Directory Harvesting
Directory harvesting attacks occur when spammers try to guess email addresses by attaching well-known usernames to your domain. Spammers send emails to randomly generated addresses; while some of these may match real users, the majority do not exist, so the invalid messages flood the victim's email server.
GFI MailEssentials stops these attacks by blocking emails addressed to users that are not in the organization's Active Directory or email server.
Directory harvesting can either be configured to execute when the full email is received or at SMTP level, that is, emails are filtered while they are being received. SMTP level filtering terminates the email’s connection and therefore stops the download of the full email, economizing on bandwidth and processing resources. In this case the connection is terminated immediately and emails are not required to go through any other anti-spam filters.
This filter is enabled by default on installing GFI MailEssentials in an Active Directory Environment.
Directory Harvesting is set up in two stages as follows:
Stage 1 - Configuring Directory Harvesting properties
- Go to Anti-Spam > Anti-Spam Filters > Directory Harvesting.
- Enable/Disable Directory Harvesting and select the lookup method to use:
Option | Description |
---|---|
Enable directory harvesting protection | Enable/Disable Directory Harvesting. |
Use native Active Directory lookups | Select this option to retrieve the list of local users from Active Directory (or from a remote AD if GFI MailEssentials is installed in Remote Active Directory mode). |
Use LDAP lookups | Select this option when GFI MailEssentials is installed in SMTP mode and you want to retrieve the list of users from a separate Active Directory instance using LDAP. Key in your Active Directory server details. If your LDAP server requires authentication, unmark the Anonymous bind option and enter the authentication details that will be used by this feature. |
- In Block if non-existent recipients equal or exceed, specify the number of nonexistent recipients that will qualify the email as spam. Emails will be blocked by Directory Harvesting if all the recipients of an email are invalid, or if the number of invalid recipients in an email equals or exceeds the limit specified.
NOTE
Avoid false positives by configuring a reasonable value in the Block if non-existent recipients equal or exceed edit box. This value should account for users who send legitimate emails with mistyped email addresses or to users no longer employed by the company. It is recommended that this value is at least 2.
- Provide an email address and click Test to verify Directory Harvesting settings. Repeat the test using a non-existent email address and ensure that Active Directory lookup fails.
- Click the Actions tab to select the actions to perform on messages identified as spam. For more information refer to Spam Actions - What to do with spam emails.
NOTE
If Directory Harvesting is set to run at SMTP level, only the Log rule occurrence to this file option will be available in the Actions tab.
- Click Apply.
Stage 2 - Selecting whether Directory Harvesting should be done during the SMTP transmission
- Navigate to Anti-spam > Filter Priority, and select the SMTP Transmission Filtering tab.
- Click Switch to toggle the Directory Harvesting filtering between:
Option | Description |
---|---|
Filtering on receiving full email | Filtering is done when the whole email is received. |
Filtering during SMTP transmission | Filtering is done during SMTP transmission by checking whether the email recipients exist before the email body and attachments are received. NOTE: If this option is chosen, Directory Harvesting will always run before the other spam filters. |
- Click Apply.
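The blocking rule from Stage 1 (block if every recipient is invalid, or if the count of invalid recipients equals or exceeds the configured limit) and the SMTP-transmission variant from Stage 2 (decide after the envelope, before the body is downloaded) can be modelled as follows. This is an added illustration, not GFI MailEssentials code; the user directory, recipient lists and the `lookup` stand-in for the AD/LDAP query are constructed assumptions.

```python
"""Directory-harvesting decision logic, modelled on the rule described in the
Stage 1 note. Added example; the directory below is constructed sample data
standing in for an Active Directory / LDAP lookup."""

# Constructed directory of valid mailboxes (in production this comes from AD/LDAP).
KNOWN_USERS = {"alice@example.com", "bob@example.com", "helpdesk@example.com"}


def lookup(address: str) -> bool:
    """Stand-in for the native AD or LDAP lookup: case-insensitive exact match."""
    return address.strip().lower() in KNOWN_USERS


def should_block(recipients, limit: int):
    """Apply the page's rule.

    Returns (block, invalid_recipients). The limit is the value configured in
    'Block if non-existent recipients equal or exceed'; the page recommends >= 2
    so that a single mistyped address in an otherwise legitimate mail is tolerated.
    """
    if limit < 1:
        raise ValueError("limit must be at least 1")
    invalid = [r for r in recipients if not lookup(r)]
    all_invalid = len(recipients) > 0 and len(invalid) == len(recipients)
    return (all_invalid or len(invalid) >= limit), invalid


def smtp_envelope_decision(rcpt_to, limit: int) -> str:
    """SMTP-transmission variant: evaluate once all RCPT TO commands are in,
    before DATA, so a harvesting probe never gets to upload a body.
    At this stage the only available action is logging, so the log line is
    returned instead of a spam-folder or quarantine action."""
    block, invalid = should_block(rcpt_to, limit)
    if block:
        return "directory-harvesting: rejected envelope before DATA, %d invalid: %s" % (
            len(invalid), ", ".join(invalid))
    return "directory-harvesting: envelope accepted (%d invalid recipient(s))" % len(invalid)


if __name__ == "__main__":
    print(smtp_envelope_decision(["alice@example.com", "alise@example.com"], 2))
    print(smtp_envelope_decision(["ann@example.com", "admin@example.com"], 2))
```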