Recall Emails sent in error from Outlook Web Access (OWA)

WinDeveloper IMF Tune
WinDeveloper IMF Tune

Exchange 2007 Content Filter Updates

Alexander Zammit

Alexander Zammit Photo

Alexander Zammit has been developing server applications for over 15 years. Most of his works involve Exchange integrated applications, including a FAX server, a mail security product and anti-spam products.

Cast your Vote
Poor Excellent

Microsoft provides three types of anti-spam updates for Exchange 2007. Today we see how this evolved from the Exchange 2003 IMF update system. We also see how to enable updates and how to make sure that the latest updates are in-place.

The Exchange 2007 Anti-Spam Content Filter relies on regular updates to stay up-to-date with the ever changing spamming trends. This is nothing new. The Exchange 2003 Intelligent Message Filter (IMF) has been receiving updates for almost 3 years now. However as we shall see the update system for Exchange 2007 changed in a number of ways.

Updates, Updates and more Updates

The Exchange 2003 IMF has access to one update type that is made available twice a month. On the other hand Exchange 2007 has a choice of three update types. However these are not for everyone. Access to the different update types depends on licensing.

Exchange 2007 Standard, just like its predecessor, can only tap to one of the update types. All three update types are available if running Exchange 2007 Enterprise or Microsoft Forefront Security for Exchange. Having clarified this point let's see what the update types are:

Type Enterprise/
Forefront
Standard Details
Content filter updates Yes Yes Similar to what we have in Exchange 2003 IMF. Updates the SmartScreen Spam heuristics.
IP Reputation Service Yes No An IP Block list exclusive to Exchange 2007.
Spam signature Yes No Signatures of the latest spam campaigns. Used together with Content Filter updates. Enhance the Content Filter SCL rating logic.

The IP Reputation and Spam Signature updates are more time critical than the Content Filter updates. The IP Block list needs to be refreshed as soon as a new host starts distributing spam. Spam signatures are meant to immediately identify new spam waves and again responsiveness makes all the difference. Thus everyday Microsoft releases multiple updates for these.

To satisfy the need to quickly pick updates Exchange 2007 includes the Microsoft Exchange anti-spam update service. This acts as a client to Microsoft Update, polling exclusively anti-spam updates once every hour.

Finally note that updates are not available to the 32-bit Exchange 2007 build. This build is not supported and is only meant for basic product evaluation. Thus if planning to test anti-spam as part of your Exchange 2007 evaluation, make sure to run the 64-bit build.

Enabling Updates

Just like in Exchange 2003, filter updates continue to be distributed through the Microsoft Update service (not Windows Update).

To start receiving the updates, enablement is required for each Exchange server. Here we find a welcome improvement. Exchange 2003 IMF update enablement required the manual setting of a registry value. This unintuitive switch used to be a hurdle, especially for newcomers. Exchange 2007 has made up for this, providing control both through the Management Console and the Shell. Furthermore the Exchange 2007 SP1 installation will immediately enable update reception.

At the Console select the server under Edge Transport. Here we find the enable/disable updates switch.

Enabling Updates on Edge Server

On a Hub Transport server we first need to make sure the anti-spam agents are installed otherwise the updates switch won't show up. For details please refer to The Exchange 2007 Content Filter Agent. Next we control enablement by selecting the server under Server Configuration | Hub Transport.

Enabling Updates on Hub Transport Server

Clicking Disable Anti-spam Updates will immediately disable reception of all updates and at the console the Enable Anti-spam Updates link is displayed. Clicking the Enablement link to turn it back on will launch a wizard that allows us to select which updates to retrieve.

Enabling Updates Wizard

The Wizard is really mostly relevant to users running Exchange 2007 Enterprise or Forefront Server. If we look at the bottom of the dialog we can see the notice alerting us of this. So if running Exchange 2007 Standard we might as well select the Manual Update mode and complete the wizard. Exchange Enterprise users here can choose between Manual and Automatic updates and whether to also retrieve the IP Reputation and Spam Signatures in addition to the Content Filter updates.

Anti-Spam Updates Cmdlets

The Exchange 2007 command shell supports three cmdlets for managing updates.

Get-AntispamUpdates is the one you will be using most often. It shows which updates are enabled and the currently installed update versions.

Enable-AntispamUpdates/Disable-AntispamUpdates allows us to enable/disable the reception of anti-spam updates.

The Enable/Disable cmdlets provide similar functionality to that provided by the console with a little more flexibility. However here I won't discuss the cmdlet parameters, for details on this refer to the TechNet documentation linked at the References section. Just keep in mind that in case you are running Exchange 2007 Standard most of the options do not apply.

Let's have a look at Get-AntispamUpdates. Here is what we get by running the cmdlet immediately after installing Exchange 2007 SP1 without ever receiving any updates.

Get-AntispamUpdates

Note how for each of the three update types we have the installed update version. We will be using that in a moment. However before that, we have to deal with a problem. Have a look at this value:
MicrosoftUpdate: NotConfigured

This means Microsoft Updates are not enabled on this server. Thus we won't receive anything even though the Exchange Management Console shows that updates are enabled. All we need, to resolve this issue, is to visit Microsoft Updates and allow it to install. Once ready, re-running Get-AntispamUpdates returns MicrosoftUpdate as Configured:

Enabling Microsoft Updates

Getting the Latest Updates

It is now time to return to the update versions that Get-AntispamUpdates supplies us. This is what we need when checking if the latest updates are in place. MS is conveniently providing an RSS feed listing all the released updates and their version. Here are the links, just subscribe the relevant feed at your RSS reader:

Exchange 2007 Content Filter Updates Feed

Exchange 2003 IMF Updates Feed

And here is how the feed looks like in RSS Bandit.

Updates RSS Feed

If we look closely, we can see a number of IP Block List and Anti-spam Signature updates on the same day. Also note how each update specifies exactly whether it is meant for Exchange Enterprise or Exchange Standard. Indeed, even though both receive the Content Filter updates, separate releases are made for the two Exchange flavours. Lastly each entry of course includes the update version and the release date.

Update

As expected we don't have the latest updates since this is a fresh Exchange install. So here I manually check Microsoft Updates:

Polling Updates Manually

Completing the install we confirm that Get-AntispamUpdates now shows the latest version for the Content Filter update.

Latest Update Version

Final Tips

Updates in Exchange 2007 continue to be important for obtaining good filtering results. The system now supports three update types. However if running Exchange 2007 Standard we can only benefit from the Content Filter updates.

Better support is available for enabling and managing updates through the Management Console and Shell.

References

The Exchange 2007 Content Filter Agent

TechNet: How to Configure Anti-Spam Automatic Updates

TechNet: Anti-Spam Updates

Get-AntispamUpdates

Enable-AntispamUpdates

Disable-AntispamUpdates

Copyright © 2005 - 2016 All rights reserved. ExchangeInbox.com is not affiliated with Microsoft Corporation