Embedded image spam getting through - ORF Forums

@aeleus: Hello aeleus,

Are the "From:" and "To:" addresses (in the message header) identical in those emails by any chance? Is the spammer spoofing your domain in the From address field? If so, you should add a special header filter to ORF as described in the “Other campaigns: MIME sender spoofing” section of our related article:

https://vamsoft.com/support/docs/articles/how-to-blacklist-self-spam#mime-sender-spoofing

@aeleus: Yes, you could try to block empty emails, but I think it would be better to approach this spam problem from a different angle. Based on the description you provided, it sounds like you are being hit by snowshoe (+sextortion scam) spam which is indeed a headache and it is remarkably successful at evading DNSBLs/SURBLs. In any case, there is often room for improvement or problems with ORF configurations that contribute toward a worse-than-ideal spam filtering performance. The best way to identify these is to do a comprehensive review of your configuration and logs. Once this review is completed, we can provide you with an analysis and recommendations (if any) to achieve more with ORF. If you agree, please send us (to ) the following files for analysis:

+ Your configuration file orfent.ini. This can be found in the ORF program directory, \Program Files (x86)\ORF Fusion by default.

+ A few recent ORF log files. These have .log extension (e.g. orf-2019-04-23.log for yesterday) and can be found on the configured ORF logging path.

@mark.hoban: Hello Mark,

If you want to blacklist blank emails (i.e. no content in the mail body), add the following regex type expression to the Keyword Blacklist with an "Email body" search scope. - the "Body raw HTML source" option should not be checked in this case.

Regex pattern to use:

^\s$