Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2290
Views
0
Helpful
1
Replies

Potential Directory Harvest Attack detected

j.muozmellado
Level 1
Level 1

‎06-08-2020 11:30 PM

Hi Guys:

 

I have a Cisco Ironport Cluster with C370 & C670 devices, I have seen many Potential Directory Harvest Attack detected 3 days ago and some guys got affected during that event. We finally found out the MTA Client involved in this situation and the domains, and  we need to know the following in order to take some action.

 

1.- Is there aby document that mentions the best practice for DHAP, I meant 10, 25, unlimited (default), etc ?

2.- How long does it take to setup again the SMTP connection with the involved MTA, 10, 20 minutes ? or on whom it depends on ?  ESA or MTA client ?

 

Thanks a lot guys, I´d really appreciate your help.

 

 

 

Labels:
0 Helpful
1 Reply 1

ppreenja
Cisco Employee
Cisco Employee

‎06-22-2020 04:56 AM

Hello,

Below documentation articles will be helpful for you to check on the DHAP configuration on ESA.
The default value for DHAP on ESA is 25 which is usually the recommended configuration from Cisco, however, you can tweak the values as per your requirement.

Also, to answer your second query, once the limit is reached it take 1 hour (60 minutes) for SMTP connection to get established again.

Articles:-
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117847-technote-esa-00.html
cisco.com/c/en/us/support/docs/security/email-security-appliance/118496-technote-esa-00.html
cisco.com/c/en/us/support/docs/security/email-security-appliance/118936-technote-esa-00.html

I hope the above information helps.

Cheers,
Pratham
0 Helpful
Customers Also Viewed These Support Documents