Know Your Limits
IMF installation is simple, and the only signs you'll have of the new add-on are the addition of an Intelligent Message Filtering tab in the Exchange System Manager (ESM) Message Delivery Properties dialog box (which you can access through the Global Settings\Message Delivery node) and a new ESM Intelligent Message Filtering node (under the Protocols\SMTP node for the Exchange server that's running IMF). After IMF installation, open ESM and open the Message Delivery Properties dialog box, then go to the Intelligent Message Filtering tab, which Figure 1 shows, to set SCL thresholds for gateway and Store processing and to set an action to occur when spam is blocked at the gateway. (Note that the Store threshold, which you set under the Store Junk E-mail Configuration section, must be lower than the gateway threshold, which you set under the Gateway Blocking Configuration section.) Like other Global Settings, these settings apply to all servers within the Exchange organization.
The gateway SCL threshold (sometimes referred to as the block threshold) controls the action that Exchange takes on the server that hosts the SMTP connector. You'll need to perform a balancing act when determining this setting. If you set the threshold too low—say, 2—you run the risk that legitimate messages will be treated as spam. If you set the threshold too high—say, 7—your users might still get more spam than they care for. Every company will have a different tolerance level, and some believe that it's better to accept some spam to be sure that every legitimate message gets through as quickly as possible. Others believe that it's better to filter as much spam as possible and to have a reliable process for dealing with false positives. The best idea is to start with thresholds that are slightly higher than you think you need, keep an eye on the volume of false positives that occur during the first couple of weeks, then reduce the threshold until you arrive at a steady state at which IMF blocks the maximum amount of spam possible without generating an excess of false positives.
Your options for determining what the gateway server does with a message that has an SCL rating equal to or greater than the gateway threshold are Archive, Delete, No Action, and Reject. When you select Delete, IMF immediately drops the message. The No Action setting causes Exchange to let the message pass the gateway, although the message might still be rejected during store-level processing. Reject causes the gateway to return the message to its originator. You can use the Archive setting to archive messages so that you can check for false positives. (See the sidebar "Archiving Dos and Don'ts," http://www.winnetmag.com, InstantDoc ID 42685, for information about dealing with this setting and with archived messages.)
The Exchange gateway server takes no action for messages that have an SCL lower than the threshold; Exchange routes those messages to the mailbox server that hosts the destination mailbox. When the messages arrive at the mailbox server, the transport engine delivers them to the Store, which (assuming that the mailbox server is an Exchange 2003 server) checks the messages against the Store threshold and against the Blocked Senders and Safe Senders lists that users have configured through Outlook 2003 or Outlook Web Access (OWA) 2003. If the SCL rating is equal to or lower than the Store threshold and the message sender isn't on the recipient's Blocked Senders list (or the Store can't access that list—for example, because the recipient is using an earlier version of Outlook or OWA), the Store delivers the message to the user's Inbox. If the sender is on the Blocked Senders list, the Store takes the action defined in the user's Junk E-mail options (e.g., deliver the message to the user's junk mail folder, delete the message permanently). If the SCL rating is higher than the Store threshold, the Store checks the user's Safe Senders List. If the Store finds the sender's email address on that list (or can't find a Safe Senders list for the mailbox), it delivers the message to the user's mailbox. Otherwise, the Store handles the message according to the user's Junk E-mail options.
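The gateway and Store decision path described in the two paragraphs above, modelled as an added example (not code from the article or from Exchange itself); the ImfConfig and Mailbox classes, the thresholds, and the sender addresses are constructed assumptions, and the constructor also enforces the rule that the Store threshold must be lower than the gateway threshold:

```python
from dataclasses import dataclass
from typing import Optional, Set
# Hypothetical model of the IMF decision path described above; thresholds,
# senders and mailbox settings used with it are constructed for this example.
GATEWAY_ACTIONS = {"Archive": "archive", "Delete": "drop",
                   "No Action": "route", "Reject": "reject_to_sender"}

@dataclass
class ImfConfig:
    gateway_scl: int     # Gateway Blocking Configuration threshold
    store_scl: int       # Store Junk E-mail Configuration threshold
    gateway_action: str  # Archive, Delete, No Action or Reject

    def __post_init__(self):
        # ESM requires the Store threshold to be lower than the gateway one
        if self.store_scl >= self.gateway_scl:
            raise ValueError("Store threshold must be lower than gateway threshold")
        if self.gateway_action not in GATEWAY_ACTIONS:
            raise ValueError(f"unknown gateway action {self.gateway_action!r}")

@dataclass
class Mailbox:
    # None models a list the Store cannot read (recipient on older Outlook/OWA)
    blocked: Optional[Set[str]] = None
    safe: Optional[Set[str]] = None
    junk_action: str = "junk_folder"  # user's Junk E-mail option, or "delete"

def gateway_decision(scl: int, cfg: ImfConfig) -> str:
    """Gateway acts only when SCL >= its threshold; 'route' passes the message on."""
    if scl < cfg.gateway_scl:
        return "route"
    return GATEWAY_ACTIONS[cfg.gateway_action]

def store_decision(scl: int, sender: str, cfg: ImfConfig, mbox: Mailbox) -> str:
    """Exchange 2003 Store processing for a message the gateway routed onward."""
    if scl <= cfg.store_scl:
        # Low score: only an explicit Blocked Senders entry diverts the message
        if mbox.blocked is not None and sender in mbox.blocked:
            return mbox.junk_action
        return "inbox"
    # Above the Store threshold: a Safe Senders hit (or no readable list) rescues it
    if mbox.safe is None or sender in mbox.safe:
        return "inbox"
    return mbox.junk_action

def process(scl: int, sender: str, cfg: ImfConfig, mbox: Mailbox) -> str:
    """Full path: gateway first, then Store processing for anything routed onward."""
    verdict = gateway_decision(scl, cfg)
    return store_decision(scl, sender, cfg, mbox) if verdict == "route" else verdict
```

Running a handful of constructed (SCL, sender) pairs through process() shows where each message ends up, which is the quickest way to sanity-check a threshold pair before applying it to the organization.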
Apply Yourself
After you've configured the global IMF settings, you have to activate IMF on the SMTP virtual servers that handle message traffic. In concept, this operation is the same one you use to enable connection, sender, or recipient filtering—you just perform this task through a slightly different interface. The primary difference is that you can apply IMF to multiple SMTP virtual servers simultaneously, whereas you apply other filters to virtual servers one by one.
As I mentioned earlier, after you install IMF on an Exchange server, a new Intelligent Message Filtering node appears in ESM under that server's Protocols\SMTP node. The Intelligent Message Filtering node's Properties dialog box lists all the SMTP virtual servers that are active on the Exchange server and indicates whether IMF is active on each virtual server. (Figure 2 shows an example of what you'll see on the vast majority of Exchange 2003 servers: One default SMTP virtual server associated with TCP port 25 and handling all IP addresses. Each physical Exchange server can support multiple SMTP virtual servers—assigned to different ports and handling different ranges of IP addresses—but making such changes to the default configuration is usually unnecessary.)
Get More Information
Behind the scenes, IMF writes a number of new events to the Windows Application log when specific actions occur. For example, event ID 7512 provides information about messages that the gateway has rejected or deleted. More interestingly, IMF writes event 7515 whenever it can't process a message (because, for example, the message was malformed or corrupted in some way). Event data tends to be sparse, however, so to gain insight into IMF's activity level, you can use Performance Monitor to view the performance counters under the MSExchange Intelligent Message Filter object. These counters give you a total count of scanned messages, scan rate per second, and totals for rejected, deleted, and archived messages. A separate counter reports the percentage of total scanned messages that IMF has marked as spam; another counter displays the percentage of spam received in the past 30 minutes.
The best approach to stopping spam is to implement multiple layers of defense and to have as much knowledge as possible about what your organization is up against. IMF can be a useful addition on both fronts. However, you might want additional protection, in which case third-party alternatives might be in order. For more information about your other options, see the sidebar "IMF Alternatives," http://www.winnetmag.com, InstantDoc ID 42684.