
Directory Harvest Attacks

Created: 05 Nov 2007 • Updated: 22 May 2010 | 2 comments
We're new to SMS 5 and its control techniques so please pardon this perhaps obvious question:
 
When I first installed SMS 5.0.1 last week I was astounded to discover that >93% of my inbound mail was considered SPAM. 
 
I turned on a feature called Directory Harvest Attacks and set the action to be defer connection. This morning I see that since doing this my SPAM has dropped to ~25% and the 'Attack' column [in the message overview report] has risen to the 70/80/90 + % zone. I presume that this means that 25% or so of my mail is tagged as SPAM and 70+% of it is tagged as originating from a DHA? Can anyone offer some insight into what I'm seeing? The effect of turning on the DHA/defer connection was immediate and pretty eye-opening.
 
Thanks,


Dennis Pinckard

If you haven't done so, check the online help and/or manual for Directory Harvest Attack.

It is shocking to see first hand that 90+% of inbound email is junk. With some work and research, you'll be able to squeeze out a few percentage points more. It's also a learning experience when you start classifying the types of attacks (75% DHA, 23% SPAM, 1% Virus, . . .)

Since a Directory Harvest Attack sends email to a lot of guessed addresses, you may have noticed a lot of these in quarantine. (Adam@. . ., Betty@... David@...  JSmith@....)  While they may have multiple addresses on the TO: or CC: line, they are often sent just one address per message.  The main point is to identify valid addresses after all.

Depending on the settings in the Directory Harvest Attack configuration, multiple recipient failures from the same IP address within a given timeframe will result in an attack being flagged and the given action taking place.  Generally, this is to defer any connections from that IP.  That is, no connections accepted from that IP address for the next 2 hours, for example.

Now, I have noticed that with the newer botnets, they may send only 2-3 emails from a given IP address, but the botnet could have 10, 20, or 100 thousand bots to spread the load.

Do make sure you have "Drop Invalid Recipients" enabled. This means anyone sending to jsmtih@... instead of jsmith@... will not get an NDR, but it will help defeat the DHAs.

The other option that will make a huge impact is to use the DNS blacklists.  Pick one or two to start with, if you don't already have a list of ones you trust.  For a commercial mail server, you should really sign up with them (some for $$) and rsync their lists to a local DNS server.  It's much faster and will greatly lessen the load on their servers.  (Plus they won't block you for too many dns requests).  Just make sure to read and understand the policies for each blacklist you use.

From the SMS 4300 appliance help file (version 7.6):

Configuring directory harvest attack recognition

Spammers employ directory harvest attacks to find valid email addresses at the target site. A directory harvest attack works by sending a large quantity of possible email addresses to a site. An unprotected mail server will simply reject messages sent to invalid addresses, so spammers can tell which email addresses are valid by checking the rejected messages against the original list.

Set up directory harvest attack recognition as described in the following procedures. Directory harvest attack recognition is disabled by default. You must enable directory harvest attack recognition to activate it. When enabled, connections received from violating senders are deferred by default. Deferring a connection slows down the progress of a possible attack and discourages spammers from maintaining the connection.

Note:

You must first enable and configure LDAP synchronization to use this feature.
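The recognition rule Dennis describes (a number of invalid-recipient failures from one IP inside a time window flags the IP, after which its connections are deferred for a fixed period) is easy to model. The following is an added illustration, not Symantec SMS code and not its actual algorithm: the event format, the recipient directory, the IPs (RFC 5737 documentation ranges) and the threshold, window and deferral values are all constructed for the example, and "deferring" is represented by the detector returning an action rather than by refusing an SMTP connection. The second batch of events shows the botnet case from the post, where each host stays under the per-IP threshold.

```python
"""Simulated directory-harvest-attack (DHA) recognition over SMTP
recipient-verification events.

Added illustration, not Symantec SMS code: it models the rule the post
describes (N recipient failures from one IP inside a time window flag the
IP, and its connections are then deferred for a fixed period).  Log lines,
addresses, IPs and the threshold values are all constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed directory of valid local recipients (stands in for the
# LDAP-synchronised address list used for recipient validation).
VALID_RECIPIENTS = {"jsmith@example.com", "ops@example.com"}

# Constructed SMTP events: timestamp, client IP, RCPT TO address.
# IPs come from RFC 5737 documentation ranges, so they are never real hosts.
SAMPLE_EVENTS = [
    "2007-11-05T09:00:00 203.0.113.7 adam@example.com",
    "2007-11-05T09:00:01 203.0.113.7 betty@example.com",
    "2007-11-05T09:00:02 203.0.113.7 david@example.com",
    "2007-11-05T09:00:03 203.0.113.7 jsmith@example.com",   # one guess is valid
    "2007-11-05T09:00:04 203.0.113.7 jsmtih@example.com",
    "2007-11-05T09:00:05 203.0.113.7 jones@example.com",    # fifth failure: flagged
    "2007-11-05T09:00:06 203.0.113.7 ops@example.com",      # valid, but IP is deferred
    # A small botnet spreading the same probes over three hosts, two each:
    "2007-11-05T09:01:00 198.51.100.1 adam@example.com",
    "2007-11-05T09:01:01 198.51.100.1 betty@example.com",
    "2007-11-05T09:01:02 198.51.100.2 carol@example.com",
    "2007-11-05T09:01:03 198.51.100.2 david@example.com",
    "2007-11-05T09:01:04 198.51.100.3 erin@example.com",
    "2007-11-05T09:01:05 198.51.100.3 frank@example.com",
]


class DhaDetector:
    """Per-IP sliding-window counter of invalid-recipient failures."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 defer_for=timedelta(hours=2)):
        self.max_failures = max_failures      # failures that trigger the flag
        self.window = window                  # sliding window for counting
        self.defer_for = defer_for            # how long connections are deferred
        self.failures = defaultdict(deque)    # ip -> timestamps of recent failures
        self.deferred_until = {}              # ip -> datetime the deferral expires

    def observe(self, ts, ip, rcpt):
        """Return the action taken for one RCPT TO from `ip` at time `ts`."""
        # Anything from a flagged IP is deferred until its block expires.
        if ip in self.deferred_until:
            if ts < self.deferred_until[ip]:
                return "defer"
            del self.deferred_until[ip]
        if rcpt in VALID_RECIPIENTS:
            return "accept"
        # Invalid recipient: reject with no NDR ("Drop Invalid Recipients")
        # and count the failure inside the sliding window.
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_failures:
            self.deferred_until[ip] = ts + self.defer_for
            q.clear()
            return "reject+flag"
        return "reject"


def run(events, **kwargs):
    """Feed events through a detector; return per-event (ip, rcpt, action)
    tuples and the set of IPs that were flagged."""
    det = DhaDetector(**kwargs)
    actions = []
    for line in events:
        stamp, ip, rcpt = line.split()
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
        actions.append((ip, rcpt, det.observe(ts, ip, rcpt)))
    return actions, set(det.deferred_until)


if __name__ == "__main__":
    acts, flagged = run(SAMPLE_EVENTS)
    for ip, rcpt, action in acts:
        print(f"{ip:14} {rcpt:22} {action}")
    print("flagged:", sorted(flagged))
```

With the constructed threshold of five failures, the single probing host is flagged on its fifth invalid recipient and even its later message to a valid address is deferred, while the three botnet hosts, at two failures each, are never flagged. Lowering `max_failures` to two catches them, at the cost of also flagging any legitimate sender that mistypes a couple of addresses, which is the trade-off behind tuning the window and threshold rather than just tightening them.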


J Penrose
Dennis,
 
Thank you for this well thought out and very helpful post.
 
I'll be tweaking the DHA settings based on your input.
 
Best,
-J