IMF: Archiving spam

by Bharat Suneja

As explained in previous posts, the Intelligent Message Filter (IMF) offers a few configuration options. The primary interface for configuring IMF is under Global Settings | Message Delivery properties | Intelligent Message Filtering tab.

Figure 1: IMF configuration options in Global Settings | Message Delivery | Properties | Intelligent Message Filtering tab

Here you specify a Gateway Blocking Configuration by telling Exchange what the Gateway SCL threshold is and selecting an action to be taken when a message meets or exceeds that threshold. IMF assigns each scanned message a rating from 0 to 9 called the “Spam Confidence Level” or SCL; the higher the SCL, the more confident IMF is that the message is spam. Messages whose SCL meets or exceeds the Gateway threshold can be kept out of users’ mailboxes.

One of the following actions can be selected for such messages:

  • Do Nothing: the gateway takes no action and the message continues to the Store. There the Store (Junk E-mail) threshold applies, so the message typically ends up in the user’s Junk E-mail folder. Important consideration: the Store threshold should be *lower* than the gateway threshold, so that mail not bad enough to be stopped at the gateway still lands in Junk E-mail rather than the Inbox.
  • Reject: Exchange rejects the message during the SMTP session. The sending server is responsible for generating any Non-Delivery Report (NDR) to the sender.
  • Delete: Exchange accepts the message and then deletes it, without notifying the sending host and without generating an NDR. This is also referred to as a silent delete.
  • Archive: Exchange accepts the message but does not deliver it to the mailbox; instead it writes the message as an .eml file to the UCEArchive folder, where you can review it.

Some considerations and FAQs about archiving messages – most of these are documented in the IMF v2 Deployment Guide:

1. Where are the messages archived?
Messages are archived in the UCEArchive folder. By default this folder is created under \exchsrvr\mailroot\vsi 1 – where 1 is the instance number of the SMTP virtual server that received the message.

2. Is there a way to change the location of the UCEArchive folder?
Yes, this is done by adding a registry value of type String (REG_SZ) in the following location:
Location: HKLM\Software\Microsoft\Exchange\ContentFilter
Value: ArchiveDir
Type: REG_SZ (string)
Value data: full path to the archive folder

3. I set the action to Archive. Why don’t I see the UCEArchive folder in the default location?
The UCEArchive folder is not created when you select the action; it is created when the first message meeting or exceeding the gateway threshold is received and archived.

Things to check when you don’t see the UCEArchive folder:
– Is the action set to Archive?
– Is IMF enabled on the SMTP virtual server?
Read the earlier post on the changes introduced in Exchange Server 2003 Service Pack 2, “Exchange Server 2003 SP2 and IMF”.
– Is IMF working? (Check performance counters.)
Read the earlier post “Troubleshooting IMF: Important Performance Counter” for more info.
– Are you receiving any messages meeting or exceeding the gateway threshold?
Check performance counters (again!) – MSExchange Intelligent Message Filter\Total Messages Assigned an SCL Rating of (number) – where number is the SCL rating. Counters are available for SCLs 0-9; if the counters for ratings at or above your gateway threshold stay at zero, nothing has been archived yet.
– Has the archive folder location been modified using the ArchiveDir registry value above? If so, look there instead of the default location.

4. I see a bunch of files with .eml extension in the UCEArchive folders. How do I view them?
Each .eml file is the archived message in its raw Internet (RFC 822) format, so you can open it with Outlook Express or, to inspect the headers and body as text, with Notepad.

5. Managing archive files using the above method (opening each .eml file in Outlook Express or using Notepad) isn’t very efficient. Is there a better way?
There’s a popular third-party tool called IMF Archive Manager that makes managing the archived messages easier. You can download it for free from gotdotnet.com.

6. I don’t have the time or inclination to sort through so many archived messages. Should I just set it to delete or reject?
If you’re just starting out with IMF, I would recommend archiving initially. This allows you to review the archive folder for false positives – messages that are not spam but got a high SCL rating for some reason. Archiving also lets you fine-tune your IMF configuration, in particular the gateway SCL threshold, based on the number of false positives you see at the threshold you chose. Once you are comfortable with what you see in the archived messages, you can switch the action to Reject or Delete.

7. I don’t see the SCL rating anywhere in the archived messages. Is there a way to save the SCL with the messages?
Yes. By adding the following registry value, IMF can be configured to save the SCL with each archived message: Exchange stamps the archived message with an X-SCL header containing the rating. Only messages archived after the value is set carry the header; files archived earlier will not have it.
Location: HKLM\Software\Microsoft\Exchange\ContentFilter
Value: ArchiveSCL
Type: DWORD
Value data: 1
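The review workflow described in FAQs 4 through 7 (open each .eml, find the SCL, look for false positives) is tedious by hand. The following script is an added example for this post, not Microsoft code or the IMF Archive Manager tool: it walks a UCEArchive folder, parses every .eml with Python’s standard email module, reads the X-SCL header written when ArchiveSCL is set, tallies messages per SCL, and flags messages from domains you consider trusted as possible false positives. It assumes the archived files are plain RFC 822 messages and that the X-SCL header holds the rating as a bare integer (e.g. “X-SCL: 8”); the sample messages and the trusted-domain list are constructed for the demonstration.

```python
"""Triage an IMF UCEArchive folder (added example, not Microsoft code).

Assumptions: archived .eml files are plain RFC 822 messages, and the SCL is
stored as a bare integer in the X-SCL header (e.g. "X-SCL: 8") once the
ArchiveSCL registry value is set. Messages archived before that value was set
have no X-SCL header and are counted separately.
"""
import os
import tempfile
from collections import Counter
from email import message_from_bytes
from email.utils import parseaddr
from pathlib import Path

# Default location from the post (install root omitted there as well).
DEFAULT_ARCHIVE = r"\exchsrvr\mailroot\vsi 1\UCEArchive"

# Constructed sample messages standing in for archived .eml files.
SAMPLE_EML = {
    "msg1.eml": (b"From: promo@example.net\r\nTo: user@example.com\r\n"
                 b"Subject: Cheap meds\r\nX-SCL: 9\r\n\r\nBuy now.\r\n"),
    "msg2.eml": (b"From: Accounts <billing@partner.example>\r\nTo: user@example.com\r\n"
                 b"Subject: Invoice 4471\r\nX-SCL: 8\r\n\r\nPlease find attached.\r\n"),
    "msg3.eml": (b"From: deals@example.org\r\nTo: user@example.com\r\n"
                 b"Subject: FREE offer!!!\r\nX-SCL: 8\r\n\r\nClick here.\r\n"),
    # Archived before ArchiveSCL was set: no X-SCL header at all.
    "msg4.eml": (b"From: noreply@example.net\r\nTo: user@example.com\r\n"
                 b"Subject: Win a prize\r\n\r\nYou won.\r\n"),
}


def parse_eml(raw: bytes) -> dict:
    """Extract sender, sender domain, subject and SCL from one archived message."""
    msg = message_from_bytes(raw)
    scl_header = msg.get("X-SCL")
    try:
        scl = int(scl_header.strip()) if scl_header else None
    except ValueError:
        scl = None  # header present but not an integer: treat as unknown
    sender = parseaddr(msg.get("From", ""))[1].lower()
    domain = sender.rsplit("@", 1)[1] if "@" in sender else ""
    return {"from": sender, "domain": domain,
            "subject": msg.get("Subject", ""), "scl": scl}


def summarize_archive(archive_dir, trusted_domains=()) -> dict:
    """Tally archived messages per SCL and flag mail from trusted domains."""
    trusted = {d.lower() for d in trusted_domains}
    histogram = Counter()
    missing_scl = 0
    suspects = []
    for path in sorted(Path(archive_dir).glob("*.eml")):
        info = parse_eml(path.read_bytes())
        info["file"] = path.name
        if info["scl"] is None:
            missing_scl += 1  # archived before ArchiveSCL=1, or header unreadable
        else:
            histogram[info["scl"]] += 1
        if info["domain"] in trusted:
            suspects.append(info)  # review these first: likely false positives
    return {"count": len(histogram) and sum(histogram.values()) + missing_scl or missing_scl,
            "scl_histogram": dict(histogram),
            "missing_scl": missing_scl,
            "possible_false_positives": suspects}


def demo() -> dict:
    """Write the constructed samples to a temp folder and summarize them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, raw in SAMPLE_EML.items():
            Path(tmp, name).write_bytes(raw)
        return summarize_archive(tmp, trusted_domains=["partner.example"])


if __name__ == "__main__":
    target = DEFAULT_ARCHIVE if os.path.isdir(DEFAULT_ARCHIVE) else None
    report = summarize_archive(target, ["partner.example"]) if target else demo()
    print("archived messages:", report["count"])
    for scl in sorted(report["scl_histogram"], reverse=True):
        print(f"  SCL {scl}: {report['scl_histogram'][scl]}")
    print("  no X-SCL header:", report["missing_scl"])
    for s in report["possible_false_positives"]:
        print(f"REVIEW {s['file']}: SCL {s['scl']} from {s['from']} - {s['subject']}")
```

Run it against the real folder by pointing DEFAULT_ARCHIVE (or the ArchiveDir path) at your archive; with no such folder present it runs on the built-in samples. The histogram tells you how many messages sit at each rating, which is the data you need when deciding whether to move the gateway threshold up or down, and the “no X-SCL header” count shows how much of the archive predates the ArchiveSCL setting.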


Xavier y Marcy Elizondo July 26, 2006 at 6:22 am

I have configured everything as you show and it is working. The only weird thing is that when I set the SCL configuration it only remains like that for 1 day and the next day it changes by itself to the default settings. Why is this happening?
