
Directory Harvesting attacks and Detection


Directory harvesting is an attack in which a large number of guessed email addresses are sent to an email server in the hope that some of them are valid. The server's response to each recipient is recorded in order to identify the valid addresses. These harvested addresses are then either sold on or used for malicious purposes. Most email firewall servers have the ability to detect directory harvesting attacks and block them.

One method used to detect and stop such an attack is to configure the anti-spam firewall with a threshold on the number of invalid recipients per SMTP connection. The attack can also be detected from the number of RSET commands per SMTP connection: if the anti-spam filtering solution sees a reset command issued repeatedly on the same connection after a recipient address has been analysed and found to be invalid, this is another symptom that the connection may be a directory harvesting attack.

In both cases above a threshold can be set. If the threshold is 5, for example, and the anti-spam firewall receives more than 5 invalid recipients from one connection, it closes the connection, thereby blocking any further attempts from it.
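To make the two signals concrete, here is an added example (not from the original page) of a per-connection detector that walks a constructed SMTP transcript, counts RCPT TO commands the server rejected with a 5xx reply and RSET commands, and reports the transcript line at which either threshold is exceeded. The transcript format, the function and class names, and the thresholds are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

RCPT_RE = re.compile(r"^RCPT TO:<([^>]*)>", re.IGNORECASE)

@dataclass
class ConnectionState:
    invalid_rcpts: int = 0              # RCPT TO commands the server answered with 5xx
    rsets: int = 0                      # RSET commands seen on this connection
    pending_rcpt: Optional[str] = None  # recipient awaiting the server's reply

def analyse_connection(transcript, max_invalid=5, max_rsets=5):
    """Walk one SMTP connection transcript ("C: ..." client / "S: ..." server lines).
    Returns ("drop", state, line_no) with the 1-based line at which a threshold was
    exceeded (where a firewall would close the socket), else ("ok", state, None)."""
    st = ConnectionState()
    for n, raw in enumerate(transcript, start=1):
        side, _, text = raw.partition(": ")
        if side == "C":
            m = RCPT_RE.match(text)
            if m:
                st.pending_rcpt = m.group(1)
            elif text.upper().startswith("RSET"):
                st.rsets += 1
                st.pending_rcpt = None
        elif side == "S" and st.pending_rcpt is not None:
            if text.startswith("5"):    # 5xx reply: permanent failure, e.g. unknown user
                st.invalid_rcpts += 1
            st.pending_rcpt = None
        # The page's rule: more than the threshold from one connection -> close it
        if st.invalid_rcpts > max_invalid or st.rsets > max_rsets:
            return "drop", st, n
    return "ok", st, None

# Constructed transcripts (not real traffic). The first probes guessed local parts and
# resets after each rejection; the second is a legitimate sender who mistyped once.
HARVEST_SESSION = [
    "C: EHLO probe.example", "S: 250 mail.example.org Hello",
    "C: MAIL FROM:<x@probe.example>", "S: 250 2.1.0 Ok",
] + [
    line for name in ["aaron", "abby", "adam", "alan", "alex", "amy", "andy"]
    for line in (f"C: RCPT TO:<{name}@example.org>", "S: 550 5.1.1 User unknown", "C: RSET")
]
NORMAL_SESSION = [
    "C: EHLO laptop.example", "S: 250 mail.example.org Hello",
    "C: MAIL FROM:<bob@example.net>", "S: 250 2.1.0 Ok",
    "C: RCPT TO:<alcie@example.org>", "S: 550 5.1.1 User unknown",  # one typo
    "C: RCPT TO:<alice@example.org>", "S: 250 2.1.5 Ok",
]
```

Running `analyse_connection(HARVEST_SESSION)` drops the connection at the sixth rejected recipient, while lowering `max_rsets` to 3 drops it earlier on the fourth RSET; the normal session finishes with a single rejection and is left alone.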

Further Reading

Wikipedia's guide to Directory Harvesting Attacks