EveryCloud Technologies    


The following article will provide a guideline on how to resolve Directory Harvest Attack mail delays in Kerio Connect. Please read it carefully.


Our Support team are available to help you contact details can be found Here.


Cause:


The Kerio mail server has a security option to prevent directory harvest attacks which blocks a sending IP address if too many emails to non-existent addresses are received in a given time-frame.


For EveryCloud’s relay checking method of adding new users automatically to work, it has to attempt delivery when it receives an email to an unknown address. If the mail server accepts the email then EveryCloud adds the address as a new user. If the mail server rejects the email then EveryCloud does not add the address as a new user. But if a lot of email is being sent through EveryCloud to false addresses then this will trigger the Kerio mail server to block the sending address – which is EveryCloud. This results in all mail coming through EveryCloud to that mail server being blocked for a period.


Primary symptom:


Clients reporting intermittent delays of up to an hour in the delivery of mail they were expecting to their inboxes. Obviously this delay length and frequency is going to depend on how often EveryCloud’s relay checking is triggering the directory harvest attack blocking.


Visibility in EveryCloud:


If you happen to be checking the EveryCloud workspace while there is directory harvest attack blocking active you’ll see mail being deferred. Otherwise there’s no visibility in EveryCloud because once the blocking ends the deferred mail is simply delivered.


Visibility in Kerio Connect:


If you look at the Security log in the Kerio Connect management console you’ll see periods of multiple entries:



Doing a reverse lookup on this IP address gives hsmx05.antispameurope.com reported by the hornetsecurity nameservers which points us in the direction of EveryCloud.
Obviously there are multiple other EveryCloud IP addresses that could be listed here.


To resolve this in Kerio Connect:

In the Kerio Connect management console go to Configuration and then to IP Address Groups



Create a new IP Address Group called EveryCloud and add the IP Address ranges as per EveryCloud’ s essential set up documentation here:


 https://support.everycloud.com/support/solutions/articles/4000038125-essential-set-up-documentation.


You will need to convert from CIDR format to subnet mask format.,(This is handy if you’re not a networking expert.)
http://droptips.com/cidr-subnet-masks-and-usable-ip-addresses-quick-reference-guide-cheat-sheet 


The end result will be an IP Address Group called EveryCloud with the listed IP's.



From here it’s simply a case of going to the ConfigurationSMTP Server - Security Options tab and ticking the box to not apply the checks above to IP address group, and select the EveryCloud IP group you’ve just created.



Click Apply.


this is now configured and you should no longer experience periodic email delays.