IMF
INTELLIGENT MESSAGE FILTER
We keep seeing the Junk mail folder in Outlook fill with unread messages, sometimes with strange characters: mails which have no purpose. Many more such mails reach our Exchange server but never our mailbox. Imagine those junk mails in your Inbox instead, say 4 or 5 a day or more. I wouldn't like to see them in my Inbox, nor would any professional. How do we ensure that these junk mails have their own place to stay: the Junk mail folder, or not even that? Unsolicited commercial email (UCE) doesn't deserve a place at all. Let's talk about one such topic, the IMF. This document is aimed at admins who are not aware of IMF and would like to start learning in a simple manner.
What is IMF?
I'm sure Exchange administrators are going to curse me for this question. Well, sorry guys. This article is for folks with no knowledge of IMF, and I have tried my best to include everything about IMF in this blog.
As the name suggests, IMF is all about filtering emails intelligently. Let's discuss:
1. How to Operate IMF?
2. How is IMF set up and enabled?
3. How to monitor IMF and ensure that it does the best of filtering.
IMF is available for download on the Microsoft site and the installation is easy (IMF version 1 only).
Just download the executable file and install on the Exchange server of your choice. Wow! Isn't that really easy?
You can install IMF on the gateway or Internet bridgehead server. IMF requires Exchange Server 2003 and will not install on Exchange Server 2000. IMF can be installed on interior mailbox servers as well, but don't you think installing on the former makes more sense? You are right. It is recommended that IMF be installed on either the gateway or the Internet bridgehead server. Installing it on a bridgehead protects multiple servers with one installation. Filtering and marking done by the IMF carries over to any other Exchange server, including Exchange 2000 and Exchange 5.5 servers.
Microsoft's SmartScreen Technology is the backbone of the Intelligent Message Filter. It analyzes over 500,000 characteristics from e-mail known to be spam. That is HUGE!!! As more and more of these characteristics are matched, the message's spam confidence level (SCL) rises. The SCL is an indicator of how likely it is that a message will be spam.
Once the SCL rises above a threshold, the Intelligent Message Filter performs the actions that it's been configured for. All other messages pass without modification. The message is not stored anywhere if it is not marked as spam.
There are two spam confidence level thresholds. The first is the gateway threshold. This is the value at which the filter itself will take action to potentially prevent the message from reaching a user. If the threshold is reached on the client, the filter can be configured not to pass the message at all, preventing it from appearing in the user's Inbox or Junk E-mail folder.
This setting should be relatively high, as messages that stop here stay on the gateway unless the administrator intervenes.
The second threshold is the store threshold or client level. If the SCL threshold is exceeded here, the client will not see their message in the Inbox. Rather, it will be delivered to the Junk E-mail folder found in the user's mailbox. Outlook 2003 users can use built-in tools to further refine how client-side filters work.
Higher spam confidence levels mean there is a greater chance a message truly is spam. For example, a message with an SCL of 9 is or should be a spam message and has met several criteria, while an SCL of 3 or 4 leaves room for some doubt, and an SCL of 0 or might not be spam.
The Intelligent Message Filter must be enabled on each virtual server for which filtering is desired. For most applications, this will be the default SMTP virtual server, since it's the only one. However, if multiple virtual servers have been created and they receive mail from the Internet, the IMF will need to be enabled on each one.
How to configure & enable IMF?
Open Exchange System Manager.
Under Global Settings--->Select Message Delivery.
Open properties of Message delivery.
You will see a tab named 'Intelligent Message Filtering'.



As shown in the above picture, the dropdown box offers a selection from 1 to 9. Choosing a higher value means that fewer messages will potentially be flagged as spam, but the messages that are flagged are more likely to be actual spam rather than legitimate e-mail.
Under Gateway Blocking Configuration, we see an option "When blocking messages:". This determines what the filter will do with the message once that gateway SCL has been reached. There are four choices:
1. Archive
2. Delete
3. No Action
4. Reject
Most often, Exchange Administrators choose the Archive setting, as this will save the message on disk and it can later be reviewed. It's recommended that you take a look at the Archive folder for the SCL at least once or twice a month to make sure that no legitimate messages are being blocked.
We also see the Store Junk E-mail Configuration. This has the same setting options from 1 to 9, and you can choose whichever one is appropriate. Exchange admins choose 3 to 6, so that messages that are possibly spam, but that we're not sure about, are delivered to the user's Junk E-mail folder, and users can figure it out from there. Click Apply and OK.
You can also see other configuration settings such as Connection Filtering, Sender Filtering, Recipient Filtering and Sender ID filtering.
To enable intelligent message filtering on a virtual server:
1. Start System Manager: On the Start menu, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. Move to the SMTP virtual server, starting with Servers.
3. Right-click the SMTP virtual server, and then click Properties.
4. On the General tab, click Advanced.
5. In Identification, select the Apply Intelligent Message Filtering check box, and then click OK.
Once you have set this, the setting takes effect immediately, and the IMF will be in effect for all messages coming through that virtual server. Again, if you have more than one virtual server and messages are received on, say, the second virtual server where the IMF has not been enabled, it will not process those messages.
MONITORING IMF
Monitoring IMF can be done in three different ways:
1. Using Event Viewer
2. Using Performance Monitor
3. Using Registry Editor
From Diagnostics Logging, set the SMTP protocol to medium or higher under MSExchangeTransport. This makes IMF write event IDs when an error occurs.
These are some of the more common event IDs seen in the IMF.
7152 indicates that a message was deleted or rejected by the filter. Again, this is only displayed at medium or higher logging.
7153 indicates the IMF was installed or updated or the SMTP service was restarted.
NOTE: If you restart the SMTP virtual server and you don't see a 7153 event, then the IMF is either not enabled on that virtual server or the IMF has become uninstalled.
7514 indicates an error when loading the IMF, and
7515 indicates that the IMF could not process an incoming message.
There are few reasons why the IMF could not process an incoming message; usually it indicates that antivirus pulled the message before the IMF could get to it.
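The event IDs above can be checked in bulk once the Application log has been exported. The following is an added example, not code from the original post: it counts the IMF events, applies the NOTE about a missing 7153 after an SMTP restart, and groups 7515 events by error code. The CSV column layout, the source name in the rows, the dates and the description texts (apart from the 7515 wording quoted in the comments below) are constructed assumptions.

```python
import csv
import io
import re
from collections import Counter
from datetime import datetime, timedelta

# Meanings of the IMF event IDs as listed in the article.
IMF_EVENTS = {
    7152: "message deleted or rejected by the filter",
    7153: "IMF installed or updated, or SMTP service restarted",
    7514: "error when loading the IMF",
    7515: "IMF could not process an incoming message",
}

# Constructed sample (not real log data): Application log rows exported as
# "time,source,event ID,description". Column layout and source are assumed.
SAMPLE_LOG = """\
2006-03-01 02:00:05,MSExchangeTransport,7153,Filter loaded (constructed text)
2006-03-01 09:14:40,MSExchangeTransport,7152,Message rejected (constructed text)
2006-03-01 09:20:11,MSExchangeTransport,7515,This message will not be filtered. The error code is 0x800710f0.
2006-03-01 10:02:33,MSExchangeTransport,7152,Message deleted (constructed text)
2006-03-02 02:00:07,MSExchangeTransport,7514,Filter failed to load (constructed text)
2006-03-02 02:01:00,SomeOtherSource,1000,Unrelated event
"""


def parse_imf_events(log_text):
    """Return (timestamp, event_id, description) for IMF event IDs only."""
    events = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 4 or not row[2].strip().isdigit():
            continue  # skip blank or malformed rows
        event_id = int(row[2])
        if event_id in IMF_EVENTS:
            when = datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S")
            events.append((when, event_id, ",".join(row[3:])))
    return events


def triage(log_text, smtp_restarts, window=timedelta(minutes=5)):
    """Summarise IMF health; smtp_restarts are restart times the admin knows."""
    events = parse_imf_events(log_text)
    counts = Counter(event_id for _, event_id, _ in events)
    loaded = [when for when, event_id, _ in events if event_id == 7153]
    # Article's NOTE: a restart with no 7153 means IMF is not enabled on that
    # virtual server or has become uninstalled.
    missing = [r for r in smtp_restarts
               if not any(r <= when <= r + window for when in loaded)]
    # Group unprocessed messages (7515) by the error code in the description.
    codes = Counter()
    for _, event_id, text in events:
        match = re.search(r"error code is (0x[0-9a-fA-F]+)", text)
        if event_id == 7515 and match:
            codes[match.group(1).lower()] += 1
    return {
        "counts": dict(counts),
        "restarts_without_7153": missing,
        "load_errors": counts[7514],
        "unprocessed_by_error_code": dict(codes),
    }
```

Calling triage(SAMPLE_LOG, [...]) with the two 02:00 restart times reports the second restart as having no 7153, which is the condition the NOTE above describes.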
Performance monitor counters for IMF:
"Total messages scanned for UCE" is basically a count of all incoming messages that the IMF looked at.
"Percentage UCE out of total messages scanned" is a rough percentage of the number of messages that were flagged as actual spam instead of receiving a score of 0 (zero), which is not spam at all.
Then there are nine different categories for the next one, "Total messages assigned an SCL rating of number", where number is 1 through 9. So this gives you a count of each message that was flagged with an SCL of 1, 2, 3, and so on.
The last one is "Total messages actioned", where action corresponds to the gateway settings such as Deleted, Rejected, or Archived. You will have a counter for each one of the actions except No Action.
IMF is most effective when used with Outlook 2003. This is because Outlook 2003 has a Junk E-mail folder built in, and it allows the user to specify that a message is not spam and should not be moved to the Junk E-mail folder. This will cause messages to be moved to the Inbox and will improve overall filtering for the Exchange organization.
When IMF is used in conjunction with other Exchange 2003 filtering settings, such as connection filtering, which utilizes Realtime Block Lists, or recipient filtering, which enables checking against the AD, your incoming spam protection is even more effective.
GOOD TO KNOW INFO on IMF:
→ Intelligent Message Filter v1 was the first version of IMF, which was an add-in tool. Exchange Server 2003 Service Pack 2 (SP2) includes Intelligent Message Filter v2. You must uninstall IMF v1 before you install Exchange 2k3 SP2.
To manually remove version 1 of IMF, delete the ContentFilterVersion subkey from the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange registry key.
→ IMF does not work on a clustered server. You cannot use IMF in a cluster. You need to implement it on a Front-End server or a separate server.
→ MSExchange Intelligent Message Filter is the Performance Object you can add as a counter for monitoring IMF using System Monitor.
→ By default, Intelligent Message Filter does not save the SCL rating on messages that it archives. To customize these settings, you must create a registry key value under the following registry key with DWORD value of 1:
HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\ContentFilter
To change the location of the archive directory:
1. In Registry Editor (regedit), in the details pane, right-click ContentFilter, click New, and then click String value.
2. Type ArchiveDir for the registry key value.
3. Right-click ArchiveDir, and then click Modify.
4. In Edit String, under Value Data, enter the full directory path where you want to archive messages filtered by Intelligent Message Filter. For example, type C:\IMF\Archive.
→ If you are doing the first installation of the Intelligent Message Filter V1 in the Organization, you will need to log in with an account that has Exchange Full Administrator rights at the Organization level to install it. For all subsequent installations of the IMF, you only need to have Exchange Full Administrator rights at the Administrative Group level.
→ To allow sending servers to bypass your Intelligent Message Filter, add the IP addresses of the server or servers in Exchange System Manager under Global Settings, Message Delivery properties, Connection Filtering tab, Accept button.
Ashwin Kumar
Bangalore, Microsoft.
missiontechie@gmail.com


Ashwin that was a nice one on IMF, but I would like to add that Exchange IMF, by default, will not scan email messages that are larger than 3 MB. If Exchange IMF runs into a message that's more than 3 MB, it'll log an Event 7515 error in the Application log with the following text: An error occurred while Microsoft Exchange Intelligent Message Filter attempted to filter a message with ID ####, #### From smtp: #### and Subject ####. This message will not be filtered. The error code is 0x800710f0.
Reply to this
Any reason why it will not scan messages more than 3 MB? It sounds so funny for a software by Microsoft that's designed for Exchange by Microsoft has such a funny
Reply to this
Hi Rishi,
You are correct, IMF will not scan a file which is more than 3 MB, and it is by design, because spam e-mail will not be more than 3 MB in size. As size increases, the cost will also increase.
For more information :
http://support.microsoft.com/kb/907691
Reply to this
Can anyone provide me any documents or Notes on
How to install Veritas Netbackup on Exchange Clusters
Quick response would be highly appreciated.
Reply to this
Hello Friends,
I have given steps for installation of Veritas Netbackup on an Exchange cluster. Please let me know if anyone requires it so that I can post it in this blog.
Regards,
Ismail Mohammed
Reply to this
Sorry for making you confused. Actually I sent the installation of Veritas backup on Exchange cluster to Abdul. If anyone requires the procedure, please let me know so that I can post it in our blog.
Regards,
Ismail Mohammed
Reply to this
Isn't it possible to change the "store threshold"/"Client level"?, make it higher or lower scl filter than default?
I found an article on the net that specified a registry key that could be added to change the filter, I am just not finding this again. Any idea on this?
Reply to this
Maybe this will help.
Manipulating the Database Size Limit
Let me be honest and say it’s a bit cumbersome to manipulate the database size limit, as you’ll need to do so via registry keys (nope as some of you might have hoped for this cannot be done via the Exchange System Manager).
You can configure a logical database size (logical size means the physical size of the .EDB and .STM files minus the logical free space aka white space in each) limit for each Exchange database by creating a DWORD registry key named “Database Size Limit in GB”. This key should be created under the following location for the mailbox database and public folder database respectively:
GUID is short for Globally Unique Identifier which is a unique 128 bit number generated by Windows or a Windows application, in this case Exchange.
In Figure 1 below I’ve configured the “Database Size Limit in GB” for the Mailbox Store on an Exchange 2003 SP2 Standard Edition to a decimal value of 50, which means the database has a limit of 50GB.
If you wanted to set a limit of 40GB for the Public Folder Store, you would simply need to create the same key under the Public-GUID and configure it with a decimal value of 40.
After the Mailbox/Public Folder Store has been configured with a new logical database limit, you will have to dismount/mount the given store (or simply restart the Information Store service) in order for the changes to take effect. When doing so Event ID 1216 will be logged in the Application log as shown in Figure 2 and 3 below.
Database Size Buffer in Percentage
Another improvement in Exchange 2003 SP2 is that when an Exchange server database has grown to within 10% of the configured database size limit a warning event is logged in the Application log. But you can change the threshold at which you want to be notified by creating a registry DWORD key called “Database Size Buffer in Percentage” under the following locations (depending on whether we're talking about mailbox or public folder stores):
You have to specify a value of 1–100 (where 1 equals 1% and so on) in the Value data field of the “Database Size Buffer in Percentage”. In Figure 4 below I’ve, for example, configured the database with a database size limit of 75GB and a warning buffer of 15%.
If or when an Exchange server grows to within 15%, an event Warning (Event ID 9688) will be logged in the Application log.
The first time the size of a given database is above the configured limit an Error event (Event ID 9690) will be logged in the Application log, second time an additional Error event will be logged in the Application log and the database will be dismounted. When this happens you can still re-mount the database but it will be dismounted again during the next check (specified time value in the “Database Size Check Start Time in Hours From Midnight” registry key which I'll explain in the next section). So re-mounting the database should only be a temporary solution, and you should immediately take the appropriate actions necessary in order to resolve the issue.
Database Size Check Start Time
There’s also another registry key with which you can specify the time of the day that the Exchange server should check the logical database size limits based on the limits that have been configured. By default the Exchange server will check the size of each Exchange database 5 hours after midnight or more specifically at 05:00. In order to change this time you should create a DWORD registry key called “Database Size Check Start Time in Hours From Midnight” under the following location (depending on whether we're talking about mailbox or public folder stores):
Then you’ll need to specify a value of 1-24 in the Value data field, where 1 is equal to 01:00 or 1 AM and so on.
Exchange 2003 Enterprise Edition
Although the new database limit registry keys are primarily intended for the Exchange 2003 Standard edition, they can be used with the Enterprise edition as well. As most of you know, the limit of a database running on an Exchange 2003 Enterprise edition is 8000 GB, but this is a theoretical limit; the actual limit is based on the hardware used for the Exchange server and any storage subsystem.
When installing Exchange 2003 SP2 on an Exchange 2003 Enterprise edition server, you can use these same registry keys as the ones mentioned in this article, the only difference is that you can configure the database limit to a value up to 8000 GB instead of 75 GB.
The Database Size Limit in GB key and DisasterRecovery switch
Should you for some reason need to restore your Exchange Server(s) using the /DisasterRecovery switch (which you can read more about in one of my previous articles), it’s important you bear in mind that you need to re-create the “Database Size Limit in GB” keys manually after the server has been restored using this switch.
Conclusion
Finally we’re over that annoying 16GB database limit, but this doesn’t mean you simply should rush out and set the database size limit on your Exchange 2003 Standard edition server(s) to 75 GB just like that. There’s actually a reason why the Microsoft Exchange team configured it with a default limit of 18 GB, they did this because they know most organizations running the standard edition have provisioned their servers’ database partition(s) for 16GB databases. So be sure you properly plan any database size limit changes thoroughly, as failing to do so could end up in a very sad situation.
Reply to this
IMF Confusion - Store threshold rating text in UI
A major source of confusion regarding the Store threshold value used by Intelligent Message Filter is the IMF UI itself. This is documented in Intelligent Message Filter release notes. In Global Settings (Message Delivery | properties | Intelligent Message Filtering tab) the Store Junk E-mail Configuration section reads "Move messages with an SCL rating greater than or equal to". If you never read the Release Notes - and I know many of us don't, particularly in smaller environments where IMF is more popular - you follow what the UI says and assume setting a store SCL of 6 would make messages with an SCL of 6 or higher be moved to the Junk Mail folder.
The Release Notes clarify this - the UI should say "Move messages with an SCL rating greater than". Only messages with a higher SCL than that value are moved to Junk Mail.
Apparently, Exchange Server 2003 SP2 did not fix this either and SP2 Release Notes make no mention of this. For many Exchange environments that did not use IMF v1 - a separate download - SP2 is their first encounter with IMF.
Reply to this
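To see what a pair of threshold settings does before applying it, the two thresholds from the article and the release-notes correction in the last comment can be modelled against per-SCL message counts such as those from the "Total messages assigned an SCL rating of number" counters. This is an added example, not code from the post or from Microsoft: the counts are constructed, and the gateway comparison (acting once its rating is reached) is an assumption.

```python
# Gateway blocking choices listed in the article.
GATEWAY_ACTIONS = ("Archive", "Delete", "No Action", "Reject")

# Constructed sample (not real measurements): messages seen per SCL rating,
# as the per-rating performance counters would give for 1-9; the SCL 0
# figure is total messages scanned minus the rest.
SCL_COUNTS = {0: 700, 1: 40, 2: 30, 3: 25, 4: 20,
              5: 35, 6: 30, 7: 40, 8: 30, 9: 50}


def route(scl, gateway_scl, store_scl, gateway_action="Archive"):
    """Return where a message with this SCL ends up."""
    if gateway_action not in GATEWAY_ACTIONS:
        raise ValueError("unknown gateway action: %r" % (gateway_action,))
    if not 0 <= scl <= 9:
        raise ValueError("SCL must be between 0 and 9")
    # Assumption: the gateway acts once its rating is reached (>=).
    if gateway_action != "No Action" and scl >= gateway_scl:
        return gateway_action
    # Release notes, as quoted in the comment: the store moves a message to
    # Junk E-mail only when its SCL is greater than the store value.
    if scl > store_scl:
        return "Junk E-mail"
    return "Inbox"


def plan(counts, gateway_scl, store_scl, gateway_action="Archive"):
    """Total messages per destination for the given settings."""
    totals = {}
    for scl, n in counts.items():
        dest = route(scl, gateway_scl, store_scl, gateway_action)
        totals[dest] = totals.get(dest, 0) + n
    return totals


def misread_shortfall(counts, gateway_scl, store_scl, gateway_action="Archive"):
    """Messages an admin reading the UI text as '>=' expects in Junk E-mail
    but that are delivered to the Inbox instead."""
    actual = plan(counts, gateway_scl, store_scl, gateway_action)
    expected = plan(counts, gateway_scl, store_scl - 1, gateway_action)
    return expected.get("Junk E-mail", 0) - actual.get("Junk E-mail", 0)
```

With the constructed counts, a gateway value of 8 and a store value of 5 archive 80 messages, send 70 to Junk E-mail and leave 850 in the Inbox; 35 of those Inbox messages are SCL 5 mail that the UI wording suggests would be junked.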