Directory harvesting

Directory harvesting attacks occur when a spammer uses known email addresses to generate other valid email addresses from corporate or ISP email servers. This technique allows the spammer to send emails to randomly generated email addresses. Some of these email addresses are real users in the organization however many of them are bogus addresses that flood the victim’s email server.

The Directory Harvesting Attacks feature in GFI MailEssentials stops these types of attacks by blocking emails addressed to users that do not exist on the organizations Active Directory or email server. This feature makes use of the Active Directory or LDAP server to search for known users within the organization.

Configuration is done from the Anti-Spam > Directory Harvesting node. Right click on this node to bring up the Directory Harvesting Properties dialog. Mark the Enable directory harvesting protection option to enable this feature.

NOTE: To avoid false positives, specify a reasonable number in the Block if non-existent recipients equal or exceed edit box. One should keep in mind that sometimes users send legitimate emails with mistyped email addresses or to users no longer employed with the company. By default, this is set to one, thus configuring Directory Harvesting to behave like in GFI MailEssentials 11.

If the amount of non-existent recipients is equal to or above the number specified, the action configured is triggered. If the total amount of recipients is less than the number specified, the action configured is triggered only if ALL the recipients do not exist, otherwise the email is not marked as SPAM.

Screenshot 48 - The directory harvesting feature

If GFI MailEssentials is installed in SMTP mode, fill in your LDAP server detail (i.e. server name, the rest can be left as default). If your LDAP server requires authentication, unmark the Anonymous bind option and enter the authentication details that will be used by this feature. You can test your LDAP configuration settings by clicking on the Test button or click on the Apply button to save the current settings.

If GFI MailEssentials is installed in Active Directory user mode, define the type of user lookup which best suits your company’s setup i.e., enable the Use native Active Directory lookups option to search for user information in the Active Directory or enable the Use LDAP lookups option and specify your LDAP setting to search for user information on your LDAP server.

NOTE 1: If GFI MailEssentials is installed in Active Directory user mode on a DMZ, the Active Directory of a DMZ, normally, does not include all the network users (i.e. email recipients) and as a result, you will be getting many false positives. In such cases, it is recommended that you perform Directory Harvesting checks using LDAP lookups (i.e. enable the Use LDAP lookups option and specify your LDAP server details).

NOTE 2: When GFI MailEssentials is setup behind a firewall, the Directory Harvesting feature will not be able to connect directly to the internal Active Directory because of the Firewall. In this case, although both options will be available, you must make use of LDAP lookups in order to enable the Directory Harvesting feature to connect to the internal Active Directory of your network (i.e., pass through your Firewall). Make sure to enable default port 389 on your Firewall

NOTE 3: When connecting to an Active Directory using LDAP (i.e. when GFI MailEssentials in installed on a DMZ or behind a Firewall), you have to specify the authentication credentials in this form: Domain\User (e.g. master-domain\administrator).

NOTE 4: In an Active Directory, normally the LDAP server is the Domain Controller.

Actions tab

After you have configured Directory Harvesting, click on Actions to specify what you want to do with emails marked as spam by this filter. For more information on possible actions, please refer to the ‘Actions – what to do with spam email’ section in this chapter.

Other tab

Please refer to the ‘Other options’ section in this chapter.