04-30-2009 04:01 PM
Hey all,
Been seeing a bunch of these messages over the past week in the logs:
Sun Apr 26 23:21:40 2009 Warning: Dropping connection due to potential Directory Harvest Attack from host=('xxxxxxxx, None), dhap_limit=1, sender_group=INVALID_DNS, listener=MailListener, reverse_dns=xxxxxxxxx, ICID 26690919
Sun Apr 26 23:21:40 2009 Info: ICID 26690919 close
Sun Apr 26 23:21:40 2009 Info: Connection Error: DCID: 2300172 domain: xxxxxxx IP: xxxxxxx port: 25 details: 550-'Too many invalid recipients' interface: xxxxxxxx reason: unexpected SMTP response
The problem is, the host is listed as the IronPort interface itself. Any idea what's going on here?
05-01-2009 05:57 PM
Bob
Check all the log entries for ICID 26690919. If the connection is really coming from an IronPort interface, you should be able to trace back and find the messages the IronPort is attempting to deliver to itself.
Karl Young
Cisco IronPort Product Support Engineer
> Hey all,
> Been seeing a bunch of these messages over the past week in the logs:
> Sun Apr 26 23:21:40 2009 Warning: Dropping connection due to potential Directory Harvest Attack from host=('xxxxxxxx, None), dhap_limit=1, sender_group=INVALID_DNS, listener=MailListener, reverse_dns=xxxxxxxxx, ICID 26690919
> Sun Apr 26 23:21:40 2009 Info: ICID 26690919 close
> Sun Apr 26 23:21:40 2009 Info: Connection Error: DCID: 2300172 domain: xxxxxxx IP: xxxxxxx port: 25 details: 550-'Too many invalid recipients' interface: xxxxxxxx reason: unexpected SMTP response
> The problem is, the host is listed as the IronPort interface itself. Any idea what's going on here?
05-12-2009 03:46 PM
The only place I'm seeing these ICIDs is in the mail log entry I pasted.
I thought about an injection debug log but being that the "from host=" is the MailListener interface itself, will that solve anything?
05-12-2009 04:56 PM
> The only place I'm seeing these ICIDs is in the mail log entry I pasted.
> I thought about an injection debug log but being that the "from host=" is the MailListener interface itself, will that solve anything?
Sat May 9 16:13:01 2009 Info: New SMTP ICID 5353529 interface eth0 (nnn.nnn.nnn.nnn) address nnn.nnn.nnn.nnn reverse dns host unknown verified no
05-12-2009 05:34 PM
Woops. You're correct. Just forgot to include the preceding lines:
Sun Apr 26 23:21:40 2009 Info: New SMTP ICID 26690919 interface MailInterface (xx.xx.xx.126) address xx.xx.xx.126 reverse dns host unknown verified no
Sun Apr 26 23:21:40 2009 Info: ICID 26690919 ACCEPT SG INVALID_DNS match nx.domain SBRS rfc1918
Sun Apr 26 23:21:40 2009 Warning: Dropping connection due to potential Directory Harvest Attack from host=('xx.xx.xx.126', None), dhap_limit=1, sender_group=INVALID_DNS, listener=MailListener, reverse_dns=xx.xx.xx.126, ICID 26690919
Sun Apr 26 23:21:40 2009 Info: ICID 26690919 close
FYI, all XX'd out addresses are the IP address of the MailInterface.
05-12-2009 07:24 PM
> Woops. You're correct. Just forgot to include the preceding lines:
> Sun Apr 26 23:21:40 2009 Info: New SMTP ICID 26690919 interface MailInterface (xx.xx.xx.126) address xx.xx.xx.126 reverse dns host unknown verified no
> Sun Apr 26 23:21:40 2009 Info: ICID 26690919 ACCEPT SG INVALID_DNS match nx.domain SBRS rfc1918
> Sun Apr 26 23:21:40 2009 Warning: Dropping connection due to potential Directory Harvest Attack from host=('xx.xx.xx.126', None), dhap_limit=1, sender_group=INVALID_DNS, listener=MailListener, reverse_dns=xx.xx.xx.126, ICID 26690919
> Sun Apr 26 23:21:40 2009 Info: ICID 26690919 close
> FYI, all XX'd out addresses are the IP address of the MailInterface.
grep "address xx.xx.xx.126" mail_logs
Tue May 12 10:50:45 2009 Info: New SMTP DCID 42658 interface xx.xx.xx.126 address xx.xx.xx.126 port 25
grep "DCID 42659" mail_logs
Tue May 12 11:04:45 2009 Info: New SMTP DCID 42659 interface xx.xx.xx.126 address xx.xx.xx.xx port 25
Tue May 12 11:04:45 2009 Info: Delivery start DCID 42659 MID 342967 to RID [0]
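An added example (my own, not from the thread or from Cisco) that automates the grep steps above over constructed sample lines in the same mail_logs format: it pulls every line for an ICID, flags DHAP drops whose peer address is the listener's own interface, and flags outbound DCIDs delivered to the sending interface. The addresses 10.0.0.126 (standing in for the MailInterface IP) and 203.0.113.7 are constructed.

```python
import re

# Constructed sample, modelled on the redacted mail_logs lines in the thread.
SAMPLE_LOG = """\
Sun Apr 26 23:21:40 2009 Info: New SMTP ICID 26690919 interface MailInterface (10.0.0.126) address 10.0.0.126 reverse dns host unknown verified no
Sun Apr 26 23:21:40 2009 Info: ICID 26690919 ACCEPT SG INVALID_DNS match nx.domain SBRS rfc1918
Sun Apr 26 23:21:40 2009 Warning: Dropping connection due to potential Directory Harvest Attack from host=('10.0.0.126', None), dhap_limit=1, sender_group=INVALID_DNS, listener=MailListener, reverse_dns=10.0.0.126, ICID 26690919
Sun Apr 26 23:21:40 2009 Info: ICID 26690919 close
Sun Apr 26 23:25:02 2009 Info: New SMTP ICID 26690920 interface MailInterface (10.0.0.126) address 203.0.113.7 reverse dns host unknown verified no
Sun Apr 26 23:25:02 2009 Warning: Dropping connection due to potential Directory Harvest Attack from host=('203.0.113.7', None), dhap_limit=1, sender_group=INVALID_DNS, listener=MailListener, reverse_dns=203.0.113.7, ICID 26690920
Tue May 12 11:04:45 2009 Info: New SMTP DCID 42659 interface 10.0.0.126 address 10.0.0.126 port 25
Tue May 12 11:04:45 2009 Info: Delivery start DCID 42659 MID 342967 to RID [0]
"""

# Inbound connection open: ICID, listener interface IP, connecting address.
ICID_OPEN = re.compile(r"New SMTP ICID (\d+) interface \S+ \((\S+)\) address (\S+)")
# DHAP drop: peer host, sender group, ICID.
DHAP_DROP = re.compile(r"Directory Harvest Attack from host=\('([^']*)'.*sender_group=([^,]+).*ICID (\d+)")
# Outbound connection open: DCID, source interface, destination address.
DCID_OPEN = re.compile(r"New SMTP DCID (\d+) interface (\S+) address (\S+) port")

def lines_for_icid(log_text, icid):
    """Every line mentioning the ICID: what grepping the ICID by hand returns."""
    return [ln for ln in log_text.splitlines() if re.search(rf"\bICID {icid}\b", ln)]

def find_self_connections(log_text):
    """DHAP drops whose peer is the listener's own interface address.

    A genuine harvest attempt names a remote client; a drop where the host
    equals the interface IP means the appliance connected to itself, the
    loop pattern from this thread rather than an attack."""
    interface_ip = {}  # ICID -> IP of the listener interface that accepted it
    for ln in log_text.splitlines():
        m = ICID_OPEN.search(ln)
        if m:
            interface_ip[m.group(1)] = m.group(2)
    hits = []
    for ln in log_text.splitlines():
        m = DHAP_DROP.search(ln)
        if m and interface_ip.get(m.group(3)) == m.group(1):
            hits.append({"icid": m.group(3), "host": m.group(1), "sender_group": m.group(2)})
    return hits

def find_self_deliveries(log_text):
    """Outbound DCIDs whose destination is the sending interface itself."""
    return [m.group(1) for m in map(DCID_OPEN.search, log_text.splitlines())
            if m and m.group(2) == m.group(3)]
```

Run the two finders over a real mail_logs export; a hit from either one is the appliance talking to itself and should be traced to the MID being delivered rather than treated as a harvest attack.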
05-12-2009 08:11 PM
Ah ha! Got the sucker! I've only been working with IronPort for a short time and am learning on the fly.
Thanks again for your help, Karl!
05-21-2009 01:27 PM
Update:
This was triggered by someone setting up an auto-reply rule that replied to any and all incoming mail received, including the undeliverable message being sent to the account from the IronPort. And like you said, Karl, because there was no PTR for that IP address, the IronPort would send back yet another undeliverable. And on and on and on we go.
Edited the rule in the offending account to omit the Ironport address from replies and the undeliverables and resulting DHAP notices eventually stopped.
Thanks again for the direction, Karl.
05-22-2009 06:01 PM
> Update:
> This was triggered by someone setting up an auto-reply rule that replied to any and all incoming mail received, including the undeliverable message being sent to the account from the IronPort.
> Thanks again for the direction, Karl.