Cisco Secure Email Support Community
spacemeb
Beginner

ESA Vulnerability: fingerprinting valid emails

Hello,

Following best practices, we performed an annual pentest.

We found out that an attacker is able to fingerprint valid e-mail accounts via brute force after connecting to the IronPort and changing the recipient of the message to an e-mail address.

If the e-mail address is invalid, the IronPort answers with "550 #5.1.0 Address rejected"; otherwise it answers with "250 recipient <valid_mail> ok".

What should we do to strengthen our email security gateway and avoid this kind of attack in the future?
Thanks in advance,

Spacemeb

1 ACCEPTED SOLUTION
Ken Stieers
Advocate

There are a couple of things you can do:

1. Turn on Directory Harvest Attack Prevention in Mail Policies/Mail Flow Policies, to stop someone hitting your boxes with many bad addresses... This may slow them down enough.
2. On your incoming listener configuration, you can tell it where/when to execute the LDAP query. If you do it in the SMTP conversation, you get what you're seeing now; if you do it in the Work Queue, the mail is accepted and then dropped with no notification. This does add some load to your ESAs...

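The accepted answer recommends Directory Harvest Attack Prevention to throttle a source that probes many bad addresses. As an added example (not from this thread or from Cisco's product), the following shows the detection side of the same pattern: it parses a constructed SMTP-conversation log format and flags source IPs that accumulate many "550 #5.1.0 Address rejected" recipient rejections within a short window. The log layout, field names and thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (the format only imitates an MTA conversation log;
# it is not real ESA output). One source probes many addresses; one is normal.
SAMPLE_LOG = """\
2024-01-01T10:00:01 ICID 101 from 198.51.100.7 RCPT TO:<aaa@example.test> 550 #5.1.0 Address rejected
2024-01-01T10:00:02 ICID 101 from 198.51.100.7 RCPT TO:<bob@example.test> 250 recipient <bob@example.test> ok
2024-01-01T10:00:03 ICID 101 from 198.51.100.7 RCPT TO:<abc@example.test> 550 #5.1.0 Address rejected
2024-01-01T10:00:04 ICID 101 from 198.51.100.7 RCPT TO:<abd@example.test> 550 #5.1.0 Address rejected
2024-01-01T10:00:05 ICID 101 from 198.51.100.7 RCPT TO:<abe@example.test> 550 #5.1.0 Address rejected
2024-01-01T10:00:06 ICID 101 from 198.51.100.7 RCPT TO:<abf@example.test> 550 #5.1.0 Address rejected
2024-01-01T10:09:00 ICID 102 from 203.0.113.9 RCPT TO:<alice@example.test> 250 recipient <alice@example.test> ok
2024-01-01T10:09:01 ICID 102 from 203.0.113.9 RCPT TO:<alise@example.test> 550 #5.1.0 Address rejected
"""

# Assumed line layout: timestamp, connection id, source IP, recipient, SMTP code.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ICID (?P<icid>\d+) from (?P<ip>\S+) "
    r"RCPT TO:<(?P<rcpt>[^>]+)> (?P<code>\d{3})"
)


def parse_rcpt_events(log_text):
    """Yield (timestamp, source_ip, recipient, smtp_code) for each RCPT line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["rcpt"], int(m["code"])


def find_harvesters(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: peak count} for sources whose 5xx recipient rejections
    within any sliding `window` reach `threshold` (the DHAP-style signal)."""
    rejects = defaultdict(list)
    for ts, ip, _rcpt, code in parse_rcpt_events(log_text):
        if 500 <= code < 600:
            rejects[ip].append(ts)
    flagged = {}
    for ip, times in rejects.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

With the sample above, only 198.51.100.7 is flagged (5 rejections in 5 seconds); the single typo from 203.0.113.9 stays below the threshold.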

2 REPLIES
spacemeb
Beginner

Any advice?

