Typhoon Haiyan: Spammers Strike with DHA Attack

Tacloban, the new ground zero created by Haiyan, is the raison d'être for a large directory harvest attack (DHA) launched by spammers today.

A DHA attack is launched to check the validity of an email directory or emails related to a targeted email server. The aim of this is to collect intelligence and prepare a platform to launch a large spam campaign on that particular site once a database is put in place. Rejected emails return as bounce or non-delivery report/receipt (NDR) and the rest is concluded as legit, while valid emails will soon be bombarded with a host of spam, phish and malware laden email attacks.

The attack is launched, with the spammer claiming to be from a reputed mass media and communications company on a very large Internet site and service provider, for the sole purpose of harvesting and validating email addresses.

The email’s structure is very simple. The headers and body content of the said attack are taken from a news article of a reputed news channel that was published around November 14, 2013. The alias in the form line and the subject line contain randomization at the end to prevent being caught by the spam filter detection.

Subject: Typhoon: After battle to survive, the struggle to live 26488
From: "Typhoon: After battle to survive, the struggle to live 26488" [email address]


Figure 1. A spam email about Typhoon Haiyan from a DHA attack

Symantec advises users to configure directory harvest attack recognition to protect their website environment, and to update their spam filter algorithms to repel such attacks.