Phone Lines icon GFI Support Home

Articles in this section

See more

Directory Harvesting is not Filtering Non-existent Email Addresses

Author: Luis Fernandes Updated

Overview

Directory harvesting attacks occur when spammers try to guess email addresses by attaching arbitrary usernames to your domain. These non-existent email addresses are invalid and consequently floods the email server unnecessarily.

This article describes the possible solution when the MailEssentials is failing to stop Directory Harvesting attacks by blocking emails addressed to users that are not in the organizations’ Active Directory or email server.

Diagnosis

  • The Directory Harvesting protection is enabled but not catching fake or non-existent email addresses
  • When a Directory Harvesting test is attempted from the MailEssentials Configuration UI, any of the following errors are presented:
    • Error in lookup - Failed to open LDAP connection[Server Down]
    • Error in lookup - Failed to perform query[Operations Error]
  • The debug log file for the Directory Harvesting spam filter ..GFI\MailEssentials\Antispam\DebugLogs\ase_dirharvest.gfi_log.txt contains any of the below or similar error messages:
    • "error  ","ase_dirharvest","5.FindUser failed [0x80004005, Failed to perform query[Operations Error]]. Cannot check this recipient"
    • "info  ","ase_dirharvest","UserExists processing failed."
    • "error ","ase_dirharvest","Lookup operation failed! [Internal error: 0x80004005, (null)"
    • "error ","ase_dirharvest","_com_error exception caught in CAwlCache::ExecuteSqlCommand:171 -> 'Unspecified error' (0x80004005)" 
    • Any other Internal errors with exception code 0x80004005 which usually indicate socket connectivity exceptions 

Solution

This issue occurs when the global catalog server becomes unreachable or unavailable because the default behavior is for Directory Harvesting to pass the items off to the next MailEssentials filter in the Anti-Spam chain and not block anything. All other filters will still process the messages accordingly as configured.

Usually, the root cause is when the Base DN is incorrect or the default port is not open to the global catalog or LDAP server. This is resolved by following the steps given below:

  1. Open the GFI MailEssentials configuration.
  2. Expand the Anti-Spam node > Anti-Spam Filters Directory Harvesting
  3. In the General tab, select Use LDAP lookups
  4. In the Server: field, specify the name or IP address of the Global Catalog server
  5. In the Port field, insert the port of your Global Catalog. By default, this is 3268
  6. In the Base DN: field, you need to specify the least restrictive Base DN. To ensure that Directory Harvesting will retrieve information from all domains, you can leave the Base DN empty. This can be achieved by entering a single space in the Base DN field
  7. Add administrator credentials with permissions to perform the lookup and click Apply to save the changes.

Testing

  1. Click the Test button and try using existing email addresses from all local domains to confirm that Directory Harvesting is working correctly by allowing these emails through.
  2. Key in a non-existent email address and click on the Test button. Directory Harvesting is working as expected by blocking the emails addressed to fake recipients.
  3. Send a test email from an external account to an account you know does not exist in your domain and monitor to ensure that the error does not display in the logs again and that the Email was correctly blocked by the Directory Harvesting filter. You can check this from the Dashboard logs or the ase_dirharvest.gfi_log.txt debug log file.

Related Articles

Back to top

Related articles