Preventing Directory Harvest Attacks

Spammers use manytechniques to flood yourExchange server with unwanted garbage. One technique that can be especiallyproblematic for the recipient isa directory harvest attack(DHA). In these attacks, spammers send messages to mailboxes that may or may not existin order to discover legitimateaddresses. There are techniques you can use to protectyour Exchange organizationagainst these attacks, but firstyou need to understand howDHAs work.

Anatomy of a DHA

The basic idea behind a DHA isthat there are many commonnames. If your company hasmany employees, chances areyou have employees namedJohn, Bob, Mary, and so forth.Spammers have therefore compiled long lists of commonnames. A mail-generating program attaches each name on thelist to a known domain name.For example, if a spammer weretargeting the contoso.comdomain and had the namesJohn, Bob, and Mary on a list,spam messages would be sentto [email protected], [email protected], and [email protected].

Keep in mind that theremight not be a John, Bob, orMary working at Contoso. Thespammer sends messages tothese addresses anyway, usingcommon names in an effort tofigure out which email addressesare valid. In addition to names,the spammer will also usewords that are often found inemail addresses; for example,the spammer might try [email protected], [email protected], or [email protected].

When spammers launchDHAs, they know that most ofthe addresses they're tryingwill be invalid. However, theyalso know that if they tryenough names, some messages will go through. Spammers often have thousands ofnames on their lists.

In the example of spambeing sent to John, Bob, andMary, I showed you how thename from the list could beattached to a target domainname. In the real world, companies rarely use an employee'sfirst name as the sole basis foran email address. More often,email addresses are made up ofa combination of the employee'sfirst and last name. Spammersknow this, so they send messages to many different combinations of the names on theirlists. For example, if a spammerwanted to target the name John Smith, some possible combinationsmight include JSMITH, John.Smith, orJohnS.

If the spammer's list contains thousands of names, you can imagine howmany messages have been sent by thetime the spammer has attemptedevery possible combination of names.Typically, first and last names wouldbe separate lists, greatly increasing theoverall number of combinations to try.A DHA sometimes produces the samesymptoms as a Denial of Service(DoS) attack. The spammer mightflood the recipient's email server withso many messages that legitimatemessages can't get through.

Of course, this technique has manyvariations. Some spammers don'tworry about using lists of names butinstead perform a brute-force attackin which they try every possible combination of numbers and letterswithin a predetermined length ofusername in conjunction with aknown domain name. This techniqueis extremely resource- and time-consuming for the spammer becauseof its brute-force nature. Some spammers prefer to use a less thorough, lesstime-consuming method.

Other spammers use spam databases to find a few known addressesassociated with the domain, so thatthey can determine the email-addressformat that a company uses. If spammers know the address format, theycan launch a much more efficientDHA. But because millions of domainsexist, spammers are spending lessand less time fine-tuning attacksagainst individual domains, preferringinstead to send out millions of messages to a variety of address formats tofind a few valid ones.

Sending messages to countlessemail addresses is only half the battle.Remember that the purpose of theDHA is to determine which emailaddresses are valid so that more spamcan be sent to those addresses. Spammers can find valid email addresses intwo different ways.

The most common technique thatspammers use to find valid addressesis to look at the nondelivery reports(NDRs) that are generated. As youprobably know, most mail servers areconfigured so that when a message issent to a nonexistent email address,an NDR is returned to the sender.Spammers cross-reference NDRsagainst the list of email addresses thatthey sent messages to. Any address forwhich an NDR was returned is considered to be invalid and is thereforeremoved from the list.

Originally, spammers treated theabsence of an NDR as confirmationthat an address was valid. Today, however, spammers can't be completelycertain that an email address is validjust because they didn't get an NDR. Ifa spammer floods a domain with directory-harvest messages and no NDRsare returned, the spammer knows thatthe company has disabled NDRs.

Spammers can still figure out legitimate email addresses, although notas many as they could if NDRs wereenabled. To do so, spammers look forclues such as out-of-office messages.Spammers might also include arequest for delivery receipts withindirectory-harvest messages.

Because of the way DHAs work, it'spossible that even new email addressesthat haven't been used could startreceiving spam within hours of creation. Fortunately, there are severalways that you can fight this type ofattack. The techniques I describe areintended for Exchange Server 2003,but most should also work withExchange 2000 Server.

Disabling Delivery Receipts

One method to combat DHAs is todisable delivery receipts for theExchange organization. The primaryadvantage of disabling deliveryreceipts is that doing so makes DHAsmuch less effective. Disabling deliveryreceipts might also save you bandwidth and other system resources.Think about it for a minute. If your mail server has to generate a deliveryreceipt for every message that a spammer sends, you could be wasting a lotof system resources. A single deliveryreceipt consumes a negligible amountof bandwidth, CPU time, memory,and other resources; cumulatively,however, generating large numbers ofdelivery receipts can have an impacton available system resources. Thedownside to this technique is that if alegitimate user asks for a deliveryreceipt and you've disabled deliveryreceipts, the user will think that his orher message wasn't delivered.

Disabling NDRs

Just as the process of generating and sending large numbers of delivery receipts can affect available system resources, so too can generating NDRs. A DHA sends messages to thousands (if not millions) of nonexistent mailboxes. The impact of these messages on your bandwidth and other system resources is bad enough, but the effect is compounded when your server replies to each invalid message with an NDR.

In some organizations, the thoughtof recovering bandwidth and systemresources that were previously used inproducing NDRs might be appealingenough to justify disabling them. Butbefore you do, there are a couple ofnegative aspects that you need toconsider.

One problem involves people whosend legitimate email messages toyour organization. If a client enters anemail address incorrectly, the messagewon't reach its recipient. Without anNDR, senders never know that theirmessage wasn't delivered and mightthink they're being ignored.

Another problem with disablingNDRs as a countermeasure to DHAs isthat the technique can backfire on you.Remember how a DHA works: In theattack's simplest form, the list of namesis compared with the list of NDRs todetermine which email addresses arevalid. Some of the less-sophisticated spam generators automatically assumethat an email address is good if no NDRis returned for it. Once spammers havea valid address, they send a lot morespam to it.

Sending False NDRs

Some antispam applications can actually produce false NDRs, which can be used to defend an organization against an onslaught of spam. The antispam application contains all the typical filters (e.g., keyword, blacklist, Bayesian). When one of the filters detects a spam message, the antispam application returns a phony NDR to the spammer. The idea is to make the spammer think that the address is no longer valid and stop sending spam to it.

Sending false NDRs consumes a lot of resources. Also, because the messages used in DHAs are usually either empty or contain only one word, some antispam applications have trouble identifying these messages as spam. Besides, unless a message contains a valid email address for the sender, a reply is futile.

Atypical Address Formats

Another way to counter DHAs is to use atypical email address formats. For example, I've seen companies that include the year an employee was born as part of the employee's email address: If John Smith was born in 1973, he might be assigned an email address such as [email protected].

The logic behind this technique is that if spammers are using lists of names to launch attacks, no combination from the lists will produce a valid email address. However, email addresses that include numbers tend to be more difficult to remember, which can make it tough for legitimate senders to communicate with employees at your company unless they have the recipient's email address stored in an address book. Also, this technique works against only those spammers who use list-based attacks; a brute-force attack will yield valid email addresses regardless of their format.

Recipient Filtering

One last technique I'll discuss is recipient filtering. Recipient filtering takes place during the early phases of the SMTP conversation, which means that a message can be rejected before the message body is sent to the server. The benefit is that you conserve resources because the server isn't downloading the message body for rejected messages.

The problem with recipient filtering, though, is that when used by itself it can actually make a DHA more efficient and more successful. Remember that the key to a successful DHA is that the spammer must be able to match NDRs to the messages that were sent out. It takes time for an Exchange server to process a message, then generate and transmit an NDR.

Because recipient filtering works at the SMTP level, the entire process of receiving a message and generating an NDR is eliminated. The server simply won't accept a message for which the recipient doesn't exist. The spammer receives an SMTP-level message indicating that the message was rejected and therefore finds out much more quickly whether or not an email address is invalid. Fortunately, there is a countermeasure known as tar pitting, which involves throttling the bounce messages in a way that makes them impractical for a spammer to use. I discuss this technique in more detail in the next section.

As if helping spammers be more efficient weren't enough, using recipient filtering encourages spammers to use domain-name spoofing. If the spammer depends on receiving NDRs, in most cases the spammer will have to use a legitimate domain name so that the NDR can find its way back to the spammer. With recipient filtering, though, the rejection process occurs at the SMTP level. Spammers can hide behind a spoofed domain name and still get the information they need.

Tar Pitting

Because recipient filtering works atthe SMTP level, Windows, notExchange Server, actually directs theprocess of accepting or rejectingmessages. Tar pitting is a techniquethat Microsoft included with therelease of Windows Server 2003 Service Pack 1 (SP1). Tar pitting can slowdown recipient filtering to the pointthat DHAs become impractical. Keepin mind that the spammer has thousands of email addresses to testagainst your mail server, which takesa lot of time. Imagine how muchlonger this process would take if youcould insert a 10-second delay intothe approval process for eachmessage. That's exactly what tar pitting does: It lets you insert a delaybefore responding to invalid emailaddresses.

Before I explain how to enable tar pitting, I need to warn you about two things. First, by enabling tar pitting, you might end up slowing down legitimate email. It's therefore important to monitor your server's response time after tar pitting is enabled. Second, enabling tar pitting requires editing the registry, which can be dangerous. Making an incorrect modification can damage Windows and your applications. I therefore recommend creating a full system backup before continuing.

To enable tar pitting, open the registry editor (regedit.exe) and navigate to the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSMTPSVCParameters subkey. Next, right-click the Parameters container and select New, DWORD Value from the shortcut menu. Enter TarpitTime as the name for the new registry entry. Double-click the entry you just created and set the value data to the number of seconds you want the SMTP address-verification process to be delayed. Five to 10 seconds is usually sufficient. Now just click OK, close the registry editor, and restart the SMTP service.

Fight Spammers

As you can see, DHAs can be an especially problematic spamming technique. But now you know several ways to mitigate the effects of such attacks. In order to reduce the effectiveness and impact of DHAs, I recommend taking advantage of recipient filtering and tar pitting. Using blacklist filters is also a good idea because they can deny a connection outright. Disabling delivery receipts and NDRs might also be effective countermeasures, but you need to consider the effect of such actions before doing so.