5.6 Preventing Malicious Email Attacks

MailMarshal helps to protect your network from intentional attempts to disrupt your operations. Denial of service attacks can cripple entire networks. Directory harvest attacks initially consume bandwidth and can result in your network receiving additional spam. 

MailMarshal allows you to tailor denial of service prevention and directory harvest prevention features to suit your network and business requirements. Enable one or both forms of attack prevention if you believe that your network is vulnerable to attack.

5.6.1 Understanding Denial of Service Attack Prevention

Denial of service (DoS) attacks cause target organizations to lose access to common business services, such as email. In an email DoS attack, the attacker floods email servers with messages or unused connections, causing the target email servers to slow down or cease operation.

5.6.1.1 How MailMarshal Prevents Attacks

MailMarshal prevents DoS attacks by the following means:

Identifying external email servers that are attacking your network

Blocking new connections from attacking servers for a period of time

MailMarshal determines that it is under attack when the number of new connections from any single external server in a short period exceeds a specified number. You specify both the period of time and the maximum number of allowable incoming messages.

5.6.1.2 Optimizing DoS Attack Prevention Settings

To determine the optimum settings for the DoS attack prevention parameters, you can log blocked hosts. You can use the Senders Blocked by DoS Prevention report (from Marshal Reporting Console) to see which servers were blocked. If you are affecting email flow from legitimate sources, you can change the settings to allow more messages through. You can also exclude specific hosts from DoS attack prevention by IP address or address range.

You configure DoS settings once for the entire MailMarshal array. However, MailMarshal applies the traffic limits you set at each email processing server. For example, if you use the default setting of 50 connections per minute and your installation is an array of five servers, your network can receive up to 250 connections per minute from any one external server (50 connections at each of 5 servers) When DoS prevention is triggered on one email processing server in a array, the other servers in the array are not affected.

When DoS prevention is blocking connections from a server, MailMarshal returns the SMTP response 421, Service not available. A legitimate server that receives this response will try again later.

5.6.2 Preventing Denial of Service Attacks

You configure DoS attack prevention by specifying the values MailMarshal will use to evaluate incoming email traffic, the blocking period, and any excluded hosts. You can adjust these values at any time.

To configure DoS attack prevention:

1.In the Management Console, select System Configuration and then expand Receiver Properties.

2.Select Attack Prevention in the right pane menu, and select the DoS tab.

3.Select (toggle on) Enable Denial of Service prevention, and specify values. For more information about the fields and settings, click Help.

DoSDHA.PNG 

4.Click Save.

5.Commit configuration to apply your changes.

5.6.3 Enabling and Disabling DoS Attack Prevention

After configuring DoS attack prevention, you can enable or disable the feature without changing the configuration.

To enable or disable DoS attack prevention:

1.In the Management Console, select System Configuration and then expand Receiver Properties

2.Select Attack Prevention in the left pane, and select the DoS tab.

3.Toggle the status of Enable Denial of Service prevention, as needed.

4.Click Save.

5.6.4 Understanding Directory Harvest Attack Prevention

In a directory harvest attack (DHA), an attacker attempts to identify valid email addresses by sending randomly-addressed messages to an email server. When a message reaches a recipient without being bounced back, the attacker enters the valid address in a database used for sending spam.

The attacker sends messages addressed either to random usernames, or to usernames that follow a common pattern, such as firstname_lastname@example.com.

5.6.4.1 How MailMarshal Prevents Attacks

MailMarshal helps to prevent DHAs by the following means:

Identifying external email servers that are attacking your network

Blocking email from attacking servers for a specified period of time

DHA prevention identifies which email messages are addressed to valid users by comparing the recipient addresses to a list of users (email addresses). To ensure DHA prevention works correctly, you must configure MailMarshal to check one or more user groups that together contain all valid email addresses of all users in your environment.

DHA prevention checks each incoming email for a valid recipient. When the number of messages with invalid addresses, from a single server, and in a short period of time, exceeds a specified threshold, MailMarshal considers itself under attack and blocks incoming mail from the server. You determine the length of time to block the attacking server.

When DHA prevention terminates a connection, MailMarshal returns the SMTP response 556 Too many invalid recipient requests. While MailMarshal is blocking connections from a server, MailMarshal returns the SMTP response 421 Service not available. A legitimate server that receives this response will try again later. You can also exclude specific hosts from DHA prevention by IP address or address range.

Information 

Note: To ensure that DHA prevention works properly, enable it on a MailMarshal installation on the highest upstream email server in your network (closest to the public Internet).

 

5.6.4.2 DHA Prevention Settings

You configure DHA settings once for the entire MailMarshal array. However, MailMarshal applies the traffic limits you set at each email processing server. For example, if you use the default setting of 10 messages with invalid recipients per minute, and your installation is an array of five servers, your network can receive up to 50 invalid messages per minute from any one external server (10 messages at each of 5 servers).

When DHA prevention is triggered on one MailMarshal email processing server, other servers in the array are not affected. You can adjust the limits depending on your array and MX configuration.

To determine the optimum settings for the DHA prevention parameters, you can log blocked hosts. You can use the Senders Blocked by DHA Prevention report (from Marshal Reporting Console) to see which servers were blocked. If you are affecting email flow from legitimate sources, you can change the settings to allow more incorrectly addressed messages through. You can also exclude specific hosts from DHA attack prevention by IP address or address range.

5.6.5 Preventing Directory Harvest Attacks

You configure DHA prevention by specifying the values MailMarshal will use to evaluate incoming email traffic. You can adjust these values until you determine the optimum settings for your network.

To configure DHA prevention:

1.Create a list of all valid recipients by completing the following steps:

a.Create one or more Active Directory or LDAP user groups that together contain all the user email addresses in your environment. For more information, see “Creating and Populating User Groups”.

Information 

Note: Take care not to miss any users (email addresses) that are valid for email delivery. Select the group(s) at the highest point in the organizational hierarchy that you want to protect to ensure that you include all possible users in that hierarchy.

 

b.Select these groups (or a group containing them) when configuring DHA prevention in the following steps.

2.In the Management Console, select System Configuration and then expand Receiver Properties.

3.Select Attack Prevention in the right pane menu, and select the DHA tab.

4.Select (toggle on) Enable Directory Harvest Attack prevention, and specify appropriate values. Specify the group(s) you created to be used during evaluation. For more information about the fields and settings, click Help.

DoSDHA2.PNG 

5.Click Save.

6.Commit configuration to apply your changes.

5.6.6 Enabling and Disabling Directory Harvest Attack Prevention

After configuring DHA prevention, you can enable or disable the feature without changing the configuration. Use the following procedure:

To enable or disable DHA prevention:

1.In the Management Console, select System Configuration and then expand Receiver Properties

2.Select Attack Prevention in the right pane menu, and select the DHA tab.

3.Toggle the status of Enable Directory Harvest Attack prevention, as needed.

4.Click Save.

Trustwave MailMarshal 10.2.5 User Guide August 2024
< Previous Section   |   Next Section >
Full document: see MailMarshal Documentation.