Directory Harvest Attack (DHA) Protection

84
Votes

DONE Directory Harvest Attack (DHA) Protection

| Last activity: more than 10 years ago
Add a new test to ORF that would temporarily reject all delivery attempts if the sending IP address is sending to more than "X" (user-configurable) non-existent recipients within in a specified period of time. This would provide some protection against poorly distributed or non-distributed Directory Harvest Attacks.

Comments

I'd like to refine this: a) if more than X invalid recipients in a single connection, drop the connection (conserves band-width and sockets) b) if more than X invalid recipients by that IP in a configurable time interval, then add to temporary IP blacklist
by Andy Schmidt more than 10 years ago
@Andy: a) We are not aware of a documented way to reliably identify a single connection (not without possible conflicts with other software under IIS SMTP/Exchange 2000-2003), but dropping the connection with the current "Close connection when blocking" option would work, just by the IP. b) That is how it would work. The temporary IP blacklist would offer the DHA protection itself. This is similar to honeypots (http://www.vamsoft.com/features/features_more.asp?fi=7), but there even a single email address may trigger the blacklisting and probably for a longer period of time. Unfortunately, most of the DHAs are massively distributed, so this would stop the most simple attacks only.
by Peter Karsai (Vamsoft) more than 10 years ago
Looking at the logs senders seem to use a sending name for very few in a row. Same with IP address. They will use several on a /24 block 5 from this IP, 5 from that and jump around. Using sender for the filter chances are it will catch very few, using IP addresses or block will result in false positives, especially when dealing with hotmail (can you guys let them know that 100,000 mails from a single source and all coming off same hotmail subnet is a outbound SPAM attack).
by Brian more than 10 years ago
SMTP tarpitting should help here as well.
by Gregg, no longer anonymous! more than 10 years ago
@Gregg: yes, it should, though it only slows down the attack buy delaying the SMTP responses (this is what the Tarpit Delay test of ORF does currently, but it has some limitations: ORF holds up max 10 concurrent sessions, as holding up too many may eat up your SMTP connections causing delivery problems). This solution would hopefully stop it as soon as the attack is detected.
by Krisztian Fekete (Vamsoft) more than 10 years ago

My Comment

Please sign in or sign up to comment.
hnp1 | hnp2