A directory harvest attack, or DHA, is a strategy aimed at collecting or harvesting e-mail addresses without the permission of the users of those addresses. While methods vary, one of the most common approaches is to send a bulk e-mail out to a wide range of addresses that are highly likely to be valid. Servers typically reply with some sort of automated message if a given e-mail address is not valid, alerting the harvester to which addresses are valid and which are not.
In most cases, software programs are used to create banks of possible e-mail addresses that are routed through servers operated by a particular e-mail client. For example, a harvester may target free e-mail services and use software in an attempt to create a listing of millions of possible valid e-mail addresses currently used by subscribers to one or more of those services. The software allows the harvester to set guidelines for the creation of the addresses, such as specifying the total number of characters in each address, or the inclusion of a series of letters or numbers within that address.
Once the listing is completed, the directory harvest attack is launched by bulk sending an e-mail to every possible address included on that list. The targeted servers will respond with some type of message if a given e-mail address is invalid. That message may declare the e-mail undeliverable or include verbiage that indicates the address does not exist at all. Any addresses that are not recognized by the server for any reason are purged from the listing, leaving only those that are apparently active and capable of receiving additional e-mails over time.
The idea behind a directory harvest attack is to create e-mail listings that can be used for Internet advertising and promotion. The lists that are manufactured using DHA are considered unqualified lists, meaning that the owners of those e-mail addresses have not granted permission to receive the business solicitations. As a result, the use of a listing created using a directory harvest attack allows the advertiser or an agent for that advertiser to engage in spamming, or the transmission of unsolicited e-mails.
Advertisers using this method rarely expect to experience a huge percentage of responses to their bulk e-mail solicitations. The relatively low cost of creating these lists and sending a uniform solicitation to each address included on those lists means that even if no more than one or two percent of those receiving the spam messages choose to make a purchase, the strategy is profitable.
Thanks to the use of anti-spam software, many of the spam e-mails sent as the result of a directory harvest attack are routed to a spam folder rather than the end user’s in-box. Some providers also have mechanisms in place to reject bulk mail transmissions that seem to be aimed at reaching a sub-group of customers using a particular e-mail platform or service. This has made it necessary for anyone using a directory harvest attack to plan very carefully in an attempt to escape the notice of the service provider and still emerge with a listing of verified and active e-mail addresses.
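The rejection pattern described above is also what a mail operator can look for in server logs. The following is an added example, not part of the original article: it flags clients that, within a short window, try many distinct recipients and are mostly answered with SMTP 550 (mailbox unavailable). The log format, addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified log format (an assumption, not any real MTA's):
# one line per RCPT TO result, with the server's SMTP reply code.
LINE = re.compile(r"^(?P<ts>\S+) client=(?P<ip>\S+) "
                  r"rcpt=<(?P<rcpt>[^>]+)> status=(?P<code>\d{3})$")

SAMPLE_LOG = """\
2024-05-01T10:00:01 client=203.0.113.7 rcpt=<aaron@example.com> status=550
2024-05-01T10:00:02 client=203.0.113.7 rcpt=<abby@example.com> status=550
2024-05-01T10:00:03 client=203.0.113.7 rcpt=<adam@example.com> status=250
2024-05-01T10:00:04 client=203.0.113.7 rcpt=<alan@example.com> status=550
2024-05-01T10:00:05 client=203.0.113.7 rcpt=<alex@example.com> status=550
2024-05-01T10:00:06 client=203.0.113.7 rcpt=<alice@example.com> status=550
2024-05-01T10:01:10 client=198.51.100.20 rcpt=<bob@example.com> status=250
2024-05-01T10:02:30 client=198.51.100.20 rcpt=<carlo@example.com> status=550
2024-05-01T10:03:45 client=198.51.100.20 rcpt=<carol@example.com> status=250
""".splitlines()

def parse(lines):
    """Yield (timestamp, client_ip, recipient, reply_code) for well-formed lines."""
    for line in lines:
        if m := LINE.match(line.strip()):
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["rcpt"].lower(), int(m["code"])

def find_harvesters(lines, window=timedelta(minutes=5), min_unknown=5, min_ratio=0.8):
    """Return {client_ip: (unknown_rcpts, distinct_rcpts)} for clients that, within
    any `window`, try many distinct recipients and get mostly 550 rejections."""
    by_client = defaultdict(list)
    for ts, ip, rcpt, code in sorted(parse(lines)):
        by_client[ip].append((ts, rcpt, code))
    flagged = {}
    for ip, events in by_client.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            span = events[start:end + 1]
            tried = {r for _, r, _ in span}
            unknown = {r for _, r, c in span if c == 550}
            if len(unknown) >= min_unknown and len(unknown) / len(tried) >= min_ratio:
                flagged[ip] = (len(unknown), len(tried))
                break
    return flagged

if __name__ == "__main__":
    print(find_harvesters(SAMPLE_LOG))
```

The sender with a single mistyped recipient is not flagged; `window`, `min_unknown` and `min_ratio` are tuning parameters to set against the operator's own traffic.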