
Directory Harvesting attacks and Detection


A directory harvesting attack sends a large number of guessed email addresses to a mail server in the hope that some of them are valid. The server's responses to each address are recorded in order to work out which addresses exist. The harvested recipient addresses are then sold on or used for malicious purposes. Most email firewall servers can detect directory harvesting attacks and block them.

One method used to detect and stop such an attack is to configure the anti-spam firewall with a threshold on the number of invalid recipients per SMTP connection. The attack can also be detected from the number of RSET commands per SMTP connection: when the anti-spam filtering solution sees the same connection issue a reset command repeatedly after each recipient address it tries is rejected as invalid, this is another symptom of a directory harvesting attack.

In both cases above, thresholds can be set. If the threshold is 5, for example, and an anti-spam firewall receives more than 5 invalid recipients from one connection, it closes the connection, thus blocking any further attempts over it.
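The two per-connection thresholds described above (invalid recipients and RSET commands) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the original article or from any particular anti-spam product; the set of deliverable addresses, the client IPs, the threshold value of 5 and the probe session are all constructed for illustration. It tracks one SMTP connection, answers each command the way a server would, and closes the connection with a 421 once either threshold is exceeded.

```python
"""Per-connection directory-harvesting detector (added example, not from the page).

Counts invalid RCPT TO recipients and RSET commands for one SMTP connection and
closes the connection once either count exceeds its threshold.
"""
from dataclasses import dataclass, field

# Constructed directory of deliverable mailboxes (assumption for this example).
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}


@dataclass
class ConnectionState:
    """Counters kept for the lifetime of one SMTP connection."""
    client_ip: str
    invalid_rcpt: int = 0
    valid_rcpt: int = 0
    rset_count: int = 0
    closed: bool = False
    events: list = field(default_factory=list)  # audit trail for the SOC log


def is_valid_recipient(address: str) -> bool:
    """Directory lookup; a real server would query its user store here."""
    return address.lower() in VALID_RECIPIENTS


def handle_command(state: ConnectionState, line: str,
                   max_invalid: int = 5, max_rset: int = 5) -> str:
    """Process one client command line and return the SMTP reply.

    Once either threshold is exceeded the server answers 421, marks the
    connection closed, and refuses every further command on it.
    """
    if state.closed:
        return "421 4.7.0 Connection closed"
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()

    if verb == "RCPT":
        if ":" not in arg:
            return "501 5.5.4 Syntax: RCPT TO:<address>"
        address = arg.split(":", 1)[1].strip().strip("<>")
        if is_valid_recipient(address):
            state.valid_rcpt += 1
            return "250 2.1.5 Recipient ok"
        state.invalid_rcpt += 1
        state.events.append(f"{state.client_ip} invalid recipient {address}")
        if state.invalid_rcpt > max_invalid:
            state.closed = True
            state.events.append(f"{state.client_ip} invalid-recipient threshold exceeded")
            return "421 4.7.0 Too many invalid recipients; closing connection"
        return "550 5.1.1 User unknown"

    if verb == "RSET":
        state.rset_count += 1
        if state.rset_count > max_rset:
            state.closed = True
            state.events.append(f"{state.client_ip} RSET threshold exceeded")
            return "421 4.7.0 Too many resets; closing connection"
        return "250 2.0.0 OK"

    return "250 2.0.0 OK"  # MAIL FROM, DATA, etc. are accepted in this toy model


def run_session(client_ip: str, commands: list, max_invalid: int = 5, max_rset: int = 5):
    """Feed a whole command sequence through one connection; return state and replies."""
    state = ConnectionState(client_ip)
    replies = [handle_command(state, c, max_invalid, max_rset) for c in commands]
    return state, replies


# Constructed sessions. HARVEST_SESSION tries a run of guessed local parts;
# NORMAL_SESSION is an ordinary delivery to two real mailboxes.
HARVEST_SESSION = ["MAIL FROM:<probe@attacker.invalid>"] + [
    f"RCPT TO:<{name}@example.com>"
    for name in ["aaron", "abby", "adam", "alice", "alan", "albert", "alex", "amy"]
]
NORMAL_SESSION = [
    "MAIL FROM:<carol@partner.example>",
    "RCPT TO:<alice@example.com>",
    "RCPT TO:<bob@example.com>",
]

if __name__ == "__main__":
    state, replies = run_session("192.0.2.10", HARVEST_SESSION)
    for cmd, reply in zip(HARVEST_SESSION, replies):
        print(f"C: {cmd}\nS: {reply}")
    print("\n".join(state.events))
```

In the harvesting session the sixth invalid recipient ("alex") pushes the count past the threshold of 5, so the server replies 421 and the remaining probe ("amy") is refused without a lookup; the legitimate session never trips either counter. The `events` list is what a practitioner would forward to the mail gateway's log so the source IP can be reviewed or added to a reputation filter.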

Further Reading

Wikipedia's guide to Directory Harvesting Attacks