Blank spams (directory-harvesting probes)
NOTE: The opinions expressed on this page are those of the author and not of SpamCop.
If you have used e-mail very often, or for very long, you may regularly receive mysteriously blank messages. They appear to come from strangers, and have no information in the body (and likely nothing in the subject line either). These are usually evidence that a spammer has been running a so-called directory harvest attack (or DHA, or "dictionary attack," or "MX probe"), and has thereby managed to confirm that your e-mail address is deliverable. This usually means that you can expect to get more spam in the near future.
Why probe?
A constant supply of fresh, deliverable e-mail addresses is the mother's milk of the spam operation. The spammer can obtain such addresses by traditional methods like the following:
- Tricking the owners of the addresses into signaling that they work, such as by tempting them to join dating websites, subscribe to joke-of-the-day lists, send "e-greeting-cards," and the like. As Monty Python might have it, the recipients forget here How Not To Be Seen.
- "Scraping" addresses from random websites and usenet groups using automated programs that look for text strings that resemble e-mail addresses (like "a@b.c").
- Occasionally, bribing system administrators at ISPs to pass them lists of the ISP's customers (as happened a few years ago at America Online).
The best bet for obtaining fresh addresses, however, may be simply to get them directly from the mail servers (specifically the mail exchangers or MXs) that support them, via brute-force directory harvest attacks.
Characteristics of DHAs and probe messages
In the typical DHA, a spammer selects a likely domain (say, a medium-size or large retail ISP) and then locates its mail-exchanger (MX) hosts using DNS MX records. The spammer will then use his DHA software to connect to these hosts and attempt to send blank messages to as many different addresses within this domain as he can guess. And, "guess" is the proper term here, since the spammer can simply string together common words or names in various combinations (e.g., "jsmith@isp.foo"), and can then send hundreds or thousands of such messages over the course of a single run. Wherever any of these messages are accepted for delivery by the MX, the spammer can assume that he has hit a deliverable address and can retain it in his list. Likewise, the spammer can count a rejection as a "bad guess" and strike this address from his list.
According to information published (until recently) by the anti-spam vendor Postini, DHAs are believed to occur nearly a million times per day around the world, accounting for 500 million failed "deliveries" per day (due to bad guesses by the spammers). These DHAs place a heavy and pointless load on MX hosts, diverting them from their tasks of delivering bona-fide e-mail. Some DHA countermeasures have been integrated into modern mail-transfer software, such as tarpitting (deliberately slowing down mail transfers offered by greedy DHA hosts), or graylisting (rejecting or deflecting traffic from parties -- like DHA attackers -- who do not follow proper procedures for contacting MX hosts).
Most probe messages appear to come from broadband or pool IP addresses that ISPs assign to home users, so we might conclude that the directory harvest attackers use botnets for their DHA work.
The reason why blank messages are sent is probably just simple efficiency; blank messages do not take as much time or effort to send, and allow the attacker to fit more "guesses" into a single session with the target MX host. Also, blank messages might be less suspicious than messages with obvious spam content (because the exchange of blank e-mails is often used by honest internet applications as a rudimentary form of signaling or remote control), and therefore might be less likely to be caught by recipient-side spam filters.
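The accept/reject pattern described above is also what an MX operator can look for on the receiving side. The following is an added example (not from the original page or from SpamCop) that tallies "User unknown" rejections and accepted sessions per client IP from constructed Postfix-style smtpd log lines and flags clients whose RCPT attempts are dominated by bad guesses; the thresholds are assumptions to be tuned per site.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix smtpd log style (not real traffic). One client
# cycles through guessed local-parts with a null sender and collects mostly
# "User unknown" rejections; a normal peer makes a single typo and then delivers.
SAMPLE_LOG = """\
mx1 postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 550 5.1.1 <jsmith@isp.example>: Recipient address rejected: User unknown in local recipient table; from=<> to=<jsmith@isp.example> proto=ESMTP helo=<pc>
mx1 postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 550 5.1.1 <bjones@isp.example>: Recipient address rejected: User unknown in local recipient table; from=<> to=<bjones@isp.example> proto=ESMTP helo=<pc>
mx1 postfix/smtpd[4121]: 7F3A1B2C9D: client=unknown[198.51.100.23]
mx1 postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 550 5.1.1 <mary@isp.example>: Recipient address rejected: User unknown in local recipient table; from=<> to=<mary@isp.example> proto=ESMTP helo=<pc>
mx1 postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 550 5.1.1 <david@isp.example>: Recipient address rejected: User unknown in local recipient table; from=<> to=<david@isp.example> proto=ESMTP helo=<pc>
mx1 postfix/smtpd[4122]: NOQUEUE: reject: RCPT from mail.partner.example[203.0.113.5]: 550 5.1.1 <allce@isp.example>: Recipient address rejected: User unknown in local recipient table; from=<bob@partner.example> to=<allce@isp.example> proto=ESMTP helo=<mail.partner.example>
mx1 postfix/smtpd[4122]: 8E4B2C3DA1: client=mail.partner.example[203.0.113.5]
"""

# A 550 rejection of an unknown recipient, keyed by the connecting client's IP.
REJECT_RE = re.compile(r"RCPT from \S+\[(?P<ip>[0-9a-fA-F:.]+)\]: 550 .*User unknown")
# A queue id assigned to a client session, i.e. a recipient that was accepted.
ACCEPT_RE = re.compile(r": [0-9A-F]+: client=\S+\[(?P<ip>[0-9a-fA-F:.]+)\]")


def summarize(log_text):
    """Per client IP: count unknown-recipient rejections and accepted sessions."""
    stats = defaultdict(lambda: {"rejected": 0, "accepted": 0})
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            stats[m.group("ip")]["rejected"] += 1
            continue
        m = ACCEPT_RE.search(line)
        if m:
            stats[m.group("ip")]["accepted"] += 1
    return dict(stats)


def flag_dha(stats, min_rejects=3, min_ratio=0.75):
    """Clients whose attempts are mostly bad guesses, above a minimum volume,
    look like harvesters rather than a peer with an occasional typo.
    Thresholds are assumed defaults, not a published standard."""
    flagged = []
    for ip, s in stats.items():
        total = s["rejected"] + s["accepted"]
        if s["rejected"] >= min_rejects and s["rejected"] / total >= min_ratio:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip in flag_dha(stats):
        print(f"possible DHA from {ip}: {stats[ip]}")
```

Flagged IPs are candidates for the tarpitting or graylisting measures mentioned above, or for a rate limit on RCPT commands per client.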
Defending yourself against DHA probing
The current effectiveness of DHAs at harvesting deliverable addresses means that even if you take extraordinary measures to protect your e-mail address (and even if you never use it at all), it can still fall into the hands of spammers if they can guess it. DHAs are the principal reason why most e-mail security experts now advise users to pick "unguessable" addresses that do not contain recognizable words or names (e.g., "s2xh37b9@foo.bar"). The less guessable an address is, the less is the likelihood that a spammer will stumble upon it in a DHA. Clever users can make use of mnemonics (such as acronyms, special numbers like birthdates, etc.) to help them remember such unwieldy addresses.
If you operate your own web domain, there's an additional step you may wish to take. If your domain is currently set up with a so-called catchall address (i.e., an e-mail address to which all mail to your domain is sent if it is not addressed to an actual user account in the domain), then you will probably want to have it turned off. Otherwise, if a DHA comes calling on your domain, it will see EVERY address that it tries as deliverable. Refer to the Wiki pages CatchAllAccount and FromAddressForgery for more information.
Reporting DHA probe messages as spam
Although DHA messages usually don't contain spam pitches, they are otherwise not much different from other kinds of spam as far as the recipient is concerned -- they were sent in bulk to people who did not ask to receive them. Accordingly, they can be reported as spam to the internet providers whose resources were used to send them.
SpamCop may not process probe messages for reporting if they do not contain any body text (since it appears that SpamCop's policy is that spam messages must have bodies -- however small -- in order to be reportable). If you are pasting your spam into the SpamCop reporting page (as opposed to forwarding your mail to SpamCop or having SpamCop "POP" it from your provider), you may be able to "cheat" by adding some text after the message (for instance, one blank line (important) followed by the simple phrase "NO BODY SUPPLIED IN ORIGINAL MESSAGE") in order to get SpamCop to deal with these.