Specifying IP Filtering Directory Harvest Attack (DHA) Settings

Procedure

  1. Go to IP Filtering > Rules.
    The Rules screen appears with 4 tabs, one for each type of threat.
  2. Click the DHA Attack tab.
    The DHA Attack screen appears.
  3. Select the Enable check box to enable blocking of directory harvest attacks.
  4. Configure the following:
    • Duration to monitor: The number of hours that IMSS monitors email traffic to see if the percentage of messages signaling a DHA attack exceeds the threshold you set.
    • Rate (%): Type the maximum number of allowable messages with DHA threats (the numerator).
    • Total mails: Type the total number of DHA messages out of which the threshold percentage is calculated (the denominator).
    • Sent to more than: Type the maximum number of recipients allowed for the threshold value.
    • Non-existing recipients exceeds: Type the maximum number of non-existent recipients allowed for the threshold value. DHA attacks often include randomly generated email addresses in the receiver list.
      Note
      The LDAP service must be running to determine non-existing recipients.
      Consider the following example.
      Duration to monitor: 1 hour at a rate of 20 out of 100 sent to more than 10 recipients when the number of non-existing recipients exceeds 5.
      During each one-hour period that DHA blocking is active, IMSS starts blocking IP addresses when more than 20% of the messages it receives were sent to more than 10 recipients (with more than five of those recipients not in your organization) and the total number of messages exceeds 100.
    • Next to Triggering action, select one of the following:
      • Block temporarily: Block messages from the IP address and allow the upstream MTA to try again.
      • Block permanently: Never allow another message from the IP address and do not allow the upstream MTA to try again.
    • Click Save.
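
The threshold arithmetic from the example in step 4, written out as an added Python sketch (not IMSS code and not part of the original documentation). It assumes counts are kept per source IP in fixed monitoring windows and that a set of known addresses stands in for the LDAP lookup; `DhaRule`, `is_dha_message` and `ips_to_block` are hypothetical names, and the traffic is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class DhaRule:                      # defaults mirror the example on this page
    duration_hours: int = 1         # Duration to monitor
    rate_percent: int = 20          # Rate (%)
    total_mails: int = 100          # Total mails
    sent_to_more_than: int = 10     # Sent to more than
    nonexisting_exceeds: int = 5    # Non-existing recipients exceeds

def is_dha_message(recipients, directory, rule):
    """True if the message exceeds both per-message recipient limits."""
    missing = sum(1 for r in recipients if r.lower() not in directory)
    return (len(recipients) > rule.sent_to_more_than
            and missing > rule.nonexisting_exceeds)

def ips_to_block(messages, directory, rule):
    """messages: iterable of (epoch_seconds, source_ip, recipient_list).
    Returns the set of (window_index, source_ip) that cross the thresholds."""
    window = rule.duration_hours * 3600
    counts = defaultdict(lambda: [0, 0])        # key -> [total, dha]
    for ts, ip, rcpts in messages:
        tally = counts[(ts // window, ip)]
        tally[0] += 1
        tally[1] += is_dha_message(rcpts, directory, rule)
    # Both comparisons are strict: "exceeds 100" and "more than 20%".
    return {key for key, (total, dha) in counts.items()
            if total > rule.total_mails
            and dha * 100 > rule.rate_percent * total}

# Constructed sample data: a 50-user directory and three sending IPs.
DIRECTORY = {f"user{i}@example.com" for i in range(50)}
HARVEST = ([f"user{i}@example.com" for i in range(6)]
           + [f"guess{i}@example.com" for i in range(6)])  # 12 rcpts, 6 unknown
NORMAL = ["user1@example.com", "user2@example.com"]

def sample_traffic():
    msgs = []
    for ip, total, dha in [("203.0.113.7", 101, 21),    # 20.8% of 101: block
                           ("198.51.100.9", 101, 20),   # 19.8% of 101: no
                           ("192.0.2.44", 50, 50)]:     # 100% but only 50 mails
        for n in range(total):
            msgs.append((n * 10, ip, HARVEST if n < dha else NORMAL))
    return msgs

if __name__ == "__main__":
    print(ips_to_block(sample_traffic(), DIRECTORY, DhaRule()))
```

The second and third senders show why both the rate and the total matter: one stays just under 20%, the other never reaches the 100-message floor, so neither is flagged.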