User Guide for Cisco Email Security Appliance C170

Cisco IronPort AsyncOS 7.1 for Email Advanced Configuration Guide
OL-22164-02
Chapter 3 LDAP Queries
Figure 3-14 Configuring the Acceptance Query to Bounce Messages for Non-Matching Recipients
Next, configure the Mail Flow Policy to define the number of invalid recipient 
addresses the system will allow per sending IP address for a specific period of 
time. When this number is exceeded, the system will identify this condition as a 
DHA and send an alert message. The alert message will contain the following 
information: 
LDAP: Potential Directory Harvest Attack from host=('IP-address', 
'domain_name'), dhap_limit=n, sender_group=sender_group
listener=listener_name, reverse_dns=(reverse_IP_address
'domain_name', 1), sender=envelope_sender, rcpt=envelope_recipients
The system will bounce the messages up to the threshold you specified in the mail 
flow policy and then it will silently accept and drop the rest, thereby informing 
legitimate senders that an address is bad, but preventing malicious senders from 
determining which recipients are accepted.
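For triage, the alert text shown above can be parsed into fields and grouped by sending host. This is an added example, not code from the Cisco guide: the sample lines, addresses, listener and sender-group values are constructed, and the parser assumes only the field names in the alert template (it tolerates a missing separator comma, as in the template as printed here).

```python
import re
from collections import defaultdict

# Field names come from the alert template on this page.
KEYS = "host dhap_limit sender_group listener reverse_dns sender rcpt".split()
MARKER = "Potential Directory Harvest Attack"
KEY_RE = re.compile(r"\b(%s)=" % "|".join(KEYS))
HOST_RE = re.compile(r"\(\s*'([^']*)'\s*,\s*'([^']*)'\s*\)")

def parse_dha_alert(line):
    """Return the alert fields as a dict, or None for any other log line."""
    if MARKER not in line:
        return None
    body = line.split(MARKER, 1)[1]
    hits = list(KEY_RE.finditer(body))
    fields = {}
    for i, m in enumerate(hits):
        # A value runs to the next known key, so a missing comma is tolerated.
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        fields[m.group(1)] = body[m.end():end].strip().rstrip(",").strip()
    host = HOST_RE.match(fields.get("host", ""))
    if host:  # host is rendered as ('IP-address', 'domain_name')
        fields["host_ip"], fields["host_name"] = host.groups()
    if fields.get("dhap_limit", "").isdigit():
        fields["dhap_limit"] = int(fields["dhap_limit"])
    return fields

def summarize(lines):
    """Group DHA alerts by source IP: alert count and listeners involved."""
    summary = defaultdict(lambda: {"alerts": 0, "listeners": set()})
    for line in lines:
        fields = parse_dha_alert(line)
        if fields and "host_ip" in fields:
            entry = summary[fields["host_ip"]]
            entry["alerts"] += 1
            entry["listeners"].add(fields.get("listener", "unknown"))
    return dict(summary)

# Constructed sample lines (documentation addresses, not real alerts).
HEAD = ("LDAP: Potential Directory Harvest Attack from host=('192.0.2.10', "
        "'mail.example.net'), dhap_limit=25, sender_group=SUSPECTLIST")
TAIL = ("listener=IncomingMail, reverse_dns=('10.2.0.192.in-addr.arpa', "
        "'mail.example.net', 1), sender=probe@example.net, rcpt=")
SAMPLE = [
    HEAD + ", " + TAIL + "info1@example.com",
    HEAD + " " + TAIL + "nouser@example.com",  # separator comma missing
    "Info: MID 1001 queued for delivery",      # unrelated line
]
```

Repeated alerts for the same `host_ip` within a short period are a signal to review that sender's sender group and mail flow policy.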
This invalid recipients counter functions similarly to the way Rate Limiting is 
currently available in AsyncOS: you enable the feature and define the limit as part 
of the mail flow policy in a public listener’s HAT (including the default mail flow 
policy for the HAT). 
For example, you are prompted with these questions when creating or editing a 
mail flow policy in a public listener’s HAT in the CLI, using the 
listenerconfig -> edit -> hostaccess -> default | new commands:
Do you want to enable Directory Harvest Attack Prevention per host?
[Y]> y
Enter the maximum number of invalid recipients per hour from a remote host.
[25]>