
Hey Guys

Can anyone who has used Exchange Intelligent Message Filter in Exchange 2003 tell me how effective it is to combat spam.

Just recently we've started to be attacked by spam, receiving over 16000 spam emails in 3 days. We're testing surf control and message labs currently but I'm wondering how good the Exchange Intelligent Message Filter is with or without Outlook 2003.

Cheers

B :)


The built-in functions in 2003 are better than its predecessors, but it still needs an add-on. Personally, if you are looking at 3rd party solutions, I'd give GFI products a try. Try MailEssentials and/or MailSecurity depending on your needs for email. The solutions are very cost-effective and very effective.

Realistically, you have to take the following into consideration:

[1] Cost effectiveness of using GFI to help secure Exchange

[2] Cost effectiveness of trying to make Exchange 2003 do what GFI can. (which is impossible)

[3] Ease of management for either solution

[4] Manageability of either solution

For me, the bottom line is using a 3rd party utility to protect Exchange's resources, because Exchange by itself cannot do a good enough job.

It is - my point is that it's built on Exchange's already limited filtering capabilities. No matter what way you use Exchange filtering (whether through Exchange or through Outlook (client only)) the filtering capabilities are limited.

I mean, IMF doesn't offer anything from a performance review or standpoint, so you really don't know how well it works depending on the amount of messages coming in and going out.

On the server, the clients never see the emails that come through if it's above the threshold settings. They are either archived or deleted. If they are archived, have fun wasting money by doing a "Windows search" function through the folders trying to find where the message went, since it's treated like a spam depository. Very inefficient.

Keep in mind that IMF is a text-based heuristics filter. This has been around for years and has been defeated by many many spammers out there. Especially since a ton of spam received these days are links to spammed messages that can automatically be loaded in the Outlook in-line HTML capabilities.

IMF doesn't allow the users to assist the administrator in any way, shape or form close to what 3rd party products allow. If your server flags the emails as being spam, you have to manually search through all the emails to find out what is spam and what is not. 3rd party products allow the end users to see what's being filtered and why it's being filtered.

IMF will not have (and never has) any type of regular updates. Whereas 3rd party products offer the following types of detection and/or filtering and updates:

SPF

Bayesian

DNS Blacklisting

Whitelisting

Blacklisting

Keyword

Header

There's no granular approach to the IMF route - you have one set of rules for all your users instead of defining different rules for different users and/or groups.

Many times spammers will send email messages that appear to come from your domain. Good luck making IMF block those messages. :(

Edited by Ghost96

We use it and it works. MS uses it internally, filtering spam from 8 to 10 million emails a day.

We don't need 3rd party solutions to do the following:

1. Connection filtering blocks approximately 25 percent of all incoming SMTP connections. These connections come from blocks that we have created.

2. Sender and recipient filtering deletes 59 percent of the messages received after connection filtering.

3. Intelligent Message Filter deletes 38 percent of the messages remaining after sender and recipient filtering.

In addition to the above measures we also use these Exchange 2003 out-of-the-box features:

• Connection filtering

• Sender and recipient filtering, including blank sender filtering

• Recipient lookup

• Real-time block list-based filtering

• Suppression of sender display name resolution

Some spam does get through and Outlook's Client-Layer spam filtering cleans up most of that. The important thing is our users report their spam levels have dramatically decreased and on a "bad" day they maybe get 1 or 2 spams in their inbox.

Edited by Marsden

My note to myself on the server.

**************************************
IMF Updated 02/March/2005 *** Archive 5+
**************************************

IMF (Intelligent Message Filter) for Exchange.
IMF Filter Update 02/02/2005 from 
http://www.microsoft.com/downloads/details.aspx?FamilyId=C1EA8CF1-48C9-4E43-A4EB-82D9A83FD4A7&displaylang=en

**************************************
Setup & Settings
**************************************
Install IMF
Install updates

Path to archive directory see HKLM\Software\Microsoft\Exchange\ContentFilter\ArchiveDir = "E:\Spam"

To configure IMF:
System Manager (Exchange)
Global Settings
Message Delivery
Right-Click / Properties
IMF

To write the SCL to the header:
Regedit
HKLM\Software\Microsoft\Exchange\ContentFilter\ArchiveSCL = 1

To turn off IMF:
System Manager (Exchange)
Admin Groups
First ....
Rpaserver1
Protocols
SMTP
IMF
Right-Click / Properties
Uncheck

Performance Monitor is watching how many messages are coming in and the SCL applied to the header.

**************************************
How It Works
**************************************

All incoming mail on the SMTP is scanned and a SCL rating is applied to the heading of the email, where the number is between 0 and 9.
0 = definitely safe, 9 = definitely spam.

Mails with a rating of 5 or higher are being Archived into the "E:\Spam" (Shortcut on desktop)

**************************************
IMF Archive Manager 2.0.4
**************************************

Mails sent to "E:\Spam" can be viewed.
Mails that are not spam need to be Resubmitted.
Resubmit folder is "D:\Program Files\Exchsrvr\Mailroot\vsi 1\PickUp" (Shortcut on desktop)
Mails sent to Pickup are automatically picked up by Exchange and delivered. (Note IMF doesn't scan these again)

**************************************
Clearing out Spam
**************************************
The "E:\Spam" folder will fill up quickly.
When checking, Resubmit legit emails


**************************************
Event viewer
**************************************
7513 means that IMF is installed and working
7512 Intelligent Message Filter writes this event when it rejects or deletes a message at the gateway.
7515 Intelligent Message Filter writes this event when it is unable to filter a message. Possible causes are corrupted or malformed messages.
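An added example, not part of the post above and not Microsoft's or the poster's code: a triage pass over the archive folder that lists the lowest-scoring archived mails first, since those are the likeliest candidates for resubmission. It assumes archived messages are `.eml` files and that the SCL written by `ArchiveSCL = 1` appears in a header named `X-SCL`; the sample messages are constructed.

```python
import email
import re
from collections import Counter
from email import policy
from pathlib import Path

SCL_HEADER = "X-SCL"      # assumption: header name written when ArchiveSCL = 1
ARCHIVE_THRESHOLD = 5     # from the note: SCL 5 or higher is archived

def scl_of(msg):
    """Return the SCL (0-9) of a parsed message, or None if absent or malformed."""
    value = msg.get(SCL_HEADER)
    if value is None:
        return None
    # Take a single leading digit; anything after it is ignored, "12" is rejected.
    m = re.match(r"\s*(\d)\b", str(value))
    return int(m.group(1)) if m else None

def triage(messages, review_band=1):
    """messages: {filename: raw bytes}. Returns (histogram, review, unscored).

    review holds (scl, filename, subject) for mails within review_band of the
    archive threshold, lowest score first; unscored holds files with no usable SCL.
    """
    histogram, review, unscored = Counter(), [], []
    for name, raw in sorted(messages.items()):
        msg = email.message_from_bytes(raw, policy=policy.default)
        scl = scl_of(msg)
        if scl is None:
            unscored.append(name)
            continue
        histogram[scl] += 1
        if scl <= ARCHIVE_THRESHOLD + review_band:
            review.append((scl, name, str(msg.get("Subject", ""))))
    return histogram, sorted(review), unscored

def load_archive(directory):
    """Read every .eml file in the archive directory (e.g. E:\\Spam)."""
    return {p.name: p.read_bytes() for p in Path(directory).glob("*.eml")}

# Constructed sample messages standing in for files in the archive folder.
SAMPLES = {
    "a.eml": b"From: colleague@example.com\r\nSubject: Fw: you have to see this\r\nX-SCL: 5\r\n\r\nhi\r\n",
    "b.eml": b"From: promo@example.net\r\nSubject: cheap offer\r\nX-SCL: 9\r\n\r\nbuy\r\n",
    "c.eml": b"From: someone@example.org\r\nSubject: no score\r\n\r\nbody\r\n",
    "d.eml": b"From: list@example.org\r\nSubject: newsletter\r\nX-SCL: 6\r\n\r\nnews\r\n",
}

if __name__ == "__main__":
    hist, review, unscored = triage(SAMPLES)
    print(dict(hist), review, unscored)
```

On a real server, `triage(load_archive(r"E:\Spam"))` produces the same three results for the archive path given in the note.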

Didn't work for me in the opposite sense, I had it set for 7/8 originally, stuff was still getting sent to the junk folder, then I bumped it up to 9/9 so only def spam would get moved to junk, but emails from someone on my address book were still getting moved to junk. I've since turned it off as people were complaining.

I have found that the mails that do get marked incorrectly have spam characteristics. There is one person who sends a user emails that are written so badly that it is no wonder.

example:

All lower case without punctuation "d u want to come wiv me 2day fone b4 u leev d office"

Subject - "Fw:Fw:FW:fw:fw:fw.........fw:you have to see this" image included in the email

Any message from MessageLabs saying the email was too big

Any email where only BCC is used (ie there is no email address in the To:)

The rest are all ok

Running perfmon I can see around 30% is marked as suspected spam and I would hazard a guess at .05% incorrectly marked as spam.

There is just one "floor" that I have found. Because the email is checked before the Exchange server sorts it, any emails addressed to removed accounts get caught. This could skew the results as Exchange would normally not take those messages anyway.

Remember that it should be used in conjunction with Outlook Junk Folders. The setting could be 5/5 with no archive. Outlook then lets you white list, and messages with a 6 or 7 can still be sent to the inbox. The rest goes to the Junk Folder for the user to organise.

If you are getting huge amounts of spam every day then a clearing house would be the better solution. I would like to see MS update the IMF on a regular basis, and also add the options of black and white lists. As a tool for evaluating your spam content it is great, "Boss we are getting 10000 emails a day and 8000 of them are spam. We need to spend some money."

Thanks guys :)

I had a yarn with an Exchange Guru at MS yesterday and he basically said it's a value addon for customers already moving to Exchange 2003. The archive bit of looking through folders seems massively painful.

Anyway we've decided to stick with either message labs or surfcontrol until we move our mail cluster to 2003.

Thanks everyone :)
