IMF Tune Server Manual - WinDeveloper Software
Contents
1. Addresses or Domains ls Specify address or domain Add Address Domain list imftune com support windeveloper com Remove eet Page 126 User Manual WinDeveloper Software Ltd 4 12 2 3 Keyword Expression Based Conditions Most condition types perform a text matching operation supporting keyword expressions Thus the AND OR NOT operators and double quotes have a special meaning These conditions include the words link in their name Following the link brings a list interface where keyword expressions may be entered Words Specify words or phrases ada Search list pills pharmacy l Remove Although supported for consistency complicated expressions are normally not necessary when configuring Advanced Rules Keyword expressions were discussed in detail in Constructing Search Expressions This section helps appreciating these points e The AND operator is always implied when entering multiple keywords e The effect of the OR operator can be achieved by entering multiple list entries e The NOT operator can be avoided by using the Exception list Keep in mind that exceptions always produce the opposite effect of conditions Conditions must be matched whereas exceptions must NOT be matched Page 127 User Manual WinDeveloper Software Ltd 4 12 2 4 Custom Standard Header Conditions Configuring conditions for custom and standard headers involve similar steps2. From lt support windeveloper com gt Date Time 27 12 2010 20 34 14 To lt user1 imftune com gt Subject Re What s new in IMF Tune v5 6 Initial SCL 5 Final SCL whitelisted Matches 2 Header Expression Source Body Subject imftune OR imf tune What s new in IMF Tune v5 6 Operation set SCL to whitelisted support windeveloper com Operation set SCL to whitelisted Note how the header name is shown as Sender AWL And this is how the same match is shown at the Moderator Reporting Web Interface WinDeveloper ZR IMF Tune inDeveloper Sign ou E mails General Spzm Detection Report Detaled Spam Detection Report Ny Account T o Tine Rein Summary All Headers SMTP Protocol Keywords Report IMF Tune Processing Keyword Reporting From esupport windevelopercom gt Date Time 12 27 20008 4PM To eusert imiunecom gt o Subject Re WhatsnewinIMFTuevS6 O O S Initial sce FS Final SCL Whitelisted Matches pi Header Expression Sender AWL support windeveloper com Operation set SCL to Whitelisted Header Expression Body Subject imftune OR imf tune What s new in IMF Tune v5 6 Operation set SCL to Whitelisted Page 60 User Manual WinDeveloper Software Ltd The Moderator Reporting Web Interface will also identify Auto Whitelist matches at the Keyword Performance report under Detailed Spam Detection Report Here we can see a couple of addresses being matched WinDevelope
3. amp fa IMF Tune Configuration 848 Email Handling m Auto Reply Specify automatic reply options for email based on their Spam Confidence Level SCL rating Th Add HE Remove E Edit Profle Assigned SCL Auto Reply 3 4 Page 40 User Manual WinDeveloper Software Ltd 4 4 1 Auto Reply Profiles Auto Reply options are grouped into Profiles Each of these includes 1 Profile Display Name 2 Auto Reply email properties including sender subject and email body text 3 SCL ratings to which the profile settings are to be applied General SCL Profile name ActoReply From admin windeveloper com Subject wl Set original subject as the reply subject Body The mail was not delivered ts content was classtied as breaching the company policy regerds Administrator Choose the SCL values you want to assign this profile to The disabled SCLs are already in use by other profiles Unprocessed F Whitelisted E SCLO FI SCL4 F SCL2 Y SCL3 V SCL 4 El SCL5 F SCL6 F SCL7 SCL 8 Fi SCL9 E Blacklisted Page 41 User Manual WinDeveloper Software Ltd 1 3 At the From edit box specify an SMTP email address This will be set as the auto reply sender Alternatively we may select a user from Active Directory by clicking on the Users button Select User Select this object type User From this locat
4. Clicking Next we move to the Conditions configuration page Here we find various condition types that may be activated by setting the adjacent checkbox An email must satisfy all of the selected conditions in order for the rule to be matched Page 118 User Manual WinDeveloper Software Ltd PDF ZIP FDF spam Rules Wizard Condition a From the list below select and tick the items that you wish to set up as the rule conditions B g gt d it domains _ Sent to recipient addresses or domains C Total number of recipients is within range Subject contains words _ Body contains words C Body or Subject contains words Standard header s are present and not empty _ Standard header s contain words C Custom headeris are present and not empty _ Custom header s contain words m Email has NO body text Email contains HTML body _ Email contains attachments _ Attachment name contains words 5 Attachment name is exacily matches fdt OR zip OR pdf C Email character set matches words _ Content media type matches words C Sending host matches IPs or subnets B Email size is less or equal to 40KB LJ Received time is within range _ Spam Confidence Level SCL is within range C SMTP protocol HELO EHLO command contains words X CEJ lie jfc Most conditions necessitate the configuration of additional properties These include a link within the condition description that when clicked provide ac
5. Process if at least one recipient matches domain list Process only if all recipients match the domain list For this purpose IMF Tune provides a list interface where to enter the domains 1 Select Process emails addressed to specific domains to activate the domain list 2 Click on the Add button to specify local domains in the format domain Here enter all the SMTP domains in use when assigning email addresses to Exchange mailboxes Whenever the local domain list is enabled the licensing logic changes as follows e Only emails addressed to recipients matching one of the local domain list entries are processed e Only mailboxes having an email address matching the local domain list will be counted for licensing purposes Page 172 User Manual WinDeveloper Software Ltd Warning Because of the behavior described above it is important that whenever the local domain list is enabled the list of local domains is not left empty Otherwise IMF Tune won t process any emails The same problem may arise if some or all of the local domains are not included in this list IMF Tune will automatically detect licenses for which configuring the local domains is mandatory Warning dialogs will pop up to alert of this fact In this case it is important to correctly configure the local domain list Otherwise the product may stop processing emails and report that the number of allowed users was exceeded Whenever the loc
6. eeeseseeeeeseeeeesreerreeresressrreresresss 57 4 71 2 Auto Whitelist Exceptions ssesseeeseseeesessessrssresresserssesressersrsereseessrsreesreses 59 4 1 3 Reporting Auto Whitelist Matches sseesseeeseseesessresseereesresrrseresressrseresresss 60 4 7 4 Extracting the List of Auto Whitelisted Addresses seeeeeeeeeeeeeeeeee 62 4 8 Working with Whitelists eeeesseeeeeeeeseesesseessrserestrssrrrresressesereseesseseresressessresees 65 4 8 1 Accept Senders and Accept Recipients Lists eeeeesseeeseeceseeeeeeeeneees 65 4 8 2 Accept Subjects and Accept Bodies Lists ceeceeeseeeesceseseeeenteeeeneeeenes 70 4 8 3 Accept IPS sirpi ress e e eea EOE EEE EEAS TE Ea 71 BS eb Accept Attachments ores e EE EE E 82 4 9 Working with Blacklists ic2cis chscesenctedectesdoceeindicediapebecedeaebedeneastoeieaduceiesealeceuniane 87 4 9 1 Fot ign Spam Blacklist ssion riers risintia esiin 88 4 10 DNS List Filtering Exchange 2007 2010 2013 sesssssseesessrrerrresrrsree 89 4 10 1 DNS Server Configuration ss ccticgsude ctccncsetucedagostvetusasdaaspasb nce neaedeaygecbiciest 90 410 2 DNS IP Test nenesie aer ecules eee E 91 User Manual WinDeveloper Software Ltd 4 TAS DNS URT EIS ec oo adelaide i cies Dash Be oe a ate ee 97 4 OE DNS List Reporting siia ou end agian aes Gam eas ea aoe 102 Aol Simple SC1s Rules tes cates plore a N ties ete aa R R N dates 103 4 11 1 Working with Simple SCL Rules 0 eee eeeeeseceseeeeeeeeaeesnaeeneensee
7. Page 106 User Manual WinDeveloper Software Ltd 4 11 3 1 Identifying the Email Information Type Each SCL Mapping must be processed against some specific piece of information within the analyzed emails The Header SMTP Command combo box lists various email information types PI Simple SCL Mapping Configuration General Details 00090000Q o 0 OO 0 Teo S amp S amp HO Ri amp SRERRERER g RR RRR RE Hn i reise OK Cance lt m The above screenshot shows some of the options available at this list Here entries not identifying email headers are enclosed in triangular brackets The list includes e Remote IP Sender and Recipient Addresses Email bodies Combined Subject Body data Attachment names Various standard email headers Mappings against non standard custom email headers may also be configured In this case just type the header name directly into the combo box Page 107 User Manual WinDeveloper Software Ltd Simple SCL Mapping Configuration General Details Header SMTP Command X SPAM Operation set value to Note that for a single email the sender address may be identified in a number of ways IMF Tune checks all of these locations MAIL FROM protocol address From header Sender header Resent From header Resent Sender header Page 108 User Manual WinDeveloper Software Ltd 4 11 3 2 Choosing a Ma
8. E Edit B Disk Maintenance Name Status Operation SCL SpamHaus enabled increment by 3 GM Block Subjects Gl Block Bodies amp Block Subjects Bodies amp Block Attachments a Block Foreign Spam B ONS Lists DNS Allow IP Lists J Exceptions DNS Block IP Lists Exceptions aa B P SCL Rules BA Simple SCL Rules BA Advanced SCL Rules AR Svtemal SCIP ilee We manage List providers using the Add Remove and Edit buttons Page 97 User Manual WinDeveloper Software Ltd 4 10 3 1 Adding Editing DNS URI List Providers At the DNS Block URI Lists category click Add to open the DNS List Provider configuration dialog V Enable DNS list provider Test Provider name SpamHaus DNS list zone dbl spamhaus org Operation SCL Change increment by l3 Y Return status codes Only these status codes x Add Retum Codes 127 0 0 0 127 255 255 255 The options here are identical to those for DNS Block IP Lists For more details on how to configure the list provider check Adding Editing DNS IP List Providers Page 98 User Manual WinDeveloper Software Ltd 4 10 3 2 DNS URI List Provider Testing From the DNS List Provider configuration dialog we can also submit test queries At the DNS Block URI Lists category click Edit to open one of the configured List Providers or click Add and configure a new one Next click the Test button
9. Gl Blackiists g Biock IPs g Block Senders GM Block Recipierts gi Block Subjects amp Block Bodies g Block Subjects Bodies RB Rink Ararhmante Here we enter email addresses that IMF Tune should never auto whitelist Consider the case where some local user starts an email exchange with a malicious contact or the case where a contact turns out to be a pest We can instruct IMF Tune to stop auto whitelisting an address by entering this to the Exception list Here we can also enter entire domains using the domain format This instructs IMF Tune not to whitelist any address from that domain For example users might be using their work mailbox both for business and personal use Some domains providing personal email addresses might be irrelevant to our Organization business That s when this list again comes handy Note that the Auto Whitelist Exceptions are not a blacklist Specifying an address or domain here will only exclude the address from being auto whitelisted Emails from these senders will still be processed and might match other static whitelists blacklists and rules Page 59 User Manual WinDeveloper Software Ltd 4 7 3 Reporting Auto Whitelist Matches Keyword Reporting and the Moderator Reporting Web Interface provide special support for Sender Auto Whitelisting This is how a Sender Auto Whitelist match looks like at the Server HTML Keyword Report WinDeveloper IMF Tune Keyword Reporting
10. t be deposited to the recipient junk email folder unless this is enabled at the recipient mailbox See Enabling the Junk Email Folder for more details 6 We could also configure an SCL and an action at the Gateway Blocking Configuration These settings are used for the higher range of SCL values where the level of certainty of an email being spam is high Three possible actions are available Archive Delete and Reject Setting the action to No Action effectively disables Gateway Blocking When using IMF in combination with WinDeveloper IMF Tune it is best to disable Gateway Blocking by setting the action to No Action Warning Emails filtered by Gateway Blocking are not processed by IMF Tune IMF Tune can perform all the Gateway Actions itself Hence the correct setup is that to set the Gateway Action to No Action and configure any of Archive Delete or Reject at the IMF Tune Configuration Note The Archive Gateway Blocking action effectively saves the email to disk and then deletes it from the transport queue To get the equivalent from IMF Tune configure Delete as the Email Handling action and then configure the Archiving options Note The Store SCL is required to be lower than the Gateway SCL Whereas the Store settings cause emails to be deposited into a sub folder within the recipient mailbox the Gateway settings block emails from reaching the mailbox altogether 7 Once configured IMF must be enabled This is described in th
11. 1 Working with Advanced SCL Rules To enable disable Advanced SCL Rules set clear the checkbox at the top Setting the checkbox will activate the list and IMF Tune will process the configured rules against incoming emails a WinDeveloper IMF Tune Configuration dejes Back S Forward Folder Up faf Home E Apply 2 FRetresi Ea IMF Tune Configuration e p Advanced SCL Rules 88 Emal Handing Specify a list of conditions and exceptions to match standard custom headers a ee SMTP protocol data IP and email properties Emails can be whitelisted blacklist ng Qa Auto Reply J Apply advanced SCL Rules Hif Quarantine H Disk Maintenance de S e i Cy Export 3 8 Auto Whitelist Senders Eh Add DK Remove E Eat AF meot BS H 8 Whiteists i Blackists a emme amp Block IPs BA FAXto Email amp Block Senders M2 Orders Bl Block Recipients a Block Subjects Gl Block Bodies a Block Subjects Bodies a Block Attachments Gl Block Foreign Spam B ONS Lists a g DNS Allow IP Lists Es ONS Block IP Lists h a DNS Block URI Lists amp amp SCL Rules BA Simple SCL Rules F Emai contains HTML body 7 BA Advanced SCL Rules and Attachment name is exactly matches pdf BA Stemal SCL Rules and Emai size is less or equal to 20KB a Keyword Reporting Except if Sent to recipient mariod windeveloper com tta Exchange Forefront SCLs oe action O _Metaile a hs Apart for enabling disabling the entire set of advanc
12. Command setting configured at the Rule General Property page This setting is documented exhaustively at the Simple SCL Rules documentation The file format is identical to that supported by the white black list import export functionality So it can be useful to export values from these lists for an example of a correctly formatted file NOTE Whenever IMF Tune processes external files its entries undergo a validation process Any invalid entries will be silently ignored Page 138 User Manual WinDeveloper Software Ltd 4 13 3 External File UNC Path External Rule files may be placed on a shared drive to facilitate access from different machines In this case the rule is configured with the UNC file path in the format lt machine name gt lt share name gt lt any directories gt lt filename gt This is especially useful when running IMF Tune on more than one machine At IMF Tune we then configure External Rules to pull the keywords from this central file In many cases this eliminates the need to replicate configuration settings from one machine to another Page 139 User Manual WinDeveloper Software Ltd 4 13 4 External File Access Permissions When using External Rules it is important to ensure that IMF Tune is able to read the file being configured The IMF Tune Attendant service is the process responsible for fetching these files This service runs under the LocalSystem account Thus when configuring any permissio
13. Erom this location windev leeal Locations Enter the object names to select examples ExServer Check Names 9 The Exchange Server object should now be in your Permissions list IMF Tune will only require Read access 10 Save changes to complete the configuration Page 142 User Manual WinDeveloper Software Ltd 4 14 Constructing Search Expressions The IMF Tune configuration supports advanced keyword expressions These may be used in Subject Body and Subject Body white black lists Furthermore expressions are also supported in SCL Rules An expression is composed of one or more keywords phrases These are combined together with the use of the AND OR NOT operators In this manner complex expressions may be constructed so as to better identify the matching criteria Expressions also support the use of double quotes This enables combining multiple keywords into a single phrase It also forces handling the phrase literally as we shall see later In general constructing expressions should be fairly intuitive Furthermore the configuration provides the Expression Builder This takes care to construct well formed expressions with minimal effort Nevertheless it is sometimes useful to understand the rules behind valid expressions as it helps us construct more effective email filtering rules Page 143 User Manual WinDeveloper Software Ltd 4 14 1 Basic Expression Syntax The simplest form of expression is one
14. Going Back from Forefront 2010 Anti Spam to the Exchange Content Filter Page 11 User Manual WinDeveloper Software Ltd 3 5 Installing WinDeveloper IMF Tune Installing the IMF Tune server cannot be any simpler Given that the necessary requirements discussed above are satisfied it is just a matter of clicking Next Next Next to complete the installation Wizard Unless the default is changed the application will be installed to lt Program Files gt WinDeveloper IMF Tune The installation will not cause any service restarts or downtime Once completed IMF Tune will be ready to process emails Page 12 User Manual WinDeveloper Software Ltd 4 Email Processing Configuration The IMF Tune configuration is available from the application program group at Windows Start Programs WinDeveloper IMF Tune IMF Tune The configuration is organized in two panes The left pane shows the main configuration categories while the right pane shows the options for the currently selected category The exact set of configuration categories depends on the MS Exchange version The Unprocessed Emails and Exchange System Manager categories are only available when running Exchange 2003 Likewise the DNS Lists and Exchange Forefront SCLs categories are only available when running Exchange 2007 2010 2013 Here is what the IMF Tune configuration looks like in Exchange 2007 2010 2013 Gem Da WinDeveloper IMF Tune Configuration p Eo Ee Ca
15. Match One of WinDeveloper IMF Tune H E DNS Allow IP Lists cy DNS Block IP Lists es NNS Rinek LIRI Liste As the name of the lists imply the Accept Subjects list is applied against the email subject whereas the Accept Bodies is enforced against the email text and html bodies The Accept Subjects Bodies list is applied against the combined email subject and body information The keywords are searched against both of them This saves us from entering the same keywords in both Subject and Body lists when the exact keyword location is not relevant Note that when an expression is composed of multiple keywords it is possible that one keyword is matched at the subject and another is matched at the body These lists support fairly advanced keyword expressions The operators AND OR NOT may be used to combine multiple keywords into a single expression Double quotes may also be used to enforce exact matching For more details check the section Constructing Search Expressions The SCL Rules configuration also provides the ability to whitelist emails by subject and body Additionally SCL Rules provide more control over email processing Page 70 User Manual 4 8 2 1 Working with Keyword Lists To enable disable any of the keyword lists set clear the checkbox at the top Setting the checkbox will activate the list and IMF Tune will process the keywords against incoming emails WinDeveloper Software Ltd la Tune Config
16. Remove addresses from the whitelist afier 365 days 5 amp Exceptions a8 Vihtelsts Gather foreign addresses from emails sent by Accept s Any local domain user Accept ers amp J Accept Recipients Any local domain user except for amp Accept Subjects D Only these local users domains amp Accept Bodes Accept Subjects Bodies 7 add SE Remove lt i Ect amp Accept Attachments Ike x Lait Gi Brackiste s a Bock IPs Email address Doman GM Block Senders guest windeveloper com GM Block Recipients newsletter windeveloper com GH Block Subjects ai Block Bodies g Block Subjects Bodies RB Pinel diparhenante The checkbox Enable Sender Auto Whitelisting activates this functionality Limit List to nnnn addresses specifies the maximum number of addresses this list may store Remove addresses from the whitelist after nnnn days allows IMF Tune to automatically purge addresses for contacts with whom no emails were exchanged for a long time We may choose to whitelist addresses for unlimited time However in practice very often a contact is only required for a few days such as the duration of a support incident Furthermore AWL restarts the day count for an address whenever a new email exchange takes place In this manner regular contacts are never removed from the list Gather foreign addresses from emails sent by allows us to identify the list of local users whose contacts are to be gathered for whitelisting We can c
17. Reporting functionality is available from the IMF Tune Application Program Group Please check this document for full details on this topic The Archives Quarantine category includes a number of fields specific to the maintenance of the Database server where emails are being published At the top of Maintenance Archives Quarantine we find a Warning saying Email files moved to backup will also be deleted from quarantine If the Archive Maintenance option Compress and backup files after is enabled emails at the disk archive reaching the specified age limit are moved to backup At this point the email may no longer be resubmitted for delivery from the Web Moderator Thus IMF Tune also deletes the emails from the database server At the bottom of Maintenance Archives Quarantine category we have a checkbox Delete files from archive on resubmitting deleting quarantines This option determines whether archived emails should be immediately deleted from disk as soon as these are moderated from the Web interface Consider a user resubmitting and deleting emails at the moderator IMF Tune on fulfilling these operations removes the emails from the database In addition it checks this setting to determine whether or not a copy of the email should be retained on disk Retaining emails on disk is useful in a multi layer backup system where a predictable audit trail is required You can choose to keep all emails on disk until the archives are back
18. archiving The core maintenance settings are available under the Disk Maintenance Logs Reports category These comprise the root log directory path settings for breaking files by size and date and settings for the backup and deletion of old files WinDeveloper IMF T Configuratio nfo Back S Forward Ble categories Folder Up faf Home EY Apply A Retest p monet _ Logs Reports ae n Identify the primary location where the logs reports will be stored IMF Tune will ita Archiving Quarantine manage files saved here aA Logging Qa Auto Reoly Reports maintenance directory E Hij Quarantine C Program Files WinDeveloper IMF Tune logs Browse B Disk Maintenance va ii i m aiis Create a new Log Report file when size reaches KB 10240 J Auto Whitelist Senders a d Create a new Log Report file every days 1 B f Blackksts Gl Block IPs 3 7 Compress and backup files after days Gl Block Senders 1 Gl Block Recipients 7 Schedule Gl Block Subjects l Block Bodies J Delete backup files after days amp Block Subjects Bodies 7 GM Block Attachments amp Block Foreign Spam GB ONS Lists H A DNS Allow IP Lists ca DNS Block IP Lists l DNS Block URI lists BA SCL Rules w Keyword Reporting tm Exchange Forefront SCLs Q Details E _Lirensina Page 50 User Manual WinDeveloper Software Ltd 4 5 2 1 Logs Reports Maintenance Root Having a root maintenance directory for logs and repo
19. are saved zip compressed Clicking on the schedule button we can choose the days and time when the backup process is triggered Schedule On these days V Sunday V Monday v Tuesday T Wednesday J Thursday v Friday Saturday Once a month on the Run process at this time OK J Cancel For daily or weekly backups we choose the On these days schedule option We can then select the exact days when to run this operation In cases where the number of files is small we could instead opt for monthly backups by selecting the Once a month radio box At the bottom of the Schedule dialog Run process at this time allow us to provide the exact time when the backup is to start Although in general the backup operation is not very resource intensive it is advisable to set a time when the server is not under heavy demand Backups will provide more efficient disk usage because of its compression functionality However files will still continue to accumulate unless these backups are periodically purged This functionality is enabled by selecting Delete backup files after days Again here we can specify the number of days the backups must age before purging This functionality follows the same schedule configured for the backup operation Page 47 User Manual WinDeveloper Software Ltd 4 5 1 3 Quarantine Database Maintenance NOTE A dedicated User Guide for configuring the IMF Tune Quarantine
20. each time these are rediscovered Whenever local users exchange new emails with a foreign contact the foreign address is removed from the old batch and inserted in the latest address batch In this manner contacts with which local users are regularly exchanging emails never get purged 4 7 4 3 ManageA WL is a Read Only Tool ManageAWL only gives us read access to the AWL data It does not allow for deleting addresses The reason for this is that deleting AWL entries is not all that useful Let say we have an address we don t want to whitelist any longer Removing the address from the AWL will stop IMF Tune from whitelisting it However this won t block the AWL process from re discovering the same address This is why the correct solution is to add any such addresses to the AWL Exception list under Auto Whitelist Senders Exceptions When adding an exception IMF Tune will 1 Stop whitelisting the address 2 Learn not to whitelist it again in the future Page 64 User Manual WinDeveloper Software Ltd 4 8 Working with Whitelists Whitelisting enables identifying legitimate emails Through it emails avoid the risk of being misclassified as spam On whitelisting any previously assigned SCL rating is overridden Thus this classification takes priority over SCLs assigned by IMF and by the IMF Tune Blacklisting and SCL Rules The Whitelists category groups IP Sender Recipient Subject Body combined Subject Body and Attachme
21. identify other Exchange built in whitelists To enable this functionality go to the Exchange Forefront SCLs category 7 Se ix WinDeveloper IMF Tune Configuration Lode Back Fle Categories Folder Up tat Home Apply RX Ba IM Cort a Exchange Forefront SCLs Ga Archiving Quarantine pay se the Exchange Forefront Content Filter SCL ratings are to be s Logging i Qa Auto Reply When an email is assigned SCL 1 m Hij Quarantine 2 pe ae ee Keep SCL 1 and handle as whitelisted ics o Whitelist Send 5 3 8 Whtetsts i ii Change SCL to 0 and process normally E Blackists Gl Block IPs al Block Senders GH Block Recipients E a Block Subjects GM Block Bodies Gl Block Subjects Bodies Keywords amp Block Attachments Ml Block Foreign Spam AllRecipientsBypassed r g DNS Usts Content FiterConfig BypassedRecipient E E DNS Allow IP Lists Content FiterConfigBypassedSender ONS Block IP Lists IPOnAllow List DNS Block URI Lists Message SecurttyAntispamBypass amp SCL Rules SenderBypassed BA Simple SCL Rules BA Advanced SCL Rules BDS amp emal SCL Rules ei Keyword Reporting 2J Exchange Forefront SCLs A_Netaile By default IMF Tune is configured with Keep SCL 1 and handle as whitelisted In this mode IMF Tune won t apply any blacklists and SCL rules to emails having an SCL 1 rating This is the correct behaviour when employing the built in Exchange 2007 2010 2013 Content Filter When run
22. responses may be configured to be fired for specific SCL ratings The Quarantine category groups connectivity and other administrative options for managing the Quarantine Reporting database server The Disk Maintenance category allows for automating the management of disk archives log files and the quarantine reporting database This includes the ability to schedule automatic backups and purging of email information older than the specified age limit The Auto Whitelist Senders category controls the automatic discovery and whitelisting of foreign contacts with whom local users are exchanging emails The Whitelists category groups the IP Sender Recipient Subject Body combined Subject Body and Attachment whitelisting functionality Whitelisting overrides any previously assigned SCL making sure the email is not classified as spam The Blacklists support the same categories as the Whitelists with the addition of Language blacklisting Blacklisting identifies emails that are to be handled as spam The DNS Lists category only available in Exchange 2007 2010 2013 provides support for DNS blacklists and whitelists The sender IP and URIs extracted from the email body are checked against the DNS Lists configured here The SCL Rules category provides finer control on SCL assignments From here one can construct rules combining multiple conditions and exceptions to accurately identify legitimate and soam emails The rules can test all kind
23. this condition type click on the filename link This brings a list interface to which we can add and remove filenames Specify filenames Filename list fdf Zip pdf Note This discussion does not apply to the condition Attachment name contains words This condition takes regular keyword expressions as discussed in Keyword Expression Based Conditions Page 130 User Manual WinDeveloper Software Ltd 4 12 2 7 Range Based Conditions Whenever configuring conditions involving numeric or temporal time based value matching the ability to specify a range is available Specify the number of recipients Is Equal to Is Less or Equal to 0 Is Greater or Equal to Is within range From The interface allows us to choose an operator and the upper and lower limits defining the range to be matched Page 131 User Manual WinDeveloper Software Ltd 4 13 External SCL Rules External SCL Rules provide the opportunity to host rule values in external files EE Sales Back Forward Ee categories Folder up a Home E Aly 2 Relves Ta a E External SCL Rules Archivi ng Specify conditions to match emails against keywords from external files Emails ti ving Quarantine can be whitelisted blacklisted or have their SCL rating adjusted as required a Logging Qa Auto Reply 7J Apply external SCL Rules fff Quarantine Disk Maintenance z a S Aut
24. to be published to database is controlled from the Archiving profile SCL page Most typically we will want to publish emails blocked at the server so that we can review these Thus we select the SCL ratings that are configured for Deletion or Rejection Having said that publishing accepted emails is also possible One reason why we might want to do this is to analyze the type of emails being assigned midrange SCL ratings for example SCL4 It is not unusual for us to receive support questions on how to best handle emails assigned such ratings By publishing these emails an administrator may gain better understanding of the type of emails falling in this category and thus choose the most appropriate email handling action It really is totally up to us We can choose to only publish emails blocked at the server but we can also choose to publish emails that were delivered to the user mailboxes The Archiving interface immediately highlights the tight coupling that exists between disk archiving and the database server Indeed for an email to be published to the database a copy must also be archived to disk The database server is not fed with a full copy of the email Most notably the database is only supplied with up to 32Kb of body text no html body content and no file attachments These potentially large pieces of data are kept at the disk archive Let s see what happens when a user through the IMF Tune Web interface releases a quarant
25. with typical character encodings from these languages will be blocked fifi Quarantine 5 Disk Maintenance Language amp Auto Whitelist Senders B 48 Whiteists z akio amp Accept IPs Z Baltic amp Accept Senders Central European amp Accept Recipients V Chinese Simplified amp Accept Subjects 7 Chinese Traditional amp Accept Bodies V Cyrillic amp Accept Subjects Bodies 7 Greek amp Accept Attachments T Hebrew S Blackists Vl Japanese Gl Block IPs EZ Korean GM Block Senders Southem European Block Recipients Y Thai Block Subjects F Turkish E Block Bodies F US Westem European Gl Block Subjects Bodies FI Vietnamese a Block Attachments Block Foreign Spam E E ond ONS Lists Match emails whose character encodings are typically used with Arabic Baltic Chinese Simplified B A DNS Allow IP Lists Chinese Tradtional Cyrilic Greek Hebrew Japanese Korean Thai Turkish Vietnamese ca DNS Block IP Lists Emails can be authored in different languages with the help of character sets A character set for a given language includes those characters and symbols in use for expressing that language In the Foreign Spam blacklist IMF Tune provides a list of language categories Selecting a language category instructs IMF Tune to block emails authored using the character sets associated to it IMF Tune identifies the character sets by analyzing the encodings in use within the various e
26. words Matches text within the body or email subject Used when the exact text location is not important This condition supports keyword expressions Standard header s are present and not empty Tests for the presence of standard headers Standard header s contain words Matches text within any of the standard headers This condition supports keyword expressions Custom header s are present and not empty Tests for the presence of custom headers and any other headers not included under the standard headers list Custom header s contain words Matches text within any custom headers and other headers not included under the standard headers list This condition supports keyword expressions Email has NO body text Tests whether the email body contains any text Email contains HTML body Tests if the email includes an HTML body Emails only having a plain text body fail to match Email contains attachments Tests if email contains any attachments Attachment name contains words Matches keywords within attachment filenames This condition supports keyword expressions Attachment name is exactly matches filename Matches either the exact filename or using the wildcard the last part of the filename The may only be used at the beginning as follows something Email character set matches words Matches against the email character set code identified at the MIME heade
27. 2 age ONS Lists X SPAM contains spameyes set value to blacklisted t 4 DNS Allow IP liss X SPAM contains spam no set value to whitelsted amp ONS Block IP Lists G DNS Block URI Usts B B SCL Rules Ba B amp Advanced SCL Rules amp Stemal SCL Rules e Keyword Reporting tt Exchange Forefront SCLs O Nataile ba 4 m p On finding a match the current SCL may be changed in one of the following manners e Whitelisted Blacklisted or replaced by any of SCL 0 to 9 e Incremented by a value from 1 to 9 e Decremented by a value from 1 to 9 SCL increments decrements add up such that if multiple matches are found the final SCL is set to the net result Simple SCL Rules provide a more advanced alternative to the basic white black lists All of the email information processed by these lists is also processed by SCL Rules In addition here we have more control on the assigned SCL Furthermore we also have the opportunity to test against headers not covered by the white black lists For example one might search the Received headers for IPs Page 103 User Manual WinDeveloper Software Ltd 4 11 1 Working with Simple SCL Rules To enable disable Simple SCL Rules set clear the checkbox at the top Setting the checkbox will activate the list and IMF Tune will process the configured rules against incoming emails Developer MF Tone Corliqaretion sro Oma O ors EE cam ree Ge ae re p era
28. 8 Final SCL 9 Matches Header Expression Source subject pills rgement Herbal Pills rpchk Operation increment SCL by 1 From lt spam testing local gt Date Time 5 21 2010 14 12 11 To lt userl horizon local gt Subject Please complete your application Mon 19 Mar 2010 08 15 44 0800 Initial SCL 5 Final SCL 6 Matches 1 Body Subject mortgage OR home loan do Hancock Bay Home Loans In any free Operation set SCL to 6 The above sample shows a report for two different emails For each email the report is composed of a header area with general information and a tabular body illustrating how the email was matched Page 156 User Manual WinDeveloper Software Ltd The following table describes the fields presented at the report header area Field Name Description Date Time The date and time when IMF Tune processed the email From The email From header This is the sender information shown at the email client To The email To header This is the set of To recipients shown at the email client Note that these may not be the true or complete list of recipients to which the email was addressed Subject The email subject Initial SCL The SCL value assigned by the Exchange Content Filter Intelligent Message Filter Forefront before IMF Tune starts processing Final SCL The final SCL value that resulted after IMF Tune completes its filtering Matches The total number of matches
29. Column will set clear all hours for the selected day External SCL Mapping Configuration es General Schedule Detais Fixed Custom a rf gt Cc 00 02 04 06 08 10 12 14 16 18 20 22 00 Sunday Monday Tuesday Thursday Friday Saturday Read file interval for every hour selected Once per hour OK Cancel Likewise clicking the boxes in the first row will set clear an entire column configuring the same hour for all days Page 135 User Manual WinDeveloper Software Ltd Custom O 00 02 04 06 08 10 12 14 16 18 20 22 0 j TTI T Read file interval for every hour selected Once per hour If we click the box at the top left corner we set clear the entire matrix with one Click Custom O Q 04 06 08 10 12 14 16 18 20 22 0 Once per hour Underneath the Schedule matrix the Read file interval for every hour selected list provides a selection of how often should the file be refreshed within the selected hours Here we can choose to refresh the file once twice or four times an hour Page 136 User Manual Generi Schedule Fixed iT WinDeveloper Software Ltd Custom O Ke iE ER a OMA Twice per hour Four times per The External SCL Rules dialog also provides a detai
30. IP entry select this from the whitelist and click on the Edit button Page 79 User Manual WinDeveloper Software Ltd 4 8 3 3 Importing IPs IMF Tune enables the insertion of IPs into white black lists through the import functionality For the import to work the source file must meet the following requirements 1 Importing only supports plain text files The file may be encoded in 7 bit ASCII UTF 8 or UTF 16 2 Multiple IP entries must be separated by a carriage return line feed CRLF sequence For files generated on non Windows platforms the line feed only separator LF is also supported 3 Single IP entries must be in the format XXX XXX XXX XXX 4 IP Mask pairs must be in the format XXX XXX XXX XXX mmm mmm mmm mmm Here the mask portion is enclosed in brackets 5 IP Ranges must be in the format XXX XXX XXX XXX yyy yyy yyy YYY XXX XXX XXX XXX is the lower IP limit yyy yyy yyy yyy is the upper IP limit In the same file we can have a mix of single IPs IP Mask pairs and IP Ranges We just need to follow the above formatting rules To see a sample of a correctly formatted file use the Export functionality The import process includes a validation procedure that could reject some of the entries being imported For example if an IP does not match the required formats that entry would not be imported When importing a large number of IPs it may be difficult to determine which IPs failed to be imported For this r
31. MAIL FROM command contains words Matches against the sender address specified at the SMTP FROM protocol command The Received from addresses or domains condition type also tests this sender address amongst others However here this condition does not support the wildcard Instead it performs a text matching operation supporting keyword expressions SMTP protocol RCPT TO command contains words Matches against the email recipient addresses This SMTP protocol command gives the list of true recipients an email is addressed to This may not be the same set of addresses shown at the email client The Sent to recipient addresses or domains condition type also test this list of addresses However here this condition does not support the wildcard Instead it performs a text matching operation supporting keyword expressions Note For types supporting keyword expressions see details under Constructing Search Expressions Page 125 User Manual WinDeveloper Software Ltd 4 12 2 2 Address Based Conditions The condition types Received from addresses or domains and Sent to recipient addresses or domains support the use of the wildcard for identifying entire domains Any of the following formats may be used alias domain domain domain When selecting these condition types click on the addresses or domains link This brings a list interface to which we can add and remove addresses
32. Qa Auto Reply 4 Add 2 fj Quarantine Disk Maintenance SCL Action oo Senders B unprocessed Accept E a ais B whitelisted Accept Gl Block IPs W foom A Block Senders B1 3 Accept i Block Recipients f 4 5 Accept 8 Block Subjects A s Reroute 8M Block Bodies X7 8 Delete E Block Subjects Bodies Bs Reject Block Attachments blacklisted Reject amp Block Foreign Spam D ONS Lists t DNS Allow IP Lists ONS Block IP Lists ies DNS Block URI Usts amp SCL Rules ta Keyword Reporting tm Exchange Forefront SCLs Details Ucensing Local Domains fa Mieralianenne gt In this case email handling for unprocessed whitelisted blacklisted and SCLs 0 1 3 4 5 6 7 8 and 9 are configured The icons and Action column show that four different actions are configured Unprocessed whitelisted and SCLs 0 5 are set to Accept SCL 6 is set to Reroute SCLs 7 8 are set to Delete SCL 9 and blacklisted are set to Reject Note how ranges with action set to Accept have a white background Other actions have a light shade of red signifying the increased level of action severity Page 16 User Manual WinDeveloper Software Ltd Working with the list interface is fairly trivial To specify actions for a new SCL range click the Add button This opens the Email Handling Action Edit dialog Email Handling Action Edit Es SCL Level Range E J gt Action Accept 7 BCC email to Inse
33. R2 x64 1 IMF Tune must be installed on the Edge or Hub transport server roles The Exchange Content Filter or Forefront Protection 2010 for Exchange must also be installed 2 IMF Tune must be installed on the Exchange 2013 Mailbox Server The Exchange Content Filter must also be installed NET 2 0 Framework SP2 Note On Windows 2012 and later add the NET Framework 3 5 Feature from the Server Manager This includes NET Framework 2 0 satisfying this installation requirement Page 8 User Manual WinDeveloper Software Ltd 3 2 Setup Exchange 2003 Intelligent Message Filter Microsoft released two versions of the Exchange 2003 Intelligent Message Filter IMF the latest being IMF v2 Both are supported but IMF v2 is recommended for the best filtering results IMF v2 is included as part of Exchange 2003 SP2 This means that once SP2 is installed IMF is ready to be enabled IMF v1 was the first filter version available for Exchange 2003 systems preceding SP2 This used to be available from the Microsoft download center and deployed as a separate installation step It is very important to remember that IMF v1 should never be installed on Exchange 2003 SP2 machines Doing so is likely to break IMF leading it to stop filtering any spam IMF must be installed before IMF Tune It is also recommended to deploy IMF and IMF Tune in separate steps In this manner one can make sure that IMF is functioning correctly before IMF Tune is de
34. Selecting a lower number for the SCL rating blocks more messages that could be unsolicited commercial e mail UCE but t also increases the tkelihood of false postives Gateway Blocking Configuration Set the threshold for blocking UCE on gateway servers Block messages with an SCL rating greater than or equal to 7 xj When blocking messages No Acton A Store Junk E mai Configuration Set the threshold for moving UCE to a user s Junk E mail folder Move messages with an SCL rating greater than or equal to 4 z 4 The IMF configuration is organized in two sections the Store Junk Email Configuration and the Gateway Blocking Configuration These specify how emails are to be handled based on the SCL rating An SCL is a value between 0 and 9 identifying the likeliness of an email being spam This value is assigned by IMF to each processed email An SCLO is assigned to emails that are most likely NOT spam Likewise SCL9 is assigned to emails that are almost certainly spam Page 178 User Manual WinDeveloper Software Ltd Values in between reflect a varying level of certainty between the two extremes 5 Specify the Store Junk Email Configuration SCL threshold This is the SCL at which emails are deposited to the recipient junk email folder Warning The System Manger here incorrectly specifies SCL rating greater than or equal whereas this should just read SCL rating greater than Warning Emails won
35. Standard headers require choosing a header name from a fixed list On the other hand custom headers require typing the name manually Text value A Select standard header from list below Keywords Zi Once the header name is in place a list interface is available to specify the keyword expressions to be matched against the header value Words Specify words or phrases Add Search list pils pn Page 128 User Manual WinDeveloper Software Ltd 4 12 2 5 IP Condition Configuration Conditions requiring the entry of IPs will have the IPs link within their name Following the link will bring the IP entry list IPs x Specify IPs using Ps Subnets IP Ranges IP Range Start IP Range End lt lt lt a 192 168 0 0 192 168 0 10 Remove To specify a single IP select IPs Subnets and enter the IP keeping the default subnet mask to 255 255 255 255 Changing the subnet mask effectively defines a set of IPs matching the IP Mask pair To specify a range select IP Ranges and enter the lower and upper IP range limits Page 129 User Manual WinDeveloper Software Ltd 4 12 2 6 Filename Based Conditions The condition type Attachment name is exactly matches filename supports the use of the wildcard for identifying filenames ending with a common extension Any of the following formats may be used FullFilename ext ext something When selecting
36. W Software TRR IMF Tune v7 0 Server IMF Tune User Manual WinDeveloper Software Ltd Contents 1e WECOME eissour saanee aee dace RETETE a SEEE Eanna 4 2 Key Fea o eiicnscnasainea sine aana aE NEE aTe EES EEES 5 3 System SEUD areia E E EE eee T 3 L Minimum Requirements eraan aa EE Ei 8 3 2 Setup Exchange 2003 Intelligent Message Filter eee eeeeeeeeeeneeeneeeeseeeeeee 9 3 3 Setup Exchange 2007 2010 2013 Content Filter Agent 0 cee eeeeeeeseeeeeeee 10 3 4 Installing Removing Forefront Protection 2010 for Exchange cceseeeee 11 3 5 Installing WinDeveloper IMF Tune sccscssscssseccsessscesnsccsensccesneccsensesesnes 12 4 Email Processing Configuration eeeesssesesereeseeseeseteerressetsreseesserseesreeseestesreesresee 13 4 1 Email Handling siioisiisicesissinrnsea naisasia aiiai 16 4 1 1 SCL Handling Action Configuration eseeeseseeseesrrsseerresresrireresresseseresreses 19 41 2 A I A ga usta eles east eats ea aig eae eae ieee eee eee 20 BN POTIONS oi ccbscecesdpedanidicediascbeetanceedenticbesiasedicsiuandkadeieindedensscloeiesadacadeaueceusiatte 21 4 1 4 Grabbing a Copy of Accepted Emails 0 eee eeeeseeeeeeeneeeneeceneeteneeeneees 22 4 1 5 Rerouting Emails to a Central Mailbox sseeesesesseeeeseeeesressrseresressereresresse 23 4 1 6 Emal Modifications sssini saare r a a aaa 24 4 1 7 Customizing Insertion of SCLs in the Email Subject eee 25 4 1 8 Headers Inserted in Accepted Rerout
37. a Archiving Quarantine wi Logging Qa Auto Reply fff Quarantine 5 Disk Maintenance 8 Auto Whitelist Senders al Block Attachments amp Block Foreign Spam B S ONS Lists J DNS Allow IP Lists Exceptions S DNS Block IP Lists lt Exceptions J ONS Block URI Lists dE amp amp SCL Rules BA Simple SCL Rules BA Advanced SCL Rules BR Evtemal SCI Rilae Dramu Gre oy Sree a m 2 Exceptions Identify URIs that should never be looked up in DNS URI block lists Do not use wildcards Just enter the root URI such as company com This will also match an Wk Add emove fi Ed URIs A 126 com 163 com about com adobe com E akamainet amazon com apache org apple com ask com baidu com bbc co uk bcentral com bellsouth net bing com blogspot com ctibank com cnet com cox net debian org The Exception list is initialized with URIs of well known domains that may safely skip processing Exceptions eliminate many DNS queries and thus are beneficial in improving scanning performance We recommend adding entries to this list starting from your own public domains referred by users in their everyday work Page 100 User Manual WinDeveloper Software Ltd To add new URIs to the Exception list click the Add button URIs x Add new URIs Separate multiple entries with carriage returns Just enter the root URI such as company com This will also match any URI ending with company com microsof
38. acy OR pharmacies OR pharmaceutical pills OR pit1s OR pill2 NOT Identifies keywords that must not be matched This acts on the keyword immediately following the operator For example IMF stands for Intelligent Message Filter It may also stand for International Monetary Fund So could specify one of these to match IMF but not International Monetary Fund IMF NOT International NOT Monetary NOT Fund IMF NOT International Monetary Fund Note that the above two expressions are not equivalent IMF Tune expression processing is completely case insensitive This is true also for operators that may be written in any upper lower case combination Within an expression keywords can be re ordered without changing the meaning In general what is most important is to keep any set of ORed keywords side by side The following expressions are equivalent Note how we changed the keyword order and dropped the AND which is the default operator Page 149 User Manual WinDeveloper Software Ltd Pills OR pi11s AND pharmacy OR pharmaceutical OR ph rm cy Pharmacy OR ph rm cy OR pharmaceutical Pills OR pi11s IMF Tune whenever meeting the operators will automatically handle these as special expression elements Sometimes we may need to match these as literal text In this case just enclose the keyword in double quotes as shown below Exchange and Sharepoint Newsletter one two or three Page 150 User Manual WinDeveloper Software L
39. administrative notes to be inserted In this manner changes may be documented for future reference To specify a comment select the Details category and enter the text under the Administrative note edit box r DN V S E PE i D TETE TTE a IMF Tune Configuration Details E pasaar mo Keep notes regarding the configuration E pitt Creation date fifi Quarantine MRI 5 A Disk Maintenance Laimei GI Auto Whitelist Senders 16 09 2014 12 10 12 8J Whielsts ah eae 4 Blackists m ONS Lists H B SCL Rules Keyword Reporting te Exchange Forefront SCLs 6 2 Licensing Local Domains fig Miscellaneous Page 169 User Manual WinDeveloper Software Ltd 4 20 Product Version Disabling IMF Tune The Miscellaneous configuration category provides access to key product information including the version and build numbers WinDeveloper IMF Tune Configuration Fo es Back G Forwar Ie categories Folder up Lah Home EY Apply 2 Refres ia IMF Tune Configuration Miscellaneous Pe pastor i About the program the company and the technical information 7 Logging Qa Auto Reply G Hi Quarantine WinDeveloper IMF Tunex7 0 7 0 109 11 S a Copyright c 2014 All Rights Reserved 3 WinDeveloper Software Ltd H 4 Whiteists ererat rel E Blackists G pos DNS Lists If you have any sales or licensing questions please contact 7 SCL a N sales windeveloper com Keyword Reporting re gala SCls Any technical su
40. administrator can insert comments to better keep track of configuration changes The Licensing category shows the type of license currently in place Some examples include time limited evaluation licenses user limited licenses and unlimited users licenses The Local Domains category configures the list of SMTP domains Exchange mailboxes are using This information is required for some features Such as Sender Auto Whitelisting to work The Miscellaneous category gives quick access to product version and contact information Page 15 User Manual WinDeveloper Software Ltd 4 1 Email Handling Under the IMF Tune configuration the Email Handling category provides a set of actions to be applied to emails based on their SCL rating An SCL is assigned to an email by the Content Filter Intelligent Message Filter Forefront as a means to classify its likeliness of being spam The higher the SCL value the more likely the email to be spam IMF Tune processing may change this rating reaching the final SCL The IMF Tune Email Handling category presents a list interface Each list entry specifies actions to be applied for a specific range of SCL values Ba WinDeveloper IMF Tune Configuration Back Forwar Folder Up faf Home EY Apoy lt 2 fis IMF Tune Configuration Sul Eral Handing BE Email Handling Ga Archiving Quarentine Identify how emails are to be handled based on their Spam Confidence Level A Logging SCL rating
41. al domain list is edited IMF Tune will prompt for a service restart The exact service requiring restarting depends on the type of IMF Tune installation This is necessary in order for the domain list to fully come into effect Again allowing IMF Tune to restart the service is important If the local domain list does not come into effect promptly the product may stop processing emails and report that the number of allowed users was exceeded Page 173 User Manual WinDeveloper Software Ltd 6 Contacting WinDeveloper The Miscellaneous configuration category provides links to the most important contact information Ea WinDeveloper IMF Tune Configuration Eatas Beck G i Folderup gh Home EY ay lt fla IMF Tune Configuration 84 Email Handling tii Archiving Quarentine 7 Logging Qa Auto Reply 2 fff Quarantine 3 Disk Maintenance GL Auto Whitelist Senders H 8 Whiteists a g Blackists a ONS Lists BA SCL Rules ta Keyword Reporting sm Exchange Forefront SCLs Miscellaneous About the program the company and the technical information WinDevel IME Tune v7 7 0 109 11 Copyright c 2014 All Rights Reserved WinDevel war If you have any sales or licensing questions please contact sales windeveloper com Any technical support should be addressed to Q Details Licensing support wingeveloper com Local Domains ta F Disable IMF Tune From here the following links are a
42. any other reports Integrate any Anti Spam Filter into Exchange Run spam filtering on ANY platform firewall appliance external service provider without losing Exchange integration CSV Logging Keep record of each email including any actions applied the source IP addresses subject and SCL rating as a concise audit trail Multiple Condition Exception Filtering Rules Construct rules by combining multiple conditions and exceptions to accurately identify legitimate and spam emails Page 5 User Manual WinDeveloper Software Ltd Insertion of SCL Ratings in Subject Expose SCL ratings to all users from the server Insert an SCL subject tag or add a custom header Fine Tune SCL Assignments Influence the email filtering logic Identify keywords that should lead to higher or lower SCL ratings Attachment Filtering Block Allow email delivery by attachment name or attachment media type Foreign Spam NDR Spam SMTP Protocol Command Data Let IMF Tune dig all the information for you to express the most effective email filtering criteria Spam Rerouting to Mailbox or Public Folder Retain all emails within a single repository Eliminate disk archiving and access filtered soam from Outlook Page 6 User Manual WinDeveloper Software Ltd 3 System Setup The IMF Tune installation is made up of two components 1 IMF Tune Server for Exchange 2003 2007 2010 and 2013 2 IMF Tune Moderator Reporting Web Interface T
43. any value entered will be matched literally Page 109 User Manual WinDeveloper Software Ltd 4 11 3 3 Performing an SCL Change Operation Once IMF Tune establishes that a specific mapping matches an email the current SCL value will be modified based on the type of Operation configured Here an operation is composed of an Operation type and an SCL value The Operation dropdown list box provides a selection of operation types Simple SCL Mapping Configuration Ea General Details Header SMTP Command Match type X SPAM v contains x Operation SCL Change decrement by incremert z spamano supported Matching is not in double quotes Advanced Description F X SPAM contains spam no set value to whitelsted OK Cancel The following summarizes the meaning for each of these operation types decrement by Decrement the current SCL value by the specified amount increment by Increment the current SCL value by the specified amount set value to Replace the current SCL value by another value Each operation requires an SCL increment decrement or a new SCL value to be applied Valid increments decrements range from 1 to 9 Valid overriding SCL values include whitelisted blacklisted and SCL 0 to 9 Choose this value from the SCL change dropdown list box Page 110 User Manual WinDeveloper Software Ltd Simple SCL Mapping Configuratio
44. atches Thus when matching body information extra care is required and this limit is intended to alert administrators against keywords of this type On the other hand email headers are normally much shorter in length Thus the risk of unexpected matches is lower and no minimum limit is imposed Page 148 User Manual WinDeveloper Software Ltd 4 14 6 AND OR NOT Operators In the previous sections we looked at expressions composed of keywords phrases separated by white space Each of these had to be matched in order for the entire expression to be matched IMF Tune also supports the use of the AND OR NOT operators These change the matching requirements for the keywords on which they operate The following summarizes the behavior of each operator AND Combines keywords that must be matched unless the NOT operator is in use It joins the two keywords on each side of the operator Indeed this is the default behavior Keywords separated by just a white space are also assumed to be combined in this manner Thus even though AND has a special meaning to IMF Tune it may be simply replaced by a white space All of the following expressions are equivalent Original Replica Watch Original AND Replica AND Watch Original Replica AND Watch OR Combines a set of keywords out of which at least one must be matched Again this joins the keywords on each side of the operator Here are some examples of keywords combined in this manner pharm
45. aximum number of days a file can cover For performance reasons the size limit cannot be smaller than 1024KB 1MB If breaking files by days is preferable a large size limit can be set so that this is never reached in normal situations However it is always a good practice to have a size limit however large that limits the system in case of unexpected load levels When breaking files by days the starting time is always the beginning of the day i e time 00 00 Page 53 User Manual WinDeveloper Software Ltd 4 5 2 3 Logs Reports Backup and Purging The backup and purging functionality for logs and reports is identical to that for email archives Again we can set the number of days files are allowed to age before backup and before final deletion The same schedule interface is also available For configuration details please refer to Disk Archive Backup and Purging Page 54 User Manual 4 6 Quarantine WinDeveloper Software Ltd The Quarantine category groups two sub categories Quarantine Database and Users m WinDeveloper IMF Tune Configuration Po amp Back G Forward EE categories T Folder Up at Home EJ Apoy AO Reirest y svete A Quarantine Database fda Archiving Q ii Connect IMF Tunatoa Cuaranina Database omnia iha qiaranining of g7 Logging Lip Prat SQL Server B Disk Maintenance IMFTuneQuar GQ Auto Whitelist Senders E A Whiteists J Blackists GM Block IPs 8 Block Senders a Bloc
46. by the ESM It breaks down the various Exchange settings in order to better highlight each of the available features As an example the IP allow and deny lists are separated from the RBL configuration Another issue typically causing confusion is the enablement of the various anti spam protection options The ESM presents this functionality at the virtual server configuration rather than together with the filtering lists Furthermore the enablement settings differ depending on the Exchange SP level IMF Tune presents the list of virtual server for each feature side by side This immediately clarifies the enablement status Finally IMF Tune provides export functionality for the extraction of settings to external files These exports are useful when shifting anti spam protection settings from Exchange to IMF Tune Page 163 User Manual WinDeveloper Software Ltd 4 18 1 Exchange Intelligent Message Filter Settings The IMF Tune configuration enables quick review of the IMF settings at the Exchange System Manager WinDeveloper IMF Tune Configuration Collapsing the IMF node the Virtual Servers node shows the SMTP virtual servers for which IMF is enabled WinDeveloper IMF Tune Configuration var IP Address A Detouk SMTP Vetual Server AI Unassigned O Second Vitus Server Al Unassigned Page 164 User Manual WinDeveloper Software Ltd These are the same settings available from the Exchange System Manager Global Se
47. cess to these properties Clicking Next we move to the Action configuration page Here we select the type of operation to be performed on matching the rule Just like in Simple Rules the action is employed to adjust the current SCL rating in one of the following manners e Whitelist Blacklist or replace by any of SCL 0 to 9 e Increment by a value from 1 to 9 e Decrement by a value from 1 to 9 Page 119 User Manual WinDeveloper Software Ltd POF ZIP FDF spam Rules From the list below select and tick the items that you wish to set up as the rule action OME Blacklist Set Spam Confidence Level SCL to value Increment Spam Confidence Level SCL by yalue _ Decrement Spam Confidence Level SCL by value The Next Wizard page leads us to the Exception configuration step Page 120 User Manual WinDeveloper Software Ltd PDF ZIP FOF spam Rules Wizard Exceptio CU es From the list below select and tick the items that you wish to set up as the rule exceptions d iro DOresses Of Come C Sent to recipient addresses or domains C Total number of recipients is within range Subject contains words Body contains words C Body or Subject contains words Standard header s are present and not empty C Standard header s contain words Custom headers are present and not empty _ Custom header s contain words _ Email has NO body text C Email contains HTML body _ Email contains at
48. chive Directory Path allows us to specifically set the path to any local disk location Archive Maintenance relies on a central disk path configured under the Disk Maintenance Archives Quarantine category These settings are discussed in detail later in this manual However it is good to appreciate that using Disk Maintenance the configuration of disk paths is centralized Consider having multiple archiving profiles Using Disk Maintenance we avoid specifying an absolute path for each profile If we later decide to relocate the archive disk location we simply reconfigure the maintenance root under Disk Maintenance Archives Quarantine IMF Tune would then take care to compute all archive paths relative to the new maintenance root If we were to use the Override Archive Directory Path option an absolute path would be required This leads to setting of paths for each profile Relocating all archives would thus involve manually editing each profile Page 32 User Manual WinDeveloper Software Ltd 4 2 3 Archived Emails Modifications Archived emails have modification options similar to those available under Email Handling The difference is that archiving acts on a separate copy of the email Changes made by Email Handling are visible to the end recipient Changes made to archived emails are only effective on the copy of the email saved to disk Possible archive email modifications include e Insert SCL in email subject e Inse
49. composed of a set of keywords separated by white space such as original replica watch Looking at this expression we can already identify some important characteristics 1 Number of keywords This expression is composed of three keywords Each of these must be matched against the email information in order for the entire expression to be matched Position of keywords The keyword order is not relevant Emails containing the keywords in any order would still match the expression original watch replica replica watch original Keywords will also be matched in case these are separated by other text or punctuation Again IMF Tune only requires the presence of the three keywords Example Get your replica watch now Same as the original Case Sensitivity Matching is never case sensitive The expression will also match ORIGINAL RepLicA watch Whole Word Matching The keywords will also match sub strings such as The original footage was replicated and watched various times Page 144 User Manual WinDeveloper Software Ltd 4 14 2 Exact Matching IMF Tune gives special meaning to double quotes These are used to group keywords into one phrase and instruct IMF Tune to handle the enclosed text literally Consider this expression original replica watch This is the same expression considered in the previous section except for the introduction of double quotes The expression is now processed as follows 1 Number of k
50. ctions are selected Since Delete and Reject completely block email delivery configuring modifications is useless as these would be lost anyway If the action is set to Accept or Reroute the following email modifications are possible e Insert SCL in email subject e Insert SCL in email headers e Remove all email attachments In case of Reroute the following is also possible e Insert SMTP Sender Recipients IP and EHLO in email headers Email modifications are disabled for unprocessed emails Also whitelisted and SCL 0 do not allow the removal of email attachments These ratings are meant to identify legitimate emails Thus modifications should be kept to a minimum Inserting SCLs in the email subject can be very useful when dealing with spam Emails ending in the recipient junk email folder could then be sorted by SCL rating In this manner one can quickly review all trapped email whose SCL is lowest Exposing SCL values is also useful when fine tuning configuration settings We can analyze the performance of a set of settings in terms of false positives negatives and then apply adjustments to the SCL thresholds Another way of doing this is to use SCL based logging which is discussed later in this manual Removing email attachments reduces the waste in storage caused by spam Retaining spam in Junk Folders for a long time may stretch the mailbox size requirements This option removes any email attachments and images reducing this probl
51. d List interface The Expression Builder offers a simple interface to easily construct complex keyword expressions It helps with correctly using the AND OR NOT operators and with double quoting phrases when necessary Click on the Add button at one of the Subject Body Subject Body keyword lists to open the Expression Builder dialog Expression Builder xa Add phrases to build the search expression Enter the phrases below and click on Add to build the expression Match all keywords Match the exact phrase Match at least one keyword Do not match any keywords Expression parts We may now construct the expressions by inserting different types of keywords and phrases Fill in any of the four edit boxes and click on the adjacent Add button This will insert each of the sub expressions into the Expression Parts list at the bottom When done click OK to add the new expression For more details on how to use this interface check the section Working with the Expression Builder Page 72 User Manual WinDeveloper Software Ltd 4 8 2 3 Adding a List of Keyword Expressions IMF Tune provides two interfaces for adding new keyword expressions the Expression Builder and the Add List interface The Add List interface provides a simple interface through which multiple expressions may easily be entered Nevertheless it does not provide assistance with using the AND OR NOT operators Thus constructing more complex
52. der DNS List Provider DNS list zone Apart for the standard test IPs from here we can also test any other IP We could verify our own public IP or check IPs shown at the IMF Tune logs for example Page 94 User Manual WinDeveloper Software Ltd 4 10 2 3 DNS IP Exception List Under the DNS Block IP Lists and DNS Allow IP Lists categories we have the Exceptions categories Basically here we enter IPs that should skip DNS List filtering j nDevelone Y r Confiauration o fon Px r Ain mee Folder up faf Home FEY Apy Retest Ca Exceptions Archivi pera fad rebel rec Include the local e subnet and other perimeter servers routing incoming ng Qa Auto Reply i Add Ed fil Quarantine 6 H Disk Maintenance IP address 8 Auto Whitelist Senders H 8 Whiteists ER 10 0 0 0 10 255 255 255 127 0 0 0 127 255 255 255 172 16 0 0 172 31 255 255 192 168 0 0 192 168 255 255 m B S ONS lists DNS Allow IP Lists 3 DNS Block IP Lists Exceptions S A DNS Block URI Lists is B A SCL Rules BA Simple SCL Rules BA Advanced SCL Rules AR Evtemal SCI Riac IMF Tune initializes the Exceptions list with standard IP ranges used in local subnets To these we should add any other IPs used in routing incoming emails We may also add other foreign IPs that should here To add new IPs to this list click the Add button skip DNS List filtering Add new IP addresses Separate multiple
53. ders that can be inserted into archived emails Header Description x scl The email SCL rating x smtp ip The email sender IP x smtp helo The SMTP HELO EHLO host name x sender The SMTP FROM originator address x receiver An SMTP RCPT TO recipient address Multiple SMTP recipients will cause the creation of multiple x receiver headers Page 34 User Manual WinDeveloper Software Ltd 4 2 5 Publishing Emails to Quarantine NOTE A dedicated User Guide for configuring the IMF Tune Quarantine Reporting functionality is available from the IMF Tune Application Program Group Please check this document for full details on this topic One of the most significant design changes introduced in IMF Tune v5 5 is the shift from email disk archiving to SQL database quarantining Disk archiving is still 100 backwards compatible We can easily implement archiving exactly in the same manner as we did in previous releases However we now have the option to do more by publishing archived emails to a central database server This is done by selecting the checkbox at the archive profile configuration Also add archived email to quarantine database If we do not set this checkbox we have the traditional disk archiving where emails are saved to the specified HDD location On selecting this option we instruct IMF Tune to also publish emails to the database server Just as in the case of disk archiving the set of emails
54. e IMF ann aian a a a N a a ees 178 A 3 Enabling IMF v2 Exchange 2003 SP2 eessssesessessresressessrerreesersresrersresreee 180 A 4 Enabling IMF v1 Exchange 2003 SP1 and Earlier eeeeeeeeereeree 182 Acs Enabling the Junk Email Polder 2 2 44 41034 2 keeles 183 Page 3 User Manual WinDeveloper Software Ltd 1 Welcome ay Softy are WinDeveloper IMF Tune enables the Microsoft Exchange built in spam filters and Forefront Protection 2010 for Exchange to unleash their full power Today all Exchange versions from 2003 to 2013 come complete with free anti spam filtering The powerful underlying engine is bottled in an interface exposing minimal functionality IMF Tune changes this transforming the filter into a full featured anti spam solution Even if running Forefront Protection 2010 for Exchange IMF Tune brings significant improvements Additional spam filters email moderation from the browser reporting and a much more effective configuration interface are some of the enhancements MS Exchange IMF Content Filter Central SPAM Repository Quarantine Database Recpient Mailbox Page 4 User Manual WinDeveloper Software Ltd 2 Key Features Exchange 2003 2007 2010 2013 Support Extensive Exchange version support including all of Exchange 2003 2007 2010 and 2013 Server platform support includes Windows 2003 2008 2008 R2 2012 2012 R2 and Small Business Server 2003 2008 201 1 Multiple SCL Thresh
55. e SCL Mapping Configuration ES General Details Header SMTP Command Match type lt Remote IP gt y contains Operation SCL Change set value to v whitelisted K 5 Single IP 5 IP subnet IP range IP Range Start 192 168 0 0 IP Range End 192 168 0 10 Description f lt Remote IP gt matches 192 168 0 0 192 168 0 10 set value to whitelisted Co Cana On the other hand on mapping against email headers a keyword expression is required In this case a simple edit box is presented for entering the necessary text Here the Advanced button is also enabled This brings up the Expression Builder interface enabling easy construction of complex expressions Page 112 User Manual WinDeveloper Software Ltd Header SMTP Command X SPAM Operation Expression to match Operations AND OR and NOT are supported Matching is not case sensitive Enclose phrases containing white space in quotes spam yes Description E X SPAM contains spam yes set value to blacklisted To facilitate data entry the interface will also dynamically update the information summarizing what type of data is expected This is handy because of the change in requirements taking effect as we configure the other SCL Mapping options General Details Header SMTP Command X SPAM Operation Expression to match Operations AND OR and NOT are supported Matching is not case sensitive Enclose phrases containing white space i
56. e always encoded in UTF 8 For details on the format of the exported file refer to Importing Email Addresses Page 69 User Manual WinDeveloper Software Ltd 4 8 2 Accept Subjects and Accept Bodies Lists The Accept Subjects Accept Bodies and Accept Subjects Bodies categories enable the whitelisting of emails based on the email subject and body text IMF Tune attempts to match the subject and body against keywords within these lists If a match is found the email is whitelisted Ea WinDeveloper IMF Tune Configuration ocr C Sa Back G Forwar T FolderUp gh Home EY Apply lt 2 l j eiaeia ong Accept Subjects i Specify search expressions to white list emails by subject Expressions may ri include the use of the AND OR NOT operators Matching is not case sensitive ogging Qa Auto Reply J Emails containing this text in the subject will be accepted Hfj Quarantine EI S Ae sal Add Add list X Remove qa Edit Import R Export 3 8 Whitelsts amp Accept IPs ome amp Accept Senders Microsoft Security Bulletin OR Advisory OR Newsletter amp Accept Recipients RTX amp Accept Subjects SUPPORT amp Accept Bodies TICKET Accept Subjects Bodies WinDeveloper OR IMF Tune Accept Attachments Blackists amp Block IPs a Block Senders GM Block Recipients a Block Subjects amp Block Bodies GM Block Subjects Bodies GM Block Attachments l Block Foreign Spam 3 ONS Lists
57. e identified in a number of ways IMF Tune checks all of these locations SMTP MAIL FROM address From header Sender header Resent From header Resent Sender header Page 65 User Manual WinDeveloper Software Ltd 4 8 1 1 Working with Address Lists To enable disable an address list set clear the checkbox at the top Setting the checkbox will activate the list and IMF Tune will process the addresses against incoming emails Back Forward fis IMF Tune Configuration gad Email Handling tit Archiving Quarantine s Logging Ga Auto Reply fifi Quarantine H Disk Maintenance E amp i Auto Whitelist Senders 8J Whiteists amp Accept IPs a Block Bodies E Block Subjects Bodies a Block Attachments a Block Foreign Spam B L ONS Lists H A DNS Allow IP Lists ic DNS Block IP Lists ies NNS Alark LIRI lice Next we can add remove and edit email addresses using the buttons at the Te Categories Folder Up G Home EY Apply 2 Retest a Accept Senders Specify the addresses for senders whose emails are to be white listed Enter addresses in the format something something You may also use wildcards as Th Add HE Remove E Edit ES import ES Export Email address domain com imftune com feedback windeveloper com sales windeveloper com Match all addresses from this domain and any of its sub domains domain com top Everything is fairly intuitive We just need to be aware of ho
58. e limit is selected from a combo box This lists all available values SCL values that have already been set as the lower limit for other entries are excluded IMF Tune gives special handling to unprocessed whitelisted blacklisted and SCL 0 These are always present and cannot be removed For this reason their SCL range is not editable and the combo box is grayed Page 20 User Manual WinDeveloper Software Ltd 4 1 3 Actions At the Email Handling Action dialog one out of four possible actions must be set These are Accept Permits the email to reach the recipient mailbox Reroute Redirects the email to the specified address Delete Deletes the email blocking it from reaching its destination Reject Rejects the email returning an SMTP error response to the sender On accepting or rerouting the email may still be deposited to the Junk Email folder The IMF configuration to deposit emails to this folder is not overridden In fact Accept is the correct IMF Tune action when emails are required to finish into the end recipient Junk Email folder The set of possible actions configurable depend on the current SCL range setting This is so as to enforce the rule that the higher the SCL the stricter the Action Consider SCL 6 is configured to reroute emails In that case on configuring SCL 7 only reroute delete or reject are possible It doesn t make sense to first Reroute emails with SCL 6 and then Accept emails with h
59. e section that follows Page 179 User Manual WinDeveloper Software Ltd A 3 Enabling IMF v2 Exchange 2003 SP2 Exchange 2003 SP2 changed the interface for enabling IMF Thus here we must follow the procedure matching our current IMF Exchange SP version 1 Open the Exchange System Manager 2 Browse the left pane tree and open the properties for lt Organization gt Servers lt Exchange Server gt Protocols SMTP lt SMTP Virtual Server gt Note that lt Exchange Server gt is the name of the Exchange 2003 SP2 machine where the Intelligent Message Filter is to be enabled A 9 Global Settings gt 9 Respients Servers SERV BOXL 19 Queues 4 gf First Storage Group 9 Protocols iy HTTP iy maps H 0 NTP a POPS a SMTP cme Default SMTP Virtual Server et 3 XC stop C Connectors eO Tools 9 Fokers 3 From the General property sheet click on Advanced Page 180 User Manual WinDeveloper Software Ltd Default SMTP irtual Server Properties B ET 4 In the Advanced dialog that opens select the IP on which IMF is to be enabled and click on the Edit button 5 Set the Apply Intelligent Message Filter checkbox zs f identification 6 Save changes Page 181 User Manual WinDeveloper Software Ltd A 4 Enabling IMF v1 Exchange 2003 SP1 and Earlier 1 Open the Exchange System Manager 2 Browse the left pane tree and open the
60. e to work However if you want to limit access on this share you can remove this entry and specifically assign the Read permission to the Exchange server on which IMF Tune is running NOTE IMF Tune uses the IMF Tune Attendant service to read External SCL Rule files This means that in order for IMF Tune to be assigned rights over network resources the machine account must be used Windows creates an AD object for each computer within a network The computer object for the Exchange server on which IMF Tune is running should be identifiable using the computer name In the steps that follow we see how to assign the rights to an Exchange server named ExServer 6 Click Add to choose the Exchange server AD object Page 141 User Manual WinDeveloper Software Ltd Select Users Computers or Groups Select this object type Users Groups or Built in security principals Object Types Erom this location windev oeal Locations Enter the object names to select examples Check Names Advanced 7 Click on Object Types button and set the checkbox for Computers All other checkboxes may be cleared in this case When ready click OK to complete object type selection Object Types Wiks Select the types of objects you want to find Object types o Fang o Groups O B users 8 Enter the Exchange server name at the bottom and click OK Select this object type Computers Object Types
61. eason whenever importing the ImportReport log file will be generated This file is located in the main IMF Tune program directory and is overwritten on each import The log file will show how each of the imported entries was handled and whether or not the entry was rejected due to validation reasons Page 80 User Manual WinDeveloper Software Ltd 4 8 3 4 Exporting IPs IMF Tune also supports exporting IP lists to an external text file The export is correctly formatted to the IMF Tune import specifications Thus we may use the export and import functionality in order to quickly replicate configurations on multiple IMF Tune installs Exports are always encoded in UTF 8 For details on the format of the exported file refer to Importing IPs Page 81 User Manual WinDeveloper Software Ltd 4 8 4 Accept Attachments The Accept Attachments category enables the whitelisting of email attachments IMF Tune attempts to match attachment names against this list If a match is found the email is whitelisted Back GQ Forward EE categories Folder Up gh Home FE Apoy A Retires ia a 3 Accept Attachments E Li Specify the attachment filenames whose emails are to be whitelisted Enter the a exact filename to be matched or use the wildcard as follows something Qa Auto Reply 7 Emails with file attachments matching these names will be accepted fil Quarantine 4 Disk Maintenance n 5 3 i Auto Whitelist S
62. ed Emails 0 eecceseeeseesseeeereeeeees 27 4 1 9 Overriding the Default SMTP Rejection Text ee eee eeeeceeeeeeeeeeees 28 Bhs 2 AreMying Quarantine ges dec vnee vexcicel caecaodearaiauecadtvwtacaseisled Audubdedencdiadautueereieeds 29 4 2 1 Archiving Profiles occc scsuseecaceetuedeeeetaehoeudtadieevasieuaectics dude vacdoedcaaeuvesideteestuadus 30 4 2 2 Choosing an Archive Directory Path 2s ccssiaees acccearenstedtunestrpestevdaeres entensaniece 32 4 2 3 Archived Emails Modifications seseeseeeesesseseesereseeressessreseresersresreeseesresene 33 4 2 4 Headers Inserted in Archived Emails eseeesesesseeeeeseeeesresrrseresressrseresreses 34 4 2 5 Publishing Emails to Quarantine seeeeeseesesseeeseesessrrsresressersrrrrrnsressrseesresss 35 BS LQ GING rinri riegos EE Ea EEEE AEEA ERE AR 36 4 3 1 Login Professioni iiini saja aA E AE ASAE 37 4 3 2 Log Fil Fields carnosa E E 39 4 4 Auto ReplieS sissie iins ieii aaia aiia is aTa ian 40 44 1 A to Reply Profiles sociscienca tieien 41 4 5 Disk Maintenant sssrin rr A EA 43 4 5 1 Archive Quarantine Maintenance ccccccceessssecececeeeceesenseceeeceeeeeessnseaes 44 4 5 2 Logs Reports Maintenance sssseeeseseeesessessresresressersresressrtsrrseresressrseeesresee 50 4 6 Quarantine essien eoa aa aao RE E EEE EEA AE EEAS 55 4 7 Auto Whitelist Senders ssseeeeseeeeseeeseesesseesrsereserserrresrestserestessesseesresseseresees 56 4 7 1 Configuring Sender Auto Whitelisting
63. ed rules we can enable disable individual rules This can be done by opening the rule and setting clearing the enablement checkbox shown later Disabling a rule is handy especially if we only want to stop enforcing it temporarily Next we can manage the rule list using the Add Remove and Edit buttons Page 117 User Manual WinDeveloper Software Ltd 4 12 2 Adding Advanced SCL Rules Click on the Add button to start creating a new Advanced rule This will start the Advanced Rules Wizard It provides the necessary steps for constructing rules composed of conditions exceptions and an action In order for the rule action to be applied the email must match all conditions without matching any of the exceptions The Wizard starts from the Details page exposing some general properties At the Display Name field a rule name must be supplied Under Comments an administrative note may be entered typically to describe the intent of the rule The Enable rule checkbox controls the rule state If cleared the rule will be saved without being applied to any emails At the bottom this page also shows the creation and last modified dates POF ZIP FOF spam Rules Wizard Details g Fill up the rule details 1J Enable rule Display name PDF ZIP FDF spam Comments Rule to block empty bodied emails whebe the spam content is delivered as an attachment Created 03 July 2010 12 230 08 Last modified 03 July 2010 12 34 57
64. ed up and later purged by disk maintenance This renders the availability of emails archived to disk predictable If we need to go back and dig some old email from the disk archive it will still be available The last option at the bottom of Maintenance Archives Quarantine category is Retain quarantine information for reporting purposes for days This is the age limit for email retention at the database server Emails reaching this limit are purged completely Note how there is no way to disable this purging and the maximum value here is 999 days Some might be tempted to employ the IMF Tune database as some kind of permanent email archive However the Quarantine functionality has not been designed for this purpose Thus we discourage employing the system in this manner The option reads Retain quarantine information for reporting purposes because this age limit determines the number of days reporting information is Page 48 User Manual WinDeveloper Software Ltd retained within the database In other words the number of days configured here will determine the span of time covered by all reports As an example let s say we set this to 30 days The bar chart showing the number of accepted rerouted rejected and deleted emails will show the totals for the last 30 days Page 49 User Manual WinDeveloper Software Ltd 4 5 2 Logs Reports Maintenance The Logs Reports Maintenance functionality is very similar to that for disk
65. efront assigns SCL 1 with less restraint Indeed it uses SCL 1 to also stamp emails classified as legitimate by the Forefront Content Filter This is the case even if the email does not match any whitelist The distinction between whitelisted emails and emails classified as legitimate through content analysis is useful to IMF Tune When IMF Tune finds a whitelisted email SCL 1 no blacklists or SCL Rules are applied So with Forefront s rating system we end up with many more emails bypassing blacklist processing Let s say our Organization wants to blacklist a mailing list that sends out daily jokes This is an opt in mailing and Forefront correctly classifies these emails as legitimate assigning SCL 1 The IMF Tune blacklists will be bypassed unless we change the settings at the Exchange Forefront SCLs category Page 159 User Manual WinDeveloper Software Ltd 4 16 1 Customizing SCL 1 Handling IMF Tune can be configured to further analyze emails having an SCL 1 rating Normally the goal is to distinguish between emails that are explicitly whitelisted and emails classified as legitimate by Forefront content filtering IMF Tune does this by looking for special keywords within the header X MS Exchange Organization Antispam Report This header gives details on how the SCL rating was arrived at For example if an email matches the Exchange IP Allow List the report will contain the keyword IPOnAllowList Other keywords are used to
66. elists blacklists and SCL a Rules This allows you to see how IMF Tune is matching processed emails ng Qa Auto Reply N a Hil Quarantine V Enable keyword reporting B Disk Maintenance g Archives Quarantine Save file to the reporting maintenance directory aag oilan iaai C Program Fies Win Developer IMF Tune ogs imfrpt_ lt date ime gt _Keywords htr D 4 Whitelsts Gl Blackists Override reporting path Gl Block IPs E g Block Senders E amp Warning Reporting maintenance won t be applied MJ Block Recipients Block Subjects nhac a Block Bodies amp Block Subjects Bodies g Block Attachments a Block Foreign Spam a bnd ONS Lists H A DNS Allow IP Lists cy DNS Block IP Lists E DNS Block URI Lists amp SCL Rules f Keyword Reporting fe Exchange Forefront SCLs Details B Licensina Keyword reporting only generates a global report file To enable maintenance the Save to the Reporting Maintenance Directory should be selected The file would then be named using the format imfrpt_ lt date time gt _Keywords htm Page 52 User Manual WinDeveloper Software Ltd 4 5 2 2 Breaking Files by Size and Date Log and report files are appended whenever an event relevant to their reporting scope occurs This could lead a single file to grow very large making it more difficult to open and review For this reason IMF Tune requires the configuration of 2 limits 1 The maximum file size in KB 2 The m
67. em Insertion of SMTP headers is only available when rerouting emails and on archiving emails which is discussed later in this manual This option discloses the complete list of SMTP recipients including BCCs This information is normally considered to be confidential Thus the option is disabled for the Accept action Page 24 User Manual WinDeveloper Software Ltd 4 1 7 Customizing Insertion of SCLs in the Email Subject When performing Accept or Reroute actions it is possible to insert the SCL rating into the email subject 5 Microsoft Outlook Web Access Microsoft Internet Eeplorer Be Junk E mail p Outlook Web Access i Comacts OLY a Doleted home H Orelts Inbox 7 JA Jounal Ca Maer ta Notes B Oudox L See Mern Take tuz H L Lewis Orval Pare ee L Kitty Norwood 2 Don t be lefts scursu ye S T o SCL 7 New 2005 Models s blood Wed 23 02 2700 Z abetterse Wed 23 02 200 1 KB 8 Dont be lent out i Wed 23 02 200 40 6 SCL 9 PW FW your priv Wed 23 02 200 2KB SCL 8 Sfelime member Wed 23 02 200_ 2 KB IMF Tune provides a number of customization options in this area Start by selecting the Insert SCL Custom Tag in email subject checkbox V Insert SCL Custom Tag in email subject T Insert SCL in email headers By default this will prefix the subject with the text SCL lt n gt Here lt n gt is the SCL rating a
68. enders MJ Block Recipients GM Block Subjects a Block Bodies amp Block Subjects Bodies a Block Attachments a Block Foreign Spam B L ONS Lists S L DNS Allow IP Lists ic 4 DNS Block IP Lists E NNS lank LRI lite Next we can add remove and edit IP entries using the buttons at the top of the list a m ard EE categories Folder Up faf Home Fy Aly lt 2 Retest Accept IPs Specify the IP addresses from which emails are to be white listed Th Add HE Remove E eai ESF impor P export IP address 123 123 123 0 255 255 255 0 127 0 0 1 192 168 0 0 192 168 0 10 Match emails originating from this IP 192 168 0 54 Page 78 User Manual WinDeveloper Software Ltd 4 8 3 2 Adding Editing IP Entries IMF Tune allows the entry of single IPs IP ranges and IP Mask pairs In an IP range we specify the lower and upper IP limits IMF Tune would then match all IPs between these two limits An IP Mask pair also identifies a set of IPs This time the relevant IPs are determined by combining the IP and Mask as in subnetting Click on the Add button to open the IP configuration dialog Edit IP Address Ex Single IP address Group IPs by subnet IP Range IP Range Start 192 168 0 0 IP Range End 192 168 0 10 _Cancel_ From here select Single IP address Group IPs by subnet or IP Range Next we fill the edit boxes that follow with the IPv4 values to be matched To edit an
69. enders Th Add DK Remove E Eai RE import PE Export 6 8 Whiteists ER z doc docx invoice po GB ONS Lists Match this specific filename invoice pdf E3 DNS Allow IP Lists DNS Block IP Lists e NNS Aian LRI lite Page 82 User Manual WinDeveloper Software Ltd 4 8 4 1 Working with the Attachment List To enable disable the attachment list set clear the checkbox at the top Setting the checkbox will activate the list and IMF Tune will process the attachment names against incoming emails onfiqura eloper IMF Tune Ci ion WinDev r Back Forw faa IMF Tune Configuration 84 Email Handling tia Archiving Quarantine s Logging Gag Auto Reply fifi Quarantine 5 Disk Maintenance Gi Auto Whitelist Senders B 48 Whiteists amp Accept IPs amp Accept Senders a ard EE categories Folderup Gh Home Fy Aly A amp O Retest Accept Attachments Specify the attachment filenames whose emails are to be whitelisted Enter the exact filename to be matched or use the wildcard as follows something Ei Add HK Remove E Edit ES import ES Export Filename doc amp J Accept Recipients amp Accept Subjects amp Accept Bodies amp Accept Subjects Bodies Accept Attachments Gi Blackists GM Block IPs GM Block Senders MM Block Recipients GM Block Subjects Gl Block Bodies amp Block Subjects Bodies Gl Block Attachments Gl Block Foreign Spam iB ONS List
70. ensing i License Key Domains Ea Miscelaneous WinDeveloper IMF Tune Configuration joj xj Back Foed EE coteores Folder Up Ai Home is Apply Q Refresh IMF Tune Conligueation gig Emal Handing Deny Senders 2 Ga Acting diel DICKIE eich cS tie avale hat fot il 7 o change ary of these settings use the Exchange System Manager w7 Logging Qe AutoReply General Vitual Servers E Disk Maintenance E gd Whtelais Emails from these senders wil be blocked amp Blacklts E B SCL Rules P Simple SCL Rules spam spammer com PA Advanced SCL Rules somecne kdomain2 com S Extemeal SCL Rules doman cam te Keyword Reporting fae Unprocessed Emails Deaik BAB Exchange System Menager IR IMF DP Sender ID B Allow IPs Directory Havesting E O Licensing License Key Domains Ea Miscelaneous Page 167 User Manual WinDeveloper Software Ltd The lists are exported to text files whose format is consistent with the import export functionality provided by the IMF Tune white and black lists Organizations that prefer to let IMF Tune handling IP sender and recipient filtering may thus quickly move the settings from Exchange to IMF Tune by exporting and re importing to the appropriate lists Page 168 User Manual WinDeveloper Software Ltd 4 19 Details IMF Tune keeps track of the global configuration creation and last modification dates Furthermore the configuration provides the space for
71. entries with carriage returns Enter single IP addresses in the format 10 0 0 0 10 255 255 255 127 0 0 0 127 255 255 255 enn 123 22 444 OR ranges using the format 4 4 4 2 2 Page 95 User Manual WinDeveloper Software Ltd Here we can enter single values in the IPv4 format or ranges in the format XXX XXX XXX XXX vyy yyy yyy yyy lower IP limit upper IP limit We can mix single IPs and ranges as needed We just separate these with a carriage return Page 96 User Manual WinDeveloper Software Ltd 4 10 3 DNS URI Lists DNS URI Lists allow us to test if links within the email body point to sites affiliated to spammers Spammers wanting to sell something provide links to their order pages A phishing email normally links to a site where users are tricked to hand over their personal data Other spam emails use links to download images from the internet In all cases links are a very important hook for a spammer to reach his goal IMF Tune will dig links from the message body and submit them to the DNS URI Block list of our choice To begin go to DNS Lists DNS Block URI Lists Here we configure the details of the DNS URI List providers we want to query eer Or Gm mr O Ea IMF Tune Corfigurton E DNS Block URI Lists 84 Email Handling ae Configure DNS URI List providers that identify URIs known to be found in spam ita Archiving Quarantine and malicious emails Qa Auto Reply Th Add HE Remove
72. er is all that is required We may check which Exchange SP is installed through the System Manager Console 1 Browse to the Exchange Server object me Exc hange System Manager 2 The General property page will show the SP number installed TESTBOX 1 Properties Page 176 User Manual WinDeveloper Software Ltd For systems running Exchange 2003 SP1 or earlier we strongly recommend to upgrade to SP2 In this case make sure to first uninstall IMF v1 from the Add Remove Programs Warning Installing IMF v1 on an Exchange SP2 machine is very likely to corrupt IMF leading it to stop processing any emails Recovering from such a corruption requires uninstalling IMF v1 and re applying SP2 Page 177 User Manual WinDeveloper Software Ltd A 2 Configuring IMF Follow these steps to configure IMF 1 Open the Exchange System Manager 2 Open the Message Delivery properties under Global Settings Lo TSS wes Fest Organization Exchar Name C Gobal Settings New Window From Here ca iFirst Organization Exchange amp Gobal Settings Internet Message Fc i Q Mobile Servic C Recipients Refresh O Servers SERV 50x1 aS E 3 Select the Intelligent Message Filtering property sheet 2x General Defaults SenderFiterng ConnectionFilering Recipient Fitering Detals Inteligent Message Fitering Sender ID Fitering Configure spam confidence level SCL thresholds
73. expressions requires understanding the expression syntax rules Check the Constructing Search Expressions section for details on expression syntax Click on the Add List button at one of the Subject Body Subject Body keyword lists to open the expression list dialog Expressions Add new expressions Separate multiple entries with carriage returns Operators AND OR NOT are supported Enclose phrases containing white space in double quotes Microsoft Securty Bulletin OR Advisory OR Newsletter RTX SUPPORT TICKET WinDeveloper OR MF Tune COK cancel Enter each expression in a separate line by hitting the carriage return key The list can handle up to 64Kb of data at a time To enter more keywords click OK to save and close the dialog Next click Add List again to re open the dialog and enter more keywords Otherwise we may use the keyword list import functionality to quickly add large lists of expressions Expressions here may also include the AND OR NOT operators and the use of double quotes The list interface will automatically validate each of the expressions on clicking OK and notify us of any invalid expressions Page 73 User Manual WinDeveloper Software Ltd 4 8 2 4 Editing Existing Keywords IMF Tune supports editing expressions through the Expression Builder interface Double click the expression or select the expression and click on the Edit button Expression Builder xa Add p
74. eywords This expression is composed of two elements original replica and watch 2 Position of keywords Since original replica is now one phrase IMF Tune will only match this when found in that exact order On the other hand watch may appear anywhere Example Watch out for this original replica 3 Case Sensitivity Matching is always case insensitive even when double quotes are used Thus the expression will also match Watch out for this Original REPLICA 4 Whole Word Matching Despite the use of double quotes the phrase may match other words with similar spelling such as Watch Aboriginal Replicas Page 145 User Manual WinDeveloper Software Ltd 4 14 3 Whole Word Word Start End Matching In the Exact Matching section we have seen how the phrase original replica matched Aboriginal Replicas The double quotes here only enforced literal matching but did not exclude sub string matching In order to exclude such a match the expression must be changed as follows original replica watches Here we inserted a white space between the double quotes and the first and last characters The phrase now will only match whole words The same logic may be used to match words starting or ending with specific text For example here the keyword is enclosed by double quotes and the leading quote is followed by a white space watch This will match each of these words Watches Watcher Watchin
75. g On the other hand in the next example IMF Tune will only match words ending with the text watch The expression here contains a white space preceding the closing quote watch This will match each of these words Baywatch Stopwatch Page 146 User Manual WinDeveloper Software Ltd 4 14 4 Punctuation Handling When discussing whole word matching white space was considered as the delimiter identifying the word boundaries Nevertheless words are also very often separated by punctuation For this reason IMF Tune also allows whole words to be surrounded by punctuation Specifically the following punctuation marks are allowed gt I 7 7 e e Consider a phrase requiring whole word matching such as 77 watc JJ This would successfully match all of these Original replica watch Replica watch get yours now Indeed the phrase will match any combination of surrounding punctuation including less meaningful ones watch watch watch Page 147 User Manual WinDeveloper Software Ltd 4 14 5 Minimum Keyword Length IMF Tune supports expression processing against email headers and bodies Apart for one exception the same expression syntax rules apply in all cases The only difference is the minimum keyword length Keywords to be matched against email bodies must be at least 3 characters in length In general email bodies are made up of long text runs Any short keyword is likely to lead to unexpected m
76. g the junk email folder can be done either through OWA or through scripting Using OWA 1 Open OWA and select Options shown in the lower left corner of the image that follows 44 Microsoft Outlook Web Access Microsoft Internet Explorer c E 101 x Ele Edt Yew Favorkes Tools Help j Outlook Web Access Options Gy Administrator ASi Tose Open T Calendar Download g Contacts a Deleted tems Privacy and Junk E mail Prevention DA Drafts i Are xf gA f M Fiter Junk E mat fcheck the Junk E mail folder regularly to ensure that lt a esso9es the you want to receive Manage Junk E mail Lists Choose how to respond to requests For read receipts Always send a response Do not automaticaly send a response You can control whether external content in HTML e mail messages is automi displayed when you open an HTML message Block external content in HTML e mail messages Annearance Fa gt 2 Scroll the Options in the right pane and identify the Privacy and Junk E mail Prevention section 3 Thick the Filter Junk E mail checkbox 4 Click on Save and Close button to save changes Using Scripting Evan Dodds a Program Manager in the Exchange Admin SysMgmt team provides an excellent script for enabling the Junk Email folder The script must be fed with a text file listing the mailboxes for which the folder is to be enabled We will also need an account having the necessary rights over the
77. hat immediately pushes newly discovered addresses to the whitelist Because of this some of the addresses may not yet be visible ManageAWL exe ManageAWL exe help ManageAWL exe Show this help screen ManageAWL exe simple Show flat address list ManageAWL exe simple gt file path Dump flat address list to a file located at file_path ManageAWL exe detail Show detailed address list ManageAWL exe detail gt file_path Dump detailed address list to a file located at file_path The tool is very simple it only requires one of these parameters Simple Return a flat list of addresses Detail Return addresses grouped by date Important The help screen alerts us of an important limitation that is worth highlighting ManageAWL is normally unable to show us the very latest addresses collected by the whitelisting process Addresses may take up to 24 hours until these become visible The reason for this has to do with making the process as efficient as possible IMF Tune immediately starts applying newly discovered addresses for whitelisting however it only renders the latest Page 62 User Manual WinDeveloper Software Ltd addresses visible in batches Thus even though some emails might start being whitelisted ManageAWL may take some time until it catches up 4 7 4 1 ManageA WL exe Simple In this mode ManageAWL will produce a flat list of whitelisted addresses e Administrator Command Prompt C P
78. he Web interface component is optional In fact IMF Tune can be run without it ever being installed but of course we would be missing all the functionality this interface delivers If installing IMF Tune for the first time we recommend focusing on the IMF Tune server installation upgrade first Completing this step we have a fully functional IMF Tune delivering all the filtering functionality The Web component installation can be completed later without causing any disruption The primary focus of this manual is the installation and configuration of the IMF Tune Server Even though this manual visits the Moderator Reporting functionality in various sections a full discussion of the Web component installation configuration and usage is not included here Instead the Web component has a dedicated document Look for this under the IMF Tune application program group Page 7 User Manual WinDeveloper Software Ltd 3 1 Minimum Requirements 1 Platform Support The IMF Tune server is installed on the Exchange server machine Exchange versions 2003 2007 2010 and 2013 are supported The following is the list of supported platform Exchange server combinations Exchange 2003 SP2 e Windows 2003 x86 SBS 2003 x86 Exchange 2007 e Windows 2003 x64 Windows 2008 2008 R2 x64 SBS 2008 x64 Exchange 2010 e Windows 2008 2008 R2 x64 SBS 2011 x64 Exchange 2013 e Windows 2008 R2 x64 Windows 2012 x64 Windows 2012
79. hoose to simply enable this for all users using Any local domain user Otherwise we can choose to specify a list of users to exclude or include in the discovery process Page 57 User Manual WinDeveloper Software Ltd As an example imagine we have some guest using our email services for a short while We might not want to whitelist contacts for such guests As another example consider the case where we have a mailbox that sends out automated emails to anyone filling some web form We may choose not to auto whitelist foreign contacts interacting with this mailbox Page 58 User Manual WinDeveloper Software Ltd 4 7 2 Auto Whitelist Exceptions Under the Auto Whitelist Senders category we find the Exceptions list aw Tn Col E Beck FTE Categories D Folder Up Bi Home f AY Re Ga IMF Tune Configuration Exceptions a f identify foreign addresses domains that should never be automatically big Acchiving Quarantine whitelisted Logging Qa Auto Reply ij Quarcrtne fi Quarantine Database amp 3 Users 4 Add Xx Remove ia E it if Email address Domain Disk Mantenance some_funry_domain com ta Archives Quarantine bob domain com ge Logs Reports H 8 Auto Whtelst Senders amp Whtelsts amp J Accept IPs amp Accept Senders amp J Accept Recipients amp Accept Subjects amp J Accept Bodes amp J Accept Subjects Bodies amp Accept Atachmarts
80. hrases to build the search expression Enter the phrases below and click on Add to build the expression Match all keywords Match the exact phrase Match at least one keyword Do not match any keywords Expression parts WiinDeveloper OR IMF Tune KT cereal To delete any expression part select this from the Expression Parts list and click on the Remove button Likewise we may add keywords by filling the appropriate edit box and clicking the corresponding Add button When done click OK to save changes For more details on using the Expression Builder check Working with the Expression Builder Page 74 User Manual WinDeveloper Software Ltd 4 8 2 5 Importing Keyword Expressions IMF Tune enables the insertion of keyword expressions into white black lists through the import functionality For the import to work the source file must meet the following requirements 1 Importing only supports plain text files The file may be encoded in 7 bit ASCII UTF 8 or UTF 16 Although two UTF encoding formats are supported all characters are expected to be within the standard Windows 1252 character set 2 Multiple keyword expressions must be separated by a carriage return line feed CRLF sequence For files generated on non Windows platforms the line feed only separator LF is also supported In order to see a sample of a correctly formatted file use the Export functionality The import process includes a validation
81. igher SCL ratings The action for unprocessed whitelisted and SCL 0 is fixed to Accept These classifications are meant to identify legitimate emails Thus any action other than Accept would cause loss of valuable email Depending on the type of action selected the configuration will automatically provide a set of additional options The sections that follow discuss these options in more detail Page 21 User Manual WinDeveloper Software Ltd 4 1 4 Grabbing a Copy of Accepted Emails IMF Tune allows us to grab a copy of the emails reaching recipient mailboxes This can be useful when analyzing the performance of specific SCL ratings On selecting the Accept action the BCC Email to option is exposed Set the checkbox to enable this functionality We may then specify the address to which emails are to be copied Since the new address is BCCed the email content is unchanged Thus emails may be analyzed unobtrusively Email Handling Action Edit aoe SCL Level Range z z Action Accept v V BCC email to G 2 scl2 windeveloper com Users F Insert SCL Custom Tag in email subject Insert SCL in email headers Remove all email attachments We can either type the BCC address directly or click on Users to lookup an address from Active Directory Select User Select this object type Usa From this location Entes the object name to select examples Alex Check Na
82. in text files The file may be encoded in 7 bit ASCII UTF 8 or UTF 16 Although two UTF encoding formats are supported all characters are expected to be within the standard Windows 1252 character set 2 Multiple filename entries must be separated by a carriage return line feed CRLF sequence For files generated on non Windows platforms the line feed only separator LF is also supported In order to see a sample of a correctly formatted file use the Export functionality The import process includes a validation procedure that could reject some of the entries being imported For example if a filename contains illegal use of the wildcard that entry would be rejected When importing a large number of filenames it may be difficult to determine which of these failed to be imported For this reason whenever importing the ImportReport log file will be generated This file is located in the main IMF Tune program directory and is overwritten on each import The log file will show how each of the imported entries was handled and whether or not the entry was rejected due to validation reasons Page 85 User Manual WinDeveloper Software Ltd 4 8 4 4 Exporting Filenames IMF Tune also supports exporting filenames to an external text file The export is correctly formatted to the IMF Tune import specifications Thus we may use the export and import functionality in order to quickly replicate configurations on multiple IMF Tune installs Expor
83. inDeveloper Software Ltd 4 1 1 SCL Handling Action Configuration Adding or editing actions for an SCL range is done through the SCL Handling Action dialog Email Handling Action Edit fs SCL Level Range E J gt Action Accept z BCC email to Insert SCL Custom Tag in email subject Insert SCL in email headers Remove all email attachments teed It provides the following configuration options e An SCL range for which these settings are to be applied e An action to be performed on the emails e Aset of additional email modifications The actions and modifications configured here are applied directly to incoming emails Once the Exchange Content Filter completes its processing IMF Tune takes over and performs its own spam filtering Combining the outcome of the two filtering stages gives us the final SCL rating Thus the Email Handling configuration with matching SCL range is identified and applied Page 19 User Manual WinDeveloper Software Ltd 4 1 2 SCL Range The configuration only enables the setting of the lower SCL range limit value The upper range limit is automatically set This is done by referring to the already configured SCL ranges and setting it so as not to leave gaps IMF Tune SCL ranges are always inclusive of the lower and upper limits This means that a range 3 to 5 includes emails assigned any of the SCL values out of 3 4 and 5 The lower SCL rang
84. ined email for delivery In this case the IMF Tune server fulfills the request by fetching the email from the disk archive and submits the email for delivery Page 35 User Manual WinDeveloper Software Ltd 4 3 Logging IMF Tune logging keeps record of processed email in a CSV formatted log file ten WinDeveloper IMF Tune Configuration ay CE ia So Back 3 i Fle Categories Folder Up Ai Home E ay RA Re IMF Tune Configuration a ye Ema Handing Logging Specify logging options for email based on their Spam Confidence Level SCL b a Archiving Guarartine rating vw Jrg Qa Ato Reply 6 fij Guaantne fi Quarantine Database 88 Users Whitelsted Logs a a pest 7 Rereted ives Quarantine g5 Loge Rapoits Blacklisted Logs Bd Wheelsts E Accept IPs Eid Accept Senders amp Accept Recipients SJ Accept Subjects amp d Accept Bodes amp Accept Subjects Bodies E Accept Atachmerts Gl Blackiists GM Block IPs SH Block Senders GM Block Recipierts g Block Subjects GM Bock Bodies g Block Subjects Bodies gi Block Attachments a Block Foreign Spam The logging information has wide spread applicability For example it is always wise to keep a list of all rejected deleted emails This gives us the ability to verify which emails were blocked if the necessity arises Logged fields such as the remote host IP and the Sender address could be used to populate blacklis
85. ion Entire Directoy Enter the object name to select examples Alex Check Names In the Select User dialog we may then specify a user name Clicking on Check Names would then resolve the address Click OK to close the Select User dialog and set the From address Next specify the subject of the auto reply email The Set original subject as the reply subject checkbox instructs IMF Tune to simply set the original subject and prefix it with the standard Re text Otherwise a fixed subject may be set by clearing the checkbox and entering the text in the Subject edit box Finally fill in the body text of the auto reply body Page 42 User Manual WinDeveloper Software Ltd 4 5 Disk Maintenance IMF Tune may be configured to archive to disk quarantine to a database server and generate CSV reports on all processed emails If not controlled these operations may exhaust disk space something that would stop IMF Tune from functioning and potentially affecting other applications running on the same machine For this reason IMF Tune provides the Disk Maintenance functionality to automate the backup and purging of old email information Additionally Disk Maintenance also provides the following benefits e Centralized management of all directories used for archiving logging and reporting e A consistent file directory naming scheme e The ability to break logs and reports by date and size Page 43 User Manual WinDe
86. ion fill in any of the edit boxes and click on the adjacent Add button This will automatically validate and transfer the keywords to the Expression Parts list at the bottom Here the order of the individual expression parts is not relevant To add multiple phrases into the same expression just enter the keywords in the appropriate edit box click on Add and repeat the procedure as necessary To delete any of the Expression Parts just select it and click on the Remove button Once all necessary keywords are entered and added click on OK to save the expression Page 153 User Manual WinDeveloper Software Ltd 4 15 Keyword Reporting Keyword Reporting allows us to see how emails are matching the various IMF Tune filtering srages An HTML formatted report is generated that is especially useful when verifying the effectiveness of our current configuration If we are uncertain why an email was white black listed or whether an SCL rule is only matching the intended class of emails then this is the report to look at Configuring Keyword Reporting is a trivial matter We just enable it and specify the location for the report file under the Keyword Reporting category Da WinDeveloper IMF Tune Configuration koae Back Forwat Folder Up Gh Home EY Apey lt 2 Osi IMF Tune Configuration a 84 Email Handling ita Archiving Quarentine A Logging Qa Auto Reply fifi Quarantine V Enable keyword reporting 3 Disk Maintena
87. ist Clicking on Add opens the External SCL Mapping configuration dialog External SCL Mapping Configuration n parrrarerrararay i General i Schedule Detais Header SMTP Command Match type lt Remote IP gt 7 corte Operation SCL Change set value to blacklisted x External file C Program Rles WinDeveloper IMF Tune Etemal lPs bt Browse The dialog is organized in three configuration pages General Schedule and Details The General page comprises setting for identifying 1 The email information IP address header or body the rule is to test 2 The operation to perform on matching an email 3 The path to an external file containing values to be matched against processed emails The interface provides plenty of flexibility We can setup an External SCL Rule against any standard or custom header email bodies sender recipient addresses or IPs Through these rules we can choose to whitelist blacklist emails set the SCL to any fixed value or to apply an increment decrement to the current SCL rating Apart for the external file path the General property page presents the same configuration elements available for Simple SCL Rules The only difference is that whereas Simple Rules are directly fed with the value to be matched External Rules are fed with a file path From here IMF Tune will load the list of values Page 133 User Manual WinDeveloper Software Ltd External files a
88. isted a Logging Qa Auto Reply 7 Emails originating from these IP addresses will be accepted Hfj Quarantine H 2 Disk Maintenance aula 3 fi Auto Whitelist Senders TE Add DE Remove cE Eait ASF impor P Export amp J Whiteists amp Accept IPs IP address amp Accept Senders 123 123 123 0 255 255 255 0 amp Accept Recipients 127 0 0 1 j 192 168 0 0 192 168 0 10 a Block Bodies LJ amp Block Subjects Bodies g Block Attachments a Block Foreign Spam GB ONS Lists Match emails originating from this IP 192 168 0 54 es 3 DNS Allow IP Lists DNS Block IP Lists DG NNS Rink LRI liste The IP list can be fed with single IPs IP ranges and IP Mask pairs Page 77 User Manual 4 8 3 1 Working with the IP Lists To enable disable the IP lists set clear the checkbox at the top Setting the checkbox will activate the list and IMF Tune will process the IPs against WinDeveloper Software Ltd incoming emails ee an nD slop J une Ce Back Forw onfiqura ion is IMF Tune Configuration 84 Email Handling tia Archiving Quarantine s Logging Qa Auto Reply fifi Quarantine 5 Disk Maintenance i Auto Whitelist Senders amp Whiteists amp Accept IPs amp Accept Senders amp Accept Recipients amp Accept Subjects amp Accept Bodies amp Accept Subjects Bodies amp Accept Attachments Gi Blackists amp Block IPs GH Block S
89. ives negatives e Responsiveness and Availability The response time and uptime of the DNS list servers It is important to be aware of these differences Subscribing to a list that is not well maintained can adversely affect filtering Page 89 User Manual WinDeveloper Software Ltd 4 10 1 DNS Server Configuration IMF Tune requires some network information in order for it to submit DNS queries Under the DNS Lists category we identify the servers available for IMF Tune to connect to the DNS IMF Tune uses these as a stepping stone to the DNS Lists Back T Folder Up faf Home EY Apply Gs IMF Tune Configuration a DNS Lists as DISAS Identify the DNS servers through which IMF Tune can submit queries to DNS lida Archiving Quarantine A List providers 7 Logging Qa Auto Reply Get DNS servers from 2 Hfj Quarantine 0 Disk Maintenance All network adapters IPv4 only 0 8 Auto Whitelist Senders i 0 8 Whtelsts D Only this network adapter Gi Gi Blackists Gl Block IPs MM Block Senders Custom DNS server list Gl Block Recipients a Block Subjects amp Block Bodies Gl Block Subjects Bodies 8l Block Attachments DNS Servers Gl Block Foreign Spam T DNS Allow IP Lists Rd Exceptions DNS Block IP Lists Exceptions 3 DNS Block URI Lists 2 Exceptions BA SCL Rules BA Simple SCL Rules BA Advanced SCL Rules BR Evtemal SCI Aiae Test Under Get DNS servers from we ca
90. k Recipients Block Subjects a Block Bodies amp Block Subjects Bodies g Block Attachments Gl Block Foreign Spam GB ONS Lists B A DNS Allow IP Lists ca DNS Block IP Lists E DNS Block URI lists JA SCL Rules w Keyword Reporting fm Exchange Forefront SCLs Details E _Lirensina m Resubmit approved emails through this directory C Program Files Microsoft Exchange Server V14 Transpor V Store information on all processed emails for reporting purposes Process Moderator approve delete operations every min 5 Upload new quarantines to database every min 5 A dedicated User Guide for configuring the IMF Tune Quarantine Reporting functionality is available from the IMF Tune Application Program Group Please check this document for full details on this topic Page 55 User Manual WinDeveloper Software Ltd 4 7 Auto Whitelist Senders Sender auto whitelisting allows the automatic discovery and whitelisting of foreign contacts with whom local users are exchanging emails Once discovered subsequent emails are automatically whitelisted eliminating the need for manual whitelist configuration Within a few days from enabling auto whitelisting a significant number of legitimate emails will be whitelisted bypassing any further filtering Once the initial discovery is completed the only legitimate emails undergoing spam filtering will be those from new contacts Whitelisting a large proportion of legitima
91. legal Operator Sequences 000 ee eeeeeeseeeseeeeeeenaeeneeeeees 151 4 14 8 Working with the Expression Builder eee eeseeeeceeeeeeneeeeaeenseeeeees 152 4 15 Keyword Reporting essesseesseessesssesessetesseesseesseesseeesseeessresseesseeesetessseesseesse 154 4 15 1 Understanding the Keyword Report eccceeeecceesseceeeseeeenteeeeneeeenaeeees 156 4 16 Exchange Forefront SCLs Exchange 2007 2010 2013 esseere 159 4 16 1 Customizing SCL 1 Handling eeseseeesesesessessrerrresersrrsresseesreseresressese 160 4 17 Unprocessed Emails Exchange 2003 Only sssssssessssseessssssesssesssseeesseesseesse 162 4 18 Exchange System Manager Anti Spam Settings Exchange 2003 Only 163 4 18 1 Exchange Intelligent Message Filter Settings 0 0 0 lees eeeeesseceeeeeeeee 164 4 18 2 Exporting Exchange Anti Spam Settings 00 eeceeeeeeeeereeeseeeseeeeees 167 4 19 Details Sirci eet eases neva siii Sint sacatved Guay ere e hus o iari 169 4 20 Product Version Disabling IMF Tune cece eeeccecsseceesteceesneeeeneeeeneeeeaees 170 5 Licensing WinDeveloper IMF Tune seesessseesessrsesseresseseresresseseresresseseresreeseesesees 171 9 Licensed Emal Domains serisini ana eek atte ie idle ela eects 172 6 Contacting WinDeveloper ssiueciicietni tide edi eee dn needs 174 Annex A Exchange 2003 Intelligent Message Filter ee eeeceeeseeeeeeeeeeeteeeennees 175 A L Tnstallme IME mann e Sut oe a eh eas E a E ERE 176 Pr DC Orin Sinn s
92. ls page where we can keep track of the creation and last modification times for the rule Here space is also available for Administrative notes ppa 15 37 45 Last modification 14 08 2008 11 39 15 Administrative note Page 137 User Manual WinDeveloper Software Ltd 4 13 2 External File Format The External SCL Rules source file must meet the following requirements 1 The file may be encoded in 7 bit ASCII UTF 8 or UTF 16 Although two UTF encoding formats are supported all characters are expected to be within the standard Windows 1252 character set 2 Multiple values must be separated by a carriage return line feed CRLF sequence For files generated on non Windows platforms the line feed only separator LF is also supported Of course depending on the type of rule being setup file entries will also have additional format requirements For example an IP rule will only accept entries in one of these formats XXX XXX XXX XXX single IPs XXX XXX XXX XXX yyy yyy yyy yyy IP range XXX XXX XXX XXX yyy yyy yyy yyy IP subnet pair A rule being applied against sender or recipient addresses will expect address in the format something something something or something Likewise a rule applied to an email header or body supports the expression syntax including the use of AND OR NOT operators and double quotes The type of values an external file is expected to contain depends on the Header SMTP
93. lt Organization gt Servers lt Exchange Server gt Protocols SMTP Intelligent Message Filtering Page 165 User Manual WinDeveloper Software Ltd Intelligent Message Filtering Properties E Default SMTP Virtual Server AI Unassigned O Second Virtual Server All Unassigned For more details on IMF configuration check Anex A Page 166 User Manual WinDeveloper Software Ltd 4 18 2 Exporting Exchange Anti Spam Settings The IMF Tune configuration also provides support for the various anti spam options provided by Exchange 2003 One of the most useful features of this interface is the ability to export Exchange settings Export is provided for the Allow IPs Deny IPs Deny Senders and Deny Recipients lists WinDeveloper IMF Tune Configuration IMF Tune Conligueation Eia Emal Handing Allow IPs y g Archiving Exchange IP Accept List cettings These are available here for quick reference To al Ghani change ary of these settings use the Exchange System Manager i Qa Auto Reply General Vitual Servers HQ Disk Maintenance EJ Whielsts s g Bleckliste Emails from these IPs wil be accepted 1 8 SCL Rules PA Simple SCL Rules PA Advanced SCL Rules 8 Estemal SCL Rules e Keyword Reporting fi Unprocessed Emails Details BAB Exchange System Manager IR IMF R Sender ID 6 RO IR Dery IPs iR RBL WD Dery Senders P Dery Recipients i IA Directoy Harvesting Lic
94. m tenet Explorer WinDeveloper IMF Tune Keyword Reporting From lt spam testing local gt Date Time 5 21 2010 14 12 08 To lt userl horizon local gt Subject Over 1 500 000 bottles sold Safe amp Effective PenisEnlargement Herbal Pills rpchk Initial SCL 8 Final SCL 9 Matches 1 Header Expression Source subject pills gement Herbal Pills rpchk Operation increment SCL by 1 From lt spam testing local gt Date Time 5 21 2010 14 12 11 lt userl horizon local gt Please complete your application Mon 19 Mar 2010 08 15 44 0800 InitialSCL 5 6 Source Body Subject mortgage OR home loan do Hancock Bay In any free Operation set SCL to 6 d Page 155 User Manual WinDeveloper Software Ltd 4 15 1 Understanding the Keyword Report The Keyword Report file contains all the necessary information for us to understand why and how an email triggered a match If an SCL Rule was composed of multiple conditions then the report will show how each of the individual conditions was matched Furthermore if an email matches more than one rule or matches a mix of rules and white black lists then again the report will highlight each individual match that was involved WinDeveloper IMF Tune Keyword Reporting From lt spam testing local gt Date Time 5 21 2010 14 12 08 To lt userl horizon local gt Subject Over 1 500 000 bottles sold Safe amp Effective PenisEnlargement Herbal Pills rpchk Initial SCL
95. mail headers and the bodies Configuring this blacklist is just a matter of setting the checkboxes of the Language categories to block Page 88 User Manual WinDeveloper Software Ltd 4 10 DNS List Filtering Exchange 2007 2010 2013 DNS List filtering is only supported in IMF Tune for Exchange 2007 2010 and 2013 For Exchange 2003 we recommend using the Exchange Connection Filter DNS Lists open another window of information helping us to better identify spam and legitimate emails List providers gather information using various listing criteria and publish their data for public consumption using the standard DNS infrastructure The most popular DNS List type is the one listing IPs of known spam sources Other list types also exist IMF Tune supports three of these e DNS IP Whitelists IPs of known legitimate senders Some of these may be engaged in opt in email marketing e DNS IP Blacklists IPs of hosts involved in the distribution of spam and other unsolicited emails e DNS URI Blacklists URIs found in the body of spam emails Typically these link back to spammers trying to sell a service or deliver other content over the internet Apart for listing different information DNS Lists also differ from each other in other ways Some of these differences include e Price Some are free but others are available against payment e Accuracy Their effectiveness in identifying spam legitimate emails varies false posit
96. mailboxes being accessed For a copy of the script and complete details check his article IMF and the Junk E mail folder in Outlook Exchangelnbox com also includes an article that discusses in great detail all the issues relevant to Junk E mail folder enablement Exchange 2003 2007 2010 2013 Junk Email Folder Page 183
97. mails and to apply white black lists and SCL Rules as usual Handling of unprocessed emails can be enabled for un authenticated anonymous and or authenticated connections through separate checkboxes ia WinDeveloper IMF Tune Configuration Beck ETE Categories Folder up ay Home J Aor Q wid Achives Quarartne Unprocessed Emails a Logs Reports i H A Vihtelists Define how to handle unprocessed emails a Blackiists Block IPs Any emails left unprocessed by the MS Exchange Intelligent Message Block Senders Filter by default will not be processed by IMF Tune either Override this by gi Block Recipients assigning unprocessed emails an initial SCL value of Zero and process Sl Block Subjects these as usual Sl Block Bodies x i e S audias J fons processing of unprocessed emails from Non authenticated il Block Attachments a m Force processing of unprocessed emails from Authenticated B amp SCL Rules connac ona S Simple SCL Rules DS Advanced SCL Rules DS Etemal SCL Rules J i Exchange System Manager iR IMF i Sender ID i Aow IPs ie Dary IPs iR RBLe i Dany Senders iR Deny Recipients iR Directory Harvesting FD lrengnn The MS IMF does not process emails larger than 3Mb Through this functionality IMF Tune could be forced to still process these emails In the same manner IMF Tune could even be employed when the MS IMF is disabled altogether This is sometimes useful when r
98. meaa 2 Simple SCL Rules fda Archiving Q i Specify conditions to match standard custom headers SMTP protocol data and uarantine IP Emails can be whitelisted blacklisted or have their SCL rating adjusted as re sA Logging Boron 6 Disk Maintenance Gi r E Auto Whitelist Senders 1 Add K Remove J Edit SS import LS Export H 8 Whiteists Bld Black Header Match Value Operation SCL SM Block IPs lt Body Subject gt contains male enhancement increment by 4 Block Senders lt Body Subjectt gt contains mortgage OR home loan set value to 6 amp Block Recipients Subject contains refinance incremert by 1 g Block Subjects Subject contains replica watch increment by 1 GM Block Bodies Subject contains pills increment by 1 amp Block Subjects Bodies Subject contains online dating increment by 1 amp Block Attachments Subject contains OEM software increment by 1 amp Block Foreign Spam Subject contains sex increment by 2 G e an veg Piki X SPAM contains spameyes set value to blackisted Ey low f DNS Block IP Lists X SPAM contains spam no set value to whitelisted E DNS Block URI Lists BA SCL Rules F Simple SCL Rules Ba Advanced SCL Rules amp Stemal SCL Rules i Keyword Reporting tm Exchange Forefront SCLs OO Detale 4 m r Next we can add remove and edit rules using the buttons at the top of the list Page 104 User Manual WinDeveloper Software Ltd 4 11 2 Adding Editing New SCL Mappi
99. mes In the Select User dialog that opens enter a user name and click on Check Names to resolve the email address Click OK to set this as the BCC email address Page 22 User Manual WinDeveloper Software Ltd 4 1 5 Rerouting Emails to a Central Mailbox The Reroute action diverts email delivery to a central mailbox Selecting Reroute will enable the Reroute email to edit box and the Users button Enter a valid SMTP address to which emails are to be rerouted Email Handling Action Edit sa SCL Level Range Action Reroute v Reroute email to s gt spambox windeveloper com Insert SCL Custom Tag in email subject Insert SCL in email headers Remove all email attachments Insert SMTP Sender Recipients IP and HELO in email headers OK Cancel Otherwise click on Users to lookup an address from Active Directory Select User Select this object type Use From this locatiorc Erie Desay L J Entes the object name to select examoles lex Check Names In the Select User dialog that opens enter a user name and click on Check Names to resolve the email address Click OK to set this as the reroute email address Page 23 User Manual WinDeveloper Software Ltd 4 1 6 Email Modifications The Email Handling Action dialog also enables the selection of additional email modifications These options are only available in case Accept or Reroute a
100. mpler alternative to remembering these details This is the Expression Builder an interface through which complex expressions may be constructed Expression Builder Match all keywords Expression parts Match the exact phrase WinDeveloper OR IME Tune Add phrases to build the search expression Enter the phrases below and click on Add to build the expression Match at least one keyword Do not match any keywords The dialog provides for entering four different types of keywords phrases as summarized below Match all keywords Enter a set of keywords separated by white space Each of these keywords must be found in order for the Expression to be matched Keywords may be matched in any order when compared against the email content Match the exact phrase Enter a phrase composed of any number of words to be matched literally and in the exact order specified Match at least one keyword Enter a set of keywords separated by white space At least one of these must be found in order for the Expression to be matched For example in a blacklist we could specify different ways for spelling pharmacy in order to match this category of spam Page 152 User Manual WinDeveloper Software Ltd Do not match any keywords Enter a set of keywords separated by white space The Expression will only be matched if none of these keywords are found In order to construct the express
101. n Ea General Details Header SMTP Command Match type X SPAM v contains x Operation SCL Change set value to 0 Expression to match Operations AND OR and NOT are 1 case sensitive Enclose phrases containing white space 2 spam no E l 6 g Q blacklisted Description F X SPAM contains spam no set value to whitelisted OK Cancel Applying SCL increments decrements enables us to directly influence the way emails are rated If we feel that some form of spam is not being rated high enough then we can identify keywords and allocate an SCL increment to it Using set value to we may white black list emails or choose to set the SCL to any other absolute value In this manner emails can be forced to go to the Junk Email folder for example Indeed based on how the SCL thresholds were configured under the Email Handling category the exact type of operation to be applied can be selected by forcing a specific SCL value Page 111 User Manual WinDeveloper Software Ltd 4 11 3 4 Specifying Expressions Data to Match Unless we are trying to map an empty missing header the SCL Mapping dialog will provide the necessary interface to enter the data to be matched This interface will change depending on the type of email information being mapped For example on mapping the sending host IP the interface provides for entering a single IP an IP range or an IP Mask pair Simpl
102. n choose e All network adapters IPv4 only IMF Tune will automatically discover all network adapters and read the DNS settings from them e Only this network adapter From the drop down list that follows select a network adapter from which IMF Tune is to read the DNS configuration When multiple network adapters are installed one might be pointing at the internal DNS whereas another might be pointing to the internet facing DNS Since IMF Tune has to connect to external DNS Lists we would select the internet facing network adapter e Custom DNS server list Specify one or more DNS server IPs at the list that follows Use the Add Remove and Edit buttons to update this list Only IPv4 is allowed Note If IMF Tune is configured to read network adapter settings changes at the network adapter DNS configuration require an IMF Tune Engine service restart Page 90 User Manual WinDeveloper Software Ltd 4 10 2 DNS IP Lists IMF Tune supports both DNS IP Allow lists and Block lists We discuss both of these here since the configuration elements are almost identical To begin go to the configuration nodes DNS Lists DNS Allow IP Lists DNS Lists DNS Block IP Lists At the DNS IP List configuration we configure the details of the DNS List providers we want to query i Ra WinDeveloper IMF rr sto Ome Dm TET TETT oe a DNS Allow IP Lists fa Archiving fae aes comune DNS IP List providers that identify known legi
103. n quotes Description E X SPAM contains spam yes set value to blacklisted Page 113 User Manual WinDeveloper Software Ltd The following table summarizes the type of information expected for various types of mappings lt Remote IP gt Choose between a single IP an IP range or an IP Mask pair lt SMTP Sender gt Enter an email address in the format something something We lt SMTP Recipient gt may also use wildcards to match addresses by domain domain domain lt Body gt Enter a keyword expression Operators AND OR NOT and lt Body Subject gt double quotes are supported Click on the Advanced button to use the Expression Builder Check the sections Constructing Search Expressions and Working with the Expression Builder for more details lt Attachment gt Enter the exact filename or use the wildcard as follows something Standard or When mapping against email headers the matching type adds Custom Headers some more options All possible combinations follow contains Enter a keyword expression Same as for lt body gt is empty missing No value is required is exactly starts with Enter the exact text to be matched All text will be matched literally and operators are not supported Page 114 User Manual WinDeveloper Software Ltd 4 11 3 5 Details For each of the configured SCL mappings IMF Tune will keep track of the creation and last modification dates F
104. n the format 4 2 4 OR ranges using the format 4 4 4 EEEE 127 0 0 2 127 0 1 0 127 0 1 255 Here we can add single status code values in the IPv4 format or status code ranges in the format xxx xxx xxx xxx yyy yyy yyy yyy lower value limit upper value limit Ranges are inclusive of the limit values We can mix single status code values and ranges as needed We just separate multiple entries with a carriage return Page 93 User Manual WinDeveloper Software Ltd 4 10 2 2 DNS IP List Provider Testing From the DNS List Provider configuration dialog we can also submit test queries At the DNS Block IP Lists or DNS Allow IP Lists category click Edit to open one of the configured List Providers or click Add and configure a new one Next click the Test button to open the DNS List Test dialog DNS List Test x Enter the IP to be looked up at the DNS List DNS IP Lists should always return Listed for 127 0 0 2 and return NOT Listed for 127 0 0 1 IP 127 0 0 2 Test Close Enter the IP to be looked up and click Test WinDeveloper IMF Tune Configuration DNS List Response Listed Status Codes 127 0 2 2 All DNS IP Lists support these standard test IPs 127 0 0 2 should always return Listed 127 0 0 1 should always return NOT Listed It is good practice to try these out whenever checking a DNS IP List If the expected response is not returned double check the setting un
105. nce ij Archives Quarartine Save file to the reporting maintenance directory o Logs Reports amp Auto Whitelist Senders C Program Files WinDeveloper IMF Tune logs imfnpt_ lt date Aime gt _Keywords htn amp J Whiteists Gl Blacktsts Override reporting path amp Block IPs L a amp i Block Senders 3 Warming Reporting maintenance won t be applied MJ Block Recipients GM Block Subjects a Block Bodies amp Block Subjects Bodies Gl Block Attachments amp Block Foreign Spam 4D ONS Lists H DNS Allow IP Lists a q DNS Block IP Lists DNS Block URI lists B8 SCL Rules fe Exchange Forefront SCLs Q Details Keyword Reporting Generate a detailed HTML report for matched whitelists blacklists and SCL Rules This allows you to see how IMF Tune is matching processed emails z e E lirensinn Just like for Email Logging selecting Save File to the Reporting Maintenance Directory will allow Disk Maintenance to automatically manage backup and purge these report files Otherwise we can go for any other local disk location by selecting Override Reporting Path However in this case we lose the Disk Maintenance functionality Once enabled IMF Tune will start reporting on each email matching some filtering rule Emails that don t trigger any filter won t show up in this report This is how the report looks like Page 154 User Manual WinDeveloper Software Ltd pveue Ceyword Re ng Wind ws Int er
106. ne to compute the path based on the Logs Reports Maintenance configuration The third option Override Reporting Path allows us to specifically set the path to any local disk location Similar to email archiving IMF Tune provides Disk Maintenance support facilitating the administration of log files For more details refer to the discussion under Choosing an Archive Directory Path Page 38 User Manual WinDeveloper Software Ltd 4 3 2 Log File Fields The following table lists the information logged by IMF Tune Field Name Description Date Date when the log entry was created Time Time when the log entry was created SCL The SCL rating assigned to the email Subject The original email subject Action The type of action performed by IMF Tune Archive If enabled the filename of the archived email Auto Reply If enabled the entry will confirm the successful submission of the auto reply email IP The email sender IP HELO The SMTP HELO EHLO host name Sender The SMTP FROM originator address Recipients A comma separated list of SMTP RCPT TO recipient addresses Page 39 User Manual 4 4 Auto Replies WinDeveloper Software Ltd Auto Replies provide the ability to setup an automated response to be sent whenever an email within the configured SCL range is received WinDeveloper IMF Tune Oma Q oms camme raw htm Eon Sr ee 2 m
107. ngs To add new SCL Mappings click on the Add button This will open the Simple SCL Mapping Configuration interface Simple SCL Mapping Configuration ox General Details Header SMTP Command Match type X SPAM v contains x Operation SCL Change set value to v blacklisted X Expression to match Operations AND OR and NOT are supported Matching is not case sensitive Enclose phrases containing white space in double quotes spams yes Advanced Description E X SPAM contains spam yes set value to blacklisted From here we can choose the email information to be analyzed specify a condition to be matched and select the operation to perform on matched emails For a detailed discussion on using this interface check the SCL Mapping Configuration section Page 105 User Manual WinDeveloper Software Ltd 4 11 3 SCL Mapping Configuration The SCL Mapping interface provides two property pages At the General page the various mapping options are available At the Details page the configuration keeps track of the creation and last modification date for the mapping It also provides space for an administrative note A mapping is composed of three pieces of information e the type of email information to analyze e keywords data to be matched against processed emails e the operation to perform on finding a match We discuss how to configure these three components in the sections that follow
108. ning Forefront we may want to change this setting to Change SCL to 0 and process normally Page 160 User Manual WinDeveloper Software Ltd With this setting IMF Tune is allowed to change the initial rating from 1 to 0 IMF Tune is then able to process the email normally applying whitelists blacklists and rules to reach the final SCL rating This change in SCL is not done blindly The process is controlled through a set of configurable exceptions that are enabled through the checkboxes Except if connection is authenticated Except if the anti spam report contains any of these keywords Following these checkboxes we have the keyword list to be tested against the anti spam report header This is initialized with a set of standard keywords obtained from official documentation and through testing Thus WinDeveloper recommends caution when modifying this list Page 161 User Manual WinDeveloper Software Ltd 4 17 Unprocessed Emails Exchange 2003 Only IMF Tune is tightly integrated with the MS Intelligent Message Filter Amongst other things this means that IMF Tune only processes emails that the MS IMF itself processes If for whatever reason IMF skips email processing IMF Tune classifies this as unprocessed In that case white black lists and SCL Rules are not applied This behavior can be overridden from the configuration Unprocessed Emails category IMF Tune can be instructed to assign an initial SCL value of zero to unprocessed e
109. ns these have to be assigned to the Exchange Server Active Directory machine object The following steps show how to configure the necessary permissions on a network share However the important point to appreciate is the fact that permissions are being assigned to the Exchange server machine object Similar steps would be followed when assigning NTFS permissions on local drives 1 In Windows Explorer locate the directory to be shared 2 Open the directory properties Right Click Properties 3 Select the Sharing Property Page 4 Select Share this folder and set the share name IMFTune_Lists Properties 2h xi General Sharing Securty Web Sharing Customize You can share this folder with other users on your network To enable sharing for this folder chek S Share this folder C Do not share this folder Shere this folder Share name fimitune Comment User limit C Marinum allowed C Allow this number of users a To set permissions for users who access this folder over the network chek Permissions To configure settings for offline access click Cac Caching 5 Click on the Permissions button Page 140 User Manual WinDeveloper Software Ltd Permissions for imtune 2x Share Permissions Group user names fr Everyone Permissions for Everyone Full Coritral o o Change Oo o Read zl m By default Everyone is given the Read permission This should be enough for IMF Tun
110. nt whitelisting 4 8 1 Accept Senders and Accept Recipients Lists The Accept Senders and Accept Recipients categories enable the whitelisting of email addresses and domains IMF Tune attempts to match SMTP addresses against these lists If a match is found the email is whitelisted Ea WinDeveloper IMF Tune Configuration E faa Back G Forwa Folder Up fg Home EY Apply I Retres marmo oem a Accept Senders ae Specify the addresses for senders whose emails are to be white listed Enter e addresses in the format something something You may also use wildcards as Qa Auto Reply J Emails from these senders will be accepted fil Quarantine 6 H Disk Maintenance 0 4 Auto Whitelist Senders iva al XxX Remove a ae cS Eyni 6 8 Whiteists amp Accept IPs Email address amp Accept Senders domain com amp Accept Recipients E imftune com amp Accept Subjects feedback windeveloper com amp J Accept Bodies sales windeveloper com amp Accept Subjects Bodies support windeveloper com amp Accept Attachments 4 Blackists amp Block IPs GM Block Senders GM Block Recipients Gl Block Subjects a Block Bodies e amp Block Subjects Bodies a Block Attachments a Block Foreign Spam G 3 DNS lists Match all addresses from this domain and any of its sub domains domain com H A DNS Allow IP Lists o DNS Block IP lists s NNS Alark LRI lice Z Note that for a single email the sender address may b
111. o Whitelist Senders 6 Add x Remove 0 Edit Import B Export E a ee Header Match File Operation SCL Gl Block IPs lt Body Subject gt contains BodySubjectb set value to blacklisted GH Block Senders lt Remote IP gt contains IPs bt set value to blacklisted GM Block Recipients E lt Sender gt contains Sender txt set value to blacklisted amp Block Subjects Subject contains Subject bt set value to whitelisted amp Block Bodies g Block Subjects Bodies amp Block Attachments amp Block Foreign Spam ONS Lists t DNS Allow IP Lists a 4 DNS Block IP lists DNS Block URI Lists BA SCL Rules HA Simple SCL Rules BA Advanced SCL Rules 3 Beet a Keyword Reporting tm Exchange Forefront SCLs O _Metaile D External rules mimic closely the functionality of Simple SCL Rules and have nearly identical interfaces However these rules will pull the list of keywords addresses or IPs to be tested against incoming emails from external files Because of the similarities between External and Simple Rules it is recommended to first review the documentation for Simple SCL Rules before reading through this section Here we go through the unique characteristics of External SCL Rules Page 132 User Manual WinDeveloper Software Ltd 4 13 1 Working with External SCL Rules The configuration provides a list interface through which External Rules can be managed The list interface is identical to the Simple SCL Rules l
112. o be an IP SMTP Protocol Data or other computed email information Expression The white black list entry Rule condition value or DNS list that was matched This may be a keyword expression an email address or domain an IP an email size or any type of configuration element that IMF Tune allows for identifying the information to be matched Source The source email data that was actually matched If for example a subject blacklist is matched here we see part of the email subject highlighting the exact text sequence that triggered the match Page 158 User Manual WinDeveloper Software Ltd 4 16 Exchange Forefront SCLs Exchange 2007 2010 2013 The Exchange Forefront SCLs category is especially useful when running IMF Tune with Forefront Protection 2010 for Exchange From here you configure how IMF Tune is to deal with emails having an initial SCL 1 rating IMF Tune processes emails after that the Exchange IMF Content Filter Forefront completes its own processing So IMF Tune starts from an initial SCL that can be anything from 1 to 9 Exchange 2003 IMF and Exchange 2007 2010 2013 Content Filter assign SCL 1 only when an email matches a whitelist or in case of internal emails Note that here we are referring to Exchange whitelists not IMF Tune whitelists For example Exchange provides the IP Accept List If an email is received from a host whose IP matches this Accept List an SCL 1 rating is assigned For
113. of email properties including headers bodies addresses IPs etc Once a match is found the current SCL value may be incremented decremented or replaced by a new value The Keyword Reporting category provides the necessary functionality to generate a detailed HTML report on all emails matching any of the whitelists blacklists and SCL Rules In this manner one can see exactly how the configuration at IMF Tune is influencing the final SCL ratings assigned to each email The Exchange Forefront SCLs category only available in Exchange 2007 2010 2013 determines how IMF Tune is to handle emails having an initial SCL 1 rating This is especially useful when running Forefront Protection 2010 for Exchange The Unprocessed Emails category only available in Exchange 2003 caters for any emails the MS Exchange IMF leaves unhandled From here IMF Tune may be instructed to scan emails that would otherwise go through unprocessed Page 14 User Manual WinDeveloper Software Ltd The Exchange System Manager category only available in Exchange 2003 exposes various other anti spam settings This is a read only view of the options available from the Exchange 2003 System Manger console It includes the Intelligent Message Filter settings Sender ID settings and the various Exchange 2003 out of the box options for Connection Sender and Recipient filtering The Details category provides the necessary space for administrative notes In this manner an
114. old Configuration Configure individual SCL ratings or ranges with a unique set of options including archiving logging attachment stripping subject tagging auto replies rerouting rejection deletion and more Sender Auto Whitelisting Let IMF Tune automatically discover the foreign contacts your users are exchanging emails with Subsequent emails are automatically whitelisted relieving you from manual configuration DNS White Block List Filters Subscribe to DNS List providers to block allow emails or just raise lower the current spam rating only for Exchange 2007 2010 2013 Whitelisting Blacklisting At the server maintain global and per user white black lists Identify legitimate emails and spam by IP sender recipient subject any email header body keywords attachment names and more Central Email Quarantine Retain copies of blocked emails on disk Optionally publish Quarantines to an SQL Database Let IMF Tune automatically manage the email archive compressing backing up and deleting old emails Resubmit Blocked Emails from Browser Install the included IIS Web Moderator Reporting interface for the Quarantine system to be accessible from anywhere The moderator supports the latest version of all major browsers Filter Performance Graph Chart Reports From the browser access real time reports to monitor the filtering effectiveness See how emails are being rated the rejection rate the list of top spam sources and m
115. on usage exclusively Evaluation will expire on 14 4 Ei DNS Lists October 201 B8 SCL Rules e Keyword Reporting fe Exchange Forefront SCLs Q Details 2 Local Domains fig Miscellaneous On ordering an IMF Tune license a key will be supplied together with step by step instructions on how to license the product The exact licensing procedure will depend on the type of license key ordered thus it is important to follow the instructions accompanying the key Page 171 User Manual WinDeveloper Software Ltd 5 1 Licensed Email Domains Depending on the type of license IMF Tune may require the list of local email domains Typically this is necessary for licenses servicing a limited number of mailboxes Ca WinDeveloper IMF Tune Configuration Lojto Beck G i Folderup af Home EY ay lt 2 ne aera ag Local Domains Archi Identify the set of email domains for which your mail server is either hosting cae tine mailboxes or acting as a relay Required in case of User Limited License Keys a ng Qa Auto Reply 2 fff Quarantine 3 Disk Maintenance Process emails addressed to specific domains j Si Auto Whitelist Senders 3 8 Whitelsts i Blackists EA Add a ONS Lists BA SCL Rules Domain name s Keyword Reporting windeveloper com fm Exchange Forefront SCLs Q Details 2 Licensing fig Miscellaneous Process emails addressed to all domains Handling of emails addressed to multiple recipients
116. ployed This simplifies troubleshooting in case of problems For further details on the Exchange Intelligent Message Filter please refer to Annex A Page 9 User Manual WinDeveloper Software Ltd 3 3 Setup Exchange 2007 2010 2013 Content Filter Agent The Content Filter Agent forms part of a set of anti spam transport agents that ship with Exchange 2007 2010 2013 These must be run on a server having the Edge or Hub transport server role The Edge server installation automatically installs the anti spam agents However in case of Hub Transport servers the agents must be installed manually from the command shell In Exchange 2013 unlike earlier versions there is no distinct Hub Transport Server role Instead the Hub Transport is included within the Mailbox Server role Thus in Exchange 2013 IMF Tune is installed on servers running the Mailbox Server role The installation script is located under lt Exchange Server dir gt Scripts install AntispamAgents ps1 1 On the Hub transport server machine from the Exchange program group open the Exchange Management Shell Note If User Access Control is enabled make sure to run the Shell with Run as Administrator 2 Change the directory to lt Exchange Server dir gt Scripts 3 Run gt install AntisoamAgents ps1 Note When running the installation script include the leading to the command Otherwise the installation may fail 4 Restart the Microsoft Exchange Tran
117. pport should be addressed to support windeveloper com Disable IMF Tune Always check with the WinDeveloper website at http www windeveloper com imftune for the latest product builds and updates At the bottom the Disable IMF Tune checkbox allows you to stop IMF Tune processing completely If the checkbox is set IMF Tune will let all emails through as if it were not installed Page 170 User Manual WinDeveloper Software Ltd 5 Licensing WinDeveloper IMF Tune WinDeveloper IMF Tune on installing for the first time runs in free evaluation mode Once evaluation is over IMF Tune stops processing emails At this point a license key must be supplied in order to restore full product functionality The currently active licensing mode can be verified at the configuration Licensing category On installing IMF Tune check out the information at this page It will show until when the product is licensed for evaluation In case an extended evaluation period is required email WinDeveloper sales at sales windeveloper com x WinDeveloper IMF Tune Configuration fn foe Ome tom Drawn Ghee wy Kha IMF Tune Cordiguratio Licensing 184 Email Handling IMF Tune li S our B k Ge Archiving Quarantine Manage une licensing by entering your license key A Logging Qa Auto Reply E Quarantine i cade Mibienanca License Evaluation License o oe Senders Details 3 Blackists The product is licensed for evaluati
118. procedure that could reject some of the entries being imported For example if an expression contains illegal use of the AND OR NOT operators that entry would not be imported When importing a large number of expressions it may be difficult to determine which expressions failed to be imported For this reason whenever importing the ImportReport log file will be generated This file is located in the main IMF Tune program directory and is overwritten on each import The log file will show how each of the imported entries was handled and whether or not the entry was rejected due to validation reasons Page 75 User Manual WinDeveloper Software Ltd 4 8 2 6 Exporting Keyword Expressions IMF Tune also supports exporting expression lists to an external text file The export is correctly formatted to the IMF Tune import specifications Thus we may use the export and import functionality in order to quickly replicate configurations on multiple IMF Tune installs Exports are always encoded in UTF 8 For details on the format of the exported file refer to Importing Keyword Expressions Page 76 User Manual WinDeveloper Software Ltd 4 8 3 Accept IPs The Accept IPs category enables the whitelisting of emails based on the originating host IP Back S Forward EE categories Folder Up faf Home EY Apoy KY Relves fq IMF Tune Configuration a Accept IPs SiS Gi Hteniing Specify the IP addresses from which emails are to be white l
119. properties for lt Organization gt Servers lt Exchange Server gt Protocols SMTP Intelligent Message Filtering Note that lt Exchange Server gt is the name of the Exchange Server where IMF v1 is installed 1 Global Settings fj Recipients gt Servers 4 SERY BOx1 413 Queues SF Lf First Storage Group Protocols jy HTTP 6 09 IMAP4 9 NNTP H POPS 5 0 sP B Default SMTP Virtual Server Inteligent Message Filtering g x 400 New Window from Here G Connectors ia Tools Refresh ae hae Help 3 The property sheet will show the list of virtual servers for the local Exchange Server on which IMF may be enabled Tick the checkbox next to the virtual servers Intelligent Message Filtering Properties 2px General F Inteligent Message Fitering Apply inteligent message fitering to the Following virtual servers IP addresses Virtual Server IP Address E default SMTP virtual Server AI Unassigned O Second Virtual Server All Unassigned 4 Click OK to save changes Page 182 User Manual WinDeveloper Software Ltd A 5 Enabling the Junk Email Folder Activation of the junk email folder requires a setting at the recipient mailbox As explained in Configuring IMF the Store SCL identifies the threshold at which emails are classified as soam However unless the junk email folder is enabled SPAM would still end up in the Inbox together with legitimate emails Enablin
120. r 4 R IMF Tune E mails General Spam Detection Report Header Expression Email Character Set iso 2022 jp subject VIAGRA FREE subject OFF PFIZER Email Character Set shift_jis subject 70 off Sender windeveloper com IP 192 168 0 5 Has HTML Body true Has NO Body Text true Email Size Value is between 51200 and 66560 Body Content Media Type image jpeg Body Subject imftune OR imf tune Sender AWL winfo windeveloper com subject pills S Which are the recpients getting most e mails N m fe f e o o Page 61 User Manual WinDeveloper Software Ltd 4 7 4 Extracting the List of Auto Whitelisted Addresses Email addresses gathered at the auto whitelist AWL are not visible from the configuration interface ManageAWL is a little command line tool for extracting the Sender AWL This tool is available at the IMF Tune application directory To learn more follow these steps 1 Open the command prompt Important On platforms supporting User Access Control make sure to open the command prompt using Administrative rights Run as Administrator 2 Change the directory to the IMF Tune application directory 3 Run ManageAWL exe without any parameters to see the usage options ox Administrator Command Prompt a 2 WinDeveloper IMF Tune Sender futo Whitelist Management WARNING Potentially an address may take up to 24 hours until it is visible fron here ANL is a real time feature t
121. re processed periodically based on the settings configured at the Schedule property page IMF Tune supports two types of schedule configuration interfaces Fixed and Custom General Sched Fixed Custom Interval between reading files in minutes 15 Only on these days 7 Sunday V Monday V Tuesday 7 Wednesday V Friday X Saturday G 00 02 04 06 08 10 12 14 16 18 20 22 00 EAN Once per hour Choose the schedule type from the radio buttons at the top Switching the schedule type also changes the interface as shown in the above screenshots Page 134 User Manual WinDeveloper Software Ltd In Fixed Schedule mode the edit box Interval between reading files specifies the time between successive file reads On each time interval IMF Tune fetches the file and refreshes the rule values The interval is expressed in minutes and cannot be less than 15 Apart for the interval time the Fixed Schedule provides seven checkboxes one for each day of the week IMF Tune only fetches the external file on the days whose checkbox is set In Custom Schedule mode the configuration provides a 24 x 7 matrix interface The 24 columns represent the hours of the day whereas the 7 rows represent the days of the week Click the matrix boxes to set clear individual hours within the schedule IMF Tune will only read the external file on the selected hours Clicking the boxes in the first
122. ress Reroute x smtp receiver A comma separated list of SMTP RCPT TO Reroute recipient addresses Page 27 User Manual WinDeveloper Software Ltd 4 1 9 Overriding the Default SMTP Rejection Text IMF Tune also provides the ability to immediately reject emails at SMTP protocol level By default the following SMTP rejection response is issued 550 5 7 1 Requested action not taken message refused The default rejection reason is very generic It is sometimes useful to change this text so as to supply a more informative response When doing so typically we would consider the case where some legitimate email is being rejected In such a case we might want to supply information enabling the sender to report the problem in some other way for example by phone To customize the rejection response select the Custom Reject Message Text checkbox and fill in the new message text Email Handling Action Edit x SCL Level Range ig 7 gt 9 Action Reject J Custom Reject message text Requested action not taken message refused kD Geet Page 28 User Manual WinDeveloper Software Ltd 4 2 Archiving Quarantine IMF Tune disk archiving saves a copy of processed emails to disk In addition it also gives the option to publish a copy of the email to a central database for Moderation and Reporting purposes m WinDeveloper IMF Tune Configuration tolaj Back G Forws EE ca
123. rogram Files WinDeveloper IMF Tune gt ManageAWL simple bob adminstop com joe somedomain mt supportP windeve loper com bill adminstop com mart in testing windey com We can choose to dump the list to the command prompt using ManageAWL exe simple or else we can redirect the output to a file using ManageAWL exe simple gt c temp address list txt 4 7 4 2 ManageA WL exe Detail In this mode ManageAWL gives us a better insight of how AWL is working Addresses Added on 26 64 2611 62 66 08 Addresses Last Changed on 27 64 2611 14 56 49 Address block size 3 joe somedomain mt support windeve loper com Addresses Added on 27 64 2611 62 66 06 Addresses Last Changed on 28 64 2611 16 61 47 Address block size 2 bill adminstop com mart in testing windey com Again we can choose between dumping the information to the prompt or to a file ManageAWL exe detail ManageAWL exe detail gt c temp address list txt Each address batch starts with the header area including Addresses Added on Addresses Last Changed on Page 63 User Manual WinDeveloper Software Ltd The date shown by Addresses Added on is used to implement the purging of old addresses The relevant setting for this is available at the configuration under Auto Whitelist Senders Remove addresses from the whitelist after Addresses Last Changed on is also interesting IMF Tune moves around addresses
124. rs This condition supports keyword expressions Content media type matches words Matches against the media types identified at the MIME headers In MIME encoded emails attachments and bodies are contained within different parts for which a media type is used to specify the nature of the data held within it This condition supports keyword expressions Sending host matches IPs Matches against the IP of the host connecting to Exchange for submitting emails Single IPs IP ranges and IP Mask pairs may be configured for this purpose Page 124 User Manual WinDeveloper Software Ltd Email size is within range Matches against the total raw email size Type supports defining a size range to be matched Received time is within range Matches against the time when the email reaches Exchange Type supports defining a time range to be matched Spam Confidence Level SCL is within range Matches against the SCL value as assigned by the MS Exchange Content Filter before IMF Tune starts its processing Type supports defining an SCL range to be matched SMTP protocol HELO EHLO command contains words Matches against the parameters the sending host supplied on issuing the HELO EHLO command as part of the SMTP protocol session Legitimate email senders will typically identify a host name that could be used for whitelisting purposes This condition supports keyword expressions SMTP protocol
125. rt SCL Custom Tag in email subject Insert SCL in email headers Remove all email attachments teed This dialog presents a set of operations that can be applied to an Email with matching SCL rating Refer to SCL Handling Action Configuration for more details on each of these options To edit email handling options for an already defined SCL range select the entry from the list and click on Edit Note that we may only edit one entry ata time To remove email handling options select the SCL ranges and click on the Remove button Note that entries for unprocessed whitelisted blacklisted and SCL 0 cannot be removed Page 17 User Manual WinDeveloper Software Ltd a J Forward a E cames EIE Categories Folder up ah Home Ey ay O Bas IMF Tuno Cordiguration BE Email Handling SCL rating Add x Remove E Edit Action Accept Accept Accept Accept Reject Reject ag ONS Lists DNS Allow IP Lists a DNS Block IP Lists DNS Block URI Lists Refresh a ene iheir Spam Cee 1 eval On removing an SCL range the range that immediately precedes it is extended to cover the gap generated by the deletion re Email Handling SCL rating T Add YK Remove qf Edit scL B unprocessed paa B 1 5 DNS Allow IP Lists DNS Block IP Lists DNS Block URI Lists eae handled based on fhair Spam Confidence Lavel Page 18 User Manual W
126. rt SCL in email headers e Remove all email attachments e Insert SMTP Sender Recipients IP and EHLO in email headers The applicability scenarios of these options are very similar to those described for Email Handling Please refer to the Email Modifications section under Email Handling for more details Page 33 User Manual WinDeveloper Software Ltd 4 2 4 Headers Inserted in Archived Emails The set of headers that may be inserted into archived emails is very similar to those configurable at the Email Handling category Nevertheless there is an important difference Email archiving inserts x sender and x receiver headers instead of x smtp sender and x smtp receiver The x sender and x smtp sender end up with the same value i e the SMTP FROM originator address So the change here is purely in the header name The difference between x receiver and x smtp receiver is more substantial Whereas x smtp receiver is assigned a comma delimited list of recipients x receiver holds a single recipient per header This means that multiple SMTP recipients RCPT commands will cause the insertion of multiple x receiver headers The change in the headers makes the IMF Tune archiving 100 compatible with the Exchange pickup replay email submission mechanism and with the Exchange 2003 IMF archiving functionality Hence third party applications typically used to manage IMF disk archives may also be used with IMF Tune The following table lists the hea
127. rts gives the same benefits already discussed for email archiving in Archive Maintenance Root The logs reports maintenance root path works in combination with 1 Email Logging 2 Keyword Reporting Configuring email logging involves creating a profile under the Logging configuration category Logging Profile Exes General sci Profile name erouted Save to Common Maintenance Log File Save to Specific Maintenance Log File E _IMFTUNE_Nogs wenfrt_ lt dateAime gt _Common log 5 Override Reporting Path 2 Warning Reporting Maintenance won t be applied The options leveraging disk maintenance here are Save to Common Maintenance Log File Used when logging is to be centralized to a single file The log file name is automatically generated with the format imfrpt_ lt date time gt _Common log Save to Specific Maintenance Log File Used when logs are to be broken by SCL range Here the filename is always kept in sync with the SCL range and is named using the following format imfrpt_ lt date time gt _a_b_c n log where a b c and n are SCL levels configured for this profile Page 51 User Manual WinDeveloper Software Ltd Apart for email logging maintenance is also applied to the Keyword Reporting HTML file fig WinDeveloper IMF Tune Configuratio S57 Back GZ Forward ewe Ors ah Home Ey Aly Reres ia m Keyword Reporting i Generate a detailed HTML report for matched whit
128. s es 4 DNS Allow IP Lists docx invoice p pid Match this specific filename invoice pdf a DNS Block IP Lists D NNS Alark LIRI I icta Next we can add remove and edit attachment names using the buttons at the top of the list Page 83 User Manual WinDeveloper Software Ltd 4 8 4 2 Adding New Attachments To add new attachment names click on the Add button A dialog opens where multiple names may be entered k Add new attachment filenames Separate multiple entries with carriage returns Enter the exact filenames to be matched or you may also use the wildcard as follows something doc docx invoice pdf Enter each name in a separate line by hitting the carriage return key The list can handle up to 64Kb of data at a time To enter more names click OK to save and close the dialog Next click Add again to re open the dialog and enter more filenames Otherwise we may use the import functionality to quickly add large lists of filenames We may include all filenames with a specific extension using the wildcard The wildcard is only supported at the very beginning of the filename something Page 84 User Manual WinDeveloper Software Ltd 4 8 4 3 Importing Filenames IMF Tune enables the insertion of filenames into white black lists through the import functionality For the import to work the source file must meet the following requirements 1 Importing only supports pla
129. s 104 4 11 2 Adding Editing New SCL Mappings cceesccecsseceeeseeeeseeeeenteeeenaeeees 105 4 11 3 SCL Mapping Configuration y c seco hi hein hice ne ai el aveeeees 106 4 12 Adyanced SCE RULES esisin ots Lone deeded eiaa a a aided aS Seve hdeat aca 116 4 12 1 Working with Advanced SCL Rules seseseeeeeseseeeeeseresisreesersrrseresresseee 117 4 12 2 Adding Advanced SCL Rules ssonsseesseesssseessesseesseessssesseeesseessersseeeseee 118 4 13 External SO E RUES ean a A E aA ea RERS 132 4 13 1 Working with External SCL Rules sssessesseseseeseseerresersresreesersresrrssressese 133 4 13 2 External File Format kesscsisecnnsssinsininiia tsia 138 4 13 3 Extetnal File UNG Path oasis cts en e an 139 4 13 4 External File Access Permissions cssccccssceeoesecetscecesseeseneeecertenee 140 4 14 Constructing Search EXpressions ssssesesssesesresseseresressessrerreesersresreeseesee 143 4 14 1 Basic Expression Syntax sseseseseseesessessresressessrerressereresreeseeseseresreseeee 144 4 14 2 Exact Mate line sssncncsrsenie pnn e in aca sdsecn suangeacea cutter tose 145 4 14 3 Whole Word Word Start End Matching cceeseceesseceeeseeeenteeeenaeeees 146 414 4 Punctuation Handling osion a a a aS 147 4 14 5 Minimum Keyword Length 0000 eee eeeccecesececesececseeeecneeeeseeeenaeeesnaeeees 148 4 14 6 AND OR NOT Operators cccceecceeesececssececseeeecseeeeseeeeseeeeneeeenaeeess 149 4 14 7 Invalid and Il
130. s really showing settings for the Maintenance of two distinct repositories e HDD directories where emails are archived to disk e Database server where emails are published for moderation reporting purposes We have Maintenance for both of these repositories grouped together because of the tight coupling between the two storages This was highlighted in Publishing Emails to Quarantine Page 44 User Manual WinDeveloper Software Ltd 4 5 1 1 Archive Maintenance Root Defining a root archive directory is very beneficial when it comes to managing archiving for different SCL ranges This point was introduced in the section discussing Email Archiving under Choosing an Archive Directory Path Configuring archiving involves creating a profile under the Archiving configuration category s General sct Profile name Save Emails to Archive Maintenance Directory Root Save Emails to Archive Maintenance Sub Directory C Program Files VWin Developer IMF Tune aechive Nenfeml_ lt SCL Levels gt Override Archive Directory Path Q Warning Archive Maintenance won t be applied F Also add archived email to quarantine database 7 Insert SCL in archived email subject V Insert SCL in archived email header Remove all attachments from archived emails 7 Insert SMTP Sender Recipients IP and HELO in archived email headers Archiving provides three options for specifying the destination directory The firs
131. setting is supplied by the List Provider Operation SCL Change The change in SCL to be applied when the email source IP is found to be listed In DNS Block Lists choose an Operation from set value to or increment by The former replaces the current SCL with the one configured under SCL Change The latter applies an increment raising the current SCL In DNS Accept Lists choose an Operation from set value to or decrement by So we can either replace or lower the current SCL Return status codes Identifies the possible response status codes the DNS List returns when a match is found This information is supplied by the List Provider By default any answer response code is interpreted as a match However it is possible to configure a list that only matches specific response codes Page 92 User Manual WinDeveloper Software Ltd The Status Codes list is enabled whenever Return Status codes is set to Only these status codes It is normal for DNS Lists to return status codes where the first octet has the decimal value of 127 For this reason in the above screenshot we configured IMF Tune to register a match whenever the status code starts with 127 i e range 127 0 0 0 127 255 255 255 To add new status codes click the Add button to open the DNS Status Codes dialog DNS Status Codes Ex Add new DNS status codes Separate multiple entries with carriage returns Enter single status codes i
132. sport service Page 10 User Manual WinDeveloper Software Ltd 3 4 Installing Removing Forefront Protection 2010 for Exchange In Exchange 2007 2010 we can run IMF Tune together with Forefront Protection 2010 for Exchange anti spam Both the built in and the Forefront Content Filters are supported so we can employ any of the two For details on how to install Forefront refer to the product documentation Here we highlight some important points By default the Forefront 2010 installation does not enable the anti spam component Enablement can be done from the Forefront installation wizard or from the Forefront Management console It is simpler to install and enable Forefront anti spam before IMF Tune is installed The IMF Tune installation automatically detects Forefront anti spam and initializes itself with the correct transport agent priority If Forefront anti spam is enabled after that IMF Tune is installed we may need to refresh the transport agent priority When such a system change is done re open the IMF Tune configuration On startup the configuration performs automatic problem detection If the agent priority needs refreshing a warning will be raised together with instructions on how to fix the problem Uninstalling Forefront or disabling Forefront anti spam leaves Exchange without any active Content Filter In this case we need to enable the built in Content Filter manually Details on how to do this is available from
133. ssigned to the email To customize this click on the Tag Format button Page 25 User Manual WinDeveloper Software Ltd Subject Tag Format Ea Subject Tag insertion type Prefix Append Text to be inserted Include SCL SCL lt SCL gt Fixed text Sample SCL 7 Original Replica Watches From here we can choose between prefixing and appending the inserted text to the subject We may also choose to insert a fixed text phrase rather than a tag containing the SCL rating This type of customization can be very useful in case Outlook client rules are in place at the recipient mailboxes Very often these rules are configured to match the initial part of the email subject Thus prefixing the subject with the SCL rating could break such rules Customizing the insertion so as to append rather than prefix the subject resolves this type of issue At the bottom of the dialog we can immediately see an example of the tagging as applied to a sample email subject Page 26 User Manual WinDeveloper Software Ltd 4 1 8 Headers Inserted in Accepted Rerouted Emails The following table lists the headers that can be inserted into emails when the action specified is Accept or Reroute Header Description Action x scl The email SCL rating Accept Reroute x smtp ip The email sender IP Reroute x smtp helo The SMTP HELO EHLO host name Reroute x smtp sender The SMTP FROM originator add
134. st like any other blocked email emails blocked by DNS Block Lists can be resubmitted for delivery from the Moderator interface Page 102 User Manual WinDeveloper Software Ltd 4 11 Simple SCL Rules Simple SCL Rules allow the setup of keyword to SCL mappings Conditions are tested against the sending host IP addresses attachment names headers bodies and the combined subject body data n Da WinDeveloper IMF Tune Configuration Back G Forwe D Folder Up at Home EY Apply RO Retre ne amare aig l Simple SCL Rules n Specify conditions to match standardicustom headers SMTP protocol data and tifa Archiving Quarantine IP Emails can be whitelisted blacklisted or have their SCL rating adjusted as re A Logging Qa Auto Reply 7 Apply simple SCL Rules ff Quarantine 5 Disk Maintenance n 8 Auto Whitelist Senders val Add eh HE Import B Export l eee Header Match Value Operation SCL amp Block IPs lt Body Subject gt contains male enhancement increment by 4 a Block Senders lt Body Subject gt contains mortgage OR home loan set value to 6 amp Block Recipients Subject contains refinance incremert by 1 a Block Subjects Subject contains replica watch increment by 1 GM Block Bodies Subject contains pills incrementby 1 Gl Block Subjects Bodies Subject contains online dating increment by 1 g Block Attachments Subject contains OEM software increment by 1 a Block Foreign Spam Subject contains sex incrementby
135. t com windeveloper com imftune com Here enter the root URI such as windeveloper com This will also match any URI with the same root such as www windeveloper com or some other windeveloper com Page 101 User Manual WinDeveloper Software Ltd 4 10 4 DNS List Reporting Keyword Reporting and the Moderator Reporting Web Interface will also report on DNS List matches This is how a DNS Block IP List match looks like at the Moderator WinDeveloper y 2 IMF Tune WinDevelope E mails General Spam Detection Report Detailed Spam Detection Report My Account Sign Se amp P T Delete Resubmit Summary All Headers SMTP Protocol Keywords Report IMF Tune Processing Keyword Reporting From Levitra Online lt canadian_drugs8 kysorpanel co Date Time 9 14 2014 11 25AM To lt support windevelopercom gt Subject AUTUMN SALE SEASON STARTED GRAB EXTRA 23 OFF Support SCS Initiaisc 9 Finalsch 9 Matches J Header Expression DNS IP Block List SpamHaus Operation increment SCL by 9 Header Expression Source subject Off GRAB EXTRA 23 OFF Support Operation increment SCL by 9 At the report we can see Header shows the type of DNS List involved in this case a DNS IP Block List Expression shows the Provider Name set at the DNS List Provider configuration Source shows the actual email information that was matched In this case we have the email originating IP Ju
136. t two are based on Archive Maintenance Here the destination directory is computed relative to the root configured under Disk Maintenance Archives Quarantine In this manner we can have all archive directories relative to one single root Thus in case archiving needs to be relocated we just edit a single path Archiving Profiles provides the following two options when it comes to disk maintenance based archiving Save Emails to Archive Maintenance Directory Root Emails are simply archived to the maintenance root Save Emails to Archive Maintenance Sub Directory Emails are archived in a sub directory to the maintenance root The sub directory name is generated based on the SCL range and uses the format imfeml_a_b_c_ n where a b c and n are SCL levels configured for this profile Page 45 User Manual WinDeveloper Software Ltd Using this option the sub directory is always kept in sync with the SCL range If the SCL range changes IMF Tune generates a new sub directory to which subsequent emails are archived Page 46 User Manual WinDeveloper Software Ltd 4 5 1 2 Disk Archive Backup and Purging Selecting the Compress amp backup files after days under Archive Maintenance enables the backup functionality Here we can define the number of days files must age before being backed up On running for the first time a sub directory named backup is created under the maintenance root Here batches of emails
137. tachments _ Attachment name contains words C Attachment name is exacily matches filename C Email character set matches words Content media type matches words C Sending host matches Ps or subnets _ Email size is within range Received time is within range _ Spam Confidence Level SCL is within range C SMTP protocol HELO EHLO command contains words X The exceptions interface is identical to that for conditions However exceptions have the opposite meaning i e for the rule action to be applied an email must not match any exceptions Clicking Next we reach the final Summary page From here we can review all the conditions exceptions and action type configured This page also gives us the opportunity to revise and modify the rule settings Editable properties are again accessible through links Page 121 User Manual WinDeveloper Software Ltd zard Summary This is 8 summary of the configured rule You can now tweak the settings before finalizing it If Email has NO body text and Attachment name is exactly matches icf OR zip OR pct and Email size is less or equal to 40KB Withno exceptions Performthe following action Blacklist Page 122 User Manual WinDeveloper Software Ltd 4 12 2 1 Condition Exception Types The conditions and exceptions lists provide access to various email properties These include all properties available from white black lists and Simple SCL Rules Addi
138. tch Type The Match Type dropdown list box is available when setting up mappings against standard or custom email headers Simple SCL Mapping Configuration General Details Header SMTP Command Match type X SPAM Sd Operation emoty MEST is emety mssing exactly set value to y s execty sats wah Expression to match Operations AND OR and NOT are supported Matching is not case sensitive Enclose phrases containing white space in double quotes spamsno Description F X SPAM contains spam no set value to whtelsted OK Cancel The list identifies the type of matching operation to be performed when analyzing emails against this rule The following matching operations are possible contains The header must match the keyword expression specified in the value edit box The expression may include the use of the AND OR NOT operators and double quotes For details on keyword expression check Constructing Search Expressions is empty missing The mapping is matched if the header is not found or is empty valued is exactly The header must have exactly the same value specified in the value edit box ignoring any extra white space Operators are not supported and any value entered will be matched literally starts with The header value must start with the text specified in the value edit box ignoring any extra white space Operators are not supported and
139. td 4 14 7 Invalid and Illegal Operator Sequences The AND OR NOT operators are meant to combine keywords to construct more advanced expressions Nevertheless there exists many ways how these operators may be used incorrectly Some operator sequences are invalid by definition For example the NOT operator acts upon the keyword that follows Thus a NOT operator may never be followed by any other operator Similarly the AND OR operators are meant to combine two keywords Thus these may never appear next to each other It is ok to have AND followed by a NOT operator such as IMF AND NOT Monetary Nevertheless it is illegal not invalid to have an expression entirely composed of NOTed keywords such as NOT International NOT Monetary NOT Fund Although the above is a valid expression it is deemed to be illegal as it would lead many matches Indeed such expressions would match almost all emails Similarly the NOT operator may not be used in combination with the OR operator Again this causes the ORed set to match most emails Here are some examples of illegal expressions IMF OR NOT Monetary NOT Monetary OR IMF The above two expressions are equivalent Both are illegal since NOT Monetary would cause many matches Page 151 User Manual WinDeveloper Software Ltd 4 14 8 Working with the Expression Builder Constructing Search Expressions described the rules for composing valid keyword expressions IMF Tune provides a much si
140. te emails significantly reduces the likeliness of false classification In turn this gives us the opportunity to filter spam more aggressively In other words we are able to lower our filtering thresholds and trap more spam Our recommendation is that to let Auto Whitelisting run for some days Monitor the number of whitelist hits using Keyword Reporting or even better the Moderator Reporting Web Interface refer to dedicated user guide for details Both of these allow us to distinguish between Auto Whitelist hits and Static Whitelist hits Once we confirm that many legitimate emails are being auto whitelisted we can try lowering the SCL blocking threshold at the IMF Tune configuration Email Handling category Page 56 User Manual WinDeveloper Software Ltd 4 7 1 Configuring Sender Auto Whitelisting The IMF Tune Sender Auto Whitelisting configuration offers a lot of control over this functionality es i a U Beck ETE Categories Categories l D Folder Up Ai Home Ga IMF Tune Configuration C QC Auto Whitelist Senders amp 88 Emai Handing Collects foreign addr from local Is to automatically whitelist bite Archiving Quarantine allen eng esses from local user emails to automatically whitelist any Logging Qa Auto Reply Hij Quarantine IH Quarantine Database Linit list to S Users 10000 B Disk Mantenance wa Archives Quarantine g Logs Reports vV Enable Sender Auto Whitelisting addresses V
141. tegories Folder Up Lah Home EY Apoy A Reres yo Peamome ag Archiving Quarantine z n Specify archiving options for email based on their Spam Confidence Level SCL PM chang Cuarerine 7 Logging Qa Auto Reply Th Add HE Remove E Edit fifi Quarantine Disk Maintenance Profile Assigned SCL iG Auto Whitelist Senders Accepted Emails 0 1 2 3 4 5 Gd Whitelsts Rejected 6 7 8 9 blacklisted Gl Blacktsts Whitelisted Emais whitelisted Gl Block IPs a Block Senders amp Block Recipients amp Block Subjects 7 E Block Bodies amp Block Subjects Bodies a Block Attachments amp Block Foreign Spam G ed ONS Lists t DNS Allow IP Lists G 4 DNS Block IP lists cs DNS Block URI Lists BA SCL Rules s Keyword Reporting sm Exchange Forefront SCLs Q Details Licensing Local Domains Ra Merafianeniie amp IMF Tune archiving is always available independently of whether the email is accepted rerouted deleted or rejected Thus archiving could be used to keep a simple backup of processed emails or could be used to review emails that were blocked from reaching user mailboxes Archiving provides a list interface where each entry groups the settings for a set of SCL ratings Manipulating the Archiving list simply involves the use of the Add Remove and Edit buttons Page 29 User Manual WinDeveloper Software Ltd 4 2 1 Archiving Profiles Archiving options are grouped into Profiles Each of these incl
142. tegories i tat IMF Tune Configuration Select items to configure WinDeveloper IMF Tune Bs IMF Tune Configuration 84 Email Handling tig Archiving Quarantine s Logging Ga Baa Email Handlin EZ Auto Reply H g Archiving Quarantine E Hi Quarantine 5 9 Disk Maintenance 0 4 Auto Whitelist Senders cA Logging Auto Reply H A Whiteists Gj Blackists HH Quarantine a Disk Maintenance Gl Block IPs ae z amp Auto Whitelist Senders amp Whitelists ecipients g Block Subjects z amp Block Bodies aA Blacklists amp DNS Lists Gl Block Subjects Bodies BHI Block Attachments pa SCL Rules EDH Keyword Reporting Block Foreign Spam B ONS Usts ch DNS Allow IP Lists Kpa Exchange F orefront SCLs Details G DNS Block IP Lists DNS Block URI Lists Licensing Local Domains BA SCL Rules Si Keyword Reporting Ba Miscellaneous ty Exchange Forefront SCLs Q Details Licensing Local Domains Ra Meralanenie The Email Handling category provides a selection of actions from Accepting Rerouting Deleting and Rejecting emails based on the final SCL ratings The Archiving Quarantine category allows us to archive emails to disk and to also Quarantine emails for review from the IMF Tune Web Moderator The Logging category exposes the configuration for enabling detailed CSV logging of processed emails Page 13 User Manual WinDeveloper Software Ltd At the Auto Reply category automated email
143. text files The file may be encoded in 7 bit ASCII UTF 8 or UTF 16 Although two UTF encoding formats are supported all characters are expected to be within the standard Windows 1252 character set 2 Multiple address entries must be separated by a carriage return line feed CRLF sequence For files generated on non Windows platforms the line feed only separator LF is also supported In order to see a sample of a correctly formatted file use the Export functionality The import process includes a validation procedure that could reject some of the entries being imported For example if an address contains illegal wildcards that entry would be rejected When importing a large number of addresses it may be difficult to determine which addresses failed to be imported For this reason whenever importing the ImportReport log file will be generated This file is located in the main IMF Tune program directory and is overwritten on each import The log file will show how each of the imported entries was handled and whether or not the entry was rejected due to validation reasons Page 68 User Manual WinDeveloper Software Ltd 4 8 1 4 Exporting Email Addresses IMF Tune also supports exporting address lists to an external text file The export is correctly formatted to the IMF Tune import specifications Thus we may use the export and import functionality in order to quickly replicate configurations on multiple IMF Tune installs Exports ar
144. the email triggered If an email matches the same white black list multiple times this is only counted once The Report body area is composed of a sequence of tables one for each match In the following sample we see a report for an email that matched both a sender blacklist and an SCL Advanced Rule composed of 3 conditions WinDeveloper IMF Tune Keyword Reporting From lt spammer domain com gt Date Time 6 27 2010 12 01 03 To lt user3 square local gt Subject Check this message InitialSCL 7 Final SCL 8 Matches 2 Header Expression Source Sender spammer domain com spammer domain com Operation set SCL to blacklisted Header Expression Source Has NO Body Text true true Attachment Name pdf message pat Email Size Value is less or equals to 40960 3681 Operation set SCL to 8 Page 157 User Manual WinDeveloper Software Ltd The table is formed of three main columns that describe individual matches An Advanced Rule composed of multiple conditions will have one row for each At the bottom a final row shows the type of action this match has triggered It is important to note how the Final SCL shown at the report header area is the result of the Initial SCL and the individual actions triggered by each match The following is a description of the report body columns Column Name Description Header The type of email information that was matched This may be an email header but may als
145. timate email senders by s Logging Qa Auto Reply sal Add x Remove ra Edit fff Quarantine 5 Disk Maintenance Name Status Operation SCL G2 Auto Whitelist Senders SpamHaus enabled decrement by 2 H 4 Whiteists gt MJ Blackists Gl Block IPs amp Block Senders Gl Block Recipients 8 Block Subjects amp Block Bodies amp Block Subjects Bodies a Block Attachments amp Block Foreign Spam B ONS Lists o lt DNS Allow IP Lists S Exceptions S DNS Block IP Lists a Exceptions S a DNS Block URI Lists A Exceptions 8 SCL Rules BA Simple SCL Rules BA Advanced SCL Rules AR Evtemal SCI Riac m We manage List providers using the Add Remove and Edit buttons Page 91 User Manual WinDeveloper Software Ltd 4 10 2 1 Adding Editing DNS IP List Providers At the DNS Allow IP Lists DNS Block IP Lists category click Add to open the DNS List Provider configuration dialog DNS List Provider l General Details V Enable DNS list provider Tiis Provider name SpamHaus DNS list zone swl spamhaus org Operation SCL Change decrement by X 2 v Return status codes Only these status codes gt Add Retum Codes 127 0 0 0 127 255 255 255 OK Cancel The List Provider configuration includes Provider name A display name used to report matches in Keyword Reporting and at the IMF Tune Moderator DNS list zone The DNS zone to be queried This
146. tionally Advanced Rules exposes some more properties that are unique to this interface The following is the list of condition exception types available Condition Exception Type Description Received from addresses or domains Matches the email sender address For a single email the sender address may be identified in a number of ways IMF Tune checks all of these locations e MAIL FROM protocol address From header Sender header Resent From header Resent Sender header This condition supports using the wildcard in order to identify an entire domain In all one of these formats must be used alias domain domain domain Sent to recipient addresses or domains Matches email recipient addresses This condition supports using the wildcard in order to identify an entire domain In all one of these formats must be used alias domain domain domain Total number of recipients is within range Matches the number of recipients the email is addressed to including any BCCs Subject contains words Matches email subjects This condition supports keyword expressions Body contains words Matches text extracted from plain text and HTML bodies Also processed against the raw HTML for matching of tags and other content that is normally invisible This condition supports keyword expressions Page 123 User Manual WinDeveloper Software Ltd Body or Subject contains
147. to open the DNS List Test dialog DNS List Test Ex Enter the URI to be looked up at the DNS List Consult the DNS List Provider documentation for URIs to be used when testing Test l Close Enter the URI to be looked up and click Test WinDeveloper IMF Tune Configuration DNS List Response Listed Status Codes 127 0 1 2 Unlike DNS IP Lists URI Lists do not consistently adopt the same test URI to be used when testing the list Each provider defines his own test URI IMF Tune automatically initializes the Test dialog with the correct test URI for most providers However it is always recommended to check the provider documentation Apart for testing the designated test URI we can of course also test any other URI If the expected response is not returned double check the setting under DNS List Provider DNS list zone When testing URIs it is recommended to just use the root part of the URI For example if have the link http www windeveloper com imftune at the test dialog would just enter windeveloper com Some URI List providers require the use of the root portion others don t have this requirement Page 99 User Manual WinDeveloper Software Ltd 4 10 3 3 DNS URI Exception List Under the DNS Block URI Lists category we have the Exceptions category Basically here we enter URIs that should skip DNS List filtering orwarc Ra IMF Tune Configuration 88 Email Handling if
148. ts Since the log file is in standard CSV format one could easily open these in MS Excel or MS Access In this manner we can benefit from the interface and functionality provided by these tools The performance of individual SCL ratings could also be monitored through logging In this case one could setup different log files for each of the SCL ranges configured at IMF Tune This will immediately separate the information permitting a more focused analysis Of course a similar result could be obtained with the help of a database application such as MS Access and the use of SQL queries Page 36 User Manual WinDeveloper Software Ltd 4 3 1 Logging Profiles Logging options are grouped into Profiles Each of these includes 1 Profile Display Name 2 Log file path 3 SCL ratings to which the profile settings are to be applied General SCL Profile name Save to Common Maintenance Log File Save to Specific Maintenance Log File E _IMFTUNE_Nogs wnfpt_ lt dateAime gt _Common log Override Reporting Path Warning Reporting Maintenance won t be applied Choose the SCL values you want to assign this profile to The disabled SCLs are already in use by other profiles Page 37 User Manual WinDeveloper Software Ltd The log file path can be identified in one of three ways The Save to Common Maintenance Log File and Save to Specific Maintenance Log File options instruct IMF Tu
149. ts are always encoded in UTF 8 For details on the format of the exported file refer to Importing Filenames Page 86 User Manual WinDeveloper Software Ltd 4 9 Working with Blacklists Blacklists identify emails to be handled as spam This is most useful when dealing with spam that still manages to reach the recipient inbox Blacklisting is applied only in case the email is not Whitelisted or set to some fixed SCL value by an SCL Rule The Blacklists category groups IP Sender Recipient Subject Body combined Subject Body Attachments and Language blacklisting IMF Tune provides a nearly identical set of whitelists and blacklists The only difference is the Foreign Spam Language Blacklist This has no corresponding whitelist Whenever a list type is present under both the Whitelist and Blacklist category group the interface for the corresponding lists is identical Hence for details on configuring the IP Sender Recipient Subject Body combined Subject Body and Attachment blacklists please refer to Working with Whitelists Page 87 User Manual WinDeveloper Software Ltd 4 9 1 Foreign Spam Blacklist The Foreign Spam blacklist filters emails by character set NNS Rinek LIRI Liste Back G Forward Folder Up gh Home EY Apply A Reires go Parag Block Foreign Spam Archivi 9 i Select the languages you would like to identify and block through MIME e a character set encodings Qa Auto Reply Emails
150. ttings Message Delivery Intelligent Message Filter Message Delivery Properties 2px General Defaults SenderFiterng ConnectionFilering Recipient Fitering Detals Inteligent Message Fitering Sender ID Fitesing Configure spam confidence level SCL theesholds Selecting a lower number for the SCL rating blocks more messages that could be unsolicited commercial e mail UCE but also increases the ikelihood of false positives Gateway Blocking Configuration Set the threshold for blocking UCE on gateway servers a merges with an SCL rating greater than or FP H When blocking messages NoActon J Store Junk E mai Configuration Set the threshold for moving UCE to a user s Junk E mail folder Move messages with an SCL rating greater than or equal to 4 z The interface for enabling IMF changed in Exchange 2003 SP2 IMF Tune automatically detects the IMF version in use and shows the enablement status consistently IMF v2 is the latest version and is included with Exchange SP2 In this case enablement is located under the SMTP Virtual Server properties lt Organization gt Servers lt Exchange Server gt Protocols SMTP lt SMTP Virtual Server gt I x IP addiess All Unassigned v I Apply Sendes Fikes T Apply Sender ID Filter I Apply Connection Fike en e For IMF v1 i e before Exchange SP2 enabling the filter was done through a dedicated object located at
151. udes 1 2 Profile Display Name Path to the Archiving directory Publishing the email to a database server Enablement of Additional Email Modifications SCL ratings to which the profile settings are to be applied Gere SCL Profile name Piccested Emails Save Emails to Archive Maintenance Directory Root Save Emails to Archive Maintenance Sub Directory C Program Files WinDeveloper IMF Tune zechive inffeml_ lt SCL Levels gt Override Archive Directory Path amp Warning Archive Maintenance won t be applied E Also add archived email to quarantine database 7 Insert SCL in archived email subject V Insert SCL in archived email header 0 Remove all attachments from archived emails 7 Insert SMTP Sender Recipients IP and HELO in archived email headers Page 30 User Manual WinDeveloper Software Ltd Sore MO E VENNA VONNE 1o zeon Da pea The disabled SCLs are already in use by other profiles lea ars wscLo Asc W SCL2 W scL3 F ScL4 mses Page 31 User Manual WinDeveloper Software Ltd 4 2 2 Choosing an Archive Directory Path IMF Tune provides three options for specifying the directory where emails are to be archived The first two Save Emails to Archive Maintenance Directory Root and Save Emails to Archive Maintenance Sub Directory instruct IMF Tune to compute the path based on the Archive Maintenance configuration The third option Override Ar
152. unning other anti spam filters in front of Exchange Some examples include dedicated anti spam appliances or external anti spam service providers In this case IMF Tune could be just employed for its Exchange Integration functionality without involving the MS IMF as an extra filtering layer Page 162 User Manual WinDeveloper Software Ltd 4 18 Exchange System Manager Anti Spam Settings Exchange 2003 Only The Exchange System Manager IMF Tune configuration category exposes key anti spam settings as configured at the Exchange management console This category is only available in IMF Tune for Exchange 2003 It includes the Exchange Intelligent Message Filter settings and the various Exchange 2003 options for sender id connection sender and recipient filtering IMF Tune gives read only access to these settings and any changes must still be done through the Exchange Management console Once IMF Tune is installed we effectively have three anti spam processing layers Firstly we have Exchange 2003 sender id connection sender and recipient filtering secondly we have IMF and finally IMF Tune Bringing all settings into a single dedicated interface enables the administrator to more effectively visualize the overall system setup From the feedback received at WinDeveloper it is clear there is lack of awareness of the functionality readily available from Exchange IMF Tune organizes the Exchange settings in a different way from that presented
153. uration eje ard EE categories Folderup faf Home EY Apoy KY FRetres nDevelover IMF Back Forw fis IMF Tune Configuration 84 Email Handling iia Archiving Quarantine s Logging Qa Auto Reply fii Quarantine 5 A Disk Maintenance m amp Auto Whitelist Senders B 48 Whiteists amp Accept IPs amp Accept Senders amp J Accept Recipients amp Accept Subjects amp d Accept Bodies amp Accept Subjects Bodies amp Accept Attachments Gi Blackists amp Block IPs GH Block Senders a amp i Block Recipients GM Block Subjects a Block Bodies amp Block Subjects Bodies GH Block Attachments GM Block Foreign Spam B L ONS Lists rs 4 DNS Allow IP Lists a DNS Block IP Lists x NNS Rinek LIRI lice Next we can add remove and edit keyword expressions using the buttons at the top a Accept Subjects Specify search expressions to white list emails by subject Expressions may include the use of the AND OR NOT operators Matching is not case sensitive Th Add EL Addlist HQ Remove E Eait RE import PE export Expression Microsoft Security Bulletin OR Advisory OR Newsletter RTX SUPPORT TICKET WinDeveloper OR IMF Tune Match One of WinDeveloper IMF Tune Page 71 User Manual WinDeveloper Software Ltd 4 8 2 2 Adding a New Keyword Expression IMF Tune provides two interfaces for adding new keyword expressions the Expression Builder and the Ad
154. urthermore the configuration provides the space for administrative notes to be inserted In this manner changes may be documented for future reference To specify a comment under the SCL Mapping configuration select the Details page and enter the text under the Administrative note edit box Simple SCL Mapping Configuration r General Details Creation date 11 08 2008 21 16 11 Last modification 11 08 2008 21 16 11 Administrative note OK Cancel Page 115 User Manual WinDeveloper Software Ltd 4 12 Advanced SCL Rules Advanced SCL rules bring even more power Rules here are composed of multiple conditions and exceptions that must be satisfied for the action to be applied In this manner for example we could create a subject whitelist that is only applied to a number of recipients Indeed the ability to combine multiple conditions together adds a new level of flexibility Advanced SCL Rules also give access to other email properties not available from anywhere else within IMF Tune Some examples include the email size the recipient count the reception time and others Just like Simple Rules the action set allows for incrementing decrementing the SCL rating and for setting it to any fixed value including the whitelist and blacklist levels Thus the rules can be employed both as an advanced white black list and to fine tune SCL assignments Page 116 User Manual WinDeveloper Software Ltd 4 12
155. vailable 1 A link to the IMF Tune product homepage http www windeveloper com imftune Check here for the latest information on the product and FAQs 2 Alink to the WinDeveloper Software homepage http www windeveloper com 3 Sales Licensing email address sales windeveloper com 4 Technical support email address support windeveloper com When contacting WinDeveloper please choose the correct email address as outlined above This will help us provide the quickest response If you encounter problems with sending emails go to the WinDeveloper website and use the contact form Page 174 User Manual WinDeveloper Software Ltd Annex A Exchange 2003 Intelligent Message Filter The Exchange Intelligent Message Filter is freely available to all Exchange 2003 servers Two versions of this filter were released the latest being version 2 IMF v2 is included with Exchange 2003 Service Pack 2 Once this SP is installed the filter is ready to be configured and enabled For Exchange 2003 systems preceding SP2 IMF v1 was available as a separate install from the Microsoft Download center IMF Tune supports both IMF versions Nevertheless today IMF v1 is outdated and IMF v2 is highly recommended The sections that follow give a brief introduction to the Exchange 2003 IMF Page 175 User Manual WinDeveloper Software Ltd A 1 Installing IMF The latest IMF version is included with Exchange 2003 SP2 Thus installing SP2 or lat
156. veloper Software Ltd 4 5 1 Archive Quarantine Maintenance The core archive quarantine maintenance settings are available under the Disk Maintenance Archives Quarantine category These comprise the root archive directory path and settings for the backup and deletion of old emails YR WinDeveloper IMF Tune Configuration Eolas Back 3 Forwar Categories T Folder Up Home LJ Apply 3 r a Tee anin Archives Quarantine i 9 P Identify the primary location where the archived emails will be stored IMF Tune a ving Quarantine will manage files archived here ogging H Sore Archive maintenance directory aranti Disk Maintenance C Program Files Win Developer IMF Tune archive td Bier cee Email files moved to backup will also be deleted from quarantine g Logs Reports E Auto Whitelist Senders J Compress and backup files after days amp amp J Whiteists aG Blacktsts 4 Schedule Block IP 5 a ea F7 Delete backup files after days GJ Block Recipients 7 Block Subjects a Block Bodies a Block Subjects Bodies J Delete files from archive on resubmitting deleting quarantines g Block Attachments amp Block Foreign Spam Retain quarantine information for reporting purposes for days a ONS Lists 30 B S DNS Allow IP Lists o 4 DNS Block IP lists i ONS Block URI Lists BA SCL Rules ta Keyword Reporting fe Exchange Forefront SCLs Details E3 Lirencina cy This category i
157. w to use wildcards This is discussed in the section that follows Adding New Addresses Page 66 User Manual WinDeveloper Software Ltd 4 8 1 2 Adding New Addresses To add new addresses click on the Add button A dialog opens where multiple email addresses may be entered Email Addresses ee Add new email addresses Separate multiple entries with carriage returns Enter addresses in the format something something You may also use wildcards as follows domain and domain domain com a imftune com feedback windeveloper com sales windeveloper com support windeveloper com tae Enter each address in a separate line by hitting the carriage return key The list can handle up to 64Kb of data at a time To enter more addresses click OK to save and close the dialog Next click Add again to re open the dialog and enter more addresses Otherwise we may use the address list import functionality to quickly add large lists of addresses We may include all email addresses for a specific domain by using the wildcard The following wildcard formats are supported lt domain gt lt domain gt Page 67 User Manual WinDeveloper Software Ltd 4 8 1 3 Importing Email Addresses IMF Tune enables the insertion of addresses into white black lists through the import functionality For the import to work the source file must meet the following requirements 1 Importing only supports plain
Download Pdf Manuals
Related Search