Block Spam with Exchange 2003 Intelligent Message Filter

by Daniel Petri - January 7, 2009

How can I configure Exchange 2003 to block unsolicited commercial e-mail (spam) with Intelligent Message Filter?

Advertisement



Microsoft Exchange Intelligent Message Filter is a product developed by Microsoft to help companies reduce the amount of unsolicited commercial e-mail (UCE), or spam, received by users.

Intelligent Message Filter is based on Microsoft SmartScreen Technology from Microsoft Research. By using e-mail characteristics tracked by SmartScreen technology, Intelligent Message Filter can help determine whether each incoming e-mail message is likely to be spam. Based on this likelihood, you can choose to block e-mail messages at the gateway or at the mailbox store.

How it works?

When an external user sends e-mail messages to an Exchange server with Intelligent Message Filter installed, IMF evaluates the textual content of the messages and assigns the message a rating based on the probability that the message is UCE or spam. All incoming messages are marked with a Spam Confidence Level SCL rating, regardless of the rating threshold you set. This rating is saved with the other message properties and these properties are sent with the message to other Exchange servers.

In Gateway Blocking Configuration, select the rating in Block messages with an SCL rating greater than or equal to above which Intelligent Message Filter takes action on this message.

If a message has a rating higher than the gateway threshold, IMF takes the action specified. If the message has a rating below the gateway threshold, the message is sent to the Exchange mailbox store of the recipient. At the Exchange mailbox store, if the message has a higher rating than the mailbox store threshold, the mailbox store delivers the message to the user's Junk E-mail folder rather than to the Inbox.

Intelligent Message Filter does not need to be installed on Exchange mailbox servers. If Intelligent Message Filter is installed and enabled on the gateway SMTP virtual servers, Exchange mailbox servers receive the SCL rating with each incoming Internet message and take the appropriate action.

Note: The Intelligent Message Filter is not supported in a clustered environment. Therefore, Intelligent Message Filter updates are not offered to Exchange Server 2003 servers in a clustered environment.

System Requirements: Supports Windows 2000 Service Pack 3, Windows 2000 Service Pack 4, and Windows Server 2003. Requires Exchange Server 2003.

Exchange Server 2003 SP2 Update Note: IMF is now an integral part of Exchange Service Pack 2 (SP2). You can learn how to configure it on SP2 by reading Configure Intelligent Message Filter in Exchange 2003 SP2.

Read more about IMF in the Related Articles section below.

Installing IMF (without Exchange 2003 SP2)

If you still do not have Exchange 2003 SP2 (and why don't you?) you can d/l the IMF standalone tool from the link above and manually install it. Service Pack 2 users do not need to manually perform these steps.

After downloading IMF you can now install it on your machine.

  1. Double-click the ExchangeIMF.msi file. In the Welcome screen click Next.

  1. Accept the License Agreement, and in the  screen, select to install both the Management Tools for IMF and the IMF Functionality.

  1. Watch as the installation process completes, click Finish at the end of it. There is no need to reboot.

Note: After installation, the FTP Publishing service is not restarted. Intelligent Message Filter installation stops the IIS Admin service. The following services are restarted after installation has completed.

  • Simple Mail Transfer Protocol service (smtpsvc)
  • Network News Transfer Protocol service (nntpsvc)
  • Microsoft Exchange Post Office Protocol version 3 service (pop3svc)
  • Microsoft Exchange Routing Engine Service (resvc)
  • Microsoft Exchange Internet Message Access Protocol Service (imap4svc)

The FTP Publishing service is not restarted. You must restart in manually.

Installing IMF (with Exchange 2003 SP2)

After downloading Exchange Server 2003 SP2 you can now install it on your machine.

Read the Installing Intelligent Message Filter with Exchange 2003 SP2 page for more info.

Once you've installed SP2, do not install IMF v1 again!

Configuring IMF

Configuring Intelligent Message Filter involves two settings:

Gateway Blocking Configuration - In Gateway Blocking Configuration, you establish a threshold based on a spam confidence level (SCL) rating above which the gateway server takes action on the message. You also define the type of action you want the gateway to take.

Store Junk E-mail Configuration - In Store Junk E-mail Configuration, you define the thresholds based on an SCL rating that Microsoft Exchange 2003 mailbox stores use to determine whether to deliver messages to a user's Inbox or Junk E-mail folder.

In order to configure IMF follow these steps:

  1. Open the Exchange System Manager snap-in (ESM).
  2. Expand your Organization object, expand Global Settings. Right-click Message Delivery and choose Properties.

  1. Notice there is a new tab named "Intelligent Message Filtering". Click on it.
  2. In the Gateway Blocking Configuration section enter the number you chose, based upon your own preferences. I use 7, but you may want to experiment with lower or higher numbers. Selecting a lower number for the SCL rating filters more messages, but also increases the likelihood of false positives, which are legitimate messages that appear to be UCE. Selecting a higher number for the SCL rating filters fewer messages, but also reduces the likelihood of false positives. Advertisement

  3. Now choose the action to perform when blocking messages. You can select Archive

  1. In the Store Junk E-mail Configuration select your desired threshold. I use 5. but again, you may want to experiment with lower or higher numbers.
  2. Click Ok.

After you configure Intelligent Message Filter, you must enable this filter on all inbound gateway SMTP virtual servers.

Exchange 2003 Service Pack 2 Note: IMF is installed as an integral part of SP2. Because of that, the IMF settings that need to be configured under the SMTP Virtual Server are no longer a subfolder node of the SMTP Virtual server (as displayed in these screenshots), but are part of the SMTP Virtual Server IP address advanced configuration. Please read Configure Intelligent Message Filter in Exchange 2003 SP2 for more details.

For SP1 follow these steps:

  1. Expand the Administrative Group folder, then expand the Servers folder, then expand each server that will be configured with IMF.
  2. Expand the server object and click to expand the Protocols folder. Expand the SMTP folder.

  1. Right-click Intelligent Message Filtering and choose Properties.
  2. In the General tab click to select the check-box the SMTP virtual server.

  1. Click Ok.

After the configuration of IMF

Make sure you monitor your Junk Mail folder. Test your e-mail software (it does not necessarily have to be Outlook) and make sure you don't have too many false positives. If you do, or if you see that legitimate e-mail is deleted or treated as junk you can always go back to the IMF configuration screen and lower your SCL rating. In order to view the SCL rating and understand how it works read the Display SCL Level in Outlook 2003, Display SCL Level in OWA 2003 SP2, Archiving the SCL Rating in Intelligent Message Filter and View Intelligent Message Filter Archive articles.

If you're running Exchange 2003 SP2 you can (and should) read the Updating Intelligent Message Filter in Exchange Server 2003 SP2 page.

Important issues and limitations of IMF

Here is a listing of important issues and limitations of IMF, things that you should consider before deploying IMF:

  • The Intelligent Message Filter can only be installed on Exchange 2003.
  • IMF is a heuristic text search engine, based upon simple text search. Skilled spammers have already found many tricks around this simple filtering method, thus making IMF obsolete even before it came out on the market.
  • Updating IMF is a task that needs to be done regularly, yet currently, there is no apparent way to do it. Even if IMF works well for you in the beginning, it may not work as well a few months later, when major spammers find their way around it.
  • IMF does not offer any granularity necessary for treating groups of users differently at the server level. Settings on the server side are the same for everybody.
  • Although generally a good idea, IMF may in fact cause greater administrative effort than before. E-mail with higher SCL threshold will be either thrown away or archived before the client ever sees it, meaning that the administrator will have to search the central archive for false positives, rather than just leaving that task to the users.
  • The features of IMF are fully available only for users of Outlook 2003 or Outlook Web Access, and although limited functionality is available with other versions of Outlook, companies that use other third party solutions will probably be disappointed by it's lack of features.
  • No performance figures are yet to be published by Microsoft. We still need to see how IMF affects your server performance.
  • IMF is not supported on Exchange 2003 clusters.

Related articles

You might also want to read the following related articles:

Links

Exchange Intelligent Message Filter

Microsoft Exchange Intelligent Message Filter Deployment Guide (2.2mb)

Microsoft Exchange Intelligent Message Filter Readme

Advertisement



Join The Petri Insider - Weekly IT Tutorial and Tips, Whitepaper and Webinars