Tar Pitting in Exchange 2003
Microsoft KB 842851 has more info:
Tar pitting is the practice of deliberately inserting a delay into certain SMTP communications that are associated with spam or with other unwanted traffic. The tar pit feature works by slowing all responses that contain SMTP protocol 5.x.x error codes. By slowing an SMTP conversation, you can reduce the rate at which automated spam can be sent or at which a dictionary attack can be conducted. On the downside, legitimate traffic may also be slowed by tar pitting.
The tar pit feature is available in Microsoft Windows Server 2003 and in several third-party SMTP servers. An administrator can configure the delay that is introduced by the tar pit feature. Tar pitting is a feature of the generic Windows Server 2003 SMTP service, meaning that it is used by the SMTP service and can also be used by other applications.
Tar pitting will become effective when you’ve enabled Exchange Server 2003 recipient filtering. Recipient filtering lets you filter or reject incoming mail for specifically defined recipients and for any incoming recipient that is not listed in the Active Directory directory service for your organization. Therefore, senders will not be able to send you mail that is destined for invalid recipients or for filtered recipients. Such mail is rejected early in the SMTP conversation before the body of the mail is transmitted. This behavior generally reduces the processing demand of dealing with invalid mail on your Exchange server. Not only do you not have to accept and store the mail, but you also are not obligated to send a non-delivery report (NDR) for invalid mail because the mail was never accepted.
A disadvantage of recipient filtering is that it might encourage spammers to perform an e-mail address harvest attack against you. In a harvest attack, a large number of e-mail messages are sent to your server, and by watching the SMTP protocol 5.x.x error codes the spammer can efficiently harvest a list of your valid users and e-mail addresses. The attacker can then use the list of discovered e-mail addresses to send spam or for other illegitimate purposes.
When the recipient filtering feature is enabled, your server will reveal whether an e-mail name is valid or invalid during an SMTP conversation. When the recipient filtering feature is disabled, an attacker will have to wait for the return of an NDR for each guessed name.
When both the recipient filtering feature and the tar pit feature are enabled, responses to invalid e-mail names can be greatly delayed. This behavior can discourage the attack.
Note: After enabling the tar pit feature you should carefully monitor the performance of your SMTP server. Additionally, you should analyze the traffic patterns on the server to make sure that tar pitting is not disrupting or delaying ordinary traffic.
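The note above asks you to watch traffic patterns after turning tar pitting on. The following is an added example, not code from the KB article or from Microsoft: it parses a few constructed log lines (a simplified W3C-style layout of time, client IP, SMTP verb, argument, reply code and time-taken in milliseconds, which is not the exact field layout of the IIS SMTP log), flags clients whose RCPT TO commands are mostly rejected with 5.x.x codes (the signature of an address harvest), and reports the mean time-taken of those rejections so you can confirm it matches the configured TarpitTime. The function names and the thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample log (documentation IP ranges). 203.0.113.5 walks through
# guessed names and collects 550s; 198.51.100.7 is a partner with one typo.
# Adjust parse_line() to the fields your own SMTP service actually logs.
SAMPLE_LOG = """\
10:01:01 203.0.113.5 MAIL +FROM:<x@spam.invalid> 250 2
10:01:02 203.0.113.5 RCPT +TO:<alice@example.com> 250 3
10:01:08 203.0.113.5 RCPT +TO:<aaron@example.com> 550 5004
10:01:14 203.0.113.5 RCPT +TO:<abby@example.com> 550 5003
10:01:20 203.0.113.5 RCPT +TO:<adam@example.com> 550 5006
10:01:26 203.0.113.5 RCPT +TO:<alan@example.com> 550 5002
10:01:32 203.0.113.5 RCPT +TO:<alex@example.com> 550 5005
10:01:40 198.51.100.7 MAIL +FROM:<partner@partner.example> 250 2
10:01:41 198.51.100.7 RCPT +TO:<bob@example.com> 250 4
10:01:42 198.51.100.7 RCPT +TO:<alice@example.com> 250 3
10:01:43 198.51.100.7 RCPT +TO:<bobb@example.com> 550 5001
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


@dataclass
class ClientStats:
    rcpt_total: int = 0
    rcpt_rejected: int = 0                      # RCPT TO answered with 5.x.x
    rejected_ms: List[int] = field(default_factory=list)  # time-taken of those replies


def parse_line(line: str) -> Optional[dict]:
    """Split one constructed log line into its fields; None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _time, ip, verb, _arg, code, ms = m.groups()
    return {"ip": ip, "verb": verb, "code": int(code), "ms": int(ms)}


def summarize(log_text: str) -> Dict[str, ClientStats]:
    """Aggregate RCPT TO outcomes per client IP."""
    stats: Dict[str, ClientStats] = defaultdict(ClientStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["verb"] != "RCPT":
            continue
        s = stats[rec["ip"]]
        s.rcpt_total += 1
        if 500 <= rec["code"] <= 599:
            s.rcpt_rejected += 1
            s.rejected_ms.append(rec["ms"])
    return dict(stats)


def harvest_suspects(stats: Dict[str, ClientStats],
                     min_rejects: int = 5, min_ratio: float = 0.8) -> Set[str]:
    """Clients with many RCPT rejections and a high rejection ratio (assumed thresholds)."""
    return {ip for ip, s in stats.items()
            if s.rcpt_rejected >= min_rejects
            and s.rcpt_rejected / s.rcpt_total >= min_ratio}


def observed_tarpit_seconds(stats: Dict[str, ClientStats]) -> float:
    """Mean time-taken of 5.x.x RCPT replies in seconds; compare with TarpitTime."""
    ms = [m for s in stats.values() for m in s.rejected_ms]
    return round(sum(ms) / len(ms) / 1000, 2) if ms else 0.0


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    print("harvest suspects:", harvest_suspects(stats))
    print("observed tar pit delay (s):", observed_tarpit_seconds(stats))
```

A legitimate partner with the occasional mistyped address stays under both thresholds, while a client that produces rejection after rejection is flagged; the observed delay tells you whether the tar pit is actually stalling those 5.x.x replies or whether it is also inflating the time-taken of ordinary traffic.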
Only anonymous SMTP connections are affected by this feature; authenticated sessions are not. In cases where you regularly exchange lots of SMTP mail with another organization, and you find that tar pitting is affecting that traffic, you can bypass tar pitting for that organization by authenticating SMTP communications at the SMTP Virtual Server level.
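To make the interaction of recipient filtering, the tar pit delay and the authenticated-session bypass concrete, here is an added example that models the RCPT TO decision in a few lines of Python. It is not Microsoft's code and not how the Exchange SMTP service is implemented internally; the class and function names, the reply texts and the sample directory are constructed for illustration. The rules it encodes are the ones the text states: unknown and filtered recipients get a 5.x.x reply, that reply is delayed by TarpitTime seconds on anonymous sessions only, and a TarpitTime of 0 means no delay.

```python
import time
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

# Constructed sample data: the addresses the directory knows, and one valid
# mailbox that recipient filtering blocks from receiving Internet mail.
VALID_RECIPIENTS: Set[str] = {"alice@example.com", "bob@example.com", "sales@example.com"}
FILTERED_RECIPIENTS: Set[str] = {"sales@example.com"}


@dataclass
class RecipientPolicy:
    """Models the KB description of recipient filtering plus tar pitting."""
    valid: Set[str]
    filtered: Set[str]
    tarpit_time: int = 0            # the TarpitTime registry value, in seconds
    recipient_filtering: bool = True

    def rcpt_to(self, recipient: str, authenticated: bool) -> Tuple[int, str, int]:
        """Return (reply code, reply text, seconds to stall) for one RCPT TO."""
        addr = recipient.strip().lower()
        if not self.recipient_filtering:
            # Without recipient filtering the address is accepted at RCPT time;
            # validity only surfaces later through an NDR, so no 5.x.x here.
            return 250, "Recipient OK (constructed reply text)", 0
        if addr in self.valid and addr not in self.filtered:
            return 250, "Recipient OK (constructed reply text)", 0
        # Unknown or filtered recipient: a 5.x.x reply, tar pitted only when
        # the session is anonymous (TarpitTime of 0 disables the delay).
        delay = self.tarpit_time if not authenticated else 0
        return 550, "Recipient rejected (constructed reply text)", delay


def run_session(policy: RecipientPolicy, recipients: List[str], authenticated: bool,
                sleep: Callable[[float], None] = time.sleep) -> Tuple[List[Tuple[str, int]], int]:
    """Replay RCPT TO commands for one session; returns (replies, total seconds stalled)."""
    replies, stalled = [], 0
    for r in recipients:
        code, _text, delay = policy.rcpt_to(r, authenticated)
        if delay:
            sleep(delay)            # the tar pit: wait before the 5.x.x reply goes out
            stalled += delay
        replies.append((r, code))
    return replies, stalled


if __name__ == "__main__":
    policy = RecipientPolicy(VALID_RECIPIENTS, FILTERED_RECIPIENTS, tarpit_time=5)
    guesses = ["alice@example.com", "carol@example.com",
               "sales@example.com", "dave@example.com"]
    # sleep is replaced so the demonstration returns immediately
    replies, stalled = run_session(policy, guesses, authenticated=False, sleep=lambda s: None)
    print(replies, "- would have stalled", stalled, "seconds")
```

The `sleep` parameter is injected so the behaviour can be exercised without waiting; with the real `time.sleep` the three rejected names in the sample cost the anonymous sender fifteen seconds, while the same commands on an authenticated session (the bypass the text describes) cost nothing.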
How do I enable the tar pit feature?
The tar pit feature can be enabled and configured by setting a registry key. To do this, follow these steps:
Warning: This document contains instructions for editing the registry. If you make any error while editing the registry, you can potentially cause Windows to fail or be unable to boot, requiring you to reinstall Windows. Edit the registry at your own risk. Always back up the registry before making any changes. If you do not feel comfortable editing the registry, do not attempt these instructions. Instead, seek the help of a trained computer specialist.
- Click Start, click Run, type REGEDIT in the Open box, and then click OK.
- Navigate to the following path:
|Registry subkey path|
- Use the following information to modify (or add, if the entry does not exist) the following value:

| Value type | Value name | Value base | Value data |
| --- | --- | --- | --- |
| DWORD | TarpitTime | Decimal | The number of seconds that you want to delay the SMTP response |
Note: If the TarpitTime registry entry does not exist, Exchange behaves as if the value of this registry entry were set to 0. When the registry entry has a value of 0, there is no delay when the SMTP address verification responses are sent.
- Quit Registry Editor.
- Restart the Simple Mail Transfer Protocol (SMTP) service.
You might also want to read the following related articles:
- Block Incoming Internet Mail to Specific Users or Groups
- Change the IMAP4 Banner
- Change the POP3 Banner
- Change the SMTP Banner
- Configure IIS to be a Smart Host for Exchange
- Configure MX Records for Incoming SMTP E-Mail Traffic
- Message Protocols Used by Exchange 2000/2003
- Ports used by Exchange Server
- Preventing Exchange 2000/2003 from Relaying
- Quickly Send Email Messages
- Remote Version Checking through SMTP/POP3/IMAP4
- Send Mail from Script
- Send Mail (from the Tools and Scripts section)
- Test SMTP Service in IIS and Exchange