Specifying Sender Filtering Directory Harvest Attack (DHA) Settings

Procedure

  1. Go to Sender Filtering > Rules.
    The Rules screen appears with five tabs, one for each type of threat.
  2. Click the DHA Attack tab.
    The DHA Attack screen appears.
  3. Select the Enable check box to enable blocking of directory harvest attacks.
  4. Configure the following:
    • Duration to monitor: The number of hours that IMSVA monitors email traffic to see if the percentage of messages signaling a DHA attack exceeds the threshold you set.
    • Rate (%): The maximum number of allowable messages with DHA threats (the numerator).
    • Total messages: The total number of DHA messages out of which the threshold percentage is calculated (the denominator).
    • Sent to more than: The maximum number of recipients allowed for the threshold value.
    • Non-existing recipients exceeds: The maximum number of non-existent recipients allowed for the threshold value. DHA attacks often include randomly generated email addresses in the receiver list.
      Note
      The LDAP service must be running to determine non-existing recipients.
    Consider the following example.
    Duration to monitor: 1 hour at a rate of 20 out of 100 sent to more than 10 recipients when the number of non-existing recipients exceeds 5.
    During each one-hour period that DHA blocking is active, IMSVA starts blocking IP addresses when more than 20% of the messages it receives were sent to more than 10 recipients (more than five of whom do not exist in your organization) and the total number of messages exceeds 100.
    Tip
    Technically, the LDAP server is not a must-have. The DHA rule of IMSVA can also obtain the DHA results returned from Postfix, which in turn passes these results to FoxProxy through the LDAP server or other means. FoxProxy then analyzes the results to determine if they are DHA attacks.
    The LDAP server is only one of the means by which Postfix checks whether a user's mailbox exists.
  5. Next to Triggering action, select one of the following:
    • Block temporarily: Block messages from the IP address temporarily and allow the upstream MTA to try again after the block duration ends.
    • Block permanently: Never allow another message from the IP address and do not allow the upstream MTA to try again.
  6. Optional: If you select Block temporarily, specify the block duration.
  7. Click Save.
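The threshold logic from the worked example in step 4, written out as an added Python example (not IMSVA's own code). Per-source-IP counting, strict "more than" comparisons and the sample traffic are assumptions made here for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Set


@dataclass(frozen=True)
class Message:
    """One inbound message seen during the monitoring window (constructed record)."""
    source_ip: str
    recipients: int     # recipients on the envelope
    nonexistent: int    # recipients the directory lookup (e.g. LDAP) rejected


@dataclass(frozen=True)
class DhaRule:
    """The four threshold fields of the DHA Attack tab, defaulting to the page's example."""
    rate_pct: int = 20          # Rate (%)
    total_messages: int = 100   # Total messages
    min_recipients: int = 10    # Sent to more than
    min_nonexistent: int = 5    # Non-existing recipients exceeds


def is_dha_signal(msg: Message, rule: DhaRule) -> bool:
    """A message signals DHA when it exceeds both per-message limits (strictly 'more than')."""
    return msg.recipients > rule.min_recipients and msg.nonexistent > rule.min_nonexistent


def evaluate_window(messages: Iterable[Message], rule: DhaRule) -> Set[str]:
    """Return the source IPs to block for one monitoring window.

    Assumption: counts are kept per source IP, since the action is to block an IP.
    Integer cross-multiplication avoids float rounding exactly at the threshold.
    """
    total, signals = Counter(), Counter()
    for m in messages:
        total[m.source_ip] += 1
        if is_dha_signal(m, rule):
            signals[m.source_ip] += 1
    return {
        ip for ip, n in total.items()
        if n > rule.total_messages and signals[ip] * 100 > rule.rate_pct * n
    }


def sample_window() -> list:
    """Constructed traffic for one window (documentation IP ranges, not real data)."""
    def burst(ip: str, n_signal: int, n_normal: int) -> list:
        return [Message(ip, 15, 8)] * n_signal + [Message(ip, 2, 0)] * n_normal
    return (burst("198.51.100.7", 30, 90)    # 120 msgs, 25% signal   -> blocked
            + burst("203.0.113.9", 20, 100)  # 120 msgs, ~17% signal  -> allowed
            + burst("192.0.2.3", 50, 0))     # 50 msgs, 100% but total <= 100 -> allowed
```

Run `evaluate_window(sample_window(), DhaRule())` to see that only the first sender crosses both the rate and the total-message threshold.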