Quite often, our emails bounce back from our customers because of failed SPF test results. One might suspect our SPF record is broken, but actually the problem is caused by misconfigured ORF installations on the recipient’s end in all cases (our SPF record is fine):
Let’s assume the recipient has a primary MX with ORF installed, and the SPF test enabled. Also, there is a secondary MX hosted by the recipient’s ISP, but the secondary MX is not added to the Intermediate Host List of ORF. The Intermediate Host List (as the name implies) is a list of intermediate hosts through which emails are relayed to the primary MX (and ORF) from external sources. The sender server sends the email to the secondary MX, which relays it to the primary MX, finally, the recipient receives it. ORF should be aware of such hosts, otherwise it will think the secondary MX sent the email directly. This may cause spam emails allowed in, as the DNS Blacklist test will be uneffective (as ORF checks the secondary MX IP against them instead of the actual sender IP). Moreover, if you have the SPF test enabled, it will check the secondary MX IP against the SPF policy of the sender. Of course, the secondary MX is not authorized to send any emails in the name of the sender domain, so the (otherwise legitimate) email will be blacklisted.
To avoid this problem, you should add all external relaying hosts (such as secondary MXs) to your Intermediate Host List, so ORF can “look behind” your secondary MX at the On Arrival filtering point by checking the email headers. For more information, please read the Intermediate Host List and Header Analysis topics of the ORF Help.
A lot of you guys asked about the configuration used during the test, so here it goes. We used a very basic, quite conservative configuration with the following test enabled:
Reverse DNS (Normal sender domain validation, PTR check was turned off – default setting)
HELO Blacklist (“Is malformed” and “is the same as the recipient domain” options on – default setting)
SPF (blacklist on SoftFail disabled – default setting)
DNS Blacklist (the recommended lists were enabled: SpamCop, Spamhaus ZEN, SORBS, NJABL)
URL Blacklist (the recommended lists were enabled: Spamhaus DBL*, SURBL: Combined, uribl.com)
That’s it. Like I said, it was pretty basic :) You can lower the chance for false positives even more by using the Auto Sender Whitelist test, but we could not use that during the VB testing, as no outgoing emails were involved.
If you do not see the above mentioned DNS and URL blacklists in your configuration, please read our best practices guide for detailed instructions on updating your blacklist definition sets. You will also find some useful tips & tricks on fine-tuning ORF and increasing the catch rate even further, so it is a must read for every ORF user. If any questions arise, feel free to contact us: we are happy to assist.
*The URL Blacklist definition of Spamhaus DBL is not included in any versions of ORF as of writing this (4.4 and older), but you can download it from our site and import it easily
Welcome to our new series, which intends to demonstrate various features of ORF. The first part (and video) will show you the reporting capabilities of ORF, which were introduced in version 3.0. The reporting feature is enabled by default, so you can start creating reports immediately.
Report Creation
Let’s start the ORF Reporting Tool. To create a new report, click on Create new report on the opening screen (or press Ctrl + N). ORF will ask you to set the time period which from you would like to create a report. You can either set a start and end date using a simple calendar, or select a preset. Finally, click Create. Yes, it’s that simple :)
Reviewing Reports
Reports show you how many emails ORF filtered, how many was allowed through, what are the most spammed recipient addresses, which are the most effective tests and filtering expressions in your setup, etc. By clicking on Navigation & Info in the upper left corner, a navigation pane will pop in, which can be used to skip to various sections of the report. If you have trouble interpreting any details, just click on the question mark icon for detailed explanation, which will be displayed in the left pane.
Printing and Saving Reports
The Reporting Tool supports printing either the entire report or a single section of it, and you can always save the report in RPT format for later review. RPT is the native format of the Reporting Tool: saving the report to other formats are not supported as of writing this, but you can work this around by using 3rd party tools (like the free PrimoPDF printer to “print” the report to a PDF file).
Notes & Troubleshooting
In order to create reports, you need the so-called PowerLogs to be enabled in the Administration Tool. These PowerLogs were designed specifically for the reporting feature: they store a lot more information about the email traffic than the regular text log files. PowerLogging is enabled by default, but if you have disabled it in the past, you should enable it: start the Administration Tool and expand Configuration / Global / Log and events in the left navigation tree. Click the Configuration button under PowerLogs and make sure “powerlogging” is enabled. When PowerLog is enabled, the ORF service will generate PowerLog files to the specified path with .opg extension. ORF pre-processes these PowerLogs in idle time creating files with identical file names, but with .ppr extension. The reports can be generated from the latter files. Once the pre-processing is complete, the .opg files are needed no longer, so you can configure the ORF service to delete them to save disk space. Also, please note that if you just enabled PowerLogs, you will need to wait at least a day until the first .ppr file is created in order to generate reports.
Summary
Reports can not only be used to amaze your boss and colleagues how effective ORF is, but they also provide useful information about your current configuration, which can be used to improve the filtering efficiency further. For example, the “Top spammed recipients” list is an excellent starting point for setting up your Honeypot address list.
Of the 20 vendors who signed up for the test, ORF ranked 4th overall during the one month testing period. During the course of the test, ORF blocked 99.13% of all incoming spam with a 0.00% false positive rating.
