When IMF Tune was born just over two years ago, we set ourselves a simple goal: "Unleash the Full Intelligent Message Filter Power". Today, with the fresh release of version 3, I look at how far we have come in achieving it, by walking through examples where IMF Tune adds the functionality that makes the difference.
1. The PDF Spam Wave
The latest PDF spam wave caught many anti-spam filters unprepared. The emails contain no body content; instead they deliver their message as a PDF attachment. Other variants followed using other attachment types, including FDF and ZIP.
Because of the lack of body content, IMF assigned low SCL ratings, allowing the emails to reach the Inbox. With the help of IMF Tune Advanced Rules, we configured a rule that accurately identifies and filters these emails.
Advanced Rules are composed of a number of conditions, exceptions and an action. The conditions match specific characteristics of the email being targeted. In this case we used these condition types:
Email has no body text
Attachment name contains ".pdf" or ".fdf" or ".zip"
Email size is less than or equal to 40KB
We then set the action to "Blacklisted" in order to immediately block the emails from reaching their destination.
2. Image Spam
Image spam is another classic Achilles' heel of content-based anti-spam filters. Typically these emails contain an inline image instead of body text; some also include garbage text. Content filters are able to learn the garbage text but again have problems when little or no text is present.
Looking at the MIME structure of a typical image spam, we discover some characteristics of interest:
--------------080002030100010403070405
Content-Type: image/gif;
name="popularity.gif"
Content-Transfer-Encoding: base64
Content-ID: <part1.05020207.06070207@xxxxxx.com>
Content-Disposition: inline;
filename="popularity.gif"
We could easily increment the SCL rating of emails containing images by matching the content media type. In the above example this is "image/gif". In IMF Tune this condition would be used:
Content media type matches "image/"
We could also target emails whose image is meant to appear inline within the body by creating a rule against the Content-Disposition header:
Content-Disposition contains "inline"
3. Foreign Spam
I can speak Maltese, English, Italian and a little French. Emails in other languages are greeted by a Shift-Delete. Instead of deleting manually, we can set up a server rule to filter emails by character set. Hoping not to irk any Chinese readers of this page, here is an example blocking ISO-2022-CN with IMF Tune:
Body character set "ISO-2022-CN"
4. User Specific White/Black Lists
It might be OK for me to block emails in a foreign language, but sales and technical support might have different requirements, so user-based rules are a requirement for effective filtering. IMF Tune allows us to include a condition listing recipient addresses. Combining this with other conditions identifies the recipients for whom the rule applies. Here is the condition:
Sent to recipient sales@domain.com
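The conditions and actions from sections 1 to 4, as an added example that is not IMF Tune's code or configuration: a small Python rule evaluator built on the standard library's email parser. Each IMF Tune condition type named above becomes a function over the parsed message, a rule is a list of conditions plus exceptions and an action, and a Blacklisted action stops processing immediately. The sample messages, the addresses, the +3 SCL increment for inline images, the rule names and the sales@domain.com exception on the character-set rule are my own constructions; the 40KB limit, the attachment name fragments, the "image/" media type, the "inline" disposition, ISO-2022-CN and the recipient address come from the text.

```python
import email
from email import policy

# Constructed samples, not real spam: a body-less PDF attachment (section 1),
# an inline GIF (section 2) and a message declaring a Chinese character set
# (sections 3 and 4). Addresses and MIME boundaries are made up.
PDF_SPAM = b"""From: a@example.invalid
To: me@domain.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"


--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

IMAGE_SPAM = b"""From: b@example.invalid
To: me@domain.com
Subject: Popularity
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b2"

--b2
Content-Type: text/html; charset="us-ascii"

<html><body><img src="cid:part1"></body></html>
--b2
Content-Type: image/gif; name="popularity.gif"
Content-Transfer-Encoding: base64
Content-ID: <part1>
Content-Disposition: inline; filename="popularity.gif"

R0lGODlhAQABAAAAACw=
--b2--
"""

FOREIGN = b"""From: c@example.invalid
To: me@domain.com
Subject: Hello
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-2022-CN"

Hello
"""
# Same message addressed to the sales mailbox, which the exception below spares.
FOREIGN_TO_SALES = FOREIGN.replace(b"To: me@domain.com", b"To: sales@domain.com")


# Condition types from the article, each a predicate over the parsed message.
def has_no_body_text(msg):
    body = msg.get_body(preferencelist=("plain", "html"))
    return body is None or (body.get_payload(decode=True) or b"").strip() == b""

def attachment_name_contains(msg, fragments):
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    return any(f in n for n in names for f in fragments)

def has_media_type(msg, prefix):
    return any(p.get_content_type().startswith(prefix) for p in msg.walk())

def has_disposition(msg, disposition):
    return any(p.get_content_disposition() == disposition for p in msg.walk())

def body_charset_is(msg, charset):
    body = msg.get_body(preferencelist=("plain", "html"))
    return body is not None and (body.get_content_charset() or "") == charset.lower()

def sent_to(msg, address):
    for hdr in msg.get_all("To", []) + msg.get_all("Cc", []):
        if any(a.addr_spec.lower() == address.lower() for a in hdr.addresses):
            return True
    return False

RULES = [
    # Section 1: three conditions, action Blacklisted.
    {"name": "PDF spam wave",
     "conditions": [lambda m, raw: attachment_name_contains(m, (".pdf", ".fdf", ".zip")),
                    lambda m, raw: len(raw) <= 40 * 1024,
                    lambda m, raw: has_no_body_text(m)],
     "exceptions": [], "action": ("blacklist", None)},
    # Section 2: inline image raises the SCL (the +3 is my choice, not the article's).
    {"name": "Inline image",
     "conditions": [lambda m, raw: has_media_type(m, "image/"),
                    lambda m, raw: has_disposition(m, "inline")],
     "exceptions": [], "action": ("increment_scl", 3)},
    # Sections 3 and 4: block a character set, except for the sales recipient.
    {"name": "Foreign character set",
     "conditions": [lambda m, raw: body_charset_is(m, "ISO-2022-CN")],
     "exceptions": [lambda m, raw: sent_to(m, "sales@domain.com")],
     "action": ("blacklist", None)},
]

def evaluate(raw, rules=RULES, base_scl=0):
    """Apply rules in order; a Blacklisted action stops processing at once."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    scl, matched = base_scl, []
    for rule in rules:
        if not all(c(msg, raw) for c in rule["conditions"]):
            continue
        if any(e(msg, raw) for e in rule["exceptions"]):
            continue
        matched.append(rule["name"])
        action, value = rule["action"]
        if action == "blacklist":
            return {"verdict": "blacklisted", "scl": scl, "rules": matched}
        scl = min(9, scl + value)  # increment_scl, capped at the SCL maximum
    return {"verdict": "deliver", "scl": scl, "rules": matched}

if __name__ == "__main__":
    for label, raw in [("pdf", PDF_SPAM), ("image", IMAGE_SPAM),
                       ("foreign", FOREIGN), ("foreign to sales", FOREIGN_TO_SALES)]:
        print(f"{label:17} {evaluate(raw)}")
```

The order of conditions matters for cost as much as for correctness: the cheap attachment-name and size checks run before the body is touched, and the foreign-language rule never decodes the body at all, only reads the declared charset, so an unusual encoding cannot trip the evaluator.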
5. How is IMF rating emails?
Seeing an email's SCL rating allows us to tweak filtering more effectively. With IMF Tune you can easily enable the insertion of the SCL into all emails, or only into emails going to the Junk folder.
Let's say a spam email is making it to the Inbox. Considering the SCL rating of the email and the Junk folder threshold, we could create a rule that increments the SCL just enough to start depositing these emails into the Junk folder.
An alternative to IMF Tune exists in this case: exposing the SCL is possible from Outlook. IMF Tune simplifies administration here, as it allows you to centrally enable SCL insertion for all mailboxes.
6. Why this SCL Rating?
On the newsgroups I see many requests for details on why IMF rates emails the way it does. Understandably, this information is not available: uncovering the workings behind an SCL rating would allow spammers to easily craft emails to bypass it.
What is possible is to let administrators see when an email gets white- or blacklisted. IMF Tune generates an HTML report for this purpose. Here is how this looks for the PDF spam:
7. Filter Scripts and other Unwanted HTML Body Content
Filtering script attachments can be achieved using a filename-based condition, as we did for PDF spam. But what about scripts within HTML bodies? What about links and other HTML elements?
IMF Tune allows you to filter the HTML text body and also the normally invisible HTML tags and attributes. Thus blocking scripts within the body is as easy as adding Body keywords such as:
"text/javascript"
"</script>"
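As an added illustration (my code, not IMF Tune's) of why matching the markup and not only the visible text matters, this Python snippet runs the two Body keywords above against a constructed HTML body both ways: against the text a reader would see, and against the full HTML including tags and attributes. The HTML body is made up for the example.

```python
from html.parser import HTMLParser

# Constructed HTML body, not a real spam sample: the visible text is harmless,
# while the script sits in markup that a text-only keyword filter never sees.
HTML_BODY = """<html><body>
<p>Congratulations, you have been selected!</p>
<script type="text/javascript">document.write("hidden content");</script>
</body></html>"""

# The two Body keywords from the article.
KEYWORDS = ["text/javascript", "</script>"]


class VisibleText(HTMLParser):
    """Collects only the text a reader would see: text nodes outside script/style."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def visible_text(html):
    """Strip tags, attributes and script/style content; normalise whitespace."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    return " ".join(" ".join(parser.chunks).split())


def keyword_hits(text, keywords=KEYWORDS):
    """Case-insensitive substring match, the simplest form of a Body keyword rule."""
    lowered = text.lower()
    return [k for k in keywords if k.lower() in lowered]


def text_only_hits(html):
    """What a filter that inspects only the rendered text would find."""
    return keyword_hits(visible_text(html))


def raw_html_hits(html):
    """What a filter that also inspects tags and attributes finds."""
    return keyword_hits(html)


if __name__ == "__main__":
    print("visible text :", visible_text(HTML_BODY))
    print("text-only    :", text_only_hits(HTML_BODY))
    print("raw HTML     :", raw_html_hits(HTML_BODY))
```

The text-only pass returns no hits because both keywords live entirely inside a tag and its attribute; only the pass over the raw HTML catches them, which is the capability the section describes.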
8. Recovering Deleted/Rejected Emails
One essential aspect of any email filtering software is the ability to monitor and verify the emails being blocked. IMF Tune allows for archiving and/or logging of all filtered emails. This is also true in the case of rejection.
IMF out of the box only allows you to archive emails that are deleted silently. Rejection is especially useful as it informs the sending end that the email was not delivered. Whereas a spammer is unlikely to act on this response, a legitimate sender would be alerted and could get back in touch in some other manner. Thus archiving rejected emails gives you an additional level of control over filtered emails.
9. Archive/Logs Backup and Purging
Disk archiving and logging are useful, but consume disk space. Although HDDs are cheap, one should still keep the growth under control. IMF archiving keeps dumping emails to disk, leaving archive management up to the user. IMF Tune adds the ability to automatically back up and purge archived emails and logs.
10. Other Anti-Spam Filters are Welcome!
There are loads of anti-spam filtering solutions. These may run on non-Windows platforms, on a dedicated appliance or at an external service provider.
Many software vendors love to lock us in to their software; ideally we should stick to them and ignore other options. IMF Tune takes the diametrically opposite position: it actually encourages the use of as much technology as possible in order to harden filtering.
The most common scenario is the integration of SpamAssassin. IMF Tune allows for the setup of rules that convert the spam ratings of other filters to SCLs. In this manner they become an integral part of our layered filtering defense. We discussed this functionality in an earlier article.
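An added example, not code from the earlier article or from IMF Tune, of what such a conversion rule has to do: read SpamAssassin's X-Spam-Status header and map its score onto the SCL scale. The header value is constructed, and the linear mapping in score_to_scl (the required score lands on the Junk threshold SCL, twice it saturates at 9, anything at or below zero is 0) is my own choice, not IMF Tune's.

```python
import re

# Constructed header in SpamAssassin's X-Spam-Status format; the values are made up.
SAMPLE_HEADERS = {
    "X-Spam-Status": "Yes, score=12.4 required=5.0 tests=BAYES_99,HTML_IMAGE_ONLY_08 autolearn=no",
}

# score=... required=... as SpamAssassin writes them; both may be fractional, score may be negative.
STATUS_RE = re.compile(r"score=(-?\d+(?:\.\d+)?)\s+required=(-?\d+(?:\.\d+)?)")


def spamassassin_score(headers):
    """Return (score, required) from X-Spam-Status, or None if absent or unparsable."""
    value = headers.get("X-Spam-Status")
    match = STATUS_RE.search(value) if value else None
    return (float(match.group(1)), float(match.group(2))) if match else None


def score_to_scl(score, required, junk_scl=5):
    """Assumed mapping (my choice): score == required gives junk_scl,
    score >= 2 * required saturates at 9, score <= 0 gives 0."""
    if score <= 0 or required <= 0:
        return 0
    return min(9, int(score / required * junk_scl))


def header_to_scl(headers, junk_scl=5):
    """SCL to assign from the other filter's verdict, or None if it did not score the email."""
    parsed = spamassassin_score(headers)
    return None if parsed is None else score_to_scl(*parsed, junk_scl=junk_scl)


if __name__ == "__main__":
    print(header_to_scl(SAMPLE_HEADERS))  # 9 for the constructed header above
```

Returning None rather than 0 when the header is missing keeps the two cases apart: an email the external filter never saw should fall back to IMF's own rating, not be treated as clean.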
Final Tips
IMF only provides a content-analysis-based filter. Other solutions provide, out of the box, loads of extra features that complement their core filter. Thus a direct comparison between vanilla IMF and other solutions is certainly unfair.
IMF Tune takes IMF filtering a long way, bridging many functionality gaps. Here we just touched on some practical examples. Whether this tandem is ready for prime time is for you to decide.