How can I prevent a Directory Harvest Attack (DHA) and Spoofed NDRs on my Exchange Server?
Directory Harvest Attack Background:
Spammers use a technique called a "directory attack" to deliver email; it can generate a large number of NDR reports and ultimately choke your bandwidth. Many different techniques are used, but they typically fall into one of the following scenarios.
Directory attacks take common given names and surnames and generate addresses from many combinations of those names. For example, taking "John" and "Smith" as common names, the resulting email addresses could be jsmith, johns, or john.smith, to name only a few. Sending email to many such combinations of addresses results in an unusually high number of NDRs. However, the prime purpose of this type of spam is to determine which email addresses are valid within your Exchange Server organization.
Another manifestation of NDR attacks is due to the high number of spambots. Spambots are programs that have infested client PCs around the world and generate vast amounts of spam. These spam messages have automatically generated To and Sender addresses. When a spambot message is delivered to a target site and the recipient address is not valid, an NDR is generated and sent to the Sender address. If the sender address happens to be in your domain, the NDR is delivered to your server. The NDR is termed "spoofed" because the original message did not originate from your server or domain. This is also known as NDR backscatter.
Nemx SecurExchange's Address Manager component prevents directory harvest and NDR spoofing attacks by handling both scenarios. Directory harvest attacks are handled by allowing a threshold to be set on the number of unresolvable recipients within an incoming email. Once the threshold is met, the message can be deleted or routed to a user or Public Folder. The SMTP session is then dropped, so the spammer generates his own NDRs for all addresses with no additional overhead on the part of your Exchange Server or your administrator. Spoofed NDRs are addressed by enabling a number of specific NDR rules. Once these are defined, a spoofed NDR matching a rule's characteristics triggers it, and any number of message actions may be invoked. Valid NDRs are not affected by SecurExchange's spoofed NDR logic.
Define a rule to handle spoofed NDR messages (BackScatter):
- From the Address Manager tab in the Non Delivery Report section, set the Enable setting
- In the Default Action field, select the appropriate message action (i.e. Delete Message, or any other available action)
- Press the Rules button.
- Enable the appropriate spoofed NDR rules - "Spoofed NDR", "Spoofed NDR - invalid address", "NDR - invalid address"
- Click Ok
- Click Apply
Define a rule to handle messages containing a high number of unresolvable addresses:
- From the Address Manager tab in the Header Filtering section, click Add
- In the Addressing Rule field, enter >>X, where X is the maximum number of unresolvable addresses permitted
- Select the appropriate Action.
- Enable Active
- Click Ok
- Click Apply
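As an added illustration (not SecurExchange's own code, and not a description of its internals), the following Python models the two checks that the background section and the two procedures above describe: the ">>X" threshold on unresolvable recipients within one inbound message, and the classification of an inbound NDR as valid, spoofed (backscatter), or spoofed and addressed to a local user that does not exist, which is the distinction behind the "Spoofed NDR" and "Spoofed NDR - invalid address" rules. The local directory, the threshold value, the set of Message-IDs "we" sent and the sample NDRs are all constructed for the example.

```python
"""Added example (not SecurExchange code): threshold-based directory-harvest
detection and spoofed-NDR (backscatter) classification over constructed data.
The directory, the threshold and the set of sent Message-IDs are assumptions."""
from email import message_from_string
from email.message import Message
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed stand-in for the Exchange directory: the addresses that resolve.
LOCAL_DIRECTORY = {
    "john.smith@example.com",
    "jane.doe@example.com",
    "postmaster@example.com",
}


def _normalize(addr):
    """Lower-case an address and strip the <...> brackets used in SMTP envelopes."""
    return addr.strip().strip("<>").lower()


def unresolvable_count(recipients):
    """Count the RCPT TO addresses of one inbound message that do not resolve."""
    return sum(1 for r in recipients if _normalize(r) not in LOCAL_DIRECTORY)


def harvest_verdict(recipients, max_unresolvable):
    """Equivalent of the '>>X' addressing rule: once MORE THAN X recipients of one
    message are unresolvable, return 'drop' (close the session, send no NDRs);
    otherwise 'accept'.  A single mistyped address therefore still passes."""
    return "drop" if unresolvable_count(recipients) > max_unresolvable else "accept"


def make_ndr(local_rcpt, original_message_id):
    """Build a constructed delivery-status report addressed to local_rcpt that
    carries the bounced message's headers in a message/rfc822 part, then parse
    it again so it looks exactly like an NDR that arrived over SMTP."""
    outer = MIMEMultipart("report", report_type="delivery-status")
    outer["Return-Path"] = "<>"  # null reverse path: this is a bounce
    outer["From"] = "mailer-daemon@remote.example.net"
    outer["To"] = local_rcpt
    outer.attach(MIMEText("The message could not be delivered."))
    status = Message()
    status.set_type("message/delivery-status")
    per_message, per_recipient = Message(), Message()
    per_message["Reporting-MTA"] = "dns; remote.example.net"
    per_recipient["Action"] = "failed"
    per_recipient["Status"] = "5.1.1"
    status.set_payload([per_message, per_recipient])
    outer.attach(status)
    original = Message()  # headers of the message the remote site bounced
    original["From"] = local_rcpt
    original["To"] = "someone@remote.example.net"
    original["Message-ID"] = original_message_id
    original.set_payload("(original body omitted)")
    outer.attach(MIMEMessage(original))
    return message_from_string(outer.as_string())


def is_ndr(msg):
    """Treat a null reverse path or a multipart/report as a bounce."""
    return (msg.get("Return-Path", "").strip() == "<>"
            or msg.get_content_type() == "multipart/report")


def original_message_id(ndr):
    """Pull the Message-ID of the bounced message out of the message/rfc822 part."""
    for part in ndr.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0).get("Message-ID")
    return None


def ndr_verdict(msg, sent_message_ids):
    """Classify an inbound message the way the page's NDR rules distinguish cases:
      'not-ndr'                 ordinary mail, untouched by the NDR rules
      'spoofed-invalid-address' bounce addressed to a local user that does not exist
      'spoofed'                 the bounced message was never sent from here
      'valid'                   the bounced message is one of ours"""
    if not is_ndr(msg):
        return "not-ndr"
    if _normalize(msg.get("To", "")) not in LOCAL_DIRECTORY:
        return "spoofed-invalid-address"
    if original_message_id(msg) in sent_message_ids:
        return "valid"
    return "spoofed"


if __name__ == "__main__":
    # Constructed session: one real user plus three harvest-style guesses.
    guesses = ["<john.smith@example.com>", "<jsmith@example.com>",
               "<johns@example.com>", "<smithj@example.com>"]
    print("harvest, X=2:", harvest_verdict(guesses, 2))
    sent = {"<abc123@example.com>"}  # Message-IDs our server actually sent
    print("ndr:", ndr_verdict(make_ndr("john.smith@example.com", "<abc123@example.com>"), sent))
    print("ndr:", ndr_verdict(make_ndr("bob@example.com", "<forged@example.com>"), sent))
```

The threshold is deliberately "more than X" rather than "at least X", matching the ">>X" rule's wording that X is the maximum permitted; the NDR check looks only at the recipient's existence and the bounced Message-ID, so a genuine bounce for mail your server really sent still reaches the user.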
Need to add complete Anti-Virus protection from Internet email to your solution? Check out SecurExchange Anti-Virus!