Intelligent Message Filter, Content Filter, can do more...

The Intelligent Message Filter as an Additional Filtering Layer

Alexander Zammit

Alexander Zammit has been developing server applications for over 15 years. Most of his work involves Exchange integrated applications, including a FAX server, a mail security product and anti-spam products.

  • Published: Feb 23, 2006
  • Category: Anti-Spam

Many organizations adopting the Intelligent Message Filter already have other anti-spam solutions in place. Adding IMF to the picture offers the opportunity to further harden spam filtering. Here are the key points for effectively deploying IMF as the second line of defense.

Many organizations are today adopting the Intelligent Message Filter to block spam at server level. Some rely on IMF exclusively; others are combining it with their current filters to further harden spam filtering.

Since Exchange 2003 SP2, IMF has been waiting for just one mouse click to kick in. With the filter so readily available, administrators can hardly avoid facing some of these questions:

Why shouldn't IMF be enabled?

What are the benefits of having multiple products doing the same job?

Can IMF coexist with other anti-spam solutions?

How complex is it to manage the different filtering products?

Will the end-user experience be consistent?

Looking at IMF as a second anti-spam filtering layer is indeed an interesting scenario. In this case we are looking at organizations that already invested in an anti-spam solution and want to get the most effective spam filtering setup. Here the fact that IMF is free is certainly of secondary importance.

Picturing IMF

Let's start by putting the Intelligent Message Filtering technology into perspective and mention some basic facts. This filter is developed by a highly trusted vendor. Since you are reading this, it is probably the vendor most trusted by your organization. This vendor developed most of the software running on your network, including the most business-critical applications. Right, you guessed it: it is Microsoft.

Secondly, this filter is now maturing. The second IMF version improved its email analysis technology. Sender ID verification can be combined with the message rating process. Furthermore, IMF is now receiving updates twice a month, keeping it in sync with the latest spamming trends.

To round it off, IMF is easy to configure, readily available on each Exchange 2003 SP2 machine and free.

I intentionally left "free" for last. Too often this tends to overshadow the more important facts about IMF. Being free certainly simplifies the process to adopt IMF. Nevertheless here we are looking at organizations that already invested in other anti-spam solutions. These are organizations where the filtering result is the critical factor and not pricing.

Layered Filtering

Layering involves combining a number of filtering technologies. Each processes messages trying to separate spam from legitimate emails. Individual layers may immediately filter spam through rejection, deletion, etc. Otherwise a filter may contribute to a shared email rating system. Thus the classification process is distributed over a number of filtering layers.

Layering may at first sound complex. In reality it is the standard way anti-spam filtering is performed. I cannot think of a single anti-spam package that is not composed of a collection of layered filtering technologies. As an example you can look at the various anti-spam filtering layers provided by Exchange 2003 and Outlook 2003 on their own.

So should we simply chain as many filters as possible? Throwing in filters blindly won't give the best results. Effective layering should be based on filtering technologies. A good technology mix should cover all the information within the email delivery process and the email content itself. For a discussion of various filtering technologies from a layering perspective, check my article "Hardening Anti-SPAM Protection".

A chain of filters that covers the broadest spectrum could be one comprising SMTP protocol command filtering, verification of sender reputation, signature-based filtering and a self-learning filter. Having filters based on the same technologies is certainly less effective. The filters would in that case end up analyzing the same information, potentially missing other valuable data.

Answering the Questions

We are now ready to start addressing some of the introductory questions. Our scenario is quite broad. The answers do depend on the specifically deployed anti-spam filters. Nevertheless we can identify a common approach on how to tackle these questions.

Why shouldn't IMF be enabled?

What are the risks of enabling ANY anti-spam filter? False email classification. The fact that IMF is in use at various organizations and the fact that it comes from a trusted vendor should help us build some confidence. Nevertheless, being cautious does not hurt.

I already discussed configuring IMF in the past. "IMF SCL Configuration - getting it right" discusses configuring IMF v1 in a conservative manner. The same approach can be directly applied to IMF v2. Just keep in mind the difference in enablement and deployment between the two IMF versions.

Organizations combining IMF with other filters can take further advantage of their position. Most filters are able to express their email classification in terms of a confidence rating. We could break down this type of classification into three:

  1. Email is most likely Legitimate

  2. Email classification is uncertain

  3. Email is most likely Spam

The idea is to operate the filters within the range where email classification is most accurate. Ideally we should only allow filters to block emails when the likelihood of an email being spam is very high. As soon as we fall in the uncertainty range, email classification is considered inconclusive. The decision should then be left to the next filter. Filters built on different technologies look at the same message from a different angle. This gives us a fresh opportunity to classify the email. Hopefully this time the message is classified with a high degree of certainty.

This approach indeed combines the strengths of individual filters in order to minimize false classification. Applying the concept to IMF, one could operate the filter at the higher SCL threshold levels. Once the system is running, we can start lowering the thresholds a little to fine-tune the system. Having multiple filters brings extra flexibility. If one filter is giving better results than another, then we can lower its filtering benchmark, whilst retaining the thresholds for the other.
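
The layering and threshold tuning described above, as an added example that is not part of the original article or of any product: each layer blocks only in its high-confidence band and otherwise passes the decision on, and the effect of lowering one layer's threshold is measured on a labelled sample. The layer names, the ratings, the sample messages and the assumption that both filters rate on the same 0 to 9 scale as the SCL are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Layer:
    name: str
    rate: Callable[[Dict], int]  # spam confidence: 0 (legitimate) .. 9 (spam)
    block_at: int                # block only at or above this rating

def classify(msg: Dict, layers: List[Layer]) -> Tuple[str, Optional[str]]:
    """A layer blocks only inside its high-confidence band; anything below
    that is treated as inconclusive and left to the next layer."""
    for layer in layers:
        if layer.rate(msg) >= layer.block_at:
            return "block", layer.name
    return "deliver", None

def evaluate(sample: List[Dict], layers: List[Layer]) -> Tuple[int, int]:
    """Return (false positives, missed spam) for a labelled sample."""
    verdicts = [(m["spam"], classify(m, layers)[0]) for m in sample]
    false_pos = sum(1 for spam, v in verdicts if not spam and v == "block")
    missed = sum(1 for spam, v in verdicts if spam and v == "deliver")
    return false_pos, missed

def build(existing_at: int, imf_at: int) -> List[Layer]:
    """Existing filter first, IMF as the second layer (hypothetical stand-ins
    that read pre-computed ratings instead of analysing the message)."""
    return [Layer("existing", lambda m: m["existing"], existing_at),
            Layer("imf", lambda m: m["scl"], imf_at)]

# Constructed sample: ratings from both filters plus the true label.
SAMPLE = [
    {"id": "m1", "spam": True,  "existing": 9, "scl": 5},
    {"id": "m2", "spam": True,  "existing": 4, "scl": 8},
    {"id": "m3", "spam": True,  "existing": 5, "scl": 6},
    {"id": "m4", "spam": False, "existing": 6, "scl": 1},
    {"id": "m5", "spam": False, "existing": 2, "scl": 5},
    {"id": "m6", "spam": False, "existing": 1, "scl": 0},
    {"id": "m7", "spam": True,  "existing": 3, "scl": 7},
]

if __name__ == "__main__":
    for label, layers in [("conservative 8/8", build(8, 8)),
                          ("IMF lowered 8/6", build(8, 6)),
                          ("both lowered 6/6", build(6, 6))]:
        print(label, evaluate(SAMPLE, layers))
```

On this sample, lowering only the IMF threshold catches the remaining spam without a false positive, while lowering both thresholds blocks legitimate message m4.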

Copyright © 2005 - 2018 All rights reserved. ExchangeInbox.com is not affiliated with Microsoft Corporation