Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Combating directory harvests

From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Thu, 19 Jul 2012 16:17:31 -0400
We give a maximum of 20 results - if you want more, you have to authenticate

Joel Rosenblatt

Joel Rosenblatt, Director Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3


--On Thursday, July 19, 2012 8:11 PM +0000 Roger A Safian <r-safian () NORTHWESTERN EDU> wrote:


It's getting more difficult to contain this data as more means become available for accessing it, but generally, we 
limit the returns to a search to 20 (or
is it 25?) unique responses.  Off campus searches have the email address obscured in a capcha like fashion.  We used to 
manage our logs better in the past
and would black list IP's that were obviously scraping our directory.  We don't have the time to do this anymore.  We 
have been replying on our anti-spam and
proactive education solutions to prevent phishing.  The number of victims remains low, so on some level I'd like to 
think our efforts are working, but, we
may just be lucky.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tyler T. Schoenke
Sent: Thursday, July 19, 2012 2:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Combating directory harvests

I am wondering what other schools are doing to combat LDAP directory
harvests.  We are constantly hit with phishing campaigns.  While some email
addresses are grabbed via web searches, malware reading address books, or
other means, I suspect email directory harvests account for a large
percentage of the addresses used in phishing campaigns.

Some ideas we have tossed around for limiting the harvests are:

- Only allow email look-ups to campus address space and campus VPN.

- Rate limit using a firewall or IDP to block an IP address for specific period of
time if connection attempts are made too rapidly.

- Rate limit at the web server that interfaces into the LDAP server.
Only allow a specific number of queries per source IP address per time
period.

- Use a Captcha to reduce the number of automated queries.

- Reduce the number of results returned.  Instead of 100 rows, return 5
closest matches.

- Require a valid email address to run the query.  Block email accounts from
anonymous email providers.

Has anyone implemented these or other measures to reduce LDAP harvests?
 Are there any commercial solutions?

Thanks,

Tyler

--
--
Tyler Schoenke
Network Security Manager
IT Security Office
University of Colorado at Boulder






Joel Rosenblatt, Director Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
Previous By Date Next
Previous By Thread Next

Current thread: