Archiving Dos and Don'ts
Find out how to handle IMF's archiving options.
June 27, 2004
Archiving messages that meet the Microsoft Exchange Intelligent Message Filter (IMF) gateway spam confidence level (SCL) threshold gives you an opportunity to check for false positives. By default, Exchange Server 2003 moves IMF-archived messages to the ExchsrvrMailrootvsi nUCEArchive directory (where vsi stands for "virtual server instance" and n is the instance number—1 is the default—of the SMTP virtual server). You can review captured messages by opening them in Notepad or Microsoft Outlook Express, and you can resubmit a message that you discover to be a false positive by moving it to the ExchsrvrMailrootvsi nPickup directory, which forces the SMTP virtual server to process the message. (Note that Exchange removes the SCL rating from archived messages, unless you add a new REG_DWORD entry called ArchiveSCL, with a value of 1, under the HKEY_LOCAL_MACHINESoftwareMicrosoftExchangeContentFilter registry subkey. This entry and value instruct IMF to write the SCL rating into the message properties' X-SCL attribute. However, you might not want to make this registry change; if you review a message and decide that it's safe for delivery to the destination mailbox, you don't want the Store to drop the message because it has an SCL rating that meets the Store threshold.)
Apart from the physical effort required to examine archived messages to locate and then process false positives, archiving messages to the disk that stores program and other files means that you must be careful that the disk never exhausts free space, or your SMTP service will crash. You're unlikely to encounter this problem on a test system, but when you put IMF into production on a server that handles heavy messaging traffic, consider relocating the archive directory to another disk. The only way to accomplish this task is through a registry change. Create a new REG-SZ entry called ArchiveDir under the HKEY_LOCAL_MACHINE SoftwareMicrosoftExchangeContentFilter registry subkey. Set the entry's value to be the full directory path to which you want to store the archived messages (e.g., F:ExchsrvrArchive). Stop and restart the SMTP service to make the change take effect. You need to apply the same change on all Exchange servers that host IMF.
Archiving is a good capability, but other antispam systems (such as NetIQ MailMarshal) provide a more comprehensive set of features (e.g., the ability to search the archive set, the ability to view messages by date). You might also wonder why Microsoft didn't provide the necessary UI to make basic archive-management changes and avoid the need to mess with the registry. The answer is linked to internal Microsoft rules that govern when products can update the UI and is driven by many factors including documentation, support, and translation into multiple languages. I anticipate that Microsoft will update the UI at some point, perhaps in a future Exchange 2003 service pack.
About the Author
You May Also Like