IMF Tune v6.1 - Forefront Protection 2010 for Exchange Support
Setting up a Low Priority Whitelist in IMF Tune
In IMF Tune, whitelisting takes priority over any other SCL rating. If an email matches both a whitelist and a blacklist, the Whitelist rating is stamped as final. Although this is the standard behavior, occasionally we receive requests for setting up a low priority whitelist. This is possible with the help of SCL Rules that whitelist emails only if no blacklist is matched.
Influencing SCL Ratings
IMF Tune provides various options for an administrator to influence email spam ratings. This includes various Whitelists, Blacklists and SCL Rules.
The SCL spam rating can be set to a specific fixed value. This is what Whitelists and Blacklists do. They replace the current email rating with their own. SCL Rules provide extra flexibility. These allow us to fix SCL ratings to any possible value not just the extreme Whitelist or Blacklist levels. Alternatively SCL Rules may be configured to move ratings up or down. Here we can say that if a rule is matched, the current SCL rating should be raised or lowered by the specified value.
Multiple Matches - SCL Rating Priority
With the various Whitelists, Blacklists, and SCL Rules, it is possible for a single email to hit multiple matches. IMF Tune follows a "play safe" rule applying the lowest SCL rating. For example if an email contains both a blacklisted keyword and a whitelisted keyword, the email is whitelisted.
Extending this concept further, if an email matches an SCL Rule configured to fix the SCL to 5 and also matches a blacklisted keyword, the email is finally assigned SCL 5. This happens since SCL 5 is lower than the Blacklist level (Blacklist is the highest SCL rating possible).
SCL Rules applying 'increment by' and 'decrement by' operations are considered to have the lowest priority. The increments and decrements are only computed if no other match is found that would set the email to a fixed SCL rating. If computed, increments and decrements add up so that the final SCL value is the net result.
To recap, these are the priority rules followed when determining the final email SCL rating:
Low Priority Whitelists
In this article our goal is to create a Whitelist that is lower in priority than Blacklists. This is done with the help of the SCL Rules 'decrement by' operation. A rule that is configured to lower the current SCL rating by 9 will effectively Zero any currently assigned SCL rating.
Since a 'decrement by' operation is only applied to emails that do not match any other standard Whitelist or Blacklist, the SCL Rule effectively behaves as a low priority whitelist.
This solution is not perfect. IMF Tune does distinguish between Whitelisted and SCL 0 emails when it comes to reporting. However as far as the email user is concerned there is no noticeable difference. Both of these ratings identify legitimate emails that are delivered straight to the Inbox.
IMF Tune supports 3 SCL Rule types; Simple, Advanced and External. All of these have the ability to perform a 'decrement by' operation.
Simple and Advanced SCL Rules are most appropriate when dealing with a specific type of email or solving a one-off problem. Once the rule is setup and working an Administrator would hardly ever modify the rule configuration again.
External SCL Rules are more appropriate when setting up a low priority whitelist that needs more regular updating. If we plan to keep adding new keywords/addresses to the whitelist, External Rules provide a simpler (even if more raw) interface.
Simple SCL Rule Configuration
Advanced SCL Rule Configuration
For a detailed discussion on Advanced Rules configuration please check the IMF Tune Server Manual. Here we skim through the configuration just to illustrate the most important steps in the setup of a low priority whitelist.
External SCL Rule Configuration