<?xml version="1.0" encoding="utf-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: What&#8217;s a DHA look like?</title>
	<atom:link href="http://www.vmunix.com/mark/blog/archives/2006/05/25/whats-a-dha-look-like/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.vmunix.com/mark/blog/archives/2006/05/25/whats-a-dha-look-like/</link>
	<description>by Mark Mayo</description>
	<pubDate>Tue,  6 Jan 2009 14:06:39 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.2</generator>
		<item>
		<title>By: mark</title>
		<link>http://www.vmunix.com/mark/blog/archives/2006/05/25/whats-a-dha-look-like/#comment-13115</link>
		<dc:creator>mark</dc:creator>
		<pubDate>Fri, 26 May 2006 06:48:20 +0000</pubDate>
		<guid isPermaLink="false">http://www.vmunix.com/mark/blog/archives/2006/05/25/whats-a-dha-look-like/#comment-13115</guid>
		<description>I only know it was a DHA because it was ongoing as I flipped the MX from the Postfix box to the IronPort mid-attack.  :)</description>
		<content:encoded><![CDATA[<p>I only know it was a DHA because it was ongoing as I flipped the MX from the Postfix box to the IronPort mid-attack.  <img src='http://www.vmunix.com/mark/blog/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jason</title>
		<link>http://www.vmunix.com/mark/blog/archives/2006/05/25/whats-a-dha-look-like/#comment-13111</link>
		<dc:creator>Jason</dc:creator>
		<pubDate>Fri, 26 May 2006 03:24:50 +0000</pubDate>
		<guid isPermaLink="false">http://www.vmunix.com/mark/blog/archives/2006/05/25/whats-a-dha-look-like/#comment-13111</guid>
		<description>What this graph really shows you is the connections getting blocked.  Because the remote mail system is not able to even send a MAIL FROM: SMTP command, there is no way to know if this really is a DHA.  If you have DHAP enabled on the IronPort and someone tried to do a directory harvest, you will get an email once they reach the limit for invalid recipients you configure on the box.

Based on this graph you could presume that you were under some sort of DOS attack where many machines around the internet were trying to send email to your system and each of the IPs had a fairly negative SBRS score.  The other interesting thing is that the number that defines the connections blocked by reputation filtering does not necessarily correspond to a 1:1 ratio of email per connection but could in fact have had a payload of 3, 5, 10, 100 messages for each unique connection that the box was seeing.

A DHA would increase the "Invalid Recipients" number on the monitoring page because at that stage of the connection, it has already passed SBRS and has issued an invalid RCPT TO:.</description>
		<content:encoded><![CDATA[<p>What this graph really shows you is the connections getting blocked.  Because the remote mail system is not able to even send a MAIL FROM: SMTP command, there is no way to know if this really is a DHA.  If you have DHAP enabled on the IronPort and someone tried to do a directory harvest, you will get an email once they reach the limit for invalid recipients you configure on the box.</p>
<p>Based on this graph you could presume that you were under some sort of DOS attack where many machines around the internet were trying to send email to your system and each of the IPs had a fairly negative SBRS score.  The other interesting thing is that the number that defines the connections blocked by reputation filtering does not necessarily correspond to a 1:1 ratio of email per connection but could in fact have had a payload of 3, 5, 10, 100 messages for each unique connection that the box was seeing.</p>
<p>A DHA would increase the &#8220;Invalid Recipients&#8221; number on the monitoring page because at that stage of the connection, it has already passed SBRS and has issued an invalid RCPT TO:.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
