Now that the beta of ORF 5.2 is just around the corner, we thought you’d appreciate a few words on what the new version covers. In this three-part series, we’ll look into some of the new features.
- Part 1: The Attachment Quarantine (this article)
- Part 2: Log Event Explanations from Email Notifications
- Part 3: Configuration Snapshots
What is the Attachment Quarantine?
One of the useful new features arriving with 5.2 is the Attachment Quarantine. The concept is simple enough: whenever an email attachment is blacklisted by the Attachment Blacklist of ORF, the original attachment is saved in the file system to a dedicated folder for administrator retrieval.
This ability to recover the original attachment can come in handy in a number of ways. For example, it lets you enforce stricter attachment rules. When you implement a policy to allow .ZIP and .DOC attachments only, you will still be able to manually recover that .PSD file the graphic designer sent to marketing 15 minutes before the print submission deadline and right before he went offline to catch his flight to The-person-you-have-called-is-not-available-land. Handy, right?
Quarantining normally happens on a per-attachment basis: only the attachments that ORF actually blacklisted are quarantined. However, when the whole email is dropped due to an attachment filter hit, all of its attachments are quarantined, so an accidentally blacklisted email can be recovered in full.
Another thing to know about this feature is that attachments may be quarantined under a different file name than the original one. In particular, a new file name is generated when:
- A file with the same name is already in the quarantine folder (think of “agreement.docx”).
- The file name would pose a security threat. Nothing stops Dr. Evil from sending an email with an attached file like “\Windows\explorer.exe” (a path component), “LPT1” (a reserved device name) or “file.txt:stream” (an NTFS alternate data stream), so ORF is a bit paranoid about path components, reserved characters and reserved file names.
Due to the above, you should always check the quarantined file name before starting the recovery. This file name can be found in the ORF logs, but you can also include it in the attachment replacement notices under Configuration / Blacklists / Attachment Filtering / Settings.
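To make the naming rules above concrete, here is an added example (not ORF's own code) of how a quarantine writer can derive a safe, unique file name from the declared attachment name. The “ (n)” suffix scheme, the “attachment.bin” fallback and the case-insensitive duplicate check are assumptions made for this illustration; ORF's actual renaming scheme is not documented on this page, which is exactly why you should read the stored name from the log or the replacement notice rather than guess it.

```python
"""Quarantine file naming: drop path components, neutralise reserved characters,
device names and alternate data stream suffixes, then avoid clobbering an existing
file. Illustrative example, not ORF's implementation."""

import os
import pathlib
import re
import tempfile

# Device names Windows reserves regardless of extension:
# "LPT1.txt" still resolves to the LPT1 device.
_RESERVED = {"CON", "PRN", "AUX", "NUL",
             *(f"COM{i}" for i in range(1, 10)),
             *(f"LPT{i}" for i in range(1, 10))}

# Characters illegal in NTFS file names. ':' is included because
# "file.txt:stream" would write an alternate data stream on "file.txt".
_ILLEGAL = re.compile(r'[<>:"/\\|?*\x00-\x1f]')


def sanitize_attachment_name(original: str, fallback: str = "attachment.bin") -> str:
    """Return a single, safe file name derived from the declared attachment name."""
    # 1. Keep only the last path component so "..\..\Windows\explorer.exe"
    #    cannot escape the quarantine folder (both separators are honoured).
    name = re.split(r"[\\/]", original)[-1]
    # 2. Replace reserved characters; this also turns the ADS colon into '_'.
    name = _ILLEGAL.sub("_", name)
    # 3. Windows silently strips trailing dots and spaces, which could map two
    #    different names onto one file or hide the real extension.
    name = name.rstrip(". ")
    # 4. Device names are reserved even when an extension follows them.
    if name.split(".", 1)[0].upper() in _RESERVED:
        name = "_" + name
    # 5. Anything that collapsed to nothing ("...", "\\") gets the fallback.
    return name or fallback


def unique_name(name: str, existing) -> str:
    """Append ' (n)' before the extension until the name is unused.

    NTFS is case-insensitive, so the comparison is done on lowercase names.
    """
    taken = {e.lower() for e in existing}
    if name.lower() not in taken:
        return name
    stem, ext = os.path.splitext(name)
    n = 2
    while f"{stem} ({n}){ext}".lower() in taken:
        n += 1
    return f"{stem} ({n}){ext}"


def quarantine_name(original: str, quarantine_dir: str) -> str:
    """Pick the name under which `original` would be stored in quarantine_dir."""
    return unique_name(sanitize_attachment_name(original), os.listdir(quarantine_dir))


if __name__ == "__main__":
    # Constructed sample names: the ones Dr. Evil might use, plus a duplicate.
    samples = [r"\Windows\explorer.exe", "LPT1", "file.txt:stream",
               "agreement.docx", "Agreement.docx", "...", "report.pdf   "]
    with tempfile.TemporaryDirectory() as qdir:
        for declared in samples:
            stored = quarantine_name(declared, qdir)
            pathlib.Path(qdir, stored).write_bytes(b"")  # placeholder content
            print(f"{declared!r:28} -> {stored!r}")
```

Run it and compare the right-hand column with what you would have typed by hand: “LPT1” becomes “_LPT1”, the ADS suffix is folded into the name, and the second “agreement.docx” lands as “agreement (2).docx”, which is the kind of surprise the log line saves you from.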
Once turned on, the quarantine can run unattended, thanks to the automatic retention control that deletes files after 30 days by default. And when I say “files”, I mean “any files older than 30 days”, not just the ones ORF put there, so be sure to use a dedicated directory for the quarantine. While you’re at it, it is probably a good idea to exclude this folder from real-time antivirus scanning as well, because some of those quarantined files will inevitably be viruses. If you’re not into compiling a nice library of viruses, that’s OK as well, just be aware that anti-virus software may remove quarantined files or cause warnings in ORF about files that cannot be written to the quarantine. Since the folder is meant for administrator retrieval and holds live malware, restrict its NTFS permissions to the ORF service account and administrators so nobody else can open what lands there.
There’s more to ORF 5.2 than just this feature, stay tuned for our next article in the series.
Hi Peter,
Do you have the full quarantine (all blocked emails, not just blocked attachments) scheduled on your release roadmap yet?
Hi Stuart,
That feature is something we always give serious thought to when planning future versions. It probably has more design drafts and supporting research than any other ORF feature. However, it is also a good candidate to be called the ‘most poorly understood’ feature request. Quarantines are for many things, e.g. recovering email without administrator assistance, letting end-users manage their own whitelist/blacklist, spam retention control, etc., and we have very little information on the relative importance of these goals — all we have is many votes and basically no word on what specific features are expected from the quarantine. It can easily happen that a web-based quarantine is not the best way to address those needs.
The next step regarding the quarantine is to collect more information to identify the proper scope of the project. It’s been on my to-do list for a while now, so I hope we can start that in the coming weeks. We will probably distribute a survey among ORF clients to better understand the needs.
I’d like to see attachment whitelisting: whitelisted senders have their attachments blocked just like unknown senders, i.e. the “UPS Delivery Notice Scam” that often makes it through ORF.
@lhuff:
You can actually do that with ORF under Filtering / Tests: click “Configure” in the Whitelist Test Exceptions box and clear the checkbox for the Attachment Filtering Test. The default is to make an exception with the Attachment Filtering test, but it can be changed. Find more about this design at http://vamsoft.com/support/docs/orf-help/5.2/adm-whitelisttestexceptions .
Personally, I don’t understand why the request is not accurately understood. We have several threads on it in the support forums, of which http://vamsoft.com/support/feature-requests/quarantine-web-based- is one of the most prominent. Also, this is a feature in almost every other product of the same type, so there should be a basic understanding of what is involved.
There is blatant spam, which no one disputes. There is also probable spam, which, depending on filters or mistakes in someone’s configuration (yours or the sender’s), could run afoul of the spam filter but not be egregious. There should be a way to route messages which pass the spam threshold (but not the blatant spam threshold) into a quarantine.
While an end-user specific quarantine is nice, that could come in a phase 2. Phase one is just an optional quarantine where all mail flagged as spam (or all mail that crosses some spam threshold) is dropped off so that it could be reviewed within some admin definable period (typically 14-30 days).
This way, someone misconfiguring their sending server and messing up their SPF record, or their DNS records, or temporarily getting onto a SPAM block list, will not cause their mail to be rejected by an ORF user.
This is the base functionality, that if we had in place, many people would be very happy.
Regards,
-ASB: http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations, Information Security) for SMB organizations
I think there may be more to that, because administrator-accessible quarantine can already be achieved easily with ORF: just configure it to redirect spam to a dedicated, administrator-only mailbox, apply a retention policy in Exchange and a lot of trouble is saved — you can manage the quarantine from Outlook and OWA, right under your fingertips, without having to worry about authentication, authorization, intranet/internet access, IE lockdown, etc.
What you have described probably matches this request better: http://vamsoft.com/support/feature-requests/per-test-actions — that is, to enable setting a different action per test (or with a finer granularity). A less crude approach would be using scoring (implied by ‘spam threshold’). The technologies used by ORF are a poor candidate for this, because we don’t really know what score Test X and User-Defined Keyword Filter Y should receive and deferring the responsibility to define scores to the administrator would not help matters. Scoring works best with technologies that output a probability of spam, i.e. the probability itself is the score.
What I was proposing in my previous comment is that Vamsoft should engage in discussions like this to better understand what the problem is and ship the best solution to that problem.
But we want it via the web — just like where (almost) everyone else has it. The whole point of using a 3rd party antispam solution is to keep that stuff away from Exchange and not burden Exchange with any of it. I could even do it more easily by tagging spam messages and letting outlook handle it directly.
But that’s not why people implement quarantines, and that’s not what I expect many of the requesters would want in a web-based quarantine.
I can understand and appreciate that, Peter, but my contention still stands that the basic functionality being requested is pretty clear — clear enough that many of your competitors offer it without substantial variance at the basic level. Not to mention what has been discussed in the other threads on this topic.
In any event, I’ll welcome more dialog if it means getting the feature sooner.
-ASB: http://XeeMe.com/AndrewBaker
Thank you. A web-based quarantine might indeed be the best answer to the challenges our clients face, and in that case a web-based quarantine is what we will ship. I’ve already scheduled initial work regarding this for the week.