A common strategy for increasing the cost of would-be mail abuse uses a technique called tarpitting. Mail servers that tarpit wait a specified period of time before issuing SMTP responses to the client, thus increasing the time investment needed to successfully send a large amount of mail or a constant stream of (usually invalid) SMTP commands. To minimize the impact on the performance of well-meaning senders, servers can tarpit responses only for SMTP errors and allow authenticated clients to bypass the tarpit time.
Tarpitting is a useful countermeasure for:
- Dictionary harvest attacks (where an attacker is trying to compile a list of valid e-mail addresses from your organization)
- User account attacks (where an attacker repeatedly attempts to authenticate via username/password guessing)
- Spam scripts that send more invalid than valid e-mail recipients.
Most of these abuses depend on quick SMTP server responses to complete in an acceptable timeframe. SMTP servers that tarpit slow down the amount of work they can do in a given amount of time, thereby making the abuse less enticing or lucrative.
Until recently, there wasn’t a way to enable tarpitting behavior for Windows/Exchange. Now, you can.
Simply install the KB:842851 package and KB:885881 package. The only requirement is that you’re running Windows Server 2003 with Internet Information Services 6.0. If you’re running Microsoft Exchange, the package automatically integrates with it.
Then, create/set the following registry key:
HKLM\System\CurrentControlSet\Services\SmtpSvc\Parameters\TarpitTime (DWORD)
The key value is the number of seconds you wish the server to tarpit error responses. You must stop/start the SMTP service for the change to take place.
When used with Microsoft Exchange Server 2003 features like recipient lookup, tarpitting increases the cost of invalid lookups that makes it harder to abuse the feature to launch a dictionary harvest attack.
- Greg Beitler
