Directory Harvest Attack Prevention Problem

rockbd
Level 1

I am new to IronPort management.

For the last 12 hours I have been getting the following warning:


Potential Directory Harvest Attack detected.  See the system mail logs for more information about this attack.


Version: 11.1.0-128

Serial Number: 564DA1C84C7E64303E18-53FE25D3BF80

Timestamp: 10 Jul 2018 13:06:30 +0600


Can you please tell me what I should look for in the mail log?

Waiting for a suggestion.


5 Replies

Eric101
Level 1
Hello,

These alerts are essentially informational. An outside mail server attempted too many invalid recipients and triggered the Directory Harvest Attack Prevention alert. This threshold is set in the mail flow policy: Mail Policies > Mail Flow Policies under the Host Access Table (HAT) heading.

The best course of action is to do nothing. The ESA is protecting you by automatically telling the remote server to back off as it has sent too many emails to invalid recipients in the last hour. If you find that it is always the same host generating the alert and it is valid you can adjust your thresholds, or reach out to them to find out what is sending so many invalid-recipient emails. (We had people with mailing lists who had recipients who had left the organisation)

More information about the feature can be found here:
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118496-technote-esa-00.pdf

Too many warning messages. Every hour I am getting this warning. Hope IronPort isn't compromised. Is there anything else I can do to control this with IronPort?

Hello, the appearance of this message is not an indicator that your email appliance is compromised.

If you no longer wish to receive notifications for this event you can disable it. The process is outlined in the document link in my previous response.

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118496-technote-esa-00.pdf

Otherwise you will need to investigate and play with the alert thresholds, and/or investigate the messages that are causing the alert to see if they are from a legitimate source (e.g. a mailing list with outdated recipients) or an illegitimate one, which you can block with whatever tool is available to you (e.g. firewall, mail policy, etc.).

Is there a way to find out the sender for that attack?

Eric101
Level 1

Hello, the following article will help you identify the sending host which is triggering the DHAP alert.

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118936-technote-esa-00.html

The entries that describe the DHAP event reside in the mail logs. Here is an example mail log entry when DHAP occurs:

Tue Oct 18 00:25:35 2005 Warning: LDAP: Dropping connection due to potential Directory Harvest Attack from host=(192.168.10.1', None), dhap_limit=4, sender_group=SUSPECTLIST

Enter this query into the CLI in order to view the mail logs:

myesa.local> grep "dhap_limit=" mail_logs
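As an added triage example (not from this thread or from Cisco): a small Python script that parses exported mail_logs for the DHAP line format quoted above, counts events per sending host and flags hosts that keep tripping the limit hour after hour, which is the pattern the original poster describes. The sample log lines and the hosts in them are constructed; the `SUSPECTLIST` value and `dhap_limit=4` are taken from the example entry above.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Matches the DHAP warning format shown in the thread. The host is rendered as a
# Python-style tuple, e.g. host=('192.0.2.10', None); quotes are optional so the
# stray-quote variant quoted above is also accepted.
DHAP_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) Warning: LDAP: Dropping connection "
    r"due to potential Directory Harvest Attack from host=\('?(?P<host>[^',)]+)'?, [^)]*\)"
    r", dhap_limit=(?P<limit>\d+), sender_group=(?P<group>\S+)$"
)

# Constructed sample of a mail_logs export (not real appliance output).
SAMPLE_LOGS = """\
Tue Oct 18 00:25:35 2005 Warning: LDAP: Dropping connection due to potential Directory Harvest Attack from host=('192.0.2.10', None), dhap_limit=4, sender_group=SUSPECTLIST
Tue Oct 18 00:40:02 2005 Info: Start MID 1234 ICID 5678
Tue Oct 18 01:12:09 2005 Warning: LDAP: Dropping connection due to potential Directory Harvest Attack from host=('192.0.2.10', None), dhap_limit=4, sender_group=SUSPECTLIST
Tue Oct 18 01:30:44 2005 Warning: LDAP: Dropping connection due to potential Directory Harvest Attack from host=('198.51.100.7', None), dhap_limit=4, sender_group=SUSPECTLIST
Tue Oct 18 02:05:11 2005 Warning: LDAP: Dropping connection due to potential Directory Harvest Attack from host=('192.0.2.10', None), dhap_limit=4, sender_group=SUSPECTLIST
"""

def parse_dhap_events(lines):
    """Return (timestamp, host, dhap_limit, sender_group) for every DHAP line."""
    events = []
    for line in lines:
        m = DHAP_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            events.append((ts, m["host"], int(m["limit"]), m["group"]))
    return events

def summarize_by_host(events):
    """Count DHAP events per sending host, most frequent first."""
    return Counter(host for _, host, _, _ in events).most_common()

def recurring_hosts(events, min_hours=2):
    """Hosts that trip DHAP in at least `min_hours` distinct clock hours.
    These are the candidates to check (stale mailing list vs. abuse source)."""
    hours = defaultdict(set)
    for ts, host, _, _ in events:
        hours[host].add(ts.replace(minute=0, second=0))
    return sorted(h for h, hs in hours.items() if len(hs) >= min_hours)

if __name__ == "__main__":
    evs = parse_dhap_events(SAMPLE_LOGS.splitlines())
    print("events per host:", summarize_by_host(evs))
    print("recurring hosts:", recurring_hosts(evs))
```

On a real appliance, run the `grep "dhap_limit=" mail_logs` command shown above (or export the logs) and feed the resulting lines to `parse_dhap_events`.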

