Become a Columnist Microsoft Exchange Site Microsoft Support SiteMSDN Exchange Site

   

Subscribe to OutlookExchange
What's New
Columnist
Anderson Patricio
Ann Mc Donough
Bob Spurzem
Brian Veal
Catherine Creary
Cherry Beado
Colin Janssen
Collins Timothy Mutesaria
Drew Nicholson
Fred Volking
Glen Scales
Goran Husman
Guy Thomas
Henrik Walther
Jason Sherry
Jayme Bowers
John Young
Joyce Tang
Justin Braun
Konstantin Zheludev
Kristina Waters
Kuang Zhang
Mahmoud Magdy
Martin Tuip
Michael Dong
Michele Deo
Mitch Tulloch
Nicolas Blank
Pavel Nagaev
Ragnar Harper
Ricardo Silva
Richard Wakeman
Russ Iuliano
Santhosh Hanumanthappa
Steve Bryant
Steve Craig
Todd Walker
Tracey J. Rosenblath
Development
More Resources
Software
Other Links
 
   

Tuning Exchange 2003 IMF with IMF Tune
Page 1 | Page 2 | Page 3

Tuning IMF with IMF Tune

Starting with Exchange 2003 Microsoft provided an add-on to assist in the filtering of spam called the Intelligent Message Filter (IMF).  IMF was initially an optional download that could be installed on Exchange 2003.  IMF was later included with SP2 for Exchange 2003 and continued to provide a basic spam filtering solution for free.  For the most part IMF is a “black box” with only three options.  In Exchange System Manager (ESM) you can set a gateway threshold, gateway action and Junk E-mail folder threshold, see Figure I. These settings control the level of filtering on all incoming mail, and if a message is above a threshold if it should be rejected, deleted, archived, or transmitted.  If the mail isn’t blocked at the gateway, or incoming mail server, it can then be placed in the Junk E-mail folder in individual mailboxes, if the SCL level is below the gateway threshold and above or equal to the Junk E-mail one.  IMF uses a rating called the Spam Confidence Level (SCL) for all messaged.  The higher the SCL #, from 0-9, the better chance the message is spam.  So the gateway settings should be set higher than the Junk E-mail folder to block as much spam from getting to user’s mailboxes without the lowest chance of false positives.  The Junk E-mail setting is then used to move the rest of the possible spam messages to the user’s Junk E-mail folder so they can easily find, review, delete, or move them.  The problem with IMF is that you have very little control over what messages are or aren’t block.  You can only set the threshold levels and then leave it up to the IMF to decide what to block.  The filters and logic used by IMF is controlled by Microsoft.  The filters are normally updated the first and third Wednesday of the month and are pretty effective, but you have no control over them.  IMF has no support for whitelisting, blacklisting, keyword management, spam message rerouting, detailed logging, and other areas of fine tuning that most organizations need when it comes to spam filtering.

Figure I - Standard IMF Settings

This article will cover a 3rd party product by WinDeveloper.com called IMF Tune.  For more information on Microsoft’s IMF see Microsoft’s IMF Operations Guide.  The goal of IMF Tune was to address the many short comings with IMF when it comes to the fine tuning of the filtering processes.  IMF is a quick and simple install and starts at $138 for a small business edition, limited to 30 mailboxes and one server, and $298 per server for an unlimited “enterprise” edition.  This provides a VERY viable spam filtering solution for a fraction of the cost of other 3rd party filtering solutions.  All messages are still processed by Microsoft IMF and assigned a SCL then IMF Tune evaluates the messages and adjusts the SCL level and blocks or allows the message to continue to user’s mailboxes, see Figure II.

IMF Tune Plan

Figure II - How IMF Tune Works

The only change that needs to be made to Exchange is to change the Exchange IMF gateway setting “When blocking messages” to “No Action.”  This allows all messages, even ones that Microsoft IMF would have blocked to be processed by IMF Tune.  The Junk E-mail folder setting is still used by Exchange, or actually Outlook, to determine if a message should be move to a user’s Junk E-mail folder instead of their Inbox.  Once these settings are set in Exchange IMF Tune can then be used to adjust the logic that is used in the identification of spam.

Using IMF Tune you do all of the following:

  • Create a whitelist of messages that should always be delivered based on IP, sender, recipients, and keywords in the various message fields.
  • Create a blacklist of messages that should always be blocked, based on the same settings as above.
  • Create a mapping of keywords to SCL levels.  This allows for incrementing, decrementing, or settings the SCL level on a message based the same criteria used for whitelisting and blacklisting.  For example, if a message contains a key customer name you could have the SCL set to “whitelisted” to make sure those messages are always delivered.  Similarly, if a message contains the work “Viagra” you could have the SCL level increased by 4, so if Exchange IMF assigned it a SCL level of 3 IMF Tune would then change the SCL to 7.  This is a VERY powerful feature of IMF Tune and allows organizations to get very granular with the identification process of spam messages.
  •  Changing of message headers and\or subjects to include the SCL level.  This allows SCL information to be used by other systems, message filtering programs, and by end users to easily sort messages by the SCL level.
  • Optionally auto-reply to filtered e-mail messages just in-case of a false positive.
  • Optionally strip attachments.
  • Log all filtering and non-filtering actions in detail.
 

Tuning Exchange 2003 IMF with IMF Tune
Page 1 | Page 2 | Page 3

Disclaimer: Your use of the information contained in these pages is at your sole risk. All information on these pages is provided "as is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Stephen Bryant or Pro Exchange. OutlookExchange.Com, Stephen Bryant and Pro Exchange shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.

Copyright Stephen Bryant 2008