Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

Warning <Directory Harvest Attack Prevention>

Hello,

Guys how do you proceed when you got lots of this warnings?

I mean, how do you avoid to receive Harvest attack without the risk of lossing real emails? Because if we put those IP's in the IronPort device blacklist we may also block real emails?

Currently we have set the DHAP to a max. invalid recipients per hour: 10
Drop connection is ON when threslod is reached.

Would you use set DHAP as default (unlimited)?


Error message:
Warning <Directory>: Potential Directory Harvest Attack detected. See the system ...

Potential Directory Harvest Attack detected. See the system mail logs for more information about this attack.
Last message occurred 43 times between Mon Dec 31 14:10:12 2007 and Mon Dec 31 15:08:20 2007.

We checked the system mail log and we determinted the potential attackers.

Dropping connection due to potential Directory Harvest Attack from host=('85.1.112.129', '129-112.1-85.cust.bluewin.ch'), dhap_limit=10, sender_group=SUSPECTLIST, listener=External_listener, reverse_dns=85.1.112.129"

thanks in advance for your kind assistance.
Best regards

3 REPLIES
New Member

Re: Warning <Directory Harvest Attack Prevention>

These alerts are informational. An outside mail server attempted too many invalid recipients and triggered the DHAP (Directory Harvest Attack Prevention) alert. This threshold is set in the mail flow policy: Mail Policies tab > Mail Flow Policies.

For more information about this feature please see the Advanced User Guide: Using LDAP For Directory Harvest Attack Prevention.
[ https://support.ironport.com/docs/c_series/5.0/HTML_5.0_Compilation/Advanced_Guide/ldap.8.9.html ]

You can adjust your alert profile with "alertconfig" to filter these out if you do not wish to receive these alerts.

You don't necessarily want to just blacklist every IP that triggers the DHAP though. The Directory Harvest Attack Prevention is a self-defense mechanism that the Ironport appliances initiate to basically tell that sending MTA to come back later because you have submitted too many invalid recipients.

My recommendation is to leave things as is and to just monitor the IP and domain/hostname of the sender.

Here are some support portal kb articles that should help.

How is the DHAP limit calculated?
http://tinyurl.com/2g5map


Hello,

Guys how do you proceed when you got lots of this warnings?

I mean, how do you avoid to receive Harvest attack without the risk of lossing real emails? Because if we put those IP's in the IronPort device blacklist we may also block real emails?

Currently we have set the DHAP to a max. invalid recipients per hour: 10
Drop connection is ON when threslod is reached.

Would you use set DHAP as default (unlimited)?


Error message:
Warning : Potential Directory Harvest Attack detected. See the system ...

Potential Directory Harvest Attack detected. See the system mail logs for more information about this attack.
Last message occurred 43 times between Mon Dec 31 14:10:12 2007 and Mon Dec 31 15:08:20 2007.

We checked the system mail log and we determinted the potential attackers.

Dropping connection due to potential Directory Harvest Attack from host=('85.1.112.129', '129-112.1-85.cust.bluewin.ch'), dhap_limit=10, sender_group=SUSPECTLIST, listener=External_listener, reverse_dns=85.1.112.129"

thanks in advance for your kind assistance.
Best regards

Re: Warning <Directory Harvest Attack Prevention>

ok, Thanks for your adivce!

New Member

Re: Warning <Directory Harvest Attack Prevention>

On DHAP you probably won't lose any email as long as you have:

1) decided not to do SMTP error 5xx's - as then all connections rejected by DHAP will permanently fail the message(s). The default may have changed from 5xx to 4xx in more recent AsyncOS versions.
2) reasonable sending MTA's - for example we often have a debacle where some group or another sends email (typically a survey) to "all staff" based on a staff email dump from a few months (years?) ago. The survey sending mail server typically has no queuing mechanism and noone from the survey sending company reads their logs etc...

6938
Views
0
Helpful
3
Replies
CreatePlease to create content