ESA Vulnerability: fingerprinting valid emails

spacemeb
Level 1

Hello, 

 

Following best practices, we performed an annual pentest.

We found out that the attacker is able to fingerprint valid e-mail accounts via brute force after connecting to the IronPort and changing the recipient of the message to an e-mail address.

In case the e-mail is invalid, IronPort answers with "550 #5.1.0 Address rejected"; otherwise it answers with "250 recipient <valid_mail> ok".

 

What should we do to strengthen our email security gateway and avoid this kind of attack in the future?

 

Thanks in advance,

Spacemeb

Accepted Solutions

There are a couple of things you can do:

1. Turn on Directory Harvest Attack Prevention in Mail Policies/Mail Flow Policies, to stop someone hitting your boxes with many bad addresses.... This may slow them down enough.
2. On your incoming listener configuration, you can tell it where/when to execute the LDAP query. If you do it in the SMTP conversation, you get what you're seeing now; if you do it in the Work Queue, the mail is accepted and then dropped with no notification. This does add some load to your ESAs...
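
A defender-side check that complements the Directory Harvest Attack Prevention advice above, added here as an example and not part of the original thread or of Cisco's code: it counts "550 ... Address rejected" replies per source in a sliding one-hour window and lists the addresses that source saw confirmed with a 250. The log line format, the threshold of 25 and the function names are assumptions for illustration; the regex has to be adapted to your own gateway's logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical, simplified log format (NOT the ESA's own mail log syntax):
#   <ISO timestamp> src=<ip> rcpt=<address> reply="<SMTP reply>"
LINE_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) rcpt=<(?P<rcpt>[^>]*)> '
                     r'reply="(?P<code>\d{3}) [^"]*"$')

def find_harvesters(lines, max_invalid=25, window=timedelta(hours=1)):
    """Flag sources with more than max_invalid rejected RCPTs inside any window."""
    rejects = defaultdict(list)   # src -> timestamps of 550 replies
    confirmed = defaultdict(set)  # src -> addresses answered with 250
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # ignore lines in other formats
        if m["code"] == "550":
            rejects[m["src"]].append(datetime.fromisoformat(m["ts"]))
        elif m["code"] == "250":
            confirmed[m["src"]].add(m["rcpt"].lower())
    flagged = {}
    for src, stamps in rejects.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_invalid:
            # Addresses this source learned are valid: review them first.
            flagged[src] = {"peak_rejects": peak,
                            "confirmed": sorted(confirmed[src])}
    return flagged

def sample_log():
    """Constructed data: one source guessing 30 addresses, one ordinary sender."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    bad = 'reply="550 #5.1.0 Address rejected"'
    lines = [f"{(t0 + timedelta(seconds=20 * i)).isoformat()} src=203.0.113.7 "
             f"rcpt=<guess{i}@example.com> {bad}" for i in range(30)]
    lines.append(f"{(t0 + timedelta(minutes=11)).isoformat()} src=203.0.113.7 "
                 'rcpt=<alice@example.com> reply="250 recipient <alice@example.com> ok"')
    lines.append(f"{t0.isoformat()} src=198.51.100.9 rcpt=<bobb@example.com> {bad}")
    return lines

if __name__ == "__main__":
    for src, info in find_harvesters(sample_log()).items():
        print(src, info)
```

The "confirmed" list shows which mailboxes a flagged source was able to validate, which is the exposure that moving the LDAP check to the Work Queue removes.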


2 Replies 2

spacemeb
Level 1

Any advice?
