Planning Your Exchange Server Intelligent Message Filter


Topic Last Modified: 2007-01-19

Microsoft® Exchange Intelligent Message Filter is designed to identify messages that are likely to be unsolicited commercial e-mail (UCE). When administrators use Intelligent Message Filter, they can filter these messages by deleting, archiving, or rejecting them at the gateway, or moving them to a user's Junk E-mail folder on a mailbox store.

To filter UCE effectively, you must deploy Intelligent Message Filter on the Exchange gateway servers that accept incoming Internet e-mail messages. Additionally, Intelligent Message Filter must be enabled on each SMTP virtual server that accepts Internet e-mail messages on the Exchange gateway servers.

If you use non-Microsoft e-mail servers at the gateway to accept Internet e-mail messages, you must deploy Intelligent Message Filter on the Exchange bridgehead servers that accept incoming Internet e-mail messages from the non-Microsoft gateway servers. Additionally, you must enable Intelligent Message Filter on each SMTP virtual server that is accepting Internet e-mail messages on the Exchange bridgehead servers.

Intelligent Message Filter is not supported on either of the following:

  • Exchange 2000 Server or earlier servers

  • Exchange Server 2003 clusters

Dictionary attacks are brute force attacks that try common words and passwords against well-known accounts, such as the administrator account, until one succeeds. Against an SMTP gateway, the attacker drives the guesses through the SMTP AUTH command, so every authentication mechanism the inbound virtual server advertises is an attack surface.

To help protect your SMTP gateway servers from dictionary attacks, disable all forms of authentication on the inbound SMTP virtual servers that accept Internet mail, leaving only anonymous access enabled (anonymous access is all that inbound Internet mail requires). Because no authentication is permitted, malicious users cannot use dictionary attacks to discover passwords and then authenticate to your computer to relay mail or perform other unauthorized actions. Until authentication is disabled, watch the SMTP protocol logs of the gateway for bursts of failed AUTH commands from a single client address; a success from that same address after a burst of failures means a password has probably been guessed.
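The detection described above, as an added example that is not part of the original article: it reads an IIS SMTP protocol log in W3C extended format, taking the column order from the `#Fields:` header so that a differently configured log still parses, and flags any client address that produces a burst of failed AUTH commands (reply 535) inside a sliding window, recording a later 235 (authentication succeeded) from the same client as a probable compromised credential. The log lines are constructed for the example, and the assumption that the SMTP verb appears in `cs-method` and the reply code in `sc-status` is the author's; check it against your own `#Fields:` line.

```python
"""Flag SMTP AUTH dictionary attacks in an IIS/Exchange 2003 SMTP protocol log (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in W3C extended format (not a real capture). The field
# order is read from the #Fields: header, so real logs with another order parse too.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-01-19 08:00:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2007-01-19 08:00:01 203.0.113.7 - SMTPSVC1 GATEWAY1 192.0.2.10 25 EHLO - +scanner.invalid 250
2007-01-19 08:00:01 203.0.113.7 - SMTPSVC1 GATEWAY1 192.0.2.10 25 AUTH - LOGIN 535
2007-01-19 08:00:02 203.0.113.7 - SMTPSVC1 GATEWAY1 192.0.2.10 25 AUTH - LOGIN 535
2007-01-19 08:00:03 203.0.113.7 - SMTPSVC1 GATEWAY1 192.0.2.10 25 AUTH - LOGIN 535
2007-01-19 08:00:04 203.0.113.7 - SMTPSVC1 GATEWAY1 192.0.2.10 25 AUTH - LOGIN 535
2007-01-19 08:00:05 203.0.113.7 - SMTPSVC1 GATEWAY1 192.0.2.10 25 AUTH - LOGIN 535
2007-01-19 08:00:06 203.0.113.7 administrator SMTPSVC1 GATEWAY1 192.0.2.10 25 AUTH - LOGIN 235
2007-01-19 08:05:00 198.51.100.4 - SMTPSVC1 GATEWAY1 192.0.2.10 25 EHLO - +mail.partner.example 250
2007-01-19 08:05:01 198.51.100.4 - SMTPSVC1 GATEWAY1 192.0.2.10 25 AUTH - LOGIN 535
2007-01-19 08:09:30 198.51.100.4 partner.relay SMTPSVC1 GATEWAY1 192.0.2.10 25 AUTH - LOGIN 235
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # cannot map this record onto the header; skip it
        yield dict(zip(fields, values))


def find_dictionary_attacks(text, max_failures=5, window=timedelta(minutes=1)):
    """Return {client_ip: summary} for clients that look like dictionary attackers.

    A client is flagged once at least `max_failures` AUTH commands get a 535
    reply inside any `window`. A later 235 reply from a flagged client is
    recorded under "success_as" with the account name the log shows.
    """
    recent = defaultdict(deque)   # c-ip -> timestamps of 535 replies still inside the window
    alerts = {}
    for rec in parse_w3c(text):
        if rec["cs-method"] != "AUTH":
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        ip = rec["c-ip"]
        if rec["sc-status"] == "535":
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()           # drop failures that fell out of the window
            if len(q) >= max_failures:
                entry = alerts.setdefault(ip, {"failures": 0, "success_as": None})
                entry["failures"] = max(entry["failures"], len(q))
        elif rec["sc-status"] == "235" and ip in alerts:
            alerts[ip]["success_as"] = rec["cs-username"]
    return alerts


if __name__ == "__main__":
    for ip, summary in find_dictionary_attacks(SAMPLE_LOG).items():
        print(ip, summary)
```

On the constructed log this reports only 203.0.113.7 (five failures in four seconds, then a success as administrator); the partner relay's single typo-style failure followed by a success minutes later stays below the threshold. Tune `max_failures` and `window` to the rate of legitimate failures you see on your own gateway.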

To disable authentication on your SMTP virtual server
  1. In Exchange System Manager, expand Servers, expand <your inbound Exchange server>, expand Protocols, and then expand SMTP.

  2. Right-click the inbound SMTP virtual server, and then click Properties.

  3. Click the Access tab, and then click Authentication.

  4. In Authentication, clear the Basic authentication and Integrated Windows Authentication check boxes, and leave Anonymous access selected so that the virtual server can still accept Internet mail.

    Authentication dialog box


If you cannot disable authenticated access on your SMTP virtual server for business reasons, such as a partner company authenticating, follow these steps to increase security on your gateway server:

  • Enforce a strong password policy for all user accounts, specifically the administrator account.

  • Disable the guest account. For more information about disabling this account, see Microsoft Knowledge Base article 320053, "HOW TO: Rename the Administrator and Guest Account in Windows 2000." Although this article applies to Microsoft Windows® 2000 Server, similar principles apply for Microsoft Windows Server® 2003.

In a multiple forest topology where an Internet bridgehead server in one forest accepts e-mail messages for users in another forest, you must enable cross-forest authentication for the spam confidence level (SCL) rating to be sent between forests.

Enabling cross-forest authentication also allows users in each forest to resolve to their display names in the global address list (GAL). To prevent spoofing (forging identities), Exchange Server 2003 requires authentication before a sender's name is resolved to its display name in the GAL. In an organization that spans two forests, a user who sends e-mail messages from one forest to another forest is, by default, not authenticated in the destination forest, so the user's name is not resolved to a display name in the GAL, even if the user exists as a contact in the destination forest, until authentication is enabled.

To enable cross-forest SMTP authentication, you must create connectors in each forest that use an authenticated account from the other forest. After you create these connectors, when e-mail messages are sent between the two forests, the extended properties of the messages are also sent, which allows the SCL rating to be passed to the appropriate mailbox store in the destination forest. (Exchange Server 2003 transfers these extended properties with its XEXCH50 SMTP extension, which it accepts only on an authenticated session; on an anonymous session the properties, and with them the SCL rating, are dropped.)

Consider a two-forest environment for A. Datum Corporation and Fabrikam, Inc. Users in the Adatum forest exist as contacts in the Fabrikam forest, and users in the Fabrikam forest exist as contacts in the Adatum forest. The following sections describe how to set up cross-forest authentication in these steps.

  1. Create an account in the Fabrikam forest that has Send As permissions. (Every Adatum user also exists as a contact in the Fabrikam forest, so this one account allows messages from Adatum users to be sent as those contacts.) Configure these permissions on all Exchange servers that will accept incoming e-mail messages from Adatum.

  2. On an Exchange server in the Adatum forest, create a connector that requires authentication using this account to send outbound e-mail messages.

Similarly, to set up cross-forest authentication from the Fabrikam forest to the Adatum forest, repeat these steps, creating the account in Adatum and the connector in Fabrikam.

Before you set up your connector in the connecting forest, you must create an account in the destination forest (the forest to which you are connecting) that has Send As permissions. Configure these permissions on all servers in the destination forest that will accept inbound connections from the connecting forest. The following procedures show you how to set up an account in the Fabrikam forest and a connector in the Adatum forest. This allows users in the Adatum forest to send e-mail messages to the Fabrikam forest with resolved e-mail addresses.

To create the account used for cross-forest authentication
  1. In the destination forest (in this case, the Fabrikam forest), create a user account in Active Directory Users and Computers. This account must be an active account, but it does not need the Log on locally or Log on through Terminal Services user rights; use a dedicated account for this purpose rather than an existing user's or administrator's account, because its password is stored on the connector in the other forest.

    Be careful when you create the password policy. If you set the password to expire, ensure that you have a policy in place that changes the password (on both the account and the connector) before its expiration date. If the password for this account expires, cross-forest authentication will fail.

  2. On each Exchange server that will accept incoming connections from the connecting forest, configure Send As permissions for this account:

    • Start Exchange System Manager.

    • In the console tree, expand Servers, right-click an Exchange server that will accept incoming connections from the connecting forest, and then click Properties.

    • In <Server Name> Properties, on the Security tab, click Add.

    • In Select Users, Computers, or Groups, add the account you just created, and then click OK.

    • On the Security tab, under Group or user names, select the account.

    • Under Permissions, next to Send As, select the Allow check box.

      Allowing the Send As permission


After you create the account with the correct permissions in the destination forest, create a connector in the connecting forest and require authentication using the account you just created. In the following procedure, assume that you are creating a connector on an Exchange server in the Adatum forest that connects to the Fabrikam forest.

To configure a connector and require authentication for cross-forest authentication
  1. Start Exchange System Manager.

  2. In the console tree, right-click Connectors, point to New, and then click SMTP Connector.

  3. On the General tab, in the Name box, type a name for the connector.

  4. Click Forward all mail through this connector to the following smart hosts, and then type the fully qualified domain name or IP address of the receiving bridgehead server. If you type an IP address, enclose it in square brackets (for example, [192.0.2.20]) so that Exchange does not try to resolve it as a host name.

  5. Click Add to select a local bridgehead server and SMTP virtual server to host the connector.

    The General tab in the SMTP connector's Properties dialog box

  6. On the Address Space tab, click Add, select SMTP, and then click OK.

  7. In Internet Address Space Properties, type the domain of the forest to which you want to connect, and then click OK. In this example, because the connector is sending from the Adatum forest to the Fabrikam forest, the address space matches the domain for the Fabrikam forest.

    The Internet Address Space Properties dialog box


    Exchange will now route all e-mail messages addressed to that address space (the Fabrikam forest) through this connector.

  8. On the Advanced tab, click Outbound Security.

  9. Click Integrated Windows Authentication.

    The Integrated Windows Authentication button in the Outbound Security dialog box

  10. Click Modify.

  11. In Outbound Connection Credentials, in the Account, Password, and Confirm password boxes, specify the account in the destination forest (in this case, Fabrikam) that you created with Send As permissions. Use the following format for the account name: domain\username, where:

    • domain is a domain in the destination forest.

    • username represents an account in the destination forest with Send As permissions on all Exchange servers in the destination forest that will accept e-mail messages from this connector.

    The Outbound Connection Credentials dialog box

  12. Click OK.
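A way to verify both halves of this article's authentication configuration from the wire, as an added example that is not part of the original article: an inbound gateway whose Basic and Integrated Windows Authentication have been disabled (the earlier "To disable authentication on your SMTP virtual server" procedure) must no longer advertise any AUTH mechanism in its EHLO reply, while the destination-forest bridgehead that the connector above points at must advertise AUTH NTLM, or Integrated Windows Authentication on the connector cannot succeed. The code parses an EHLO reply into a keyword-to-parameters map (the same parsing smtplib performs into `esmtp_features`), applies the two expectations, and can run the check live over the network with `live_ehlo`. The two EHLO replies are constructed for the example in the shape Exchange 2003 replies take; the host names `gateway1.adatum.example` and `mail.fabrikam.example` are assumptions.

```python
"""Check what an Exchange 2003 SMTP virtual server advertises in its EHLO reply (added example)."""
import smtplib

# Constructed EHLO replies, not captured from a real server: the greeting line,
# then one extension per line, as smtplib.SMTP.ehlo() returns the reply text.
GATEWAY_REPLY = b"""gateway1.adatum.example Hello [203.0.113.7]
TURN
SIZE
ETRN
PIPELINING
DSN
ENHANCEDSTATUSCODES
8bitmime
BINARYMIME
CHUNKING
VRFY
X-LINK2STATE
XEXCH50
OK"""

BRIDGEHEAD_REPLY = b"""mail.fabrikam.example Hello [192.0.2.11]
TURN
SIZE
ETRN
PIPELINING
DSN
ENHANCEDSTATUSCODES
8bitmime
BINARYMIME
CHUNKING
VRFY
AUTH GSSAPI NTLM LOGIN
AUTH=LOGIN
X-LINK2STATE
XEXCH50
OK"""


def parse_ehlo(reply_text):
    """Map each advertised ESMTP keyword (upper-cased) to its list of parameters.

    The legacy "AUTH=LOGIN" form is folded into the AUTH entry so that both
    spellings Exchange 2003 emits land under one key.
    """
    text = reply_text.decode() if isinstance(reply_text, bytes) else reply_text
    extensions = {}
    for line in text.splitlines()[1:]:          # line 0 is the server's greeting
        parts = line.strip().replace("AUTH=", "AUTH ", 1).split()
        if not parts:
            continue
        params = extensions.setdefault(parts[0].upper(), [])
        params.extend(p for p in parts[1:] if p not in params)
    return extensions


def audit(extensions, expect_auth):
    """Return findings (empty list = as expected) for an inbound Internet gateway
    (expect_auth=False) or a destination-forest bridgehead (expect_auth=True)."""
    findings = []
    mechanisms = [m.upper() for m in extensions.get("AUTH", [])]
    if expect_auth:
        if "NTLM" not in mechanisms:
            findings.append("AUTH NTLM not advertised; Integrated Windows Authentication "
                            "on the connector will fail")
    elif mechanisms:
        findings.append("AUTH still advertised (%s); authentication was not disabled"
                        % " ".join(mechanisms))
    return findings


def live_ehlo(host, port=25, helo_name="audit.example", timeout=10):
    """Connect to host and return its parsed EHLO extensions (needs network access)."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        code, reply = conn.ehlo(helo_name)
        if code != 250:
            raise RuntimeError("EHLO rejected: %d %r" % (code, reply))
        return parse_ehlo(reply)


if __name__ == "__main__":
    print("gateway:", audit(parse_ehlo(GATEWAY_REPLY), expect_auth=False) or "ok")
    print("bridgehead:", audit(parse_ehlo(BRIDGEHEAD_REPLY), expect_auth=True) or "ok")
```

Run `audit(live_ehlo("gateway1.adatum.example"), expect_auth=False)` from an Internet-facing host after the inbound procedure, and `audit(live_ehlo("mail.fabrikam.example"), expect_auth=True)` from the Adatum bridgehead that hosts the connector; an empty list means the advertised mechanisms match the configuration the article describes. Note that XEXCH50 appears in both replies: Exchange 2003 advertises it regardless of the authentication settings, and only rejects its use on an unauthenticated session.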

