
PRB: Email storm or DoS/DHA attack

This article applies to:

  • Trustwave MailMarshal (SEG)

Symptoms

  • Slow incoming email
  • Multiple receiver threads active
  • Number of receiver threads at maximum
  • Multiple connections from the same external host
  • Internal email server shows outbound messages queued to be sent through MailMarshal.

Causes

Potential causes include:

  • Spam attack
  • DHA (Directory Harvest) attack
  • DoS (Denial of Service) attack
  • Network connectivity issues

Information:

Email moving very slowly through a MailMarshal SMTP server can be a sign of malicious activity such as a Denial of Service or Directory Harvest attack. It could also be due to a wave of spam.

You can make a number of configuration changes in MailMarshal that will help to reduce the effects of these problems.

Checking for problems:

You can check for many of the symptoms mentioned above by using the MailMarshal Console.

  • Expand Servers and view the information for each server.
    • Check the number of Receiver threads in use.
    • View the Receiver item for each server and check the details of connections and messages being received. When you refresh this view you should see changes in status, and different servers connecting.
    • If there are many connections persisting, connections not progressing past initial greeting, or similar connections being created repeatedly, that could indicate a problem.
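The same checks can be scripted against exported connection records. The following is an added example, not part of this article or of MailMarshal itself; the log format, the IP addresses and the thresholds are constructed for illustration, and MailMarshal's real Receiver log format differs.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per finished Receiver connection, in a hypothetical
# "<date> <time> <client IP> <furthest SMTP stage reached>" format (not MailMarshal's).
SAMPLE_LOG = """\
2024-01-10 09:00:01 203.0.113.7 GREETING
2024-01-10 09:00:02 203.0.113.7 GREETING
2024-01-10 09:00:02 198.51.100.20 DATA
2024-01-10 09:00:03 203.0.113.7 GREETING
2024-01-10 09:00:04 203.0.113.7 GREETING
2024-01-10 09:00:05 203.0.113.7 GREETING
2024-01-10 09:00:07 192.0.2.44 RCPT
2024-01-10 09:00:08 192.0.2.44 RCPT
2024-01-10 09:00:09 192.0.2.44 RCPT
2024-01-10 09:00:10 192.0.2.44 RCPT
2024-01-10 09:00:11 192.0.2.44 RCPT
"""

def parse(text):
    """Return (timestamp, ip, stage) tuples from the sample log."""
    records = []
    for line in text.splitlines():
        if line.strip():
            date, time, ip, stage = line.split()
            records.append((datetime.fromisoformat(f"{date} {time}"), ip, stage))
    return records

def stalled_at_greeting(records, min_count=5):
    """Hosts whose connections repeatedly end without passing the initial greeting."""
    counts = Counter(ip for _, ip, stage in records if stage == "GREETING")
    return {ip: n for ip, n in counts.items() if n >= min_count}

def repeated_connections(records, window=timedelta(seconds=60), min_count=5):
    """Hosts that open min_count or more connections inside one sliding window."""
    by_ip = defaultdict(list)
    for ts, ip, _ in records:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1  # drop connections that fell out of the window
            if end - start + 1 >= min_count:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("stalled at greeting:", stalled_at_greeting(recs))
    print("repeated connections:", repeated_connections(recs))
```

Hosts flagged by both checks are candidates for the Blocked Hosts list described below; a host flagged only by the repeated-connection check may be a busy but legitimate relay, so confirm in the Console before blocking.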

General recommendations:

  • Upgrade MailMarshal to the latest version. Recent versions have enhanced protection against many of the possible causes.
  • Enable DoS and DHA protection. In the Configurator or MailMarshal (SEG) 10 Management Console, see Array Properties > Receiver > Attack Prevention. Background information about DoS and DHA is available in the MailMarshal User Guide. Details of the configuration steps are provided in Help.
  • Implement Anti-Spam Best Practices. See the suggestions in Q10810: What are MailMarshal SMTP anti-spam best practices? This article also has links to further information.
  • Configure Receiver binding: If your server has multiple network interfaces, you can ensure that outgoing email has priority by setting limits on the Receiver threads available to each interface. See Q10249: How do I change the default SMTP ports in MailMarshal SMTP?

Additional Steps:

You can make temporary changes in some MailMarshal settings that can help to decrease delays.

  • Block hosts with receiver rules: Even if you don't normally use DNS Blocklist rules at the Receiver, you can reduce server load by enabling these rules. Note that the lookups also take time, so it is best not to enable more than one or two. The Marshal IP Reputation Service is a blocklist maintained by Trustwave. When this article was last revised, Spamhaus ZEN was another generally effective list.
  • Block hosts by name or IP address: If you identify specific external servers that are creating malicious load, you can refuse connections from those servers. See Array Properties > Receiver > Blocked Hosts.
  • Increase Receiver threads: If the delays seem to be related to legitimate email, you can increase the number of available Receiver processing threads. See Array Properties > Advanced > (Additional Options) > Server Threads. You can manually increase the number of threads up to 200.
    • In a DoS attack situation, this action probably won't help.
  • Lower timeout values: You can improve availability of the Receiver by reducing the time that MailMarshal waits for a response. In most cases legitimate email servers respond quickly.
    • You can change the timeouts for the initial connection and send/receive responses from the MailMarshal Configurator > Server and Array Properties > Advanced > Additional Options > Times. In particular, you can lower the Initial Greeting setting to 30 seconds.
    • An additional value can be set in the Registry. See Q10399: How do I lower the Receiver socket timeout value?

Notes:

You should monitor the effects of these changes carefully. Aggressive use of blocking and lower timeouts can cause legitimate email to be refused. In most cases you should return to the default values once a particular situation is resolved.

