Configuring Intelligent Message Filter involves two settings:
Gateway Blocking Configuration - In Gateway Blocking Configuration, you establish a threshold based on a spam confidence level (SCL) rating above which the gateway server takes action on the message. You also define the type of action you want the gateway to take.
Store Junk E-mail Configuration - In Store Junk E-mail Configuration, you define the thresholds based on an SCL rating that Microsoft Exchange 2003 mailbox stores use to determine whether to deliver messages to a user's Inbox or Junk E-mail folder.
To configure IMF, follow these steps:
Open the Exchange System Manager snap-in (ESM).
Expand your Organization object, expand Global Settings. Right-click Message Delivery and choose Properties.
Click on the "Intelligent Message Filtering" tab.
In the Gateway Blocking Configuration section enter the number you chose, based upon your own preferences. I use 7, but you may want to experiment with lower or higher numbers. Selecting a lower number for the SCL rating filters more messages, but also increases the likelihood of false positives, which are legitimate messages that appear to be UCE. Selecting a higher number for the SCL rating filters fewer messages, but also reduces the likelihood of false positives.
Note: There is a known bug (or issue as Microsoft like to call it) with the SCL threshold. Basically, if you set the SCL level to 7, IMF will block from 8 onwards; it allows SCLs equal to your setting through.
Now choose the action to perform when blocking messages. You can select Archive, for example, in order to archive all the messages with an SCL rating higher than 7.
In the Store Junk E-mail Configuration select your desired threshold. I use 4, but again, you may want to experiment with higher numbers. Again, read the articles below for more info, and don't forget about that "small issue" with the UI. That's all there is to it. Click OK.
After you configure Intelligent Message Filter, you must enable this filter on all inbound gateway SMTP virtual servers. You do NOT need to enable IMF on ALL Exchange servers; do so only on the server(s) responsible for the incoming SMTP traffic.
Expand the Administrative Group folder, then expand the Servers folder, then expand each server that will be configured with IMF.
Expand the server object and click to expand the Protocols folder. Expand the SMTP folder.
Right-click the Default SMTP Virtual Server and choose Properties.
In the General tab click on the Advanced button.
In the Advanced window, click to select the (All Unassigned) IP Address and click on the Edit button.
In the Identification window, click to select the Apply Intelligent Message Filter checkbox. Click OK all the way out.
(as noted above, replace C:\ with the drive letter of your Exchange installation, and replace VSI 1 with the folder name for your SMTP Virtual Server).
When you run the program executable, you will get a UI that allows you to view the message headers and delete, resubmit and do other things to any selected message.
If you've performed the procedure "Add the SCL Rating to Archived Messages" below, you'll also see the SCL rating of each message:
Realtime Black Lists
It's always good to have layers. Why not have 2 spam filters?
I use 2 public RBL sites, spamcop and spamhaus, to reverse look-up spammers and strip even more spam from my system.
When you do this, keep in mind that the IMF will happen first, then this filter, so your IMF spam folder might also contain messages that are on known spam lists.
How to configure it:
In Exchange System Manager expand Global Settings
Right-click Message Delivery and choose Properties
Select Connection Filter tab to add the RBL info
Click Add... to add a new filter
In Display Name, type the name of the filter so you can recognize it (it also appears in a default NDR message shown later in this bullet), like SpamCop. In DNS Suffix of Provider, enter the RBL site's DNS suffix; for example, spamcop.net's suffix is bl.spamcop.net, and spamhaus is zen.spamhaus.org. Leave the Custom Error Message to Return field blank, since it will return an email in the form of {Sender IP Address} has been blocked by {Display Name}....
Now that we have created the filter, we need to tell Exchange to use it. Drill down into Servers, {Servername}, Protocols, SMTP and right-click on Default SMTP Virtual Server and select Properties
On the General tab, choose Advanced
Highlight All Unassigned and choose Edit
Check the box Apply Connection Filter, and click OK until you're back to Server Management
That's all there is to it, two layers are better than one!
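What the connection filter asks each provider can be reproduced by hand, which is useful for checking why a given sender was rejected. The following is an added example, not code from the original article or from Exchange; the function names, the fake resolver and the 192.0.2.x zone data are constructed for illustration, and only the two DNS suffixes come from the text above.

```python
import ipaddress
import socket

# Display names and DNS suffixes as given in the article.
PROVIDERS = {"SpamCop": "bl.spamcop.net", "Spamhaus": "zen.spamhaus.org"}
LISTED = ipaddress.ip_network("127.0.0.0/8")       # listing answers live here
ERRORS = ipaddress.ip_network("127.255.255.0/24")  # Spamhaus error answers, not listings

def dnsbl_query_name(ip, suffix):
    """Reverse the IPv4 octets and append the provider's DNS suffix."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this sketch")
    return ".".join(reversed(str(addr).split("."))) + "." + suffix.strip(".")

def system_resolver(name):
    """A records for name; empty list on NXDOMAIN (the 'not listed' answer)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check_sender(ip, resolve=system_resolver, providers=PROVIDERS):
    """Return {display name: [return codes]} for every list that has the IP."""
    hits = {}
    for display_name, suffix in providers.items():
        codes = []
        for answer in resolve(dnsbl_query_name(ip, suffix)):
            a = ipaddress.ip_address(answer)
            # Count only genuine listing codes; a wildcard, hijacked or
            # error answer must not turn into a block.
            if a in LISTED and a not in ERRORS:
                codes.append(answer)
        if codes:
            hits[display_name] = codes
    return hits

# Constructed zone data so the example runs offline (192.0.2.0/24 is documentation space).
FAKE_ZONE = {
    "25.2.0.192.bl.spamcop.net": ["127.0.0.2"],
    "25.2.0.192.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"],
    "30.2.0.192.zen.spamhaus.org": ["127.255.255.254"],  # error answer
    "31.2.0.192.bl.spamcop.net": ["203.0.113.9"],        # not in 127/8
}

def fake_resolver(name):
    return FAKE_ZONE.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.30", "192.0.2.31", "192.0.2.40"):
        print(ip, check_sender(ip, resolve=fake_resolver) or "not listed")
```

Calling check_sender with the default resolver queries the real lists; an answer in the error range means the lookup itself failed and says nothing about the sender.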
Add the SCL rating to the archived message:
Open Registry Editor.
Note: As always, before making changes to your registry, make sure you have a valid backup. In cases where you're supposed to delete or modify keys or values from the registry, it is possible to first export that key or value(s) to a .REG file before performing the changes.
In Registry Editor, navigate to the following registry key: