Directory harvesting attacks occur when spammers send emails to randomly generated email addresses and while some email addresses may match real users, the majority of these messages are invalid and consequently floods the victim’s email server. This article describes the process to set up Directory Harvesting.
GFI MailEssentials stops these attacks by blocking emails addressed to users that are not in the organizations’ Active Directory or email server.
Directory Harvesting is set up in two stages:
Stage 1 - Configuring Directory Harvesting Properties
- Open the GFI MailEssentials configuration.
- Go to Anti-Spam > Anti-Spam Filters > Directory Harvesting.
- Enable Directory Harvesting and choose the lookup method to use:
Option Description Enable directory harvesting protection Enable/Disable Directory Harvesting. Use native Active Directory lookups
Choose the option to retrieve the list of local users from Active Directory (or from a Remote AD if GFI MailEssentials is installed in Remote Active Directory mode).
Use LDAP lookups
Choose this option when GFI MailEssentials is installed in SMTP mode and you want to retrieve the list of users from a separate Active Directory instance using LDAP.
Enter the Active Directory server details. If the LDAP server requires authentication, uncheck the Anonymous bind option and enter the authentication details that will be used by this feature.
Note: Specify authentication credentials using Domain\User format (e.g. master-domain\administrator).
- On the "Block if non-existent recipients equal or exceed" box, specify the number of non-existent recipients that qualify the email as spam. This enables the following behavior:
- All recipients of the email are invalid - it will be blocked by Directory Harvesting.
- At least one recipient exists and the rest do not exist:
- The number of non-existing emails is lower than the configured value - it will not be blocked since there is at least one valid recipient and the configured threshold has not been reached
- The number of non-existing emails is equal or higher than the configured value - it will be blocked since the set threshold has been reached
Avoid false positives by configuring a reasonable amount in the Block if non-existent recipients equal or exceed box. This value should account for users who send legitimate emails with mistyped email addresses or to users no longer employed by the company. It is recommended to set the value to a minimum of 2.
- Enter an email address and click on Test to verify Directory Harvesting settings. Repeat the test using a non-existent email address and ensure that Active Directory lookup fails.
- Click on the Actions tab to select the actions to perform on messages identified as spam. For more information, refer to the GFI MailEssentials Spam Actions article.
If Directory Harvesting is set to run at the SMTP level, only the Log rule occurrence to this file option will be available in the Actions tab.
- Click on Apply.
Stage 2 - Selecting if Directory Harvesting should be done during the SMTP transmission.
- Go to Anti-spam > Filter Priority, and choose the SMTP Transmission Filtering tab.
- Click on Switch to toggle the Directory Harvesting filtering between:
Option Description Filtering on receiving full email Filtering is done when the whole email is received. Filtering during SMTP transmission
Filtering is done during SMTP transmission by checking if the email recipients exist before the email body and attachment are received.Note
If this option is chosen, Directory Harvesting will always run before the other spam filters.
- Click on Apply.