Home Page


Email & Spam

Security Terminology

Security Topics

VPN & Cryptography



Email Security and Spam Terminology

Zero Day Window


Bayesian Algorithm

Content and Connection control

Directory Harvesting Attacks

Email Encryption

Email Archiving

File attachments

Image scanning

Email Load balancing

Port forwarding and MX records

Reputation filters

Encrypted attachments

Grey Listing

Email Monitoring

Internal Email Security

Open Relay

Outbound email filtering

Per user quarantine area

Reverse DNS lookup & SPF

RFC Compliant emails


Spoofed email

Stopping spam for Networks guide

Email Throttling

What is Spam

Which Spam filter

Whitelists and Blacklists


Security Products Guide

Which Anti-Virus Software?

Which Firewall?

Which Spam Filter?

Which Internet Security Suite?


What is Guide

What is a Firewall?

What is a Virus?

What is Spam?


Essential Security Guides

Securing Windows XP Guide

Securing Windows Vista Guide

A Guide to Wireless Security



Top 8 Internet Security Tips

Why both, Firewall and Anti Virus?

Free or purchased security - Which one?





Directory Harvesting attacks and Detection


Directory harvesting is when a variety of email addresses are sent to an email server in the hope that these addresses are valid. The responses are noted in order to find valid email addresses. These recipient addresses are then either sold on or used for malicious purposes. Most email firewall servers have the ability to detect directory harvesting attacks and block the attack.

Strategies to detect and stop such an attack are when the spam firewall can put a threshold on number of invalid recipients per SMTP connection. It can also be detected in the number of RSET commands per SMTP connection. So if your spam filter is executing the reset command after analysing recipient addresses so many number of times from the same connection because it is invalid; this is another symptom it may be a directory harvesting attack.

In both circumstances above, thresholds can be set. So if the threshold is 5, and a spam firewall receives more than 5 invalid recipients from one connection, it will close the connection, though blocking it from any more attempts.

Further Reading

Wikipedia's guide to Directory Harvesting Attacks