Although the media hype over spam has subsided in 2006, spam still accounts for as much as 60% to 80% of all e-mail traffic. A tactic often used by spammers to collect e-mail addresses is the directory harvest attack. Protect the enterprise's messaging infrastructure from this risk by following anti-spam best practices.
DHA Defined
Directory harvest attacks (DHAs) are used to mine valid e-mail addresses associated with the target e-mail domain so that those addresses can be added to a spammer's database. In a DHA, the attacker uses a brute-force program to "guess" the possible e-mail addresses that may exist in a company's e-mail domain. Then the attacker sends a test message to all the potential e-mail addresses. Once the target company's e-mail server rejects the invalid or non-existent addresses, the DHA program uses a process of elimination to generate a list of valid addresses, then adds the entire list to the spammer's database of addresses to spam.
DHAs are detrimental for a variety of reasons:
- The company receives more spam, which is often a vehicle for viruses, Trojans, phishing attempts, and other threats.
- The DHA list-generation process can be demanding enough to slow down e-mail server performance, thus hindering the entire corporate messaging infrastructure.
- A particularly aggressive DHA can replicate the effects of a denial-of-service attack.
According to estimates, DHAs account for up to 25% of requests processed by some SMTP servers. Small- to mid-sized enterprises (SMEs) are more at risk of DHAs than larger organizations. Spammers often target SMEs for DHAs because smaller companies tend not to purchase robust security tools or appliances. Large companies are normally better equipped with anti-spam tools, e-mail gateways, and other such countermeasures.
Recommendations
- Buy server-level anti-spam tools now. To significantly reduce spam and save users' time, implement a product that has high accuracy. Identify a server-level product that meets the enterprise's needs at the lowest possible cost per user and doesn't require much care and feeding by IT staff. Refer to the spam filtering buying guide, from eWEEK.com.
- Run a test of the anti-spam solution in monitoring mode before implementation. This will give IT an idea of how good the tool is at separating the wheat from the chaff before going live. Also, look into creating quarantine directories for rejected mail where a false positive might still be retrieved before deletion.
- Configure anti-spam solutions for DHA-specific attacks. In some cases, it may be worthwhile to adjust anti-spam tools to monitor the frequency of misaddressed e-mail messages. Once the frequency passes a certain level, messages sent from that particular IP address can be deferred or rejected altogether. Deferral is better for ensuring that legitimate e-mails aren't misidentified as part of a DHA.
- Ensure that users play a role in identifying anti-spam success. A good anti-spam strategy combines policy and communication, as well as filtering tools. While sophisticated pattern matching and Bayesian analysis are great things to have in an anti-spam tool, communication with end users is also crucial. Clearly communicate to users that the goal is to limit spam while also limiting things like false positives. Users must understand that even the best solution might still allow some spam to enter their inboxes. Encourage users to participate in the process by regularly reporting both spam and suspected false positives to the person(s) in charge of e-mail administration.
- Leverage anti-spam industry expertise for DHA defense. E-mail security vendor Postini processes about one billion e-mail messages per day on behalf of 35,000 business customers around the world. Postini's Flash-based online tool StatTrack scans the Internet in real-time and reports on spam traffic and DHAs. StatTrack also shows an updated world map outlining where current DHA threats are originating. This allows administrators to be aware of – and to prepare for – the latest threats, sometimes even before anti-virus vendors can get the word out. This no-charge resource is meant to showcase Postini Perimeter Manager, the company's flagship e-mail protection service.
- Exercise caution when posting corporate or personal e-mail addresses. It's much easier for spammers to harvest publicly-posted e-mail addresses than it is to use DHA. Some enterprises and/or business units rely on publicly-posted e-mail addresses more than others for their communications, but there are methods for mitigating the risk of spam while still allowing for publicly-available addresses:
- Use Hex code. Replace non-alphabetical characters in an e-mail address with their Hex equivalents when creating HTML pages. For example, using Hex code turns "joe@anycompany.com" into "joe%60anycompany%2ecom." So when the Web page goes up, viewers will see a normal-looking address, but spammers won't be able to parse the underlying Hex code.
- Reformat e-mail lists. If the corporate site posts e-mail lists, such as a sales group, consider re-posting them in a graphic format, like a .gif file. Customers will be able to read the list without problem, but again, the DHA program won't be able to parse the code for harvesting the addresses.
- Consider Web forms. The enterprise could use Web forms on the corporate site for when visitors wish to contact the organization. With a Web form submission, no e-mail address is posted at all. This is the least user-friendly avoidance method, but it may be an option in certain situations.
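The "monitor the frequency of misaddressed messages, then defer or reject the source" recommendation above can be checked against a mail server's own logs. The following is an added example, not code from the original article or from any vendor product: it parses constructed Postfix-style "User unknown" rejection lines, counts them per client IP inside a sliding time window, and maps the count to an accept/defer/reject verdict. The log format, the IP addresses (documentation ranges), the 60-second window and the thresholds of 5 (defer) and 10 (reject) are all assumptions chosen for illustration; tune them to the real server's traffic.

```python
"""Flag directory-harvest behaviour from SMTP recipient-rejection logs.

Added example (not from the original article). All log lines, addresses
and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches a Postfix-style "550 5.1.1 User unknown" recipient rejection
# (format assumed for the example). The explicit "from ...[ip]" anchor
# avoids picking up the smtpd process id in "smtpd[1]".
UNKNOWN_RCPT = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S*\[(?P<ip>[\d.]+)\]: 550 5\.1\.1 "
    r"<(?P<rcpt>[^>]+)>"
)

HARVEST_IP = "203.0.113.5"   # constructed harvester (TEST-NET-3 range)
LEGIT_IP = "198.51.100.7"    # constructed partner MTA (TEST-NET-2 range)


def _reject_line(sec, ip, rcpt):
    return (f"Mar 13 10:00:{sec:02d} mx postfix/smtpd[1]: NOQUEUE: reject: "
            f"RCPT from unknown[{ip}]: 550 5.1.1 <{rcpt}>: "
            f"Recipient address rejected: User unknown")


def _accept_line(sec, ip):
    return f"Mar 13 10:00:{sec:02d} mx postfix/smtpd[1]: 4F2C1: client=[{ip}]"


# Constructed sample log: twelve guessed names from one IP inside twelve
# seconds, versus two typo bounces from a legitimate sender in a minute.
SAMPLE_LOG = "\n".join(
    [_reject_line(s, HARVEST_IP, f"guess{s}@example.com") for s in range(1, 13)]
    + [_accept_line(20, HARVEST_IP),
       _reject_line(5, LEGIT_IP, "jon@example.com"),
       _accept_line(6, LEGIT_IP),
       _reject_line(40, LEGIT_IP, "sales-team@example.com")]
)


def classify(count, defer_at=5, reject_at=10):
    """Map a windowed unknown-recipient count to an action."""
    if count >= reject_at:
        return "reject"
    if count >= defer_at:
        return "defer"
    return "accept"


def analyze(log_text, window_seconds=60, defer_at=5, reject_at=10):
    """Return {ip: (peak_count_in_window, action)} for every rejecting client."""
    recent = defaultdict(deque)   # ip -> timestamps of recent rejections
    verdict = {}
    for line in log_text.splitlines():
        m = UNKNOWN_RCPT.match(line)
        if not m:
            continue                # accepted mail and other events are ignored
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()             # slide the window forward
        count = len(q)
        peak = verdict.get(m["ip"], (0, "accept"))[0]
        if count > peak:
            verdict[m["ip"]] = (count, classify(count, defer_at, reject_at))
    return verdict


if __name__ == "__main__":
    for ip, (count, action) in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {count} unknown recipients in window -> {action}")
```

The constructed harvester IP reaches the reject threshold while the partner IP, with two misaddressed messages spread over the window, stays at "accept"; shrinking the window to five seconds drops the harvester to "defer", which is the safer verdict the article recommends when a source might still be legitimate.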
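The "encode the address in the HTML" idea from the posting guidelines above can be implemented and checked in a few lines. The following is an added example, not code from the original article: it encodes every character of an address as an HTML numeric character reference (which browsers decode when rendering, so visitors see a normal address), builds a mailto link from it, and then runs two constructed harvester regexes over the page source, one that reads the raw markup and one that decodes character references first. The address, the link label and the regex are assumptions for illustration. The second harvester shows the caveat a practitioner should keep in mind: encoding only stops tools that never decode the markup.

```python
"""Obfuscate a posted e-mail address with HTML character references and
check what a naive versus a decoding harvester would recover.

Added example (not from the original article); the address and the
harvester patterns are constructed for illustration.
"""
import html
import re

# A simplistic address pattern standing in for a harvester's scanner.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def encode_address(addr):
    """Encode every character as a decimal HTML character reference."""
    return "".join(f"&#{ord(c)};" for c in addr)


def mailto_link(addr, label=None):
    """Build an <a href="mailto:..."> element with both href and text encoded."""
    return (f'<a href="mailto:{encode_address(addr)}">'
            f'{encode_address(label or addr)}</a>')


def rendered_text(fragment):
    """What a browser displays: references decoded back to characters."""
    return html.unescape(fragment)


def naive_harvest(page_source):
    """Harvester that scans raw markup without decoding references."""
    return EMAIL_RE.findall(page_source)


def decoding_harvest(page_source):
    """Harvester that decodes character references before scanning."""
    return EMAIL_RE.findall(html.unescape(page_source))


if __name__ == "__main__":
    addr = "joe@anycompany.com"          # constructed example address
    link = mailto_link(addr)
    print("raw source:   ", link)
    print("as rendered:  ", rendered_text(link))
    print("naive scan:   ", naive_harvest(link))
    print("decoding scan:", decoding_harvest(link))
```

The raw markup contains no literal "@" or ".", so the naive scan returns nothing while the page still renders and links normally; the decoding scan recovers the address from both the href and the link text, which is why this technique should be combined with server-side filtering rather than relied on alone.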
Bottom Line
DHA is yet another method for spammers to harvest e-mail addresses that they subsequently blitz with unwanted and potentially harmful messages. Spam traffic is not going to end anytime soon; employ anti-spam solutions and procedures to lessen the threat.