Tuning IMF with IMF Tune - Izzy.Org by wuyunqing


Starting with Exchange 2003, Microsoft provided an add-on to assist in the filtering of spam
called the Intelligent Message Filter (IMF). IMF was initially an optional download that could
be installed on Exchange 2003. IMF was later included with SP2 for Exchange 2003 and
continued to provide a basic spam filtering solution for free. For the most part IMF is a “black
box” with only three options. In Exchange System Manager (ESM) you can set a gateway
threshold, a gateway action and a Junk E-mail folder threshold, see Figure I. These settings control
the level of filtering on all incoming mail and, for a message above the gateway threshold, whether
it should be rejected, deleted, archived, or transmitted. If the mail isn’t blocked at the gateway, or
incoming mail server, it can then be placed in the Junk E-mail folder in individual mailboxes if the
SCL is below the gateway threshold and above or equal to the Junk E-mail one. IMF uses a
rating called the Spam Confidence Level (SCL) for all messages. The higher the SCL, from 0 to
9, the better the chance the message is spam. So the gateway threshold should be set higher than the
Junk E-mail folder threshold to block as much spam as possible from reaching users’ mailboxes with
the lowest chance of false positives. The Junk E-mail setting is then used to move the rest of the
possible spam messages to the user’s Junk E-mail folder so they can easily find, review, delete, or
move them. The problem with IMF is that you have very little control over what messages are or
aren’t blocked. You can only set the threshold levels and then leave it up to IMF to decide
what to block. The filters and logic used by IMF are controlled by Microsoft. The filters are
normally updated the first and third Wednesday of the month and are very effective. But IMF
has no support for whitelisting, blacklisting, keyword management, spam message rerouting,
detailed logging, and other areas of fine tuning that most organizations need when it comes to
spam filtering.
Figure I - Standard IMF Settings

This article will cover a 3rd party product by WinDeveloper.com called IMF Tune. For more
information on Microsoft’s IMF see Microsoft’s IMF Operations Guide. The goal of IMF Tune
is to address the many shortcomings of IMF when it comes to fine tuning the filtering
process. IMF Tune is a quick and simple install and starts at $138 for a small business edition,
limited to 30 mailboxes and one server, and $298 per server for an unlimited “enterprise”
edition. This provides a VERY viable spam filtering solution for a fraction of the cost of other
3rd party filtering solutions. All messages are still processed by Microsoft IMF and assigned an
SCL; IMF Tune then evaluates each message, adjusts the SCL, and blocks the message or allows
it to continue to the user’s mailbox, see Figure II.
Figure II - How IMF Tune Works

The only change that needs to be made to Exchange is to change the Exchange IMF gateway
setting “When blocking messages” to “No Action.” This allows all messages, even ones that
Microsoft IMF would have blocked, to be processed by IMF Tune. The Junk E-mail folder
setting is still used by Exchange, or actually Outlook, to determine if a message should be moved
to a user’s Junk E-mail folder instead of their Inbox. Once these settings are set in Exchange,
IMF Tune can then be used to adjust the logic that is used in the identification of spam.

Using IMF Tune you can do all of the following:
• Create a whitelist of messages that should always be delivered based on IP, sender,
  recipients, and keywords in the various message fields.
• Create a blacklist of messages that should always be blocked, based on the same settings
  as above.
• Create a mapping of keywords to SCL levels. This allows for incrementing,
  decrementing, or setting the SCL level on a message based on the same criteria used for
  whitelisting and blacklisting. For example, if a message contains a key customer name
  you could have the SCL set to “whitelisted” to make sure those messages are always
  delivered. Similarly, if a message contains the word “Viagra” you could have the SCL
  level increased by 4, so if Exchange IMF assigned it an SCL of 3 IMF Tune would
  then change the SCL to 7. This is a VERY powerful feature of IMF Tune and allows
  organizations to get very granular with the identification of spam messages.
• Change message headers and/or subjects to include the SCL level. This allows SCL
  information to be used by other systems, message filtering programs, and by end users to
  easily sort messages by SCL.
• Optionally auto-reply to filtered e-mail messages in case of a false positive.
• Optionally strip attachments.
• Log all filtering and non-filtering actions in detail.
After installing IMF Tune, which includes a 30-day license, follow the steps below to configure
and learn more about the product.

Changing some basic settings in IMF Tune

   1. Launch IMF Tune, found under the “WinDeveloper IMF Tune” program group by default.
   2. The default filtering thresholds are imported from the Exchange IMF settings; as shown
      in the picture below, messages with an SCL of 7 or higher will be deleted.

      The Exchange server in question had the gateway threshold set to 7 and the
      Store Junk E-mail threshold set to 5.
   3. Change it so all messages with an SCL from 5 to 6 have the SCL inserted into the subject:
      a. Edit the SCL level between the allowed levels, 6 in the example above.
      b. On the Email Handling tab change the 1st SCL to 5.
      c. Click “Insert SCL/Custom Tag in email subject”.
      d. Click Tag Format…
         i.  Change “(SCL:” to “(POSSIBLE SPAM:”, or choose a tag of your choice.
             It is a good idea to use a prefix so users can sort by the SCL assigned to
         ii. Click OK.
      e. Click “Insert SCL in email header” (optional).
      f. Confirm the options selected:

      g. Click OK.
   4. Set the archive folder on all blocked messages:
      a. Edit the SCL levels that block messages, 7 – 9 in the example above.
      b. Click the Archiving section to the left.
      c. Click “Enable archiving to disk”.
      d. I would also suggest changing the default directory to be the same as the one used by
         IMF, if it was configured to archive messages, or to a known directory.
      e. Confirm the other options are configured as shown.

   5. Enable logging on all blocked messages:
      a. Click the Logging section.
      b. Click “Enable Disk Logging”.
      c. Click Browse and select the directory and file name the log should be written to.

         A single log file can be used for all SCL levels.
      d. Click OK to save the changes.
   6. Set all SCL 9 messages to be rejected:
      a. Click Add…
      b. Set the SCL Level to 9.
      c. Set the action to Reject.
      d. Enable “Custom Reject Message Text”.
         This text is returned to the sending server in the SMTP protocol response.
   7. Confirm the settings are similar to those below:

   8. Confirm or adjust the Exchange IMF “Store Junk E-mail Configuration” to be 5.
      This will move all messages with an SCL of 5 or higher to the user’s Junk E-mail folder.
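The per-SCL handling that steps 2 through 8 configure can be checked against sample messages before it is applied to live mail. The following is an added example written for this article, not IMF Tune's own code: it models the policy built above (SCL 5-6 tagged and delivered, 7-8 deleted with a copy archived and a log line written, 9 rejected with custom SMTP reply text, Store Junk E-mail threshold 5). The header name `X-SCL`, the reject text and the log-line format are assumptions made for the example.

```python
"""Model of the per-SCL handling configured in steps 2-8 (added example, not IMF Tune code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SUBJECT_TAG = "(POSSIBLE SPAM:"                     # tag prefix chosen in step 3d
SCL_HEADER = "X-SCL"                                # assumed name for the header added in step 3e
REJECT_TEXT = "550 5.7.1 Message rejected as spam"  # placeholder custom reject text (step 6d)
TAG_FROM, BLOCK_FROM, REJECT_AT = 5, 7, 9           # thresholds from steps 3, 4 and 6
JUNK_THRESHOLD = 5                                  # Store Junk E-mail threshold confirmed in step 8


@dataclass
class Message:
    sender: str
    subject: str
    scl: int                                        # SCL assigned by Exchange IMF, 0-9
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Outcome:
    action: str                                     # deliver, deliver-junk, archive-delete or reject
    subject: str                                    # subject as it would reach the mailbox
    headers: Dict[str, str]
    smtp_reply: Optional[str]                       # only set when the message is rejected
    log_line: str                                   # one line for the disk log enabled in step 5


def handle(msg: Message) -> Outcome:
    """Apply the configured thresholds to one message and return what happens to it."""
    scl = max(0, min(9, msg.scl))                   # SCL is defined on 0-9; clamp anything odd
    subject, headers, smtp_reply = msg.subject, dict(msg.headers), None
    if scl >= REJECT_AT:                            # step 6: refuse the message in the SMTP session
        action, smtp_reply = "reject", REJECT_TEXT
    elif scl >= BLOCK_FROM:                         # step 4: delete, with a copy archived to disk
        action = "archive-delete"
    else:
        if scl >= TAG_FROM:                         # step 3: tag subject and header, then deliver
            subject = f"{SUBJECT_TAG} {scl}) {subject}"
            headers[SCL_HEADER] = str(scl)
        # The Junk E-mail move is made by the Exchange store/Outlook, not by IMF Tune;
        # it is modelled here only to show the combined effect of step 8.
        action = "deliver-junk" if scl >= JUNK_THRESHOLD else "deliver"
    log_line = f"scl={scl} action={action} from={msg.sender} subject={msg.subject!r}"
    return Outcome(action, subject, headers, smtp_reply, log_line)


def summarize(messages: List[Message]) -> Dict[str, int]:
    """Count how many messages land in each action, e.g. to review a day's mail before going live."""
    counts: Dict[str, int] = {}
    for m in messages:
        a = handle(m).action
        counts[a] = counts.get(a, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample messages spanning the SCL range.
    sample = [Message("a@example.com", "Meeting notes", 1),
              Message("b@example.net", "Special offer", 5),
              Message("c@example.org", "Act now", 8),
              Message("d@example.org", "Cheap pills", 9)]
    for m in sample:
        print(handle(m).log_line)
    print(summarize(sample))
```

Running `summarize` over a sample of real SCL values (exported from the IMF Tune log) before changing thresholds shows how many messages would move between the tag, archive and reject buckets, which is the quickest way to spot a threshold that is too aggressive.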

Now that we have tuned some of the basic options in IMF Tune, the next step is to configure any
whitelist/blacklist settings. When adding whitelisted senders, understand that the From address in an
e-mail can easily be spoofed. So you should not add something like *@hotmail.com, since
hotmail.com, and many other common ISP and mail providers, are spoofed by spammers. If you
were to add “*@hotmail.com” as an “Accepted Sender” you would get all spam that had a from
address at hotmail.com. If there are organizations you commonly get e-mail from and you want
to make sure it is never blocked, it would make sense to add their domain name to the senders
whitelist, but if their domain name is spoofed by a spammer users will get those spam messages.
Under blacklist you can enable “Block Subjects” and add “SEXUALLY EXPLICIT” if you want
to block any e-mails where the sender has followed the guidelines to prefix such messages with
those words.

The most powerful section of IMF Tune is the “SCL Management” section. This area allows
for the incrementing, decrementing, or setting of the SCL based on keywords in any part of a
message, including the header, or the SMTP commands for the message, see Figure III for a
complete list. For example, if the “Received From:” part of the header contains the text “RDNS
failed” you could increase the SCL by 3 points. If you have Exchange configured to do a
reverse DNS lookup on all incoming messages, it will put this text in the “Received from” line of
the message header if the IP address that sent the message does not have a PTR record in the
DNS server responsible for that IP address, see my article on this subject.

Figure III - SCL Mapping Fields

I would suggest adding keywords relating to your organization to the list to decrement or
whitelist messages that contain them. For example, if your company sold a product called “Bass-
o-matic” you might want to either set the SCL of any message containing it to
whitelisted or have it decremented by a few points.
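The whitelist, blacklist and SCL Management rules discussed in the last three sections all reduce to the same evaluation: match a field, then adjust or override the SCL. The following is an added example for this article, not IMF Tune's own code. It applies rules of the kinds described (accepted and blocked senders or subjects, and keyword rules that increment, decrement or set the SCL when the subject, body, sender or the Exchange-written Received header contains a keyword) to a message carrying the SCL that Exchange IMF assigned, and returns the adjusted SCL or a whitelisted/blacklisted verdict together with the list of rules that fired, which is what you would want in the disk log. The rule syntax, field names, evaluation order and sample messages are assumptions made for the example.

```python
"""Model of SCL Management and whitelist/blacklist rules (added example, not IMF Tune code)."""
import fnmatch
from dataclasses import dataclass
from typing import List, Tuple, Union

WHITELISTED = "whitelisted"   # terminal verdicts: delivered / blocked regardless of SCL
BLACKLISTED = "blacklisted"


@dataclass
class Rule:
    field: str                # "sender", "subject", "body" or "received"
    pattern: str              # glob for sender (e.g. *@partner.example); substring otherwise
    op: str                   # "inc", "dec" or "set"
    value: Union[int, str]    # points for inc/dec; a fixed SCL, WHITELISTED or BLACKLISTED for set


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    received: str             # Received: header that Exchange wrote for the connecting host
    scl: int                  # SCL assigned by Exchange IMF


def matches(rule: Rule, msg: Message) -> bool:
    """Case-insensitive match of one rule against the field it names."""
    text = getattr(msg, rule.field, "").lower()
    if rule.field == "sender":
        return fnmatch.fnmatch(text, rule.pattern.lower())
    return rule.pattern.lower() in text


def evaluate(msg: Message, rules: List[Rule]) -> Tuple[Union[int, str], List[str]]:
    """Return (final SCL or verdict, descriptions of the rules that fired).

    Assumed order: rules are tried top to bottom; the first whitelist/blacklist hit
    is terminal, numeric changes accumulate, and the result is clamped to 0-9.
    """
    scl, fired = msg.scl, []
    for r in rules:
        if not matches(r, msg):
            continue
        fired.append(f"{r.field}~{r.pattern!r} {r.op} {r.value}")
        if r.op == "set" and r.value in (WHITELISTED, BLACKLISTED):
            return r.value, fired
        if r.op == "set":
            scl = int(r.value)
        elif r.op == "inc":
            scl += int(r.value)
        elif r.op == "dec":
            scl -= int(r.value)
    return max(0, min(9, scl)), fired


# Constructed rule set mirroring the article's examples.
RULES = [
    Rule("subject", "SEXUALLY EXPLICIT", "set", BLACKLISTED),  # labelled adult mail
    Rule("subject", "Bass-o-matic", "set", WHITELISTED),       # your own product name
    Rule("received", "RDNS failed", "inc", 3),                 # sending IP has no PTR record
    Rule("body", "Viagra", "inc", 4),
    Rule("sender", "*@partner.example", "dec", 2),             # trusted partner domain
]

if __name__ == "__main__":
    # Constructed message: IMF gave it SCL 3, the body mentions Viagra, reverse DNS failed.
    m = Message("x@example.net", "Hello", "buy Viagra today",
                "Received: from mail.example.net (RDNS failed)", 3)
    print(evaluate(m, RULES))   # (9, [...]) once the +3 and +4 are applied and clamped
```

The `fired` list is the point of the design: a sender rule such as `*@hotmail.com` set to `WHITELISTED` would, as the article warns, return `whitelisted` for any message with a spoofed hotmail.com From address, and seeing that rule named in the log for a spam message is how you find and remove such an entry.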

There is a great FAQ and User Guide, which includes step-by-step instructions on how to install
and configure IMF Tune, on the WinDeveloper.com website. In addition, you can download
IMF Tune from the website and try it out for 30 days for free. They also have multiple
whitepapers and related links on their site.

While IMF Tune may not have all of the spam filtering features larger organizations will require,
it should easily meet the 80/20 rule for most.

Make sure you manage your archive folder: just like any other logging or archive folder, you
should delete files out of it to keep it from getting too large. I use a BAT file I found on the
Internet to do this. It deletes all files older than 7 days in the folder specified in the “Start in:”
line of the Scheduled Task, see Figure IV. The usage of the BAT file, called DeleteOldFiles.bat, is
<folder with the files> <days of items to keep> <file mask [optional]>. In the example below it
deletes all files older than 7 days in the D:\Exchange\IMF directory and logs the results to

Figure IV - Deleting Old Files
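For anyone who would rather not run a batch file of unknown origin from a scheduled task, the following is an added example of the same retention sweep, written for this article and not the DeleteOldFiles.bat referred to above. It takes the same arguments, `<folder> <days to keep> [file mask]`, removes only regular files directly in the folder whose last-modified time is older than the cutoff, and returns the removed paths so each run can be logged. The demo folder, file names and ages are constructed in a temporary directory; on a real server the folder would be the archive directory chosen in step 4d.

```python
"""Retention sweep for the IMF Tune archive or log folder (added example, not the article's BAT file)."""
import fnmatch
import os
import sys
import tempfile
import time
from pathlib import Path
from typing import List, Optional, Tuple

DAY = 86400  # seconds


def delete_old_files(folder: str, keep_days: int, mask: str = "*",
                     now: Optional[float] = None, dry_run: bool = False) -> List[str]:
    """Delete files in `folder` matching `mask` that are older than `keep_days` days.

    No recursion, so subfolders are never touched; a file exactly `keep_days` old is kept.
    With dry_run=True the candidates are reported but left in place. Returns sorted paths.
    """
    if keep_days < 0:
        raise ValueError("keep_days must be >= 0")
    now = time.time() if now is None else now
    cutoff = now - keep_days * DAY
    removed: List[str] = []
    for entry in Path(folder).iterdir():
        if not entry.is_file() or not fnmatch.fnmatch(entry.name, mask):
            continue
        if entry.stat().st_mtime < cutoff:
            if not dry_run:
                entry.unlink()
            removed.append(str(entry))
    return sorted(removed)


def demo_sweep(keep_days: int = 7) -> Tuple[List[str], List[str]]:
    """Build a throwaway archive folder, sweep *.eml in it, return (removed, kept) file names."""
    now = time.time()
    with tempfile.TemporaryDirectory() as folder:
        ages = {"old-spam.eml": 10, "recent-spam.eml": 2, "notes.txt": 30}  # constructed, in days
        for name, age in ages.items():
            p = Path(folder, name)
            p.write_text("constructed sample")
            os.utime(p, (now - age * DAY, now - age * DAY))   # back-date the modification time
        removed = delete_old_files(folder, keep_days, "*.eml", now=now)
        kept = sorted(p.name for p in Path(folder).iterdir())
    return [Path(r).name for r in removed], kept


if __name__ == "__main__":
    if len(sys.argv) >= 3:   # same arguments as the BAT file: folder, days to keep, optional mask
        folder, days = sys.argv[1], int(sys.argv[2])
        mask = sys.argv[3] if len(sys.argv) > 3 else "*"
        for path in delete_old_files(folder, days, mask):
            print("deleted", path)
    else:
        print(demo_sweep())
```

Scheduled with the same arguments the article gives the BAT file (`D:\Exchange\IMF 7`), it keeps a week of archived spam; running it once with `dry_run=True` from an interactive session first confirms the mask and cutoff select only what you expect.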
