[Geeks are Sexy] technology news

Tuesday, May 09, 2006

Directory Harvesting Attacks Explained: How Spammers are Stealing your Email Directory

Have you ever been in a situation where you've started to receive SPAM on an email address you've just created? How can this be possible if you never gave it to anyone? Unfortunately, keeping your address private does not necessarily protect you against spammers anymore. These guys know how to harvest addresses from a mail server without you even knowing about it. This technique is known as Directory Harvesting and here's how it works.

Mr. Johnny Spammer needs to collect some email addresses to send his Vi@gr@ ads to, and he needs them quickly. He decides to code a script that probes a huge list of SMTP servers for valid addresses using a dictionary of common first and last names. Since most corporations use the same conventions when they create addresses, Mr. Spammer's script can easily generate every variation of a name, append the domain, and send a probe to the newly created address to see whether the targeted mail server returns a response.
Let's say that the script starts probing a mail server for someone named John Doe. It will try all of these combinations before trying another name: jdoe@, john.doe@, johndoe@, johnd@, Doe.John@, etc... As you can see, if someone is named John Doe at the targeted domain, the script will probably find out about him. This vulnerability exists because mail servers usually provide non-delivery reports (NDRs) to senders when they try to reach someone who doesn't exist. If the attacking computer does not receive any NDR, it means that the address it is trying to reach is an existing one. Why not disable NDRs then? Because:

  • Suppressing NDRs is not an RFC-compliant practice
  • Ordinary users will want to know if their mail hasn't reached the recipient

What can you do to defeat DHAs? On Windows 2003, you can enable a feature named SMTP Tar Pitting. This feature was added to the OS in SP1 and, unfortunately, it is not available on Windows 2000. "Tar pitting" your mail server is the act of deliberately adding a delay to SMTP communications that are related to undesirable traffic. By slowing down these communications, you also reduce the rate at which DHAs are executed, especially when recipient filtering is on. If your mail server waits 10 seconds before it sends each of its NDRs, can you imagine how long it would take a spammer to scan 35000 randomly generated addresses?
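As an added example that is not part of the original post, the following Python sketch shows the defender's side of what is described above: it parses constructed MTA log lines (modelled on a generic "RCPT TO" log, not on any real server's format) for recipient results, flags a source that accumulates many unknown-recipient rejections in a short window (the signature of a name-dictionary scan), and computes an escalating tarpit delay so that a legitimate typo costs almost nothing while a sequential scan slows to a crawl. The log format, the thresholds and the function names are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real mail server). The first
# source tries several variations of two names within a few seconds, exactly
# the pattern a directory harvesting script produces.
SAMPLE_LOG = """\
2006-05-09 10:00:01 203.0.113.7 RCPT TO:<jdoe@example.com> 250 OK
2006-05-09 10:00:02 203.0.113.7 RCPT TO:<john.doe@example.com> 550 User unknown
2006-05-09 10:00:02 203.0.113.7 RCPT TO:<johndoe@example.com> 550 User unknown
2006-05-09 10:00:03 203.0.113.7 RCPT TO:<johnd@example.com> 550 User unknown
2006-05-09 10:00:03 203.0.113.7 RCPT TO:<doe.john@example.com> 550 User unknown
2006-05-09 10:00:04 203.0.113.7 RCPT TO:<asmith@example.com> 550 User unknown
2006-05-09 10:00:05 203.0.113.7 RCPT TO:<anne.smith@example.com> 550 User unknown
2006-05-09 10:01:10 198.51.100.4 RCPT TO:<jdoe@example.com> 250 OK
2006-05-09 10:02:30 198.51.100.4 RCPT TO:<jdo@example.com> 550 User unknown
2006-05-09 11:30:00 203.0.113.7 RCPT TO:<bob@example.com> 550 User unknown
"""

# Assumed log layout: "<date> <time> <source ip> RCPT TO:<address> <smtp code> ..."
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) RCPT TO:<([^>]+)> (\d{3})")


def parse(log_text):
    """Yield (timestamp, source_ip, recipient, smtp_code) for each RCPT line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), m.group(3), int(m.group(4))


def find_harvesters(log_text, window=timedelta(minutes=5), max_unknown=5):
    """Return {source_ip: peak_count} for every source that produced more than
    `max_unknown` 5xx recipient rejections inside some sliding window of length
    `window`. A single typo never trips this; a dictionary scan does."""
    rejects = defaultdict(list)
    for ts, ip, _rcpt, code in parse(log_text):
        if 500 <= code < 600:
            rejects[ip].append(ts)
    flagged = {}
    for ip, times in rejects.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_unknown:
            flagged[ip] = peak
    return flagged


def tarpit_delay(unknown_so_far, step=2.0, cap=30.0):
    """Seconds to hold the next error reply to a source that has already caused
    `unknown_so_far` unknown-recipient errors: escalating, capped, zero for the
    first mistake so ordinary users are not punished."""
    return min(cap, step * unknown_so_far)


def total_tarpit_seconds(probes, step=2.0, cap=30.0):
    """Wall-clock delay a sequential probe of `probes` bad addresses would
    accumulate under the escalating schedule above."""
    return sum(tarpit_delay(i, step, cap) for i in range(probes))


if __name__ == "__main__":
    for ip, count in find_harvesters(SAMPLE_LOG).items():
        print(f"possible directory harvesting from {ip}: {count} unknown recipients in 5 min")
    print("delay for a scanner's 35000th probe:", tarpit_delay(35000), "s")
    print("hours added to a 35000-address scan:", total_tarpit_seconds(35000) / 3600)
```

In this sketch the per-source counter is the important design choice: delaying every NDR uniformly (as the fixed 10-second example in the text does) also slows down honest senders who mistype one address, whereas escalating the delay per source keeps the cost on the scanner. Either way the detector above is only as good as the log it reads; a harvester that rotates source addresses across a botnet will need the same logic keyed on something other than the IP.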

ExchangeInbox.com has a nice tutorial about how to enable tar pitting on Windows 2003. If you're administering an Exchange server, I would definitely recommend that you take a look at it. If you are looking for a more efficient and elegant solution, a company named Postini offers an excellent product to fight DHAs, SMTP attacks and spam (white paper right here, free registration required).

edit: One of our readers sent us a comment about how you, home users, can prevent your address from being harvested by DHAs. Just contact your ISP and have them change your user id into a randomized sequence of alphanumeric characters (ask them to change it to something like e34jfu98s @ fakeISP.com). This should do the trick! I know that this kind of address is going to be pretty hard to remember, but hey, easy solutions don't really exist in the IT world!


  • The school Vansau and I attend employs Postini to protect our email system. It can be a little annoying to support for those extra-tech-challenged people, but it has proven to be a very good service for preventing this attack.

    They also provide configurable junk filtering, black and white listing, and some virus protection as well. Quality.

    By Blogger theMatt, at 6:47 AM  

  • The ISP I used to work for employed Postini for a trial basis of 3 or so months. It was provided free for users for 30 days. After 30 days, few of the users (about 3000 dialup subscribers) went for the service. The ISP dropped postini, and suddenly every user was bombarded with spam, no matter if their address was "easy" or "random". The ISP had no choice but to go back and re-contract with Postini for the service, and raise everyone's bill across the board.

    By Blogger Greg Williams, at 11:46 AM  

  • Greg: Are you implying that postini would have sold your users' email to spammers so that the ISP you worked for would be "forced" to sign up with them? That's a pretty serious accusation...Could it have been pure coincidence that the spam level would have increased this much?

    The only thing I know is that their product is of top notch quality..

    By Blogger Kiltak, at 1:07 PM  

  • EGAD! How many times do I have to tell people how to create an email address that can’t be hacked? Contact your ISP and have them change your user id into a randomized sequence of alphanumeric characters. For instance:

    1. BAD: jcorliss@fakeISP.com
    2. GOOD: e34jfu98s@fakeISP.com

    How hard is that to do? But it’s not the last step.

    If your ISP provides you with server space so you can set up a web page, DON’T DO IT unless the address to that webpage doesn’t contain your user ID.

    Also, tell EVERYBODY in your address book that you don’t want chain emails, fraud emails, *E-CARDS* (almost all e-card websites are simply email address harvesting scams) or for them to give your email address to ANYBODY without your permission. If you have any people in your address book who tend to ignore such requests, only provide them with a Yahoo or some other throw-away email address.

    If you’re active in Usenet, be sure to configure your news reader to use a fake email address for posting. Thunderbird will do this, for instance.

    Of course, it's common sense that you should only provide your throw-away email address, NEVER your main one, to any government agency or business.

    Besides, Yahoo does such a good job of filtering spam that I rarely get any in that account anyway. However, if the flood-gates ever do open, I will simply create another account and abandon the old one.

    These are some *common sense ideas* that have successfully lowered my daily spam rate from about 500 a day to one every other day (a cousin who will remain nameless sent me an e-card and the next time I change my email address, she will only get the Yahoo address.)

    By Anonymous John Corliss, at 4:19 PM  

  • Using random characters for your email address makes your email far less usable.

    "Yes mum, my email address is i, three, seven, u, ... no it's a seven after the 3 not the i"... etc. Or worse yet "Mr Job Recruiter, my email is ... "

    Gmail's junk filter is pretty good, and I've seen a few other ISPs that allow server-side junk mail filtering. If you think you're missing email, you can login to a webpage and review them, possibly adding an address to a white list.

    Simple things like open relay blacklists can drop mail an incredible amount. You don't need to render your email address unusable to keep your email usable from spam.

    Also, keeping separate emails for work and friends (who are likely to sign you up to God knows what) is a good idea.

    By Anonymous Andrew Whalan, at 8:18 PM  

  • I use an antispam service from Appriver that's actually better priced and more effective than Postini's is. They've saved me from a LOT of junk mail.

    By Anonymous Anonymous, at 10:38 AM  
