By now most of you should already be familiar with version 1 of the Intelligent Message Filter (IMF), which is a SmartScreen-based add-on specifically developed to help Exchange Administrators reduce the amount of unsolicited commercial e-mail (UCE) also known as spam received by their end-users. IMF version 1 was originally released back when Exchange 2003 SP1 was released to the web, but as a separate Exchange web release. Although IMF version 1 is very efficient at filtering out spam, not much has happened when it comes to filter updates, actually Microsoft only released one update filter for IMF and that was back in February 2005!
I’ve also written an article covering IMF version 1, so if you don’t know much about IMF I suggest you start out by reading that one first (can be found here), then read this article afterwards.
And then came October 2005 where Exchange 2003 SP2 was released. As most of you know, Exchange 2003 SP2 contains a lot of new features and improvements among them are IMF version 2. This means IMF no longer is a separate add-on, but now an integrated part of the Exchange Server 2003 product. Microsoft has also promised IMF version 2 will be updated on a much more frequent basis, if everything goes as planned it will be available every first and third Wednesday of the month (via Windows Update)
If you still don’t have the overall picture of the new features and improvements contained in Exchange 2003 SP2, you may find this article worth a read.
Enabling and Configuring Intelligent Message Filter Version 2 (v2)
As IMF version 2 is considered a replacement for IMF version 1, one of your first tasks before applying Exchange 2003 SP2 is to uninstall IMF version 1. In addition you should bear in mind IMF is not cluster-aware so please do not try to enable IMF on any of the nodes belonging to an Exchange cluster server. Enabling IMF on an Exchange 2003 Front-end server belonging to a Network Load Balancing (NLB) cluster is supported though.
If you’re upgrading an Exchange 2003 or Exchange 2003 SP1 server where IMF version 1 has not been installed and you want to, for example, change the location of the IMF Archive directory etc. you manually need to create a registry key named ContentFilter under HKEY_LOCAL_MACHINE\Software\Microsoft\ExchangeHKEY_LOCAL_MACHINE\Software\Microsoft\Exchange in the registry (Figure 1).
Figure 1: ContentFilter registry key
When the key has been created you need to restart the SMTP Service, then you’re ready to configure special values such as the location of the aforementioned Archive directory. For details on which values can be configured under this key, I recommend you check out Chapter 6 of the Intelligent Message Filter Deployment Guide.
If you forget to remove IMF version 1 from one of your servers before you start applying Exchange 2003 SP2 a flag will be raised, and you will be told to uninstall IMF version 1 before continuing.
As was also the case with IMF version 1 you still configure the SCL thresholds for the Gateway and the Store under Global Settings > Message Delivery > Intelligent Message Filter tab in the System Manager (see Figure 2 below.)
Figure 2: Configuring the SCL value under the Intelligent Message Filter tab
In order to enable IMF, you need to checkmark Apply Intelligent Message Filter under the Property page of the Default SMTP Virtual Server (more specifically under the General tab > Advanced > Edit) in the System Manager as shown in Figure 3 below.
Figure 3: Enabling the Intelligent Message Filter
Some of you might remember IMF version 1 had its own node under the SMTP container object in the System Manager as shown in Figure 4 below. Obviously this has changed and IMF is now located under the Default SMTP Virtual Server together with the rest of the connection filters as shown in Figure 3.
Figure 4: IMF Version 1 node under the SMTP container object
The Custom Weighting Feature
IMF version 2 includes a completely new feature called the Custom Weighting Feature (CWF), which allows you to customize IMF even further. With CWF you can filter e-mail messages based on specific phrases within the body of the messages, the subject line or both. As is the case with some of the other Exchange 2003 SP2 features such as MAPI access per user and the database size limit changes, customization to the CWF cannot be done via the user interface. Instead you need to make changes directly in an associated .xml file (MSExchange.UceContentFilter.xml). The .xml file is read by IMF version 2 upon initialization, and then reloaded every time it’s modified. The MSExchange.UceContentFilter.xml file you create should be saved under the following path:
Figure 5: Content of the MSCFV2 folder
As can be seen in Figure 5 above the MSExchange.UceContentFilter.dll and MSExchange.UceContentFilter.dat files are also located in this folder.
Before you can make use of the CWF you need to register the MSExchange.UceContentFilter.dll file, you do this by opening a command prompt then issue the following command:
regsvr32 Drive_letter:\Program Files\Exchsrvr\bin\MSCFV2\MSExchange.UceContentFilter.dll
When the MSExchange.UceContentFilter.dll file has been registered you can start to add words or phrases to the MSExchange.UceContentFilter.xml, normally Notepad would be sufficient for this task (just make sure you save the file as a .xml in the Unicode format!)
Below is an example of specific phrases and values you can use in the MSExchange.UceContentFilter.xml file.
<?xml version=”1.0″ encoding=”UTF-16″?>
<CustomWeightEntry Type=”BODY” Change=”1″ Text=”Tortured with health problems?”/>
<CustomWeightEntry Type=”BODY” Change=”-2″ Text=” Cigar Sampler and Bonus Gifts for Xmas”/>
<CustomWeightEntry Type=”BODY” Change=”4″ Text=”Special offer”/>
<CustomWeightEntry Type=”BODY” Change=”-7″ Text=”Gratis piller”/>
<CustomWeightEntry Type=”SUBJECT” Change=”MIN” Text=”Free Pills“/>
<CustomWeightEntry Type=”BOTH” Change=”MAX” Text=”Cheap Viagra”/>
In Table 1 below I have listed each CWF value which can be used in the MSExchange.UceContentFilter.xml file.
Search for value specified in text in the BODY field of the message
Search for value specified in text in the SUBJECT field of the message
Search for value specified in text in the BODY and SUBJECT field of the message
The Change value is used to define what effect a matched word or phrase will have on the SCL score of a message. The Change can be any integer value. Should the word or phrase be matched, the change integer value will be added to the original SCL value. Should the value exceed the supported SCL value, it will be normalized to a 0 to 9 range. In addition to the Change can also use the MIN or MAX keywords. Any time a phrase with the MIN keyword is matched, the message is given an SCL of 0 regardless of any other weights. Any time a phrase with the MAX keyword is matched, the message is given an SCL of 9 regardless of any other weights. Any time there is both MIN and MAX matches for one message, the message is given an SCL of 0.
The word or phrase is specified here (supports Unicode phrases up to 1,000 characters)
Table 1: Custom Weighting Feature Values
If Event ID 7514 (Description: An error occurred while loading Microsoft Exchange Intelligent Message Filter. The error code is 0x80004005) is logged in the Application log after you enabled the custom word list feature in Intelligent Message Filter version 2 on a server that is running Exchange Server 2003 Service Pack 2, chances are it’s because you saved the MSExchange.UceContentFilter.xml file in ANSI format, you should instead save it in Unicode format, for detailed steps on how you resolve this issue, see MS KB article 907970.
Enabling the IMF Update Feature
In order to automatically receive IMF updates via Windows Update (or WSUS), you must enable the IMF update feature by creating a registry key. You create a DWORD registry key named ContentFilterState under:
Like with many other registry key, you need to enable it by entering 1 in the Data value field as shown in Figure 6 below.
Figure 6: IMF Update Feature Registry Key
When you have created the registry key shown in Figure 6 you need to restart the SMTP service in order to make the IMF update feature become effective.
The IMF updates will be available every first and third Wednesday of the month through Windows Update, Automatic Updates, WSUS and SMS technologies, and as you can see in Figure 7, 8, 9 and 10 below the first IMF update is already available for approval via Windows Update, Automatic Updates as well as WSUS.
Figure 7: IMF Update via Windows Update
Figure 8: IMF Update via Automatic Updates
Figure 9: IMF Update available via WSUS
Figure 10: IMF Update Revision Properties
For further details about the IMF update feature you might want to take a look at MS KB article: 907747 – How to update the Intelligent Message Filter version 2 in Exchange Server 2003 SP2.
IMF version 2 also includes a new anti-phishing technology mechanism known as the Phishing Confidence Level (PCL), this PCL value is incorporated in the IMF engine (more specifically the MSExchange.UceContentFilter.dat file). Each incoming message is verified against the phishing scams (and assigned a PCL value) before they are assigned an SCL value, this makes it possible for the PCL value to count in the overall SCL value assignment of each incoming message.
In this article we had a look at the new Intelligent Message Filter, which is included in Exchange 2003 SP2 and therefore now has become an integrated part of Exchange Server 2003. As most of you are aware the first version of the Intelligent Message Filter was a separate add-on released as a web release. As we have seen in this article IMF version 2 brings us several new functionalities such as the Custom Weighting Filter (CWF) as well as the Phishing Confidence Level (PCL) value which makes it even more efficient in the combat against unsolicited commercial e-mail (UCE) also known as spam as well as phishing attempts.
So far we have only seen one single filter update for IMF version 1! But Microsoft has, with IMF version 2, promised to deliver filter updates on a much more frequent basis (if everything goes as planned they will be released bi-weekly via Windows Update.)