2008 IEEE Region 10 Colloquium and the Third ICIIS, Kharagpur, INDIA, December 8-10. Paper ID 236. 978-1-4244-2806-9/08/$25.00 © 2008 IEEE

Reducing the Effect of Distributed Directory Harvest Attack and Load of Mail Server

Suman Das, Oracle India, Suman3010@gmail.com
Rajeev Singh, Department of Computer Engg., G.B. Pant University of Ag. & Tech., rajeevpec@gmail.com
R.C. Joshi, Durga Toshiwal, I.I.T. Roorkee, India, joshfec,durgafec@iitr.ernet.in

Abstract—A Directory Harvest Attack (DHA) is a technique used by spammers to determine the valid e-mail addresses associated with an e-mail server so that they can be added to a spam database. Directory Harvest Attackers send blank mail to the server and observe the server's reply in order to collect valid user-ids. Traditionally attackers used a single IP address to send mail. Recently attackers use many different IP addresses and send only 1-2 mails from each IP address [1]. Therefore, blocking IP addresses alone is not sufficient to reduce the effect of DHA. Directory Harvest Attackers not only collect valid user-ids but also increase the load on the mail server. In this paper, we propose a framework that reduces the distributed attack and the load on the mail server. Along with the IP address, the sender's user-id is also blocked in this framework, so the attacker cannot keep sending mail with the same user-id from different IP addresses. The framework consists of distributed servers that maintain two databases to block the source: one for IP addresses and another for user-ids. All the distributed servers share their database information with each other. Another module in the model, the front-end filter, acts as the main gateway to the domain. The mail servers decide which sources are black listed and pass this information to the front-end filter. The filter checks each incoming source address against its black list.
If the address is in the black list, the filter sends all mail coming from that attacker to the reply generator. The reply generator is another module in the framework that gives only an 'invalid recipient address' reply to the source. Therefore, the front-end filter and the distributed method together reduce DHA and the load on the server.

Keywords—DHA; email; SMTP server; front-end filter; reply generator.

I. INTRODUCTION

Nowadays spammers are increasing rapidly. They advertise free of cost by sending SPAM, which causes a big problem for users who communicate with each other by mail. The spammers get valid mail-ids from Directory Harvest Attackers, so the mail server should be protected from Directory Harvest Attack (DHA) to minimize SPAM. The attacker attacks the mail server by sending blank messages to randomly generated mail addresses. They generate the mail addresses in different ways; the dictionary-based technique is one of them. The mail server gives a positive response if the email address is in the mail server's list, and otherwise replies with an error message. Attackers store the email addresses that turn out to be valid in their own database. The attacker sends blank messages to a huge number of randomly generated mail addresses (in a particular domain) in a short time from a normal user's machine, by making this machine a zombie [11], or by using an open relay [5]. Thus, they get the valid user-ids from the mail server's directory. Attackers sell these valid email addresses to the spammers. The SMTP server also becomes slow from processing the attacker's requests. To reduce the load on the SMTP server we introduce a front-end filter along with a reply generator, and introduce distributed SMTP servers along with databases. The front-end filter maintains a database that contains the black listed source ids. The distributed SMTP servers update this black listed database. The front-end filter sends all mail whose source address is not in the black list to one of the SMTP servers.
The SMTP server is chosen by observing which one is free. Each SMTP server maintains a database, which is used to identify sources that may be attackers. The database contains entries of source address and the number of mails coming from that source. Two types of source address are maintained: the source IP address and the mail-id of the source. All SMTP servers share their database information with each other and send the front-end filter the information on black listed sources. The reply generator is attached to the front-end filter. It gets only the mail whose source address is in the black list. After getting this mail, the reply generator gives only a negative reply to that source address, so that the attacker cannot get a hint about the validity of the recipient address. If the source is in the black list it will always get a negative reply from the reply generator, and so it cannot learn the valid email addresses. Therefore, the front-end filter decides first where the mail will go before it reaches an SMTP server. Which source addresses are black listed depends on a threshold value: if the number of mails corresponding to a particular source is beyond this threshold, that source id is entered in the black list.

The content of the paper is divided as follows: Section 2 contains the related work. In Section 3 we describe our proposed solution to reduce the load on the SMTP server and protect the mail server from DHA; several points are described there related to reducing the load on the server and how to block the source address. The simulation results of our proposed model are discussed in Section 4. In Section 5 we summarize the paper and describe future work.

IEEE Kharagpur Section & IEEE Sri Lanka Section
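As an added illustration (not code from the paper or its authors), the following Python simulation models the framework described in the introduction: distributed SMTP servers that count mails per source IP and per sender id in a shared database, a front-end filter that consults the black list before handing mail to a server, and a reply generator that only ever returns the negative reply. The threshold of 3, the two-user directory, the sender ids and the IP addresses are constructed values, and round-robin selection stands in for "pick a free server".

```python
from collections import Counter

VALID_USERS = {"alice", "bob"}  # constructed directory for the protected domain
THRESHOLD = 3                   # mails per source before black listing (assumed value)
NEGATIVE = "550 invalid recipient address"

class SharedDatabase:
    """Per-source counters and black lists that the distributed SMTP servers share."""
    def __init__(self):
        self.ip_count, self.uid_count = Counter(), Counter()
        self.ip_blacklist, self.uid_blacklist = set(), set()

    def record(self, src_ip, src_uid):
        self.ip_count[src_ip] += 1
        self.uid_count[src_uid] += 1
        # Either counter passing the threshold black lists the source; the sender-id
        # counter is what catches an attacker spreading 1-2 mails over many IPs.
        if self.ip_count[src_ip] > THRESHOLD:
            self.ip_blacklist.add(src_ip)
        if self.uid_count[src_uid] > THRESHOLD:
            self.uid_blacklist.add(src_uid)

    def is_blacklisted(self, src_ip, src_uid):
        return src_ip in self.ip_blacklist or src_uid in self.uid_blacklist

class SmtpServer:
    """One of the distributed servers: answers honestly and updates the shared database."""
    def __init__(self, db):
        self.db = db
    def handle(self, src_ip, src_uid, rcpt):
        self.db.record(src_ip, src_uid)
        return ("250 OK" if rcpt in VALID_USERS else NEGATIVE, "smtp")

def reply_generator(src_ip, src_uid, rcpt):
    """Black listed sources only ever see the negative reply, valid recipient or not."""
    return (NEGATIVE, "reply-generator")

class FrontEndFilter:
    """Gateway: checks the black list first, then hands accepted mail to a server."""
    def __init__(self, n_servers=2):
        self.db = SharedDatabase()
        self.servers = [SmtpServer(self.db) for _ in range(n_servers)]
        self.turn = 0
    def route(self, src_ip, src_uid, rcpt):
        if self.db.is_blacklisted(src_ip, src_uid):
            return reply_generator(src_ip, src_uid, rcpt)
        server = self.servers[self.turn % len(self.servers)]  # round robin stands in for "pick a free server"
        self.turn += 1
        return server.handle(src_ip, src_uid, rcpt)
```

Probes that arrive before the source crosses the threshold are still answered honestly by an SMTP server, which is why the threshold must be chosen low relative to the attacker's probe rate.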