Invalid Recipients - over 50% of daily volume

sherane_ironport · ‎01-29-2008

Hi,

I searched this forum for DHAP related issues, but can't seem to find an answer to my question. We have a C100 and have DHAP enabled. The typical setting for a mail policy is about 10 invalid recipients, and a 5xx "Too many recipients for this hour" is returned.

For the past week, we've been getting so much invalid from recipeints from google.com, rr.com, and yahoo.com (domains that typically don't do this to us) that we've gone up to over 50% of our daily volume is invalid recipient. Typically this is somewhere around 2% to 7% on a daily basis.

My main concern is how does this affect the performance of the ironport? So far, the cpu usage/queue is looks ok. After the DHAP threshold is met, does the c100 silently drop the connection or does it always send the 5xx response?

I understand that the DHAP counter gets resets at the beginning of every hour. Does this mean that once google.com reaches the DHAP threshold that the entire domain is denied until the next hour when the counter resets or is the DHAP counter set specifically for servers and only the servers get denied?

I've read in some posts to change the 5xx response to 4xx - how does this affect the ironport and the mail servers who got blocked for the hour? Does this mean that the servers will simply keep trying over and over again later? How does this make the situation better?

Thank you in advance for any input.

staylor_ironport · ‎01-29-2008

Hi,
This really depends on what version you are on, Version 5.5 doesn't drop rcpts based on the attackers IP address anymore.
What version are you running?
Plus changing the 4xx code within the listener settings for the accept query is really on stating what to do if the LDAP server is unreachable.
What traditionaly happens is once the 10 invalid rcpts is reached the rest are silently dropped so that no notifications are sent apart from alerts to yourself.
Also in 5.5 both RAT rejects and LDAP accept rejects count towards the invalid rcpts number.

More information is available on the KB, search for asnwer id: 514

sherane_ironport · ‎01-30-2008

Hi Monkeymadness,

Thank you for your answers. We have c100 version 4.7.1. So after the threshold is reached, the rest is silently dropped until the counter resets. So, I assume this includes dropping valid emails from the offending server.

I will check out KB 514.

staylor_ironport · ‎01-30-2008

Hi There,
Absolutely correct, anything that goes over the DHAP limit within that hour will be silently dropped.
I would suggest upgrading to the latest version as you are missing out on a great lot of functionality being on 4.7. Not just the enhanced LDAP features but also bounce verification, DKIM and also Encryption.
Plus the reporting is a load better too :)

sherane_ironport · ‎01-31-2008

Hi, thank you for the clarifications. Yes, we are considering on doing some upgrades. Having a better reporting tool instead of going through the ugly logs to find more details would be great.