The scenario describes a classic Directory Harvest Attack (DHA), where an attacker attempts to discover valid email addresses by sending messages to a large number of potential recipients. The log entry "550 Too many invalid recipients" is a direct indicator that the mail gateway is rejecting connections after a certain threshold of invalid recipient lookups has been reached. The Directory Harvest Attack Prevention (DHAP) feature on a Cisco Email Security Appliance (ESA) is specifically designed to detect and mitigate this activity by monitoring the number of invalid recipients from a single connecting host and then throttling or blocking the connection.

B. SBRS: SenderBase Reputation Score is a general IP reputation system. While it can block poor-reputation senders, it does not specifically target the behavior of probing for many invalid recipients.

C. LDAP: Lightweight Directory Access Protocol is the directory service being queried. It is the target of the attack, not the security feature used to prevent it.

D. SMTP: Simple Mail Transfer Protocol is the protocol used to initiate the recipient validation attempts. It is the attack vector, not the protective mechanism.

1. Cisco Email Security Appliance Configuration Guide

15.0

"Mail Policies" Chapter

"Preventing Directory Harvest Attacks" Section. This section states

"A directory harvest attack is an attempt to find valid email addresses at a domain by sending a large number of messages to addresses that may or may not exist... You can configure the security appliance to detect and prevent directory harvest attacks."

2. Cisco Email Security Appliance Best Practices

Tips

and Tricks

"Directory Harvest Attack Prevention (DHAP)" Section. This document explains

"DHAP is a feature on the ESA that is used to prevent spammers from harvesting a corporate directory... The ESA will keep track of how many invalid recipients have been seen from a particular sending IP address... and will return a 550 'Invalid Recipient' SMTP response."

3. Cisco Content Security Management Appliance Configuration Guide

11.1

"Email" Chapter

"Configuring Recipient Access Table (RAT)" Section. This guide details how DHAP works in conjunction with the Recipient Access Table (RAT) and LDAP queries. It confirms that DHAP is the feature that acts on the results of these queries to prevent attacks.