF uses this list to figure out where your network perimeter ends and where the internet begins, while analyzing the message header of an incoming email to find the source IP of it (see 'Header Analysis" explained at https://vamsoft.com/support/docs/orf-help/5.5/headeranalysis). Consequently, it is crucial that you keep the intermediate host list up-to-date. It should include the IP address (or range) of any host that belongs to your organization and can relay emails to the ORF server - unless, it has a standard Class A, B, C private intranet address.

So, in short, if 192.0.0.174 does belong to your organization, remove the IP address from the 'IP Whitelist' and add it to the 'Intermediate hosts' list of ORF to resolve this issue. Then, save the ORF configuration (Ctrl + S) to apply the new settings.

On a final note, make sure that your firewalls and mail-security appliances are configured to leave the "Receieved from:" header fields in the email's message header intact (i.e. do not let them strip those fields). Otherwise, ORF will not be able to determine the correct source IP and will use a wrong IP for its tests.

Le me know if this has helped.