However, MailEssentials' directory harvesting protection appears to have been an afterthought, because the program only checks recipient validity after it has accepted a message. The program does offer a "Generate a Non Delivery Report (NDR)" option, but the resulting NDR (a kind of delivery status notification, or DSN) is a fake one, because it's generated only after your server has already accepted transmission of the misaddressed message.
Why is this behavior a bad thing? First, if the NDR option is disabled (the default), a sender that misspells an e-mail address is never notified that the recipient name is not valid. Silence is fine as far as spammers are concerned (you don't want them learning which of your addresses are valid), but it's not good for legitimate senders (they're never told that the address doesn't exist). So, you decide to enable the fake NDR feature. This is even worse, because it lets spammers exploit your server to send backscatter.
What's backscatter? Backscatter is spamming via DSNs. Imagine this scenario:
- Spammer sends a message to your server. The "from" address is the address he's spamming, and the "to" address is a non-existent recipient on your server.
- MailEssentials accepts the message, then determines that the recipient doesn't exist.
- MailEssentials generates an NDR to the forged "from" address, so the spammer's target receives unsolicited mail that appears to come from your server.
The right way to reject invalid recipients is to do it during the SMTP conversation, before the message even gets transmitted. This way, the sending server is forced to deal with the failure. This way of doing things has two good side effects:
- Your server spends a lot less time dealing with mail sent to invalid recipients.
- Legitimate users that misspell an e-mail address will get an NDR from their own server (not yours).
The point is that you should not rely on GFI MailEssentials as your only spam filtering solution. I opted for a smarter product: Vamsoft's Open Relay Filter Enterprise Edition (ORFEE). Like MailEssentials, it uses Microsoft's SMTP server, but unlike MailEssentials, it lets you filter mail during the SMTP conversation. It can look up addresses in an Active Directory domain and reject invalid recipients before the message body is ever sent. ORFEE can also delay the server's response on invalid recipients (sometimes called tarpitting), discouraging spammers that are attempting to harvest your directory. You get all the benefits: legitimate senders are notified when they send to a non-existent recipient, spammers will most likely not tolerate the delays when they attempt to gather valid addresses, and they can't use your server to send backscatter.
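To make the difference between the two designs concrete, here is a small SMTP session simulator I've added for illustration (not code from GFI or Vamsoft). It replays the backscatter scenario above against both policies: `reject_at_rcpt=True` answers `550` at `RCPT TO` and records a tarpit delay, while `reject_at_rcpt=False` accepts the message and then queues an NDR to the forged sender. The local mailbox list, domain names and addresses are constructed sample data, and the directory lookup is a stand-in for a real Active Directory query.

```python
import re

VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}  # constructed sample directory

def is_valid_recipient(addr):
    """Stands in for the Active Directory lookup a product like ORFEE performs."""
    return addr.lower() in VALID_RECIPIENTS

def _addr(arg):
    """Extract a@b from 'FROM:<a@b>' / 'TO:<a@b>' (RFC 5321 requires the brackets)."""
    return re.search(r"<([^>]*)>", arg).group(1)

def run_session(commands, reject_at_rcpt=True, tarpit_seconds=0):
    """Replay one inbound SMTP session; returns replies, NDR targets and tarpit delay (recorded, not slept)."""
    responses, ndrs, delay = [], [], 0
    sender, rcpts, in_data = None, [], False
    for line in commands:
        if in_data:
            if line == ".":  # end of message: the post-acceptance design checks recipients only now
                in_data = False
                if any(not is_valid_recipient(r) for r in rcpts):
                    ndrs.append(sender)  # fake NDR goes to the (forged) MAIL FROM address
                responses.append("250 2.0.0 Queued")
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            responses.append("250 mail.example.com")
        elif verb == "MAIL":
            sender = _addr(arg)
            responses.append("250 2.1.0 Sender OK")
        elif verb == "RCPT":
            rcpt = _addr(arg)
            if reject_at_rcpt and not is_valid_recipient(rcpt):
                delay += tarpit_seconds  # tarpit: make directory harvesting slow
                responses.append("550 5.1.1 User unknown")
            else:
                rcpts.append(rcpt)  # accept now, discover the problem later
                responses.append("250 2.1.5 Recipient OK")
        elif verb == "DATA":
            if rcpts:
                in_data = True
                responses.append("354 Start mail input")
            else:
                responses.append("554 5.5.1 No valid recipients")
        elif verb == "QUIT":
            responses.append("221 2.0.0 Bye")
        else:
            responses.append("500 5.5.1 Command unrecognized")
    return {"responses": responses, "ndrs": ndrs, "delay": delay}
```

With the strict policy the forged sender never receives anything and the sending server is left to deal with the `550`; with the lax policy the same session ends with an NDR addressed to the spammer's victim.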