Views:
Configure DHA protection settings to prevent senders from using a directory harvest attack (DHA) to obtain user email addresses for spam message transmission.
Note
Note
  • Before you enable this feature, configure Microsoft Active Directory settings.
    For more information, see Configuring an LDAP Server.
  • When SMTP traffic volume is extremely high, Deep Discovery Email Inspector might not precisely block email messages based on the configuration due to the time delay between rule trigger and activation.

Procedure

  1. Go to AdministrationSender Filtering/AuthenticationDHA Protection.
  2. Select Enable directory harvest attack protection.
  3. Configure the following settings.

    Field
    Description
    Monitoring duration
    Select the number of hours that Deep Discovery Email Inspector monitors email traffic to see if the percentage of messages signaling a DHA threat exceeds the specified threshold.
    Rate
    Type the maximum percentage of messages with detected threats (the numerator).
    Total messages
    Type the total number of messages (received from the same sender) that Deep Discovery Email Inspector uses to calculate the threshold percentage (the denominator).
    Recipient threshold
    Type the maximum number of recipients allowed.
    Non-existing recipients
    Type the he maximum number of non-existent recipients allowed for the threshold value. DHA often include randomly generated email addresses in the receiver list.
    Action
    Select one of the following block actions:
    • Block temporarily: Blocks messages from the IP address temporarily and allow the upstream MTA to try again after the block duration ends
    • Block permanently: Never allow another message from the IP address and do not allow the upstream MTA to try again
    Blocking duration
    If you select the Block temporarily action, select the number of hours to block.
    Note
    Note
    After blocking a sender for the specified time, Deep Discovery Email Inspector removes the sender from the Blocked Senders list.
    For example, if you configure the following settings:
    • Monitoring duration: 1 hour
    • Rate: 20
    • Total messages: 100
    • Recipient threshold: 10
    • Non-existing recipients: 5
    During each one-hour period that DHA protection is active, Deep Discovery Email Inspector starts blocking senders when it receives more than 20% of the messages that were sent to more than 10 recipients (with more than five of the recipients not in your organization) and the total number of messages exceeds 100.
  4. Click Save.
    To use the default settings, click Restore Default to discard your configuration.
Keywords: directory harvest attack (DHA)