November 24th, 2021 Read Time: 5 minutes
Jessica is a content writer with more than 8 years of experience covering SaaS and the tech industry. She has worked with both B2B and B2C publications across North America, Europe, and APAC and currently writes about IT Solutions for Electric.
Subscribe to our blog and stay up to date
Spammers are known to use a variety of methods to gain access to an organization's email addresses. Directory harvest attacks are one common approach, and you are especially susceptible if your organization uses a standard, predictable format for internal emails. So, what exactly is a directory harvest attack, and how can you prevent them?
A directory harvest attack (DHA) is a common method spammers use to collect email addresses without the knowledge of the users of those email addresses. Spammers typically use this technique to flood the Exchange Servers of organizations with unwanted emails. They send out bulk emails to mailboxes that may or may not exist in order to discover valid or existent email addresses at a domain.
Directory Harvest Attacks are conducted by spammers who know that you are likely to have certain common names among employees at your organization. For example, chances are there are employees named John, Sarah, Peter, and so forth in companies with high numbers of staff. The spammers compile a list of possible names in a company and attach them to a known domain name. For example, if the spammer aims to harvest email addresses from example.com and the above names are in their list, they will send spam emails to email@example.com, firstname.lastname@example.org, and so forth.
They also use different permutations of common names. For example, if the target user is John Smith, they can send spam emails to email@example.com, firstname.lastname@example.org, or email@example.com. Basically, they try any possible combination, and with the help of email-generating programs, they can produce different permutations of any name they can think of. Moreover, they also send spam emails to email addresses common in most companies, such as firstname.lastname@example.org, email@example.com, and firstname.lastname@example.org.
Once spammers send a directory harvest attack, they rely on the responses from the server to purge invalid email addresses from their list. This includes those email addresses not delivered for any reason, and those that returned verbiage indicating the email address does not exist. Finally, they end up with a list of valid email addresses that they can use to attain their goals.
To determine if an email is valid or not, spammers use non-delivery reports and recipient filtering during the early phase of SMTP conversation. With these two approaches, it becomes easier for them to end up with a list containing valid email addresses.
Countering directory harvest attacks needs to be a top priority to avoid inconveniences that can significantly impact your day-to-day operations. Here are some of the reasons why you need to focus on directory harvest attack prevention:
When your mailboxes are flooded with garbage, there is a high possibility you may miss very crucial emails. Spammers may send spam often, sometimes every day, which will make it difficult to go through all your emails to identify the legitimate messages.
Spammers send spam in bulk. These are not the usual emails you receive every day. If they find their way to your mailboxes, you may need a couple of hours to delete them. Keep in mind that you can't just select and delete en masse, as some resemble genuine email addresses.
The good news is there are steps you can take to prevent directory harvest attacks.
Using standard email formats makes it easier for spammers to succeed in sending DHAs. Counter this by using atypical formats where spammers can't easily decipher a combination of characters. For example, you can include the year an employee joined your company in their email address. So, if John Smith was hired in 2019, you might have something like email@example.com.
The goal behind sending NDRs is to make spammers believe the email address doesn't exist so they will stop sending spam. You need an anti-spam application to achieve this. Anti-spam software uses keywords to filter out emails that look like spam. While this method is effective, it is good to note that it uses a lot of resources.
The other option is to disable NDRs. This is a good option if you are not ready to invest in anti-spam, but you need to be very cautious when implementing it. First, when you disable NDRs, anyone sending genuine emails to you won't know if the emails were delivered even when the email address was incorrect. So, even when a delivery fails, senders might end up thinking you are ignoring them, which is not the case.
The other reason you need to be cautious is that when no NDRs are generated, spammers may automatically assume your email address exists and proceed to send more spam. Keep in mind spammers rely on NDRs to prepare a reliable list of valid email addresses. So, by disabling your NDRs, you may be making the work of spammers easier.
Disabling delivery receipts can go a long way in helping you save on bandwidth and other resources. However, if you choose to implement this approach, it is important to note that legitimate senders will not receive delivery receipts and may think their messages weren't delivered.
While not the most malicious form of cyber attack, directory harvest attacks can still seriously hinder the day-to-day performance of your business. Thankfully, there are various steps you can take to counter the inconvenience of DHAs. At Electric, we have a team of experts ready to guide your company on cybersecurity issues such as how to prevent DHAs. For more information, book a meeting to speak with one of our IT specialists.