Using Microsoft Exchange Intelligent Message Filter

Published on 16 June 2004 / Last Updated on 16 June 2004

Microsoft has finally released the new Exchange Intelligent Message Filter (IMF), a SmartScreen-based Exchange 2003 add-on developed specifically to help Exchange admins reduce the amount of unsolicited commercial e-mail (UCE), also known as spam, received by their users.

As many might know, Microsoft’s original intention was to make the IMF add-on available to SA customers only, but fortunately they changed plans just before the add-on was released and decided instead to make it available for anyone to download from their website.

IMF should be installed on your organization's Exchange Gateway Servers (the servers that accept Internet e-mail messages and forward them to the appropriate mailbox server) or on the Exchange bridgehead servers behind potential non-Microsoft e-mail servers. Smaller organizations (without an Exchange Gateway Server) will typically install IMF directly on the Exchange mailbox server itself.

Note:
Be aware the IMF add-on can only be installed on Exchange 2003 Standard or Enterprise Servers, so if your organization still uses Exchange 2000, you must upgrade to Exchange 2003 in order to deploy IMF. Also bear in mind IMF isn’t supported on Exchange 2003 Cluster Servers.

IMF is based on a patented machine learning technology originally developed by Microsoft Research. The technology behind IMF is SmartScreen-based, which means the add-on is able to distinguish between legitimate e-mail messages and unsolicited commercial e-mail or other spam. SmartScreen tracks over 500,000 e-mail characteristics based on data from hundreds of thousands of MSN Hotmail subscribers who volunteered to classify millions of e-mail messages as legitimate or as spam.

As many might know, Outlook 2003’s Junk E-mail filter is also based on the SmartScreen technology, and to make the most of IMF it’s recommended to use Outlook 2003 on your clients. If your clients run Outlook 2002 or earlier, don’t worry: in that case you can set the filtering rules via Outlook Web Access (OWA) 2003 instead.

When IMF is installed, a new tab is added to the System Manager: the Intelligent Message Filter tab, which can be found by opening the Properties of Message Delivery under Global Settings (see figure 3). In addition, a new Intelligent Message Filtering node is added under Protocols > SMTP, see figures 1 and 2 (this is where you enable IMF).


Figure 1


Figure 2

IMF also adds several interesting performance counters, which can be found by clicking Start > Administrative Tools > Performance > Add Counters then selecting MSExchange Intelligent Message Filter.

Note:
IMF can even be monitored through Microsoft Operations Manager (MOM) using a special IMF Management Pack, which can be downloaded here.

When an external user sends an e-mail message to an Exchange Server with IMF installed, IMF evaluates the textual content of the message and assigns it a rating (from 1-9) based on the probability that the message is UCE. This rating is stored as a message property called the Spam Confidence Level (SCL) rating. The SCL rating is then compared to the threshold set under Message Delivery Properties > Intelligent Message Filter in System Manager, see figure 3.


Figure 3

As you can see in figure 3, two thresholds can be set: a gateway threshold, which triggers a specified action (you can select between Archive, Delete, No action and Reject), and a mailbox store threshold, which delivers a message rated as spam to the respective user’s Junk E-mail folder instead of the Inbox.

Exposing the SCL rating of delivered Messages

You might wonder how you can see the SCL rating of a message that hasn’t been filtered at the gateway level. The answer is that you can expose the SCL rating of any message even though it hasn’t been filtered; this can be accomplished either through the Outlook MAPI client or through Outlook Web Access (OWA) 2003. To see what SCL rating is stamped on a particular mail, see the two links below over at the Microsoft Exchange Team Blog:

Exposing SCL (Spam Confidence Level) in Outlook:
http://blogs.msdn.com/exchange/archive/2004/05/26/142607.aspx

Exposing the Spam Confidence Level (SCL) in OWA:
http://blogs.msdn.com/exchange/archive/2004/05/27/143297.aspx

Note:
If you see a message assigned an SCL rating of "-1", it means it's an authenticated message (typically an internally generated message).

IMF Manager Utility

If you have configured IMF to archive all messages with an SCL rating higher than what you have specified, the messages are placed in the Program files\exchsrvr\mailroot\vsi 1\UceArchive folder. Depending on the SCL rating you specified, the number of mail-enabled users in your Exchange messaging environment and so on, this folder will fill up pretty quickly (see figure 4).


Figure 4

Checking the messages (.EML files) using either Notepad or Outlook Express will therefore quickly become quite an administrative burden. But fear not! James Webster (a Software Test Engineer on the Exchange Transport team) created a neat little utility to ease management of the filtered messages. It’s called Intelligent Message Filter Archive Manager (IMFAM) and is a C# GUI tool released as shared source on GotDotNet; you can grab a copy here.

With IMFAM you can delete messages, resubmit them (by moving them to the Pickup folder), copy message content to the clipboard and last but not least report potential spam to a Real-time Blocklist provider. You can also see the SCL rating of a selected message (though this needs to be enabled through the registry first, see page 25 of the IMF Deployment guide for specific instructions), see figure 5.

A detailed explanation of IMFAM is out of the scope of this article, but remember to visit the home of the utility on a relatively frequent basis.

Note:
Some might find the GUI of IMFAM a little clumsy, but the cool thing about the utility is it’s a “work in progress”.


Figure 5
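
The following Python script is an added example, not code from this article or from IMFAM. It reads archived .EML messages, tallies their SCL ratings and lists the lowest-rated ones first so they can be checked as possible false positives. The `X-SCL` header name and the sample messages are assumptions constructed for illustration, and the rating is only present once it has been enabled through the registry as mentioned above.

```python
import email
from collections import Counter
from email import policy
from pathlib import Path

SCL_HEADER = "X-SCL"  # assumption: header that carries the archived SCL rating

# Constructed sample messages standing in for .EML files in the archive folder.
SAMPLES = [
    "From: promo@bulk.example\r\nSubject: Cheap meds\r\nX-SCL: 9\r\n\r\nBuy now\r\n",
    "From: news@vendor.example\r\nSubject: June newsletter\r\nX-SCL: 6\r\n\r\nHello\r\n",
    "From: deals@bulk.example\r\nSubject: You won\r\nX-SCL: 8\r\n\r\nClaim it\r\n",
    "From: partner@supplier.example\r\nSubject: Invoice 1042\r\n\r\nNo rating\r\n",
]

def read_scl(raw):
    """Return (scl, sender, subject); scl is None when missing or malformed."""
    msg = email.message_from_string(raw, policy=policy.default)
    try:
        scl = int(str(msg.get(SCL_HEADER, "")).strip())
    except ValueError:
        scl = None
    if scl is not None and not -1 <= scl <= 9:
        scl = None  # not a plausible rating, treat the message as unrated
    return scl, str(msg.get("From", "")), str(msg.get("Subject", ""))

def load_archive(folder):
    """Read every .eml/.EML file in an archive folder as text."""
    files = sorted(p for p in Path(folder).iterdir() if p.suffix.lower() == ".eml")
    return [p.read_text(errors="replace") for p in files]

def rating_histogram(raw_messages):
    """Count archived messages per SCL rating; unrated ones are keyed as None."""
    return Counter(read_scl(raw)[0] for raw in raw_messages)

def review_queue(raw_messages, max_scl):
    """Lowest-rated archived messages first: the likeliest false positives."""
    rated = [r for r in map(read_scl, raw_messages) if r[0] is not None]
    return sorted(r for r in rated if r[0] <= max_scl)

if __name__ == "__main__":
    # On a real server, pass load_archive(<path to the UceArchive folder>) instead.
    ratings = rating_histogram(SAMPLES)
    for scl, count in sorted(ratings.items(), key=lambda kv: str(kv[0])):
        print(f"SCL {scl}: {count} message(s)")
    for scl, sender, subject in review_queue(SAMPLES, max_scl=6):
        print(f"review: SCL {scl} from {sender}: {subject}")
```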

Conclusion

As many are already aware, the native spam-filtering features in Exchange 2003 are all too basic for most organizations. There’s no question IMF improves Exchange’s ability to catch spam, but you shouldn’t rely solely on IMF. You should rather consider IMF an extra layer in your organization's existing antispam solution. IMF simply can’t live up to third-party solutions such as GFI’s MailEssentials and Symantec Antispam for SMTP. Products such as these have even started to implement the same SCL rating system that IMF is based on; this is possible because of the new Ex2003 API (for example, see the What's new in MailEssentials 10 page). And while we’re at it, remember to check out the AntiSpam section here on MSExchange.org; it contains tons of nice antispam information.

We have only scratched the surface of IMF. To get detailed information about the add-on, you should head over and read the IMF Deployment Guide, which you will find under the relevant reading section at the end of the article.

Note for SBS and other POP Users:
The POP3 connector on SBS2003 uses CDO through the pickup folder for delivery and therefore it misses the "End of Data" event sink used by IMF. Therefore messages delivered through the POP3 connector won’t be scanned by IMF.

Known IMF Bug:

When changing the SCL Rating thresholds under Message Delivery Properties > Intelligent Message Filter in the System Manager you should, at the time of this writing, remember to restart the Exchange Information Store, otherwise chances are you will see some pretty odd filtering results.

Another problem you may experience is that after you install and configure Microsoft Exchange Intelligent Message Filter on your Microsoft Exchange Server 2003 computer, e-mail messages that contain a computer virus or a worm program are not permanently deleted. Instead, these e-mail messages remain in the SMTP local delivery queue in Exchange 2003 until they time out. Microsoft has released a hotfix to resolve this problem; to download it, visit MS KB article 883522 - E-mail messages that contain a virus remain in the SMTP local delivery queue after you configure Intelligent Message Filter in Exchange Server 2003.

That was all for this time, see you soon…

Relevant reading

Microsoft Exchange Server: Exchange Server Intelligent Message Filter Overview:
http://www.microsoft.com/exchange/downloads/2003/imf/imf_wp.asp

Microsoft Exchange Intelligent Message Filter Deployment Guide:
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/imfdeploy.mspx 

Intelligent Message Filter- ReadMe:
http://download.microsoft.com/download/2/2/C/22CCB3FB-CE5F-4E23-810B-1A4AC5540C97/IntelligentMessageFilterReadmeMay2004.htm

885152 - TechNet Support WebCast: Intelligent Message Filter in Microsoft Exchange Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;885152

IMF Archive Manager: Home:
http://www.gotdotnet.com/Community/Workspaces/workspace.aspx?id=e8728572-3a4e-425a-9b26-a3fda0d06fee

Spam Confidence Level Explained:
http://msdn.microsoft.com/library/en-us/e2k3/e2k3/ast_spam_confidence_level.asp?frame=true
