Exchange Server

Tar Pitting in Exchange 2003

Microsoft KB 842851 has more info:

Tar pitting is the practice of deliberately inserting a delay into certain SMTP communications that are associated with spam or with other unwanted traffic. The tar pit feature works by slowing all responses that contain SMTP protocol 5.x.x error codes. By slowing an SMTP conversation, you can reduce the rate at which automated spam can be sent or at which a dictionary attack can be conducted. On the downside, legitimate traffic may also be slowed by tar pitting.

The tar pit feature is available in Microsoft Windows Server 2003 and in several third-party SMTP servers. An administrator can configure the delay that is introduced by the tar pit feature. Tar pitting is a feature of the generic Windows Server 2003 SMTP service, meaning that it is used by the SMTP service and can also be used by other applications.

Tar pitting will become effective when you’ve enabled Exchange Server 2003 recipient filtering. Recipient filtering lets you filter or reject incoming mail for specifically defined recipients and for any incoming recipient that is not listed in the Active Directory directory service for your organization. Therefore, senders will not be able to send you mail that is destined for invalid recipients or for filtered recipients. Such mail is rejected early in the SMTP conversation before the body of the mail is transmitted. This behavior generally reduces the processing demand of dealing with invalid mail on your Exchange server. Not only do you not have to accept and store the mail, but you also are not obligated to send a non-delivery report (NDR) for invalid mail because the mail was never accepted.


A disadvantage of recipient filtering is that it might encourage spammers to perform an e-mail address harvest attack against you. In a harvest attack, a large number of e-mail messages is sent to your server, and by monitoring the SMTP protocol 5.x.x error codes the spammer can efficiently harvest a list of your valid users and e-mail addresses. The attacker can then use the list of discovered e-mail addresses to send spam or for other illegitimate purposes.

When the recipient filtering feature is enabled, your server will reveal whether an e-mail name is valid or invalid during an SMTP conversation. When the recipient filtering feature is disabled, an attacker will have to wait for the return of an NDR for each guessed name.

When both the recipient filtering feature and the tar pit feature are enabled, responses to invalid e-mail names can be greatly delayed. This behavior can discourage the attack.
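The harvest pattern described above is easy to spot after the fact in the SMTP protocol log: one client address collecting many 5.x.x replies to RCPT TO in a short window. The following PowerShell is an added example (it is not from the Petri article or from KB 842851) that flags such addresses. The log lines are constructed, and they use a simplified W3C-style layout of six fields (date, time, client IP, SMTP verb, argument, reply code); a real SMTPSVC log carries more fields, so adjust the split indexes to your own log format.

```powershell
# Added example, not part of the original article.
# Flags client IPs that receive many 5.x.x replies to RCPT TO within a short
# window, which is the trace a directory-harvest attack leaves in the SMTP log.
# The log lines below are CONSTRUCTED and use a simplified W3C-style layout:
#   date time c-ip cs-method cs-uri-query sc-status
# Real SMTPSVC logs have more columns; change the field indexes accordingly.

$sampleLog = @'
2021-10-05 09:00:01 203.0.113.5 RCPT +TO:<alice@example.com> 250
2021-10-05 09:00:02 203.0.113.5 RCPT +TO:<bob@example.com> 250
2021-10-05 09:00:03 198.51.100.9 RCPT +TO:<aaron@example.com> 550
2021-10-05 09:00:03 198.51.100.9 RCPT +TO:<abby@example.com> 550
2021-10-05 09:00:04 198.51.100.9 RCPT +TO:<adam@example.com> 550
2021-10-05 09:00:04 198.51.100.9 RCPT +TO:<alan@example.com> 550
2021-10-05 09:00:05 198.51.100.9 RCPT +TO:<alex@example.com> 550
2021-10-05 09:00:06 198.51.100.9 RCPT +TO:<alice@example.com> 250
2021-10-05 09:15:00 192.0.2.77 RCPT +TO:<typo@example.com> 550
'@

function Find-HarvestSuspects {
    param(
        [string[]]$Lines,
        [int]$Threshold = 5,       # 5.x.x RCPT failures per IP before it is flagged
        [int]$WindowMinutes = 10   # failures must fall inside this span
    )

    # Parse each log line into a small object; skip blanks, comments and short lines.
    $events = foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 6) { continue }
        [pscustomobject]@{
            Time   = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss',
                                            [cultureinfo]::InvariantCulture)
            Ip     = $f[2]
            Method = $f[3]
            Status = [int]$f[5]
        }
    }

    # Keep only recipient rejections (any 5.x.x reply to RCPT).
    $failures = $events | Where-Object { $_.Method -eq 'RCPT' -and $_.Status -ge 500 -and $_.Status -lt 600 }

    # Group by client IP and report those over the threshold inside the window.
    $failures | Group-Object Ip | ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        $span   = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
        if ($_.Count -ge $Threshold -and $span -le $WindowMinutes) {
            [pscustomobject]@{
                Ip          = $_.Name
                Failures    = $_.Count
                SpanMinutes = [math]::Round($span, 1)
            }
        }
    }
}

# With the constructed sample only 198.51.100.9 is reported (five 550s in three seconds);
# the single typo from 192.0.2.77 stays below the threshold.
Find-HarvestSuspects -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

With tar pitting enabled, the same query is also a useful way to confirm the feature is doing its job: a flagged address should show far fewer failures per minute than it would against an undelayed server.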

Note: After enabling the tar pit feature you should carefully monitor the performance of your SMTP server. Additionally, you should analyze the traffic patterns on the server to make sure that tar pitting is not disrupting or delaying ordinary traffic.

Only anonymous SMTP connections are affected by this feature, and authenticated sessions are not. In cases where you regularly exchange lots of SMTP mail with another organization, and you find that tar pitting is affecting that traffic, you can bypass tar pitting for that organization by authenticating SMTP communications at the SMTP Virtual Server level.

How do I enable the tar pit feature?

The tar pit feature can be enabled and configured by setting a registry key. To do this, follow these steps:

Warning!
This document contains instructions for editing the registry. If you make any error while editing the registry, you can potentially cause Windows to fail or be unable to boot, requiring you to reinstall Windows. Edit the registry at your own risk. Always back up the registry before making any changes. If you do not feel comfortable editing the registry, do not attempt these instructions. Instead, seek the help of a trained computer specialist.
  1. Click Start, click Run, type REGEDIT in the Open box, and then click OK.

  2. Navigate to the following registry subkey:

     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters

  3. Modify (or add, if it does not exist) the following value:

     Value type: DWORD
     Value name: TarpitTime
     Value base: Decimal
     Value data: the number of seconds you want to delay each SMTP response

     Note: If the TarpitTime registry entry does not exist, Exchange behaves as if the value of this registry entry were set to 0. When the registry entry has a value of 0, there is no delay when the SMTP address verification responses are sent.

  4. Quit Registry Editor.

  5. Restart the Simple Mail Transport Protocol (SMTP) service.

Done!
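The same change can be scripted, which is handy when several front-end servers need the identical setting. The PowerShell below is an added example (not from the Petri article or from KB 842851): it creates or updates the TarpitTime value, restarts the SMTP service so the new value is read, and prints the value back for confirmation. Run it elevated on the SMTP host; the five-second delay is an assumption, since the KB leaves the choice to the administrator.

```powershell
# Added example, not part of the original article.
# Sets TarpitTime under the SMTPSVC parameters key, restarts SMTPSVC and reads the
# value back. Run from an elevated prompt on the Exchange 2003 / Windows Server 2003
# SMTP host. The 5-second delay is an assumption; pick a value for your own traffic.

$path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters'
$name  = 'TarpitTime'
$delay = 5   # seconds added to every 5.x.x response on anonymous SMTP sessions

if (-not (Test-Path $path)) {
    throw "SMTP service parameters key not found: $path (is the SMTP service installed?)"
}

# Create the DWORD if it is absent, otherwise just update it.
if ($null -eq (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue)) {
    New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $delay | Out-Null
} else {
    Set-ItemProperty -Path $path -Name $name -Value $delay
}

# The service reads the key at start-up, hence the restart (step 5 above).
Restart-Service -Name SMTPSVC -Force

# Verify: a missing value or 0 means no delay at all.
$current = (Get-ItemProperty -Path $path -Name $name).$name
"TarpitTime is now $current second(s)"
```

After the restart, watch queue lengths and session counts for a while, as the note above advises: every delayed 5.x.x reply holds a connection open for the full TarpitTime, so a large value combined with a burst of invalid recipients can tie up more sessions than the server has free.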


Links

RFC 821 – Simple Mail Transfer Protocol

RFC 1939 – Post Office Protocol Version 3
