To prevent Directory Harvest Attacks, you first configure an LDAP server profile and enable LDAP Accept. Once you have enabled LDAP acceptance queries, configure the listener to use the accept query and to bounce mail for non-matching recipients.
Next, configure the Mail Flow Policy to define the number of invalid recipient addresses the system will allow per sending IP address for a specific period of time. When this number is exceeded, the system will identify this condition as a DHA and send an alert message. The alert message will contain the following information:
    LDAP: Potential Directory Harvest Attack from host=('IP-address', 'domain_name'), dhap_limit=n, sender_group=sender_group, listener=listener_name, reverse_dns=(reverse_IP_address, 'domain_name', 1), sender=envelope_sender, rcpt=envelope_recipients
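The alert line above is what a monitoring pipeline has to pick apart to count DHA events per source. The following parser is an added example and not AsyncOS code: it turns the documented alert layout into fields and tallies alerts per sending IP. The sample log lines, the IP addresses, the sender group and listener names are all constructed for the example; the exact rendering of the sender and recipient values in a real alert is assumed.

```python
import re
from collections import Counter

# Regular expression built from the alert layout the page documents. The
# placeholders (IP-address, domain_name, n, ...) become named groups.
DHAP_ALERT_RE = re.compile(
    r"^LDAP: Potential Directory Harvest Attack from "
    r"host=\('(?P<ip>[^']*)', '(?P<host>[^']*)'\), "
    r"dhap_limit=(?P<limit>\d+), "
    r"sender_group=(?P<sender_group>[^,]+), "
    r"listener=(?P<listener>[^,]+), "
    r"reverse_dns=\((?P<reverse_dns>[^)]*)\), "
    r"sender=(?P<sender>[^,]+), "
    r"rcpt=(?P<rcpt>.*)$"
)

# Constructed sample lines: two DHA alerts from one source, one from another,
# and an unrelated line that the parser must ignore.
SAMPLE_LOG = [
    "LDAP: Potential Directory Harvest Attack from host=('192.0.2.10', 'mail.example.test'), "
    "dhap_limit=25, sender_group=SUSPECTLIST, listener=IncomingMail, "
    "reverse_dns=(192.0.2.10, 'mail.example.test', 1), sender=bulk@example.test, "
    "rcpt=['nobody@corp.test', 'admin2@corp.test']",
    "Info: New SMTP ICID 1234 interface Data1 address 192.0.2.10",
    "LDAP: Potential Directory Harvest Attack from host=('198.51.100.7', 'relay.example.test'), "
    "dhap_limit=25, sender_group=SUSPECTLIST, listener=IncomingMail, "
    "reverse_dns=(198.51.100.7, 'relay.example.test', 1), sender=news@example.test, "
    "rcpt=['xyz@corp.test']",
    "LDAP: Potential Directory Harvest Attack from host=('192.0.2.10', 'mail.example.test'), "
    "dhap_limit=25, sender_group=SUSPECTLIST, listener=IncomingMail, "
    "reverse_dns=(192.0.2.10, 'mail.example.test', 1), sender=bulk@example.test, "
    "rcpt=['qqq@corp.test']",
]


def parse_dhap_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a DHA alert."""
    m = DHAP_ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["limit"] = int(fields["limit"])  # dhap_limit is the policy's threshold
    return fields


def alerts_per_source(lines):
    """Count DHA alerts per sending IP address over a batch of log lines."""
    counts = Counter()
    for line in lines:
        alert = parse_dhap_alert(line)
        if alert is not None:
            counts[alert["ip"]] += 1
    return counts


if __name__ == "__main__":
    for ip, n in alerts_per_source(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} DHA alert(s)")
```

A SIEM rule can then fire on a source that keeps tripping the limit (repeated alerts from the same IP across several hour windows), which is a stronger signal than a single alert.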
The system will bounce the messages up to the threshold you specified in the mail flow policy and then it will silently accept and drop the rest, thereby informing legitimate senders that an address is bad, but preventing malicious senders from determining which recipients are accepted.
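To make the bounce-then-drop behaviour concrete, here is an added model of the invalid-recipient counter; it is example code, not the AsyncOS implementation. It assumes a sliding one-hour window per sending IP (the page says "per hour" without specifying the window model), and uses the page's public-listener default of 25. The IP addresses, host and policy names in the scenario are constructed.

```python
from collections import defaultdict, deque

# "Per hour" is the period the page gives; modelling it as a sliding
# one-hour window per source IP is an assumption of this example.
WINDOW_SECONDS = 3600


class DhapCounter:
    """Counts invalid recipients (ones the LDAP Accept query rejected) per sending IP.

    limit=None models the mail flow policy set to "Unlimited": DHAP is off and
    every invalid recipient is simply bounced.
    """

    def __init__(self, limit):
        self.limit = limit
        self.events = defaultdict(deque)  # ip -> timestamps of invalid recipients

    def invalid_recipient(self, ip, now):
        """Record one invalid recipient from `ip` at time `now`; return the action taken.

        'bounce' : still within the limit, the sender learns the address is bad
        'alert'  : the limit was just exceeded, a DHA alert is raised for this IP
        'drop'   : over the limit, the recipient is accepted and silently dropped
        """
        if self.limit is None:
            return "bounce"
        q = self.events[ip]
        while q and now - q[0] >= WINDOW_SECONDS:  # expire entries older than the window
            q.popleft()
        q.append(now)
        count = len(q)
        if count <= self.limit:
            return "bounce"
        if count == self.limit + 1:
            return "alert"
        return "drop"


def format_alert(ip, host, limit, sender_group, listener, sender, rcpts):
    """Render the alert text in the layout the page documents (values supplied by the caller)."""
    return (
        "LDAP: Potential Directory Harvest Attack from "
        f"host=({ip!r}, {host!r}), dhap_limit={limit}, sender_group={sender_group}, "
        f"listener={listener}, reverse_dns=({ip}, {host!r}, 1), "
        f"sender={sender}, rcpt={rcpts}"
    )


def simulate(limit, ip, attempts, step=1):
    """Feed `attempts` invalid recipients from one IP, one every `step` seconds; return the actions."""
    counter = DhapCounter(limit)
    return [counter.invalid_recipient(ip, t * step) for t in range(attempts)]


if __name__ == "__main__":
    # Constructed scenario: one source offers 27 unknown recipients within a
    # minute against the public-listener default of 25 invalid recipients per hour.
    actions = simulate(25, "192.0.2.10", 27)
    print(actions.count("bounce"), "bounced;", actions.count("drop"), "dropped")
    if "alert" in actions:
        print(format_alert("192.0.2.10", "mail.example.test", 25, "SUSPECTLIST",
                           "IncomingMail", "bulk@example.test", ["nobody@corp.test"]))
```

Note that a limit set high enough that it is never reached behaves like "Unlimited": every probe gets a bounce, so the sender can still tell valid addresses from invalid ones. The limit only protects once it is low enough that a harvesting run trips it well before it has enumerated the directory.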
This invalid recipients counter functions similarly to the way Rate Limiting is currently available in AsyncOS: you enable the feature and define the limit as part of the mail flow policy in a public listener’s HAT (including the default mail flow policy for the HAT).
You can also configure this in the command-line interface using the listenerconfig command.
This feature is also displayed when editing any mail flow policy in the GUI, provided that LDAP queries have been configured on the corresponding listener.
Entering a number of invalid recipients per hour enables DHAP for that mail flow policy. By default, 25 invalid recipients per hour are allowed for public listeners. For private listeners, the maximum invalid recipients per hour is unlimited by default. Setting it to “Unlimited” means that DHAP is not enabled for that mail flow policy.