What Is a Directory Harvest Attack (DHA)? Explained
Before a large spam or phishing wave begins, attackers need a target: valid email addresses. One of the oldest and quietest ways to obtain those addresses is the directory harvest attack, also known as a directory attack. The tricky part: the attack often sends no message at all, it merely interrogates the mail server. Classic defences that look at content therefore never see it.
This guide explains in plain terms what a directory harvest attack is, how it differs from the related address harvesting, why spam filters miss it and how organisations can protect their addresses.
What is a directory harvest attack?
TL;DR: A directory harvest attack, DHA for short, is the systematic attempt to guess valid email addresses of a domain. The attacker tries many possible addresses over the SMTP protocol and reads the mail server responses to learn which ones exist. The result is a verified address list reused for spam, phishing and targeted attacks.
A directory attack exploits a property of the email protocol: during a delivery attempt, a mail server often reveals whether an address exists or not. The attacker uses exactly this. They open a connection and, in the dialogue with the server, announce a recipient for every address to be tested. From the server reaction, acceptance or rejection, they infer whether the address is valid.
Carried out at scale, guessed names like firstname.lastname or role addresses like info and accounting turn into a valuable list of real mailboxes.
Directory harvesting or address harvesting? An important difference
The terms are often mixed up but describe different attack paths:
- Address harvesting usually means scraping publicly available sources. Programs search websites, imprints, social networks and directories for email addresses that are visibly published there.
- Directory harvesting instead targets the mail server directly. It also finds addresses that are published nowhere, because they are simply guessed and verified against the server.
The distinction matters for defence. Obfuscation and restraint in publishing help against address harvesting. Only protection directly at the email entry point helps against a directory harvest attack.
How does a directory harvest attack work?
The process almost always follows the same pattern:
Step 1, generate addresses: The attacker builds a large list of likely addresses, for example from first names, surnames and common role labels.
Step 2, probe the server: Over many SMTP connections, they announce these addresses as recipients. Each connection can test numerous addresses.
Step 3, evaluate responses: If the server accepts an address, it counts as valid. If it rejects it as unknown, it is discarded. Indirect signals such as differing response times or later non-delivery reports can also reveal which addresses exist.
Step 4, use the list: The confirmed addresses are used for spam, phishing and targeted attacks, or resold as a dataset.
Why is a classic spam filter not enough?
A classic spam filter is a content filter. It evaluates the subject, body, links and attachments of a received message. A directory harvest attack bypasses this logic because it often delivers no message at all. The harmful part happens earlier, in the technical dialogue with the server, before any content is transferred. To a pure content filter this is invisible. Protection only emerges when the behaviour of the connection itself is assessed, that is frequency, source and the share of invalid recipients.
Why is directory harvesting dangerous?
A successful directory attack has several unpleasant consequences:
| Consequence | Impact |
|---|
| Target list for attacks | Confirmed addresses fuel spam, phishing and CEO fraud |
| Load on the mail server | Thousands of delivery attempts strain the infrastructure |
| Reputation risk | Many rejections can degrade server reputation |
| Data protection | Personal addresses are collected without permission |
Its role as a precursor is especially critical. Whoever knows that firstname.lastname of a managing director exists can craft a targeted spear-phishing email far more convincingly. The directory attack is therefore often the reconnaissance phase of a larger attack.
How Conbool MailGuard protects you
Effective protection against directory harvesting works on the behaviour of the connection, not on content. Conbool MailGuard combines several techniques for this:
- Pattern detection: Suspicious sequences of delivery attempts to unknown recipients are recognised as an attack.
- Throttling: Suspicious sources are slowed down so mass probing becomes uneconomical.
- Uniform responses: The server no longer gives usable hints about which address exists and which does not.
- Recipient verification and reputation: Known malicious sources and invalid recipients are rejected early.
These measures act before the actual inbox and protect existing mail servers without rebuilding them. As part of a mail gateway, the protection also supports the duty of care under the NIS2 Directive and the protection of personal data under the GDPR.
The matching protection at a glance is on the directory harvesting protection page.
Frequently asked questions about directory harvesting
What is a directory harvest attack?
A directory harvest attack, DHA for short, is the attempt to systematically guess valid email addresses of a domain. The attacker tries many addresses over SMTP and evaluates the mail server responses. Existing addresses land on a list for later attacks.
Is directory harvesting the same as address harvesting?
No. Address harvesting usually means scraping websites and public sources. A directory harvest attack targets the mail server directly and also guesses addresses that are published nowhere.
Why is a classic spam filter not enough against DHA?
A spam filter evaluates content. A DHA often only tests whether an address exists, without delivering content. The harmful part happens in the dialogue with the mail server and stays invisible to pure content filters.
How do you detect a directory harvest attack?
Typical are many SMTP connections from a few sources with strikingly many delivery attempts to non-existent recipients. Logs fill with rejections of unknown addresses. A protection system recognises this pattern and throttles the source.
How do you protect against directory harvesting?
An effective defence combines pattern detection, throttling, uniform server responses, recipient verification and reputation checks. Conbool MailGuard bundles these measures and protects existing mail servers without a rebuild.
Conclusion
The directory harvest attack is a quiet attack with a large effect. It builds the target list on which later spam and phishing waves are based, and it evades pure content filters. Protection only emerges when the behaviour of incoming connections is assessed: pattern detection, throttling and uniform responses take away the attacker's foundation.
See on the directory harvesting protection page how Conbool MailGuard protects your addresses before the wave arrives.
Further reading:
