Obtaining and Installing IMF
Microsoft's original plan was to distribute IMF only to customers who had purchased a Software Assurance (SA) license. However, that strategy was unpopular, and after what I assume was a vigorous internal debate, Microsoft did an about-face and released IMF free to all Exchange 2003 customers. You can download IMF from Microsoft's Downloads for Exchange Server 2003 page at http://www.microsoft.com/exchange/downloads/2003.asp. Scroll down to the Security and Protection section and click the Exchange Intelligent Message Filter link. At the resulting page, download the filter and click the Microsoft Exchange Intelligent Message Filter Deployment Guide link. You should download and read the guide before attempting to deploy IMF.
The process of installing event sinks on an Exchange server isn't for the faint of heart; you have to put the sink in the correct place, then register it properly so that the SMTP core can find and call it. It's easy to make mistakes when doing this manually. Fortunately, IMF comes packaged as a Windows Installer (.msi) file that does all the work. All you have to do is launch the .msi file and tell Windows Installer whether you want to install IMF, the IMF management tools, or both. You can install the management tools on any machine on which Exchange System Manager (ESM) is installed, but as I mentioned earlier, you can install IMF only on an Exchange 2003 server.
Of course, if you implement IMF on one of your inbound SMTP bridgeheads, you must implement it on all of them. If you don't, some mail might be routed through unfiltered servers. (The Outlook 2003 Junk E-mail Filter might help here, but stopping the junk at the perimeter is better.)
Configuring IMF
Speaking of the IMF management tools, there are two. IMF installation adds a new Intelligent Message Filtering tab to the Message Delivery Properties dialog box and an Intelligent Message Filter node under the Protocols node for each SMTP virtual server in ESM. You access the Message Delivery Properties dialog box and its new Intelligent Message Filtering tab, which Figure 1 shows, from the Global Settings node in ESM. You can use this tab to set the gateway and store threshold values and to specify an action to take on messages that exceed the gateway threshold:
- No action is the default action. Microsoft recommends that you take no action at first while you determine exactly how much spam you receive. You can set a threshold and No action, and the Performance Monitor's "The Total Messages Assigned an SCL Rating of X" counters will tell you how many messages hit a particular threshold value. You can add up the counter values to determine how many messages the filter caught.
- The Archive action stores filtered messages in a folder named UCEArchive, which sits under the SMTP virtual server's folder inside the Mailroot folder on the SMTP server. Archived messages are stored as plain text, so you can open and review them with Notepad, Outlook Express, or any other tool that can open text files. If the archive contains any legitimate messages, you can move them to the pickup directory, and the SMTP service will reprocess them for delivery without further filtering. IMF doesn't provide any way to view the contents of the archives, but at least two free solutions exist; see http://www.e2ksecurity.com/archives/000835.html for details.
- The Delete action throws the message away without warning; neither the recipient nor the sender receives any indication that any action has been taken. Use this action with caution because if you set the SCL too low, you'll probably lose legitimate messages.
- The Reject action rejects the filtered message during the connection attempt and forces the sender's server to create an NDR and deliver it to the sender. IMF won't accept a message and then send an NDR itself.
By default, these settings apply to all SMTP virtual servers on the IMF server. However, IMF should be enabled only for those virtual servers that you want to filter. For example, if you follow Microsoft's recommendation of using separate virtual servers for inbound and outbound traffic, you probably don't want to spend CPU cycles running IMF on the outbound virtual server. You enable and disable IMF filtering for a particular virtual server by using the second IMF management tool: the Intelligent Message Filter node that appears under each SMTP virtual server's Protocols node in ESM. When you open the Intelligent Message Filter node's properties dialog box, you see a list of virtual servers, each with a check box next to it. Make sure that only the boxes for the virtual servers on which you want filtering to be active are selected.
Advanced Tweaks
Of course, many of us would like to be able to tweak the IMF filtering corpus, but Microsoft isn't allowing that. The company also hasn't announced how it plans to make updates to the corpus available, but it will probably use a process similar to the one for the Outlook filter and Entourage filter: You'll download a hotfix from Windows Update. For now, the IMF deployment guide describes four registry entries that you can apply to tweak IMF's behavior. The first three tweaks require you to create a new subkey named HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\ContentFilter and add the following values to it:
- ArchiveDir--To change the location of the archive directory, add a string value named ArchiveDir and use it to specify the full path (local paths only, please) to the archive directory. ArchiveDir applies to all virtual servers on the server, so messages aren't grouped by virtual server when you use this setting.
- ArchiveSCL--To force the IMF to store filtered messages' SCL, add a REG_DWORD entry named ArchiveSCL and set its value to 1. Each filtered message will then have an X-SCL header.
- CheckAuthSessions--As I mentioned earlier, messages coming from authenticated connections aren't filtered. However, you might want to filter messages from authenticated senders if you receive messages from users who are authenticated but might still be sending spam. This situation can occur at application service providers (ASPs) and universities and in other environments in which users aren't necessarily trustworthy. To enable filtering of messages sent by authenticated users, add a REG_DWORD entry named CheckAuthSessions and set the value to 1.
The fourth setting is applied in a different location.
- Max Extended Rule Size--The lists of safe and blocked senders that each user creates are stored in an invisible message in the user's mailbox. By default, Outlook and IMF allow about 510KB of data in the list, but the client and server must synchronize the lists, so you might want to keep them smaller. If so, create a REG_DWORD value named Max Extended Rule Size under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem, then set its value to the maximum size (in bytes) that you want to allow.
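The following script is an added example, not part of the article or of the IMF deployment guide; it applies the four registry tweaks described above in one idempotent step. It assumes PowerShell is available on the Exchange 2003 server, that it runs as a local administrator, and that the archive path and the 256KB rule-size limit are sample values you would replace with your own.

```powershell
# Added example (not from the article): applies the four IMF registry tweaks
# from the deployment guide. Assumes a local administrator session on the
# Exchange 2003 server. The archive path below is a constructed sample value.

$ContentFilterKey = 'HKLM:\SOFTWARE\Microsoft\Exchange\ContentFilter'
$StoreKey         = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'

function Assert-LocalArchiveDir {
    param([string]$Path)
    # The guide supports local paths only for ArchiveDir, so refuse UNC paths
    # and anything that is not rooted on a drive letter, and insist it exists.
    if ($Path -like '\\*' -or $Path -notmatch '^[A-Za-z]:\\') {
        throw "ArchiveDir must be a local, drive-rooted path: $Path"
    }
    if (-not (Test-Path -Path $Path -PathType Container)) {
        throw "ArchiveDir does not exist: $Path"
    }
}

function Set-ImfTweaks {
    param(
        [string]$ArchivePath,
        [switch]$FilterAuthenticatedSenders,   # only for ASP/university-style environments
        [int]$MaxRuleSizeBytes = 262144        # 256KB; the default is about 510KB
    )
    Assert-LocalArchiveDir $ArchivePath

    # The ContentFilter subkey does not exist until you create it.
    if (-not (Test-Path $ContentFilterKey)) {
        New-Item -Path $ContentFilterKey -Force | Out-Null
    }
    # ArchiveDir (string): one archive for every SMTP virtual server on this box.
    Set-ItemProperty -Path $ContentFilterKey -Name 'ArchiveDir' -Value $ArchivePath -Type String
    # ArchiveSCL (REG_DWORD = 1): stamp an X-SCL header on each archived message.
    Set-ItemProperty -Path $ContentFilterKey -Name 'ArchiveSCL' -Value 1 -Type DWord
    # CheckAuthSessions (REG_DWORD): 1 also filters mail from authenticated senders.
    $checkAuth = if ($FilterAuthenticatedSenders) { 1 } else { 0 }
    Set-ItemProperty -Path $ContentFilterKey -Name 'CheckAuthSessions' -Value $checkAuth -Type DWord

    # Max Extended Rule Size lives under the information store key, not ContentFilter.
    Set-ItemProperty -Path $StoreKey -Name 'Max Extended Rule Size' -Value $MaxRuleSizeBytes -Type DWord

    # Read everything back so the result can be verified (or logged) after the change.
    Get-ItemProperty -Path $ContentFilterKey | Select-Object ArchiveDir, ArchiveSCL, CheckAuthSessions
    Get-ItemProperty -Path $StoreKey | Select-Object 'Max Extended Rule Size'
}

# Constructed sample invocation: local archive directory, authenticated senders not filtered.
Set-ImfTweaks -ArchivePath 'D:\IMF\UCEArchive'
```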
IMF is a useful filtering solution, especially because it's free. In most environments, it will drop the volume of spam significantly. It's not a substitute for more sophisticated filters from the likes of NetIQ, Nemx Software, and Symantec--these filters and services allow more customization and additional filtering, quarantine, and management functionality. However, IMF works well in conjunction with these tools, and it's valuable in its own right for organizations that don't want to, or can't, spend money on a more powerful product. It's probably safe to assume that Microsoft will roll more spam-filtering functionality into IMF as time passes, and I'll be interested to see how well the product keeps up with the legions of evil spammers.