Understanding Directory Harvest Attacks
Think you can protect your in-box by carefully guarding
your e-mail address—not posting it in online
forums or Usenet messages, using disposable e-mail
addresses to register for Web sites, or even leaving
it off your business cards? Now's the time for a
reality check. If you've ever wondered how a brand-new
e-mail account has started getting spam within hours,
here's how that can happen.
It's a tenet of legal thrillers as well as the news:
The absence of a denial can be as informative as
a direct confirmation. This simple idea underlies
the directory harvest attack (DHA), an increasingly
prevalent technique for mining e-mail addresses
that can then be bombarded with unwanted solicitations.
Enterprise e-mail security vendor Postini
reports that DHAs increased by 250 percent in 2003
and now account for as much as one-quarter of the
requests that some SMTP (Simple Mail Transfer Protocol)
servers process each day.
In a DHA, an attacker unleashes a program that guesses
at possible e-mail addresses within a domain and
attempts to send messages to those addresses. The
server rejects requests intended for addresses that
don't exist. By the process of elimination, the
addresses it doesn't reject are deemed valid, and
the program can add them to a spammer's databases.
The result isn't just more spam (as if that weren't
bad enough). An aggressive DHA can place such intense
demands on a server that it mimics a denial-of-service
attack and slows legitimate e-mail delivery.
There are two primary techniques that DHAs employ
to generate possible addresses within a given domain.
The most blatant brute-force method is to run through
every possible combination of alphanumeric characters.
Alternatively, DHAs may use a variation of the time-honored
dictionary attack, which uses lists of common names
and the fact that e-mail addresses often follow
predictable patterns, such as first initial and
last name.
While you could, in principle, try to foil dictionary-based
DHAs by choosing atypical or obscure e-mail addresses,
doing so would make those addresses harder for others
to remember. And in any case, that wouldn't protect
you against scripts that simply try all character
combinations.
Another seemingly simple countermeasure would be
to configure the server not to reject messages to
invalid e-mail addresses; instead, silently accept
them and just throw them into a black hole. But
there's a significant cost to this strategy. If
the spammer's script decides that the absence of
a rejection implies it's a live address, you're
going to get even more spam flowing into that nonexistent
account and bogging down your infrastructure.
So what can you do? A number of mail server and
security vendors offer technological fixes that
promise to mitigate DHAs. Products from companies
like Kerio, Postini, and Rockliffe monitor statistics
like the proportion or frequency of misaddressed
e-mails sent from a given IP address; if that measure
crosses a threshold, messages or senders can be
rejected or deferred for a period of time.
Deferral rather than blocking helps ensure that
the server won't reject legitimate e-mail that is
mistakenly flagged as DHA attempts. This slows down
delivery, but like a log-on dialog box that locks
out further attempts for 30 minutes after three
consecutive unsuccessful attempts, this throttling
retards the efficiency of an attack enough to make
it largely ineffective.
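The threshold-and-defer monitoring described above, as an added example (it is not code from the article or from any of the vendors it names): a sliding window of RCPT TO outcomes is kept per client IP, and once a client has made at least five attempts in the window of which more than half targeted unknown recipients, that client gets a temporary failure for 30 minutes instead of a hard reject, so a misflagged legitimate sender is only delayed. The log format, mailbox list and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class DhaThrottle:
    """Per-client-IP sliding window of RCPT TO outcomes. A client that exceeds
    max_unknown_ratio of unknown recipients (after min_attempts) is deferred."""
    def __init__(self, window=timedelta(minutes=10), min_attempts=5,
                 max_unknown_ratio=0.5, defer_for=timedelta(minutes=30)):
        self.window, self.min_attempts = window, min_attempts
        self.max_unknown_ratio, self.defer_for = max_unknown_ratio, defer_for
        self.history = defaultdict(deque)  # ip -> deque of (timestamp, unknown?)
        self.deferred_until = {}           # ip -> datetime at which deferral lifts

    def handle_rcpt(self, ts, ip, unknown_recipient):
        """Record one RCPT TO and return 'defer' (SMTP 4xx while throttled),
        'reject' (5xx, unknown recipient) or 'accept'."""
        if ip in self.deferred_until and ts < self.deferred_until[ip]:
            return "defer"
        hist = self.history[ip]
        hist.append((ts, unknown_recipient))
        while ts - hist[0][0] > self.window:  # expire events outside the window
            hist.popleft()
        unknown = sum(1 for _, u in hist if u)
        if len(hist) >= self.min_attempts and unknown / len(hist) > self.max_unknown_ratio:
            self.deferred_until[ip] = ts + self.defer_for
            return "defer"
        return "reject" if unknown_recipient else "accept"

# Constructed sample data, not real traffic: the domain's valid mailboxes and a
# log of (timestamp, client IP, RCPT TO address) in the order the server saw them.
KNOWN_MAILBOXES = {"alice@example.com", "bob@example.com"}
SAMPLE_LOG = [
    ("2024-01-01T10:00:00", "203.0.113.5", "aadams@example.com"),   # first-initial +
    ("2024-01-01T10:00:01", "203.0.113.5", "abaker@example.com"),   # last-name guesses
    ("2024-01-01T10:00:02", "203.0.113.5", "alice@example.com"),    # (one hits)
    ("2024-01-01T10:00:03", "203.0.113.5", "acarter@example.com"),
    ("2024-01-01T10:00:04", "203.0.113.5", "adavis@example.com"),
    ("2024-01-01T10:00:05", "203.0.113.5", "aedwards@example.com"),
    ("2024-01-01T10:00:10", "198.51.100.9", "alice@example.com"),   # legitimate sender
    ("2024-01-01T10:00:11", "198.51.100.9", "bobb@example.com"),    # with one typo
    ("2024-01-01T10:00:12", "198.51.100.9", "bob@example.com"),
]

def replay(log=SAMPLE_LOG, known=KNOWN_MAILBOXES):
    """Run the log through a fresh throttle; return {ip: [action per RCPT TO]}."""
    throttle, actions = DhaThrottle(), defaultdict(list)
    for stamp, ip, rcpt in log:
        ts = datetime.fromisoformat(stamp)
        actions[ip].append(throttle.handle_rcpt(ts, ip, rcpt not in known))
    return dict(actions)
```

Running `replay()` shows the guessing client deferred from its fifth attempt onward, while the legitimate sender's single typo is rejected normally and its other messages are accepted.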
Such technological solutions can help, but ultimately
the fix has to come in the protocols we use for
e-mail. While there is some action in that area
(see "Can E-Mail Survive?" February 17),
it'll be some time before we see real progress.