Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Are Settings changed by Backoffice ?

ThKThK Enthusiast ✭✭

We had a big issue last year that HES IP adresses were blacklisted on Backscatterer.

This was a fulltime job for month to discuss with support and get a reliable solution.

On discusions with the support guys we were adviced to set the "Edit Inbound Path" "Directory Harvest Attack (DHA) Protection Settings" to REJECT INVALID ADRESSES.

I change this on all the customers HES. But i came back so often with an DEJA VU. The config is resetted to "process all massages the same"

Which of corse collects more SPAM to wrong email adresses as we want.

Why is this changed automatically - did you see this behavior on your HES?

and customers occasionally asked me about the mass of spam they get...

I think someone is kidding me !


--Thomas

Category: Hosted Email Security
Reply

Answers

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @ThK

    thanks for bringing this to attention. Gladly I have only one HES service running and I can confirm that this setting was set to "process all messages the same" which is nothing I would usually go for.

    I'll monitor this situation and check back regularely.

    --Michael@BWC

  • ThKThK Enthusiast ✭✭

    @BWC checked my own HES and also set to process all the same. So for now i have corrected 2 of 15....

    By the way the other thing is the admin session time . If you have a short break in the session for a telephone call or to get another cup of coffee you are logged out. 2FA is not applicable afaik.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @ThK LOL, the timeout hit me as well, you shouldn't have called it 😂

    Because I did not had a single DHA threat in the 14 days message log I did some digging. First thing I experienced there seems to be a delay between commiting a configuration change and the actual impact.

    1) Reject invalid addresses
    The message got rejected and a DHA threat appears in the message log, around 5 minutes later. 
    
    2) Process all messages the same
    The naming is stupid, it should state "DHA protection off" like on the on-promise variant. The message is
    marked as Delivered in the Log because of Email Continuity.
    
    3) Permanently delete
    Message got deleted (after transmission to the HES) and delivered to the Email Continuity. Not exactly the
    definition of "permanently" delete.
    

    The online documentation isn't complete (seems like a 1:1 copy of the on-premise variant which is different).

    But long story short, if the backend is resetting the configuration back to "Process all message the same" we are doomed.

    --Michael@BWC

  • ThKThK Enthusiast ✭✭

    @BWC yesterday i changed all of my instances and in the morning i checked. "Process all the same" is the config!

    i remember there was an advice during the backscatterer mess. I finally found

    https://www.sonicwall.com/support/knowledge-base/how-to-configure-ldap-and-enable-dha-protection-on-hes/200617100730517/

    (...)

    How to enable DHA on Hosted Email Security.


    • Go to Manage | Network | Server Configuration
    • Scroll down to Directory Harvest Attach (DHA) Protection Settings
    • Click on the pull down menu in Action for messages sent to email address that are not in your LDAP server.
    • Go to reject invalid Addresses.
    • Select the preferred choice for Apply DHA protection to these recipient domains. It is recommended to select Apply to all recipient domains.
    • Click Apply Changes.


    Any ideas?

    -Thomas

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @ThK

    our options are limited, but is the current setting reflecting the protection level? Meaning, are unknown addresses blocked by DHA protection or do they getting through? If DHA is off then your configuration gots altered which is a real problem. If it's just displayed incorrectly on the configuration page it's just an annoying glitch. Either way you probably end up in a support-case, for which I feel sorry for you 😉

    I have to check my instance again tomorrow, it is set to Permanently Delete and I'am not sure if I left it there yesterday.

    --Michael@BWC

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @ThK

    my instance still shows Reject invalid addresses, which I set yesterday, so no trouble for me there.

    --Michael@BWC

  • ThKThK Enthusiast ✭✭

    @BWC Hi !

    i check all my instances. 3 of them were reset to process all...

    I´ll open a case now its mysterious...i do not see why this happens and wheater there is a regular update sequence


    --Thomas

  • ThKThK Enthusiast ✭✭

    again - resettet to process all same

  • David WDavid W SonicWall Employee

    @ThK @BWC Can you send me the serial numbers of the ones that changed.

    We are tracking this and I would like to provide the info to engineering.

    Thanks

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @ThK you called it and now the curse got to me as well.

    I checked earlier today and it was set to "Reject invalid addresses" and now it's "Process all Messages the same".

    This is messed up and we are not alone with this ****, another user in here complained about the same.

    --Michael@BWC

  • David WDavid W SonicWall Employee

    Hey guys I just looked and engineering is testing a fix for this that should be included in 10.0.10.

    ETA for 10.0.10 is April 12th.

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • BWCBWC Cybersecurity Overlord ✭✭✭
    edited March 17

    Thanks @David W ... 10.0.10 will be a **** of a release then ... fixing my OpenLDAP (On-Premise) issue after 9+ Months and this thing here. SPF still broken, but we cannot have it all.

    --Michael@BWC

  • ThKThK Enthusiast ✭✭

    @David W this is good news.

    my whislist :

    a) RBL Servers like on prmise ES

    b) 2FO for Management

    c) please also have a solution for the login session time. It closes every few minutes.

    d) ...

    e) ...

    -Thomas

  • David WDavid W SonicWall Employee

    There are other changes coming with 10.1 including login timeout values that can be set and the addition of EDNS.

    RBL services I doubt will be in HES anytime soon as that is a major effort.

    I do know 2FA is on the horizon but not sure where we have that in the roadmap at this point.

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

Sign In or Register to comment.