Understanding Directory Harvest Attacks

We examine directory harvest attacks to figure out how spammers find and target legitimate e-mail addresses.

Think you can protect your in-box by carefully guarding your e-mail address—not posting it in online forums or Usenet messages, using disposable e-mail addresses to register for Web sites, or even leaving it off your business cards? Now's the time for a reality check. If you've ever wondered how a brand-new e-mail account can start getting spam within hours, here's how that can happen.

It's a tenet of legal thrillers as well as the news: The absence of a denial can be as informative as a direct confirmation. This simple idea underlies the directory harvest attack (DHA), an increasingly prevalent technique for mining e-mail addresses that can then be bombarded with unwanted solicitations. Enterprise e-mail security vendor Postini reports that DHAs increased by 250 percent in 2003 and now account for as much as one-quarter of the requests that some SMTP (Simple Mail Transfer Protocol) servers process each day.

In a DHA, an attacker unleashes a program that guesses at possible e-mail addresses within a domain and attempts to send messages to those addresses. The server rejects requests intended for addresses that don't exist, typically with a "user unknown" error as soon as the recipient is named, before any message body is sent. By process of elimination, the addresses the server doesn't reject are deemed valid, and the program can add them to a spammer's databases. The leak is not the rejection itself but the fact that the server answers differently for real and nonexistent recipients.
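The probe-and-eliminate loop described above, simulated end to end, as an added example that is not part of the original article. The "server" here is a Python function standing in for the MTA's per-recipient verdict, so the whole thing runs offline; the domain, the wordlists, the set of real mailboxes and the reply strings are all constructed for illustration. Alongside the leaky server it shows the two usual countermeasures: an accept-all server whose replies no longer distinguish real from fake recipients, and a server that drops the session after a few unknown-recipient errors, which caps how much any one connection can learn (and, incidentally, how much load it can impose).

```python
"""Simulated directory harvest attack (DHA) against the SMTP RCPT TO stage.

Constructed example: no network is used; each "server" is a function or
object that returns the reply an MTA would give for one recipient guess.
"""

DOMAIN = "example.com"  # hypothetical target domain

# Constructed: the mailboxes that really exist. The attacker does not know this set.
REAL_MAILBOXES = {"alice", "bob.jones", "sales"}

# Hypothetical wordlists the attacker feeds to the guesser.
FIRST_NAMES = ["alice", "bob", "carol"]
LAST_NAMES = ["jones", "smith"]
ROLE_ACCOUNTS = ["sales", "info", "postmaster"]


def generate_candidates(first_names, last_names, roles):
    """Expand name lists into the local-part patterns a DHA typically tries."""
    guesses = []
    for first in first_names:
        guesses.append(first)                      # alice
        for last in last_names:
            guesses.append(f"{first}.{last}")      # alice.jones
            guesses.append(f"{first[0]}{last}")    # ajones
            guesses.append(f"{first}{last}")       # alicejones
    guesses.extend(roles)                          # sales, info, ...
    return list(dict.fromkeys(guesses))            # de-duplicate, keep order


def leaky_rcpt(local_part):
    """MTA that answers RCPT TO honestly; this difference in replies is what a DHA exploits."""
    if local_part in REAL_MAILBOXES:
        return "250 2.1.5 Ok"
    return f"550 5.1.1 <{local_part}@{DOMAIN}>: Recipient address rejected: User unknown"


def accept_all_rcpt(local_part):
    """MTA that accepts every recipient at RCPT TO and deals with unknown users later.
    Because real and fake recipients get the same 250, the harvest learns nothing."""
    return "250 2.1.5 Ok"


class TarpittingServer:
    """MTA that counts unknown-recipient rejections per session and closes the
    connection once a threshold is reached, limiting what one session can learn."""

    def __init__(self, limit=3):
        self.limit = limit
        self.unknown_count = 0
        self.disconnected = False

    def rcpt(self, local_part):
        if self.disconnected:
            raise ConnectionError("421 4.7.0 Too many errors; closing connection")
        reply = leaky_rcpt(local_part)
        if reply.startswith("550"):
            self.unknown_count += 1
            if self.unknown_count >= self.limit:
                self.disconnected = True
        return reply


def harvest(candidates, rcpt):
    """The attacker's loop: issue RCPT TO for each guess and keep whatever the
    server does not reject with a 5xx. Returns (harvested_names, probes_sent)."""
    harvested = []
    probes = 0
    for name in candidates:
        try:
            reply = rcpt(name)
        except ConnectionError:
            break                      # server hung up; this session is over
        probes += 1
        code = int(reply[:3])
        if code < 500:                 # 2xx or 4xx: not a definite rejection
            harvested.append(name)
    return harvested, probes


if __name__ == "__main__":
    cands = generate_candidates(FIRST_NAMES, LAST_NAMES, ROLE_ACCOUNTS)
    print("leaky server     :", harvest(cands, leaky_rcpt))
    print("accept-all server:", harvest(cands, accept_all_rcpt))
    print("tarpitting server:", harvest(cands, TarpittingServer(limit=3).rcpt))
```

Against the leaky server the loop recovers exactly the three real mailboxes from 24 guesses; against the accept-all server it "recovers" all 24, which is worthless to the spammer; against the tarpitting server it gets one name before the fourth probe is refused. The trade-off a mail administrator has to weigh is that accepting everything at RCPT TO means unknown recipients must be bounced afterwards, which turns a DHA with forged sender addresses into backscatter aimed at third parties, whereas the per-session error limit (the approach behind settings such as Postfix's smtpd_hard_error_limit) keeps honest rejections but makes each harvesting session expensive and short.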

The result isn't just more spam (as if that weren't bad enough). An aggressive DHA can place such intense demands on a server that it mimics a denial-of-service attack and slows legitimate e-mail delivery.