VMUNIX Blues

What’s a DHA look like?

More IronPort fun. Here’s what a Directory/Dictionary Harvest Attack looks like:

Wee! Just imagine an Exchange server having to deal with something like that! Ha! In this case the IronPort cut off the attack at the network level based on the SenderBase reputation of the hosts doing the dictionary searches, so it didn’t have to even scan the messages at all. A few thousand messages per second and the CPU was 95% idle. I was skeptical of SenderBase’s value before, but now I can see why it’s so effective.

What this graph really shows you is the connections getting blocked. Because the remote mail system is not able to even send a MAIL FROM: SMTP command, there is no way to know if this really is a DHA. If you have DHAP enabled on the ironport and someone tried to do a directory harvest, you will get an email once they reach the limit for invalid recipients you configure on the box.

Based on this graph you could presume that you were under some sort of DOS attack where many machines around the internet were trying to send email to your system and each of the IPs had a fairly negative SBRS score. The other interresting thing is that the number that defines the connections blocked by reputation filtering does not necessarily correspond to a 1:1 ratio of email per connection but could in fact have had a payload of 3, 5, 10, 100 messages for each unique connection that the box was seeing.

A DHA would increase the “Invalid Recipients” number on the monitoring page because at that stage of the connection, it has already passed SBRS and has issued an invalid RCPT TO:.

About

VMUNIX Blues is written by me, Mark Mayo, in Vancouver, BC. I like unix, coding, and the web, and naturally most articles I write here have something to do with what I like. If commenting on an article isn’t your style, you can always email me — mark (at) vmunix.com.