
Tuesday, May 30, 2006

 

IMF: Archiving spam

As explained in previous posts, Intelligent Message Filter offers a few configuration options. The primary interface for configuring IMF is under Global Settings | Message Delivery properties | Intelligent Message Filter tab.

Here you specify a Gateway Blocking Configuration by telling Exchange what the gateway threshold value is and selecting an action to be taken when the threshold is met. IMF assigns each message scanned a rating called "Spam Confidence Level" or SCL. Messages with SCL values that meet or exceed the threshold (equal to or greater than) are blocked from users' mailboxes.

One of the following actions can be selected to treat such messages:
1) Do Nothing: This simply forwards the message to the Store, and depending on the Store configuration, typically the messages should end up in a user's Junk Mail folder. Important consideration: the Store threshold should be *lower* than the gateway threshold.
2) Reject: Exchange rejects the message during the SMTP session, and the sending server is responsible for generating a Non-Delivery Report (NDR) to the sender.
3) Delete: Exchange accepts the message and deletes it, without notifying the sending host and without generating an NDR. This is also referred to as silent delete.
4) Archive: When the Archive action is selected, Exchange delivers the message to the UCEArchive folder.

Some considerations and FAQs about archiving messages - most of these are documented in the IMF Deployment Guide:
1. Where are the messages archived?
Messages are archived in the UCEArchive folder. By default this folder is created in the \exchsrvr\mailroot\vsi 1 folder, where 1 is the instance number of the SMTP virtual server.

2. Is there a way to change the location of the UCEArchive folder?
Yes, this is done by inserting a registry value of type String (REG_SZ):
Location: HKLM\Software\Microsoft\Exchange\ContentFilter
Value: ArchiveDir
Type: REG_SZ (string)
Value data: path to archive folder

3. I set the action to Archive. Why don't I see the UCEArchive folder in the default location?
The UCEArchive folder is created when the first message meeting or exceeding the gateway threshold is received.

Things to check when you don't see the UCEArchive folder:
- Is the action set to Archive?
- Is IMF enabled on the SMTP virtual server?
Read the earlier post on changes to IMF v2 introduced in Exchange Server 2003 Service Pack 2 "Exchange Server 2003 SP2 and IMF"
- Is IMF working? (Check performance counters)
Read the earlier post "Troubleshooting IMF: Important Performance Counter" for more info.
- Are you receiving any messages meeting or exceeding the gateway threshold?
Check performance counters (again!) - MSExchange Intelligent Message Filter\Total Messages Assigned an SCL Rating of (number) - where number is the SCL rating. Counters are available for SCLs 0-9.
- Is the archive folder location modified using the above registry value?

4. I see a bunch of files with .eml extension in the UCEArchive folders. How do I view them?
You can open these .eml files with Outlook Express or using Notepad.

5. Managing archive files using the above method (opening each .eml file in Outlook Express or using Notepad) isn't very efficient. Is there a better way?
There's a popular third-party tool called IMF Archive Manager that makes managing the archived messages easier. You can download it for free from gotdotnet.com.

6. I don't have the time or inclination to sort through so many archived messages. Should I just set it to delete or reject?
If you're just starting out with IMF, I would recommend archiving initially. This will allow you to review the archive folder to see if there are any false positives - messages that are not spam, but got a higher SCL rating for some reason. Archiving will also allow you to fine-tune your IMF configuration based on the number of false positives you get with the gateway SCL threshold you use. Once you are comfortable with what you see in the archived messages, you can choose to reject or delete messages if you want.

7. I don't see the SCL rating anywhere in the archived messages. Is there a way to save the SCL with the messages?
Yes, using another registry value.
Location: HKLM\Software\Microsoft\Exchange\ContentFilter
Value: ArchiveSCL
Type: DWORD
Value data: 1
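
One way to support the review described in items 6 and 7, as an added example (not code from the original post or from Microsoft): it tallies archived .eml files by SCL and shows how many would still be caught at each candidate gateway threshold. It assumes ArchiveSCL is enabled and that the rating is saved in an `X-SCL` header whose first token is the number; the function names and sample messages are constructed for illustration.

```python
import email
import tempfile
from collections import Counter
from pathlib import Path

SCL_HEADER = "X-SCL"  # assumption: header written when ArchiveSCL = 1


def read_scl(eml_path):
    """Return the SCL (0-9) saved in an archived message, or None if absent."""
    with open(eml_path, "rb") as fh:
        msg = email.message_from_binary_file(fh)
    raw = msg.get(SCL_HEADER)
    if raw is None:
        return None
    try:
        scl = int(str(raw).split()[0])  # tolerate trailing text after the number
    except (ValueError, IndexError):
        return None
    return scl if 0 <= scl <= 9 else None


def scl_histogram(archive_dir):
    """Count archived .eml files per SCL; key None means no readable rating."""
    return Counter(read_scl(p) for p in sorted(Path(archive_dir).glob("*.eml")))


def blocked_at(hist, threshold):
    """Archived messages a gateway threshold would still catch (SCL >= threshold)."""
    return sum(n for scl, n in hist.items() if scl is not None and scl >= threshold)


def make_sample_archive(directory):
    """Write constructed sample messages (not real spam) for a dry run."""
    samples = {"a.eml": "X-SCL: 9", "b.eml": "X-SCL: 7", "c.eml": "X-SCL: 7",
               "d.eml": "X-SCL: 5", "e.eml": "X-Other: 1"}
    for name, header in samples.items():
        text = ("From: sender@example.com\r\nSubject: constructed sample\r\n"
                f"{header}\r\n\r\nbody\r\n")
        Path(directory, name).write_bytes(text.encode("ascii"))
    return directory


if __name__ == "__main__":
    # Replace the temp dir with the real UCEArchive path to review live data.
    with tempfile.TemporaryDirectory() as tmp:
        hist = scl_histogram(make_sample_archive(tmp))
        total = sum(hist.values())
        for t in range(5, 10):
            print(f"threshold {t}: {blocked_at(hist, t)} of {total} archived messages")
```

Because the archive only holds messages that already met the current gateway threshold, the counts show what raising the threshold would release to the Store, not what lowering it would add.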


Wednesday, May 24, 2006

 

IMF does not scan messages larger than 3 Mb

Microsoft has just released a Knowledge Base article - KB 907691 - documenting the inability of its Intelligent Message Filter (IMF) - the anti-spam filter that was earlier offered as a free add-on for Exchange Server 2003 - to scan messages over 3 Mb. in size.

When IMF encounters a message that is larger than 3 Mb., it logs the following event in the Application Event Log:

Event ID: 7515
Category: SMTP Protocol
Source: MSExchangeTransport
Type: Error
Message: An error occurred while Microsoft Exchange Intelligent Message Filter attempted to filter a message with ID <ID_Number>, Priority_Number From smtp:E-mail_ID and Subject Subject_Text. This message will not be filtered. The error code is 0x800710f0.

(In some of my tests IMF has behaved differently when scanning these large (over 3 Mb.) messages with and without attachments. I haven't been able to complete testing to come to any conclusion because of lack of time - will update this post if I find something - Bharat)

IMF became part of Exchange Server 2003 when Microsoft included it in Exchange Server 2003 Service Pack 2. The inability to scan messages over 3 Mb. in size is common to both IMF v1 and the new version 2 included with SP2.

The article states this is by design - typical spam messages are not as large, and it costs more to send such spam.

It'll be interesting to find out what Exchange administrators think about this!


 

Don't miss "Troubleshooting DNS for Exchange" session at TechEd

Another year goes by, and TechEd 2006 is already here! If you're going to be in Boston next month, as a TechEd attendee you'll have a long list of sessions to pick from, with more than a few sessions you're interested in being scheduled at the same time.

I've always faced this huge dilemma of choosing which sessions I want to devote my time (definitely a scarcer resource during TechEd) to.

Zenprise architect Sekou Page will be presenting a Birds of a Feather session titled: Troubleshooting DNS for Exchange: Confronting The "Black Box". Sekou is a principal Exchange knowledge architect at Zenprise, with plenty of infrastructure experience and over 50 Exchange migrations to his credit. He writes a column for Redmond magazine.

If you work with Exchange and DNS, this should be one of the interesting sessions to look forward to at TechEd.

Session Abstract:
Troubleshooting DNS for Exchange: Confronting The "Black Box"
Thursday, June 15, 11:45 AM - 1:00 PM
DNS is often considered a "black box". That is, once configured and working it is hard to figure out why it "breaks" or what might be wrong in a deployment where the service should be fully functional. The focus of this session is - how to troubleshoot DNS issues as they relate to email - specifically, Microsoft Exchange. This session will share in a group discussion on DNS and the core components of DNS and the approaches one should take when troubleshooting specific classes of issues: including connectivity, zone integrity, performance, Active Directory DNS and name resolution. So, by thoroughly understanding the different classes of DNS issues and the troubleshooting process required to approach a specific type of issue, DNS will no longer be considered the "black box" it once was.
Session Type(s): Birds of a Feather


Thursday, May 18, 2006

 

Verizon first (and exclusive) with Moto Q

In one of the most anticipated product launches in about a year (for smartphone/Windows Mobile geeks anyway!), it appears Verizon will be the first and - for a while at least - exclusive provider to sell Motorola's new Moto Q smartphone.

Labelled as the "Blackberry Killer" ever since rumors and early details/photos appeared about a year ago (if I remember correctly, we were talking about Windows Mobile 5.0, and awaiting the release of Exchange Server 2003 SP2 which would bring the fruits of DirectPush to push email to Windows Mobile handhelds back then... ), the Moto Q will finally make an appearance sometime next week.

For what it's worth, the Moto Q is one sexy gadget. I haven't actually held one in my hands yet, but do look forward to the Razr-slim device - .45 inches thin - with a usable QWERTY keyboard and even the thumb-wheel navigation mechanism that's been sort of a trademark of the Blackberry devices.

Having recently used a Cingular 2125 and an Audiovox SMT5600 not very long ago, and being somewhat of a Blackberry fan (pre-Exchange ActiveSync and DirectPush) before that, I felt terribly "Blackberry-sick" with the smartphone devices that didn't offer a keyboard. Incredibly difficult, if not impossible, to type a simple one-liner email on those things!

I am out of a cell phone for over a week now - and surviving very well, thank you! Now it makes sense to not rush out and get a new one today or over the weekend, but wait for the Moto Q next week. Yes, that would require me to switch cell phone providers as well, something I don't mind doing if the Q turns out to be everything Motorola and the number of enthusiast web sites promise it will be.

Check out the Moto Q teaser page on Verizon's web site:
http://www.vzwshop.com/q/

Whether the Q actually turns out to be a "Blackberry Killer" remains to be seen.


 

Microsoft buys Whale Communications

Microsoft's buying Whale Communications - maker of SSL VPN appliances. Having used Whale in a secure Outlook Web Access deployment, I have high regard for their technology. It locks down OWA pretty tightly, without ever touching your Exchange server.

I've frequently recommended their appliances - which allowed integration of RSA SecurID authentication for OWA access, and wondered whether/when these would allow secure RPC over HTTP(S) access, since Outlook itself does not natively support any integration with SecurID authentication.

It is quite likely the Whale technology may be integrated into ISA Server.

What would really impress many enterprise users is Outlook (RPC over HTTPS), OWA, and ActiveSync working with two-factor authentication mechanisms like SecurID and smartcards, natively, out of the box.

Nevertheless, Microsoft has done it again - bought another best-of-breed technology.


Monday, May 15, 2006

 

Zenprise in InfoWorld's "Top 15 Tech Startups To Watch"

More news from the Zenprise front – we’re now one of the “Top 15 Tech Startups To Watch” according to InfoWorld magazine! In a cover feature in the magazine’s current issue, InfoWorld features the companies that they rate as "Top 15 Tech Startups To Watch". In InfoWorld’s words, “Look closely, and you’ll notice that today’s enterprise tech startups are much smarter and more targeted than the broad, change-the-world ventures of the go-go ’90s. During the past couple of years, we’ve seen countless demos from companies whose singular ingenuity has brought a smile to the face of even the most jaded editor" (Emphasis mine, because I'm particularly delighted about that observation!).

Needless to say, we're very excited to be on this list!

We're getting great feedback for the just-launched version of the product - Zenprise 2.0, and the stream of feedback we've started getting from customers about different Exchange (and related) issues - which regularly gets added to our Symptom Database - is helping us make Zenprise more capable in detecting and resolving Exchange issues in your deployments.

Read the complete article - 15 Tech Startups To Watch - on InfoWorld's web site. (Or go directly to the section of the article that talks about Zenprise - "Zenprise spots Microsoft Exchange failures".)


Sunday, May 07, 2006

 

New Exchange fixes change permissions model, may disrupt Blackberry, Goodlink, and other services

A recent change in the Exchange permissions model may disrupt Blackberry, Goodlink and other services. Many folks may have already applied hotfixes that changed the behavior of "Send As" and "Full Mailbox Access" permissions. Here's a brief overview.

What: Separation of "Full Mailbox Access" and "Send As" permissions.

Why: Earlier, users with "Full Mailbox Access" permission on a mailbox were implicitly provided the "Send As" permission. This allowed them to send mail as that user. Services like Blackberry Enterprise Server and Goodlink commonly use Full Mailbox Access to be able to send mail as a user. This was a security issue for many customers and the permissions needed to be separated. With this change, users/services will now explicitly need "Send As" permission on a given user's mailbox to be able to send as that user.

Which versions: The above change was applied to the STORE.EXE file. You can tell by the version of STORE.EXE - if the version you have is equal to or later than the following, this change has already been made in your environment.
- Exchange 2000 SP3: version 6619.4 or later (first made available in hotfix KB 915358)
- Exchange 2003 SP1: version 7233.51 or later (first made available in hotfix KB 895949)
- Exchange 2003 SP2: version 7650.23 or later (first made available in hotfix KB 895949)

(Note About Today's Security Bulletin MS06-019: The security patch released today in Microsoft Security Bulletin MS06-019 also contains this fix for Exchange Server 2003 SP1. If you use Microsoft Update on your Exchange Servers, this will be applied as part of critical fixes. If you're on Exchange Server 2003 SP2, the SP2 version of the patch does not update Store.exe).

Do I need to do anything?: If your users or accounts used by services like Blackberry or Goodlink need to impersonate the user and use the "Full Mailbox Access" permission to do so, they will need to be assigned "Send As" permission explicitly.

Microsoft has included a script in KB 912918 that will dump all user accounts that have "Full Mailbox Access" permission. You can browse through the list and determine if any of those accounts need to impersonate users and therefore explicitly require "Send As" permission. You can then use the script to assign "Send As" permission to those accounts.

Are there any exceptions?: Yes, indeed. The following are exceptions where "Send As" permission is not required:
- the mailbox owner does not require "Send As" permission on its own mailbox
- Associated External Account - typically used in cross-Forest scenarios and while you're in mixed-mode with accounts in an NT 4.0 domain and Exchange in an AD Forest
- a delegate account that also has "Full Mailbox Access" permission


Wednesday, May 03, 2006

 

Zenprise Named Finalist in Best of TechEd 2006 Awards

This just came in - Zenprise has been named a finalist in Windows IT Pro magazine's Best of TechEd 2006 Awards in the Messaging category.

Close on the heels of becoming a finalist in the "Software Newcomer of The Year" category for this year's Codie Awards (read "Zenprise Named Finalist In Codie Awards 2006") and getting a big thumbs up from InfoWorld magazine (read "Infoworld gives a thumbs up to Zenprise 1.0.3"), this further validates the coming of age of the Zenprise approach to real-time troubleshooting and diagnostics of Microsoft Exchange and email environments.

Over 250 products were nominated for the awards. Other finalists in the category are Research In Motion's Blackberry Enterprise Server, and Quest Software's Spotlight on Exchange.

All I can say is - it feels great to be in the company of RIM and Quest!
