Cisco IronPort AsyncOS 7.6 for Email Advanced Configuration Guide
OL-25137-01
Chapter 3      LDAP Queries
  • Drop Connection if DHAP Threshold is reached within an SMTP conversation. Configure the 
Cisco IronPort appliance to drop the connection if the Directory Harvest Attack Prevention 
threshold is reached.
  • Max. Recipients Per Hour Code. Specify the SMTP response code to use when dropping connections. The default 
code is 550.
  • Max. Recipients Per Hour Text. Specify the response text to use for dropped connections. The default text 
is “Too many invalid recipients.”
If the threshold is reached, the Envelope Sender of the message does not receive a bounce message when 
a recipient is invalid. 
Directory Harvest Attack Prevention within the Work Queue
You can prevent most DHAs by entering only domains in the Recipient Access Table (RAT), and 
performing the LDAP acceptance validation within the work queue. This technique prevents the 
malicious senders from knowing if the recipient is valid during the SMTP conversation. (When 
acceptance queries are configured, the system accepts the message and performs the LDAP acceptance 
validation within the work queue.) However, the Envelope Sender of the message will still receive a 
bounce message if a recipient is not valid. 
Configuring Directory Harvest Prevention in the Work Queue
To prevent Directory Harvest Attacks, you first configure an LDAP server profile, and enable LDAP 
Accept. Once you have enabled LDAP acceptance queries, configure the listener to use the accept query, 
and to bounce mail for non-matching recipients:
Figure 3-14
Configuring the Acceptance Query to Bounce Messages for Non-Matching Recipients
Next, configure the Mail Flow Policy to define the number of invalid recipient addresses the system will 
allow per sending IP address for a specific period of time. When this number is exceeded, the system 
will identify this condition as a DHA and send an alert message. The alert message will contain the 
following information: 
LDAP: Potential Directory Harvest Attack from host=('IP-address', 'domain_name'), 
dhap_limit=n, sender_group=sender_group
listener=listener_name, reverse_dns=(reverse_IP_address, 'domain_name', 1), 
sender=envelope_sender, rcpt=envelope_recipients
The system will bounce the messages up to the threshold you specified in the mail flow policy and then 
it will silently accept and drop the rest, thereby informing legitimate senders that an address is bad, but 
preventing malicious senders from determining which recipients are accepted. Note that a sender can still 
learn the validity of up to the threshold number of addresses per period before the silent drop takes effect, 
so set the limit low enough that a harvester gains little from it but high enough that a legitimate sender 
with a few stale addresses is not silenced.
This invalid recipients counter functions similarly to Rate Limiting in 
AsyncOS: you enable the feature and define the limit as part of the mail flow policy in a public listener’s 
HAT (including the default mail flow policy for the HAT). 
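The following is an added example, not Cisco code and not taken from the guide. It models the work-queue behaviour described above: per sending IP, invalid recipients are counted over a period; up to the mail flow policy limit the message is bounced, beyond it the message is accepted and silently dropped, and an alert in the format shown above is raised. It also parses such an alert line, which is what a SOC would do when the alert lands in a log pipeline. The sliding one-hour window, the one-alert-per-host rule, the listener and sender group names, the IP addresses and the sample recipients are all assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional, Set

WINDOW_SECONDS = 3600  # "per hour"; modelled here as a sliding window (assumption)

# Alert text in the format the guide shows; all field values are supplied by the caller.
ALERT_FMT = (
    "LDAP: Potential Directory Harvest Attack from host=('{ip}', '{host}'), "
    "dhap_limit={limit}, sender_group={group} listener={listener}, "
    "reverse_dns=({ip}, '{host}', 1), sender={sender}, rcpt={rcpt}"
)

# Parser for the same alert format (for consumption by a log pipeline or SIEM).
ALERT_RE = re.compile(
    r"LDAP: Potential Directory Harvest Attack from host=\('(?P<ip>[^']+)', '(?P<host>[^']*)'\), "
    r"dhap_limit=(?P<limit>\d+), sender_group=(?P<group>\S+) listener=(?P<listener>[^,]+), "
    r"reverse_dns=\([^)]*\), sender=(?P<sender>[^,]+), rcpt=(?P<rcpt>.*)$"
)


@dataclass
class Verdict:
    action: str                   # "bounce" (limit not exceeded) or "drop" (limit exceeded)
    alert: Optional[str] = None   # set once per host when the limit is first exceeded


class DhapCounter:
    """Per-sending-IP invalid-recipient accounting for one listener's mail flow policy."""

    def __init__(self, dhap_limit: int, listener: str, sender_group: str) -> None:
        self.dhap_limit = dhap_limit
        self.listener = listener
        self.sender_group = sender_group
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)  # timestamps per IP
        self._alerted: Set[str] = set()                            # IPs already alerted on

    def invalid_recipient(self, ip: str, host: str, ts: float,
                          sender: str, rcpt: str) -> Verdict:
        """Record one invalid recipient from `ip` at time `ts` and decide what to do with it."""
        q = self._hits[ip]
        while q and ts - q[0] >= WINDOW_SECONDS:   # expire hits older than the window
            q.popleft()
        if not q:
            self._alerted.discard(ip)              # window fully expired: new attack gets a new alert
        q.append(ts)
        if len(q) <= self.dhap_limit:
            # Under the limit: bounce, so a legitimate sender learns the address is bad.
            return Verdict("bounce")
        # Over the limit: accept and silently drop, so a harvester learns nothing.
        alert = None
        if ip not in self._alerted:
            self._alerted.add(ip)
            alert = ALERT_FMT.format(ip=ip, host=host, limit=self.dhap_limit,
                                     group=self.sender_group, listener=self.listener,
                                     sender=sender, rcpt=rcpt)
        return Verdict("drop", alert)


def parse_dhap_alert(line: str) -> Optional[dict]:
    """Return the alert's fields as a dict, or None if the line is not a DHAP alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["limit"] = int(fields["limit"])
    return fields


def demo() -> list:
    """Constructed sample: one host probes seven addresses in ten minutes with dhap_limit=5."""
    counter = DhapCounter(dhap_limit=5, listener="IncomingMail", sender_group="UNKNOWNLIST")
    actions = []
    for i in range(7):
        verdict = counter.invalid_recipient("203.0.113.7", "mta.example.net", 1000.0 + 60 * i,
                                            "probe@example.net", f"user{i}@example.com")
        actions.append(verdict.action)
        if verdict.alert:
            print(verdict.alert)
    return actions


if __name__ == "__main__":
    print(demo())
```

The first five probes are bounced and the last two are silently dropped, with a single alert raised on the sixth; once the hour has elapsed with no further hits the counter resets and the host can be alerted on again. Feeding the emitted alert back through `parse_dhap_alert` yields the sending IP, the configured limit and the probed recipient, which is what you would pivot on when correlating the alert with HAT sender-group changes or with other sources seen probing the same address space.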