An engineer has enabled LDAP accept queries on a listener. Malicious actors must be prevented from quickly identifying all valid recipients. What must be done on the Cisco ESA to accomplish this goal?
A. Configure Directory Harvest Attack Prevention
B. Bypass LDAP access queries in the recipient access table.
To prevent malicious actors from quickly identifying all valid recipients, the engineer can use Directory Harvest Attack Prevention (DHAP) on the Cisco ESA. DHAP blocks SMTP messages to invalid recipient addresses and limits the number of messages that can be sent to the server, which helps prevent attackers from obtaining a complete list of valid email addresses. Therefore, option A is the correct answer.
Option B, bypassing LDAP access queries in the recipient access table, does not provide any protection against Directory Harvest Attacks (DHAs).
Option C, using Bounce Verification, is used to prevent backscatter, which is when an email system sends a bounce message to an innocent victim, who did not send the original message and who is not the intended recipient of the bounce message.
Option D, configuring incoming content filters, is used to block unwanted emails based on message content.
The correct answer is A. Configure Directory Harvest Attack Prevention.
When LDAP (Lightweight Directory Access Protocol) accept queries are enabled on a listener, it is possible for malicious actors to quickly identify all valid recipients on the email server. This is known as a Directory Harvest Attack (DHA), and it can be used by spammers to collect valid email addresses to use for spamming.
To prevent a DHA, the Cisco ESA (Email Security Appliance) must be configured with Directory Harvest Attack Prevention (DHAP). This feature limits the number of invalid queries a sender can make, and it can be used to detect and block DHA attempts.
A is correct.
Using LDAP For Directory Harvest Attack Prevention
Directory Harvest Attacks occur when a malicious sender attempts to send messages to recipients with common names, and the email gateway responds by verifying that a recipient has a valid mailbox at that location. When performed on a large scale, malicious senders can determine who to send mail to by “harvesting” these valid addresses for spamming.
The appliance can detect and prevent Directory Harvest Attack (DHA) when using LDAP acceptance validation queries. You can configure LDAP acceptance to prevent directory harvest attacks within the SMTP conversation or within the work queue.
The DHAP is a supported feature on the Cisco Content Security Appliances that can be enabled when Lightweight Directory Access Protocol (LDAP) acceptance validation is used. The DHAP feature keeps track of the number of invalid recipient addresses from a given sender.
Once a sender crosses an administrator-defined threshold, the sender is deemed to be untrusted, and mail from that sender is blocked with no Network Design Requirement (NDR) or error code generation. You can configure the threshold based upon the reputation of the sender. For example, untrusted or suspicious senders can have a low DHAP threshold, and trusted or reputable senders can have a high DHAP threshold.
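A small model of the per-sender tracking described above, as an added example (not Cisco code and not part of the original thread). The group names, threshold values and the one-hour sliding window are assumptions chosen for illustration, and a set lookup stands in for the LDAP accept query.

```python
from collections import defaultdict, deque

# Constructed values: invalid recipients tolerated per window, by sender group.
THRESHOLDS = {"suspect": 5, "unknown": 25, "trusted": 100}
WINDOW_SECONDS = 3600  # assumption: invalid recipients counted over one hour


class DhapTracker:
    """Toy model of per-sender invalid-recipient tracking."""

    def __init__(self, valid_recipients, thresholds=THRESHOLDS, window=WINDOW_SECONDS):
        # The set stands in for the LDAP acceptance validation query.
        self.valid = {r.lower() for r in valid_recipients}
        self.thresholds = thresholds
        self.window = window
        self.invalid_times = defaultdict(deque)  # sender IP -> invalid RCPT timestamps

    def _over_threshold(self, sender_ip, group, now):
        times = self.invalid_times[sender_ip]
        while times and now - times[0] >= self.window:
            times.popleft()  # forget invalid attempts older than the window
        return len(times) >= self.thresholds[group]

    def rcpt_to(self, sender_ip, group, recipient, now):
        """Return 'accept', 'reject' (invalid recipient) or 'drop' (sender blocked)."""
        if self._over_threshold(sender_ip, group, now):
            # Blocked senders get no per-recipient answer, valid or not,
            # so further guesses confirm nothing.
            return "drop"
        if recipient.lower() in self.valid:
            return "accept"
        self.invalid_times[sender_ip].append(now)
        return "reject"


def addresses_exposed(tracker, sender_ip, group, guesses, start=0, step=1):
    """Count valid addresses a guessing sender confirms before being cut off."""
    exposed = 0
    for i, rcpt in enumerate(guesses):
        if tracker.rcpt_to(sender_ip, group, rcpt, start + i * step) == "accept":
            exposed += 1
    return exposed
```

Running the same guess list through a low and a high threshold shows why the threshold is tied to sender reputation: the lower it is, the fewer valid addresses are confirmed before the sender is silently dropped.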
I choose D
For a read-only state where DLP violations are logged and reported but the messages are not stopped/quarantined or encrypted, the Deliver action is most often used.
Secondary actions include:
Sending a copy to any custom quarantine or the Policy quarantine.
Encrypt the message. The appliance only encrypts the message body. It does not encrypt the message headers.
Altering the Subject header.
Adding disclaimer text/HTML to the message.
Sending the message to an alternate destination mailhost.
Sending bcc copies of the message.
Sending DLP violation notification to the sender and/or other contacts.
These actions are not mutually exclusive — you can combine some of them within different DLP policies for various processing needs for different user groups.
We are going to implement the following DLP Actions: Encrypt
These actions assume that Encryption is licensed and configured on the ESA and three profiles have been created for High, Medium, and Low security as was done in the earlier sections:
CRES_HIGH
CRES_MED
CRES_LOW
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/216086-best-practice-guide-for-data-loss-preven.html#anc11
I believe it's access policy... you can create an IPS and attach it to the access policy to prevent