Solved: ESA Vulnerability: fingerprinting valid emails

spacemeb · ‎09-12-2021

Hello,

Following best practices, we performed an annual pentest.

We found out that the attacker is able to fingerprint valid e-mail accounts via brute-force after connecting to the ironport and change the recipient of the message to an e-mail.

In case the e-mail is invalid ironport with "550 #5.1.0 Address rejected", otherwise it answers with "250 recipient <valid_mail> ok"

What we should do to strengthen our email security gateway and avoid this kind of attacks in the future?

Thanks in advance,

Spacemeb

Ken Stieers · ‎09-13-2021

There are a couple of things you can do:

1. Turn on Directory Harvest Attack Prevention in Mail Polices/Mail Flow Policies, to stop someone hitting your boxes with many bad addresses.... This may slow them down enough.
2. On your incoming listener configuration, you can tell it where/when to execute the LDAP query. If you do it in the SMTP conversation, you get what you're seeing now, if you do it in the Work Queue, the mail is accepted and then dropped with no notification. This does add some load to your ESAs...

View solution in original post

spacemeb · ‎09-13-2021

any advise?

Ken Stieers · ‎09-13-2021

There are a couple of things you can do:

1. Turn on Directory Harvest Attack Prevention in Mail Polices/Mail Flow Policies, to stop someone hitting your boxes with many bad addresses.... This may slow them down enough.
2. On your incoming listener configuration, you can tell it where/when to execute the LDAP query. If you do it in the SMTP conversation, you get what you're seeing now, if you do it in the Work Queue, the mail is accepted and then dropped with no notification. This does add some load to your ESAs...