How do Exchange IMF and Antigen Advanced Spam Manager work together?

This article explains how Exchange Intelligent Message Filtering (IMF) and Antigen Advanced Spam Manager (ASM) work together, and specifically how SCL ratings are assigned.

IMF Options

Blocking spam with the IMF is a two-stage process. The filter scans the mail and gives each message a Spam Confidence Level rating from zero to nine, with zero meaning “not spam” and the SCL rating increasing based on the “spaminess” of a message. This SCL rating is then used to determine how the mail is handled. Mail can be handled at two points:

• At the Gateway – messages can be rejected or archived (quarantined) at the entry point, based on the SCL rating. This mail is not seen by the end user.

• In the message store – messages are routed to the Outlook 2003 Junk E-Mail folder based on the SCL rating.

The following would be a typical scenario:

• Gateway set to archive all mail with an SCL rating of 7 or higher.

• Message store set to send all mail with an SCL rating between 4 and 6 to the Junk E-Mail folder.

• All remaining mail (SCL from 0 to 3) is delivered as usual to the Inbox.

The specific SCL ratings can be changed as the mail administrator sees fit. In addition, the gateway can be set to “Take No Action,” meaning all mail over the message store threshold will go to the Junk E-Mail folder.

Advanced Spam Manager (ASM) Options

The SpamCure engine does not provide a range of SCL ratings. Because it uses highly accurate specific signatures, rather than a calculation that yields results within a range, it uses a yes/no mechanism. Mail detected as spam is given an SCL rating of 9. Mail not detected as spam is set to 0. ASM also provides various ways to handle mail, such as quarantining, subject line stamping and so forth. But for this illustration, we will assume use of the Outlook 2003 Junk E-Mail folder.

Running IMF and ASM Together

When IMF and ASM are installed on the same gateway, the IMF engine will scan messages first. As part of this scan, an SCL rating is applied to each mail. It then gets passed to ASM, which also scans the message. The way the SCL is designed, a higher rating always takes precedence over a lower rating, so ASM will never lower a score provided by IMF. This means that decisions made by IMF remain valid, even if the SpamCure engine misjudges a spam and rates it a zero.

Let’s put together a typical scenario to better understand how the parts all play together. For our illustration, we will play the role of email administrator and make the following settings:

• The IMF Gateway option is set to reject all messages that receive an 8 or 9 SCL rating. These are very high spam content ratings and there is only a slim chance of a false positive receiving a rating as high as 8 or 9.

• The message store is set to put all mail with SCL ratings between 5 and 7 into the Junk E-Mail folder.

• All messages with SCL from 0 to 4 go to the Inbox.

• Advanced Spam Manager is configured to use SCL ratings on all mail it detects as spam.

We can now easily trace the sequence of events as mail enters our dual spam net environment.

1. As mail enters, it is scanned by IMF, the first net. All mail that receives an SCL rating of 8 or 9 is rejected. All remaining mail receives an SCL rating from 0 to 7.

2. Mail is passed to ASM. It makes spam decisions that are completely independent of those made by the IMF. The following events can happen.

a) Mail is determined to be spam by ASM. The SCL rating is set to 9. Mail is caught in the second net.

b) Mail that IMF determined was not spam (0-4) is scanned by ASM. Anything missed by the first net can be caught by ASM in the second net.

c) Mail that ASM does not consider spam maintains the SCL rating from IMF. Therefore, spam that the second net missed is nevertheless still caught in the first net.

3. Mail reaches the message store. All mail that IMF has tagged within the store threshold of 5-7 and any mail tagged with an SCL rating of 9 by ASM is routed to the users’ Junk E-Mail folders. All mail with an SCL of 4 or below goes to the Inbox.

Of course, any of the parameters above can be changed. For instance, you may wish to consider some of the following:

• Do not reject any mail at the gateway to avoid even the slightest chance of missing a legitimate email.

• Set the gateway to archive SCL 8 and 9 messages, rather than reject them. This way, they can be retrieved if needed.

• Raise or lower the message store rating to fine-tune which messages are routed to the Junk E-Mail folder.
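The sequence traced above, together with the alternative gateway settings, can be modeled in a few lines. This is an added example, not code from Exchange or Antigen: the `Policy` fields, the `route` function and the sample messages are assumptions made for illustration, and the store threshold is simplified to "this SCL or higher", as the scenario describes it.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Policy:
    # Defaults mirror the article's scenario; field names are assumptions.
    gateway_threshold: Optional[int] = 8  # None models "Take No Action"
    gateway_action: str = "reject"        # or "archive"
    store_threshold: int = 5              # this SCL or higher goes to Junk E-Mail


def route(imf_scl: int, asm_says_spam: bool,
          policy: Policy = Policy()) -> Tuple[int, str]:
    """Return (final SCL, disposition) for one message."""
    if not 0 <= imf_scl <= 9:
        raise ValueError("SCL must be between 0 and 9")
    # Step 1: the IMF gateway action fires before ASM ever sees the message.
    if policy.gateway_threshold is not None and imf_scl >= policy.gateway_threshold:
        return imf_scl, policy.gateway_action
    # Step 2: ASM is yes/no (9 or 0); the higher rating takes precedence,
    # so an ASM miss never lowers the IMF score.
    final_scl = max(imf_scl, 9 if asm_says_spam else 0)
    # Step 3: the message store files by the final SCL. An ASM 9 lands in
    # Junk E-Mail here; it is not rejected, because the gateway stage is past.
    if final_scl >= policy.store_threshold:
        return final_scl, "junk"
    return final_scl, "inbox"


# Constructed sample traffic: (label, IMF SCL, ASM verdict).
SAMPLES = [
    ("obvious spam", 9, True),
    ("caught by IMF only", 6, False),
    ("caught by ASM only", 2, True),
    ("legitimate mail", 1, False),
]


def trace(policy: Policy = Policy()):
    return [(label, *route(scl, asm, policy)) for label, scl, asm in SAMPLES]


if __name__ == "__main__":
    for row in trace():
        print(row)
```

Passing `Policy(gateway_action="archive")` or `Policy(gateway_threshold=None)` to `trace` shows how the same traffic is handled under the alternative settings listed above.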

Related articles:

· Exchange IMF: https://technet.microsoft.com/en-us/exchange/bb288484.aspx

· Configuring the Exchange Intelligent Message Filter: https://technet.microsoft.com/en-us/library/bb914061.aspx

· How to verify the Intelligent Message Filter SCL rating in Outlook 2003: https://support.microsoft.com/kb/895091

· Anti-Spam updates in Forefront Security for Exchange Server: https://support.microsoft.com/kb/941271/en-us

· Information about the types of anti-spam updates that are available for Exchange 2007: https://support.microsoft.com/kb/925474/en-us

· Anti-Spam and Antivirus Functionality: https://technet.microsoft.com/en-us/library/aa997658(EXCHG.80).aspx

· Understanding Anti-Spam and Antivirus Mail Flow: https://technet.microsoft.com/en-us/library/aa997242(EXCHG.80).aspx

· Managing Anti-Spam and Antivirus Features: https://technet.microsoft.com/en-us/library/aa996604(EXCHG.80).aspx

· How to Configure Anti-Spam Automatic Updates: https://technet.microsoft.com/en-us/library/bb125199.aspx

Applies to:

Microsoft Antigen for Exchange 9.0

Microsoft Antigen for Exchange 9.0 Service Pack 1

Microsoft Antigen for SMTP 9.0

Cheers,

Paul Gruner

Microsoft CSS (Customer Service and Support)

Comments

  • Anonymous
    January 01, 2003
    My name is Paul Gruner, and I am a Customer Service and Support engineer at Microsoft. We often get questions
