So you were flooded with SPAM like everyone else. Once you are running Exchange 2003, you install the free Exchange Intelligent Message Filter (IMF). Good, thresholds set and problem solved! SPAM now goes to the Junk Email folder and you can focus on your business. Sounds too good to be true, right? Are we sure it is only SPAM ending up in the Junk Email folder? What if valid email is being rejected?
When discussing IMF it is easy to end up discussing how best to configure the Gateway and Store thresholds. There are plenty of articles on this topic, and today I want to move a step further. The fact is that even with the best anti-SPAM solution, even if it is configured by the book, the risk of classifying valid emails as SPAM is always present. This is typically referred to as a false positive. The other side of the coin is the risk of a false negative, i.e. SPAM classified as legitimate email. Still, this is clearly much less serious. The end-recipient can easily cope with a few false negatives.
False positives are much more problematic. If your address has been around for some time, maybe even listed in newsgroups or mailto links, chances are that you are getting lots of SPAM. So having legitimate email mixed with this load of SPAM makes it much more difficult to track.
When did you actually last review your Junk Email folder? Or do you simply go Select All, Shift-Delete? This is in fact the key issue with Junk Email folders. Such a system is developed with the assumption that the end-recipient is conscious of this risk and is on the lookout. Since you are reading this, there is some probability you are a good network citizen. Still, the fact is that many end-recipients don't really review their Junk Email folder. This defeats the point of having these folders in the first place.
So any organization adopting anti-SPAM solutions of this type must somehow minimize the risk of losing emails, and hence business. Here are some tips on how to mitigate this risk as applied to systems adopting IMF. The strategy presented here is twofold. On one hand we have to strive for an optimal configuration; on the other hand we have to provide the necessary conditions for effective Junk Email review.
- Get the IMF thresholds right.
- Keep up with the latest IMF updates.
- Monitor the system effectiveness and make adjustments.
- Reduce the emails reaching the Junk Email folder whenever possible.
- Make Junk Email review easier for the end-recipient.
The first three points address the need to have an optimal configuration. This is when you would focus on threshold settings. System monitoring is important since SPAM is a moving target, so the configuration has to be tweaked to cater for the changing conditions. IMF updates are periodically released by Microsoft. These feed the IMF engine with the latest trends in the world of SPAM, enabling it to adjust filtering accordingly. For more details on threshold configuration, check my previous article, "IMF SCL Configuration - getting it right".
Reducing the emails reaching the Junk Email folder is another important point. One shouldn't let all SPAM end up in the Junk Email folder. The point here is that emails with a very high probability of being SPAM should be blocked at gateway level. IMF provides the Archive, Delete and Reject options for this purpose. Further to this, one could combine IMF with other SPAM filtering technologies available with Exchange 2003 out of the box. This includes RBLs, and static block lists for recipients, senders, and IPs. I discussed this aspect in detail in a previous article, "Hardening Anti-SPAM Protection".
The last point focuses on creating the necessary conditions for end-recipients to effectively review the content of the Junk Email folder. The previous steps aimed at reducing the likelihood of false positives and reducing the total number of emails ending up here. This in itself eases the burden of Junk Email review. Still, we can do more. We can put in place a company policy and also provide tools to simplify the review process.
Company policy is part of the education process that needs to take place. Luckily SPAM has been given so much media exposure that most users will already have a fairly good understanding of the issues. Nevertheless, with users having a widely varying understanding of technology, this can be quite a challenge. Combining company policy with user education is an art in itself, into which I won't delve any deeper today.
We are ready to close the circle. It is time for the users to start verifying the content of that folder. This is when tools come in handy. As you will know by now, IMF uses SCL ratings to classify the likelihood of emails being SPAM. SCLs range from 0 to 9, where the higher the value, the more likely an email is to be SPAM. So a nice tool is one that enables sorting of emails by SCL rating. In the Junk Email folder the end-recipient can then make sure to verify the emails most at risk of a false result.
Compare this to the case where users have to go through a flat list of emails. For example, consider a setup where emails with SCL 4 and higher end up in the Junk Email folder. Enabling users to quickly check all emails with SCL 4 and 5 directly addresses the range of ratings most at risk. A more relaxed review policy could then be applied for higher ratings. For example, higher ratings could be checked on an on-demand basis. This is a huge improvement over the on-demand-only approach adopted by many users.
IMF Tune is one such tool. It provides the ability to insert SCLs into the subject of all emails ending in the Junk Email folder. In this manner emails can be sorted by SCLs. This is done at a server level eliminating the burden of client side configurations.
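The review policy described above, sketched as an added example (not code from IMF Tune or from the original article). The `[SCL-n]` subject tag format, the function names and the sample subjects are assumptions constructed for illustration; the real tag a tool writes may differ.

```python
import re
from collections import defaultdict

# Assumed tag format "[SCL-n]" at the start of the subject (constructed for this example).
SCL_TAG = re.compile(r"^\[SCL-(\d)\]\s*")

def parse_scl(subject):
    """Return (scl, subject_without_tag); scl is None when no tag is present."""
    m = SCL_TAG.match(subject)
    if m is None:
        return None, subject
    return int(m.group(1)), subject[m.end():]

def build_review_queue(subjects, store_threshold=4, band=2):
    """Split Junk Email subjects into (review_now, on_demand).

    Ratings store_threshold .. store_threshold + band - 1 sit closest to the
    threshold and are the likeliest false positives. Untagged messages are
    also reviewed now because their rating is unknown.
    """
    review_now, on_demand = [], []
    for subject in subjects:
        scl, clean = parse_scl(subject)
        if scl is None or scl < store_threshold + band:
            review_now.append((scl, clean))
        else:
            on_demand.append((scl, clean))
    # Untagged first, then ascending SCL (lowest rating = most likely legitimate).
    review_now.sort(key=lambda m: (m[0] is not None, m[0] or 0))
    on_demand.sort(key=lambda m: m[0])
    return review_now, on_demand

def false_positive_rate_by_scl(reviewed):
    """reviewed: iterable of (scl, was_legitimate). Returns {scl: rate}."""
    totals, legit = defaultdict(int), defaultdict(int)
    for scl, was_legitimate in reviewed:
        totals[scl] += 1
        legit[scl] += int(was_legitimate)
    return {scl: legit[scl] / totals[scl] for scl in sorted(totals)}

# Constructed sample subjects, as they might appear in a Junk Email folder.
JUNK_SUBJECTS = [
    "[SCL-8] Cheap watches", "[SCL-4] Re: Quote for March order",
    "[SCL-5] Invoice attached", "[SCL-9] You have won",
    "Meeting notes", "[SCL-6] Newsletter",
]

if __name__ == "__main__":
    now, later = build_review_queue(JUNK_SUBJECTS)
    print("Review now:", now)
    print("On demand: ", later)
```

Feeding the outcomes of user reviews into `false_positive_rate_by_scl` shows which ratings actually produce false positives, which is the input needed for the "monitor and adjust" step.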
References
Exchange Intelligent Message Filter
Exchange IMF update
IMF SCL Configuration - getting it right
Hardening Anti-SPAM Protection