
Directory Harvest Attack Prevention : beware !

[AsyncOS 5.1.0 on a dual C300 cluster]

We had Directory Harvest Attack Prevention switched 'on' in all
our mail flow policies until we found out that trying N invalid
recipients in one hour caused ALL subsequent SMTP
connections from that particular IP address to fail with a
'550 Too many invalid recipients' SMTP error reply by the
IronPorts.

The IP address belonged to one of the outgoing mail relays
of the largest commercial provider in the country.

In other words : one bad sender could cause thousands of
legitimate mail transactions (by other users) to fail.


yeah - we did that once :(

You can change it to a temporary (4xx) error.

Pat_ironport
Level 1

@eluyten: And what is your solution? Have you switched off the "Directory Harvest Attack Prevention" completely or just increased the number N?

Erich_ironport
Level 1

Remember you can adjust the DHAP limit "N" based on the sendergroup.
Throttled groups have a low DHAP limit.
Accepted groups have a medium DHAP limit.
Trusted groups have a higher DHAP limit.

My recommendation would be to create a new/special Sender Group & Mail flow policy for organizations that fall into this category. I would recommend either setting it to unlimited (for MTA IPs only) or increasing the DHAP limit for that domain/network owner.

Sincerely,

Jay Bivens
IronPort Systems
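
Added example (not part of any post in this thread, and not AsyncOS code): a small Python model of a per-IP, per-hour invalid-recipient limit, showing how much legitimate mail behind a shared relay is refused under one sender-group limit versus an unlimited group for known relay IPs. Assumptions: a sliding one-hour window, a block that lasts while the count in that window is at or above the limit, constructed limit values and traffic, and a hypothetical `ISP_RELAYS` group name.

```python
from collections import defaultdict, deque

WINDOW = 3600  # seconds; the thread describes the limit as "N ... in one hour"

# Constructed per-sender-group limits (invalid recipients per hour per IP).
# None = unlimited. These are illustrative values, not AsyncOS defaults.
LIMITS = {"THROTTLED": 5, "ACCEPTED": 25, "TRUSTED": 100, "ISP_RELAYS": None}

def simulate(events, group_of, limits=LIMITS):
    """events: (ts, src_ip, sender, rcpt_is_valid) tuples, sorted by ts.
    Returns {sender: {"accepted", "unknown_rcpt", "dhap_blocked"}}."""
    recent_invalid = defaultdict(deque)  # src_ip -> timestamps of invalid RCPTs
    out = defaultdict(lambda: {"accepted": 0, "unknown_rcpt": 0, "dhap_blocked": 0})
    for ts, ip, sender, rcpt_valid in events:
        q = recent_invalid[ip]
        while q and ts - q[0] >= WINDOW:   # age out entries older than one hour
            q.popleft()
        limit = limits[group_of(ip)]
        if limit is not None and len(q) >= limit:
            out[sender]["dhap_blocked"] += 1   # "550 Too many invalid recipients"
        elif rcpt_valid:
            out[sender]["accepted"] += 1
        else:
            q.append(ts)                       # counts toward the per-IP limit
            out[sender]["unknown_rcpt"] += 1
    return {s: dict(c) for s, c in out.items()}

def collateral(result, offender="harvester"):
    """Mail from senders other than the offender that was refused by the block."""
    return sum(c["dhap_blocked"] for s, c in result.items() if s != offender)

def build_events(relay="192.0.2.10"):
    """Constructed traffic: one abusive and three legitimate senders behind one relay IP."""
    ev = [(i * 10, relay, "harvester", False) for i in range(30)]
    ev += [(i * 60 + 5, relay, f"user{i % 3}", True) for i in range(40)]
    return sorted(ev)

if __name__ == "__main__":
    events = build_events()
    for group in ("ACCEPTED", "ISP_RELAYS"):
        res = simulate(events, lambda ip, g=group: g)
        print(group, "collateral rejections:", collateral(res), res["harvester"])
```

Feeding the model real per-IP counts of invalid recipients from your own mail logs gives a rough idea of which shared relays would trip a given limit before you apply it.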

@Pat : Yes, we disabled DHAP.
