Cisco Email Security Appliance X1070 User Manual
24-30
Cisco AsyncOS 8.5.5 for Email Security User Guide
Chapter 24 LDAP Queries
Using LDAP For Directory Harvest Attack Prevention
Configuring Directory Harvest Prevention in the Work Queue
To prevent Directory Harvest Attacks, you first configure an LDAP server profile and enable the LDAP
accept query. Once you have enabled LDAP acceptance queries, configure the listener to use the accept query
and to bounce mail for non-matching recipients:
Figure 24-9
Configuring the Acceptance Query to Bounce Messages for Non-Matching Recipients
Next, configure the Mail Flow Policy to define the number of invalid recipient addresses the system will
allow per sending IP address for a specific period of time. When this number is exceeded, the system
will identify this condition as a DHA and send an alert message. The alert message will contain the
following information:

LDAP: Potential Directory Harvest Attack from host=('IP-address', 'domain_name'),
dhap_limit=n, sender_group=sender_group,
listener=listener_name, reverse_dns=(reverse_IP_address, 'domain_name', 1),
sender=envelope_sender, rcpt=envelope_recipients

The system will bounce the messages up to the threshold you specified in the mail flow policy and then
it will silently accept and drop the rest, thereby informing legitimate senders that an address is bad, but
preventing malicious senders from determining which recipients are accepted.

This invalid recipients counter functions similarly to the way Rate Limiting is currently available in
AsyncOS: you enable the feature and define the limit as part of the mail flow policy in a public listener's
HAT (including the default mail flow policy for the HAT).

For example, you are prompted with these questions when creating or editing a mail flow policy in a
public listener's HAT in the CLI, using the listenerconfig -> edit -> hostaccess -> default | new
commands:

Do you want to enable Directory Harvest Attack Prevention per host? [Y]> y
Enter the maximum number of invalid recipients per hour from a remote host.
[25]>

This feature is also displayed when editing any mail flow policy in the GUI, provided that LDAP queries
have been configured on the corresponding listener:

Figure 24-10
DHAP Prevention Feature in GUI

Entering a number of invalid recipients per hour enables DHAP for that mail flow policy. By default, 25
invalid recipients per hour are allowed for public listeners. For private listeners, the maximum invalid
recipients per hour is unlimited by default. Setting it to "Unlimited" means that DHAP is not enabled
for that mail flow policy.
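The per-host, per-hour threshold and the bounce-then-silently-drop behaviour described above, modelled as an added Python example. This is not Cisco code and not the appliance's implementation: the DhapListener class, the in-memory recipient set that stands in for the LDAP accept query, the exact field formatting of the generated alert line, the default sender group name and the sample harvest traffic are all constructed assumptions; only the alert template shape, the defaults (25/hour public, unlimited private) and the accept/bounce/drop semantics come from the guide. The second half parses the alert line into fields a SIEM rule could key on.

```python
"""Model of AsyncOS Directory Harvest Attack Prevention (DHAP) semantics.

Added example, not Cisco's code. Per sending host, count invalid recipients
within an hour; bounce up to the mail flow policy limit, then silently
accept-and-drop further invalid recipients and raise one alert.
"""
import re
from collections import defaultdict

# "Unlimited" in the mail flow policy means DHAP is not enabled for that policy.
UNLIMITED = None
WINDOW = 3600  # the limit is expressed per hour

# Defaults stated in the guide: 25/hour on public listeners, unlimited on private.
DEFAULT_DHAP_LIMIT = {"public": 25, "private": UNLIMITED}


class DhapListener:
    """Per-host invalid-recipient counter with the guide's bounce/drop semantics (assumed model)."""

    def __init__(self, name, kind, valid_recipients, limit="default", sender_group="UNKNOWNLIST"):
        self.name = name
        # A static set stands in for the LDAP accept query (assumption).
        self.valid = {r.lower() for r in valid_recipients}
        self.limit = DEFAULT_DHAP_LIMIT[kind] if limit == "default" else limit
        self.sender_group = sender_group  # assumed HAT sender group name
        self.invalid_times = defaultdict(list)  # host IP -> timestamps of invalid RCPT TOs
        self.alerts = []

    def rcpt_to(self, host, sender, recipient, now):
        """Return the action for one RCPT TO: 'accept', 'bounce' or 'accept_and_drop'."""
        if recipient.lower() in self.valid:
            return "accept"
        if self.limit is UNLIMITED:
            return "bounce"  # DHAP disabled: every invalid recipient is rejected visibly
        # Keep only failures inside the last hour for this host, then add this one.
        window = [t for t in self.invalid_times[host] if now - t < WINDOW]
        window.append(now)
        self.invalid_times[host] = window
        if len(window) <= self.limit:
            return "bounce"  # below the threshold legitimate senders still learn the address is bad
        if len(window) == self.limit + 1:
            # First RCPT TO over the limit: raise the alert once per hour window.
            self.alerts.append(format_alert(host, self.limit, self.sender_group,
                                            self.name, sender, recipient))
        return "accept_and_drop"  # above the threshold a harvester cannot tell good from bad


def format_alert(host, limit, sender_group, listener, sender, rcpt, rdns="unknown"):
    """Render the alert in the template shape the guide shows (field formatting is assumed)."""
    return (f"LDAP: Potential Directory Harvest Attack from host=('{host}', '{rdns}'), "
            f"dhap_limit={limit}, sender_group={sender_group}, listener={listener}, "
            f"reverse_dns=('{host}', '{rdns}', 1), sender={sender}, rcpt={rcpt}")


# Parser for the alert line, for use in a SIEM or log pipeline (regex is an assumption
# built from the template above; verify against a real alert before relying on it).
ALERT_RE = re.compile(
    r"LDAP: Potential Directory Harvest Attack from host=\('(?P<ip>[^']+)', '(?P<domain>[^']*)'\), "
    r"dhap_limit=(?P<limit>\d+), sender_group=(?P<sender_group>\S+), "
    r"listener=(?P<listener>\S+), reverse_dns=\((?P<rdns>[^)]*)\), "
    r"sender=(?P<sender>\S+), rcpt=(?P<rcpt>.*)$"
)


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a DHAP alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["limit"] = int(fields["limit"])
    return fields


def simulate_harvest(limit=3):
    """Constructed harvest attempt: one host guesses addresses in quick succession."""
    lst = DhapListener("IncomingMail", "public",
                       {"alice@example.com", "bob@example.com"}, limit=limit)
    guesses = ["alice", "aaron", "abby", "adam", "adrian", "bob", "brian"]
    actions = [lst.rcpt_to("203.0.113.7", "spammer@example.net",
                           f"{local}@example.com", now=1000 + i)
               for i, local in enumerate(guesses)]
    return actions, lst.alerts


if __name__ == "__main__":
    acts, alerts = simulate_harvest(limit=3)
    for a in acts:
        print(a)
    for line in alerts:
        print(parse_alert(line))
```

With a limit of 3 the run shows the guide's behaviour end to end: three invalid guesses are bounced, the fourth trips the threshold and produces a single alert, later invalid guesses are accepted and dropped, and a valid address is still accepted in between, so the harvester's view of the directory is uniform after the threshold.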