Microsoft IMF Cans Spam at the Server

By David Coursey  |  Posted 2004-06-02

The best thing about Microsoft's new Intelligent Message Filtering add-on for Exchange Server isn't that it's free—it's that it really works. Of course, having the ultimate "nice price" makes choosing IMF almost a no-brainer.

I have been using IMF for several days—too early to really make a determination—but the early results have been excellent.

If the name doesn't ring a bell, IMF is the server version of the anti-spam technology built into Outlook 2003. An important limitation in Outlook is that the client software only works in "cached" mode, in which all your e-mail is downloaded to the client, where the filtering takes place.

Having to download your e-mail onto every machine you use seems to defeat the purpose of having an Exchange server, and certainly cripples Outlook Web Access. While Outlook 2003 could filter the incoming mail and provide a mostly spam-free desktop experience, the server itself remained spam city. Thus, OWA, which provides server access via any web browser, got a completely unfiltered view of the user's inbox. With IMF, spam is filtered at the server, and OWA shows your filtered inbox—OWA has been rendered useful once again.

IMF was released last week at TechEd in San Diego. It didn't get nearly the attention it should have, which is part of the reason I am writing about it here. Based on my experience with the Outlook 2003 anti-spam technology, I was looking forward to installing the server version on my Exchange machine.

Over the weekend—Sunday night to be precise—I downloaded IMF from the Exchange 2003 Web site and installed it on my server. Actually, I first read the IMF Overview, which explains how the filtering works. I then downloaded the Deployment Guide, which explains how to use a single IMF installation for several Exchange mailbox servers in an enterprise environment.

Ten Minutes to a Cleaner Mailbox

The actual installation process took about 10 minutes. The most difficult part was remembering where the SMTP protocol settings live so I could turn the filtering on.

Basically, IMF works by looking at incoming messages and, using techniques Microsoft isn't willing to fully disclose, assigning a numeric rating to each. These ratings reflect a confidence level in whether a particular message is spam and correspond to filter settings in IMF.

The server filters themselves work in two ways: The first is the gateway filter, which can delete or reject messages before they are ever sent to users' mailboxes. The second determines whether a message is sent to the user's inbox or "junk mail" folder.

The default number setting for both the gateway and mailbox filter is eight. Oddly, a lower number equates to more filtering while a higher number equals less. Lowering the number catches more spam, but also increases the likelihood of false positives.

It is probably best to set the gateway filter to a relatively low level and then have it reject or trash those messages most likely to be spam. The remaining messages would be filtered at a level that balances false positives with the amount of spam that clears the filter and ends up in users' inboxes.

Right now, I have my gateway filter set to do nothing, while the mailbox filter was made tighter after the default setting allowed too much spam into my inbox. Lowering the threshold to 6 seems to have solved that problem.
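The interplay of the two thresholds described above can be modelled in a few lines. This Python sketch is an added example, not Microsoft's code or anything from the IMF documentation: the ratings in `SAMPLE` are constructed, and treating "rating >= threshold" as the trigger is an assumption chosen to match the article's statement that a lower number filters more.

```python
from collections import Counter

# Constructed sample: (confidence rating 0-9, is_actually_spam). Not real IMF output.
SAMPLE = [
    (9, True), (9, True), (8, True), (8, True), (7, True), (7, True),
    (6, True), (5, True),
    (7, False), (6, False), (4, False), (3, False),
    (2, False), (1, False), (0, False), (0, False),
]

def route(rating, gateway_threshold, store_threshold):
    """Return where one message ends up: 'rejected', 'junk' or 'inbox'.

    Assumption: a filter acts when rating >= its threshold.
    gateway_threshold=None models a gateway filter set to do nothing.
    """
    if gateway_threshold is not None and rating >= gateway_threshold:
        return "rejected"   # dropped before delivery; the user never sees it
    if rating >= store_threshold:
        return "junk"       # delivered, but to the junk mail folder
    return "inbox"

def evaluate(messages, gateway_threshold, store_threshold):
    """Count the outcomes an administrator tunes against."""
    counts = Counter()
    for rating, is_spam in messages:
        dest = route(rating, gateway_threshold, store_threshold)
        if is_spam and dest == "inbox":
            counts["spam_in_inbox"] += 1
        elif not is_spam and dest == "junk":
            counts["ham_in_junk"] += 1       # false positive the user can recover
        elif not is_spam and dest == "rejected":
            counts["ham_rejected"] += 1      # false positive nobody can recover
    return {k: counts[k] for k in ("spam_in_inbox", "ham_in_junk", "ham_rejected")}

def sweep(messages, gateway_threshold=None):
    """Evaluate every mailbox threshold from 1 to 9 for a fixed gateway setting."""
    return {t: evaluate(messages, gateway_threshold, t) for t in range(1, 10)}

if __name__ == "__main__":
    for threshold, result in sweep(SAMPLE).items():
        print(threshold, result)
    # An aggressive gateway turns a recoverable false positive into a lost message.
    print("gateway=7, mailbox=6:", evaluate(SAMPLE, 7, 6))
```

On this constructed data, tightening the mailbox threshold from 8 to 6 cuts the spam reaching the inbox while pushing two legitimate messages into junk mail, and only an aggressive gateway setting causes legitimate mail to be lost outright.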

Before going further, I should mention that my e-mail address has appeared in print and on Web sites on many occasions and if there is a spam list I'm not on—sometimes several times—I'd be pretty surprised. Some days I receive more than 2,000 spam messages.

So far, out of more than 400 messages processed, four spam messages have been delivered to my mailbox, a pretty impressive catch rate. On the other side, I have had a somewhat larger number of false positives, but only from two senders and all mailing list messages that could easily be mistaken for spam. Adding the senders to my "safe sender" list or my contact list ought to solve this problem.

This tallies up to an amazing 1 percent failure rate and just enough false positives to keep me from setting the filtering level any tighter until I've had a chance to watch things for a while longer.

My guess is the astoundingly low failure rate is a bit unusual. The Outlook 2003 filters were letting about 5 percent of the spam through, with only occasional false positives. Even at that level, I was very pleased with the filters' ability to solve my spam problems.

Again, your mileage will vary and so will everyone's as the battle between Microsoft and spammers ebbs and flows, the bad guys finding new ways to get around the filters and the good guys creating new filters. Meanwhile, watch my Blog and I will report on my experiences with IMF over the next few weeks.
