Change Log

A new test in ORF that can help to detect and stop Directory Harvest Attacks (DHAs).

Allows setting up honeypot (spamtrap) addresses and ban senders that attempt to send to these addresses.

ORF can now reinitialize with the new configuration without restarting the ORF Service, so you can enjoy uninterrupted email filtering.

The Remote Control feature which allows sending IP and email addresses from the ORF Log Viewer to various ORF lists has been improved. It no longer requires a running ORF Administration Tool, more target lists are supported and multiple items can be sent at once.

The SPF Test was added to the Whitelist Test Exceptions (disabled by default) so now you can validate the authenticity of the sender email address before the Auto Sender Whitelist or Sender Whitelist would run. This prevents forged emails from getting whitelisted.

The live statistics of ORF was redesigned to include a stopwatch functionality and got a few new counters.

For specific (user-configurable) domains, blacklisting on SPF Neutral result is now available.

Allows skipping the Greylisting test if the SPF Test says the sender is explicitly authorized to send in the name of a domain (enabled by default).

This new subtest of the Reverse DNS Test checks if the sending IP has reverse name (DNS PTR record). Blacklisting the resolved host names is also supported.

A new On Arrival-only test for whitelisting emails with specific keywords or patterns in the email body, subject or header.

Another On Arrival-only test, for blacklisting emails written in specific languages/scripts.

Version 4.2 now supports the Windows Server 2008 platform, when running with Microsoft® Exchange 2007. Note that the IIS SMTP-only mode is not supported on this platform, Exchange 2007 is required.

Allows excluding specific senders from the SPF test by the sender email address or the source IP address.

This feature can be used to quickly un-whitelist accidentally whitelisted senders, without editing the Auto Sender Whitelist database.

Allows automatic deletion of the ORF Text Log files after a user-defined number of days. This feature is disabled by default.

When this option is enabled, the SMTP HELO/EHLO argument domain is added to the ORF logs as a separate column, helping the creation of HELO Blacklist expressions. This feature is disabled by default.

ORF 4.1 now can be installed on Exchange 2007 Servers (Edge Transport or Hub Transport).

The Keyword Filtering feature was extended with the ability to filter for keywords in the email header.

ORF logged a warning message and did not filter emails that arrived with a blank HELO/EHLO domain argument.

Tarpit Delay was not triggered (irrespectively of the mode it was switched to) at the Before Arrival filtering point in case the Recipient Validation Test was excluded from the whitelists' scope (Whitelist Test Exceptions).

This new test takes over the role of the Active Directory test and allows you to validate recipients using the Active Directory and two new sources: SQL databases and text files.

The Log Viewer now supports viewing user-selected log files in addition to the automatic log file loading.

The ORF SMTP Module was leaking a specific amount of memory on every email that reached the On Arrival filtering point. The potential impacts of the leak were IIS crashes and out of memory errors. This bug primarly affected servers with very high email load.

Valid recipients did not get the email when all of the following conditions were satisfied at once:

The "Time" filter could not be set higher than 12:59:59 (after(...date/time), before(...date/time), between(...date/time) modes). Events that occurred after 12:59:59 could not be filtered by the "Time" filter.

Under Windows 2003 Server, the Log Viewer returned a "List index out of bounds" error when an IP filter with either CIDR notation (e.g. 1.2.3.0/24) or text range notation (e.g. 1.2.3.4-1.2.3.255) was applied to the "Related IP address" field.

Valid recipients did not get the email when all of the following conditions were satisfied at once:

Previously saved Log Viewer email subject filtering expressions could have changed unexpectedly when modified.

Previously saved filter in the Log Viewer could not be deleted if the view was switched to "All" mode.

A bug in the ORF SMTP Module caused the SMTP Module status displayed for one or more of the SMTP Virtual Server as "not loaded/inactive" when multiple SMTP Virtual Servers were present, even when the SMTP Module was loaded and active.

The ORF Administration Tool IP list (IP Blacklist, IP Whitelist) CSV format exports were broken in version 4.0 and thus could not be imported. Exporting/importing in TXT format and importing from earlier version CSV exports worked, however.

Whitelisted recipients did not get the email when all of the following conditions were satisfied at once:

When External Agents whitelist test exceptions were enabled and there were enabled External Agents with both Anti-Virus and Spam Filter role, agents with Spam Filter role were not ran by ORF.

The new version can tag and redirect the email at the same time at the On Arrival filtering point.

This feature allows some blacklist tests to take precedence over whitelists (Attachment Filtering, External Agents, Active Directory Integration and the Recipient Blacklist), which provides better email security.

Allows using Microsoft® SQL Server® databases for storing the Auto Sender Whitelist and Greylisting data.

The subject of the incoming email is now logged at the On Arrival filtering point.

ORF 4.0 can be used on 64-bit Windows Server editions.

This new feature prevents automatic responses (e.g. Out of Office autoresponses) from polluting your Auto Sender Whitelist.

Now Greylisting can be configured to accept delivery re-attempts from the same /24 network block. This reduces the email delay from senders with a pool of outgoing email servers.

This feature periodically checks for a new ORF version and tells you if there is any available.

The filtering feature of the ORF Log Viewer was completely redesigned to allow creating more flexible filters. The Search functionality is no longer column-specific (free text search).

In the new version, IP network definitions can be entered in various formats, including text range and CIDR notation.

ORF 4.0 preprocesses the PowerLog files about 75 times faster than the previous 3.0 version.

A bug in ORF caused the ORF PowerLog file under preprocessing to be deleted on the specific conditions (affected versions: 3.0 and 3.0.1).

ORF applied the tarpit delay on any non-whitelisted email on specific conditions (affected versions: 3.0 and 3.0.1).

A bug in ORF prevented persisting the changes made to the enabled state of the External Agent exit codes (affected versions: 2.1, 3.0 and 3.0.1).

Valid recipients did not get the email when all of the following conditions were satisfied at once:

This bugfix was released for 3.0 and 3.0.1 versions only.

When the Active Directory Test was in Synchronization Mode, version 3.0 failed to recognize that the address list was unavailable after a failed synchronization and rejected non-whitelisted emails.

This version introduces ORF Reporting Tool, which allows generating printable graphical reports about ORF's filtering activity. The Reporting Tool relies on a new log device called ORF PowerLogs.

The new version supports using the Sender Policy Framework (SPF), which is an email authentication protocol for recognizing email address forgery. As most of the spam arrives with forged sender address, SPF can do a great job in reducing spam.

Allows attaching various external software, such as anti-virus or anti-spam products to ORF. Depending on the agents used, it can boost ORF's spam filtering performance significantly or act as another layer of defense against viruses. You can download agent definitions for a few software from our website or define your own.

A new feature which helps to detect poorly written spammer software and malicious content based on the HELO/EHLO domain.

This version is shipped with an updated version of the database engine used by ORF. The update fixes the problems which may lead to corruption of the Greylisting or the Automatic Sender Whitelist databases. The symptoms of the database corruption were occasional database error messages logged by ORF and, in rare cases, 100% processor use for a long period (more than a minute) on a large number of outgoing emails (e.g. newsletters).

A bug in ORF caused the IP Whitelist to be ignored at the Before Arrival filtering point when the ORF log was in "Short Log Messages" mode.

We improved the performance of the Automatic Sender Whitelist performance, the new version processes outgoing email significantly faster and uses less resources than the previous version.

A bug in the ORF SMTP Module resulted in a small memory leak on each rejected email. The potential impacts of the bug were IIS crashes and out of memory errors. This bug primarly affected servers with very high email load.

SURBL's are very similar to DNS blacklist, except that they list domain names instead of spam IP sources. ORF 2.0 can collect links to "spamvertized" sites from the scanned email and check the linked domains in the SURBL's.

Anti-spam feature based on temporary rejection of emails from unknown senders. While greylisting provides outstanding spam stop rate, it causes about 15 minutes delay of emails from unknown senders as well. Moreover, it works at the Before Arrival filtering point only.

A self-learning whitelist which monitors your outgoing emails and builds a sender email address whitelist from the recipients of the outgoing emails. In other words, the recipients of the emails that you send become whitelisted senders.

Delays your server's response to blacklisted mails. Can be used to slow down/stop Directory Harvest Attacks or to fight back to spammers.

There were license agreement changes, the installer and the documentation was updated accordingly. This version does not add any new features compared to ORF 1.5.1.

The new AD integration mode allows validating the recipient "live", without extracting all addresses from the Active Directory (synchronization). The Live Mode is more resource-friendly and faster than the previous Synchronization mode when working with large directories. The performance of the Synchronization mode (pre-1.5.1 AD integration) was also improved.

A bug in the ORF 1.5 SMTP Module resulted in a 20-byte memory leak per email at the On Arrival filtering point. This has caused out of memory errors in ORF and IIS crashes. This bug has been fixed by version 1.5.1.

Previous ORF versions filtered the emails before email arrival. Now with 1.5 you can filter emails on arrival, which allows delivery path analysis, keyword and attachment filtering, etc.

Using the attachment filter you can drop emails with malicious attachments or replace the attachments with a customisable warning text. Both the keyword and the attachment filtering support using Perl-compatible regular expressions, which makes the filtering extremely flexible. Both features are Unicode-aware.

Emails blacklisted at the On Arrival filtering point can be dropped, redirected or tagged (header or subject).

ORF is now shipped with a built-in log viewer which allows easy browsing, searching and filtering the logs.

The default DNS blacklist definition set (blacklists.xml) has been updated.

The new list allows you to invalidate specific IP addresses returned by the RDNS A record test. This feature has been built into ORF to keep the RDNS test usable after .com/.net gTLD manager Verisign added a global A record wildcard to the .com/.net zones. The wildcard IP address is added to the list by default.
The DNS A record which resolves to any of the IP addresses listed on this list will be treated as non-existent record in the Reverse DNS test.

Using the new exception list, you can exclude specific email addresses or domains from the Active Directory-based recipient filtering. This comes handy if you provide filtered mail services for domains that are not listed in your directory.

User authentication may be required for the AD integration if ORF is running on a computer which is not a member of the domain. ORF now supports specifying a user name and password for LDAP authentication.

For easier tracking of authenticated sessions, version 1.3 logs the authenticated user name with the whitelist event message.

You could not start the syslog daemon on the syslog UDP port while ORF was running, if you had ORF syslogd logging enabled. This was caused by an unclosed socket has which allocated the syslog UDP port so the syslog daemon was unable to start listening to syslog messages. This issue occurred only when both ORF and the syslog daemon was running on the same computer.

Due to a software bug you could not disable the statistics report sender feature, statistics were sent regardless your settings. This bug has been fixed in version 1.2.1.

Until version 1.2, you had to manually stop and restart Exchange services during an ORF update. The new Update Setup shipped with ORF version 1.2 can automatically stop and restart the Exchange services and transfer your previous ORF settings to the updated version.

Unlike other mail servers, Exchange 2000 does not reject mails coming to mailboxes that does not exist. Exchange 2000 accepts the mail for delivery and bounces the email later if the recipient mailbox is unavailable. Spam is often sent with fake sender email address that does not exist to recipients that are no longer valid, which results in tons of NDR's filling up the mail queue.
Using the ORF's Active Directory integration you can reject all mails that are addressed to mailboxes that are no longer (or never been) valid and accept mails only to mailboxes that exists in the Active Directory.

IronPort Systems Inc's Bonded Sender™ Program provides a public DNS whitelist, which is now supported by ORF 1.2.
More information about this program is available at http://www.bondedsender.com.

Do you find it confusing to select the best DNS blacklists? Now ORF can automatically send your ORF statistics anonymously to our server in email. The server collects these statistics and displays DNS blacklist popularity and statistics on our website.

The new version supports commenting IP/sender/recipient whitelist and blacklist items which makes managing and exchanging these lists easier.

Using regular expressions you can create complex email address masks. ORF 1.2 supports the Perl-compatible regular expressions (PCRE, for more information, please see http://www.pcre.org). This feature is available for the sender whitelist, sender blacklist, recipient whitelist and recipient blacklists.

Version 1.2 extends logging capabilities with Windows Event Log and BSD syslog support.

Authenticated SMTP connections are now recognized and automatically whitelisted by the new version.

ORF did not log the sender email address when a recipient blacklist hit occurred and the log was configured to produce short log messages.

ORF failed to save the cumulative statistics to the statistics storage file (orfestat.dat) on system reboot or shutdown. Consequently, statistics generated since last ORF Enterprise Service startup got lost.

The reverse DNS test with "MX or A/CNAME" test mode did not test A/CNAME records due to a software bug. This bug caused the software to work as the reverse DNS test running with "MX" (strict check) mode and to provide wrong information to the remote SMTP server on the reason for the block.

Reverse DNS statistics were displayed incorrectly. The "Tests" value was equal to the "Blocks" value.

This feature makes writing log parsers easier.

In version 1.1, you can define multiple (fail-over) DNS servers with priorities.

Using the new cumulative statistics feature you can view the statistics of ORF since the installation not just since the last start up. You can also take a snapshot of the current run-time statistics and export the snapshot to various file formats (including CSV, which can be imported by Microsoft® Excel®). The statistics are resetable.

The 1.0 version reverse DNS test was very strict. Version 1.1 offers you a more lenient check. This helps in reducing the number of legitimate mails blocked.

Exporting and importing address lists (IP, sender, recipient whitelists and blacklists) is now available. Multiple text formats supported, including CSV which can be imported by Microsoft® Excel®.

ORFEE 1.1 can block mail with broken sender domain information (i.e. sender domain is not a fully qualified domain name - FQDN).

You can configure ORF to reject mail temporarily when it cannot be tested due to DNS errors. Using this option you can avoid accepting mail when the filtering is not available due to unavailable DNS data.

The reverse DNS test did not handle some specially formatted sender addresses correctly such as formats "mailbox@[1.2.3.4]", "mailbox@1.2.3.4". This syntax is allowed by RFC standards, but used rarely on the Internet. ORF did not recognize that the sender domain is actually an IPv4 address and blocked the mail (because it failed on RDNS test).

Mail blocked due to being listed on the sender blacklist were not logged by ORF Enterprise.

If your display was set to Large Fonts mode, you have experienced that some controls in the ORF Administration Tool were not visible on the screen.