Exchange 2003 Server SP2 rounds out the anti-spam capabilities of Exchange Server 2003. With addition of Sender ID and IMF filters Exchange server is now capable of protecting an Exchange organization from many spam attack vectors. The flexible, reliable, and robust Exchange 2003 anti-spam framework proved to be very effective and instrumental in protecting Microsoft IT infrastructure from Unsolicited Commercial E-Mail (UCE). However, the anti-spam solution offered by Exchange 2003 SP2 would not be complete without regular updates to the filter and spam definitions.  Spammers constantly change tactics to find new ways to penetrate anti-spam defenses.  And while spam attack vectors become obsolete rather quickly, it is necessary to keep track of them to prevent potential future ‘re-use’ of the attack scheme.  All of this means that getting new spam definitions into production e-mail environments is truly imperative.   

 

The regular updates to the Intelligent Message Filter (IMF) will allow administrators to place the newest spam definitions onto mail processing Exchange Servers. 

 

The regular IMF updates functionality can be enabled on Exchange 2003 SP2 servers that have IMF turned on (meaning these servers process inbound Internet mail).  To make the functionality available on the server, new ContentFilterState registry key with the DWORD value 1 must be created under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange.  The registry entry should look similar to this:

 

 

After you create this registry key, the next step would be to go to the Microsoft Update website and select the “Custom” button to scan for IMF Updates package (as shown below):

 

 

IMF Updates detection logic will detect the key and offer the package.  

 

Both the regular IMF updates and the Exchange Intelligent Message Filter itself are language agnostic and supported on all Exchange Server languages.

 

The update mechanism will maintain the last three versions of the IMF data and binary files on the Exchange 2003 that the updates are being applied to.  Once installed, the IMF update package will appear in Add/Remove Programs under the following name: “Update for Intelligent Message Filter on Exchange Server 2003: 2005.12.09 (KB907747)”.  You should see an entry in the ‘Add or Remove Programs’ (ARP) Control Panel similar to the below:

 

 

If you look closely at the name, you will see that ‘2005.12.09’ corresponds to the date when the package was released.  Over the course of the regular update cycle, this date will change while the name/number of the KB itself ‘(KB907747)’ will remain intact.  For example, for the package released on January 18th 2006, the full name will be: “Update for Intelligent Message Filter on Exchange Server 2003: 2006.1.18 (KB907747)”. 

 

The IMF update package can be uninstalled through the Add or Remove Programs Control Panel.  Removing an update package will trigger Exchange 2003 SP2 IMF binary registration, which will cause the server to use the IMF update binary that was shipped in the original SP2 package.  Uninstalling the IMF updates package will remove the Add/Remove Programs entry, delete an appropriate registry key for the update, and re-register the SP2 IMF binary.  However, as I said earlier, the IMF updates installer will maintain the three most recent last packages on the system.  An actual directory structure should be similar to the below:

 

 

It is important to understand that these directories will remain on the system intact and will be available for manual registration if needed so that, for example, you could remove the current package through Add/Remove Programs and run IMF using the previous package.  Corresponding KB907747 goes into great details how to achieve this.

 

You may be wondering about the frequency IMF updates…  The good news is that updates will be offered every first and third Wednesday of the month!  IMF updates will be available not only through manual installation but also via scheduled Automatic Updates (AU)!  The updates are cumulative (as they incorporate the latest spam definitions and data derived from the continuous learning and feedback loop processes), classified as Rollup Updates, and will be available for WSUS and SMS distributions!  The bottom line is that the IMF Updates will be available through Microsoft Update technologies and the method of implementing an update – e.g. manual, Automatic Update, SMS, etc. – is flexible. 

 

IMF updates will only be supported on Exchange 2003 SP2 servers with IMF enabled.  For the updates to take effect, IMF updates installer will restart IISADMIN, so the best time to apply updates will be the time when the least amount of mail traffic is expected (e.g. during the night).  The IMF updates installer will always offer the DAT and binary files to keep the Exchange IMF server implementation up to date with the latest anti-spam protection.  IMF is not supported on Exchange clusters and as such IMF updates will not be offered for Exchange clusters.  To summarize IMF updates offerings in a few words:

 

  1. IMF updates are twice per month
  2. IMF updates are only supported on Exchange 2003 Servers with SP2 where IMF is enabled 
  3. IMF updates are supported on all Exchange server languages
  4. IMF updates are available from Microsoft Update via both manual and AU
  5. IMF updates supports uninstall through Add/Remove Programs and manual rollback

- Alexander Nikolayev