Messaging Gateway

  • 1.  DHA verdict on an email destined to domain which is not enabled recipient validation

    Posted Oct 09, 2009 11:04 AM

    Hi,

    I am using SBG 8.0.2. I enabled recipient validation on some local domains; for example, abc.com has recipient validation enabled but xyz.com does not. In addition, I also turned on directory harvest attack (DHA) detection. So, is it possible that an email destined to xyz.com is tagged (verdict) as a directory harvest attack? I understand it should not be, but I saw it in the message audit log today. Could anyone please clarify it for me?

    Thanks,
    Nitass



  • 2.  RE: DHA verdict on an email destined to domain which is not enabled recipient validation

    Posted Oct 12, 2009 11:14 AM

    Hi Nitass,

    One question: are you dropping or rejecting messages to invalid recipients (drop uses an LDAP Sync source and reject uses a recipient validation source)?

    Not quite sure if what you are seeing should be possible, but you could certainly see the following. Recipient validation should only reject messages for users that don't exist at abc.com, and it sounds like this is what you are seeing, but you have also enabled DHA attack functionality, which is basically stating that if an IP tries to send so many messages over a certain period of time to users that don't exist in the abc.com domain, then start rejecting all messages from this IP for a certain time period. So once the IP is placed in the 'penalty box', regardless of what domain it wants to send messages to, messages from that IP are going to be rejected for whatever time you have configured. Does that make sense?

    One thing to call out though: once we've declared a DHA attack, as soon as the IP makes the connection, by default we should reject the message, and at that stage we really shouldn't know who the message was destined for, as the connection is terminated before we get to the 'rcpt to' in the SMTP conversation. Have you possibly changed the default action to not reject or defer? That could maybe cause what you are seeing...

    Kevin


  • 3.  RE: DHA verdict on an email destined to domain which is not enabled recipient validation

    Posted Oct 12, 2009 12:27 PM

    Hi Kevin,

    Thanks for your reply. It is nice to see you again. :-)

    >Are you dropping or rejecting messages to invalid recipients (drop uses an LDAP Sync source and reject uses a recipient validation source)?

    I am dropping the messages.

    >Recipient validation should only reject messages for users that don't exist at abc.com, and it sounds like this is what you are seeing, but you have also enabled DHA attack functionality, which is basically stating that if an IP tries to send so many messages over a certain period of time to users that don't exist in the abc.com domain, then start rejecting all messages from this IP for a certain time period. So once the IP is placed in the 'penalty box', regardless of what domain it wants to send messages to, messages from that IP are going to be rejected for whatever time you have configured. Does that make sense?

    Yes, it looks reasonable. So, if I examine the message audit log of abc.com, I should find the DHA verdict there, shouldn't I? Let me check and I will post here.

    >Have you possibly changed the default action to not reject or defer? That could maybe cause what you are seeing...

    I will look into whether I can do that.

    Thanks,
    Nitass



  • 4.  RE: DHA verdict on an email destined to domain which is not enabled recipient validation

    Posted Oct 13, 2009 08:16 AM

    Kevin,

    I already had a look in the message audit log and it is so strange. There is only one message destined to abc.com which was tagged with the DHA verdict. However, there are about 40 messages destined to xyz.com that were tagged DHA. Did I miss anything?

    Thanks,
    Nitass

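The penalty-box behaviour Kevin describes in reply 2, and the audit-log pattern Nitass reports in reply 4 (one DHA hit for abc.com, many for xyz.com), can be reproduced with a small model. The following is an added example written for this page; it is not Symantec Brightmail Gateway code and does not reflect the product's real thresholds or internals. It assumes: invalid-recipient attempts are counted per connecting IP over a sliding window (window length, threshold and penalty duration are arbitrary values chosen here); only domains with recipient validation enabled contribute invalid-recipient hits; and a hypothetical `reject_at_connect` switch models the difference between the default action (connection refused before `RCPT TO`, so no destination domain is known) and an action that lets the transaction continue and merely tags it. All IPs, mailboxes and timestamps are constructed sample data.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Simplified model of the DHA penalty box described in the thread.
# Constructed for illustration; thresholds and window are assumptions,
# not Brightmail Gateway defaults.


@dataclass
class DhaPolicy:
    max_invalid_rcpts: int = 5      # invalid-recipient hits that trigger the penalty box
    window_seconds: int = 60        # sliding window over which hits are counted
    penalty_seconds: int = 300      # how long an IP stays in the penalty box
    reject_at_connect: bool = True  # True: refuse connection (no RCPT TO seen); False: tag and continue


@dataclass
class DhaState:
    invalid_hits: dict = field(default_factory=lambda: defaultdict(deque))  # ip -> hit timestamps
    penalty_until: dict = field(default_factory=dict)                      # ip -> expiry time


def evaluate(state, policy, validated_domains, valid_users, event):
    """Return the verdict for one SMTP transaction.

    event is a dict with keys ts (seconds), ip (connecting IP) and rcpt (address).
    """
    ts, ip, rcpt = event["ts"], event["ip"], event["rcpt"]
    domain = rcpt.split("@", 1)[1]

    # 1. An IP already in the penalty box is refused regardless of destination domain.
    until = state.penalty_until.get(ip)
    if until is not None and ts < until:
        # With the default action the connection is dropped before RCPT TO,
        # so the gateway never learns the destination domain.
        seen_domain = None if policy.reject_at_connect else domain
        return {"verdict": "DHA", "rcpt_domain": seen_domain}

    # 2. Only domains with recipient validation enabled can produce invalid-recipient hits.
    if domain in validated_domains and rcpt not in valid_users:
        hits = state.invalid_hits[ip]
        hits.append(ts)
        while hits and hits[0] <= ts - policy.window_seconds:  # expire old hits
            hits.popleft()
        if len(hits) >= policy.max_invalid_rcpts:
            state.penalty_until[ip] = ts + policy.penalty_seconds
            hits.clear()
            return {"verdict": "DHA", "rcpt_domain": domain}
        return {"verdict": "invalid-recipient", "rcpt_domain": domain}

    # 3. Unvalidated domains, or valid users, are accepted as normal.
    return {"verdict": "accept", "rcpt_domain": domain}


def count_dha_by_domain(results):
    """Summarise DHA verdicts per destination domain, as an audit log review would."""
    counts = defaultdict(int)
    for r in results:
        if r["verdict"] == "DHA":
            counts[r["rcpt_domain"]] += 1
    return dict(counts)


def run_sample(reject_at_connect=True):
    """Replay a constructed sequence of transactions from one sender IP."""
    policy = DhaPolicy(max_invalid_rcpts=3, window_seconds=60,
                       penalty_seconds=300, reject_at_connect=reject_at_connect)
    state = DhaState()
    validated_domains = {"abc.com"}          # xyz.com has no recipient validation
    valid_users = {"alice@abc.com"}
    events = [  # constructed sample data (TEST-NET addresses)
        {"ts": 0,   "ip": "203.0.113.7",  "rcpt": "aaron@abc.com"},   # invalid, hit 1
        {"ts": 5,   "ip": "203.0.113.7",  "rcpt": "abby@abc.com"},    # invalid, hit 2
        {"ts": 10,  "ip": "203.0.113.7",  "rcpt": "adam@abc.com"},    # hit 3 -> penalty box
        {"ts": 20,  "ip": "203.0.113.7",  "rcpt": "bob@xyz.com"},     # DHA despite xyz.com
        {"ts": 25,  "ip": "203.0.113.7",  "rcpt": "carol@xyz.com"},   # DHA despite xyz.com
        {"ts": 30,  "ip": "198.51.100.9", "rcpt": "dave@xyz.com"},    # other IP, unaffected
        {"ts": 400, "ip": "203.0.113.7",  "rcpt": "alice@abc.com"},   # penalty expired
    ]
    return [evaluate(state, policy, validated_domains, valid_users, e) for e in events]


if __name__ == "__main__":
    for mode in (True, False):
        results = run_sample(reject_at_connect=mode)
        print("reject_at_connect =", mode)
        for r in results:
            print("  ", r)
        print("   DHA verdicts by domain:", count_dha_by_domain(results))
```

With the default refuse-at-connect action the penalty-box verdicts carry no destination domain, which is Kevin's point: an audit log entry attributing a DHA verdict to xyz.com can only arise if the transaction was allowed to reach `RCPT TO`. Flipping the switch to tag-and-continue yields exactly the pattern from reply 4, one DHA entry for abc.com (the hit that tripped the threshold) and the rest for the unvalidated domain.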

  • 5.  RE: DHA verdict on an email destined to domain which is not enabled recipient validation

    Posted Oct 28, 2009 12:13 PM

    Hi All,

    I think the problem may relate to DROP invalid recipients. I use DROP instead of reject. Let me create a new discussion to ask the question clearly.

    Thanks,
    Nitass