IMF: Where’s the whitelist?

by Bharat Suneja

Another frequently asked question – asked frequently enough to make its way here.

Does the Intelligent Message Filter (IMF) v1/v2 in Exchange 2003 provide any way of “whitelisting” sending SMTP addresses or domains? (I will continue to use whitelisting as one word. Although it cannot be found in the dictionary, it is a common term if you’re reading this blog and work with messaging/anti-spam – Bharat)

The Sender Filtering feature provides a way to blacklist SMTP addresses and domains, so it’s logical to expect a way to whitelist addresses and domains as well. However, there’s no whitelisting feature in Exchange 2003 – or at least not out-of-the-box.

From the explanations I’ve heard, the one that comes across as the most reasonable: SMTP headers (and therefore the FROM: field in messages) can be easily spoofed. To a certain extent, it’s hard to argue with that – it is true, and that is perhaps one of the biggest reasons we have to deal with spam and phishing today.

Some workarounds for whitelisting
In absence of a whitelist feature built into IMF, here’s what can be done to ensure messages from trusted sources are not blocked:

1 Global Accept List: Adding the IP address(es) of sending hosts to Connection Filtering‘s Global Accept List allows messages from the sending host to bypass Connection Filtering — inbound messages will be accepted even if the sending host is listed on a RBL, and IMF as well. To add IP addresses of sending hosts to the Global Accept list using the ESM:
1. Expand Global Settings | select Message Delivery -> Properties | Select the Connection Filtering tab

Screenshot: Connection Filtering's Global Accept List
Figure 1: Connection Filtering’s Global Accept List allows you to whitelist IP addresses of sending hosts

2. Click Accept | Click Add
3. To add a single IP address, type the address in the IP address field. To add a range of IP addresses, select Group of IP Addresses and type the subnet address and mask.
4. Click OK (thrice) to close the dialog boxes.

Next, we need to enable Connection Filtering in SMTP virtual server properties.
5. Select the SMTP Virtual Server that receives inbound internet mail | select Properties | General tab | Advanced button next to IP address
6. Select an IP address (you can enable/disable filters by IP address)
7. Click the Edit button
8. Check Apply Connection Filter

Screenshot: Enabling Connection Filter in SMTP Virtual Server properties
Figure 2: Antispam filters can be selectively enabled or disabled in SMTP Virtual Server properties

By whitelisting sending hosts’ IP address(es), you’re telling Exchange the sending host is trusted. Arguably, this is more effective and secure than whitelisting SMTP addresses and domains. (Also read Alexander Zammit’s post regarding issues with having the same IP address on Global Accept list and on the local IP list).

Nevertheless, some folks would simply like to have the convenience of whitelisting addresses and domains. Almost every other anti-spam tool has it. (Update: Exchange 2007 has whitelisting. See Exchange 2007 Content FIlter: The Whitelist Is Here!)

2 Custom Weighting: If the messages you want to whitelist contain particular keywords in the subject or message body, you can use the Custom Weighting feature as described in Exchange Server 2003 SP2 Release Notes. This allows you to lower or raise the SCL values assigned by IMF.

This entails creating an XML file called MSExchange.UceContentFilter.xml– the syntax is described in the Release Notes. You can simply cut and paste the sample from the Release Notes and modify it – it is fairly easy to do.

This approach could have been made a little more effective by simply allowing to look for the keywords in message headers as well. Not sure why headers were not included in the scanning mechanism for Custom Weighting – hopefully I will come across a reasonable explanation for this as well. :)

3 IMF Tune: If the above methods don’t work for you, and you absolutely need the convenience of being able to whitelist addresses and domains, you can look at third party utilities like IMF Tune from WinDeveloper. IMF Tune is an inexpensive tool that adds important functionality to IMF, making it closer to a full-blown anti-spam tool that many want IMF to be.

Besides whitelisting, IMF Tune allows you to configure a quarantine mailbox (instead of IMF’s option to archive mail in the UceArchive folder), setup autoreplies for filtered mail, strip attachments, amongst other things.

Another likable IMF Tune feature is the ability to insert SCL values in message headers – which IMF will do for archived messages, but not for messages delivered to mailboxes. The SCL value is a MAPI property of a message that can be made to show up in Outlook [read ‘Exposing SCL (Spam Confidence Level) in Outlook‘ on Exchange team blog], but the procedure isn’t something most users would want to go through.

Having said this, I have always liked IMF and think Microsoft did a great job by including this – for free – as a web download with IMF v1, and as a part of Exchange Server 2003 SP2 with IMF v2. It serves a useful purpose in many small/SMB deployments where it meets the requirements to a good extent or where resource
constraints rule out buying a third-party anti-spam product.

Besides, much as product managers want, not all features can be implemented in any given version, and given historical data, by version 3 these features/products become much more mature. (Think of the anti-spam features in Exchange Server 2007 as version 3 of Exchange’s messaging hygiene features :).

{ 9 comments… read them below or add one }

Anonymous December 5, 2006 at 11:27 am

Thank you very much for hinting IMF Tune. I evaluated that tool and it really does what it promises – for a forgetable price.

Please continue with your excellent blog!

Stefan E.

Reply

Anonymous March 20, 2007 at 3:17 am

Author is wrong: There is whitelisting feature in IMF – look at: http://support.microsoft.com/?id=912587

Reply

Bharat Suneja March 20, 2007 at 10:31 am

KB 912587 refers to a MSGFILTER.DLL hotfix that allows it to configure inclusion list (IMF applies to messages for only those included in the list), or an exclusion list (IMF applies to messages for all except those recipients on the exclusion list).

Whitelisting refers to the ability to put *senders* on a list – typically by SMTP address (e.g. [email protected]), or SMTP domain (e.g. somedomain.com or *@somedomain.com).

IMF v1 & v2 do not have a whitelisting feature.

Reply

Anonymous October 30, 2007 at 8:20 am

Have a look at an inexpensive whitelist tool for the IMF called SmartIMF Manager.

http://www.n2nets.com/SmartIMF.html

Reply

Anonymous July 25, 2008 at 8:14 am

Rather than purchase any tool to view, move or delete archived messages you can simply do this by creating .htm and ASP pages with VBScript and install them on any IIS server. By assigning the new ASP site a port number, you can then access this information from anywhere on the network within your web browser. VBScript works in IE the best so I would use it to view the ASP site. I set it up on our Exchange server to View, Resubmit, and Delete messages. It also sends me an email when the UCEArchive reaches a certain amount of messages, this way it doesn’t continue to grow. Although there are some handy features in IMF Tune, all that stuff can be accomplished without purchasing anything. Search the net.

Reply

Bharat Suneja July 25, 2008 at 9:02 am

@Anonymous poster:
Writing code, even scripts or web pages, is not something every administrator feels comfortable with. More often than not, it’s simply more cost-effective to buy an off-the-shelf app.

Having said that, please feel free to post more details about your solution, including any links.

It’s the ability to do such cool things that makes IT fun for a lot of us!

Reply

Tuur October 17, 2008 at 3:32 am

I configured connection filtering as described but it sure don’t seem to work.

I have now stopped and started the SMTP service on the server. We will see…

Reply

Tuur October 27, 2008 at 3:18 am

Restarting the SMTP service every time a sender IP is added to the connection filtering accept list definitely seems necessary. But in our organisation some of those senders are still being blocked by IMF.

Our e-mails are being routed through the mailservers of our ISP. I have now started adding any IPs of them I find in the headers to the Global Accept list. Will try to post in a few weeks to report if that helped or not.

Reply

SysAdmin February 18, 2009 at 9:04 am

I have to agree with the above post, have a look at SmartIMF – much better value (cheaper) than IMF Tune. Much easier than hacking together your own scripts, ASP pages or using the custom weighting in IMF. We look after about 12 SBS servers and this really makes it easy to handle the IMF with the automatic whitelist, reporting, user release, auto cleaning of the spam folder, etc. for all our sites.

Have a look at their 30 day trial and see for yourself:

http://www.n2comms.com/SmartIMF.html

Reply

Cancel reply

Leave a Comment

Previous post:

Next post: