Intermediate Email Whitelisted "Before Arrival" & Then Blacklisted "On-Arrival" - ORF Forums

Intermediate Email Whitelisted "Before Arrival" & Then Blacklisted "On-Arrival" RSS Back to forum

1

Hello,

I'm running Exchange 2019 in Mailbox role with ORF 6.2.1. I receive mail primarily from direct connections to my exchange server and filtering seems to be working correctly. I also have a backup server to collect mail when the primary server is down. Spammers are sending mail to the backup mail server. It is then downloaded via a third party program on my local server and then transferred to exchange.

When that happens ORF logs show that the mail is whitelisted on "Before Arrival" because intermediate/intranet source, but then is blacklisted "On Arrival". It appears that ORF is pulling the IP address in the headers and blacklisting the mail. Sometimes this gets in a loop and goes back and forth between the third party program and exchange.

I don't recall this being an issue in the past and seem to recall there being a setting to scan a certain number of headers/IP addresses deep. However, I can't seem to find this setting any more. Did this change? Is there anything I can modify to prevent the email from being whitelisted "Before Arrival" and then blacklisted "On Arrival"?

Thanks in advance for any help.
Josh

by Josh 4 years ago
2

@Josh: Hello Josh,

At the "Before Arrival" filtering point, where the email header (and thus the delivery history) is not available yet, ORF uses the IP address of the connecting SMTP host for its IP-based tests. If that IP address is an internal one or listed on the System \ Intermediate Hosts List, then Before Arrival filtering is skipped with the message you saw in the logs.

At the "On Arrival" filtering point (after the email header and body is transmitted), ORF analyzes the content of the "Received:" header fields in order the determine the IP address of the the original sender. The analysis starts with the IP address found in the topmost "Received:" header (which represents the last delivery hop). ORF checks whether the IP address is listed on the Intermediate Host List and checks the next "Received:" header if it is. This continues until the first non-intermediate host IP is found - which will be used for the IP-based tests at the On Arrival filtering point.

The process above is hard-coded into ORF and cannot be altered in any way. Limiting the number of Received header checks was not possible in previous versions either.

The back-and-forth between the backup and primary mail server should not affect the outcome of the blacklists tests as long as the "Received:" headers remain intact and the original sender IP is preserved in the message header.

Note, however, that ORF itself cannot cause a delivery loop because it is not an SMTP-proxy (it has no built-in SMTP engine) but an extension for the underlying mail server. As such, it cannot directly communicate with other SMTP servers or send/receive emails.

I am guessing some of the mail flow rules or receive connectors must be misconfigured on one (or both) of the mail servers if they keep forwarding the same email to each other. In order to investigate this issue, you will have to analyze the Exchange message tracking / SMTP protocol logs:

Message Tracking:
https://docs.microsoft.com/en-us/exchange/mail-flow/transport-logs/search-message-tracking-logs?view=exchserver-2019

Protocol Logging:
https://docs.microsoft.com/en-us/exchange/mail-flow/connectors/configure-protocol-logging?view=exchserver-2019

Mail Flow Rules:
https://docs.microsoft.com/en-us/exchange/policy-and-compliance/mail-flow-rules/mail-flow-rules?view=exchserver-2019

by Daniel Novak (Vamsoft) 4 years ago
(in reply to this post)

3

@Daniel Novak (Vamsoft): Daniel,

Thank you for the information and I apologize for the late reply. I will take a look at the links you posted.

Thanks again!
Josh

by Josh 4 years ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2