Problem solve Get help with specific problems with your technologies, process and projects.

'Smart' technology stops spam at the gate

If you use Exchange 2003, you have another weapon in your arsenal against spam: the Intelligent Message Filter.

Heads-up, spammers. You have another watchdog on your tail.

Last month Microsoft announced that its Intelligent Message Filter (IMF) would be available to all Exchange 2003 customers, and not just those with a Software Assurance maintenance agreement in their contracts, as originally planned.

The IMF, now available for download, uses Microsoft's "SmartScreen" technology to determine whether or not incoming e-mail is spam, NDRs or other unwanted e-mail.

The IMF is installed on the Exchange 2003 gateway servers that accept incoming e-mail from the Internet, or on a bridgehead server accepting e-mail for a non-Exchange server.

When you install IMF, it creates two new objects labeled "Intelligent Message Filtering," a tab in Global Settings | Message Delivery Properties and a node under the SMTP protocol. You can also choose to install the administration tools only, for the sake of managing IMF on another computer.

SmartScreen works by examining certain elements of inbound e-mail -- more than 500,000 discrete characteristics, according to Microsoft Research -- and comparing them against similar elements that have been pre-classified as being either legitimate or spam. The administrator can also provide classification data as the filter processes more e-mail. In doing this, the filter can start with a good sense of what is spam and what isn't, but won't be locked into those definitions permanently.

When an e-mail comes in, it is assigned a "confidence level" (a concept also used by the freeware antispam product SpamBayes), which describes how "spammy" the message is. By default, a message with a confidence level of 3 or higher (higher numbers mean a better chance of the message being spam) is screened out. For situations where there is a good volume of e-mail that has a better chance of being tracked as spam (i.e., false positives), you can raise this number by one, but the default settings should work in most environments.

This confidence level travels with the message no matter where it is in Exchange, and can be used by Outlook 2003 to determine if the message should be filtered on the client side, depending on the client's own settings. IMF also can operate in conjunction with existing whitelisting/blacklisting techniques, so if mail from a friendly recipient is marked as spam by IMF, it won't be tossed out. (If users are on an earlier version of Outlook but are using Outlook Web Access 2003, the safe sender and block sender features will work.)

If you are using Exchange in a cross-forest topology, with a bridgehead server in one forest accepting e-mails for another, you must enable cross-forest authentication by creating connectors in each forest. Each connector must use an authenticated account from the other forest, with the appropriate Send As permissions. The accounts must also be set to require authentication to send outbound e-mail. When this is done, the extended message attributes for IMF will be passed along transparently.

The IMF can be downloaded here: The plug-in only works in Exchange 2003, but does not require Windows 2003 Server. It will also run on Windows 2000 Service Pack 3 and up.

Also available is the IMF Management Pack, which lets you garner statistics about the IMF's performance. For instance, you could use the System Monitor to see how many messages the IMF has rejected or allowed in a given period of time. A sudden spike in unwanted e-mail may mean an NDR attack is under way.

Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter.

Do you have a useful Exchange tip to share? Submit it to our monthly tip contest and you could win a prize and a spot in our Hall of Fame.

Dig Deeper on Exchange Server setup and troubleshooting

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.