Enable Recipient Filtering to Prevent Directory Harvesting
Posted by Carlos Rios on 16 November 2017 07:18 PM

Recipient filtering is a very important, often overlooked setting. It allows you to fight spam attacks. Take a dictionary attack, for example. Spammers send mail to a list of common names, hoping to find users that exist in your domain by reading NDRs generated by Exchange.

Exchange 2013 

To enable recipient filtering, run the following command:

Set-RecipientFilterConfig -Enabled $true

When you disable recipient filtering, the underlying recipient filter agent is still enabled. To disable the recipient filter agent, run the following command: 

Disable-TransportAgent "Recipient Filter Agent"

To verify that you have successfully enabled or disabled recipient filtering:

  • Run the following command: Get-RecipientFilterConfig | Format-List Enabled
  • Verify the value displayed is the value you configured

Exchange 2007/2010

In Exchange 2007/2010, the process of rejecting emails sent to invalid users is called recipient validation. Enabling this is made complicated in Exchange 2007/2010 by the way Microsoft split the functions of Exchange into different roles.  

Recipient validation is part of the anti-spam features that are present by default only on the server performing the edge transport role.

The problem is that if you only have one Exchange server in your company, as most people do, it will be performing the hub transport, client access and mailbox roles but not the edge transport role, as this has to be on a separate server (an Exchange email system will work fine without the edge transport role).

The solution is to install the anti-spam features on the hub transport role, so we'll start by doing this. If you do happen to have a separate edge transport server, then skip ahead to the next section.

Step 1: Install the anti-spam agent on the hub transport role

  1. Open the Exchange Management Shell and enter the command: cd c:\Program Files\Microsoft\Exchange Server\Scripts (this changes the directory to the folder containing a PowerShell script, provided by Microsoft, for installing the anti-spam features on the hub transport)
  2. Type the following command to run this script: .\install-antispamagents.ps1
  3. Close the Exchange Management Shell window and either reboot the server or go to: Start > Run and type services.msc then click OK
  4. Locate the service called Microsoft Exchange Transport, right-click on it and select Restart

Step 2: Configure Recipient Validation

  1. Open the Exchange Management Console and go to Organization Configuration > Hub Transport and select the new Anti-Spam tab (if you have a separate edge transport server then you'll find the Anti-Spam tab under Edge Transport)
  2. Right-click on Recipient Filtering and select Properties
  3. Go to the Blocked Recipients tab and select "Block messages sent to recipients not in the Global Address List"
  4. Click OK

Step 3: Disable all other anti-spam features

If you just installed the anti-spam agents in Step 1, some of these features will now be active by default. Whether you enable or disable these other anti-spam features is something you need to think about carefully and perhaps experiment with a little. Today's job is to enable recipient filtering, not to reconfigure your entire anti-spam system. So we recommend that, for now, you disable all the other new features by right-clicking on each feature, in turn, (except Recipient Filtering, of course!) and selecting Disable.

Exchange 2003

  1. In Exchange System Manager, navigate to Global Settings, right-click on Message Delivery and chose Properties
  2. On the Recipient Filtering tab, select "Filter recipients who are not in the Directory" then click OK
  3. Click OK to the warning message that pops up (it's just saying we need to perform a further step)
  4. Go to Servers > [SERVER NAME] > Protocols > SMTP > then right-click on Default SMTP Virtual Server and click Properties
  5. On the General tab, click Advanced, select the listed IP address, and then click Edit
  6. Select Apply Recipient Filter then click OK > OK > OK

ERROR: This domain name does not match domain registered in the license key file (, allowed domains:,localhost, please change the product path to match the domain under Admin CP > Settings > General Settings
This product will not work properly unless untill that value is changed.

For more information please contact Kayako support at