The Directory Harvesting filter does not work correctly. The configured action is to move blocked emails to "Exchange Mailbox Sub-Folder", but all blocked emails are delivered to the users' Inbox instead of the configured folder.
With tracing enabled, the logs show the following errors:
<GFI MailEssentials installation path>\GFI\MailEssentials\Antispam\DebugLogs\QAS.MoveToInbox.log
2020-09-15,15:02:00,413,1,"#00004FF8","#00000005","info ","QAS.MoveToInbox","Actions Move To Inbox and/or Move to Junk Folder is not enabled"
<GFI MailEssentials installation path>\GFI\MailEssentials\Antispam\DebugLogs\QAS.MTEF.log
2020-09-15,15:02:00,319,1,"#00004FF8","#00000005","info ","QAS.MTEF","AutoDiscover::Discover <<"
2020-09-15,15:02:00,319,1,"#00004FF8","#00000005","error ","QAS.MTEF","ERROR: AutoDiscover() returned false"
<GFI MailEssentials installation path>\GFI\MailEssentials\Attendant\DebugLogs\PFTrainEWS.log
error:Failed to Process: There is an error in XML document (238, 28).
This is linked to Exchange Autodiscover issues, which can be confirmed by running the following command in an Exchange Management Shell:
Test-OutlookWebServices <email@example.com> -MailboxCredential (get-credential <domain\alias>) | fl result
In this command, <email@example.com> is a legitimate email address from your organization, and
<domain\alias> is the Exchange user configured for MailEssentials.
Running the command above generates inconsistent results, similar to the image above.
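To show that the results vary between runs rather than relying on a single call, the same check can be repeated and tallied. This is an added example, not part of the original article or of GFI's tooling; the placeholder mailbox and account, the run count and delay, and the Scenario output property (as returned by Exchange 2013 and later) are assumptions.

```powershell
# Added example: repeat the Autodiscover check from the article and tally outcomes.
# Run in the Exchange Management Shell. Replace the placeholder values first.
$Mailbox      = 'user@example.com'   # placeholder: a legitimate address from your organization
$Alias        = 'DOMAIN\alias'       # placeholder: the Exchange user configured for MailEssentials
$Runs         = 10                   # assumption: number of repetitions
$DelaySeconds = 30                   # assumption: pause between repetitions

# Prompt for the password once and reuse the credential for every run.
$cred = Get-Credential $Alias

$results = for ($i = 1; $i -le $Runs; $i++) {
    try {
        Test-OutlookWebServices $Mailbox -MailboxCredential $cred -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Run      = $i
                    Time     = Get-Date
                    Scenario = "$($_.Scenario)"   # assumption: Exchange 2013+ output
                    Result   = "$($_.Result)"     # same property the article inspects
                }
            }
    }
    catch {
        # A failure of the cmdlet itself is recorded as its own outcome.
        [pscustomobject]@{
            Run      = $i
            Time     = Get-Date
            Scenario = '(cmdlet error)'
            Result   = $_.Exception.Message
        }
    }
    if ($i -lt $Runs) { Start-Sleep -Seconds $DelaySeconds }
}

# How often each scenario returned each result.
$results | Group-Object Scenario, Result | Sort-Object Name |
    Format-Table Count, Name -AutoSize

# Scenarios whose result changed between runs, i.e. the inconsistency described above.
$results | Group-Object Scenario | Where-Object {
    @($_.Group | Select-Object -ExpandProperty Result -Unique).Count -gt 1
} | ForEach-Object {
    $seen = @($_.Group | Select-Object -ExpandProperty Result -Unique) -join ', '
    "INCONSISTENT: $($_.Name) returned $seen across $Runs runs"
}
```

A scenario listed as INCONSISTENT, or a mix of successful runs and cmdlet errors, points to the Exchange environment rather than to MailEssentials.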
This is an environmental issue that cannot be solved from within MailEssentials. The workaround in this case is to re-configure the Directory Harvesting filter to quarantine the emails.
To limit the number of quarantined emails, it is recommended to enable keyword checking.