Getting the most out of Antigen’s Anti-Spam features

Hello – Andy Day from the EMEA Antigen/Forefront Support Team here to give you some tips on oiling your anti-spam engine in Antigen for Exchange/SMTP. Let the spring cleaning commence...


Over recent years, spam has emerged as a more prominent pain point than the traditional virus concerns that any company will have. Spammers are always trying to get the upper hand on anti-spam vendors, bringing out new ways to bypass scanners and hit as many inboxes as possible (sure, why wouldn’t they?...they get paid for doing that, after all!)

So, as an Antigen for Exchange administrator, how do you tweak the ASM component (Anti-Spam Manager) to maximise your spam protection, in order to outwit the spammers?


Well, first of all, you are probably using one or both of these Antigen ASM features already:

·         Spamcure anti-spam engine

·         RBLs (Realtime Block Lists)


Alongside these features, you may also have implemented the IMF feature in Exchange (Intelligent Message Filter).

All of these features and technologies are preventative measures. A configuration guide can be found in the Antigen Spam Manager Best Practices guide. The key points from this guide are to:


1.     Configure the Spamcure engine to check for updates every 15 minutes

 Spam is more dynamic than (other) malware; therefore anti-spam updates tend to be released more frequently than anti-virus updates. It is common to see several anti-spam engine version releases every hour, so getting Spamcure to check for updates this frequently is strongly advised.

2.     Configure RBL services

RBL lists, (non-Microsoft) lists of known spam mailhosts that are updated in realtime, are a good way of blocking spam from the source. Always try to use a reputable service here and be aware that free services may not always be the best. Note that Microsoft does not recommend any specific RBL providers. In Support, we do see a lot of customers using and, which might be a good place to start. Please ensure that you observe any usage terms and conditions when using these 3rd-party lists.

RBLs rely heavily upon DNS lookups (of mailhosts), so if there is any latency in doing this, you could see SMTP mail queuing on your server. As a rule of thumb, it’s best to limit RBL lookups by using a maximum of 1-3 RBL providers.

3.     Configure the Exchange Intelligent Message Filter

OK, this isn’t strictly an Antigen feature, but we strongly recommend its use in conjunction with Antigen. The Spamcure engine and other filtering features on the SMTP scanjob can be used to set a SCL Rating on messages. Basically, if you enable the SCL Rating option for a feature in Antigen, any detection on that feature will cause Antigen to set a SCL Rating of 9 for the message. The SCL scale ranges from 0 (definitely not spam) to 9 (definitely spam).

Exchange 2003’s IMF feature allows you to set a threshold for the SCL Rating. You can also set a SCL threshold in Outlook that can steer spam messages into Outlook’s Junk Mail Folder (also governable via a GPO).

An example of how these 3 technologies might work together is setting the IMF threshold to 8 and the Outlook threshold to 5. Here, messages tagged with a SCL Rating of 0-4 will go through to users’ inboxes, 5-7 will go to users’ Junk Mail Folders and 8-9 will be deleted by IMF. As Antigen sets only ‘9’ values for the SCL rating, any Antigen-tagged messages will therefore be deleted by IMF.

For more information on Exchange’s Intelligent Mail Filter, click here. 

4.       Submit Spam Messages: False Positives (legitimate emails that were falsely detected as spam) and False Negatives (spam emails that were not detected) should be submitted ASAP to Mail Filters.

As an administrator, you’ve experienced that no technology is perfect and it’s expected that some false-positives and false-negatives will crop up from time to time. Sending these to Mail Filters (our partner company that produces the Spamcure engine) through the appropriate addresses is an efficient way to flag the problem without having to open a Microsoft Support case.

·         Send False Positives to Spam.mail-filters "at"

·         Send False Negatives to Notspam.mail-filters "at"


From these Best Practices, the key actions to take away are to make sure that Antigen is checking for Spamcure updates every 15 minutes and submit false positives/negatives to the above addresses.

If you’re working in a large organisation, you may find that a lot of spam seems to get through (even though the actual detection rate is still pretty high), due to the sheer volume of mail that you receive every day. Consider setting-up a designated spam Mailbox or shared Public Folder to collect false negatives from users.


Before opening any support cases for false negatives, we recommend that you cover the 2 areas above, since we’re likely to suggest that you do this J.


In the case that Spamcure or other ASM components don’t seem to be working as they should, take a look at my troubleshooting tips and extra features that can help to provide additional spam defence:


Further Troubleshooting

If you want to minimise your dependency on Microsoft Support, you can always try to troubleshoot the issue by yourself.

For Spamcure-related issues, try to determine from any errors whether the problem relates to the download of the engine (the first part of the update process), or to the integration of a new engine into Antigen (the second part of the update process); then follow these steps:


Engine Download Issues:

·         Check that you can reach the file being downloaded through Internet Explorer.

·         Confirm that any proxy settings entered in the Antigen Administrator are still valid.

·         In general, try to stagger engine updates by 10-15min per engine.


Engine Integration Issues:

·         Make sure that the engine has updated at least once following install, to avoid this error:

"ERROR: Could not load SpamCure mapper."

·         Try rebuilding the scan engine, as per KB920304.



Secondary Defence

Antigen also gives you various filtering features that can be used in either a preventative or reactive manner to block spam.

·         Mailhost Filtering

·         ‘Content’ Filtering

o   Sender/Domain Filtering

o   Subject Line Filtering

·         Keyword Filtering

There’s a lot of information and syntax about filtering already explained in the Antigen for Exchange User Guide, so I won’t repeat it here. However, you might consider setting some filters for basic pre-emptive defence and perhaps more importantly to block prominent spam mail that got through. It’s not worth the effort to do this for every undetected spam, of course, but if you’re facing a sudden wave of similar spam, this could  warrant a Subject Line or Keyword Filter until engine definitions become available.



Following the guidance I outlined, we hope you find Spamcure is filtering out most of your spam just fine and you won’t really need to tackle this troubleshooting or use these extra features for this reason. If you do, however, I hope this post has been useful to you.



Kind Regards,

Andy Day

CSS Security Support Engineer (Antigen/Forefront Server Security)

Comments (4)

  1. Anonymous says:

    How to customize OWA in Exchange Server 2007 Top 10 Microsoft Exchange Server 2003 registry hacks What

  2. Anonymous says:

    The URLs are incorrectly mail links, not traditional URLs. This needs to be fixed.

  3. Ah — someone found the Easter eggs and passed our not-so-clever test!

    The links are now correct. Thanks for letting us know.

  4. Jim Mulvey says:

    I think you have the email addresses wrong (they should be switched).

    According to the last 2 paragraphs of this link :

    You should send false positives to Notspam.mail-filters "at"

    You shoudl send false negatives to Spam.mail-filters "at"

Skip to main content