A prime example of this new connection point threat is known as directory harvest attacks (DHAs). DHAs are designed to net spammers lists of valid email addresses to which they can send spam or sell to other spammers. It works like this. An open source or stand-alone Mail Transfer Agent (MTA) typically responds to email delivery attempt requests with a simple “yes” or “no”. If the response is “no”, the sending server gets an error message since the address is invalid and mail for that address cannot be delivered. If the sending server gets a “yes”, it knows the address is valid and a message can be delivered.

Spammers, list brokers or other unscrupulous culprits exploit this simple functionality to harvest legitimate email addresses from a corporate directory by sending thousands (or even hundreds of thousands) of messages to multiple addresses such as johndoe@yourcompany.com, or jdoe@yourcompany.com. Spammers track all of the addresses that do not bounce back or generate errors, and consider these valid addresses, which are then compiled into lists that are then sold or distributed to other spammers. In fact, it is not uncommon for new users of popular email systems like Yahoo or Hotmail to receive spam before they’ve ever used their new email address!

Directory harvest attacks also have a very damaging side effect: consuming enormous amounts of email server resources while email servers try to cope with DHA probes.

Lotus Notes and Exchange servers, for example, generally accept all messages for their domain by default. This only aggravates the negative impact of a directory harvest attack because the spammer assumes all the attempted addresses are valid, and thus will send more spam or sell the attempted addresses to others.


Unfortunately, directory harvest attacks are often launched simultaneously, from many different computers. The resulting spike in traffic from the directory harvest attack can easily knock an email server offline.

Anti-spam Solutions Must Go Beyond Content Filtering

Because of the harmful impact from DHAs on email system performance, directory harvest attacks must be treated as more than just an email inbox or end user annoyance issue. Directory harvest attacks cannot be stopped by conventional content filtering found in appliances or software since there is no “content”. Nor can spam messages that reduce or eliminate “content” in a message be reliably blocked with content filtering.