Directory harvest attacks (DHAs) are the least visible, most under-reported threat to corporate e-mail systems, a study published Wednesday said.

DHAs are brute force attempts by spammers to find valid e-mail addresses where the spammer connects to business's e-mail server and guesses addresses until he gets some right. Those addresses are then harvested for use in later spam campaigns.

"DHAs are the silent kill of e-mail servers," said Chris Smith, the marketing director at anti-spam managed service provider Postini, and author of the Redwood City, Calif.-based firm's annual E-Mail Security Report.

"It's the most under-reported threat by far," said Smith. "The thing is, directory harvest attacks work, and they're how spammers are getting their spam addresses now. Plus they're difficult to defend against."

To illustrate the nature of DHAs, Smith cited data from Postini's efforts during 2004, in which it deflected an average of 150 DHAs per day per customer. Postini has some 5,000 corporate customers.

Each of those attacks, said Smith, averaged 234 invalid address lookups, creating an average of over 35,000 invalid lookups per day per company. The time spent dealing with a DHA chews up mail server processor time, packs deferral queues on those servers, and in some cases, can crash the server.

"That's a lot of useless work done by the server," said Smith. "Think of a single invalid lookup as a mosquito bite. One is no big deal, but say 40,000 and its death by mosquito bite."

In December 2004, Postini monitored its largest-ever DHA, one against a major North American retailer that peaked at more than 60,000 invalid address lookups every minute.

"If they hadn't been protected by Postini," Smith claimed, "a DHA of that magnitude would certainly have crippled their mail infrastructure."

Postini noted that the number of DHAs against its customers tripled in 2004 compared to the previous year, and that it often saw circumstantial evidence that spammers are tightly linking harvesting attacks and spam campaigns. "We've seen cases when a harvest happens and then a spam attack immediately follows," said Smith. In several cases it was clear that the one-two punch was automated, rather than being coordinated by a human spammer.

While Smith didn't expect to see another tripling of DHAs in 2005, he did warn that the practice will pick up. "They'll become more severe, as spammers turn to harvesting because they're finding it harder to locate valid addresses in other ways. People are getting smart, and they're not disclosing their e-mail or adding addresses to Web sites," he said.

Other information culled from Postini's report included confirmation that legislation, lawsuits, and criminal trials didn't put a dent in spam during 2004. For the year as a whole, the percentage of e-mail categorized as spam remained fairly constant at around 80 percent.

"We've thrown everything but the kitchen sink at spam, yet it's still with us," said Smith.

In fact, if one includes other unwanted mail attempts -- messages not usually considered spam -- such as DHAs and virus-infected mail, then the percentage of junk climbs above 90 percent, Smith said.

Postini's numbers also showed that while phishing attacks garner headlines, they actually account for only about 1 percent of all spam. (In comparison, virus-infected messages comprised about 1.5 percent of all messages in 2004, a tripling over 2003's 0.5 percent.)

"In absolute terms, that's a lot," said Smith. Fortunately, phishing "requires a pretty high level of technical expertise to pull off," he said. "That's one of the main reasons why this hasn't absolutely exploded. Phishing is beyond the capabilities of the average spammer."