Potential Directory Harvest From Internal Host??

Apr 30th, 2009

Hey all,

Been seeing a bunch of these messages over the past week in the logs:

Sun Apr 26 23:21:40 2009 Warning: Dropping connection due to potential Directory Harvest Attack from host=('xxxxxxxx, None), dhap_limit=1, sender_group=INVALID_DNS, listener=MailListener, reverse_dns=xxxxxxxxx, ICID 26690919
Sun Apr 26 23:21:40 2009 Info: ICID 26690919 close
Sun Apr 26 23:21:40 2009 Info: Connection Error: DCID: 2300172 domain: xxxxxxx IP: xxxxxxx port: 25 details: 550-'Too many invalid recipients' interface: xxxxxxxx reason: unexpected SMTP response

The problem is, the host is listed as the IronPort interface itself. Any idea what's going on here?

karlyoun (Cisco Employee) Fri, 05/01/2009 - 17:57

Bob

Check all the log entries for ICID 26690919. If the connection is really coming from an IronPort interface, you should be able to trace back and find the messages the IronPort is attempting to deliver to itself.

Karl Young
Cisco IronPort Product Support Engineer

fyrefighter77 Tue, 05/12/2009 - 15:46

The only place I'm seeing these ICIDs is in the mail log entry I pasted.

I thought about an injection debug log but being that the "from host=" is the MailListener interface itself, will that solve anything?

karlyoun (Cisco Employee) Tue, 05/12/2009 - 16:56

> The only place I'm seeing these ICIDs is in the mail log entry I pasted.
>
> I thought about an injection debug log but being that the "from host=" is the MailListener interface itself, will that solve anything?

There should be more entries than that. Did the log roll over? Every incoming connection will start with something like

Sat May  9 16:13:01 2009 Info: New SMTP ICID 5353529 interface eth0 (nnn.nnn.nnn.nnn) address nnn.nnn.nnn.nnn reverse dns host unknown verified no


Injection debug log could be helpful, but you may want to just use message tracking to figure out what messages your gateway is trying to deliver back to itself. Under the advanced criteria you can search by sender IP.

You may want to open a support ticket for this.

Karl Young
Product Support Engineer
Cisco IronPort Customer Support.
fyrefighter77 Tue, 05/12/2009 - 17:34

Woops. You're correct. Just forgot to include the preceding lines:

Sun Apr 26 23:21:40 2009 Info: New SMTP ICID 26690919 interface MailInterface (xx.xx.xx.126) address xx.xx.xx.126 reverse dns host unknown verified no
Sun Apr 26 23:21:40 2009 Info: ICID 26690919 ACCEPT SG INVALID_DNS match nx.domain SBRS rfc1918
Sun Apr 26 23:21:40 2009 Warning: Dropping connection due to potential Directory Harvest Attack from host=('xx.xx.xx.126', None), dhap_limit=1, sender_group=INVALID_DNS, listener=MailListener, reverse_dns=xx.xx.xx.126, ICID 26690919
Sun Apr 26 23:21:40 2009 Info: ICID 26690919 close

FYI, all XX'd out addresses are the IP address of the MailInterface.

karlyoun (Cisco Employee) Tue, 05/12/2009 - 19:24

> Woops. You're correct. Just forgot to include the preceding lines:
>
> Sun Apr 26 23:21:40 2009 Info: New SMTP ICID 26690919 interface MailInterface (xx.xx.xx.126) address xx.xx.xx.126 reverse dns host unknown verified no
> Sun Apr 26 23:21:40 2009 Info: ICID 26690919 ACCEPT SG INVALID_DNS match nx.domain SBRS rfc1918
> Sun Apr 26 23:21:40 2009 Warning: Dropping connection due to potential Directory Harvest Attack from host=('xx.xx.xx.126', None), dhap_limit=1, sender_group=INVALID_DNS, listener=MailListener, reverse_dns=xx.xx.xx.126, ICID 26690919
> Sun Apr 26 23:21:40 2009 Info: ICID 26690919 close
>
> FYI, all XX'd out addresses are the IP address of the MailInterface.

OK, that makes more sense now. Your ESA is trying to deliver mail back to itself (reinjection). Since you have no PTR, it's matching your INVALID_DNS sender group, which only allows one recipient per hour.

To find out which messages are getting reinjected, you can look for the delivery attempts.

grep "address xx.xx.xx.126" mail_logs


Should return all the delivery attempts:

Tue May 12 10:50:45 2009 Info: New SMTP DCID 42658 interface xx.xx.xx.126 address xx.xx.xx.126 port 25


Once you have a DCID, you can grep for it and get an MID

grep "DCID 42659" mail_logs
Tue May 12 11:04:45 2009 Info: New SMTP DCID 42659 interface xx.xx.xx.126 address xx.xx.xx.xx port 25
Tue May 12 11:04:45 2009 Info: Delivery start DCID 42659 MID 342967 to RID [0]


Now grep for the MID, and you can figure out which messages are triggering the reinjection.
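The three-step chain Karl walks through above (grep the listener address to find DCIDs, grep each DCID to find its MID, grep the MID to find the envelope) automated over a mail_logs file, as an added example that is not part of this thread and is not Cisco's or AsyncOS's own tooling. The sample log excerpt is constructed: 192.0.2.126 stands in for the masked xx.xx.xx.126 listener address and 198.51.100.10 for an internal mail server; the DCID and "Delivery start" lines copy the format quoted in the thread, while the "MID n ICID n From:" and "RID 0 To:" envelope lines follow the standard AsyncOS mail_logs format and are assumed here. A DCID counts as a self-delivery when its destination address is the listener's own IP, exactly what `grep "address xx.xx.xx.126"` selects.

```python
import re
from collections import defaultdict

# Constructed mail_logs excerpt (not from the thread). 192.0.2.126 is the
# ESA's own listener address, 198.51.100.10 a constructed internal mail server.
SAMPLE_MAIL_LOGS = """\
Tue May 12 10:50:40 2009 Info: Start MID 342967 ICID 26690800
Tue May 12 10:50:40 2009 Info: MID 342967 ICID 26690800 From: <jsmith@example.com>
Tue May 12 10:50:40 2009 Info: MID 342967 ICID 26690800 RID 0 To: <MAILER-DAEMON@esa.example.com>
Tue May 12 10:50:45 2009 Info: New SMTP DCID 42658 interface 192.0.2.126 address 192.0.2.126 port 25
Tue May 12 10:50:45 2009 Info: Delivery start DCID 42658 MID 342967 to RID [0]
Tue May 12 10:50:45 2009 Info: New SMTP ICID 26690919 interface MailInterface (192.0.2.126) address 192.0.2.126 reverse dns host unknown verified no
Tue May 12 10:50:45 2009 Info: ICID 26690919 ACCEPT SG INVALID_DNS match nx.domain SBRS rfc1918
Tue May 12 10:50:45 2009 Warning: Dropping connection due to potential Directory Harvest Attack from host=('192.0.2.126', None), dhap_limit=1, sender_group=INVALID_DNS, listener=MailListener, reverse_dns=192.0.2.126, ICID 26690919
Tue May 12 10:50:45 2009 Info: ICID 26690919 close
Tue May 12 11:04:40 2009 Info: Start MID 342970 ICID 26691002
Tue May 12 11:04:40 2009 Info: MID 342970 ICID 26691002 From: <bob@example.net>
Tue May 12 11:04:40 2009 Info: MID 342970 ICID 26691002 RID 0 To: <user@example.com>
Tue May 12 11:04:45 2009 Info: New SMTP DCID 42659 interface 192.0.2.126 address 198.51.100.10 port 25
Tue May 12 11:04:45 2009 Info: Delivery start DCID 42659 MID 342970 to RID [0]
"""

# Line formats: DCID/Delivery start as quoted in the thread; the envelope
# (From:/To:) lines are the standard AsyncOS format and are assumed here.
RE_DCID = re.compile(r"New SMTP DCID (\d+) interface (\S+) address (\S+) port \d+")
RE_DELIVERY = re.compile(r"Delivery start DCID (\d+) MID (\d+) to RID")
RE_FROM = re.compile(r"MID (\d+) ICID (\d+) From: <([^>]*)>")
RE_TO = re.compile(r"MID (\d+) ICID \d+ RID \d+ To: <([^>]*)>")
RE_DHAP = re.compile(r"potential Directory Harvest Attack from host=\('([^']+)'")


def self_delivery_dcids(lines, listener_ip):
    """Step 1 (grep "address <ip>"): DCIDs whose destination is our own listener."""
    found = set()
    for line in lines:
        m = RE_DCID.search(line)
        if m and m.group(3) == listener_ip:
            found.add(m.group(1))
    return found


def mids_by_dcid(lines, dcids):
    """Step 2 (grep "DCID <n>"): map each DCID to the MIDs delivered over it."""
    out = defaultdict(set)
    for line in lines:
        m = RE_DELIVERY.search(line)
        if m and m.group(1) in dcids:
            out[m.group(1)].add(m.group(2))
    return out


def envelopes(lines):
    """Step 3 (grep "MID <n>"): envelope sender, recipients and injecting ICID per MID."""
    env = defaultdict(lambda: {"icid": None, "from": None, "to": []})
    for line in lines:
        m = RE_FROM.search(line)
        if m:
            env[m.group(1)]["icid"] = m.group(2)
            env[m.group(1)]["from"] = m.group(3)
            continue
        m = RE_TO.search(line)
        if m:
            env[m.group(1)]["to"].append(m.group(2))
    return env


def trace_reinjection(log_text, listener_ip):
    """Chain the three greps: which messages is the gateway delivering to itself?"""
    lines = log_text.splitlines()
    dcids = self_delivery_dcids(lines, listener_ip)
    mids = mids_by_dcid(lines, dcids)
    env = envelopes(lines)
    report = []
    for dcid in sorted(dcids, key=int):
        for mid in sorted(mids.get(dcid, ()), key=int):
            e = env.get(mid, {"icid": None, "from": None, "to": []})
            report.append({"dcid": dcid, "mid": mid, "icid": e["icid"],
                           "from": e["from"], "to": list(e["to"])})
    return report


def dhap_drops_from(log_text, listener_ip):
    """Count DHAP drops that name our own listener as the offending host."""
    count = 0
    for line in log_text.splitlines():
        m = RE_DHAP.search(line)
        if m and m.group(1) == listener_ip:
            count += 1
    return count


if __name__ == "__main__":
    for row in trace_reinjection(SAMPLE_MAIL_LOGS, "192.0.2.126"):
        print("DCID %(dcid)s -> MID %(mid)s (ICID %(icid)s) from <%(from)s> to %(to)s" % row)
    print("DHAP drops blamed on listener:", dhap_drops_from(SAMPLE_MAIL_LOGS, "192.0.2.126"))
```

On the constructed excerpt this flags only DCID 42658 / MID 342967, whose recipient is the gateway's own bounce address, while the ordinary delivery to the internal server (DCID 42659) is left alone. Against a real mail_logs you would pass the file contents and the MailInterface IP; the envelope report tells you which mailbox is feeding the loop, which is what the auto-reply finding later in this thread came down to.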
fyrefighter77 Tue, 05/12/2009 - 20:11

Ah ha! Got the sucker! I've only been working with IronPort for a short time and am learning on the fly.

Thanks again for your help, Karl!

fyrefighter77 Thu, 05/21/2009 - 13:27

Update:

This was triggered by someone setting up an auto-reply rule that replied to any and all incoming mail received, including the undeliverable message being sent to the account from the IronPort. And like you said, Karl, because there was no PTR for that IP address, the IronPort would send back yet another undeliverable. And on and on and on we go.

Edited the rule in the offending account to omit the IronPort address from replies, and the undeliverables and resulting DHAP notices eventually stopped.

Thanks again for the direction, Karl.

karlyoun (Cisco Employee) Fri, 05/22/2009 - 18:01

> Update:
>
> This was triggered by someone setting up an auto-reply rule that replied to any and all incoming mail received. Including the undeliverable message being sent to the account from the Ironport.

:) Auto-reply comes in handy, but it sure can cause problems.

> Thanks again for the direction, Karl.

You're welcome. I'm glad it was useful.