Intelligent Message Filter, Content Filter, can do more...

WinDeveloper IMF Tune

Quarantine and Reporting for Exchange IMF/Content Filter Agent

Alexander Zammit


Software Development Consultant. Involved in the development of various Enterprise software solutions. Today focused on Blockchain and DLT technologies.


Professional Reporting and Moderation is often associated with the more expensive anti-spam solutions. WinDeveloper is challenging the trend, providing this functionality for the built-in Exchange 2003/2007/2010 anti-spam.

Initially it was a fairly simple idea, tagging email subjects to expose the Exchange 2003 Intelligent Message Filter SPAM ratings. Five years and many builds later WinDeveloper is finalizing a Web Interface providing professional Reporting and email Moderation for the built-in Exchange 2003/2007/2010 anti-spam. This component is part of the new IMF Tune v5.5. At the time of writing, this is available for download as a Release Candidate.

But aren't Free Moderation Tools Already Available?

So far we had a number of free tools providing email moderation for the Exchange 2003 IMF. As discussed in IMF Archive Management Tools, these were based on IMF disk archiving. In Exchange 2007 and 2010 the Content Filter provides the option to Quarantine spam to a central mailbox. The quarantines are packaged as NDRs. From Outlook, users are then able to review blocked emails.

Development on the free tools used with IMF stopped after a few version updates. Despite being buggy, there have been no new fixes in recent years. In the long run it is hard to develop free tools unless you have the backing of some sponsor. The release of Exchange 2007, introducing a completely different quarantine repository, has probably dealt the final blow to these projects.

The Exchange 2007/2010 quarantine solution is also riddled with shortcomings. Outlook does a great job when dealing with emails; however it is not a true email moderation interface. There is a lot of information relevant to a quarantine that is not typically included in a general purpose email client. For example an administrator is certainly interested to see why an email was blacklisted, to see how the email content, addresses, IPs etc. contributed to the spam rating, and to have that information right next to the quarantine.

Another shortcoming is the use of NDRs to package quarantines. The NDR hides the original email in an attachment. In the end this translates into more clicks to get down to the original email. When you are dealing with thousands of emails, or even just a few hundred, those extra clicks become a significant hurdle. The temptation to hit shift-delete blindly is much bigger if the interface is not helpful.

Another issue with the Exchange 2007/2010 Quarantine is the fact that it uses the Exchange Database as a repository. Despite working on IMF Tune for over five years and being perfectly aware of the volume of spam organizations receive, I was still impressed with the reduction in load on our mailbox server once we stopped using a quarantine mailbox. The first thing you will see is a significant reduction in database transaction logs.

Another area where we saw ample space for improvement is access control. The free and built-in quarantine options do not offer much flexibility. The only option is that of giving full access to one or more administrators over the Quarantine and all emails within it. There is no way to allow users to only access emails addressed to them. No way to allow users to resubmit but not delete quarantines. No way to expose the full email recipient list (including BCCs) to administrators but not to regular users.

So what is IMF Tune Adding?

So far we looked at some of the main limitations of the free and built-in IMF/Content Filter moderation interfaces. We have not even touched on reporting. Indeed there is little to talk about when it comes to built-in reporting. So we now turn our attention to what is being added in order to bring the IMF/Content Filter up to speed in these areas.

The new quarantine system is composed of an IIS ASP.NET Web Interface and an MS SQL database backend. This relieves Exchange from wasting resources on spam, allowing it to better service the emails that matter.

System Setup

The main moderator interface is intended to quickly review and act on blocked emails.

Moderator Email List

The email view may also be filtered using various criteria.

Moderator Email Filtering

Opening an email we have an interface similar to that of an email client. However this also includes information relevant to spam filtering.

Quarantine Email

Quarantine Email Headers

Here is the SMTP Envelope property page including the full recipient list...

Quarantine Email SMTP Protocol

...and this is the Keyword Report showing exactly which whitelists, blacklists and filtering rules matched the email leading to the final spam rating:

Quarantine Email Keywords

Reporting

Turning our attention to reporting, we have the General Spam Detection Report and the Detailed Spam Detection Report.

The General report includes a number of bar charts and line graphs giving an overall view of the filtering performance. Here are the report headings under this category:

  • How many e-mails were Accepted, Rerouted, Deleted, Rejected by IMF Tune?
  • How many e-mails were Re-Submitted (Accepted) or Deleted at the Moderator?
  • How many e-mails did each SCL rating match?
  • Daily e-mail load/spam
  • Daily SCL ratings
  • Day of week e-mail load/spam
  • Hour of the day e-mail load/spam
  • Last 5 hours e-mail load/spam per minute

The following are some example reports. The first bar chart shows how emails were handled by the spam filter. It shows whether the email was Accepted, Deleted silently, Rejected with an SMTP rejection response, or Rerouted to a central spam mailbox. As usual with IMF Tune even Rejected emails may be reviewed and resubmitted if required.

Email Handling Report

The next chart shows how quarantines are being moderated. It shows the total number of emails Deleted, Resubmitted or pending Moderation.

Moderation Status Report

The next chart pictures the individual spam ratings. As you can see most emails are getting an SCL rating of 8 in this case.

SCL Ratings Total

The next graph also shows how emails are being rated. However here we see how the ratings are varying over the days covered by the reporting period.

SCL Ratings against Time

The information presented under the Detailed Spam Detection Report is more specific. The report headings include:

  • How are individual keywords performing?
  • Which are the recipients getting most e-mails?
  • Which are the recipients getting most spam?
  • Where are the e-mails coming from (by IP)?
  • Where is the spam coming from (by IP)?
  • Who are the top e-mail senders?
  • Who are the top spam senders?
  • Which are the last 100 emails received?

The first report shown here is the most interesting in my opinion. It shows how often the configured keywords, IPs, addresses etc. are matching processed emails. This gives a good indication of the configuration effectiveness.

For example, let's say you set up a blacklist because of the current spam wave targeting Facebook. After a few months that type of spam might have been discontinued and the configured keywords might not be matching anything. From here we will get a good indication of these changing trends. In that case we might remove that blacklist to avoid any misclassifications if Facebook usage is allowed within the organization.

Keywords Performance Report

The next set of tables highlights certain patterns in the emails and spam being received: which recipients receive the most emails, who the top senders are, and which IPs the emails originate from.

Email Load per Recipient

Email Load per IP

The last report here is a simple list of the last 100 emails that went through the filter. This is not a spam filtering report. It is more intended to provide a heartbeat showing the activity going on.

Most Recent Emails

Access Control

The last bit we will discuss here is access rights control. A lot of flexibility is available in this area. To begin with, five fixed roles are defined: User, User Read Only, Admin, Admin Read Only and Reporting Only. These assign a standard set of rights. Alternatively we can go for custom rights assignment.

As the names suggest, the User roles only give access to the set of emails owned by the user, the Admin roles give access to all emails, whereas the Reporting role only allows access to the General and Detailed reports but not to the Quarantined emails themselves.

The complete set of rights is configurable when selecting Custom rights assignment. The individual rights include:

  • View all emails
  • View own emails only
  • View message processing details
  • View General Spam Detection Report
  • View Detailed Spam Detection Report
  • Delete any email
  • Delete emails if user is the only recipient
  • Delete emails if user is one of the recipients
  • Re-submit any email
  • Re-submit emails if user is the only recipient
  • Re-submit emails if user is one of the recipients

Access Control
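The recipient-scoped rights listed above can be modelled as a least-privilege check. The following is an added example, not IMF Tune code: the `Right` names paraphrase the list, and the rule that an action requires view access, the role mapping for Admin Read Only, and the sample addresses are assumptions.

```python
from dataclasses import dataclass
from enum import Flag, auto


class Right(Flag):
    # Names paraphrase the rights listed above; not the product's identifiers.
    VIEW_ALL = auto()
    VIEW_OWN = auto()
    DELETE_ANY = auto()
    DELETE_ONLY_RECIPIENT = auto()
    DELETE_ONE_OF_RECIPIENTS = auto()
    RESUBMIT_ANY = auto()
    RESUBMIT_ONLY_RECIPIENT = auto()
    RESUBMIT_ONE_OF_RECIPIENTS = auto()


@dataclass(frozen=True)
class Quarantined:
    recipients: frozenset  # full envelope recipient list, lower-cased, BCCs included


def can_view(rights, user, mail):
    return Right.VIEW_ALL in rights or (
        Right.VIEW_OWN in rights and user.lower() in mail.recipients)


def _scoped(rights, user, mail, any_r, only_r, one_of_r):
    # Assumption: no action is allowed on a message the caller cannot view.
    if not can_view(rights, user, mail):
        return False
    if any_r in rights:
        return True
    if user.lower() not in mail.recipients:
        return False
    if one_of_r in rights:
        return True
    # "Only recipient" scope: acting on shared mail would affect other people.
    return only_r in rights and len(mail.recipients) == 1


def can_delete(rights, user, mail):
    return _scoped(rights, user, mail, Right.DELETE_ANY,
                   Right.DELETE_ONLY_RECIPIENT, Right.DELETE_ONE_OF_RECIPIENTS)


def can_resubmit(rights, user, mail):
    return _scoped(rights, user, mail, Right.RESUBMIT_ANY,
                   Right.RESUBMIT_ONLY_RECIPIENT, Right.RESUBMIT_ONE_OF_RECIPIENTS)


# Constructed sample data and custom rights sets (assumed, for illustration).
SHARED = Quarantined(frozenset({"alice@example.com", "bob@example.com"}))
SOLO = Quarantined(frozenset({"alice@example.com"}))
CUSTOM_USER = (Right.VIEW_OWN | Right.RESUBMIT_ONE_OF_RECIPIENTS
               | Right.DELETE_ONLY_RECIPIENT)
ADMIN_READ_ONLY = Right.VIEW_ALL  # assumed mapping of the fixed role
```

With `CUSTOM_USER`, a recipient can release a shared message for themselves but cannot delete it out from under the other recipients.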

Final Tips

All this functionality does not come for free. However with a 15 mailbox license at $170, IMF Tune should not cause any budget concerns. Furthermore this price includes the entire IMF Tune v5.5 product of which the Moderator/Reporting is only one component.

Copyright © 2005 - 2024 All rights reserved. ExchangeInbox.com is not affiliated with Microsoft Corporation