What’s a Directory Harvesting Attack?




A directory harvesting attack involves collecting email addresses without permission, often by sending bulk emails to potentially valid addresses. Software is used to create lists of possible addresses, which are then targeted with bulk emails. The resulting lists are considered unqualified and can be used for spamming. Anti-spam software and provider mechanisms can prevent successful attacks.

A directory harvesting attack, or DHA, is a strategy aimed at harvesting email addresses without the permission of the users of those addresses. While methods vary, one of the more common approaches is to send a bulk email to a wide variety of addresses that are highly likely to be valid. Servers typically respond with some sort of automated message if a given email address is invalid, telling the collector which addresses are valid and which are not.

In most cases, software programs are used to build banks of possible email addresses which are routed through servers operated by a particular email provider. For example, a collector may target free email services and use software in an attempt to build a list of millions of possible valid email addresses currently used by the subscribers of one or more of those services. The software allows the harvester to set guidelines for creating addresses, such as specifying the total number of characters in each address or including a range of letters or numbers within that address.

Once the list is complete, the directory harvesting attack is launched by sending a bulk email to every possible address included in that list. Destination servers will reply with some kind of message if a certain email address is invalid. Such a message may declare the email undeliverable or include verbiage indicating that the address does not exist at all. Any addresses not recognized by the server for any reason are dropped from the list, leaving only those that are apparently active and able to receive further emails over time.

The idea behind a directory harvesting attack is to create email lists that can be used for Internet advertising and promotion. Lists produced using DHA are considered unqualified lists, which means that the owners of such email addresses have not opted in to receive commercial solicitations. Accordingly, use of a list created using a directory harvesting attack allows the advertiser or an agent for that advertiser to engage in spamming, that is, the transmission of unsolicited email.

Advertisers who use this method rarely expect to receive a huge response rate to their bulk email inquiries. The relatively low cost of building these lists and sending a uniform solicitation to each address on those lists means that even if no more than one or two percent of those receiving spam messages choose to make a purchase, the strategy is profitable.

Through the use of anti-spam software, many of the spam emails sent as a result of a directory harvesting attack are routed to a spam folder rather than the end user’s mailbox. Some providers also have mechanisms in place to reject bulk mail transmissions that appear to be aimed at reaching a subset of customers using a particular email platform or service. This has made it necessary for anyone using a directory harvesting attack to plan very carefully in an effort to escape the service provider’s notice and still emerge with a list of verified and active email addresses.
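
As an added illustration of the kind of provider-side mechanism described above (not code from the original article), the following Python sketch flags sending hosts whose recipient attempts are mostly refused as unknown mailboxes within a short window. The log format, the thresholds and the sample addresses are assumptions constructed for this example; 550 is the standard SMTP reply for an unavailable mailbox.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format (an assumption, not any real mail server's output):
#   <ISO timestamp> client=<ip> rcpt=<address> code=<SMTP reply code>
LINE_RE = re.compile(r"^(\S+) client=(\S+) rcpt=<([^>]*)> code=(\d{3})$")

def detect_harvesting(lines, window_s=60, min_rejects=5, min_ratio=0.8):
    """Return {client_ip: (rejects, attempts)} for clients whose RCPT attempts
    inside a sliding window were mostly refused as unknown mailboxes (550)."""
    recent = defaultdict(deque)  # ip -> (timestamp, was_rejected) in window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the format
        ts = datetime.fromisoformat(m.group(1))
        ip, code = m.group(2), m.group(4)
        q = recent[ip]
        q.append((ts, code == "550"))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()  # drop attempts older than the window
        rejects = sum(1 for _, rejected in q if rejected)
        if rejects >= min_rejects and rejects / len(q) >= min_ratio:
            # keep the worst window seen for this client
            if rejects > flagged.get(ip, (0, 0))[0]:
                flagged[ip] = (rejects, len(q))
    return flagged

# Constructed sample: one client guessing names, one with a single typo.
_GUESSES = [("aaron", 550), ("abby", 550), ("adam", 250), ("adele", 550),
            ("agnes", 550), ("alan", 550), ("albert", 550), ("alice", 550)]
SAMPLE_LOG = sorted(
    [f"2024-05-01T10:00:{i:02d} client=203.0.113.7 rcpt=<{n}@example.com> code={c}"
     for i, (n, c) in enumerate(_GUESSES)]
    + ["2024-05-01T10:00:03 client=198.51.100.20 rcpt=<bob@example.com> code=250",
       "2024-05-01T10:00:04 client=198.51.100.20 rcpt=<bbo@example.com> code=550",
       "2024-05-01T10:00:09 client=198.51.100.20 rcpt=<carol@example.com> code=250"])

if __name__ == "__main__":
    for ip, (rejects, attempts) in detect_harvesting(SAMPLE_LOG).items():
        print(f"{ip}: {rejects}/{attempts} recipients rejected within 60 s")
```

A host flagged this way can be rate-limited or have its later recipient attempts deferred, so that the server's replies stop distinguishing valid addresses from invalid ones.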



