One of the features built in to Exchange 2003 SP2 is Intelligent Message Filtering. While this is a major step forward in blocking incoming spam, IMF does have its limitations. The limitation that I have encountered most frequently is the misclassification of some email as spam, and the inability to “whitelist” certain senders without implementing third-party workarounds.
Recently, a contributor to a Yahoo group suggested that it might be possible to use IMF’s built-in Custom Weight List (CWL) functionality to whitelist senders. The theory was that if the CWL’s BODY element has access to the entire email message, including headers, it could be used to allow emails that contain a certain “From:” string.
Today I was able to test this idea.
Sending Spam to Myself
A few days ago, I made an airline reservation with Express Jet, but never got the confirmation email. Even when I went back to their web site and asked it to send me the itinerary by email, it never arrived.
It turns out that IMF consistently flags Express Jet reservation mails with a very high SCL rating (8 – 81.8%). So using the Express Jet reservation site gave me an easy way to send myself an email from an external source that IMF was treating as spam.
Test the CWL with BODY
I implemented a CWL with
<CustomWeightEntry Type=”BODY” Change=”MIN” Text=”From: firstname.lastname@example.org”/>
but still IMF flagged the email as spam.
Test the CWL with SUBJECT
Well, is the CWL working at all? The blocked emails always have the same subject (“Booking confirmation from ExpressJet”). So I changed the CWL to include
<CustomWeightEntry Type=”SUBJECT” Change=”MIN” Text=”ExpressJet”/>
and the mail was no longer classified as spam.
Apparently, the BODY element of the CWL does not have access to the email headers. Too bad–that means there is still no good way to whitelist by sender.
Another “gotcha” I discovered along the way is that the CWL file (MSExchange.UceContentFilter.xml) must be re-copied to the latest IMF subfolder every time IMF updates itself, then the SMTP service must be restarted. In other words, it is not good enough to put the .xml file in
it (currently) has to go into
This is correctly explained at the end of this TechNet article:
but is incorrect in this KB article:
This is another area where Microsoft could improve IMF: always read the CWL file from the same location. Automatic updates to a product should not break the product’s functionality. In the meantime, remember to re-copy the CWL file every time IMF updates itself!