Cisco Support Community
New Member

Directory Harvest Attack Prevention: beware!

[AsyncOS 5.1.0 on a dual C300 cluster]

We had Directory Harvest Attack Prevention switched 'on' in all
our mail flow policies until we found out that trying N invalid
recipients in one hour caused ALL subsequent SMTP
connections from that particular IP address to fail with a
'550 Too many invalid recipients' SMTP error reply by the
IronPorts.

The IP address belonged to one of the outgoing mail relays
of the largest commercial provider in the country.

In other words: one bad sender could cause thousands of
legitimate mail transactions (by other users) to fail.

5 REPLIES
New Member

Re: Directory Harvest Attack Prevention: beware!

yeah - we did that once :(

You can change it to a temporary (4xx) error.

New Member

Re: Directory Harvest Attack Prevention: beware!

@eluyten: And what is your solution? Have you switched off the "Directory Harvest Attack Prevention" completely or just increased the number N?

New Member

Re: Directory Harvest Attack Prevention: beware!

Remember you can adjust the DHAP limit "N" based on the sendergroup.
Throttled groups have a low DHAP limit.
Accepted groups have a medium DHAP limit.
Trusted groups have a higher DHAP limit.

New Member

Suggest adding a new Sender Group for these guys

My recommendation would be to create a new/special Sender Group & Mail Flow Policy for organizations that fall into this category. I would recommend either setting it to unlimited (for MTA IPs only) or increasing the DHAP limit for that domain/network owner.

Sincerely,

Jay Bivens
IronPort Systems
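The behaviour discussed in this thread, as a small model added for illustration (it is not from any post and is not AsyncOS code): a per-IP hourly invalid-recipient limit chosen by sender group, showing how one guessing sender behind a shared relay blocks a legitimate one, and how a higher or unlimited group limit or a temporary reply code changes the outcome. The limit values, the `ISP_RELAYS` group name, the IP address and the 451 code are assumptions.

```python
from collections import defaultdict, deque

WINDOW = 3600  # seconds; the thread describes a per-hour limit

# Constructed per-sender-group limits (None = unlimited); not AsyncOS defaults.
LIMITS = {"THROTTLED": 5, "ACCEPTED": 25, "TRUSTED": 100, "ISP_RELAYS": None}


class DhapModel:
    """Toy model of a per-IP invalid-recipient limit."""

    def __init__(self, groups, valid_rcpts, reject_code=550):
        self.groups = groups                # ip -> sender group name
        self.valid = valid_rcpts            # set of deliverable addresses
        self.reject_code = reject_code      # 550 permanent, or a 4xx temporary
        self.invalid = defaultdict(deque)   # ip -> timestamps of invalid RCPTs

    def rcpt(self, ip, rcpt, now):
        """Return the SMTP reply code for one RCPT TO from `ip` at time `now`."""
        limit = LIMITS[self.groups.get(ip, "ACCEPTED")]
        hits = self.invalid[ip]
        while hits and now - hits[0] >= WINDOW:   # drop entries older than 1h
            hits.popleft()
        if limit is not None and len(hits) >= limit:
            return self.reject_code   # every sender behind this IP is refused
        if rcpt not in self.valid:
            hits.append(now)
            return 550                # unknown recipient, counted toward limit
        return 250


def simulate(group, reject_code=550):
    """One bad sender and one legitimate sender share the same relay IP."""
    relay = "192.0.2.10"  # constructed address for a shared ISP outbound relay
    model = DhapModel({relay: group}, {"alice@example.com"}, reject_code)
    for i in range(30):   # the bad sender guesses 30 addresses in 30 seconds
        model.rcpt(relay, f"guess{i}@example.com", now=i)
    # A legitimate user of the same ISP then mails a valid recipient.
    during = model.rcpt(relay, "alice@example.com", now=60)
    after = model.rcpt(relay, "alice@example.com", now=30 + WINDOW)
    return during, after


if __name__ == "__main__":
    for group, code in [("ACCEPTED", 550), ("ACCEPTED", 451), ("ISP_RELAYS", 550)]:
        print(group, code, simulate(group, code))
```

With the temporary code the legitimate message is deferred and can be retried by the relay once the window has passed, instead of bouncing.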

New Member

Re: Directory Harvest Attack Prevention: beware!

@Pat: Yes, we disabled DHAP.
