SMTP Session Tarpitting for Windows 2003 and Exchange
A common strategy for increasing the cost of would-be mail abuse uses a technique called tarpitting. Mail servers that tarpit wait a specified period of time before issuing SMTP responses to the client, thus increasing the time investment needed to successfully send a large amount of mail or a constant stream of (usually invalid) SMTP commands. To minimize the impact on the performance of well-meaning senders, servers can tarpit responses only for SMTP errors and allow authenticated clients to bypass the tarpit time.
Tarpitting is a useful countermeasure for:
- Dictionary harvest attacks (where an attacker is trying to compile a list of valid e-mail addresses from your organization)
- User account attacks (where an attacker repeatedly attempts to authenticate via username/password guessing)
- Spam scripts that send more invalid than valid e-mail recipients.
Most of these abuses depend on quick SMTP server responses to complete in an acceptable timeframe. SMTP servers that tarpit slow down the amount of work they can do in a given amount of time, thereby making the abuse less enticing or lucrative.
Until recently, there wasn’t a way to enable tarpitting behavior for Windows/Exchange. Now, you can.
Simply install the KB:842851 package and KB:885881 package. The only requirement is that you’re running Windows Server 2003 with Internet Information Services 6.0. If you’re running Microsoft Exchange, the package automatically integrates with it.
Then, create/set the following registry key:
The key value is the number of seconds you wish the server to tarpit error responses. You must stop/start the SMTP service for the change to take place.
When used with Microsoft Exchange Server 2003 features like recipient lookup, tarpitting increases the cost of invalid lookups that makes it harder to abuse the feature to launch a dictionary harvest attack.
SMTP Tarpitting In Exchange 2007…
SMTP Tarpitting is enabled by default in Exchange 2007. This is really good news as admins who configure recipient filtering are automatically protected against directory harvest attacks. This was not the case in exchange 2003, as a registry edit was necessary to enable the feature. Check this KB article for information regarding how to enable tarpitting on an exchange 2003 server.
SMTP Tarpitting is the feature by which a delay is introduced to the rejection response. When a recipient is rejected with a 5.x.x response, a delay of few seconds is introduced before the response is initiated. This makes it difficult for spammers to find legitimate email addresses in a domain by using directory harvesting attacks.
Exchange 2007 has a default tarpit interval of 5 seconds, which can be increased upto a maximum of 10 minutes. Much thought should be put in while changing the tarpit interval, as it will affect legitimate emails as well (the ones that are not spam, like misspelt addresses). The default interval is good in most cases. Tarpit interval is set on the receive connector and is in the format hh:mm:ss.
In order to find the tarpit interval, run the following command
Get-ReceiveConnector connectorname | select tarpitinterval
To increase the tarpit interval to 10 seconds, run Set-ReceiveConnector connectorname –TarpitInterval 00:00:10
Run Set-ReceiveConnector connectorname –TarpitInterval 00:00:00 to disable tarpitting (not recommended).
Sources: The Microsoft Exchange Team Blog, How Exchange Works