Using blacklists for spam protection in Exchange 2003 cuts down a lot of spam for my company, but we decided to enable IMF (Intelligent Message Filter) to do even better. It is imperative, however, that the messages it catches get monitored for false positives. We’re small enough that monitoring the IMF archive is reasonable, but it wasn’t immediately apparent how to do this.
Luckily I found this tool: http://imfam.codeplex.com/ (IMF Archive Manager)
Setup
To begin, make sure that your IMF settings are set to Archive:
By default this archive location is:
%ExchangeInstallPath%\Exchsrvr\Mailroot\vsi 1\UceArchive
However, you can change that location by modifying this registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\ContentFilter\ArchiveDir
Once you’ve found or set your archive location, open IMF Manager on your client computer, and click Settings > Archive Folder:
Set this to your archive location, and you should see it populated with the IMF messages. This gives you a safe way to view the spam and identify false positives.
Dealing with False Positives
Identifying false positives isn’t very helpful if you can’t do anything with them. What I’ve done to solve this problem is create a Windows share of the IMF Archive folder and then, using IMF Archive Manager, delete all the spam, leaving only false positives. I then open the shared folder and copy the .eml files out:
Once you have an .eml file, you may need to re-configure Outlook 2003 or Outlook 2007 to natively open them.
Office 2003:
http://support.microsoft.com/kb/967346
Office 2007:
http://support.microsoft.com/kb/956693
Office 2010 appears to open these files properly.
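For a quick pass over the archive share before opening anything in a mail client, the following Python script (an added example, not part of the original post or of IMF Archive Manager) reads only the headers of each .eml file and lists likely false positives first. The KNOWN_DOMAINS values are constructed placeholders for the domains you normally correspond with, and the folder path is passed as an argument.

```python
"""Summarise .eml files in an IMF archive folder for false-positive review."""
import sys
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from pathlib import Path

# Assumption: domains you expect legitimate mail from (constructed sample values).
KNOWN_DOMAINS = {"example.com", "partner.example"}


def summarise(path):
    """Parse headers only; message bodies and attachments are never opened."""
    with open(path, "rb") as fh:
        msg = BytesParser(policy=policy.default).parse(fh, headersonly=True)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    domain = sender.rpartition("@")[2]
    return {
        "file": Path(path).name,
        "from": sender,
        "subject": str(msg.get("Subject", "")),  # RFC 2047 words are decoded
        "date": str(msg.get("Date", "")),
        "review": domain in KNOWN_DOMAINS,  # known sender caught by the filter
    }


def scan(archive_dir):
    """Return one row per .eml file, rows flagged for review first."""
    rows = []
    for eml in sorted(Path(archive_dir).glob("*.eml")):
        try:
            rows.append(summarise(eml))
        except (OSError, ValueError) as exc:
            # Unreadable or badly damaged file: surface it instead of skipping it.
            rows.append({"file": eml.name, "from": "", "date": "",
                         "subject": f"unreadable: {exc}", "review": True})
    return sorted(rows, key=lambda r: not r["review"])


if __name__ == "__main__":
    for row in scan(sys.argv[1]):
        flag = "REVIEW" if row["review"] else "      "
        print(f"{flag}  {row['from']:<35}  {row['subject'][:60]}  ({row['file']})")
```

A From header is easy to forge, so a REVIEW flag only means the message deserves a look, not that it is safe to release.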