Are Settings changed by Backoffice?
We had a big issue last year that HES IP addresses were blacklisted on Backscatterer.
This was a full-time job for month to discuss with support and get a reliable solution.
In discussions with the support guys we were advised to set the "Edit Inbound Path" "Directory Harvest Attack (DHA) Protection Settings" to REJECT INVALID ADDRESSES.
I changed this on all the customers' HES. But I came back so often with a DEJA VU. The config is reset to "process all messages the same".
Which of course collects more SPAM to wrong email addresses than we want.
Why is this changed automatically - did you see this behavior on your HES?
And customers occasionally asked me about the mass of spam they get...
I think someone is kidding me!
--Thomas
Answers
Hi @ThK
thanks for bringing this to attention. Gladly I have only one HES service running and I can confirm that this setting was set to "process all messages the same" which is nothing I would usually go for.
I'll monitor this situation and check back regularly.
--Michael@BWC
@BWC checked my own HES and also set to process all the same. So for now I have corrected 2 of 15....
By the way the other thing is the admin session time. If you have a short break in the session for a telephone call or to get another cup of coffee you are logged out. 2FA is not applicable afaik.
@ThK LOL, the timeout hit me as well, you shouldn't have called it 😂
Because I did not have a single DHA threat in the 14 days message log I did some digging. First thing I experienced: there seems to be a delay between committing a configuration change and the actual impact.
The online documentation isn't complete (seems like a 1:1 copy of the on-premise variant which is different).
But long story short, if the backend is resetting the configuration back to "Process all messages the same" we are doomed.
--Michael@BWC
@BWC yesterday I changed all of my instances and in the morning I checked. "Process all the same" is the config!
I remember there was advice during the backscatterer mess. I finally found
https://www.sonicwall.com/support/knowledge-base/how-to-configure-ldap-and-enable-dha-protection-on-hes/200617100730517/
(...)
How to enable DHA on Hosted Email Security.
Any ideas?
-Thomas
Hi @ThK
our options are limited, but is the current setting reflecting the protection level? Meaning, are unknown addresses blocked by DHA protection or do they get through? If DHA is off then your configuration got altered, which is a real problem. If it's just displayed incorrectly on the configuration page it's just an annoying glitch. Either way you probably end up in a support case, for which I feel sorry for you 😉
I have to check my instance again tomorrow, it is set to Permanently Delete and I'm not sure if I left it there yesterday.
--Michael@BWC
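One way to answer the question in the post above (is the reset only displayed, or are invalid recipients really being accepted?), as an added example that is not part of the thread: offer one known-invalid recipient of your own domain to your inbound MX and look at the reply to RCPT TO, without sending a message. The host name and addresses are placeholders, `FakeGateway` is a constructed stand-in so the code runs offline, and it is an assumption that "Reject invalid addresses" shows up as a 5xx reply at the RCPT TO stage.

```python
import smtplib

def classify_rcpt(code):
    """Translate the gateway's RCPT TO reply code into a verdict."""
    if 200 <= code < 300:
        return "accepted"   # invalid recipient taken: rejection is not in effect
    if 400 <= code < 500:
        return "deferred"   # temporary failure (throttling, greylisting): retry later
    if 500 <= code < 600:
        return "rejected"   # assumed signature of "Reject invalid addresses"
    return "unknown"

def check_invalid_recipient(mx_host, sender, invalid_rcpt,
                            smtp_factory=smtplib.SMTP, port=25, timeout=20):
    """Open one SMTP session, offer one invalid recipient, deliver nothing."""
    smtp = smtp_factory(mx_host, port, timeout=timeout)
    try:
        smtp.ehlo()
        code, _ = smtp.mail(sender)
        if not 200 <= code < 300:
            return "unknown"            # sender refused, RCPT result would mean nothing
        code, _ = smtp.rcpt(invalid_rcpt)
        smtp.rset()                     # abandon the transaction before DATA
        return classify_rcpt(code)
    finally:
        smtp.quit()

class FakeGateway:
    """Constructed stand-in for the inbound MX (not a real HES interface)."""
    def __init__(self, host, port, timeout=None, rcpt_code=550):
        self.rcpt_code = rcpt_code
    def ehlo(self): return (250, b"ok")
    def mail(self, sender): return (250, b"ok")
    def rcpt(self, recipient): return (self.rcpt_code, b"")
    def rset(self): return (250, b"ok")
    def quit(self): return (221, b"bye")

if __name__ == "__main__":
    # Placeholders: use your own domain's MX and an address you know does not exist.
    for code in (550, 250):
        factory = lambda h, p, timeout=None, c=code: FakeGateway(h, p, timeout, c)
        print(code, check_invalid_recipient(
            "mx.example.invalid", "postmaster@example.com",
            "no-such-user@example.com", smtp_factory=factory))
```

A result of `accepted` only shows that the address was not refused during the SMTP session; it says nothing about what the service does with the message afterwards. Since a delay between saving a change and its effect is reported in this thread, repeat the check some time after changing the setting.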
Hi @ThK
my instance still shows Reject invalid addresses, which I set yesterday, so no trouble for me there.
--Michael@BWC
@BWC Hi !
I check all my instances. 3 of them were reset to process all...
I'll open a case now, it's mysterious... I do not see why this happens and whether there is a regular update sequence
--Thomas
again - reset to process all same
@ThK @BWC Can you send me the serial numbers of the ones that changed?
We are tracking this and I would like to provide the info to engineering.
Thanks
David Wilbur
Technical Support Senior Advisor, Premier Services, SME Email Security
@ThK you called it and now the curse got to me as well.
I checked earlier today and it was set to "Reject invalid addresses" and now it's "Process all Messages the same".
This is messed up and we are not alone with this ****, another user in here complained about the same.
--Michael@BWC
Hey guys I just looked and engineering is testing a fix for this that should be included in 10.0.10.
ETA for 10.0.10 is April 12th.
David Wilbur
Technical Support Senior Advisor, Premier Services, SME Email Security
Thanks @David W ... 10.0.10 will be a **** of a release then ... fixing my OpenLDAP (On-Premise) issue after 9+ Months and this thing here. SPF still broken, but we cannot have it all.
--Michael@BWC
@David W this is good news.
my wishlist:
a) RBL Servers like on-premise ES
b) 2FO for Management
c) please also have a solution for the login session time. It closes every few minutes.
d) ...
e) ...
-Thomas
There are other changes coming with 10.1 including login timeout values that can be set and the addition of EDNS.
RBL services I doubt will be in HES anytime soon as that is a major effort.
I do know 2FA is on the horizon but not sure where we have that in the roadmap at this point.
David Wilbur
Technical Support Senior Advisor, Premier Services, SME Email Security
@ThK 10.0.10 got released today and got this covered as Resolved Issue:
HES: DHA settings are updating automatically. ES-6466
--Michael@BWC
@BWC HES still on 10.0.9 wait for the next maintenance window...
Time-of-Click Unicode character conversion. ES-5633
@ThK HES got updated to 10.0.10.6323, hopefully your problem got resolved.
--Michael@BWC
@BWC the first thing I did was changing "my" setting to reject all on my own HES - I hope the settings will be saved...