Cisco Email Security Appliance C160 User Guide

Cisco AsyncOS 8.5.5 for Email Security User Guide
 
Chapter 24: LDAP Queries
Using LDAP For Directory Harvest Attack Prevention

Figure 24-8: Configuring the Mail Flow Policy to Drop Connections in the SMTP Conversation
In the mail flow policy associated with the listener, configure the following Directory Harvest Attack Prevention settings:

• Max. Invalid Recipients Per Hour. The maximum number of invalid recipients per hour this listener will receive from a remote host. This threshold represents the total number of RAT rejections combined with the total number of messages to invalid LDAP recipients dropped in the SMTP conversation or bounced in the work queue. For example, suppose you configure the threshold as five, and the counter detects two RAT rejections and three dropped messages to invalid LDAP recipients. At this point, the appliance determines that the threshold is reached, and the connection is dropped. By default, the maximum number of recipients per hour for a public listener is 25. For a private listener, the maximum number of recipients per hour is unlimited by default. Setting it to “Unlimited” means that DHAP is not enabled for that mail flow policy.
• Drop Connection if DHAP Threshold is reached within an SMTP conversation. Configure the appliance to drop the connection if the Directory Harvest Attack Prevention threshold is reached.
• Max. Recipients Per Hour Code. Specify the code to use when dropping connections. The default code is 550.
• Max. Recipients Per Hour Text. Specify the text to use for dropped connections. The default text is “Too many invalid recipients.”

If the threshold is reached, the Envelope Sender of the message does not receive a bounce message when 
a recipient is invalid. 
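
The threshold behaviour described above, as a small Python model added here for illustration; it is not Cisco code and not part of the original guide. The class and function names, the sliding one-hour window, and the sample events are assumptions, and the model assumes the drop-connection setting is enabled.

```python
from collections import defaultdict, deque

UNLIMITED = None  # "Unlimited" means DHAP is not enabled for the policy

class DhapCounter:
    """Illustrative model of the per-remote-host invalid-recipient counter."""

    def __init__(self, max_invalid_per_hour=25, code=550,
                 text="Too many invalid recipients", window=3600):
        self.limit = max_invalid_per_hour
        self.code, self.text = code, text
        self.window = window               # assumption: sliding one-hour window
        self.events = defaultdict(deque)   # remote host -> event timestamps

    def record(self, host, reason, now):
        """Count one event; return (code, text) once the threshold is reached."""
        if reason not in ("rat_reject", "ldap_invalid"):
            raise ValueError(f"unknown reason: {reason}")
        if self.limit is UNLIMITED:
            return None
        q = self.events[host]
        q.append(now)
        while now - q[0] >= self.window:   # forget events older than the window
            q.popleft()
        # RAT rejections and invalid LDAP recipients share one counter.
        return (self.code, self.text) if len(q) >= self.limit else None

def replay(counter, events):
    """Feed (seconds, host, reason) events; return the first drop or None."""
    for now, host, reason in events:
        verdict = counter.record(host, reason, now)
        if verdict:
            return host, verdict
    return None

# Constructed sample: the guide's example (threshold five, two RAT rejections
# plus three invalid LDAP recipients) with one unrelated host interleaved.
SAMPLE = [
    (0, "192.0.2.10", "rat_reject"),
    (5, "192.0.2.10", "rat_reject"),
    (9, "198.51.100.7", "ldap_invalid"),
    (12, "192.0.2.10", "ldap_invalid"),
    (20, "192.0.2.10", "ldap_invalid"),
    (31, "192.0.2.10", "ldap_invalid"),
]

if __name__ == "__main__":
    print(replay(DhapCounter(max_invalid_per_hour=5), SAMPLE))
```
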
Directory Harvest Attack Prevention within the Work Queue
You can prevent most DHAs by entering only domains in the Recipient Access Table (RAT), and performing the LDAP acceptance validation within the work queue. This technique prevents malicious senders from learning whether a recipient is valid during the SMTP conversation. (When acceptance queries are configured, the system accepts the message and performs the LDAP acceptance validation within the work queue.) However, the Envelope Sender of the message will still receive a bounce message if a recipient is not valid.