Determining why Directory Harvesting blocked or allowed a message

Overview

The Directory Harvesting Anti-Spam plug-in checks whether the SMTP recipients of incoming mail are real users or the product of a directory harvesting attack.

This article explains how to determine, as part of troubleshooting, why the Directory Harvesting Anti-Spam filter blocked or allowed a message.

  

Introduction

Directory Harvesting is an email attack in which known email addresses are used as a template to guess other likely email addresses. MailEssentials stops these attacks by blocking emails addressed to users that are not in the organization's Active Directory or email server.

There are scenarios where customers open support requests to understand why the Directory Harvesting filter blocked or allowed specific messages contrary to their expectations. The next section outlines the troubleshooting process for determining the reason behind the action taken by this filter.

  

Description

If you are questioning why an email was blocked or allowed by the Directory Harvesting filter and would like more information, the best place to start troubleshooting is the debug logs.
Follow the procedure below to locate the log file and the entries for the email message under review, then use the examples that follow to interpret why the message was blocked or allowed:
  1. Find the Message-ID of the email in question, either from the headers of the message itself or from the MailEssentials Dashboard > Logs > Details tab. Refer to the linked article on Reading Email Headers for more information on extracting the Message-ID.
  2. Navigate to ..\GFI\MailEssentials\AntiSpam\DebugLogs and locate the log file for the module. The debug log filename is ase_dirharvest.gfi_log.txt
    • This debug log file corresponds to GFI MailEssentials > Anti-Spam > Anti-Spam Filters > Directory Harvesting in the configuration UI.
  3. Open the debug log file in a text editor and search for the Message-ID obtained in step 1.
  4. Refer to the scenarios below to determine the reasons behind the action taken by the module. Pay close attention to the lines in bold to understand what happened and why.
The debug log file indicates whether Directory Harvesting protection is enabled and records any actions taken by the filter while scanning emails. If the module is disabled, the log file will simply show:
ProcessMessage Exiting, plug-in is disabled from the configuration
The following lines after the Message-ID confirm that the filter is enabled and has successfully loaded its configuration. In this extract MailEssentials is installed in SMTP mode:
"info ","ase_dirharvest","---------------------------------------------------------"
"info ","ase_dirharvest","Message ID: <b99202b5439565bbd8053e6de39d9d07@EC2AMAZ-TEDQDCP>"
"info ","ase_dirharvest","---------------------------------------------------------"
"info ","ase_dirharvest","Refresh Context"
"info ","ase_dirharvest","RefreshContext (0xB8427D0)"
"info ","ase_dirharvest","Loading settings."
"info ","ase_dirharvest","Loading exclusion list..."
"info ","ase_dirharvest","No entries found in dir harvest exclusion table"
"info ","ase_dirharvest","SetupLDAP: LDAP is enabled"
"info ","ase_dirharvest","SetupLDAP: connection string[server=EC2AMAZ-TEDQDCP;port=389;version=3;basedn=;ssl=0;bind=anonymous;user=administrator@EC2AMAZ-..."
"info ","ase_dirharvest","SetupLDAP: connection string changed, reopening the connection..."
"info ","ase_dirharvest","RefreshContext Done..."
"info ","ase_dirharvest","Setting LDAP for lookups..."

 

Scenario 1: Email was allowed by the module

ProcessMessage (0x87B79D8) - In Full Email mode, this will be a message ID
Getting SMTP recipients
SMTP Recipients [1]
B.Processing UserExists
0. Inexistent threshold 1
1.Checking if user gfitest@gfitest.com exists
2.User exists
C.UserExists Processed
UserExists tested. [Not performing action]
Note: If the log reports that a user does not exist, check your connection to Active Directory using the Test button in the Active Directory Settings within the configuration.
 

Scenario 2: Email was blocked by the module

ProcessMessage (0x87B78B8) - In Full Email mode, this will be a message ID
Getting SMTP recipients
SMTP Recipients [1]
B.Processing UserExists
0. Inexistent threshold 1
1.Checking if user noname@gfi.com exists
2.User does not exist
3.Checking if user is excluded...
No excluded users
3.User is not excluded
4. Performing action
C.UserExists Processed
UserExists tested. [Performing action]

Note: If a user exists but was blocked, restart all MailEssentials services and run the Active Directory test from the filter settings in the configuration.
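The two scenarios above are read by hand in the article; the following Python script is an added example (not part of the article or of GFI MailEssentials) that automates the same reading of ase_dirharvest.gfi_log.txt. It locates the block belonging to a Message-ID, follows the UserExists check line by line and reports the verdict in the article's terms. The embedded log extract is constructed for this example: it assumes every line carries the same "level","module","text" wrapper shown in the header extract, reuses the Message-ID from the article for the allowed case, and invents the other two Message-IDs; the wording "User is excluded" for an excluded recipient is an assumption, since the article only shows the not-excluded path.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample extract (not a real log). The second and third Message-IDs
# are made up; the first is the one shown in the article.
SAMPLE_LOG = '''"info ","ase_dirharvest","---------------------------------------------------------"
"info ","ase_dirharvest","Message ID: <b99202b5439565bbd8053e6de39d9d07@EC2AMAZ-TEDQDCP>"
"info ","ase_dirharvest","---------------------------------------------------------"
"info ","ase_dirharvest","SetupLDAP: LDAP is enabled"
"info ","ase_dirharvest","ProcessMessage (0x87B79D8) - In Full Email mode, this will be a message ID"
"info ","ase_dirharvest","SMTP Recipients [1]"
"info ","ase_dirharvest","B.Processing UserExists"
"info ","ase_dirharvest","0. Inexistent threshold 1"
"info ","ase_dirharvest","1.Checking if user gfitest@gfitest.com exists"
"info ","ase_dirharvest","2.User exists"
"info ","ase_dirharvest","C.UserExists Processed"
"info ","ase_dirharvest","UserExists tested. [Not performing action]"
"info ","ase_dirharvest","---------------------------------------------------------"
"info ","ase_dirharvest","Message ID: <constructed-0002@example.invalid>"
"info ","ase_dirharvest","---------------------------------------------------------"
"info ","ase_dirharvest","SetupLDAP: LDAP is enabled"
"info ","ase_dirharvest","ProcessMessage (0x87B78B8) - In Full Email mode, this will be a message ID"
"info ","ase_dirharvest","SMTP Recipients [1]"
"info ","ase_dirharvest","B.Processing UserExists"
"info ","ase_dirharvest","0. Inexistent threshold 1"
"info ","ase_dirharvest","1.Checking if user noname@gfi.com exists"
"info ","ase_dirharvest","2.User does not exist"
"info ","ase_dirharvest","3.Checking if user is excluded..."
"info ","ase_dirharvest","No excluded users"
"info ","ase_dirharvest","3.User is not excluded"
"info ","ase_dirharvest","4. Performing action"
"info ","ase_dirharvest","C.UserExists Processed"
"info ","ase_dirharvest","UserExists tested. [Performing action]"
"info ","ase_dirharvest","---------------------------------------------------------"
"info ","ase_dirharvest","Message ID: <constructed-0003@example.invalid>"
"info ","ase_dirharvest","---------------------------------------------------------"
"info ","ase_dirharvest","ProcessMessage Exiting, plug-in is disabled from the configuration"
'''

# "level","module","text" wrapper assumed on every line (seen on the header lines).
WRAPPER = re.compile(r'^"[^"]*","[^"]*","(?P<text>.*)"$')


def unwrap(line: str) -> str:
    """Return the message text of a log line, dropping the level/module columns."""
    m = WRAPPER.match(line.strip())
    return m.group("text") if m else line.strip()


@dataclass
class Verdict:
    message_id: str
    plugin_enabled: bool = True
    ldap_enabled: bool = False
    recipients: List[Dict] = field(default_factory=list)  # address / exists / excluded
    action_taken: Optional[bool] = None  # None = no UserExists verdict logged


def split_by_message(log: str) -> Dict[str, List[str]]:
    """Group the text of each log line under the Message-ID header that precedes it."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in log.splitlines():
        text = unwrap(raw)
        m = re.match(r"Message ID: (<[^>]+>)", text)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current is not None:
            blocks[current].append(text)
    return blocks


def analyse(message_id: str, lines: List[str]) -> Verdict:
    """Follow the numbered UserExists steps and the final [action] line for one message."""
    v = Verdict(message_id)
    rcpt = None  # recipient currently being checked
    for text in lines:
        if "plug-in is disabled" in text:
            v.plugin_enabled = False
        elif "SetupLDAP: LDAP is enabled" in text:
            v.ldap_enabled = True
        m = re.match(r"\d+\.\s*Checking if user (\S+) exists", text)
        if m:
            rcpt = {"address": m.group(1), "exists": None, "excluded": False}
            v.recipients.append(rcpt)
        elif rcpt is not None and re.match(r"\d+\.\s*User exists", text):
            rcpt["exists"] = True
        elif rcpt is not None and re.match(r"\d+\.\s*User does not exist", text):
            rcpt["exists"] = False
        elif rcpt is not None and re.match(r"\d+\.\s*User is excluded", text):
            rcpt["excluded"] = True  # assumed wording for the excluded path
        if text.startswith("UserExists tested."):
            v.action_taken = "[Performing action]" in text
    return v


def explain(v: Verdict) -> str:
    """One-line reason in the article's terms, including its troubleshooting hint."""
    if not v.plugin_enabled:
        return "not scanned: Directory Harvesting plug-in is disabled in the configuration"
    if v.action_taken is None:
        return "no UserExists verdict found for this Message-ID"
    if not v.action_taken:
        return "allowed: all recipients exist in the directory"
    missing = [r["address"] for r in v.recipients if r["exists"] is False and not r["excluded"]]
    return ("blocked: recipient(s) not found in the directory and not excluded: "
            + ", ".join(missing)
            + " (if they do exist in Active Directory, run the Test in the AD settings)")


def why(log: str, message_id: str) -> Optional[Verdict]:
    """Look up one Message-ID (as found in the headers or the Dashboard) in the log."""
    blocks = split_by_message(log)
    return analyse(message_id, blocks[message_id]) if message_id in blocks else None


if __name__ == "__main__":
    for mid in split_by_message(SAMPLE_LOG):
        print(mid, "->", explain(why(SAMPLE_LOG, mid)))
```

To use it against a real installation, read ase_dirharvest.gfi_log.txt into a string and pass it with the Message-ID from step 1 to why(); a None result means the Message-ID never reached the module, which points back to the dashboard log rather than to this filter.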
  

Priyanka Bhotika
Posted 17 days ago
Updated 17 days ago