OK. NO TCO OR ROI HERE. WE LIED.
Posted on January 24th, 2012 by Krisztian
We have received several reports about an increased false positive rate in ORF installations. After a brief investigation, it seems the legitimate emails were all blocked by the uribl.com URL Blacklist with the following log message:
Blacklisted by the UB-BLACK SURBL (domain:”example.com”, DNS lookup result: 127.0.0.1)
By default, the uribl.com definition in ORF is configured to consider any response from the queried server as a hit, but actually, the 127.0.0.1 response indicates that uribl.com does not accept any queries from the DNS server.
After investigating this further, it seems the affected ORF users all use Google public DNS servers for the queries (or use such servers as forwarders in their local DNS configuration). Uribl.com is known to simply ignore queries initiated by DNS servers exceeding their query limit, but all of a sudden they have started to return 127.0.0.1 instead.
In other words, these queried domains found in incoming emails are not listed in uribl.com, but if you use Google public DNS servers, ORF thinks they are.
Quick fix
- Start the Administration Tool
- Navigate to the Configuration / Filtering – On Arrival / URL Blacklists page using the navigation tree on the left
- Double-click uribl.com Blacklist
- Click the Lookup results tab, uncheck the Blacklist if DNS record exists (regardless record data) option
- Click New
- Add 127.0.0.2, click OK, then OK again
- Save your configuration to apply the changes by pressing Ctrl + S
This will ensure uribl.com will block the email only if it returns a response explicitly indicating a hit (127.0.0.2). We will also change this in the default definition file shipped with future ORF versions.
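The difference between the old default and the quick fix, as an added example (not ORF's own code). The zone name `black.uribl.com`, the function names and the sample answers are assumptions made for the illustration; only the return codes 127.0.0.1 and 127.0.0.2 come from the post.

```python
import ipaddress

# Assumptions: the zone name and all function names are illustrative.
# The two return codes are the ones discussed in the post.
URIBL_ZONE = "black.uribl.com"
REFUSED = ipaddress.ip_address("127.0.0.1")    # resolver is blocked: not a listing
LISTED = {ipaddress.ip_address("127.0.0.2")}   # explicit hit


def legacy_verdict(answers):
    """Old default: any A record at all counts as a hit."""
    return "listed" if answers else "not_listed"


def strict_verdict(answers):
    """Only an explicitly configured return code counts as a hit."""
    if not answers:                      # NXDOMAIN or empty answer
        return "not_listed"
    try:
        addrs = {ipaddress.ip_address(a) for a in answers}
    except ValueError:
        return "error"                   # unparsable answer is never a hit
    if REFUSED in addrs:
        return "refused"                 # the list is not answering this resolver
    if addrs & LISTED:
        return "listed"
    return "unknown"                     # unexpected code: do not block on it


def check_domain(domain, resolve, verdict=strict_verdict):
    """resolve(name) returns a list of A-record strings, [] if the name is absent."""
    return verdict(resolve(f"{domain}.{URIBL_ZONE}"))


# Constructed sample data standing in for DNS answers, so the example runs offline.
SAMPLE_ANSWERS = {
    "example.com.black.uribl.com": ["127.0.0.1"],       # over-limit resolver
    "listed.example.black.uribl.com": ["127.0.0.2"],    # genuine listing
}


def fake_resolve(name):
    return SAMPLE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for d in ("example.com", "listed.example", "clean.example"):
        print(d, check_domain(d, fake_resolve, legacy_verdict),
              check_domain(d, fake_resolve))
```

A "refused" verdict is worth logging as a warning of its own: it means the blacklist is effectively switched off for that resolver until the DNS setup is corrected.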
To avoid such problems in the future, make sure your local DNS server queries the root servers directly. The DNS servers configured in ORF should/must meet the following requirements:
They must support recursion
Recursion means the DNS server returns the query result in a single step instead of redirecting ORF to the root DNS servers. This feature is enabled by default in Microsoft® DNS servers.
They should be on the local network or on the ORF computer
Using ISP DNS servers and third-party DNS resolution services (such as OpenDNS or Google Public DNS) is discouraged: you have no control over the configuration of such third-party DNS servers, and these are usually banned by free DNS and URL Blacklist lookup services (i.e., they will not respond to the queries or return false data).
They should not use forwarders
Forwarders usually work with a large cache, which is usually no problem in simple name resolution, but will cause inaccurate (outdated) query results to be returned when checking online DNS and URL blacklists, causing degraded filtering performance. Also, using public DNS servers as forwarders may cause unexpected issues (see above).
They should not be the DNS server that is authoritative for your own domain (and supports your Active Directory)
Occasionally, ORF may need to query the records of your own domain (e.g., for the SPF test). The authoritative DNS server may not see your public MX or A/CNAME record if your internal AD domain name is the same as your public domain name (e.g., domain.com, instead of domain.local or domain.internal), resulting in false positives.
Posted on September 29th, 2011 by Krisztian
We have started to receive reports about weird error messages in the ORF logs, like the one below:
Unexpected SPF Test error. EAssertionFailed “Invalid network IP for the CIDR test. (C:\projects\ORF\Source\ORFEnterprise\CoreService\tests\spf\SPFCommon_un.pas, line 145)”.
Though the message seems quite disturbing, the explanation will surely calm your nerves: it simply indicates the SPF record included an invalid ip4 mechanism with a CIDR network range notation, therefore the range could not be interpreted by the SPF evaluation of ORF and the SPF test was skipped.
We will fix this in future versions, so ORF will return a more informative message in such cases.
Actually, we have not had reports about this issue in the past (despite the fact that the core SPF evaluation changed little over the past six years since its implementation), but now Microsoft changed one of their SPF policies and accidentally added an invalid dot-decimal notation (111.221.26.08/29 in the SPF policy of _spf-ssg-c.microsoft.com, which is included in policies of various Microsoft domains). The trailing .08 part is invalid; it should be simply zero or eight. Unfortunately, this causes all emails from Microsoft domains (or emails spoofing any of these domains) to trigger the above-mentioned error.
They will hopefully fix this soon and the policy will “wear off” in DNS caches as well, so the errors will also go away. In the meantime, you should simply ignore them, though some spoofed emails from Microsoft may leak through due to their faulty SPF record.
Update (October 5, 2011): Microsoft have fixed the SPF policy.
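A strict check for `ip4` mechanisms that reports the offending term instead of failing an assertion, as an added example (not ORF's SPF code). The function names and the sample record are assumptions; only 111.221.26.08/29 comes from the post, and reporting the problem as `permerror` follows RFC 7208's handling of syntax errors rather than anything ORF is stated to do.

```python
import re

# qnum per the RFC 7208 ABNF: 0-255 written without leading zeros.
QNUM = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)"
IP4_RE = re.compile(rf"({QNUM})\.({QNUM})\.({QNUM})\.({QNUM})(?:/(0|[1-9]\d?))?")


def parse_ip4(term):
    """Return (network_as_int, prefix_len) for an 'ip4:' term, or None if malformed."""
    m = IP4_RE.fullmatch(term.partition(":")[2])
    if m is None:
        return None
    prefix = 32 if m.group(5) is None else int(m.group(5))
    if prefix > 32:
        return None
    addr = 0
    for octet in m.groups()[:4]:
        addr = (addr << 8) | int(octet)
    return addr, prefix


def lint_spf(record):
    """Return (valid_networks, malformed_terms) for the ip4 mechanisms in a record."""
    valid, malformed = [], []
    for term in record.split()[1:]:              # skip the "v=spf1" version tag
        bare = term.lstrip("+-~?")               # drop an optional qualifier
        if not bare.lower().startswith("ip4:"):
            continue
        parsed = parse_ip4(bare)
        if parsed is None:
            malformed.append(term)
        else:
            valid.append(parsed)
    return valid, malformed


def describe(record):
    """Turn the lint result into the kind of message an admin can act on."""
    _, malformed = lint_spf(record)
    if malformed:
        return "permerror: malformed ip4 mechanism(s): " + ", ".join(malformed)
    return "ok"


# Constructed record: only 111.221.26.08/29 comes from the post, the rest is sample data.
SAMPLE_RECORD = "v=spf1 ip4:111.221.26.08/29 ip4:192.0.2.0/24 ~all"

if __name__ == "__main__":
    print(describe(SAMPLE_RECORD))
```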
Posted on April 19th, 2011 by Peter
It is a question that comes up frequently at our Tech Support – OK, the email was blacklisted by the Sender Blacklist, but which item triggered the blacklisting exactly?
The upcoming ORF release will offer three handy improvements to help answer these questions.
Predecessors of ORF 5 already support entering optional comments with IP, email, keyword, etc. expressions and these are logged on a hit. This can help identify the expression in question. Due to a technical constraint, however, these comments were logged as “(Unicode comment cannot be displayed)” if they contained any characters outside the 7-bit ASCII table, which is pretty much the Latin alphabet and numbers only. We overcame this constraint in ORF 5 and now the logged comments are fully Unicode-compliant. Whether you speak Russian or Danish, you can use your national alphabet without limitation.
Expression comments are sadly omitted in many cases, though, and ORF has nothing to log. Nothing is lost either; we have two features for these cases.
The first one is very simple: one-click sortable lists. Remember the Sort button next to the lists in ORF 4? It is gone. It really should not have been there in the first place. Bad, bad Sort button. Lists ought to get sorted by one click in the header, because that is the maximum effort to be exerted to make order and find things.
The second one is a bit more exciting: the Test button that took over the place of the Sort button (which is, again, gone, forever) for every major list. Say you want to figure out which Sender Blacklist expression blacklisted emails from my-bosses-best-friend@example.com (ouch!), but the log did not reveal any further information. Just click Test, enter my-bosses-best-friend@example.com and you will get a live, editable list of expressions matching that address. Like *@example.com. Turns out it was not the best.idea.ever, but hey, now you can fix it.
Stay tuned, we are coming back with more next week.
Posted on April 13th, 2011 by asudy
One of the biggest changes on the website coming with ORF 5 will be the introduction of a brand new Client Portal which will replace the Customers Area currently used on our website. The online services will add a number of features and integrate others. Some features are a direct result of changes in the licensing while others are usability improvements to improve your ORF experience. Here is a quick summary of 2 key features:
Managing multiple companies
First some technical background. After the launch of ORF 5, customer accounts will be disassembled into individual user accounts and company accounts. This will allow role based management of company accounts and management of multiple company accounts by a single user. In order to facilitate this, users managing multiple company accounts will be able to select which company they want to work with within the Client Portal.

In the screenshot above, you can see the website header which will be the basis for navigating through your companies wherever you are on the website. Clicking the “Change” button (2) will show a dialog where all manageable companies are listed with some key information in order to make identification easier. From there it's just a click of a button to make the selection the active company on the Client Portal.
License Management
A separate licenses page will give an overview of the licenses handled by your company. The list is ordered by date and the individual license details can be opened and closed using a simple chevron mechanic. An overview of the licenses can also be found on the My Company: Overview page to give you a quick glance at the status of your licenses. If one or more of the licenses are within the renewal period, you can renew your license from here with one click of a button.
This concludes the quick sneak-peek at some of the features of the Client Portal. Stay tuned for more next week.
Posted on April 4th, 2011 by Peter
In this sixth article of our ORF 5 series, we look into two minor improvements the new ORF release will offer.

Noticed that blue thing below the menu? That is the brand new and shiny toolbar, implemented in all three administrative tools of ORF.
True to the role of toolbars, this one brings the most frequently used actions right under your fingertips (1). The dropdown design also acts as a secondary shortcut menu, making the tools more discoverable and faster to use (2).
You will find the connection information here (3) which helps identify which ORF installation you are currently working with.
The toolbar also hosts another new feature, the Notifications button (see screenshots below).


Basically, this is the entry point of ORF’s new asynchronous notifications system. This is meant to eliminate situations when you get interrupted by randomly popping up dialogs like “Hey there’s a new version available!”, “You really should do something about these waiting items!” or “Look, I can create dialog boxes out of nowhere HAHAHA isn’t it great?”. There are many background operations in ORF, from checking for updates, to querying the status of the Transport Agents. All these operations may require your attention occasionally, but from ORF 5, they are all neatly lined up here.
Posted on March 31st, 2011 by asudy
As you have probably noticed, ORF 5 gets a pretty intensive facelift along with the numerous usability improvements. This design philosophy will also be visible on the ORF website. Let’s look at one of these in detail.
Knowledge Base
Experienced ORF users will be familiar with the FAQ found on our website. As the name suggests, we tried to collect and categorize frequent problems that ORF users faced and gave suggestions on how to work the problem.

In ORF 5, FAQ will be replaced by a Knowledge Base section that will provide a more user friendly and intuitive interface to find the required content. The KB will be a searchable source of information on all of the topics covered by the FAQ as well as brand new articles. As you can see in the first screenshot, navigating through the knowledge base will be based around the search function.
The search box will have all the functions of advanced search including partial matches and wildcards. Within the results of the search, the keywords will be highlighted to show the context of the words. Clicking on a topic title will take you to the full article. Navigating back to the search results will take you back to the search result list with the keywords still highlighted. This will allow you to look through the search results without having to repeat the search.
Ratings and Comments
One of the coolest features of the new KB is the ability for you to rate each article in the Knowledge Base on the basis of relevance and conciseness.
When giving a rating of 4 stars or less (5 is the maximum), you will be able to write a short comment on the article to give us feedback on how we could improve the text. The whole process takes a few seconds while it provides us with excellent information on how we can tailor the article to your needs.
The Knowledge Base function is only one of many interactive features in the new ORF website that will help with the communication between our users (you) and us. We will be showcasing more of these in future blog articles so stay tuned.
Posted on March 22nd, 2011 by Peter
The next cool feature of ORF 5 we are about to show falls into the category where the new version offers the most: overall experience improvements.
The Log Event View already exists in previous versions – this is the dialog you get when you double-click an event in the Log Viewer. In ORF 5, it underwent a major renovation:



I guess it is a fine example of how a picture is worth a thousand words. Now let’s see what’s new in there besides the aesthetic improvements.
1) Grouping and Highlighting: Every logged event has 16 fields. Each one carries useful information, but you rarely need all of them, so we grouped the fields and hid many lesser used fields to reduce the information load. The Email Subject and the Event Message columns are now highlighted.
2) Event Summary: Each event gets a one-sentence automatically generated summary. This will primarily benefit those new to ORF, but could provide everyone a quick overview of the event and its significance.
3) Remote Control Integration: Now you can send IP and email addresses to the ORF configuration from this dialog.
4) Integrated Log Knowledge Base: This is the coolest new stuff in here. No idea what a log message means? What are its implications? What action to take? Click the Explain button to look the event up online and get a knowledge base article specifically crafted for the logged event.
We expect this to become a major self-help option, because in a huge number of technical support cases the administrator finds the log message, but is not sure what to do with it. Say, you run into a DNS timeout or SERVFAIL warning event. Many questions arise: how do I fix this? Does it have to be fixed at all? Does this mean the Vogon fleet is about to blow up Earth? Or is it the Klingons? Goa’ulds? Is the l33t Jeff Goldblum really our only hope? These are particularly complex questions that a short log message cannot volunteer to explain, but using this feature we will deliver the latest information right there where you need it.

Stay with us, next week we will look into another new feature.
Posted on March 15th, 2011 by Peter
We are updating the Out-Of-Office email subject samples for ORF 5 and collected more samples from more languages.
If you speak any of the languages displayed below and you can verify the credibility of the samples, it would be appreciated if you can comment on this blog entry. Also, if you have anything to add, please let us know.
Croatian: Odsutan:
Czech: Mimo kancelář
Danish: Automatisk svar ved fravær
Danish/Norwegian (alternative version): Ikke til stede
Dutch: Niet aanwezig:
English (alternative version #1): Automatic reply from:
English (alternative version #2): Out of office
Finnish: Olen lomalla
French (alternative version): Absence du bureau
German (alternative version): Abwesend:
Italian: Risposta automatica Fuori sede
Latvian: Ārpus biroja
Icelandic: Fjarverandi:
Polish (alternative version): Poza biurem
Portuguese (alternative version): Ausência Temporária
Slovenian: Odsoten:
Spanish: Fuera de la oficina
Swedish: Frånvaro, autosvar
Posted on March 7th, 2011 by Peter
Configuration Synchronization is an enterprise service in ORF 5 which helps organizations to reduce the administrative overhead of maintaining multiple ORF servers. This feature allows appointing a central settings repository server (“Publisher”) and takes care of distributing the setting changes to the rest of the servers (“Subscribers”).
The audience of this feature are organizations who maintain multiple ORF installations, e.g.
- Companies with two or more ORF servers on their network (e.g. one on the primary MX, another on the secondary MX)
- IT shops who manage the ORF installations of their clients centrally.

Back to the technical details, subscriber servers periodically check the publisher server for configuration changes. When a change is encountered, subscribers download the publisher configuration and reinitialize with the latest settings.
The entire process utilizes the same communication foundation as introduced in our previous Remote Access article. Thanks to this, administrators can grant Config Sync-only access to the subscriber clients.
In addition to the full configuration synchronization, ORF 5 also allows overriding certain settings from the publisher. This is called “localization” in ORF – when you “localize” something, the local settings of the subscriber will take effect, overriding the publisher settings.
ORF 5 has two localization scopes: Path Localization and Feature Localization.
Path Localizations are for overriding file system path settings, e.g. the path to the log files. This comes in handy if the publisher and the subscriber servers are almost identical, having the same role and location within the network, but the file system paths are different.
Feature Localizations allow overriding entire features, like the Intermediate Host List or the Sender Whitelist (a “feature” is something that has its own page in the ORF Administration Tool). This allows a versatile range of localizations, e.g. a different Intermediate Host List for a different location within the network.
As for fault tolerance questions, subscribers can operate with the last known configuration indefinitely if the publisher is not available for any reason (at least one successful initial sync is required, though).
Questions? Comments? Let us know.
Posted on February 22nd, 2011 by Peter
A minor bugfix update to the Vamsoft Backscatter Protection Agent is now available. The update fixes a problem that causes the agent to report an error when processing emails with certain character encodings. It is recommended to install the update if you get error reports from this agent.