Directory Harvesting Non-existing Recipient Limit not working
|
Logged in as: Guest
|
|
Users viewing this topic:
none
|
|
Login  | |
|
Directory Harvesting Non-existing Recipient Limit not w... - 30.May2008 8:17:04 AM
|
|
|
rralston
Posts: 24
Joined: 9.Feb.2006
Status: offline
|
I have just found a problem with Directory Harvesting where it is ignoring the non-existant recipient limit. I have ME 12 build 20080508 installed as a Perimeter Server, and MailSecurity 10 build 20071129 on the same machine (those are the only applications on this server (Exchange is on a separate server.)
DH is configured using LDAP and has the non-existant recipient limit set to 2. Emails with exactly 1 recipient, which is mispelled, are being blocked by ME. I tested this by sending in a mispelled recipient email from an external account.
I tried setting the limit to other values (all the way to 9) but the emails are still blocked. Not sure which build this started happening in, but it is definitely a problem in the latest.
Also, yes I tested the LDAP lookup of the DH module and it is working fine.
This is pretty serious, as now potentially legitimate emails are not passed to Exchange, so an NDR is not being generated when it should be.
As a temporary work around, I configured the DH module to generate an NDR. This ME NDR I found is being sent to the Exchange Server instead of being returned to the recipient, which in itself is a big problem.
I have now had to disable DH altogether until this is fixed.
(Note: this is happening on two separate systems in two different networks. This ME and MSEC setup is identical)
Rob Ralston
< Message edited by rralston -- 30.May2008 8:28:49 AM >
|
|
|
|
|
RE: Directory Harvesting Non-existing Recipient Limit n... - 17.Jun.2008 8:12:57 AM
|
|
|
rralston
Posts: 24
Joined: 9.Feb.2006
Status: offline
|
This problem exists on two different networks. If possible, it would be helpful if others using DH with ME12 build 20080508 would test this from an external mailbox, as it doesn't let any misspelled recipient to get through to Exchange, when it should. So legitimate NDRs are not being generated.
Thanks for any feedback.
Rob Ralston
|
|
|
|
|
RE: Directory Harvesting Non-existing Recipient Limit n... - 17.Jun.2008 11:10:05 AM
|
|
|
John Letourneau
Posts: 1124
Joined: 28.Apr.2008
From: Clayton, NC
Status: offline
|
rralston,
I just did this test on my test network and did not receive the same results as you. I configured my installation of GFI MailEssentials 12 build 20080508 to use LDAP lookups on Directory Harvesting and then set the value to 2. After doing this I sent a test message in from gmail.com to one valid user and one non valid user. The message was delivered to the valid user without a problem. No log was generated by the Directory Harvesting module reporting that it blocked the non valid message. If I send to two non valid addresses the messages are blocked.
_____________________________
Regards,
John Letourneau - Senior Technical Support Representative
GFI Software - www.gfi.com
|
|
|
|
|
RE: Directory Harvesting Non-existing Recipient Limit n... - 17.Jun.2008 11:22:24 AM
|
|
|
rralston
Posts: 24
Joined: 9.Feb.2006
Status: offline
|
John,
Thank you for testing. I also have the limit value set to 2. I get the same results if I send to one valid and one misspelled address.
However, please try sending to a single email address which is misspelled, without any legitimate addresses included. I suspect it will get caught be DH.
Rob Ralston
|
|
|
|
|
RE: Directory Harvesting Non-existing Recipient Limit n... - 19.Jun.2008 6:48:52 AM
|
|
|
rralston
Posts: 24
Joined: 9.Feb.2006
Status: offline
|
Hi John,
Were you ever able to test this by sending in only one non-valid recipient (i.e., no other valid or non-valid recipients included)?
Rob Ralston
|
|
|
|
|
RE: Directory Harvesting Non-existing Recipient Limit n... - 23.Jun.2008 11:04:17 AM
|
|
|
John Letourneau
Posts: 1124
Joined: 28.Apr.2008
From: Clayton, NC
Status: offline
|
rralston,
The message sent to the single non-valid user was not blocked.
_____________________________
Regards,
John Letourneau - Senior Technical Support Representative
GFI Software - www.gfi.com
|
|
|
|
|
RE: Directory Harvesting Non-existing Recipient Limit n... - 23.Jun.2008 11:07:48 AM
|
|
|
rralston
Posts: 24
Joined: 9.Feb.2006
Status: offline
|
Hi John,
I'm using LDAP lookup. Is that what you are using or are you using Native AD lookups? Perhaps that is the difference?
Rob Ralston
|
|
|
|
|
RE: Directory Harvesting Non-existing Recipient Limit n... - 23.Jun.2008 11:10:06 AM
|
|
|
John Letourneau
Posts: 1124
Joined: 28.Apr.2008
From: Clayton, NC
Status: offline
|
rralston,
I configured my server to use LDAP lookups as well.
_____________________________
Regards,
John Letourneau - Senior Technical Support Representative
GFI Software - www.gfi.com
|
|
|
|
|
RE: Directory Harvesting Non-existing Recipient Limit n... - 23.Jun.2008 1:11:26 PM
|
|
|
rralston
Posts: 24
Joined: 9.Feb.2006
Status: offline
|
What do you need to troubleshoot this further?
Rob
|
|
|
|
|
RE: Directory Harvesting Non-existing Recipient Limit n... - 28.Jun.2008 12:50:26 PM
|
|
|
rralston
Posts: 24
Joined: 9.Feb.2006
Status: offline
|
Hi John,
Before I opened a case, I was doing a little more digging myself. I found the following KB article http://kbase.gfi.com/showarticle.asp?id=KBID003271 which describes how to configure the number of incorrect addresses for DH, and how the DH filter will handle different cases.
In that article, it says:
"If the total amount of recipients is less than the number specified, the action configured is triggered only if all the recipients do not exist, otherwise the email is not blocked as SPAM by Directory Harvesting."
So, this actually says DH in my case is working as designed (not a good design, but as designed). Since I have a limit of 2, if a message contains only a SINGLE recipient, which is misspelled, then the above statement says it should be blocked, because it is less than 2. This is the "problem" I reported.
So, if that is the design, then how is it that your test did not produce these same results? And if this is the design, there really is nothing to troubleshoot.
I say this is a bad design, because this does not allow for the obvious case of a legitimate email, to one recipient, having an accidentally misspelled email address. An NDR needs to be generated for this, so the email needs to go to Exchange so it can generate the NDR.
If it doesn't work this way, I don't see how anyone can use this if they want NDRs generated for such a case.
As a result, I guess this is now a request to allow an option for the admin to determine how this case is actually handled. For now, I have to leave it disabled, so I am paying for a feature that cannot be used.
I think if other users really look at how this works, a lot will likely agree this is a problem.
Rob Ralston
< Message edited by rralston -- 28.Jun.2008 1:00:18 PM >
|
|
|
|
|
RE: Directory Harvesting Non-existing Recipient Limit n... - 29.Jun.2008 12:52:45 AM
|
|
|
John Letourneau
Posts: 1124
Joined: 28.Apr.2008
From: Clayton, NC
Status: offline
|
Rob,
As you see in the article it does say "If the total amount of recipients is less than the number specified, the action configured is triggered only if all the recipients do not exist, otherwise the email is not blocked as SPAM by Directory Harvesting."
What this would mean is that in your situation if you have Directory Harvesting set at a limit of 2 and someone sent you a message to 1 recipient and that recipient did not exist Directory Harvesting would block this message. It is saying that if the limit is not met but all of the users the message is sent to do not exist it will still block the message.
My test scenario displayed the correct results. If I have a limit set of 2 and I send a message to a valid user and a non valid user the message is not blocked. If I send a message to one valid user the message is not blocked. If I send a message to one non valid user the message is blocked.
_____________________________
Regards,
John Letourneau - Senior Technical Support Representative
GFI Software - www.gfi.com
|
|
|
|
|
RE: Directory Harvesting Non-existing Recipient Limit n... - 29.Jun.2008 5:20:36 AM
|
|
|
rralston
Posts: 24
Joined: 9.Feb.2006
Status: offline
|
John,
I guess I was confused by your reply on June 23 at 11:04:17 AM when you said:
"The message sent to the single non-valid user was not blocked"
So, I get it. The DH module is working as designed. However, I still maintain there needs to be an option for an admin to allow a message, which has only one and only one recipient, which happens to be misspelled, to not be blocked.
If you want to attempt to adhere to the RFC, then this scenario needs to allow for Exchange to receive the email and generate an NDR. Yes, I know it could be SPAM, but it is also very likely to be legitimate, and the sender needs to know this happened.
When initially introduced, the original DH filter did not have the ability to set a limit. The limit was added at customers' request because of exactly this scenario which we are discussing. It would seem the design was changed somewhere along the line.
John, please add an enhancement request to allow admins to set an optional DH parameter which will allow a message with one and only one recipient, which is non existent, to not be blocked. Such an option will allow admins that want this scenario to generate the proper RFC response to do so, while also allowing for the current operation for admins that prefer the current behavior.
Thank you.
Rob Ralston
|
|
|
|
|
RE: Directory Harvesting Non-existing Recipient Limit n... - 6.Jul.2008 1:30:07 PM
|
|
|
John Letourneau
Posts: 1124
Joined: 28.Apr.2008
From: Clayton, NC
Status: offline
|
rralston,
As this is going to require a close look at logs from your system I would recommend submitting a support request at http://crm.gfi.com/Customizations/SupportIssue/support.aspx?lcode=en to get this resolved.
_____________________________
Regards,
John Letourneau - Senior Technical Support Representative
GFI Software - www.gfi.com
|
|
|
|
|
RE: Directory Harvesting Non-existing Recipient Limit n... - 6.Jul.2008 2:56:42 PM
|
|
|
rralston
Posts: 24
Joined: 9.Feb.2006
Status: offline
|
John,
I don't understand. I thought we just established that the DH module is actually working as designed. So what is the point of looking at my logs?
What I asked for in my last post was for you to submit an enhancement request. If you can't do this, what is the correct procedure for me to request an enhancement to the operation of the DH module?
Rob Ralston
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
|
Printable Version
