Directory Harvest Attack Prevention: beware!

Unanswered Question
May 7th, 2007

[AsyncOS 5.1.0 on a dual C300 cluster]

We had Directory Harvest Attack Prevention switched 'on' in all
our mail flow policies until we found out that trying N invalid
recipients in one hour caused ALL subsequent SMTP
connections from that particular IP address to fail with a
'550 Too many invalid recipients' SMTP error reply by the
IronPorts.

The IP address belonged to one of the outgoing mail relays
of the largest commercial provider in the country.

In other words: one bad sender could cause thousands of
legitimate mail transactions (by other users) to fail.

Pat_ironport Sat, 06/16/2007 - 16:16

@eluyten: And what is your solution? Have you switched off "Directory Harvest Attack Prevention" completely, or just increased the number N?

Erich_ironport Sat, 06/16/2007 - 16:58

Remember you can adjust the DHAP limit "N" based on the sendergroup.
Throttled groups have a low DHAP limit.
Accepted groups have a medium DHAP limit.
Trusted groups have a higher DHAP limit.

jbivens_ironport Mon, 06/18/2007 - 14:55

My recommendation would be to create a new/special Sender Group & Mail Flow Policy for organizations that fall into this category. I would recommend either setting it to unlimited (for MTA IPs only) or increasing the DHAP limit for that domain/network owner.

Sincerely,

Jay Bivens
IronPort Systems
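
Added example (not part of the thread, and not AsyncOS code): a small Python model of a per-source-IP invalid-recipient limit, showing the collateral block described in the first post and the effect of placing the provider's relay in its own sender group. The limits, the `ISP_RELAYS` group name, the relay address, the sliding one-hour window and the "Unknown recipient" reply text are assumptions made for the illustration.

```python
from collections import defaultdict, deque

WINDOW = 3600  # seconds; the thread describes a per-hour limit (sliding window assumed)

class DhapModel:
    """Toy model of a per-source-IP invalid-recipient limit. Not AsyncOS code."""

    def __init__(self, group_limits, ip_groups, default_group="ACCEPTED"):
        self.group_limits = group_limits   # sender group -> N per hour, None = unlimited
        self.ip_groups = ip_groups         # source IP -> sender group
        self.default_group = default_group
        self.invalid = defaultdict(deque)  # source IP -> times of invalid RCPTs

    def rcpt(self, ip, now, recipient_valid):
        """SMTP reply for one RCPT TO from `ip` at time `now` (seconds)."""
        limit = self.group_limits[self.ip_groups.get(ip, self.default_group)]
        hits = self.invalid[ip]
        while hits and now - hits[0] >= WINDOW:
            hits.popleft()                 # forget rejections older than the window
        if limit is not None and len(hits) >= limit:
            return "550 Too many invalid recipients"  # hits every sender behind ip
        if not recipient_valid:
            hits.append(now)
            return "550 Unknown recipient"  # constructed reply text
        return "250 OK"

def collateral(model, relay_ip, bad_rcpts, legit_rcpts):
    """One sender behind relay_ip tries bad_rcpts invalid addresses, then other
    users send legit_rcpts valid ones. Returns how many valid ones are refused."""
    t = 0
    for _ in range(bad_rcpts):
        model.rcpt(relay_ip, t, recipient_valid=False)
        t += 1
    refused = 0
    for _ in range(legit_rcpts):
        if not model.rcpt(relay_ip, t, recipient_valid=True).startswith("250"):
            refused += 1
        t += 1
    return refused

# Constructed values: the limits, the ISP_RELAYS group and the relay address.
LIMITS = {"THROTTLED": 5, "ACCEPTED": 25, "TRUSTED": 100, "ISP_RELAYS": None}
RELAY = "192.0.2.25"  # documentation address standing in for the provider's relay

def compare():
    """Refused legitimate recipients: default policy vs. dedicated sender group."""
    default = DhapModel(LIMITS, {})
    dedicated = DhapModel(LIMITS, {RELAY: "ISP_RELAYS"})
    return collateral(default, RELAY, 30, 1000), collateral(dedicated, RELAY, 30, 1000)

if __name__ == "__main__":
    print(compare())
```

Because the counter is keyed on the connecting IP alone, the model refuses every valid recipient that follows the 25th invalid one until the window expires; the relay mapped to its own group is unaffected.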
