How Did Spammers Get My Address?

IT managers and users alike can practice all the safe computing there is to practice and still somehow spammers get their e-mail addresses. How do they do it? Security Supersite Editor Larry Seltzer says the hot technique nowadays is the directory harvest

Everyone but the newbie knows the things to do and not to do in order to keep our e-mail addresses out of the hands of spammers: Dont post an address on the Web or (even worse) Usenet. For those wanting a sophisticated approach, use a disposable forwarding e-mail address. And finally (and most ironically), dont ever unsubscribe from a spam list.

Despite these practices, spammers still might get your address. How you might ask?

One of the main techniques used by sophisticated spammers is called the directory harvest attack (DHA). The algorithm is fairly simple: take a domain, for example, and send out large numbers of e-mails to a variety of common names at that address (,,, and so on). The bigger the target, the more likely that a random name will actually be an address.

If a particular address in the attack is a real address then nothing will happen (or even better for the spammer, the user will respond). If the address is not a real one, by default most mail servers send a "bounce" message declaring that there is no user with that name in this domain. The spammer gets a clean list of addresses that they can spam or sell.

Of course, there are some fine points on the technique. For example, they can search a company Web site for a few addresses in order to learn the naming scheme (john_smith or jsmith, etc.). But its all very straightforward.

Now, youd think this would be easy to stop: configure the mail server not to send out bounce messages. But theres a price network admins would pay for this action and its not a small one. If a ordinary user, a non-spammer, makes a mistake in an e-mail address when sending a message to the domain, the message wont get through and the sender wouldnt receive an error message. This could be a serious problem—what if its a customer? They might assume that the message had gone through.

All isnt roses for the spammers, however. One problem, or solution depending on your point of view, is that some mail servers (including some versions of Exchange) put bounce messages in a deferral queue, and the DHA attacker may not receive it for some time. In the meantime, the spammer may assume that the address is legitimate, even though he or she just havent yet received the bounce. The end result will be an address list that is less accurate than the spammer thinks. Boo-hoo.

Postini, an e-mail security vendor, claims that its heuristics-based anti-spam protection can detect the behavioral characteristics of a DHA. The software will then send an alert, giving the administrator the option to place a complete IP block on the address performing the attack. In combination with a deferral queue Postini could allow an administrator to provide for bounces, but still have time to stop them in event of a DHA.

Still, this is a less-than-satisfactory solution. Instead, it should be completely automated, which would let administrators avoid having to spend time on such a stupid thing.

Sometimes it seems as if theres more problem than solution in computer security news, and this definitely seems to be the case with respect to spam. A directory harvest attack may even be legal. Even though it simply relies on the way SMTP mail is supposed to behave when functioning properly, DHA offers a perfect example of the dysfunctional aspects of the Internet.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.

More from Larry Seltzer