Microsoft Announces Intelligent Message Filter for Exchange 2003

Microsoft has announced that its much-anticipated Microsoft Exchange Intelligent Message Filter for Exchange 2003,  will be available in the first half of 2004 at a price that "has not been finalized" (which probably means not free). The anti-spam technology involved is based on an analysis of message characteristics in the huge test corpus that Microsoft gets from Hotmail users who have volunteered to classify mail as legitimate or spam. Administrators can set separate gateway and store thresholds, blocking some messages completely and allowing others to pass through to users' Junk E-mail folders for further review. (18 Nov)

Critical Security Update for Exchange 2000; Updates Also for Exchange 5.5

Microsoft has released a critical security patch for Exchange 2000 to eliminate a vulnerability in the SMTP service that could result in a denial-of-service attack or an attacker running malicious programs in the security context of the SMTP service. The Internet Mail Service in Exchange 5.5 is also vulnerable to a similar denial-of-service attack. Patches are available for Exchange 5.5 Service Pack 4 and Exchange 2000 Service Pack 3. Microsoft also suggests several workarounds, such as SMTP authentication, that can provide some protection until you install the patch. See:

• Microsoft Security Bulletin MS03-046: Vulnerability in Exchange Server Could Allow Arbitrary Code Execution

Another patch for Exchange 5.5 addresses a cross-site scripting vulnerability related to HTML encoding in a new mail message. Because this patch affects the .asp pages that drive Outlook Web Access, you should back up any customized pages before applying the patch. You will then need to reapply the customizations to the updated pages. More information on this patch is available at:

• Microsoft Security Bulletin MS03-047: Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting Attack

Exchange 2003 does not exhibit either vulnerability. (15 Oct)

Outlook 2003 Rules May Halt Exchange 5.5

Using Outlook 2003 to modify or import rules may cause the Exchange 5.5 store to halt when it tries to process a rule with a malformed property. Microsoft has released a post-SP4 hotfix to correct the problem. Contact Microsoft Product Support Services to obtain Exchange 5.5 Information Store Patch 2657.74. See:

• XADM Information Store Intermittently Stops Responding and an Access Violation Occurs in EcDSDNFromSz

• Exchange 5.5 Information Store Patch 2657.74

(14 Oct)

Update CDO on Exchange Server before Using Outlook 2003

Microsoft is now making an important CDO hotfix  for Exchange servers available via public download rather than requiring you to contact PSS for the patch. These articles explain the problem:

• Collaborative Data Objects Heap Corruption Occurs When You Try to Access an Exchange Mailbox

• Outlook Web Access Stops Responding When You Try to Access a Mailbox on an Exchange 5.5 Computer

For the patch downloads, see:

• Exchange 2003 CDO Patch 6980.3

• Exchange 2000 CDO Update 6487.1

• Exchange 5.5 CDO Patch 2657.55

This is a critical issue, especially for Exchange 5.5 environments, if you plan to install Outlook 2003 on client machines. Once you use Outlook 2003 against an Exchange mailbox, a change takes place in the mailbox properties that is incompatible with earlier versions of CDO. The result is that Exchange 5.5 OWA users will no longer be able to access the mailbox, and Exchange 2000 or 2003 applications that use CDO to access the mailbox may fail completely if they call the PR_FREEBUSY_ENTRYIDS MAPI property.

No client fixes are available yet, but pre-Outlook 2003 client applications using CDO for calendaring functions may encounter similar problems. (9 Oct)