IMF - Intelligent Message Filter
With Exchange 2003 Service Pack 2 Microsoft introduced their spam detection tool "Intelligent Message Filter" (IMF) as a built in component of Exchange. Previously it was available as a optional extra.
This article explains how to enable the feature, and then working with the results. While it is built in, it is not enabled by default.
Note: If you are using Small Business Server with the POP3 connector, then you cannot use IMF. The POP3 connector bypasses the IMF scanner. To use IMF you will need to get your email delivered directly by SMTP.
Enabling IMF
There are two steps to enable the Intelligent Message Filter. Many people carry out the first, but fail to do the second.
Step One - Enable the option in the Exchange Organisation
Exchange System Manager, Global Settings. Right click on Message Delivery and select Properties.
Click on the tab "Intelligent Message Filtering". Change the option in the middle from No Action to Archive (you should run with archive initially to ensure that it isn't catching legitimate email). Leave the other settings alone for now.
You could leave the setting to "No Action" and have the system simply record numbers. If you simply enable the option on the SMTP Virtual Server (see step 2) then you can monitor what the messages are being scored as. This will give you an idea as to whether you have a spam problem that IMF might be able to help with.
What do the numbers mean? There are two sets of numbers. Gateway Blocking Configuration - this is where the messages will be blocked at the server, and the users will not even see them. Store Junk E-mail Configuration - this is where the messages will be delivered to the user's Outlook and stored in their Junk Email folder (Outlook 2003 in cached mode only, or OWA). If you set both numbers the same, then no spam or suspected spam email will be delivered to the user's Outlook folder - it will be archived or deleted. Gateway should always be higher or the same as Store Junk Email. Never lower.
|
Step Two - Enable the option on the SMTP Virtual Server.
Exchange System Manager, Servers, <your server>, Protocols, SMTP.
Right click on the Default SMTP Virtual Server and choose Properties.
On the first tab click on "Advanced...".
On the next box, click "Edit...".
Enable the option "Apply Intelligent Message Filter".
The other options should be left alone. "Apply recipient filter" is used with the filter unknown recipients option, which is explained here.
For this change to take effect, you need to restart the SMTP Service. You may want to wait and make the change to enable automatic updates first, as that requires a restart as well.
Configure IMF to Update
Like antivirus applications, a spam detection application needs to be regularly updated. IMF is not enabled by default to update automatically, but can be quickly and easily via a registry change.
Open the registry editor and move down to the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange
Create a new DWORD in the root of that location (usually by right clicking on Exchange) called ContentFilterState
Give the new DWORD key a vale of 1 and close the registry editor.
Alternatively, copy this text in to notepad, save as "imf-update.reg" then right click and choose Merge.
The update comes down with automatic updates, however make sure that you have updated to Microsoft Update so that you get non Windows updates.
If you are using Windows Server Update Services (WSUS), then make sure that you have enabled Exchange server as a product to download updates for, and updates for IMF will be distributed through that mechanism.
Once you have made the change, restart the SMTP Service in the Services applet.
There is more information on the update process in MS KB article 907747 (http://support.microsoft.com/kb/907747)
Monitoring the IMF
You can easily monitor how many messages the filter is blocking (or would block if no archiving settings are set) by using perfmon.
Click Start, Run and type perfmon.
The performance object that you want is "MSExchange Intelligent Message Filter"
You can select all of the objects if you wish, however unless you are under heavy load, the top one (% of UCE Messages scanned in the last 30 minutes) and the LAST one (UCE Messages Acted Upon/sec) don't tend to provide much information of interest.
Viewing the Messages in the IMF Archive
If you have set the IMF system to archive your messages, rather than block or delete them, then you need some way of checking those messages.
By default, the messages are stored in \Exchsrvr\Mailroot\vsi 1\UceArchive as msg files. These can be easily viewed via Outlook Express or dragging and dropping in to a notepad document.
However direct access like that limits your options for managing the archive. Instead you could use a third party option to provide a simpler interface.
Web Page
Originally written for the bolt on version of IMF, a set of ASP pages provides a easy to use interface to view the messages, and resubmit them for delivery to the end user. If you have already deployed an SSL certificate protected web site, then you could add these pages to the site. That would allow an administrator or other trusted person to check the messages remotely.
To control access, simply put the pages on to an NTFS partition and then change the security settings of the folder to allow just those who should have access.
http://hellomate.typepad.com/exchange/2004/06/imf_archive_man.html
When you are using this application, if you get errors about "The HTTP headers are already written to the client browser" then go in to IIS Manager, find the virtual directory that has been created. On the "Application Settings" click on configuration, then the "Options" tab. Select the option "Enable Buffering" and then Apply/OK out.
Drop in to a command prompt and type IISRESET.
Utilities
There are a couple of free utilities that can be used as well. These will mean sharing the UCE folder out for remote access, or allowing access to the server.
IMF Archive Manager: http://www.codeplex.com/imfam
IMF Companion: http://stoekenbroek.com/demon/imfcompanion/default.htm (watch for Pop ups and no longer supported)
More Scripts and Reporting
Glen Scales has a collection of scripts for IMF available here: http://www.outlookexchange.com/articles/glenscales/imfrep1.asp
View the Spam Confidence Level of Messages in the Archive
Each message is given a spam confidence level (SCL). The level is then used by Exchange to decide what to do with the message.
You can get the SCL level entered in to the header of the email messages sent in to the archive via a registry change.
HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\ContentFilter
Right click on ContentFilter and choose New and select DWORD Value.
Enter the key name as ArchiveSCL
Give the key a value of 1
Alternatively, copy this text in to notepad, save as "archive-scl.reg" then right click and choose Merge.
To disable the option, change the value to 0 or delete the key.
Viewing the SCL Level of All Messages
Microsoft have stated that it isn't possible to expose the SCL level in the headers for all email messages as it does for messages in the archive. That isn't to say that it cannot be done.
An Outlook configuration file has been posted to the MS Exchange Team blog, which uses a custom form to expose the SCL level.
http://blogs.technet.com/b/exchange/archive/2004/05/26/142607.aspx
This is a client side setting.
If you want server side, then you will have to look to third parties.
IVASOFT have produced ShowSCL as freeware. This allows you to see the SCL as a column in Outlook.
http://www.ivasoft.biz/showscl.shtml
Changing the Archive Location
If you want to store the archived messages in another location, then you can make a change to the registry to change it.
Create the folder first.
Then open your registry editor and go to HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\ContentFilter
Right click on ContentFilter and choose New, String Value.
Enter ArchiveDir as the key value.
Enter the full path to the new folder as the string data.
If you have already started using a tool to manage the archive location, don't forget to change that.
Antivirus Scanning
Ensure that you antivirus application is not scanning the archive folder. On access scanners can cause problems when it comes to viewing messages due to the way that they hold the file open. Messages with viruses may well be caught by the this tool.
White Listing
One of the weaknesses of IMF is the lack of white list capability. This is where you can tell IMF to allow an email through, no matter what it scores.
The only white listing that is natively supported is via IP address. This is set elsewhere in Exchange System Manager.
Open Global Settings, then Message Delivery. Right click on Message Delivery in the left pane and choose Properties. Click on the tab Connection Filtering. The last option on that tab is the global Accept and Deny configuration. Choose the "Accept..." button and enter the IP addresses of the servers you want to bypass IMF.
If you want to white list internal resources, then a better option is to setup a second SMTP virtual server. IMF is enabled on a per virtual server basis.
Give the Exchange server an extra internal IP address. Then configure the existing SMTP virtual server to use only the original IP address. Create a new SMTP virtual server through Exchange System Manager, in Servers, <your server>, Protocols, SMTP. Right click on SMTP and choose New, Virtual server.
Fix the IP address of this new virtual server so that it doesn't conflict with the existing one.
Excluding users from IMF filtering.
Microsoft have released a hotfix for IMF to allow certain users to be excluded from IMF scanning.
This hotfix is one that you have to phone Microsoft support to get.
More information: http://support.microsoft.com/kb/912587
Removing IMF v1.
If you had version 1 of IMF installed on your server, then it needs to be removed before installing Service Pack 2 for Exchange 2003.
There are two ways to remove IMF v1.
- Use Add/Remove Programs.
If the tool doesn't appear in Add/Remove programs, but you have the original installation file, then you can simply reinstall it and then remove it.
It only appears in Add/Remove programs under the user account that it was originally installed by. - Manual removal.
Manual Removal of IMF v1
- Stop all Exchange services, including the Information Store, System Attendant, SMTP, services, plus any Exchange antivirus applications.
- Rename the folder "MSCFV1" in C:\Program Files\Exchsrvr\bin
- Rename the file C:\Program Files\Exchsrvr\bin\ContentFilter.dll file
- Open Regedit and browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange key.
- Export a copy of that key for backup purposes.
- Delete the "ControlFilterVersion" subkey from the registry.
- Restart the server.
- Install/Reinstall Exchange 2003 SP2.