5.4 ORF Online Help

DHA Protection Test

This help section describes the DHA Protection Test. Configuration of this feature is available on the Blacklist > DHA Protection Test page of the Administration Tool.

General Information

This test can be used to detect and stop certain Directory Harvest Attacks (DHAs). During a DHA, the attacker tries to discover valid email addresses by attempting to send to commonly used (e.g., info@, john@, etc.) or randomly generated email addresses. By inspecting the response from your server, the attacker can find out whether the address is valid.

Most of these attacks are widely distributed, which makes their detection very hard. Because of this, the DHA Protection Test is not guaranteed to detect all DHA attempts.

How Does It Work?

ORF monitors the incoming email flow and records the IP address of senders who send emails to non-existent / blacklisted recipient addresses in a database. If the same sender attempts to send emails to such recipients several times in a specified timeframe, it is likely looking for valid "spammable" addresses. If the number of invalid attempts reaches a pre-configured limit, the sender becomes blacklisted for valid / existent recipients as well.

By default, senders are blacklisted by the DHA Protection Test for 24 hours after 3 invalid attempts within 3 hours. We recommend keeping the default settings to avoid false positives.
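
The counting logic described above, sketched as an added example (not Vamsoft's code and not part of the original help page). It assumes the documented defaults of 3 invalid attempts within 3 hours and a 24-hour blacklisting; the DhaTracker class, the verdict strings and the sample traffic are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class DhaTracker:
    """Model of the documented behaviour; ORF's internals are an assumption here."""
    def __init__(self, limit=3, window=timedelta(hours=3), ban=timedelta(hours=24)):
        self.limit, self.window, self.ban = limit, window, ban
        self.attempts = defaultdict(deque)  # sender IP -> invalid-attempt times
        self.banned_until = {}              # sender IP -> blacklist expiry

    def is_blacklisted(self, ip, now):
        expiry = self.banned_until.get(ip)
        if expiry is not None and now >= expiry:
            del self.banned_until[ip]       # blacklisting period is over
            return False
        return expiry is not None

    def check(self, ip, recipient_valid, now):
        """Verdict for one recipient: accept, reject-recipient or reject-dha."""
        if self.is_blacklisted(ip, now):
            return "reject-dha"             # hits valid recipients as well
        if recipient_valid:
            return "accept"
        hits = self.attempts[ip]
        hits.append(now)
        while now - hits[0] > self.window:
            hits.popleft()                  # drop attempts outside the window
        if len(hits) >= self.limit:
            self.banned_until[ip] = now + self.ban
            hits.clear()
        return "reject-recipient"

# Constructed sample traffic: (minutes after start, sender IP, recipient exists?)
SAMPLE = [
    (0, "192.0.2.10", False), (30, "192.0.2.10", False),
    (60, "198.51.100.7", False),            # single typo from another sender
    (90, "192.0.2.10", False),              # third invalid attempt within 3 hours
    (120, "192.0.2.10", True),              # valid recipient, sender now blacklisted
    (120, "198.51.100.7", True),
    (26 * 60, "192.0.2.10", True),          # after the 24-hour blacklisting ends
]

def replay(events, tracker=None, start=datetime(2024, 1, 1, 8, 0)):
    tracker = tracker or DhaTracker()
    return [tracker.check(ip, ok, start + timedelta(minutes=m)) for m, ip, ok in events]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE, replay(SAMPLE)):
        print(event, "->", verdict)
```

Because the counter is keyed on the sender IP, probes spread across many senders or spaced wider than the window never reach the limit, which is why distributed attacks are hard to catch this way.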

Enabling or Disabling the DHA Protection Test

Enable or disable the DHA Protection Test by clicking the ON / OFF button at the top of the Blacklist > DHA Protection Test page, or on the Filtering > Tests page.

Using the DHA Protection Test

Database button

See the Database Settings Dialog topic.

Settings button

See the DHA Protection Test Settings Dialog topic.

Notes

Reliance on the Recipient Validation Test / Recipient Blacklist

Invalid delivery attempts are reported to the DHA Protection Test by the recipient tests of ORF—primarily the Recipient Validation Test and secondly, the Recipient Blacklist.

At least one of these tests must be enabled for the DHA Protection Test to work.

Filtering Point assignments

It is recommended to assign the DHA Protection Test to the Before Arrival filtering point if possible.

In fact, DHA Protection is of little use at the On Arrival filtering point, because harvest attacks occur at the Before Arrival filtering point and normally never reach On Arrival. When emails to invalid recipients do reach On Arrival, it is usually not a real harvest attack, but the result of what we term "address list enrichment", i.e., when the address lists acquired by spammers contain "invented" email addresses. In this case, actual spam is sent to an invalid address. Running the DHA Protection Test at On Arrival can provide limited protection against this.

Copyright © Vamsoft e-Security Kft. All rights reserved. Document ID adm-dhaprotection, version 1.