How does Cisco IronPort prevent Directory Harvest Attacks (DHA)?

Below, Tom Topping, director of federal operations for Cisco IronPort, gives his take on how IronPort prevents Directory Harvest Attacks (from a Q&A featured on the Cisco NetPro Forum).

How does the IronPort prevent Directory Harvest Attacks?

Directories are harvested when a sender delivers thousands of common email recipient addresses to a domain; for example asmith@, bsmith@, csmith@, ajones@... The attacker is seeking to understand which addresses DO NOT generate an Invalid Recipient Bounce. By knowing which addresses do not bounce, the attacker knows which addresses are valid for that domain. Therefore, in order to stop these attacks, the IronPort does two things:
1. It validates the recipient email address, via an LDAP query, during the SMTP Conversation.
2. It counts the number of invalid recipients from each sender and stops responding after a configurable number of invalid recipients during each hour.

More questions and answers...

Does the IronPort Email Security Appliance support Authentication Mechanisms such as Domain Keys?

Yes, the IronPort Email Security Appliance authenticates received messages that are signed with SIDF, Domain Keys and DKIM. The appliances also can sign outbound messages with DKIM and Domain Keys.

How many real emails does the IronPort misclassify and stick into the Spam Bucket?

IronPort's advertised False Positive Rate is "Less Than One In One Million"; IronPort customers actually experience far fewer False Positives than that. Effectively, the typical end-user behind an IronPort never experiences a false positive.

Does the IronPort Anti-Spam system have Centralized Management so that a change can be made to one system and that change gets propagated to the others?

Yes, the system does support Centralized Management. This is implemented on-system, without the need for an additional Centralized-Management appliance.

How many interfaces do the IronPort C-Series systems have?

The IronPort C160 has two network interfaces (copper 10/100/1000). The IronPort C360, C660, X1060 all have three network interfaces (copper 10/100/1000). The X1060 has a 4 x gigabit fiber option.
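
The two directory-harvest controls described in the first answer (recipient validation during the SMTP conversation, plus a per-sender hourly cap on invalid recipients) can be modelled as follows. This is an added example, not IronPort's code: the in-memory set stands in for the LDAP query, the hour is modelled as a sliding window, and the class name, threshold, addresses and IPs are all constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600  # "each hour" from the text, modelled here as a sliding window


class DhaGuard:
    """Hypothetical model of the two controls; not an IronPort API."""

    def __init__(self, directory, max_invalid):
        self.directory = {a.lower() for a in directory}  # stand-in for the LDAP lookup
        self.max_invalid = max_invalid                   # the configurable threshold
        self.invalid = defaultdict(deque)                # sender IP -> times of invalid RCPTs

    def _recent_invalid(self, sender_ip, now):
        hits = self.invalid[sender_ip]
        while hits and now - hits[0] >= WINDOW_SECONDS:  # forget hits older than the window
            hits.popleft()
        return len(hits)

    def rcpt_to(self, sender_ip, rcpt, now):
        """Return '250', '550' or 'DROP' for one RCPT TO command."""
        if self._recent_invalid(sender_ip, now) >= self.max_invalid:
            # Over the limit: no reply at all, even for valid addresses,
            # so the sender can no longer tell valid from invalid.
            return "DROP"
        if rcpt.lower() in self.directory:
            return "250"
        self.invalid[sender_ip].append(now)
        return "550"


def replay(guard, events):
    """Feed (time, sender_ip, recipient) tuples through the guard in order."""
    return [guard.rcpt_to(ip, rcpt, t) for t, ip, rcpt in events]


# Constructed sample data (documentation IP ranges, example.com addresses).
DIRECTORY = ["asmith@example.com", "bjones@example.com"]
EVENTS = [
    (0, "203.0.113.7", "asmith@example.com"),     # valid
    (1, "203.0.113.7", "bsmith@example.com"),     # invalid 1
    (2, "203.0.113.7", "csmith@example.com"),     # invalid 2
    (3, "203.0.113.7", "ajones@example.com"),     # invalid 3, limit reached
    (4, "203.0.113.7", "bjones@example.com"),     # valid, but sender is cut off
    (5, "198.51.100.9", "bjones@example.com"),    # other sender is unaffected
    (3700, "203.0.113.7", "bjones@example.com"),  # old hits have aged out
]

if __name__ == "__main__":
    for event, reply in zip(EVENTS, replay(DhaGuard(DIRECTORY, 3), EVENTS)):
        print(event, "->", reply)
```

The fifth event is the important one: once the cap is hit, a valid address gets the same silence as an invalid one, which is what removes the signal the harvester is looking for.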

Read more about Directory Harvest Attacks. View more info on the Cisco spam and virus blocker.

What's your take on how to prevent Directory Harvest Attacks?

Copyright © 2009 IDG Communications, Inc.