Latest Tumbleweed Dark Traffic Report Shows 300% Rise in Directory Harvest Attacks; Over 40% of Enterprises Surveyed Use Email Address as Single-Sign-On Credentials

Tumbleweed(R) Communications Corp. (Nasdaq:TMWD), aleading provider of email security, file transfer security, andidentity validation solutions, today announced the release of thesecond Dark Traffic(TM) Report covering Q3 of 2005. The Dark TrafficReport includes data on the prevalence of network-level threats toemail infrastructures and the impact to organizations, and can bedownloaded at: http://www.tumbleweed.com/pdfs/TMWD_Dark_Traffic_Email_Report_Q3_2005.pdf (Due to its length, this URL may need to be copied/pasted into your Internet browser's address field. Remove the extra space if one exists.)

Dark Traffic, now accounting for 83 percent of all inbound emailnetwork traffic, is made up of Directory Harvest Attacks (DHA), emailDenial of Service (DoS) attacks, malformed SMTP packets, invalidrecipient addresses, and other requests and communications unrelatedto the delivery of valid email messages. The Dark Traffic Reportdefines and analyzes email security information gathered through acombination of research interviews with enterprise IT and emailadministrators, and taps of raw email network data aggregated fromtraffic monitors positioned in top enterprises throughout the U.S.

For the period running from July through September 2005, invalidDark Traffic accounted for 83 percent of the inbound email networktraffic being processed by enterprises based on a sampling of over 100million messages. Represented another way, valid messages accountedfor 17 percent of inbound enterprise traffic. It is important to notethat, of these valid messages, a significant percentage are laterdetermined by content filters to be unwanted spam.

In addition to direct measurement of email network traffic in theU.S. and overseas, this report also includes the results of a surveyof over 100 top enterprise IT and email administrators in the U.S.which shows that there is still a large gap between the perceivedamount of Dark Traffic and the actual amount organizations receive.

Other findings available in this report include:

-- Growth in Denial of Service Attacks: 300%

-- Growth in Directory Harvest Attacks: 170%

-- Percentage of inbound SMTP traffic that is addressed to invalid recipients: 43%

-- Over 40% of enterprises surveyed use an employee's email address as the network login username. Successful DHA's can put network security at risk.

Most email administrators lack visibility into the composition ofinbound port 25 traffic, and therefore have no ability to shape it.They only see the impacts of Dark Traffic indirectly, for example whencomparing the volume of accepted messages to the volume of deliveredmessages, or via large outbound queues of non-delivery notices. As aresult of the huge volumes of Dark Traffic email that organizationsreceive, they continue to add additional email servers and emailsecurity appliances to process the excessive invalid email trafficthey receive.

"In our first Dark Traffic Report in Q1 of 2005, we were genuinelysurprised at the amount of hidden traffic flowing into the enterpriseunder the radar. In compiling this latest Dark Traffic report, we wereagain surprised to see such large jumps in Directory Harvest Attacksand Denial of Service Attacks," said John Thielens, CTO of TumbleweedCommunications. "Enterprises are spending far too much on emailinfrastructure to handle the 80-plus percent of useless traffic thatcould be stopped at the network perimeter."

About Email Denial of Service Attacks

Email Denial of Service attacks (also called "DoS attacks," "mailbombing" or "flooding") attempt to overwhelm an email relay or serverwith a huge volume of messages, causing the server to drop connectionsor refuse legitimate email. Distributed DoS attacks (DDoS) are oftenlaunched from armies of zombie computers that have been infected withemail viruses, worms, or spyware. These zombies can be controlledremotely by the hacker who sent them, and can be targeted to attackone or more specific victims. DoS attacks are generally malicious innature, with the goal of disabling a targeted organization's network.Note that in the Dark Traffic Report, we are only focusing on DoSattacks in email -- DoS attacks exist across many other Internetprotocols outside of our purview here, including HTTP, IM, FTP, RPC,etc.

About Directory Harvest Attacks

The goal of a Directory Harvest Attack (DHA) is to identify validemail addresses within a given domain. The traditional purpose hasbeen to gather lists of valid email addresses for resale or fortargeting future spam attacks. But with the rise of Active Directoryand single sign-on technologies in the enterprise, the threat extendsto network and information security. Network login credentials andemail address are often configured to be the same. As a result, emailapplication security is critical to prevent directory loss, which candeliver thousands of usernames to outsiders, allowing them to focuscracking efforts on the exact username list with the goal of breachingthe network itself. This puts confidential operational and customerdata at risk of compromise.

About Tumbleweed Communications Corp.

Tumbleweed provides security solutions for email protection, filetransfers, and identity validation that allow organizations to safelyconduct business over the Internet. Tumbleweed offers these solutionsin three comprehensive product suites: MailGate(R),SecureTransport(TM), and Validation Authority(TM). MailGate providesprotection against spam, viruses, and attacks, and enablespolicy-based message filtering, encryption, and routing.SecureTransport enables business to safely exchange large files andtransactions without proprietary software. Validation Authority is theworld-leading solution for determining the validity of digitalcertificates. Tumbleweed's enterprise and government customers includeABN Amro, Bank of America Securities, Catholic Healthcare West, JPMorgan Chase & Co., The Regence Group (Blue Cross/Blue Shield), St.Luke's Episcopal Healthcare System, the U.S. Food and DrugAdministration, the U.S. Department of Defense, and all four branchesof the U.S. Armed Forces. Tumbleweed was founded in 1993 and isheadquartered in Redwood City, Calif. For additional information aboutTumbleweed go to www.tumbleweed.com or call 650-216-2000.

Tumbleweed, MailGate, SecureTransport, Validation Authority andDark Traffic are either registered trademarks or trademarks ofTumbleweed Communications Corp. in the United States and/or othercountries. All other trademarks are the property of their respectiveowners.

SAFE HARBOR STATEMENT

Tumbleweed cautions that forward-looking statements contained inthis press release are based on current plans and expectations, andthat a number of factors could cause the actual results to differmaterially from the guidance given at this time. These factors aredescribed in the Safe Harbor statement below.

Except for the historical information contained herein, thematters discussed in this press release may constitute forward-lookingstatements that involve risks and uncertainties that could causeactual results to differ materially from those projected, particularlywith respect to Tumbleweed's ability to identify and quantify Denialof Service attacks, Directory Harvest Attacks and other Dark Traffic,as well as the performance and functionality of Tumbleweed's products.In some cases, forward-looking statements can be identified byterminology such as "may," "will," "should," "potential," "continue,""expects," "anticipates," "intends," "plans," "believes," "estimates,"and similar expressions. For further cautions about the risks ofinvesting in Tumbleweed, we refer you to the documents Tumbleweedfiles from time to time with the Securities and Exchange Commission,particularly Tumbleweed's Form 10-K filed March 16, 2005 and Form 10-Qfiled November 2, 2005.

Tumbleweed assumes no obligation to update information containedin this press release, including for example its guidance regardingits future performance, which represents Tumbleweed's expectationsonly as of the date of this release and should not be viewed as astatement about Tumbleweed's expectations after such date. Althoughthis release may remain available on Tumbleweed's website orelsewhere, its continued availability does not indicate thatTumbleweed is reaffirming or confirming any of the informationcontained herein.