Bringing Together the Exchange Anti-SPAM Cocktail

Alexander Zammit

Alexander Zammit has been developing server applications for over 15 years. Most of his work involves Exchange integrated applications, including a FAX server, a mail security product and anti-spam products.

  • Published: Jun 14, 2005
  • Category: Anti-Spam
  • Votes: 4.8 out of 5 - 5 Votes

Ever wondered how many times an email is analyzed for all sorts of things? Today Exchange and Outlook on their own provide four layers just for SPAM filtering. Together these provide quite good protection but, as we shall see, using all of them might be unnecessary.

Exchange, Outlook and many third party products are all there ready to plug into the email flow. Is the email SPAM? Does it contain a virus, a Trojan, or maybe spyware? Any rude words in outgoing emails? The reasons for analyzing email content are only limited by our imagination.

Today I will focus on anti-SPAM only, and will limit myself further to the protection provided by Microsoft. Even so, you will see just how colorful the cocktail starts to get. In the introduction I promised you four protection layers from Outlook and Exchange alone. The list that follows sorts the filters starting from the recipient client and moving outwards towards the network edge. Emails, of course, meet these filters in the reverse order.

  1. Outlook 2003 client side anti-SPAM filtering. SmartScreen technology provides the email content analyzing engine. This is combined with Safe Senders, Safe Recipients and Blocked Senders lists for a more effective filter.

    Outlook 2003 Junk E-mail Filtering

    When Outlook 2003 is installed, filtering is set to Low by default. Thus it acts only on emails that are SPAM with a high degree of certainty. Outlook 2003 relies on static filtering databases for which Microsoft provides periodic updates. This means that if you install Outlook 2003 today, the filtering technology will be fairly outdated unless you also install the latest update (see references).

  2. Exchange 2003 re-implements the per-mailbox Safe Senders, Safe Recipients and Blocked Senders lists. For organizations with Outlook 2003 the reason might not be immediately apparent. Why should the same functionality be implemented twice? This is necessary for organizations using earlier versions of Outlook, or to handle the case when Outlook 2003 filtering is not available (more on this later).

    Exchange 2003 per Mailbox Filtering

  3. Exchange 2003 Intelligent Message Filter (IMF). IMF is also based on SmartScreen Technology and again relies on periodic updates provided by Microsoft. Compared to third party offerings, IMF provides a stripped down server side anti-SPAM solution. Still, today with add-ons such as IMF Tune, IMFcompanion and IMF Archive Manager this gap has been bridged.

    Exchange Intelligent Message Filter

  4. Exchange 2003 server level Connection, Sender and Recipient Filtering. This is the first line of defense to be applied right at the network edge.

    Exchange Connection, Sender, Recipient Filtering

Let's see these filters in action and walk step-by-step with an email as it moves through each filtering stage. Here I will simply assume that all layers are configured and enabled:

  1. The sending server initiates an SMTP connection. Exchange analyzes the connecting IP against its connection filtering list. If listed, Exchange refuses the connection immediately.

  2. If the connection goes through, the sending server will then supply the SMTP sender address which is verified against Sender Filtering.

  3. Next in line is recipient filtering, checking each of the destination addresses.

  4. We have now completed the first filtering stage. The email is now in the hands of the Exchange Intelligent Message Filter. Here it is analyzed and assigned an SCL rating. The email is then either filtered by Gateway Blocking or goes through, heading towards the recipient mailbox.

  5. The email is right at the recipient mailbox. Exchange has to determine whether to deposit it in the Inbox or in Junk Email. It is now time to check the Safe Senders, Safe Recipients and Blocked Senders lists. A match with any of these lists will determine the final destination.

  6. If no match was found at the previous stage, Exchange has to check the IMF SCL rating. This is where the IMF Store Junk Email SCL threshold comes into play. If the email was assigned an SCL greater than the configured threshold, the Junk Email folder becomes the final destination.

    Note that up to this stage all processing was done by Exchange 2003. This type of functionality is available to all organizations independently of what type of email client is in use.

  7. Exchange has now completed its job and it is the turn of Outlook 2003 to perform further processing. Outlook will only process emails reaching the Inbox if it is used in cached mode or with personal folders. If this is the case, the client side content filter and the Safe Senders, Safe Recipients and Blocked Senders lists are used to analyze the email, determining the final classification between legitimate email and junk.
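The seven steps above, written out as a decision function that reports which stage decides a message's fate. This is an added example, a simplified model and not Microsoft's or the author's code: all class, field and function names are hypothetical, the threshold values are constructed, and two details the article does not state are assumptions (the gateway comparison uses `>=`, and safe lists are consulted before the blocked list).

```python
from dataclasses import dataclass, field

@dataclass
class Mailbox:                            # per-mailbox lists used in steps 5 and 7
    safe_senders: set = field(default_factory=set)
    safe_recipients: set = field(default_factory=set)
    blocked_senders: set = field(default_factory=set)
    outlook_cached_or_pst: bool = False   # step 7 only runs in these modes

@dataclass
class Policy:                             # server-level settings (constructed values)
    blocked_ips: set = field(default_factory=set)
    blocked_senders: set = field(default_factory=set)
    blocked_recipients: set = field(default_factory=set)
    gateway_scl: int = 8                  # assumption: blocked when SCL >= this
    store_scl: int = 5                    # article: junk when SCL > this

def check_lists(mbx, sender, rcpt):
    """Assumption: safe lists win over the blocked list."""
    if sender in mbx.safe_senders or rcpt in mbx.safe_recipients:
        return "Inbox"
    if sender in mbx.blocked_senders:
        return "Junk E-mail"
    return None                           # no list matched

def route(policy, mbx, ip, sender, rcpt, imf_scl, outlook_says_spam=False):
    """Return (deciding stage, outcome) for one message to one recipient."""
    if ip in policy.blocked_ips:
        return ("1 connection filter", "refused")
    if sender in policy.blocked_senders:
        return ("2 sender filter", "rejected")
    if rcpt in policy.blocked_recipients:
        return ("3 recipient filter", "rejected")
    if imf_scl >= policy.gateway_scl:     # runs before any per-mailbox safe list
        return ("4 IMF gateway", "blocked")
    verdict = check_lists(mbx, sender, rcpt)
    if verdict:
        return ("5 mailbox lists", verdict)
    if imf_scl > policy.store_scl:
        return ("6 IMF store threshold", "Junk E-mail")
    if mbx.outlook_cached_or_pst:
        # Same lists again: with step 5 enabled they cannot match here.
        verdict = check_lists(mbx, sender, rcpt)
        if verdict is None and outlook_says_spam:
            verdict = "Junk E-mail"
        return ("7 Outlook client", verdict or "Inbox")
    return ("6 IMF store threshold", "Inbox")
```

In this model a Safe Senders entry overrides the store threshold in step 5 but cannot rescue a message already stopped by Gateway Blocking in step 4.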

An interesting point is that the Safe Senders, Safe Recipients and Blocked Senders lists were applied twice in the steps above. In this particular case the processing of these lists at the Outlook client is redundant. Still, keep in mind that here we are considering a case where all filtering is being applied. This is not always the case.

Another point of interest is that SmartScreen Technology filtering was in this case applied at two separate stages, once by IMF and once by Outlook. If we were to update both filters with the latest releases from Microsoft available today, we should expect differing behaviors from these filters simply because Microsoft releases Outlook filter updates more often than IMF updates. Nevertheless, this difference is not that noticeable when looking at the end result.

Compared to Outlook based filtering, IMF has the important advantage of being a server side solution. At the server you can apply Gateway Blocking, minimizing the load of SPAM reaching the recipient mailbox. Added to this, IMF simplifies administration. It is clearly easier to manage one filter at the server than hundreds of filters at end user machines. Today, with increasing support from third party tools, IMF is becoming the most appropriate solution at the enterprise level, rendering filtering at the client unnecessary.

References

Exchange Intelligent Message Filter

Latest Exchange IMF update

How to obtain the latest Microsoft Office Outlook 2003 junk e-mail filter updates

User Comments - Page 1 of 1


Alexander Zammit 23 Jul 2008 23:36
IMF Tune hasn't got any such limitation; you can load its white/black lists with thousands of entries.

However, it is best to discuss any IMF Tune questions with WinDeveloper support.

IMF user 23 Jul 2008 21:06
We've moved to using the full set of Exchange spam filtering steps (and tarpit NDRs) but our biggest problem is that the custom content weighting list xml definitions file is limited to 128k. Does IMFTune overcome this limitation or do you know of a patch that allows it to be larger?
Copyright © 2005 - 2018 All rights reserved. ExchangeInbox.com is not affiliated with Microsoft Corporation