Spammers probe SMTP mail servers on the Internet in an attempt to discover valid addresses at a
domain. They set their computers to try sending email to different addresses using a
dictionary of common first name and last name combinations. Since companies sometimes use a
standardized name format as the first portion of an email address (before the @domain), these
harvesting attempts may succeed.

For a user named John Smith, some standardized formats are:

JSmith@domain.com
SJohn@domain.com
JohnS@domain.com
John.Smith@domain.com
SmithJ@domain.com
Smith.John@domain.com

Why does this "directory harvest" vulnerability exist?
The vulnerability arises because the receiving mail server under attack provides feedback
about the non-deliverability of an email address. The attacking computer notes this failed
attempt and continues with other test addresses.
For example, with Microsoft Exchange Server 2003, if the intended recipient does not appear in
Active Directory, the following error message is returned to the spammer: 550 5.1.1 User unknown.
This signal indicates that the email address is not valid; those that are found to be valid will
receive increasing spam from the spammer harvesting your email directory.
By comparison, Praetor never returns any signal or other
information to the originating spammer.
What other problems can "directory harvest" attacks cause?
When under a directory harvest attack, the massive volume of attempts with different addresses
sent by the spammer will consume a mail server's resources. At worst, the mail server may be
prevented from receiving legitimate email if all available resources are exhausted.
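The two symptoms described above, a burst of 550 5.1.1 rejections for many distinct recipients from one client and the resulting load, are what a mail administrator can look for in the server's own logs. The following detector is an added example, not Praetor's code or any vendor's log format: it assumes a constructed, hypothetical rejection-log line layout (timestamp, client IP, RCPT TO address, SMTP reply) and flags any client that probes more than a set number of unknown recipients inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format (not any real product's output).
# 203.0.113.5 walks the name-format dictionary for "John Smith"; 198.51.100.9 is a
# normal sender with one typo. Both IPs are documentation ranges.
SAMPLE_LOG = """\
2024-03-01T10:00:01 client=203.0.113.5 rcpt=JSmith@example.com reply=550 5.1.1 User unknown
2024-03-01T10:00:02 client=203.0.113.5 rcpt=SJohn@example.com reply=550 5.1.1 User unknown
2024-03-01T10:00:02 client=203.0.113.5 rcpt=JohnS@example.com reply=550 5.1.1 User unknown
2024-03-01T10:00:03 client=203.0.113.5 rcpt=John.Smith@example.com reply=250 2.1.5 Recipient OK
2024-03-01T10:00:04 client=203.0.113.5 rcpt=SmithJ@example.com reply=550 5.1.1 User unknown
2024-03-01T10:00:05 client=203.0.113.5 rcpt=Smith.John@example.com reply=550 5.1.1 User unknown
2024-03-01T10:00:07 client=198.51.100.9 rcpt=alice@example.com reply=250 2.1.5 Recipient OK
2024-03-01T10:02:00 client=198.51.100.9 rcpt=alcie@example.com reply=550 5.1.1 User unknown
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) rcpt=(?P<rcpt>\S+) reply=(?P<code>\d{3}) (?P<status>\S+)"
)


def parse_log(text):
    """Yield (timestamp, client_ip, recipient, reply_code, enhanced_status) per parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["ip"], m["rcpt"].lower(),
                   m["code"], m["status"])


def find_harvesters(text, window=timedelta(minutes=5), max_unknown=4):
    """Return {client_ip: distinct_unknown_recipients} for clients that were told
    '550 5.1.1' for more than max_unknown distinct addresses within one window."""
    unknown_hits = defaultdict(list)
    for ts, ip, rcpt, code, status in parse_log(text):
        if code == "550" and status == "5.1.1":
            unknown_hits[ip].append((ts, rcpt))
    flagged = {}
    for ip, hits in unknown_hits.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window over each start point
            distinct = {r for t, r in hits[i:] if t - start <= window}
            if len(distinct) > max_unknown:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged
```

Counting distinct recipients rather than raw rejections keeps a legitimate sender who retries one mistyped address from being flagged; the threshold and window are tunable per site.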