Cisco Email Security Appliance X1070 Troubleshooting Guide

What does the "Potential Directory Harvest Attack detected" warning message mean?
Document ID: 118496
Contributed by Mark Strasheim and Robert Sherwin, Cisco TAC Engineers.
Oct 14, 2014
Contents
Introduction
GUI
CLI
Related Information
Introduction
This document describes the "Potential Directory Harvest Attack" error message as received on the Cisco
Email Security Appliance (ESA).
What does the "Potential Directory Harvest Attack detected" warning message mean?
Administrators of the ESA have received the following Directory Harvest Attack Prevention (DHAP)
warning message:
Potential Directory Harvest Attack detected. See the system mail logs for more
information about this attack.
Version: 8.0.1-023
Serial Number: XXBAD1112DYY-008X011
Timestamp: 22 Sep 2014 21:21:32 -0600
These alerts are considered informational and you should not need to take any action. An outside mail server
attempted delivery to too many invalid recipients and triggered the DHAP alert.
The ESA is acting as configured based on the mail policy configuration.
The DHAP threshold is the maximum number of invalid recipients per hour the listener will receive from a
remote host. This threshold represents the total number of RAT rejections and SMTP call-ahead server
rejections combined with the total number of messages to invalid LDAP recipients dropped in the SMTP
conversation or bounced in the work queue (as configured in the LDAP accept settings on the associated
listener). For more information on configuring DHAP for LDAP accept queries, see the "LDAP Queries"
chapter of the Email Security User Guide.
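
The following added example (not Cisco code and not part of the original document) shows how the combined per-host, per-hour count described above can be reproduced offline when reviewing which remote host tripped the alert. The event tuples, outcome labels, clock-hour bucketing and the threshold value of 4 are all assumptions made for illustration; the events are constructed and are not in the ESA mail log format.

```python
from collections import Counter
from datetime import datetime

# Outcomes that count toward the DHAP threshold per the text above.
# The label strings themselves are hypothetical names chosen for this example.
COUNTED = {"rat_reject", "call_ahead_reject", "ldap_drop", "ldap_bounce"}

# Constructed, already-normalized events: (timestamp, remote host, outcome).
# This is NOT the ESA mail log format; real logs must be parsed into this shape first.
SAMPLE_EVENTS = [
    ("2014-09-22 21:02:10", "203.0.113.7", "rat_reject"),
    ("2014-09-22 21:05:44", "203.0.113.7", "ldap_drop"),
    ("2014-09-22 21:09:03", "203.0.113.7", "call_ahead_reject"),
    ("2014-09-22 21:15:27", "203.0.113.7", "accepted"),
    ("2014-09-22 21:20:51", "203.0.113.7", "ldap_bounce"),
    ("2014-09-22 21:21:32", "203.0.113.7", "rat_reject"),
    ("2014-09-22 21:30:00", "198.51.100.9", "rat_reject"),
    ("2014-09-22 22:01:00", "203.0.113.7", "rat_reject"),
]

def invalid_recipients_per_hour(events):
    """Count combined invalid-recipient outcomes per (remote host, clock hour)."""
    counts = Counter()
    for ts, host, outcome in events:
        if outcome not in COUNTED:
            continue  # accepted recipients do not count toward the threshold
        # Assumption: fixed clock-hour buckets; the appliance may window differently.
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(minute=0, second=0)
        counts[(host, hour)] += 1
    return counts

def hosts_over_threshold(events, max_invalid_per_hour):
    """Return {(host, hour): count} for buckets whose count exceeds the threshold."""
    return {
        key: n
        for key, n in invalid_recipients_per_hour(events).items()
        if n > max_invalid_per_hour
    }

if __name__ == "__main__":
    # Threshold of 4 is an assumed value for the demo, not taken from the document.
    for (host, hour), n in sorted(hosts_over_threshold(SAMPLE_EVENTS, 4).items()):
        print(f"{hour:%Y-%m-%d %H}:00 {host} invalid_recipients={n} exceeds threshold")
```
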
If you do not wish to receive these alerts, you can adjust your alert profile with alertconfig to filter them out:
myesa.local> alertconfig