Twin Cities Security User Group

  • 1.  DHA - Directory Harvest Attack best practices

    Posted Mar 03, 2010 10:44 AM
    SBG out of the box is configured for
      bad recipients %  = 80
      min # of bad recipients = 5
      window = 10 minutes
      penalty box = 60 minutes.

    I'm wondering what others are using for these settings. I'm thinking of increasing the penalty box time to a couple of hours.

    Also,  is anyone using the DHA reports to populate local bad sender IP lists?
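
    The four settings quoted above interact as a sliding-window threshold. The following is an added example (not SBG's code or the poster's; the parameter names, the "unknown recipient" bookkeeping and the sample IPs are assumptions) that models that logic and shows how the penalty box length changes whether a harvester is still blocked two hours later:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class DhaTracker:
    """Simplified DHA detector (assumed model, not SBG's implementation).
    An IP enters the penalty box when, within `window`, it has sent at least
    `min_bad` RCPT TOs for unknown recipients AND those are at least `bad_pct`
    percent of all its RCPT TOs in that window."""

    def __init__(self, bad_pct=80, min_bad=5, window_min=10, penalty_min=60):
        self.bad_pct = bad_pct
        self.min_bad = min_bad
        self.window = timedelta(minutes=window_min)
        self.penalty = timedelta(minutes=penalty_min)
        self.events = defaultdict(deque)   # ip -> deque of (timestamp, is_bad)
        self.penalty_until = {}            # ip -> datetime the penalty expires

    def in_penalty_box(self, ip, now):
        until = self.penalty_until.get(ip)
        return until is not None and now < until

    def record(self, ip, ts, recipient_known):
        """Record one RCPT TO from `ip`; return True if the IP is penalised after it."""
        if self.in_penalty_box(ip, ts):
            return True
        q = self.events[ip]
        q.append((ts, not recipient_known))
        while q and q[0][0] < ts - self.window:   # drop events outside the window
            q.popleft()
        bad = sum(1 for _, is_bad in q if is_bad)
        if bad >= self.min_bad and 100 * bad >= self.bad_pct * len(q):
            self.penalty_until[ip] = ts + self.penalty
            q.clear()
            return True
        return False

def simulate(penalty_min):
    """Constructed sample traffic: one harvester and one legit sender with a typo."""
    t0 = datetime(2010, 3, 3, 10, 0)
    trk = DhaTracker(penalty_min=penalty_min)
    harvester = "192.0.2.10"      # documentation address, constructed
    # 6 RCPT TOs in 6 minutes, 5 of them for addresses that do not exist
    for i, known in enumerate([False, False, True, False, False, False]):
        hit = trk.record(harvester, t0 + timedelta(minutes=i), known)
    legit = "198.51.100.7"        # documentation address, constructed
    for i, known in enumerate([True] * 9 + [False]):   # 1 bad out of 10 -> below min_bad
        trk.record(legit, t0 + timedelta(seconds=30 * i), known)
    return {
        "harvester_penalised": hit,
        "legit_penalised": trk.in_penalty_box(legit, t0 + timedelta(minutes=5)),
        "harvester_blocked_after_2h": trk.in_penalty_box(harvester, t0 + timedelta(hours=2)),
    }
```

    With the default 60-minute penalty the harvester is free again well before two hours have passed; with the 180-minute value discussed later in the thread it is still held.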


  • 2.  RE: DHA - Directory Harvest Attack best practices

    Posted Mar 03, 2010 02:08 PM


    Configuring directory harvest attack recognition

    http://seer.entsupport.symantec.com/docs/321878.htm


  • 3.  RE: DHA - Directory Harvest Attack best practices

    Posted Mar 03, 2010 09:21 PM
    Thanks. I've read the manual. I'm looking for user experiences (pro/con) of using longer penalty times, or lower thresholds, and the idea of using this as a source for local bad sender IPs.


  • 4.  RE: DHA - Directory Harvest Attack best practices

    Posted Mar 03, 2010 09:35 PM
    Attached PDF for about 3 days.


  • 5.  RE: DHA - Directory Harvest Attack best practices

    Posted Mar 04, 2010 12:24 PM
    I think it's not a good idea to put those IP addresses in the "Local Bad Sender IPs". Here is my thinking: since most of the IPs would be dynamic and may later be assigned to senders trying to send legit messages, you will not be able to receive messages from them and they will have to contact you to get the IP address removed from your local list. This puts the additional burden of micro-managing those IPs on the admin.

    I see that one of the IPs (203.87.178.17) in your report (I did not check other IPs) already has a "negative reputation" in the Symantec IP Reputation database. I would rather let Symantec manage those IPs based on its global intelligence network. But if you are willing to take on the additional administrative burden and are fairly certain that you have not and will not receive legit messages from those IPs, then maybe it's not a bad idea to add those IPs to the local list.

    Regards,

    Adnan



  • 6.  RE: DHA - Directory Harvest Attack best practices

    Posted Mar 05, 2010 10:44 AM
    I agree that the admin burden is probably not worth the trouble. I'm not so sure about "dynamic" addresses moving to legitimate senders being an issue... but I do have vendors who are on "DSL" space per IP2Location.com data.

    I'm thinking that I might want to make the penalty time longer - say 2-3 hours, as I think most legit senders will retry for at least 4 hours before notifying their users.


  • 7.  RE: DHA - Directory Harvest Attack best practices
    Best Answer

    Posted Mar 05, 2010 08:35 PM
    Yes, I think increasing the penalty time to 3 hours may not be a bad idea.


  • 8.  RE: DHA - Directory Harvest Attack best practices

    Posted Mar 11, 2010 12:53 AM
    Thanks.