
Understanding Exchange Server Intelligent Message Filter

 

Topic Last Modified: 2007-01-19

This topic provides an overview of Microsoft® Exchange Server Intelligent Message Filter. This topic also explains how Intelligent Message Filter works in an Exchange Server organization on Exchange gateway servers and on Exchange mailbox stores.

Intelligent Message Filter is based on patented machine learning technology from Microsoft Research. During its development, Intelligent Message Filter learned distinguishing characteristics of legitimate e-mail messages and unsolicited commercial e-mail (UCE). This learning was based on e-mail messages submitted by Microsoft partners and classified as either legitimate messages or UCE.

Based on the characteristics of millions of messages, Intelligent Message Filter recognizes indicators of both legitimate messages and UCE messages. Intelligent Message Filter can accurately assess the probability that an incoming e-mail message is either a legitimate message or UCE. Unlike many other filtering technologies, Intelligent Message Filter uses characteristics from a statistically sound sample of e-mail messages. In addition to UCE, the inclusion of legitimate messages in this sample reduces the chance of mistakes. Because Intelligent Message Filter recognizes characteristics of both legitimate and UCE messages, the accuracy of Intelligent Message Filter is increased.

In a typical Exchange Server 2003 topology, e-mail servers that are connected to the Internet are deployed at the Internet perimeter and are isolated from the enterprise intranet. These e-mail servers (known as gateway servers) accept incoming Internet e-mail messages and forward these messages to the appropriate mailbox server. Generally, gateway servers do not contain user mailboxes. However, in smaller organizations, a gateway server may also contain user mailboxes. Intelligent Message Filter is installed on these gateway servers to filter incoming Internet e-mail messages. If you use a non-Microsoft e-mail system as your Internet gateway server, you should enable Intelligent Message Filter on the Exchange bridgehead server that accepts incoming Internet e-mail messages from your gateway servers.

A typical Exchange Server 2003 topology is shown in the following figure.

Exchange server topology with Intelligent Message

When an external user sends e-mail messages to an Exchange server that has Intelligent Message Filter enabled, Intelligent Message Filter evaluates the textual content of each message and assigns the message a rating based on the probability that the message is UCE. This rating is stored with the message itself as a message property called a spam confidence level (SCL) rating. The rating persists with the message when the message is sent to other Exchange servers.

An administrator sets two thresholds that determine how Intelligent Message Filter handles e-mail messages that have various SCL ratings: a gateway threshold with an associated action to take on messages greater than this threshold, and a mailbox store threshold. If a message has a rating that is greater than or equal to the gateway threshold, Intelligent Message Filter takes the action specified. If the message has a rating lower than the gateway threshold, the message is sent to the Exchange mailbox store of the recipient. At the Exchange mailbox store, if the message has a rating greater than the mailbox store threshold, the mailbox store delivers the message to the user's Junk E-mail folder instead of to the Inbox.

Exchange 2003 provides a set of filtering features, which are also used to reduce UCE. These features are sender, recipient, and connection filtering. Each of these Exchange filters is checked during the SMTP session, when a connecting SMTP server tries to send e-mail messages to an Exchange server. Intelligent Message Filter is applied after the SMTP session. E-mail messages filtered by recipient, sender, or connection filtering are handled individually and do not go through Intelligent Message Filter.

On the client side, Microsoft Office Outlook® 2003 and Microsoft Office Outlook® Web Access for Exchange Server 2003 let users create a list of safe senders from whom they always want to accept e-mail messages and a list of blocked senders from whom they always want to reject e-mail messages. At the mailbox store, regardless of the SCL rating assigned to the message, Exchange delivers all messages from safe senders to the user's Inbox and all messages from blocked senders to the user's Junk E-mail folder. However, if the e-mail message has been blocked by the gateway threshold, it is not delivered to the user's Inbox because it is never delivered to the mailbox store.

If a user is running an earlier version of Outlook than 2003, the Safe Senders and Blocked Senders lists cannot be modified from that e-mail client. However, these lists can be modified using Outlook Web Access 2003. If Outlook Web Access 2003 is used in this manner to enable junk e-mail filtering, messages where the sender is on the Blocked Senders list or messages that are marked as UCE will be delivered to the user's Junk E-mail folder. Messages marked as UCE whose sender is on the Safe Senders list will be delivered to the user’s Inbox. If Outlook Web Access 2003 has not been used to enable junk e-mail filtering, every message, including those marked as UCE, is delivered directly to the user's Inbox.

The following figure shows how Intelligent Message Filter works with these Exchange and Outlook features.

Message flow with Intelligent Message Filter

As shown in the figure, filters are applied in the following order:

  1. An SMTP server connects to Exchange and initiates an SMTP session.
  2. During the SMTP session, Exchange applies connection filtering using the following criteria:
    1. Connection filtering checks the global accept list. If an IP address is on the global accept list, no other connection, recipient, or sender filtering is applied, and the message is accepted.
    2. Connection filtering checks the global deny list. If the IP address of the sending server is found on the global deny list, the message is automatically rejected and no other filters are applied.
    3. Connection filtering checks the real-time block lists of any providers that you have configured. If the sending server's IP address is found on a block list, the message is rejected and no other filters are applied.
  3. After connection filtering is applied, Exchange checks the sender address (the P1 information specified in the SMTP conversation by the RFC 2821 MAIL FROM command) against the list of senders that you configured in sender filtering. If a match is found, Exchange rejects the message and no other filters are applied.
  4. Exchange checks the recipient against the recipient list that you have configured in recipient filtering. If the intended recipient matches an e-mail address that you filter, Exchange rejects the message and no other filters are applied.
  5. After this action (if enabled), Exchange checks and filters recipients who are not in the directory (Directory Lookups).
  6. After recipient filtering is applied, Exchange checks the resolved sender address (the P2 data from RFC 2822 headers) against the Blank Sender. If a match is found, Exchange filters the message based on the options that you configured and no other filters are applied.
  7. Sender ID filter is applied (if enabled) before Intelligent Message Filter.
  8. If a message is not filtered by connection, recipient, or sender filtering, Intelligent Message Filter is applied, and one of two actions occurs at the gateway:
    • If Intelligent Message Filter assigns the message an SCL rating that is greater than or equal to your gateway threshold, Intelligent Message Filter takes the appropriate gateway action.
    • If Intelligent Message Filter assigns the message an SCL rating that is lower than your gateway threshold, the message is passed to the Exchange server that has the user's mailbox store.
  9. If a user is using Outlook 2003 or Outlook Web Access with Exchange 2003, the user's mailbox store compares the message's SCL rating with the store threshold you configured, and one of two things occurs:
    • If the message rating is lower than or equal to the store threshold, the mailbox store checks the user's blocked senders list configured in Outlook or Outlook Web Access, and one of two things occurs:
      • If the sender of the message is not on a blocked senders list configured in Outlook or Outlook Web Access, or if a blocked senders list is unavailable or undefined, the message is delivered to the recipient's Inbox.
      • If the sender appears on the blocked senders list configured in Outlook or Outlook Web Access, the message is delivered to the user's Junk E-mail folder.
    • If the message rating is greater than the store threshold, the mailbox store checks the user's safe senders list configured in Outlook or Outlook Web Access, and one of two things occurs:
      • If the sender appears on the safe senders list, the message is delivered to the recipient's Inbox.
      • If the sender does not appear on the safe senders list, or if a safe senders list is unavailable or undefined, the message is delivered to the recipient's Junk E-mail folder.
Important:
If users are using versions of Outlook earlier than Outlook 2003, the mailbox store thresholds have no effect and messages that are filtered in step 9 are instead delivered to the users' Inboxes. However, if clients can access e-mail using Outlook Web Access 2003, the store thresholds are applied as described in step 9.
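
The filter order in steps 2 through 9, modelled as an added Python example (it is not Exchange code and not part of the original topic). The dictionary keys, addresses and the threshold values 8 and 5 are constructed for illustration; steps 5 to 7 are omitted, and the model assumes that accept-listed connections still reach Intelligent Message Filter, which the topic does not state either way.

```python
# Added illustration: a model of the filter order in steps 2-9, not Exchange code.
# All names, addresses and threshold values are constructed for this example.

def smtp_session_filters(msg, cfg):
    """Steps 2-4: return the filter that rejects msg, or None if it is accepted."""
    ip = msg["ip"]
    if ip in cfg["accept_ips"]:       # step 2.1: skips the remaining checks here
        return None
    if ip in cfg["deny_ips"]:         # step 2.2
        return "connection (global deny list)"
    if ip in cfg["rbl_hits"]:         # step 2.3, stand-in for a block list lookup
        return "connection (block list)"
    if msg["mail_from"] in cfg["filtered_senders"]:      # step 3, P1 sender
        return "sender"
    if msg["rcpt_to"] in cfg["filtered_recipients"]:     # step 4
        return "recipient"
    return None

def store_delivery(scl, sender, cfg, safe, blocked, junk_filtering=True):
    """Step 9 and the Important note: choose the folder at the mailbox store."""
    if not junk_filtering:            # pre-2003 Outlook and OWA 2003 not used
        return "Inbox"
    if scl > cfg["store_threshold"]:  # strictly greater than the store threshold
        return "Inbox" if sender in safe else "Junk E-mail"
    return "Junk E-mail" if sender in blocked else "Inbox"

def route(msg, cfg, safe=(), blocked=(), junk_filtering=True):
    """Return (stage, outcome) for one message."""
    rejected_by = smtp_session_filters(msg, cfg)
    if rejected_by:
        return ("smtp", "rejected by " + rejected_by)
    # Steps 5-7 (directory lookup, blank sender, Sender ID) are left out.
    # Assumption: accept-listed connections still reach step 8.
    if msg["scl"] >= cfg["gateway_threshold"]:   # greater than or equal
        return ("gateway", cfg["gateway_action"])
    return ("store", store_delivery(msg["scl"], msg["from_header"], cfg,
                                    safe, blocked, junk_filtering))

CFG = {"accept_ips": {"192.0.2.10"}, "deny_ips": {"198.51.100.7"},
       "rbl_hits": {"203.0.113.5"}, "filtered_senders": {"bulk@example.net"},
       "filtered_recipients": {"old-alias@example.com"},
       "gateway_threshold": 8, "gateway_action": "gateway action taken",
       "store_threshold": 5}

def sample(scl, ip="192.0.2.99", sender="news@example.org"):
    """Build one constructed message with the given SCL rating."""
    return {"ip": ip, "mail_from": sender, "from_header": sender,
            "rcpt_to": "user@example.com", "scl": scl}
```

Calling `route(sample(8), CFG)` and `route(sample(5), CFG)` shows the boundary difference: the gateway acts at a rating equal to its threshold, while the store sends a message to Junk E-mail only when the rating exceeds the store threshold.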
 