Cisco Email Security Appliance C190 User Guide
Cisco IronPort AsyncOS 7.3 for Email Advanced Configuration Guide
OL-23081-01
Chapter 4 LDAP Queries
Figure 4-14 Configuring the Acceptance Query to Bounce Messages for
Non-Matching Recipients
Next, configure the Mail Flow Policy to define the number of invalid recipient
addresses the system will allow per sending IP address for a specific period of
time. When this number is exceeded, the system will identify this condition as a
Directory Harvest Attack (DHA) and send an alert message. The alert message will
contain the following information:
LDAP: Potential Directory Harvest Attack from host=('IP-address',
'domain_name'), dhap_limit=n, sender_group=sender_group,
listener=listener_name, reverse_dns=(reverse_IP_address,
'domain_name', 1), sender=envelope_sender, rcpt=envelope_recipients
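For triage, alerts in the format above can be parsed and grouped by sending host. The following Python is an added example, not part of the Cisco guide: the regular expression is derived from the alert template shown here, the quoting of values in real alerts is an assumption, and the sample alerts are constructed.

```python
import re
from collections import defaultdict

# Regex built from the alert template above. Quoting of values in real alerts
# is an assumption, so the quotes around host fields are optional.
ALERT_RE = re.compile(
    r"LDAP: Potential Directory Harvest Attack from "
    r"host=\('?(?P<ip>[^',]+)'?,\s*'?(?P<domain>[^')]*)'?\),\s*"
    r"dhap_limit=(?P<dhap_limit>\d+),\s*"
    r"sender_group=(?P<sender_group>[^,]+),\s*"
    r"listener=(?P<listener>[^,]+),\s*"
    r"reverse_dns=\((?P<reverse_dns>[^)]*)\),\s*"
    r"sender=(?P<sender>[^,]*),\s*"
    r"rcpt=(?P<rcpt>.*)$"
)

def parse_alert(text):
    """Return the alert fields as a dict, or None if text is not a DHA alert."""
    flat = " ".join(text.split())  # alert text may be wrapped across lines
    match = ALERT_RE.search(flat)
    if match is None:
        return None
    fields = {k: v.strip() for k, v in match.groupdict().items()}
    fields["dhap_limit"] = int(fields["dhap_limit"])
    return fields

def summarize_by_host(alert_texts):
    """Group parsed alerts by sending IP for triage (e.g. blocklist review)."""
    summary = defaultdict(lambda: {"alerts": 0, "listeners": set(), "rcpts": []})
    for text in alert_texts:
        alert = parse_alert(text)
        if alert is None:
            continue  # skip unrelated alert mail
        entry = summary[alert["ip"]]
        entry["alerts"] += 1
        entry["listeners"].add(alert["listener"])
        entry["rcpts"].append(alert["rcpt"])
    return dict(summary)

# Constructed sample alerts (documentation IP ranges, example domains).
SAMPLE_ALERTS = [
    "LDAP: Potential Directory Harvest Attack from host=('192.0.2.10',\n"
    "'mx.example.net'), dhap_limit=25, sender_group=SUSPECTLIST,\n"
    "listener=InboundMail, reverse_dns=('10.2.0.192.in-addr.arpa',\n"
    "'mx.example.net', 1), sender=a@example.net, rcpt=aaron@example.com",
    "LDAP: Potential Directory Harvest Attack from host=('192.0.2.10', "
    "'mx.example.net'), dhap_limit=25, sender_group=SUSPECTLIST, "
    "listener=InboundMail, reverse_dns=('10.2.0.192.in-addr.arpa', "
    "'mx.example.net', 1), sender=b@example.net, rcpt=abby@example.com",
    "Subject: Info <System> unrelated alert text",
]
```

Repeated alerts for one IP address, especially with recipients that walk through a name list, are a reasonable signal to review that host's sender group assignment.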
The system will bounce the messages up to the threshold you specified in the mail
flow policy and then it will silently accept and drop the rest, thereby informing
legitimate senders that an address is bad, but preventing malicious senders from
determining which recipients are accepted.
This invalid recipients counter functions similarly to the way Rate Limiting is
currently available in AsyncOS: you enable the feature and define the limit as part
of the mail flow policy in a public listener’s HAT (including the default mail flow
policy for the HAT).
For example, you are prompted with these questions when creating or editing a
mail flow policy in a public listener’s HAT in the CLI (the
listenerconfig -> edit -> hostaccess -> default | new commands):
Do you want to enable Directory Harvest Attack Prevention per host?
[Y]> y
Enter the maximum number of invalid recipients per hour from a remote
host.
[25]>