IronPort LDAP Lookup Email Enumeration

B G, Level 1

We have a cloud-based IronPort ESA and we perform LDAP lookup on all incoming mail.  The problem we are having is that we want to turn off the NDR that is generated from the IronPort when an email is sent to a non-existent email address.  In other words, if you send an email to nonexistentuser@domain.com, we do not want to send an NDR to the sender. 

The reason behind this is that we have seen evidence of email address enumeration on the device.  Someone is sending massive amounts of emails to all possible user name combinations and when they DON'T get an NDR, they have found a legitimate email address.  We have seen these attempts hit a legitimate email address and the next day phishing attempts start on the legitimate email address.

Exchange has had the functionality to shut off NDRs since 2003.  We have been working with IronPort support for weeks on this issue and they tell us there is no way to disable NDRs generated by LDAP lookup.  However, it is not clear whether or not IronPort support truly understands what we are asking for.  So I wanted to get a second opinion: Can NDRs generated by LDAP lookup be suppressed?  If not, how else can we prevent email enumeration from NDRs?

3 Replies

ironport99, Level 1 (Accepted Solution)

Not sure if this is any different because you are using cloud ESA but I think they had the same config available.

First up you should be configuring DHAP to stop the dictionary attacks against your LDAP server. If you set the level low enough (we use 10 invalid recipients per hour for a 50,000 user customer) then it should prevent most attackers. Check your DHAP settings in the mail flow policy.

If that doesn't work for you then you can set the LDAP recipient check to be done in the work queue rather than on acceptance and then just set non-matching users to drop rather than bounce. Obviously this means that you have to accept all the messages first before dropping them, but it is one of the first actions once the message is in the work queue so it shouldn't add too much overhead. Move the recipient check to the work queue under LDAP queries in your listener.
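
As an added example (not from this thread or from Cisco), the condition that the DHAP threshold above enforces on the appliance can also be applied offline to mail logs to confirm a harvest is going on: the script counts invalid-recipient rejections per connecting IP over a sliding one-hour window and flags any source that goes past 10 in an hour. The log lines and their `ip=... rcpt=... result=...` layout are constructed for the example and are not the real ESA mail_logs format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (NOT the real ESA mail_logs format): one line per
# recipient attempt, with the connecting IP and the recipient-check result.
def _mk(ip, start, n, step_s, result="INVALID_RCPT"):
    return [f"{(start + timedelta(seconds=i * step_s)).isoformat()} "
            f"ip={ip} rcpt=user{i}@example.com result={result}" for i in range(n)]

BASE = datetime(2024, 3, 1, 10, 0, 0)
SAMPLE_LOG = (
    _mk("203.0.113.7", BASE, 12, 5)      # 12 bad recipients in one minute: harvesting
    + [f"{BASE.isoformat()} ip=203.0.113.7 rcpt=bob@example.com result=ACCEPT"]
    + _mk("198.51.100.4", BASE, 2, 30)   # two typos from a normal sender: benign
    + _mk("192.0.2.9", BASE, 12, 900)    # 12 bad recipients spread over ~3 hours:
)                                        # never more than 10 inside any one hour

def parse_line(line):
    """Parse 'TIMESTAMP ip=... rcpt=... result=...' into (ts, ip, rcpt, result)."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_text), kv["ip"], kv["rcpt"], kv["result"]

def harvest_sources(lines, threshold=10, window=timedelta(hours=1)):
    """Return {ip: time} for sources that produced more than `threshold`
    invalid recipients inside any sliding `window`; this is the
    '10 invalid recipients per hour' DHAP condition applied to log data."""
    recent = defaultdict(deque)   # ip -> timestamps of invalid recipients in window
    flagged = {}
    for ts, ip, _rcpt, result in sorted(parse_line(l) for l in lines if l.strip()):
        if result != "INVALID_RCPT":
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # discard timestamps older than the window
            q.popleft()
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = ts       # the moment the threshold was crossed
    return flagged

if __name__ == "__main__":
    for ip, when in harvest_sources(SAMPLE_LOG).items():
        print(f"{ip}: directory harvest pattern, threshold crossed at {when}")
```

Tuning the threshold against a day of real logs before enabling DHAP shows whether the chosen figure would also catch legitimate bulk senders with stale address lists.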

Thank you!  That is exactly the info I was looking for!  Wonder why IronPort support was unable to help us on that?

dmccabej, Cisco Employee

Hello,

It's very possible that the engineer you were working with was simply not knowledgeable enough in this area to provide that recommendation, or that there was a miscommunication and the engineer just did not understand the behavior you were referring to.

Either way, I'm glad you seem to have gotten it figured out.

Also, we have more info here on how to enable/modify that if you need it: How to use LDAP Accept Query to validate the recipients of inbound messages using Microsoft Active Directory (LDAP)?

Thanks!

-Dennis M.
