Posted on June 23rd, 2009 by Peter | Permalink
We are recruiting new members to the ORF Feature Test Program. Visit the program page to learn more.
We are recruiting new members to the ORF Feature Test Program. Visit the program page to learn more.
In case you have missed the news: ORF 4.3 was released yesterday with a many improvements like DHA Protection or a new Honeypot Test. The complete list of changes is available in the ORF Change Log.
It should be noted that ORF 4.3 is an intermediate release, we spent the majority of development time with things that will be available in ORF 5 only, but I really cannot tell more at the moment-however, I am sure you will like ORF 5 more than any ORF release before.
The second ORF 4.3 Beta release is now available. It fixes all known bugs with 4.3 Beta R1. Get the new beta from
I just came across this post on the official Exchange team blog (not exactly fresh content, but I have a _huge_ backlog in my RSS reader) and I am happy to report that Microsoft has fixed the Event ID 9667 problem we blogged about earlier. The fix is available in Exchange 2007 SP1 Update Rollup 8.
Sadly, this does not help Exchange 2003 admins and I guess we cannot expect a similar fix for Exchange 2003 - its mainstream support has retired on April 19, 2009. Time to upgrade!
Now that the first beta of ORF 4.3 is coming really soon with Honeypot support, we have published an article about, well, publishing your honeypot email addresses. If you plan to use the new feature, you can start the preparations right now, it will take time for spammers to find your baits.
By the way, do not ever try to send to any of the following addresses: do not, write here. Unless you are an email address harvesting robot with intention to spam us occassionally, of course. Thanks!
The first beta of Exchange Server 2010 became available a week ago and so we had a chance to test it with ORF 4.2.
The bad news: they are not compatible. The good news: they will be. Luckily, there are only a few changes in the 2010 Beta release that affect ORF, so once we found these changes and modified ORF 4.3, the initial tests ran successfully.
One reason why ORF 4.2 will not work is Exchange detection. We find local Exchange 2007 installations by checking various registry keys and these were changed in Exchange 2010 (actually, as the keys are versioned, it was expected). For instance, what was under HKLM\SOFTWARE\Microsoft\Exchange\v8.0 in Exchange 2007 is now under HKLM\SOFTWARE\Microsoft\ExchangeServer\v14\.
The other show-stopper is the name change of Exchange management PowerShell assembly - this was called Microsoft.Exchange.Management.PowerShell.Admin in Exchange 2007, now it is called Microsoft.Exchange.Management.PowerShell.E2010. Due to the name change, the ORF installer cannot install/uninstall the ORF Transport Agents or query their status.
We have updated the default DNS Blacklist definitions in ORF. Compared to version 4.2, the following changes have been made:
To get the new complete definition file, download blacklists-090416.xml. To get just the new blacklists, import blacklists-new-090416.xml. Please read the description of the new lists before enabling them.
Your feedback on the new lists are welcome.
If you are using OpenDNS and get DNS timeouts for the uribl.com Blacklist (UB-BLACK), that is because the administrators of URIBL decided to reject DNS requests from OpenDNS. The reason is that OpenDNS servers are alone responsible for 50 million DNS requests per day on the public mirrors of uribl.com. We recommend that you use your own DNS servers for ORF or if you are doing lookups in large volume (in case of uribl.com, 300.000 requests per day), set up a data feed. Alternatively, you can try getting OpenDNS to set up a data feed themselves.
Using your ISP DNS servers as DNS forwarders could also trigger a similar response from DNSBL/SURBL operators, because your lookups and everyone else’s on your ISP’s network add up.
For large volume lookups, please consider that the vast majority DNS blacklists and SURBLs are non-profit and run on donated hardware and bandwidth. Before using these, make sure to check their fair use policy and set up a data feed if necessary.
The Conficker worm is widely regarded as the worst since SQLSlammer. It’s latest C variant will activate on April 1st, 2009, generate 50,000 domain names using an algorithm and pull its payload from one of these domains.
Estimations for the number of infected PCs range 9 to 15 million, which probably makes it the largest botnet ever, not even the Storm or the Kraken botnet come close in numbers.
My guess is it means more spam from tomorrow. A large botnet like this one can send several billions of spam a day, so getting the V1agr@ ads to your mailbox will be cheaper than ever.
I am sure you have already checked your network for infected PCs, now make sure that Spamhaus ZEN is enabled in ORF (will blacklist emails from botnet dial-up lines) and you have SURBLs on (will catch spam payload).
We just launched a new community feature of vamsoft.com, the Feature Requests section. This is a community-powered feature request tracker that allows browsing, voting and submitting ORF feature requests.
In the tracker, you have 10 votes and it is up to you how you distribute your votes - let’s say you really want us to implement “Configuration Synchronization“, so you cast 6 of your votes on it and only 1 vote to “SCL Scoring“, because you consider it as just a nice-to-have feature. Of course, when “Configuration Synchronization” gets implemented, you get your 6 votes back (and anyway, you can change your mind anytime).
Visit the Feature Requests section at http://www.vamsoft.com/features
We are collecting feature requests since Day 1 and have recorded more than 150+ so far, but only the top requests were added to the tracker. This is intentional: what you might have needed two years ago may no longer what you want now. In any case, please feel free to submit your request via the tracker and convince others to vote.
Happy voting!