Protecting Exchange Server 2007 from Directory Harvesting Attacks
Written by Paul Cunningham on December 5, 2008

Directory Harvesting is a technique spammers use to discover valid email addresses, usually on corporate networks. The spammer tricks the target's email system into revealing which addresses are valid and which are not, and so grows their database of live addresses to send spam to.

A Directory Harvesting Attack normally consists of a basic dictionary attack combining common names and initials together into standard corporate email addresses and then sending a test message to each email address that is generated. For example, the spammer may send a message to john.smith@contoso.com, johns@contoso.com, and jsmith@contoso.com.

The attack relies on invalid email addresses being rejected by the email system either during the SMTP conversation or afterwards via a Delivery Status Notification (DSN). When the spammer receives a rejection the email address is considered invalid and is discarded. When no rejection or DSN is received the email address is considered “live” and is added to a database to later be targeted with spam emails either by the same person or another spammer that they sell the database to.
Email address databases are valuable information for spammers so directory harvesters can make a living by performing these attacks and selling the resulting information.
Aside from exposing your corporate email addresses to spammers, a Directory Harvest Attack can also cause a performance problem for your internet-facing email servers as they process hundreds of thousands (or even millions) of SMTP connection attempts while the attacker works through every combination in their name dictionary.
How is Exchange Server 2007 vulnerable to Directory Harvesting Attacks?
In many Exchange Server 2007 environments incoming email is received directly by an internet-facing Hub Transport server. The transport server looks up each recipient and tells the connecting host whether the address is valid. When an inbound email is addressed to a recipient that does not exist the connecting host gets a “550 5.1.1 User unknown” response, either during the SMTP session (at RCPT TO) or afterwards in a DSN. When an email is addressed to a valid recipient a “250 2.1.5 Recipient OK” SMTP response is sent.
This behaviour complies with the RFCs for SMTP communication, and is important for many email users (if someone sent you an important email but misspelled your email address, you want your email server to notify them of the mistake so they can resend the message).
Though it is useful and important to provide this recipient lookup feedback to sending email servers this is also exactly the behaviour that enables a Directory Harvest Attack to occur.
There are two strategies that can be employed to protect an Exchange server from Directory Harvesting Attacks. The first makes use of an Exchange security feature known as “tarpitting”.
Protecting Exchange Server 2007 with Tarpitting
Tarpitting is a feature of Edge Transport and Hub Transport servers that inserts an artificial delay in the SMTP session before any “550 5.1.1 User unknown” response is sent. This increases the cost and difficulty to the spammer of a Directory Harvesting Attack, by slowing down the rate at which they are able to discover valid and invalid email addresses. This strategy reduces the effectiveness of Directory Harvesting Attacks while still retaining RFC compliance by sending the appropriate responses to incorrectly addressed email messages.
In order for tarpitting to be applied to suspected attacks the Recipient Filter Agent must be active. The Recipient Filter Agent is enabled by default on Edge Transport servers but must be installed by an administrator on Hub Transport servers. On a Hub Transport server that has not had the anti-spam agents installed, Get-TransportAgent lists only the default transport agents.

To make the Recipient Filter Agent available the administrator installs the Exchange anti-spam components with the install-AntiSpamAgents.ps1 script found in the Scripts folder of the Exchange Server 2007 installation.

Once the Microsoft Exchange Transport service is restarted the Recipient Filter Agent is now installed and enabled on the Hub Transport server.

When the Recipient Filter Agent is enabled, every “550 5.1.1 User unknown” response it issues is delayed by the TarpitInterval configured on the Receive Connector that accepted the session. The default delay is 5 seconds; the administrator can raise it per connector (with Set-ReceiveConnector) so that each probe costs the attacker more time.
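The steps above (install the anti-spam agents, restart the transport service, confirm the agent is loaded, lengthen the tarpit delay) carried out in the Exchange Management Shell, as an added example that is not part of the original article. The server name HUB01, the connector name "Default HUB01", the 30-second interval and the default installation path are assumptions; substitute your own. The recipient validation check in step 4 is not described in the article: it is the Recipient Filter agent setting that makes the agent reject unknown recipients during the session, which is what the tarpit delay attaches to.

```powershell
# Added example, not from the original post. Run in the Exchange Management
# Shell on the internet-facing Hub Transport server. Names are assumptions.

# 1. Install the anti-spam agents (script ships in the Exchange Scripts folder;
#    the default install path is assumed here).
& 'C:\Program Files\Microsoft\Exchange Server\Scripts\install-AntiSpamAgents.ps1'

# 2. The agents are registered but only loaded once the transport service restarts.
Restart-Service MSExchangeTransport

# 3. Confirm the Recipient Filter agent is present and enabled.
Get-TransportAgent | Where-Object { $_.Identity -eq 'Recipient Filter Agent' } |
    Format-Table Identity, Enabled, Priority

# 4. The agent issues "550 5.1.1 User unknown" at RCPT TO only when recipient
#    validation is on. Check the current state, then turn it on if needed.
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled
Set-RecipientFilterConfig -RecipientValidationEnabled $true

# 5. Raise the tarpit delay on the internet-facing Receive Connector from the
#    5 second default to 30 seconds (assumed value; maximum is 00:10:00).
Set-ReceiveConnector -Identity 'HUB01\Default HUB01' -TarpitInterval 00:00:30

# 6. Verify the change across every connector on the server.
Get-ReceiveConnector | Format-Table Name, TarpitInterval, ProtocolLoggingLevel
```

The Identity in step 5 is the Exchange "server\connector" form; run Get-ReceiveConnector alone first to see the exact connector name on your server before changing it.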
Although tarpitting increases the cost and difficulty of a Directory Harvesting Attack it is not always going to be effective. If the spammer is patient enough they can put up with the tarpitting delays and still achieve the desired outcome. However tarpitting is a low cost option because it can be implemented on existing Exchange Server 2007 servers with no additional outlay on server hardware or software.
Protecting Exchange Server 2007 with third party products
Often a more effective strategy is to implement a third party email security solution that includes more advanced DHA protection. When a harvest attempt is detected by the security product the sending host is disconnected and then blocked by the server so that it cannot reconnect and continue the attack.
This is more effective than simply slowing down the attack, but it usually involves the additional cost of servers and software. That cost is usually justifiable when you also consider the protection the third party product provides against email viruses, spam, and phishing attempts. In the best commercial email security products both the configurability and the protection are much greater than the built-in features of Exchange Server 2007 can provide.
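The detect-and-block behaviour described above can be approximated with what Exchange 2007 already ships, which is useful to know when judging whether a third party product is worth the outlay. The script below is an added example, not code from the original article: it reads the SMTP receive protocol logs (protocol logging must be turned on with Set-ReceiveConnector -ProtocolLoggingLevel Verbose), counts "550 5.1.1" responses per connecting IP, and adds any host over a threshold to the Connection Filter agent's IP Block List with Add-IPBlockListEntry. The log path, threshold, block duration and sample log lines are constructed for the example; the column layout follows the "#Fields:" header of Exchange 2007 receive logs and should be checked against your own files. Only PowerShell 1.0 syntax is used so it runs in the Exchange 2007 Management Shell.

```powershell
# Added example, not from the original post. Flags connecting hosts that rack up
# many "550 5.1.1 User unknown" responses (the signature of a dictionary-style
# harvest) and blocks them. Paths, thresholds and sample data are assumptions.

$LogPath   = 'C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpReceive\*.log'
$Threshold = 20      # 5.1.1 rejections from one IP before we call it a harvest
$BlockHours = 24     # how long an offender stays on the IP Block List

# Receive protocol log columns (from the log's own '#Fields:' line):
# 0 date-time, 1 connector-id, 2 session-id, 3 sequence-number,
# 4 local-endpoint, 5 remote-endpoint, 6 event, 7 data, 8 context
# Constructed sample standing in for a real log file (IPv4 endpoints assumed).
$SampleLog = @'
2008-12-05T10:15:01.000Z,HUB01\Default HUB01,08CB1F7D4A1B2C3D,3,10.0.0.5:25,203.0.113.9:41002,<,RCPT TO:<john.smith@contoso.com>,
2008-12-05T10:15:06.000Z,HUB01\Default HUB01,08CB1F7D4A1B2C3D,4,10.0.0.5:25,203.0.113.9:41002,>,550 5.1.1 User unknown,
2008-12-05T10:15:07.000Z,HUB01\Default HUB01,08CB1F7D4A1B2C3D,5,10.0.0.5:25,203.0.113.9:41002,<,RCPT TO:<johns@contoso.com>,
2008-12-05T10:15:12.000Z,HUB01\Default HUB01,08CB1F7D4A1B2C3D,6,10.0.0.5:25,203.0.113.9:41002,>,550 5.1.1 User unknown,
2008-12-05T10:16:00.000Z,HUB01\Default HUB01,08CB1F7D4A1B2C3E,3,10.0.0.5:25,198.51.100.7:52310,<,RCPT TO:<paul@contoso.com>,
2008-12-05T10:16:00.000Z,HUB01\Default HUB01,08CB1F7D4A1B2C3E,4,10.0.0.5:25,198.51.100.7:52310,>,250 2.1.5 Recipient OK,
'@

function Get-HarvestSuspects {
    param([string[]]$Lines, [int]$MinRejections)

    # Skip '#' header lines and blanks, keep outbound ('>') events whose data is
    # a 550 5.1.1 response, then group by remote IP with the port stripped.
    $Lines |
        Where-Object { $_ -and -not $_.Trim().StartsWith('#') } |
        ForEach-Object { $_.Trim().Split(',') } |
        Where-Object { $_.Length -gt 7 -and $_[6] -eq '>' -and $_[7] -like '550 5.1.1*' } |
        ForEach-Object { $_[5].Split(':')[0] } |
        Group-Object |
        Where-Object { $_.Count -ge $MinRejections } |
        Select-Object @{n='RemoteIP'; e={$_.Name}}, @{n='Rejections'; e={$_.Count}}
}

# Dry run on the constructed sample with a low threshold: lists 203.0.113.9
# with 2 rejections and leaves 198.51.100.7 alone.
Get-HarvestSuspects -Lines $SampleLog.Split("`n") -MinRejections 2

# Real run over the current logs: block each offender for $BlockHours hours.
$logLines = Get-Content $LogPath -ErrorAction SilentlyContinue
foreach ($s in (Get-HarvestSuspects -Lines $logLines -MinRejections $Threshold)) {
    Add-IPBlockListEntry -IPAddress $s.RemoteIP `
        -ExpirationTime (Get-Date).AddHours($BlockHours) `
        -Comment "Directory harvest: $($s.Rejections) unknown recipients"
}
```

Add-IPBlockListEntry needs the Connection Filter agent, which install-AntiSpamAgents.ps1 adds on a Hub Transport server alongside the Recipient Filter agent. Run this on a schedule rather than live; it blocks after the fact, which is exactly the gap a third party product closes by disconnecting the host mid-session.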
Always consider Directory Harvesting Attacks when protecting your Exchange servers
Directory Harvesting Attacks should not be ignored when assessing the threat landscape for your Exchange server environment. By implementing either the built-in Exchange protection for DHAs or a third party commercial email security product you can reduce both the load on your email servers and the risk of exposure of your corporate email addresses to spammers.