Guys, how do you proceed when you get lots of these warnings?
I mean, how do you avoid receiving Harvest attacks without the risk of losing real emails? Because if we put those IPs in the IronPort device blacklist, we may also block real emails.
Currently we have set the DHAP to a max. invalid recipients per hour: 10
Drop connection is ON when the threshold is reached.
Would you set DHAP to the default (unlimited)?
Warning <Directory>: Potential Directory Harvest Attack detected. See the system ...
Potential Directory Harvest Attack detected. See the system mail logs for more information about this attack.
Last message occurred 43 times between Mon Dec 31 14:10:12 2007 and Mon Dec 31 15:08:20 2007.
We checked the system mail log and we determined the potential attackers.
Dropping connection due to potential Directory Harvest Attack from host=('220.127.116.11', '129-112.1-85.cust.bluewin.ch'), dhap_limit=10, sender_group=SUSPECTLIST, listener=External_listener, reverse_dns=18.104.22.168"
Thanks in advance for your kind assistance.
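Before deciding whether to blacklist, it helps to see which hosts hit the DHAP limit repeatedly and which did so once. The following is an added example, not part of the original post: it tallies drop lines per host, assuming each drop is logged in the form of the line quoted above. The sample lines, addresses and host names are constructed.

```python
import re
from collections import Counter

# Matches the drop message in the form quoted in the post; any log prefix is ignored.
DROP_RE = re.compile(
    r"Dropping connection due to potential Directory Harvest Attack "
    r"from host=\('(?P<ip>[^']*)', '(?P<ptr>[^']*)'\), "
    r"dhap_limit=(?P<limit>\d+), sender_group=(?P<group>[^,]+), "
    r'listener=(?P<listener>[^,]+), reverse_dns=(?P<rdns>[^\s"]+)'
)

def parse_drop(line):
    """Return the fields of one DHAP drop line as a dict, or None for other lines."""
    m = DROP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["limit"] = int(rec["limit"])
    return rec

def tally_drops(lines):
    """Count drops per (ip, ptr, sender_group), most frequent first."""
    counts = Counter()
    for line in lines:
        rec = parse_drop(line)
        if rec:
            counts[(rec["ip"], rec["ptr"], rec["group"])] += 1
    return counts.most_common()

def repeat_hosts(lines, min_drops=2):
    """IPs dropped at least min_drops times: candidates for a closer look."""
    return [key[0] for key, n in tally_drops(lines) if n >= min_drops]

def _sample(ip, ptr, group):
    # Constructed line shaped like the one in the post (documentation address ranges).
    return ("Dropping connection due to potential Directory Harvest Attack "
            f"from host=('{ip}', '{ptr}'), dhap_limit=10, sender_group={group}, "
            f"listener=External_listener, reverse_dns={ip}")

SAMPLE = [
    _sample("192.0.2.10", "host10.example.net", "SUSPECTLIST"),
    "constructed unrelated log line",
    _sample("198.51.100.7", "mail.example.org", "UNKNOWNLIST"),
    _sample("192.0.2.10", "host10.example.net", "SUSPECTLIST"),
    _sample("192.0.2.10", "host10.example.net", "SUSPECTLIST"),
]

if __name__ == "__main__":
    for (ip, ptr, group), n in tally_drops(SAMPLE):
        print(f"{n:3d}  {ip}  {ptr}  {group}")
```

A host that appears once with a plausible mail-server PTR is a different case from one that is dropped every hour, and the tally makes that distinction visible before any address goes on a blacklist.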