Introduction
The Intelligent Message Filter (IMF) was designed to be a hands-off anti-spam package for Exchange 2003. Compared to other packages there is very little to configure. This means an administrator can configure a confidence level for blocking mail but has no control over particular e-mails falsely identified as spam.
However, IMF can store blocked e-mails in an archive directory, which can be browsed and searched. So you can either look at those e-mails yourself or use one of the available third-party free IMF archive managers.
Preparation
First of all, you need to configure IMF to archive mails, instead of deleting or rejecting them.
The Archive folder is typically found at “program files\exchsrvr\mailroot\vsi <#>\UceArchive” where <#> is the VSI number the IMF filter is configured to run on. If you haven’t played around with your server too much the VSI number will be “1”.
I would recommend moving this directory to a large drive because spam really accumulates over time.
To change the location of this directory, you should locate, using the Registry Editor, the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\ContentFilter
Add to this key the string value “ArchiveDir” with the name of a folder such as “E:\Archive”.
You can also implement a script that deletes old files such as this one:
' folder to start search in...
path = "c:\program files\exchsrvr\mailroot\vsi 1"
' delete files older than 7 days...
killdate = date() - 7
arFiles = Array()
set fso = createobject("scripting.filesystemobject")
' Don't do the delete while you still are looping through a
' file collection returned from the File System Object (FSO).
' The collection may get mixed up.
' Create an array of the file objects to avoid this.
'
SelectFiles path, killdate, arFiles, true
nDeleted = 0
for n = 0 to ubound(arFiles)
    on error resume next ' in case of "in use" files...
    arFiles(n).delete true
    if err.number = 0 then
        nDeleted = nDeleted + 1
    end if
    on error goto 0
next
sub SelectFiles(sPath,vKillDate,arFilesToKill,bIncludeSubFolders)
    on error resume next
    ' select files to delete and add to array...
    '
    set folder = fso.getfolder(sPath)
    set files = folder.files
    for each file in files
        ' uses error trapping around access to the
        ' Date property just to be safe
        '
        dtlastmodified = null
        on error resume next
        dtlastmodified = file.datelastmodified
        on error goto 0
        if not isnull(dtlastmodified) then
            if dtlastmodified < vKillDate then
                count = ubound(arFilesToKill) + 1
                redim preserve arFilesToKill(count)
                set arFilesToKill(count) = file
            end if
        end if
    next
    if bIncludeSubFolders then
        for each fldr in folder.subfolders
            SelectFiles fldr.path,vKillDate,arFilesToKill,true
        next
    end if
end sub
You can add the script to the Control Panel Scheduled Tasks and run it every week. The script goes through subdirectories so it will also delete old mails from the “Bad Mail” directory which is quite recommended though unrelated to the topic of this article.
Behind the scenes
This “UceArchive” folder, or whichever other folder is chosen for the IMF queue, fills up with files with the EML extension, much like the regular SMTP queues. You can view these files using Notepad. Double-clicking them will typically open Outlook Express, which lets you view the e-mails and their attachments. You can also search these files for a certain text using the regular operating system search feature.
Having looked up the files you can delete them as they are not locked. You can also resubmit an e-mail by moving it to the SMTP “pickup” folder, typically located under “c:\program files\exchsrvr\mailroot\vsi 1”. This folder is used by the IIS/Exchange SMTP engine to place e-mails before routing them. Do not resubmit an e-mail if you did not change your IMF settings or otherwise update IMF, because it will just end up in the IMF archive folder again.
Essentially, IMF managers provide a GUI for the actions listed above. They can be run remotely if you share the IMF queue and the Pickup folders.
IMF Archive Manager
This utility, written in C#, can be downloaded here:
http://www.gotdotnet.com/workspaces/workspace.aspx?id=e8728572-3a4e-425a-9b26-a3fda0d06fee
It does not provide an installer, or icons or anything of that sort, so after unpacking it you need to locate its EXE file to run it.
At startup it will ask you for the locations of the IMF archive and the pickup directory.
Fortunately, it stores these selections so that subsequent runs of the utility do not require you to re-enter the folders.
IMF Archive Manager can allow you to view the SCL rating of an e-mail so you can learn a bit about how IMF decides on blocking e-mails. Analyzing it might let you re-evaluate your IMF setting, choosing higher settings.
As you can see the SCL box is empty because I did not configure IMF to archive e-mails with their ratings. To do so, using the Registry Editor, you must locate the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\ContentFilter
Add to this key the DWord value “ArchiveSCL” of “1”.
Doing so allows you to see which SCL value was assigned to an e-mail and how sure IMF was that any given e-mail is indeed spam. To view the SCL ratings of all the messages you need to scroll the left pane right. This is a weak spot of the IMF Archive Manager’s GUI, especially seeing that you cannot expand the utility’s window.
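The actions described under “Behind the scenes” (listing, searching and resubmitting archived EML files) together with reading the archived SCL rating can also be scripted. The following is an added example, not code from either utility or from the original article. It assumes the rating is stored in an “X-SCL” header whose first token is the SCL number, so check one of your own archived files first; the function names and the sample messages are constructed for illustration.

```python
import shutil
import tempfile
from email import policy
from email.parser import BytesHeaderParser
from pathlib import Path

SCL_HEADER = "X-SCL"  # assumed header name; confirm against a file in your archive

# Constructed sample messages (not real spam) standing in for archived .eml files.
SAMPLES = {
    "a.eml": b"From: promo@example.net\r\nTo: bob@example.com\r\n"
             b"Subject: Cheap watches\r\nX-SCL: 8 97.50%\r\n\r\nBuy now\r\n",
    "b.eml": b"From: alice@example.org\r\nTo: bob@example.com\r\n"
             b"Subject: Quarterly invoice\r\nX-SCL: 5 60.12%\r\n\r\nSee attached\r\n",
}


def read_archive(archive_dir):
    """Parse only the headers of every .eml file in the archive folder."""
    records = []
    for path in sorted(Path(archive_dir).glob("*.eml")):
        with open(path, "rb") as fh:
            msg = BytesHeaderParser(policy=policy.default).parse(fh)
        first = str(msg.get(SCL_HEADER, "")).split()[:1]
        scl = int(first[0]) if first and first[0].isdigit() else None
        rec = {k: str(msg.get(k, "")) for k in ("From", "To", "Subject")}
        records.append({**rec, "scl": scl, "path": path})
    return records


def search(records, field, text):
    """Case-insensitive substring search on one header field."""
    return [r for r in records if text.lower() in r[field].lower()]


def release(record, pickup_dir):
    """Resubmit a message by moving its file into the SMTP pickup folder."""
    dest = Path(pickup_dir) / record["path"].name
    return Path(shutil.move(str(record["path"]), str(dest)))


def demo():
    """Run against a temporary archive and pickup folder built from SAMPLES."""
    root = Path(tempfile.mkdtemp())
    archive, pickup = root / "UceArchive", root / "Pickup"
    archive.mkdir()
    pickup.mkdir()
    for name, body in SAMPLES.items():
        (archive / name).write_bytes(body)
    hits = search(read_archive(archive), "From", "alice")
    moved = release(hits[0], pickup)
    return hits[0]["scl"], moved.name, [r["Subject"] for r in read_archive(archive)]
```

On a real server, point read_archive at the UceArchive folder and release at the Pickup folder; messages archived without the rating come back with an SCL of None.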
The utility also has a report feature allowing you to e-mail an archived e-mail to an external SMTP engine.
IMF Companion
You can download this utility here:
http://stoekenbroek.com/imfcompanion.htm
The download is an MSI file, so unlike IMF Archive Manager it has a proper installer and its own desktop icon. Its GUI is much better, as the e-mail information is presented in an easier-to-read horizontal rather than vertical pane, with a few handy buttons.
It also features a useful search tool (you can access it by pressing the “binocular” button) that allows you to search e-mail fields such as “To”, “From”, etc.
However it does not show the SCL rating, and lacks the reporting feature of IMF Archive Manager.
Missing Features
Following is a list of features I think should be added to these tools:
Automatic folder identification
Surely this is not such a complex programming task as all it requires is querying the Windows registry and the IIS Metabase.
Release e-mail to feature
Instead of resubmitting an e-mail, simply deliver it to the mailbox. There are various methods of doing this: MAPI, WebDAV, even the M: drive, but the easiest way to do this is by creating an authenticated SMTP session with Exchange. By default these are not scanned by IMF.
HTML view of e-mails.
Nothing beats Outlook Express, which can display an e-mail message in its original language with all the HTML code intact. The easiest way to do this would be to simply use Outlook Express to view messages.
Statistics
Always a good thing. Oh, and if you’re at it, how about a graph?
Eventually Microsoft will probably add this functionality to Exchange System Manager, perhaps with one of the Exchange 2003 service packs.
Conclusion
IMF Companion seems to be the better IMF add-on tool of the two, unless you really need to see the SCL ratings of messages, but I’m sure you can e-mail the author of this utility to add this feature.
You are not going to get the features of complex and expensive anti-spam packages, such as daily updates and whitelisting, but having IMF as a low-cost solution, as a second front and possibly as a method of testing how effective more professional solutions are, can go a long way if you know how to make it work for you.