Microsoft Exchange Server - Intelligent Message Filter (IMF)

Exchange Intelligent Message Filter (IMF)

http://www.msexchange.org/tutorials/microsoft-exchange-intelligent-message-filter.html

Can be downloaded for Exchange 2003 SP1 and is included with SP2.
http://www.microsoft.com/downloads/details.aspx?FamilyId=C1B08F7B-8CAF-4147-B074-8C9C8F277071&displaylang=en

IMF should be installed on your organization's Exchange Gateway Servers (the
servers accepting Internet e-mail messages and forwards them to the appropriate
mailbox server) or on the Exchange bridgehead servers behind potential
non-Microsoft e-mail Servers. Smaller organizations (without an Exchange
Gateway Server) will typically install IMF directly on the Exchange mailbox
server itself.

IMF is based on a patented machine learning technology originally developed by
Microsoft Research. The technology behind IMF is SmartScreen-based, which means
the add-on is able to distinguish between legitimate e-mail messages and
unsolicited commercial e-mail (UCE) or other spam. SmartScreen tracks over
500,000 e-mail characteristics based on data from hundreds of thousands of
MSN Hotmail subscribers who volunteered to classify millions of e-mail
messages as legitimate or as spam.

As many might know Outlook 2003’s Junk E-mail filter is also based on the
SmartScreen technology, and to make the most of IMF, it’s recommended to use
Outlook 2003 on your clients. But if your clients run Outlook 2002 or earlier,
don’t worry if this is the case you can set the filtering rules via Outlook
Web Access (OWA) 2003 instead.

When IMF is installed a new tab is added to the System Manager – the
Intelligent Message filter tab which can be found by taking Properties of
Message Delivery under Global Settings. In addition a new Intelligent Message
Filtering node is added under Protocols > SMTP, see Figure 1 and 2 (this is
where you enable IMF).

--------------------------------------------------------------------------------

POP3 Note
The POP3 connector on SBS2003 uses CDO through the pickup folder for delivery
and therefore it misses the "End of Data" event sink used by IMF. Therefore
messages delivered through the POP3 connector won’t be scanned by IMF.

Known IMF Bug

When changing the SCL Rating thresholds under Message Delivery Properties >
Intelligent Message Filter in the System Manager you should, at the time of
this writing, remember to restart the Exchange Information Store, otherwise
chances are you will see some pretty odd filtering results.

Another problem you may experience is that after you install and configure
Microsoft Exchange Intelligent Message Filter on your Microsoft Exchange Server
2003 computer, e-mail messages that contain a computer virus or a worm program
are not permanently deleted. Instead, these e-mail messages remain in the SMTP
local delivery queue in Exchange 2003 until they time out. Microsoft has
release a HotFix to resolve this problem, to download it visit MS KB article:
883522.

--------------------------------------------------------------------------------

IMF Configuration

When an external user sends e-mail messages to an Exchange Server with IMF
installed, IMF will evaluate the textual content of the messages and then assign
the message a spam confidence level (SCL) rating based on the probability the
message is UCE (from 1-9). This rating is stored as a message property called a
Spam Confidence Level (SCL) rating. This SCL rating is then compared to the
threshold set under Message Delivery Properties > Intelligent Message Filter in
System Manager.

Two thresholds can be set – a gateway threshold which will take a specified
action (you can select between Archive, Delete, No action and Reject) and a
mailbox store threshold which will deliver a given message (rated as spam) to
the respective user’s Junk E-mail folder instead of the Inbox.

If you have configured IMF to archive all messages with a SCL rating higher
than what you have specified, the messages are placed in
Program files\exchsrvr\mailroot\vsi 1\UceArchive folder, depending on what SCL
rating you specified, number of mail-enabled users in your Exchange messaging
environment etc. this folder will fill up quickly.

--------------------------------------------------------------------------------

You might wonder how you are able to see the SCL rating of a message, that
hasn’t been filtered at the gateway level? Well the answer is you can expose
the SCL rating of any message even though it hasn’t been filtered; this can
either be accomplished through the Outlook MAPI client or through Outlook Web
Access (OWA) 2003. In order to see what SCL rating is stamped on particular
mail see below two links over at the Microsoft Exchange Team Blog:
	Exposing SCL (Spam Confidence Level) in Outlook:
		http://blogs.msdn.com/exchange/archive/2004/05/26/142607.aspx
	Exposing the Spam Confidence Level (SCL) in OWA:
		http://blogs.msdn.com/exchange/archive/2004/05/27/143297.aspx
Note:
If you see a message assigned a SCL rating of "-1" it means it's an
authenticate, (typically an internally generated message).

--------------------------------------------------------------------------------

Intelligent Message Filter Archive Manager (IMFAM)

James Webster (who’s a Software Test Engineer on the Exchange Transport team)
created a neat little utility in order to ease management of the filtered
messages, it’s called Intelligent Message Filter Archive Manager (IMFAM) and
is a C# GUI tool released as shared source on GotDotNet.
http://www.gotdotnet.com/Community/Workspaces/workspace.aspx?id=e8728572-3a4e-425a-9b26-a3fda0d06fee

With IMFAM you can delete messages, resubmit them (by moving them to the Pickup
folder), copy message content to the clipboard and last but not least report
potential spam to a Real-time Blocklist provider. You can also see the SCL
rating of a selected message (though this needs to be enabled through the
registry first, see page 25 of the IMF Deployment guide for specific
instructions).

--------------------------------------------------------------------------------

Links

Microsoft Exchange Server: Exchange Server Intelligent Message Filter Overview:
http://www.microsoft.com/exchange/downloads/2003/imf/imf_wp.asp

Microsoft Exchange Intelligent Message Filter Deployment Guide:
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/imfdeploy.mspx

Spam Confidence Level Explained:
http://msdn.microsoft.com/library/en-us/e2k3/e2k3/ast_spam_confidence_level.asp?frame=true