Combating directory harvests

["Tyler T. Schoenke" <tyler.schoenke () COLORADO EDU>]

I am wondering what other schools are doing to combat LDAP directory
harvests.  We are constantly hit with phishing campaigns.  While some
email addresses are grabbed via web searches, malware reading address
books, or other means, I suspect email directory harvests account for a
large percentage of the addresses used in phishing campaigns.

Some ideas we have tossed around for limiting the harvests are:

- Only allow email look-ups to campus address space and campus VPN.

- Rate limit using a firewall or IDP to block an IP address for specific
period of time if connection attempts are made too rapidly.

- Rate limit at the web server that interfaces into the LDAP server.
Only allow a specific number of queries per source IP address per time
period.

- Use a Captcha to reduce the number of automated queries.

- Reduce the number of results returned.  Instead of 100 rows, return 5
closest matches.

- Require a valid email address to run the query.  Block email accounts
from anonymous email providers.

Has anyone implemented these or other measures to reduce LDAP harvests?
 Are there any commercial solutions?

Thanks,

Tyler

-- 
--
Tyler Schoenke
Network Security Manager
IT Security Office
University of Colorado at Boulder