IMF Archive Management Tools

Alexander Zammit

Alexander Zammit has been developing server applications for over 15 years. Most of his work involves Exchange integrated applications, including a FAX server, a mail security product and anti-spam products.

  • Published: Nov 22, 2007
  • Category: Anti-Spam

IMF Archiving dumps blocked emails to disk. As the archive grows, verifying these emails quickly becomes a challenge unless one of the archive management tools is employed.

The archive directory provides an opportunity to moderate emails blocked by the Intelligent Message Filter. The administrator can thus take a final decision between permanent deletion and delivery to the originally intended recipients.

A Quick IMF Archiving Tour

Archiving is one of the gateway action options available under Global Settings | Message Delivery | Intelligent Message Filter.

[Figure: IMF Properties]

The default archive directory is located under the Exchange application directory:
<Exchange dir.>\mailroot\vsi <n>\UCEArchive

Here <n> is the SMTP Virtual server instance number, for which the Intelligent Message Filter is enabled. Although not very common, in case of multiple SMTP Virtual servers we could have multiple archive directories.

The default path can be overridden from this registry value:

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\ContentFilter
Value: ArchiveDir
Type: String

The ContentFilter key may not be present. In that case we just create it manually. While at the registry, it is also worth highlighting the ArchiveSCL value. Setting this to 1 causes the insertion of the X-SCL header into archived emails, exposing SCL ratings.

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\ContentFilter
Value: ArchiveSCL
Type: DWORD

Finally note that getting these registry settings to go live may require an IIS Admin service restart.

OK Archived - What's next?

So we now have a directory filling up with filtered emails. IMF imposes no limit on the archive; it will just keep on dumping files here, leaving the rest to us.

The point of having such an archive is to allow moderation of blocked emails. Someone or some process should monitor this directory. It should certainly be emptied regularly as otherwise the number of files becomes overwhelming. However before deleting anything it is wise to skim through it, looking for any false positives.

No matter how good an anti-spam filter is, false positives are a reality to be aware of. False positives arise from senders who inadvertently send "spam like" emails, from an excessively aggressive IMF threshold configuration, from outdated IMF signature files and also due to the fact that IMF like any other filter is not perfect.

If a false positive is found we need to allow the email to continue its journey and reach the originally intended recipients. In practice this involves moving the email file to the SMTP Virtual server pickup directory located under:
<Exchange dir.>\mailroot\vsi <n>\pickup

The nicest thing about this mechanism is that the email reaches its recipients with all original headers intact. Apart from the delay that the stop at the archive folder introduces, end-users don't see any other differences in the email itself.
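The moderation pass described above, sketched as an added Python example (it is not part of the original article or of any of the tools discussed). It assumes archived files carry X-Sender, X-Receiver and, with ArchiveSCL enabled, X-SCL headers; the sample messages and the function names triage, resubmit and demo are constructed for illustration.

```python
import shutil, tempfile
from email.parser import BytesHeaderParser
from pathlib import Path

# Constructed sample archive (file name -> raw message); not real mail.
SAMPLES = {
    "a1.eml": b"X-Sender: promo@bulk.example\r\nX-Receiver: bob@corp.example\r\n"
              b"X-SCL: 9\r\nSubject: Cheap pills\r\n\r\nbuy now\r\n",
    "b2.eml": b"X-Sender: alice@partner.example\r\nX-Receiver: bob@corp.example\r\n"
              b"X-Receiver: carol@corp.example\r\nX-SCL: 6\r\n"
              b"Subject: Free quote for Q3 order\r\n\r\nhello\r\n",
    "c3.eml": b"X-Sender: x@unk.example\r\nX-Receiver: bob@corp.example\r\n\r\nno X-SCL\r\n",
}

def triage(archive_dir):
    """One record per archived .eml, lowest SCL (likeliest false positive) first."""
    rows = []
    for path in sorted(Path(archive_dir).glob("*.eml")):
        with open(path, "rb") as fh:
            msg = BytesHeaderParser().parse(fh)   # headers only, body not parsed
        scl = (msg.get("X-SCL") or "").strip()
        rows.append({
            "file": path.name,
            "scl": int(scl) if scl.isdigit() else None,   # None: no X-SCL header
            "sender": (msg.get("X-Sender") or "").strip(),
            "receivers": [r.strip() for r in msg.get_all("X-Receiver", [])],
            "subject": (msg.get("Subject") or "").strip(),
        })
    # Unrated messages (ArchiveSCL off) sort after all rated ones.
    rows.sort(key=lambda r: (r["scl"] is None, r["scl"] or 0, r["file"]))
    return rows

def resubmit(archive_dir, pickup_dir, filename):
    """Move one reviewed file to pickup; reject names that leave the archive."""
    src = (Path(archive_dir) / filename).resolve()
    if src.parent != Path(archive_dir).resolve() or src.suffix.lower() != ".eml":
        raise ValueError(f"not an archived .eml file: {filename!r}")
    return Path(shutil.move(str(src), str(Path(pickup_dir) / src.name)))

def demo():
    base = Path(tempfile.mkdtemp())           # stand-in for mailroot\vsi <n>
    archive, pickup = base / "UCEArchive", base / "pickup"
    archive.mkdir(); pickup.mkdir()
    for name, raw in SAMPLES.items():
        (archive / name).write_bytes(raw)
    rows = triage(archive)
    moved = resubmit(archive, pickup, rows[0]["file"])
    return rows, moved, sorted(p.name for p in archive.iterdir())

if __name__ == "__main__":
    print(*demo()[0], sep="\n")
```

Because the file is moved rather than rewritten, the message enters pickup byte for byte as IMF archived it.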

Emails are archived as files with an EML extension. These can be opened using Outlook Express. However reviewing emails in this manner becomes unfeasible as soon as the number of files starts growing. Luckily a number of free archive management tools are available that greatly simplify this process. We now look at three such tools.

IMF Archive Manager (IMFAM)

Calling such a tool "IMF Archive Manager" must be an obvious choice. In fact two out of the three tools we will be discussing were given this name. The first of these is a C# client and I will be referring to this as IMFAM.

IMFAM is an open source project that was originally hosted at the now defunct GotDotNet. I am pointing this out not for historic reasons, but because many blogs and sites referring to this viewer did not record the new IMFAM home. Thus it can be a bit tricky to find. In fact IMFAM is now hosted at Codeplex.com here:
http://www.codeplex.com/imfam

Currently the latest production release is version 2.0.5. There is also a beta update versioned 2.5 that includes some new features and fixes.

To install, just download the zip compressed package and extract all files to the directory of choice on the Exchange machine. Next start the application by running IMFFilterManager.exe. On the first run, the application will pop up two folder selection dialogs. At the first we need to identify the archive directory. At the second we identify the pickup directory. As already discussed, these are normally located under the Exchange application directory for the SMTP virtual server instance.

[Figure: Directory Configuration]

Once configured the application won't pop these dialogs again. However we can change paths anytime from the Settings menu.

We should now be ready to start using the application. IMFAM lists the emails on the left. On selecting a message, its key headers and the raw email content are shown in the right pane.

To expose all the columns we need to resize the list area. Version 2.0.5 gives the impression that this cannot be done. Just hover on the right of the list and watch the mouse icon changing to allow for the resize operation. This issue is solved in the 2.5 Beta with a proper resizing bar.

At the bottom we find buttons for:

  1. Refreshing the email list. In any case this is periodically done automatically.
  2. Deleting emails permanently.
  3. Resubmitting emails for delivery (i.e. moving the file to pickup).
  4. Copying the raw email to the clipboard.
  5. Sending a Report email.

The Report button is handy if we want to quickly forward copies of blocked emails to some fixed address. If we wanted to send the email to the originally intended recipients we would use the Resubmit button instead. Using the Report button requires the configuration of the settings under Settings | Report Settings...

[Figure: IMFAM - Reporting]

The Reporting configuration allows us to specify the address where the report is to be sent. It also allows us to strip the X-Sender, X-Receiver and X-SCL headers. This is useful if we want to keep this information from the report recipient. The X-Receiver header exposes the list of email recipients, including those being BCCed. Depending on who the report recipient is, this information may be classified as confidential.
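What stripping these headers amounts to, as an added Python example (not IMFAM's own code). It filters only the header block of a raw message, drops folded continuation lines together with their header, and passes the body through unchanged; the sample message and the name strip_for_report are constructed for illustration.

```python
SENSITIVE = {b"x-sender", b"x-receiver", b"x-scl"}

def strip_for_report(raw, names=SENSITIVE):
    """Drop the named headers (and their folded lines) from a raw message.

    Only the header block is filtered; the body is passed through byte for byte.
    """
    out, in_body, dropping = [], False, False
    for line in raw.splitlines(keepends=True):
        if in_body:
            out.append(line)
        elif line.strip(b"\r\n") == b"":          # blank line ends the headers
            in_body = True
            out.append(line)
        elif line[:1] in (b" ", b"\t"):           # continuation of previous header
            if not dropping:
                out.append(line)
        else:
            dropping = line.split(b":", 1)[0].strip().lower() in names
            if not dropping:
                out.append(line)
    return b"".join(out)

# Constructed sample: dave@ was BCCed, so he appears only in X-Receiver.
SAMPLE = (b"X-Sender: alice@partner.example\r\n"
          b"X-Receiver: bob@corp.example\r\n"
          b"X-Receiver: dave@corp.example\r\n"
          b"X-SCL: 7\r\n"
          b"From: alice@partner.example\r\n"
          b"To: bob@corp.example\r\n"
          b"Subject: Quote for\r\n\tQ3 order\r\n"
          b"\r\n"
          b"X-Receiver: this body line is kept\r\n")

if __name__ == "__main__":
    print(strip_for_report(SAMPLE).decode("ascii"))
```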

From the Settings menu we can switch the List to a Tree view. This exposes the full path and filename of the email. In the 2.5 Beta I installed, the tree view did not work very well, occasionally throwing .NET exceptions. So if this is an important feature you should either wait for a more stable release or stick with 2.0.5.

A useful addition in version 2.5 is the fact that double clicking list items allows us to open the emails in Outlook Express. In this manner we can more easily review the email body and any attachments. In v2.0.5 this is not possible, leaving us only with the raw email view to figure out what the email looks like.
