“检测到的潜在目录搜集攻击”警告消息表示什么？

简介

本文档介绍在思科邮件安全设备(ESA)上收到的“Potential Directory Harvest Attack”错误消息。

“检测到的潜在目录搜集攻击”警告消息表示什么？

ESA管理员已收到以下目录收集攻击防御(DHAP)警告消息：

The Warning message is:

Potential Directory Harvest Attack detected. See the system mail logs for more
information about this attack.

Version: 8.0.1-023
Serial Number: XXBAD1112DYY-008X011
Timestamp: 22 Sep 2014 21:21:32 -0600

这些警报只是提供信息，您无需采取任何操作。外部邮件服务器尝试了过多的无效收件人，并触发了DHAP（目录搜集攻击防御）警报。根据邮件策略配置，ESA按照配置工作。  

这是侦听程序每小时将从远程主机接收的最大无效收件人数。此阈值表示RAT拒绝和SMTP Call-Ahead服务器拒绝的总数，以及发送到SMTP会话中丢弃或工作队列中退回的无效LDAP收件人的邮件总数（如相关侦听程序的LDAP接受设置中所配置）。有关为LDAP接受查询配置DHAP的详细信息，请参阅邮件安全用户指南的“LDAP查询”一章。 

如果您不想接收这些风险通告，可以使用alertconfig调整风险通告配置文件以过滤这些风险通告：

myesa.local> alertconfig

Sending alerts to:
 robert@domain.com
 Class: All - Severities: All

Initial number of seconds to wait before sending a duplicate alert: 300
Maximum number of seconds to wait before sending a duplicate alert: 3600
Maximum number of alerts stored in the system are: 50

Alerts will be sent using the system-default From Address.

Cisco IronPort AutoSupport: Enabled
You will receive a copy of the weekly AutoSupport reports.

Choose the operation you want to perform:
- NEW - Add a new email address to send alerts.
- EDIT - Modify alert subscription for an email address.
- DELETE - Remove an email address.
- CLEAR - Remove all email addresses (disable alerts).
- SETUP - Configure alert settings.
- FROM - Configure the From Address of alert emails.
[]> edit

Please select the email address to edit.
1. robert@domain.com (all)
[]> 1

Choose the Alert Class to modify for "robert@domain.com".
Press Enter to return to alertconfig.
1. All - Severities: All
2. System - Severities: All
3. Hardware - Severities: All
4. Updater - Severities: All
5. Outbreak Filters - Severities: All
6. Anti-Virus - Severities: All
7. Anti-Spam - Severities: All
8. Directory Harvest Attack Prevention - Severities: All

或者通过GUI System Administration > Alerts > Recipient Address修改严重性级别为已接收的，或者完整修改警报。  

GUI

要从GUI查看您的DHAP配置参数，请依次点击邮件策略(Mail Policies) >邮件流策略(Mail Flow Policies) >点击策略名称(Policy Name)进行编辑，或者点击默认策略参数(Default Policy Parameters) >，然后根据需要对邮件流限制/目录搜集攻击防御(DHAP)部分进行更改：

提交并提交对GUI的更改。

CLI

要从CLI查看您的DHAP配置参数，请使用listenerconfig > edit(选择要编辑的监听程序编号)> hostaccess > default来编辑DHAP设置：

Default Policy Parameters
==========================
Maximum Message Size: 10M
Maximum Number Of Concurrent Connections From A Single IP: 10
Maximum Number Of Messages Per Connection: 10
Maximum Number Of Recipients Per Message: 50
Directory Harvest Attack Prevention: Enabled
Maximum Number Of Invalid Recipients Per Hour: 25
Maximum Number Of Recipients Per Hour: Disabled
Maximum Number of Recipients per Envelope Sender: Disabled
Use SenderBase for Flow Control: Yes 
Spam Detection Enabled: Yes
Virus Detection Enabled: Yes
Allow TLS Connections: No
Allow SMTP Authentication: No
Require TLS To Offer SMTP authentication: No
DKIM/DomainKeys Signing Enabled: No
DKIM Verification Enabled: No
SPF/SIDF Verification Enabled: No
DMARC Verification Enabled: No
Envelope Sender DNS Verification Enabled: No
Domain Exception Table Enabled: No
Accept untagged bounces: No

There are currently 5 policies defined.
There are currently 8 sender groups.

Choose the operation you want to perform:
- NEW - Create a new entry.
- EDIT - Modify an entry.
- DELETE - Remove an entry.
- MOVE - Move an entry.
- DEFAULT - Set the defaults.
- PRINT - Display the table.
- IMPORT - Import a table from a file.
- EXPORT - Export the table to a file.
- RESET - Remove senders and set policies to system default.
[]> default

Enter the default maximum message size. Add a trailing k for kilobytes, M for
megabytes, or no letter for bytes. 
[10M]> 

Enter the maximum number of concurrent connections allowed from a single
IP address. 
[10]> 

Enter the maximum number of messages per connection. 
[10]> 

Enter the maximum number of recipients per message. 
[50]> 

Do you want to override the hostname in the SMTP banner? [N]> 

Would you like to specify a custom SMTP acceptance response? [N]> 

Would you like to specify a custom SMTP rejection response? [N]> 

Do you want to enable rate limiting per host? [N]> 

Do you want to enable rate limiting per envelope sender? [N]> 

Do you want to enable Directory Harvest Attack Prevention per host? [Y]> 

Enter the maximum number of invalid recipients per hour from a remote host.
[25]> 

Select an action to apply when a recipient is rejected due to DHAP:
1. Drop
2. Code
[1]> 

Would you like to specify a custom SMTP DHAP response? [Y]> 

Enter the SMTP code to use in the response. 550 is the standard code.
[550]> 

Enter your custom SMTP response. Press Enter on a blank line to finish.

Would you like to use SenderBase for flow control by default? [Y]> 

Would you like to enable anti-spam scanning? [Y]> 

Would you like to enable anti-virus scanning? [Y]> 

Do you want to allow encrypted TLS connections?
1. No
2. Preferred
3. Required
4. Preferred - Verify
5. Required - Verify
[1]> 

Would you like to enable DKIM/DomainKeys signing? [N]> 

Would you like to enable DKIM verification? [N]> 

Would you like to change SPF/SIDF settings? [N]> 

Would you like to enable DMARC verification? [N]> 

Would you like to enable envelope sender verification? [N]> 

Would you like to enable use of the domain exception table? [N]> 

Do you wish to accept untagged bounces? [N]> 

如果您进行任何更新或更改，请返回主CLI提示符并提交所有更改。

相关信息

• 思科邮件安全设备-最终用户指南
• 技术支持和文档 - Cisco Systems