SBS 2003 and Intelligent Mail Filtering (IMF).
[Today’s post comes to us courtesy Milind Bhavsar]
IMF helps reducing the UCE (unsolicited commercial e-mail) or in general terms SPAM. Version 2 for IMF gets installed with Exchange 2003 Sp2. Intelligent Message Filter learned distinguishing characteristics of legitimate e-mail messages and unsolicited commercial e-mail (UCE). This learning is based on e-mail messages submitted by Microsoft partners and classified as either legitimate messages or UCE.
With SBS we have the Single server which is a gateway server and mailbox server both. When external sender send message IMF evaluates the textual content of the Message and accordingly gives a SCL rating to the message on the probability that the message is UCE. SCL (spam confidence level) is stored with the message property for the further action.
IMF basically works on the two thresholds which are Gateway server threshold and mailbox server threshold. Gateway threshold is for the gateway server and mailbox threshold is on the recipient Mailbox server. In case of SBS both are on the same server.
Following flow chart explain how this works;
With IMF if you are using SMTP Session filters (e.g. Sender, recipient and connection filters) all of these apply before the message reaches the IMF. These can be used in conjunctions with client’s outlook where you can create safe sender and block list which will override the Mailbox Server threshold settings and action.
How to create Intelligent Message Filter
To define IMF V2, you should have Exchange Service pack 2 installed.
1) Go to Exchange System manager -> Global Setting -> Message Delivery -> Intelligent Message filtering
2) Gateway blocking Configuration – here you specify the gateway threshold and the action associated with it. Default threshold is 8 and action is “No Action”
3) You can set the threshold according to you environment, less the number you specify more the emails will get in to the filter
4) When blocking messages – we have to configure the action’s to be performed.
a) No Action – This means rating are saved with the message but no action taken and the message forwarded to Store Junk E-mail Configuration.
b) Archive – This saves the message in archive folder default location Exchsrvr\Mailroot\vsi n\UCEArchive
(This is the idle setting because if you set threshold to small value there are more chances of messages getting marked as UCE and which increases a chance of having legitimate email’s marked as UCE. With archiving the messages will not be deleted and there are tool with which you can browse through the archive messages and put them again in the pickup folder to be delivered to the recipients more info on https://msexchangeteam.com/archive/2004/05/26/142366.aspx)
c) Reject – Message is rejected and sender SMTP server is responsible for generating the NDR in this case
d) Delete – Message is deleted
5) Store Junk E-mail Configuration – in this configuration you specify the mailbox server threshold
It is having just one action of putting the mail in Junk folder or Inbox.
Once you are done with defining the message filter you need to enable the same on the SMTP virtual server on which you want to apply IMF.
1) Go to ESM -> Servers -> Servername->Protocols ->SMTP-> Default SMTP Virtual Server -> properties->Advance->Edit->Select Apply Intelligent Message Filter
How to update IMF
It is very critical to update the .dat and .dll files associated with the filter to keep it working efficiently. These updates have the latest definition of filters and spam definitions. On the basis these definitions SCL ratings are set on the messages. IMF is not set by default for automatically downloading the update which gets pushed twice in a month. You have to create the ContentFilterState registry key
Steps
1) Expand HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange
2) Create New DWORD value “ContentFilterState” with value 1
3) Restart the SMTP service
IMF update are stored in MSCFV2 folder. Default location
Drive_Letter:\Program Files\Exchsvr\Bin\MSCFV2
IMF updates are stored in different subfolders under MSCFV2 folder which are named according to their version number. At any given point of time you will not see more that three folders one for the current version in use and two for previous versions of update.
To know the version in use you can check the following registry key.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange Server 2003\SP3