Connection Manager : Automatically Blocking Attacks

The Connection Manager can be configured to automatically block attacks using the Edit page.
In order for Connection Manager to stop an attack, an administrator must, in advance, activate the settings, select a sensitivity level for determining the condition, and choose an appropriate 500-class error response.
Types of Attacks
Based on billions of messages processed each month, profiles were developed for the following four different types of malicious mail server attacks.
Directory Harvest Attack (DHA)
DHA refers to an attack where the attacker sends many SMTP “rcpt to” commands to a server in an attempt to check common user names by brute force. Although its aim is to retrieve a list of user addresses, it can act as a Denial of Service (DoS) attack by overloading the receiving mail server, which is kept busy replying to “rcpt to” commands instead of processing mail traffic.
Email Bomb
An email bomb is a DoS attack where a large volume of emails with a large mean message size are sent from a particular IP, overwhelming the receiving mail server.
Spam Attack
A spam attack is a DoS attack whereby a statistically significant quantity of spam relative to non-spam traffic is sent from one server.
Virus Outbreak
A virus outbreak is a DoS attack whereby a statistically significant amount of virus traffic relative to valid email traffic is received from a particular sending server over a time period.
Sensitivity to Attacks
Connection Manager settings provide flexibility when responding to email attacks. The sensitivity setting provides a simple lever to adjust the attention the Connection Manager pays to attackers. The default setting for each attack is “Normal”. Normal is the recommended setting, which will identify most attacks with no chance of misdiagnosing an attack.
To understand just how the other sensitivities relate to Normal, consider that each email attack has a numerical formula, and each sensitivity setting has a multiplier which adjusts the scale of the attack. This table lists the multipliers used for each sensitivity setting:
Note: The Sensitivity settings also affect alerts since sensitivity determines when the event is initiated.
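To make the sensitivity lever concrete, here is an added illustration (not the Connection Manager's own code, and not its real multiplier table, which this page does not reproduce): a toy DHA detector that counts “rcpt to” attempts for unknown recipients per sending IP and compares the count against a base threshold scaled by an assumed multiplier, then returns a 500-class reply for blocked sources. The IP addresses, user list, baseline and multipliers are all constructed.

```python
from collections import Counter

# Assumed multipliers for illustration only; the product's real table is not on this page.
# A larger multiplier raises the threshold, so "Low" tolerates more unknown-recipient
# attempts before a source is flagged and "High" tolerates fewer (more false positives).
SENSITIVITY_MULTIPLIER = {"Low": 2.0, "Normal": 1.0, "High": 0.5}
BASE_UNKNOWN_RCPT_THRESHOLD = 20  # assumed baseline: unknown recipients per source per window

# Constructed recipient directory, standing in for the service's user list.
KNOWN_USERS = {"alice@example.com", "bob@example.com", "carol@example.com"}

# Constructed SMTP transaction records: (source IP, "rcpt to" address).
SAMPLE_EVENTS = (
    [("203.0.113.7", f"user{i}@example.com") for i in range(30)]      # brute-force name probing
    + [("198.51.100.4", u) for u in sorted(KNOWN_USERS)]               # legitimate deliveries
    + [("198.51.100.4", f"former{i}@example.com") for i in range(12)]  # stale addresses on a relay
)


def count_unknown_rcpt(events, known_users):
    """Count, per source IP, the rcpt-to commands whose recipient is not in the user list."""
    counts = Counter()
    for src, rcpt in events:
        if rcpt.lower() not in known_users:
            counts[src] += 1
    return counts


def dha_threshold(sensitivity="Normal"):
    """Scale the baseline by the sensitivity multiplier (same formula, different scale)."""
    return BASE_UNKNOWN_RCPT_THRESHOLD * SENSITIVITY_MULTIPLIER[sensitivity]


def flag_dha_sources(events, known_users, sensitivity="Normal"):
    """Return the sorted list of source IPs whose unknown-recipient count meets the threshold."""
    threshold = dha_threshold(sensitivity)
    counts = count_unknown_rcpt(events, known_users)
    return sorted(src for src, n in counts.items() if n >= threshold)


def smtp_response(src, flagged, error_code=550):
    """Reply a 500-class error to a flagged source; otherwise accept the connection."""
    if src in flagged:
        return f"{error_code} 5.7.1 Connection refused: directory harvest attack detected"
    return "250 OK"


if __name__ == "__main__":
    for level in ("Low", "Normal", "High"):
        print(level, dha_threshold(level), flag_dha_sources(SAMPLE_EVENTS, KNOWN_USERS, level))
```

At "Normal" only the probing host is flagged; at "High" the relay with a dozen stale addresses is flagged as well, which is the false-positive risk the Pass Throughs and user-list notes below are about.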
Enabling Automatic Attack Blocking
Automatic attack blocking should be configured as soon as you create a new inbound email config. Connection Manager’s automatic attack blocking provides protection so that your server bandwidth is used for processing legitimate traffic rather than junk messages. See
If you have any trusted relay servers passing mail to your primary mail servers, then they will pass significantly more traffic than other servers. As such, it is likely that these servers will trigger automatic blocks. If you have any relay servers you do not want to be blocked by the Connection Manager’s automatic blocks, then follow the steps in Pass Throughs: Preventing Attack Blocking.
Note: Some customers always have Directory Harvest Attack, Spam Attack, and Virus Outbreak attack blocking enabled. This is based on your service plan. Settings can be adjusted, but the attack blocking cannot be disabled.
1.
2.
3.
4. Select the check boxes for any automatic blocks you want to enable, set your desired Sensitivity and 500-series error message, and submit the form. See Types of Attacks for descriptions of the sensitivity settings.
5.
Handling “Unknown User” Bounces
WARNING: Email servers such as Microsoft Exchange and qmail accept all inbound messages, even for invalid recipients, then perform a directory lookup to validate the recipient and send a bounce message, if needed, by separate email. This process, asynchronous bouncing, suppresses the real-time DHA prevention that Connection Manager can provide. To allow Connection Manager to handle this, activate Asynchronous Bouncing control. When activating this service, it is important to keep your user list up to date to avoid DHA false positives.
To activate this feature:
1.
2.
3.
4.
5.
What activating this feature means
Activating the checkbox under Handling “Unknown User” Bounces is only useful if you are using a server that initially accepts mail for invalid users, such as Microsoft Exchange or qmail.
This feature provides additional protection against directory harvest attacks, and can dramatically reduce load on your server. If you are using a Microsoft Exchange mail server, you will benefit tremendously from this protection.
WARNING: You should not enable this feature until you have most of your users added. This feature checks incoming mail against your user list in the message security service. Therefore, it may block good mail if you enable the feature before adding the majority of your users.