Directory Harvesting Attacks Explained: How Spammers are Stealing your Email Directory
Have you ever been in a situation where you've started to receive spam on an email address you've just created? How can this be possible if you never gave it to anyone? Unfortunately, keeping your address private does not necessarily protect you against spammers anymore. These guys know how to harvest addresses from a mail server without you even knowing about it. This technique is known as Directory Harvesting, and here's how it works.
Mr. Johnny Spammer needs to collect some email addresses to send his Vi@gr@ ads to, and he needs them quick. He decides to code a script that will probe a huge list of SMTP servers for valid addresses using a dictionary of common first and last names. Since most corporations use the same conventions when they create addresses, Mr. Spammer's script can easily come up with every possible variation of a name, append the domain at the end, and send a probe to the newly created address to see whether the targeted mail server returns a response. Let's say that the script starts probing a mail server for someone named John Doe. It will try all of these combinations before moving on to another name: jdoe@, john.doe@, johndoe@, johnd@, Doe.John@, etc. As you can see, if someone named John Doe exists at the targeted domain, the script will probably find out about him. This vulnerability exists because mail servers usually return non-delivery reports (NDRs) to senders who try to reach someone who doesn't exist. If the attacking computer does not receive an NDR, it knows that the address it probed is a real one. Why not disable NDRs then? Because:
- Suppressing NDRs is not an RFC-compliant practice
- Ordinary users will want to know if their mail hasn't reached its recipient
What can you do to defeat DHAs? On Windows 2003, you can enable a feature named SMTP Tar Pitting. This feature was added to the OS in SP1 and, unfortunately, it cannot be used under Windows 2000. "Tar pitting" your mail server is the act of deliberately adding a delay to SMTP communications that are related to undesirable traffic. By slowing down these communications, you also reduce the rate at which DHAs can be executed, especially when recipient filtering is on (with recipient filtering, the server rejects the unknown recipient during the SMTP session itself, so the delay is applied to that rejection rather than to a bounce message sent later). If your mail server waits 10 seconds before it returns each of its NDRs, can you imagine how long it would take a spammer to scan 35000 randomly generated addresses?
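Tar pitting slows a harvest down, but it helps to also spot one in progress. The following is an added example (not from the original post or any vendor tool) that flags a client which triggers many "unknown recipient" rejections in a short window, which is exactly the pattern the John Doe probing above produces. It assumes the server rejects unknown recipients during the SMTP session (recipient filtering on) and uses a constructed, Postfix-like log line format; adjust `LOG_RE` for your own MTA's log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example; real MTAs differ).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) rcpt=(?P<rcpt>\S+) "
    r"status=(?P<status>\w+)(?: reason=(?P<reason>\w+))?$"
)

# Constructed sample lines: 203.0.113.7 walks through "John Doe" variations
# (a harvester); 198.51.100.5 is a normal sender who mistypes one address.
SAMPLE_LOG = """\
2024-05-01T10:00:01 client=203.0.113.7 rcpt=jdoe@example.com status=rejected reason=unknown_user
2024-05-01T10:00:02 client=203.0.113.7 rcpt=john.doe@example.com status=rejected reason=unknown_user
2024-05-01T10:00:03 client=203.0.113.7 rcpt=johndoe@example.com status=rejected reason=unknown_user
2024-05-01T10:00:04 client=203.0.113.7 rcpt=johnd@example.com status=rejected reason=unknown_user
2024-05-01T10:00:05 client=203.0.113.7 rcpt=doe.john@example.com status=accepted
2024-05-01T10:00:06 client=203.0.113.7 rcpt=jsmith@example.com status=rejected reason=unknown_user
2024-05-01T10:00:30 client=198.51.100.5 rcpt=alice@example.com status=accepted
2024-05-01T10:00:31 client=198.51.100.5 rcpt=alise@example.com status=rejected reason=unknown_user
"""

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def find_harvesters(log_text, threshold=5, window_seconds=60):
    """Return {client: peak count} for clients that produce at least
    `threshold` unknown-recipient rejections inside any `window_seconds` window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # client -> timestamps of recent rejections
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["status"] != "rejected" or rec["reason"] != "unknown_user":
            continue  # only rejections for non-existent recipients count
        q = recent[rec["client"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["client"]] = max(flagged.get(rec["client"], 0), len(q))
    return flagged

if __name__ == "__main__":
    for client, n in find_harvesters(SAMPLE_LOG).items():
        print(f"possible DHA from {client}: {n} unknown recipients within 60s")
```

A single typo from a legitimate sender stays below the threshold, while the name-guessing client is reported; feed the flagged addresses to your firewall or tar pit policy rather than blocking on the first rejection.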
ExchangeInbox.com has a nice tutorial on how to enable tar pitting on Windows 2003. If you're administering an Exchange server, I would definitely recommend that you take a look at it. If you are looking for a more efficient and elegant solution, a company named Postini offers an excellent product to fight DHAs, SMTP attacks and spam (white paper right here, free registration required).
edit: One of our readers sent us a comment about how you, home users, can prevent your address from being harvested by DHAs. Just contact your ISP and have them change your user ID into a randomized sequence of alphanumeric characters (ask them to change it to something like e34jfu98s @ fakeISP.com). This should do the trick! I know that addresses like these are going to be pretty hard to remember, but hey, easy solutions don't really exist in the IT world!