Directory Harvest Attack
Encyclopedia
A Directory Harvest Attack or DHA is a technique used by spammers in an attempt to find valid/existent e-mail
addresses at a domain by using brute force. The attack is usually carried out by way of a standard dictionary attack
, where valid e-mail addresses are found by brute force guessing valid e-mail addresses at a domain using different permutations of common usernames. These attacks are more effective for finding e-mail addresses of companies since they are likely to have a standard format for official e-mail aliases (i.e. jdoe@example.domain, johnd@example.domain, or johndoe@example.domain).
There are two main techniques for generating the addresses that a DHA will target. In the first, the spammer creates a list of all possible combinations of letters and numbers up to a maximum length and then appends the domain name
. This would be described as a standard brute force attack. This technique would be impractical for usernames longer than 5-7 characters. For example, one would have to try 368 (nearly 3 trillion) e-mail addresses to exhaust all 8-character sequences.
The other, more targeted technique, is to create a list that combines common first name and surnames and initials (as in the example above). This would be considered a standard dictionary attack when guessing usernames for e-mail addresses. The success of a directory harvest attack relies on the recipient e-mail server rejecting e-mail sent to invalid recipient e-mail addresses during the Simple Mail Transport Protocol (SMTP) session. Any addresses to which email is accepted are considered valid and are added to the spammer's list (which is commonly sold between spammers). Although the attack could also rely on Delivery Status Notifications (DSNs) to be sent to the sender address to notify of delivery failures, directory harvest attacks likely don't use a valid sender e-mail address.
The actual e-mail message generated to the recipient addresses will usually be a short random phrase such as "hello", so as not to trigger a spam filter. The actual content that is to be advertised will be sent in a later campaign to just the valid email addresses.
One theory is that spammers also use DHAs to disseminate spam, and not just to collect email addresses for a later spam campaign. Using the method in this way, similar to a paper-based leaflet drop, the sender achieves the goal based on sheer volume, and not on accuracy of delivery. Using this method, the message would likely contain the content that the spammer is advertising, and not a short random phrase.
E-mail
Electronic mail, commonly known as email or e-mail, is a method of exchanging digital messages from an author to one or more recipients. Modern email operates across the Internet or other computer networks. Some early email systems required that the author and the recipient both be online at the...
addresses at a domain by using brute force. The attack is usually carried out by way of a standard dictionary attack
Dictionary attack
In cryptanalysis and computer security, a dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by searching likely possibilities.-Technique:...
, where valid e-mail addresses are found by brute force guessing valid e-mail addresses at a domain using different permutations of common usernames. These attacks are more effective for finding e-mail addresses of companies since they are likely to have a standard format for official e-mail aliases (i.e. jdoe@example.domain, johnd@example.domain, or johndoe@example.domain).
There are two main techniques for generating the addresses that a DHA will target. In the first, the spammer creates a list of all possible combinations of letters and numbers up to a maximum length and then appends the domain name
Domain name
A domain name is an identification string that defines a realm of administrative autonomy, authority, or control in the Internet. Domain names are formed by the rules and procedures of the Domain Name System ....
. This would be described as a standard brute force attack. This technique would be impractical for usernames longer than 5-7 characters. For example, one would have to try 368 (nearly 3 trillion) e-mail addresses to exhaust all 8-character sequences.
The other, more targeted technique, is to create a list that combines common first name and surnames and initials (as in the example above). This would be considered a standard dictionary attack when guessing usernames for e-mail addresses. The success of a directory harvest attack relies on the recipient e-mail server rejecting e-mail sent to invalid recipient e-mail addresses during the Simple Mail Transport Protocol (SMTP) session. Any addresses to which email is accepted are considered valid and are added to the spammer's list (which is commonly sold between spammers). Although the attack could also rely on Delivery Status Notifications (DSNs) to be sent to the sender address to notify of delivery failures, directory harvest attacks likely don't use a valid sender e-mail address.
The actual e-mail message generated to the recipient addresses will usually be a short random phrase such as "hello", so as not to trigger a spam filter. The actual content that is to be advertised will be sent in a later campaign to just the valid email addresses.
One theory is that spammers also use DHAs to disseminate spam, and not just to collect email addresses for a later spam campaign. Using the method in this way, similar to a paper-based leaflet drop, the sender achieves the goal based on sheer volume, and not on accuracy of delivery. Using this method, the message would likely contain the content that the spammer is advertising, and not a short random phrase.