Saturday, March 6, 2010

Postini reports a drop in directory harvest attacks

The anti-spam service Postini has reported that there has been a drop of 8% in directory harvest attacks for the month of March. This is the first drop in seven months.

Unless they have changed their methods and I haven't heard or read about it yet, the way to run a directory harvest attack against a company is to run a brute force/dictionary attack against it with usernames (it helps - the spammer, that is - if they already have a few usernames from that domain so that they can see the format). These can be gathered from existing spam databases, or from viruses which pull addresses from the machines they infect.

So if the spammer has a few addresses at Company ABC whose email format appears to follow FIRST_INITIAL NO_SPACE LAST_NAME, then they can run a long list of first and last names against it and send them spam (it doesn't have to be real spam in the sense of carrying a message; it can just be junk or even blanks).
If the server responds with a non-delivery report, then you know that user doesn't exist on that server. If you get nothing back, or better yet an unsubscribe, a read receipt, or an out-of-office reply, then you know that there is a live mailbox there.
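The pattern described above, a single source hammering one domain with many different guessed usernames, shows up on the receiving side as a burst of "user unknown" rejections from one client IP. The following is an added example, not code from the post, of a small log check that flags that pattern: it parses Postfix-style SMTP rejection lines (the sample log below is constructed, with documentation-range IPs and invented names; the log format, the ten-minute window and the five-recipient threshold are assumptions) and reports any client that tried more than a threshold of distinct unknown recipients inside a sliding time window.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a Postfix-like format (not taken from the post).
# 203.0.113.9 walks a list of FIRST_INITIAL+LAST_NAME guesses; 198.51.100.7
# is a partner who mistyped one address.
SAMPLE_LOG = """\
Mar  6 09:30:00 mx postfix/smtpd[987]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <aolsen@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.invalid>
Mar  6 10:00:01 mx postfix/smtpd[1001]: connect from unknown[203.0.113.9]
Mar  6 10:00:02 mx postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <jsmith@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.invalid>
Mar  6 10:00:03 mx postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <jjones@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.invalid>
Mar  6 10:00:04 mx postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <jbrown@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.invalid>
Mar  6 10:00:05 mx postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <jwilson@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.invalid>
Mar  6 10:00:06 mx postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <mjohnson@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.invalid>
Mar  6 10:00:07 mx postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <mgarcia@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.invalid>
Mar  6 10:00:08 mx postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <mmiller@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.invalid>
Mar  6 10:00:09 mx postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <mdavis@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.invalid>
Mar  6 10:01:30 mx postfix/smtpd[1002]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <jsmith@example.com>: Recipient address rejected: User unknown in local recipient table; from=<y@spam.invalid>
Mar  6 10:01:31 mx postfix/smtpd[1002]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <jjones@example.com>: Recipient address rejected: User unknown in local recipient table; from=<y@spam.invalid>
Mar  6 10:05:10 mx postfix/smtpd[1003]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.7]: 550 5.1.1 <jsmth@example.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@partner.example>
"""

# Matches only "user unknown" RCPT rejections; everything else is ignored.
REJECT_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)

LOG_YEAR = 2010  # syslog lines carry no year; assumed for the constructed sample


def parse_reject(line):
    """Return {'ts', 'ip', 'rcpt'} for a user-unknown rejection line, else None."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return {"ts": ts.replace(year=LOG_YEAR), "ip": m["ip"], "rcpt": m["rcpt"].lower()}


def find_harvesters(lines, threshold=5, window_minutes=10):
    """Map client IP -> peak number of DISTINCT unknown recipients it tried
    within any window of `window_minutes`, for clients at or above `threshold`.

    Counting distinct recipients (not raw rejections) separates a dictionary
    run from a misconfigured sender that retries the same bad address."""
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)
    for line in lines:
        ev = parse_reject(line)
        if ev:
            events[ev["ip"]].append((ev["ts"], ev["rcpt"]))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()                  # sliding window needs time order
        in_window = Counter()       # recipient -> occurrences inside the window
        start = 0
        peak = 0
        for ts, rcpt in evs:
            in_window[rcpt] += 1
            # Evict events older than the window from the left edge.
            while ts - evs[start][0] > window:
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, n in find_harvesters(SAMPLE_LOG.splitlines()).items():
        print(f"possible directory harvest from {ip}: {n} distinct unknown recipients")
```

In the sample the scanning host is reported with 8 distinct unknown recipients (its two repeats of jsmith and jjones do not raise the count, and its 09:30 probe falls outside the ten-minute window), while the partner's single typo stays below the threshold. Lines like these only exist if the server rejects unknown recipients during the SMTP transaction instead of accepting the message and bouncing it later; the same approach works on any MTA log once the regex is adjusted to its rejection format.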

Actually, if you get nothing back, that technically doesn't mean that there is a live email on the other side. It could mean that they have turned off their NDRs (non-delivery reports) on their mailserver. This is generally a good thing and can reduce load on the server as well as bandwidth wasted.
Unfortunately, there are many scenarios for which a company can't turn those off. Our company is one of those. I turned them off when we were seeing extremely high spam loads and it was flooding our net connection. But there are several old addresses in our system that have been cleaned out lately and some of our less net savvy clients need to know that the user is not going to reply to them - so getting an NDR at least forces them to follow up with us. Otherwise they think the person got it, but just isn't responding - and that results in an angry client.

My first two thoughts upon seeing that DHAs are down are that either 1) more servers are turning off the features which make DHAs work (NDRs, out-of-office replies, read receipts), or 2) spammers have found something more effective at making money and/or generating real live email addresses.
