Directory Harvest Attack

The Reputation > Policies > Bad Senders > Directory Harvest Attack page provides an overview of your existing directory harvest attack definition and lets you add to or edit the actions taken when attack conditions you specify are met. The conditions you specify under Directory Harvest Attack Configuration define the situations that Symantec Messaging Gateway recognizes as a directory harvest attack. To enable directory harvest attack recognition, check Enable.
The following are the actions that you may perform:
  • Create and enable a data source with recipient validation enabled.
  • Set up your local domains. Symantec Messaging Gateway accepts inbound messages only for the domains you specify.
  • Enable invalid recipient handling, configured to reject invalid recipients.
The default action for this group is Defer SMTP Connection. You cannot combine other actions with the Defer SMTP Connection action. If you want to choose other actions, first delete the default action from the list.
Bad recipient messages are messages sent to addresses in your local domains that do not exist.
The following table lists options available when configuring directory harvest attack policies.
Directory Harvest Attack page

| Item | Description |
| --- | --- |
| Enable DHA detection | Check to enable the actions chosen for this policy. Uncheck to disable all actions based on this policy. |
| Minimum percentage of bad recipients | Percentage of bad recipient messages from a single server that must be exceeded to trigger the specified action. The minimum number must also be exceeded. |
| Minimum number of bad recipients | Number of bad recipient messages from a single server that must be exceeded to trigger the specified action. The minimum percentage must also be exceeded. |
| Qualification time window | Time period in which the specified percentage and number of bad recipient messages must be exceeded to trigger the specified action. |
| Penalty box time | Period of time during which to perform the specified action against all messages from the sending SMTP connection. |
| If a Directory Harvest Attack occurs | Choose an action to take if a bad recipient message matches the specified conditions. You can add multiple actions, although the default, recommended, action of Defer SMTP Connection is usually specified by itself. |
| [various entry fields] | Depending on the action you chose, you may need to enter specific information required to complete the action. |
| Add Action/Update Action | Click to add the action in the drop-down list to the Actions list below. When you edit an action this button changes to Update Action. |
| Edit | Check the box next to an action and click Edit. Make your changes and then click Update Action to save changes to the action. |
| Delete | Check the box next to one or more actions and click Delete. |
| Save | Save your changes. |
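
The following Python sketch is an added example, not Symantec Messaging Gateway code. It models how the four settings in the table interact: both minimums must be exceeded within the qualification time window before the server enters the penalty box. The class and function names, the per-server bookkeeping, the threshold values, and the sample traffic are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class DhaDetector:
    """Toy model of the table's four thresholds; not Symantec's implementation."""

    def __init__(self, min_percent, min_count, window_s, penalty_s):
        self.min_percent, self.min_count = min_percent, min_count
        self.window_s, self.penalty_s = window_s, penalty_s  # window_s > 0
        self.events = defaultdict(deque)  # server -> deque of (time, is_bad)
        self.penalty_until = {}           # server -> time the penalty box ends

    def observe(self, server, ts, recipient_valid):
        """Record one recipient check and return accept, reject or defer."""
        if ts < self.penalty_until.get(server, 0):
            return "defer"                # still inside the penalty box
        q = self.events[server]
        q.append((ts, not recipient_valid))
        while q and q[0][0] <= ts - self.window_s:
            q.popleft()                   # drop events older than the window
        bad = sum(1 for _, is_bad in q if is_bad)
        percent = 100.0 * bad / len(q)
        # Both thresholds must be exceeded, not merely reached.
        if bad > self.min_count and percent > self.min_percent:
            self.penalty_until[server] = ts + self.penalty_s
            q.clear()
            return "defer"
        return "accept" if recipient_valid else "reject"

def replay(detector, events):
    """Feed (server, time, recipient_valid) tuples; return the verdicts."""
    return [detector.observe(s, t, ok) for s, t, ok in events]

# Constructed sample traffic (documentation addresses, times in seconds).
HARVEST = [("192.0.2.10", t, ok) for t, ok in
           enumerate([True, False, False, False, False, True])]
# Sixteen valid recipients then four typos: count exceeded, percentage not.
TYPOS = [("198.51.100.7", t, t < 16) for t in range(20)]

if __name__ == "__main__":
    # Constructed thresholds, not product defaults: >50 %, >3, 60 s, 300 s.
    d = DhaDetector(min_percent=50, min_count=3, window_s=60, penalty_s=300)
    print(replay(d, HARVEST))
    print(replay(d, TYPOS))
```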