Enabled by default: SMTP Tarpit in Exchange Server 2007

by Bharat Suneja

From a recent discussion, and something I’ve been wanting to post about for a while: SMTP tarpitting is enabled by default on Receive Connectors in Exchange 2007 (and Exchange 2010).

What is SMTP tarpitting?

It’s the process of introducing a delay in SMTP connections from hosts that are suspected of inappropriate SMTP behavior – for example, by sending messages to non-existent addresses in your domain. (Tarpit is a noun, I use tarpitting as a verb to describe the process. The word probably can’t be found in a dictionary, but perhaps appropriate usage to describe the process, just like telnetting, and emailing – Bharat)

If you’ve used Recipient Filtering on Exchange Server 2003 and selected the option to drop messages for recipients that do not exist in Active Directory, it’s a best practice to use SMTP tarpitting to get some level of protection from directory harvesting attacks. Directory harvesting is when spammers attempt to send email to addresses in your domain – which may or may not exist in your directory, to figure out which addresses are valid and which ones are not.

With the option in Recipient Filtering enabled, the SMTP virtual server responds with a 550 error (550 5.1.1 User unknown) when it comes across an address in the message’s RCPT TO command that does not exist in the directory. This happens before the message body is transmitted. With tarpitting enabled, this response is delayed a few seconds. In Exchange 2003 (on Windows Server 2003 SP1 – tarpitting is a Windows Server 2003 feature), the delay is configured with a registry setting, as described in Microsoft KBA 842851. Most spammers drop the connection when faced with such a delay, because it makes continued spamming and harvesting more expensive for them.

Does this sound too good to be true? What’s the down side, if there is one? On servers with a high volume of SMTP traffic, you may notice more open connections, and open connections consume resources. The trick is to keep the delay low enough that connections are not held open much longer, but high enough that sending hosts displaying suspicious behavior drop their connections.

Having said that, I’ve not come across many cases of performance degradation that could specifically be attributed to tarpitting delays, but you’ll need to test this in your environment to figure out what works best.

Also note, authenticated connections are not subjected to tarpitting delays. Additionally, tarpitting only makes sense on Receive Connectors exposed to the Internet – i.e. for inbound Internet email.

Exchange Server 2007’s Receive Connectors are configured with a tarpit interval of 5 seconds by default. A good way to observe this behavior is by telnetting to the SMTP port of an Exchange Server 2007 server and first sending a message to a valid recipient, and then trying to send a message to a recipient that does not exist.
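As an added example (not part of the original post), the telnet check above can be scripted so the delay on each RCPT TO reply is measured rather than eyeballed. It assumes you are pointing it at your own Exchange server’s SMTP port; the server name, sender and the two recipient addresses are constructed placeholders.

```powershell
# Added example (not from the original post): time the server's reply to each
# RCPT TO so the tarpit delay on an unknown recipient becomes visible.
# The host and addresses below are constructed placeholders, not values from the post.
function Measure-SmtpRcptDelay {
    param(
        [string]$Server       = 'mail.example.com',
        [int]$Port            = 25,
        [string]$Sender       = 'tarpit-test@example.com',
        [string[]]$Recipients = @('valid.user@example.com', 'no-such-user@example.com')
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

    # Read one SMTP reply; continuation lines carry "250-", the final line "250 ".
    function Read-Reply {
        do { $line = $reader.ReadLine() } while ($line -match '^\d{3}-')
        return $line
    }
    # Send a command and return the reply together with how long it took to arrive.
    function Send-Command([string]$cmd) {
        $sw = [Diagnostics.Stopwatch]::StartNew()
        $writer.WriteLine($cmd)
        $reply = Read-Reply
        $sw.Stop()
        [pscustomobject]@{ Command = $cmd; Reply = $reply; Seconds = [math]::Round($sw.Elapsed.TotalSeconds, 2) }
    }

    $results = @()
    Read-Reply | Out-Null                           # 220 banner
    $results += Send-Command "EHLO tarpit-check.example.com"
    $results += Send-Command "MAIL FROM:<$Sender>"
    foreach ($rcpt in $Recipients) { $results += Send-Command "RCPT TO:<$rcpt>" }
    Send-Command "RSET" | Out-Null                  # abandon the envelope; nothing is delivered
    Send-Command "QUIT" | Out-Null
    $client.Close()
    $results
}

Measure-SmtpRcptDelay | Format-Table -AutoSize
```

With the default 5-second TarpitInterval, the RCPT TO for the nonexistent address should show a 550 reply after roughly five seconds while the valid one returns 250 almost immediately.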

To check the SMTP tarpit interval on your Receive Connectors, use the following shell command:

Get-ReceiveConnector | Select Name,TarpitInterval

Change tarpit interval

You can set the tarpit interval to a higher value on a Receive Connector – I have mine set to 10 seconds, using the Set-ReceiveConnector cmdlet:

Set-ReceiveConnector "Receive Connector Name" -TarpitInterval 00:00:10

The value is in hours:minutes:seconds.

At the time of writing, the documentation for the Set-ReceiveConnector cmdlet states that the tarpit interval can also be set in days (the number of days and the number of hours separated by a dot), but it also states that the maximum value for TarpitInterval is 10 minutes (00:10:00) – which the shell confirms when you try to set a value higher than 10 minutes. (Technically speaking, the documentation isn’t wrong – you can in fact set it in days – e.g. 00.00:09:00 – as long as the value of days is zero! :) I’m told the doc will soon be changed/corrected).

Disable SMTP tarpit

You may want to disable SMTP tarpitting for specific trusted/internal hosts to avoid delays in sending mail – for example, if the hosts need to send bulk mail. In such scenarios, you should create a dedicated Receive Connector for trusted/internal hosts, specify the IP addresses or ranges of those hosts in the RemoteIPRanges parameter of the Receive Connector and disable SMTP tarpitting.
To disable the tarpit behavior, set the TarpitInterval value to 00:00:00:

Set-ReceiveConnector "Receive Connector Name" -TarpitInterval 00:00:00

If you also need to allow those hosts to relay mail to external recipients, see How To Allow Relaying in Exchange 2010 and Exchange 2007.
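Pulling the check, change and disable steps above together, here is an added Exchange Management Shell script (not from the original post) that audits each connector’s TarpitInterval against whether it accepts anonymous (Internet) mail and then applies the values the post recommends. It assumes the AnonymousUsers permission group marks an Internet-facing connector; the "Internal Relay" connector name is a placeholder.

```powershell
# Added example (not from the original post). Audits every Receive Connector's
# TarpitInterval against how the connector is exposed, then applies the post's
# recommended values. Internet exposure is inferred from the AnonymousUsers
# permission group; 'Internal Relay' is a constructed placeholder name.
function Get-TarpitAudit {
    Get-ReceiveConnector | ForEach-Object {
        # TarpitInterval renders as hh:mm:ss, so parse it as a TimeSpan
        $seconds = [TimeSpan]::Parse("$($_.TarpitInterval)").TotalSeconds
        $anon    = [bool]($_.PermissionGroups -match 'AnonymousUsers')
        $finding = if (-not $_.Enabled) { 'disabled connector' }
                   elseif ($anon -and $seconds -eq 0) { 'WEAK: anonymous (Internet) connector without tarpit' }
                   elseif ($anon) { 'ok: anonymous connector tarpits for {0}s' -f $seconds }
                   elseif ($seconds -gt 0) { 'note: trusted/internal connector still tarpits ({0}s)' -f $seconds }
                   else { 'ok: internal connector, no tarpit' }
        [pscustomobject]@{
            Name           = $_.Name
            TarpitSeconds  = $seconds
            Anonymous      = $anon
            RemoteIPRanges = ($_.RemoteIPRanges -join ', ')
            Finding        = $finding
        }
    }
}

# 10 s on every connector that accepts anonymous mail, 0 on the dedicated
# internal connector. -WhatIf previews the changes without applying them.
function Set-RecommendedTarpit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$InternalConnector = 'Internal Relay')
    Get-ReceiveConnector | Where-Object { $_.PermissionGroups -match 'AnonymousUsers' } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, 'Set TarpitInterval 00:00:10')) {
                Set-ReceiveConnector -Identity $_.Identity -TarpitInterval 00:00:10
            }
        }
    if ($PSCmdlet.ShouldProcess($InternalConnector, 'Set TarpitInterval 00:00:00')) {
        Set-ReceiveConnector -Identity $InternalConnector -TarpitInterval 00:00:00
    }
}

Get-TarpitAudit | Format-Table -AutoSize
Set-RecommendedTarpit -WhatIf
```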

Tim Kremer June 25, 2007 at 6:28 am

Excellent post, Bharat! Ever since I’ve moved to Exch2007, I’ve not been able to enable tarpitting. Documentation on it is a bit difficult to find. Your post has helped out at least ONE person. :)

TC July 5, 2007 at 11:35 am

In my experience, your documentation has always been more concise and easier to understand than MS’s. Thanks for this article. One question I do have is the output I’m getting after setting the tarpit interval to 10 secs. I’m seeing:

Receive Connector TarpitInterval
——————- ————–
00:00:10
00:00:05
00:00:05
00:00:05
00:00:05
00:00:05

I’m curious about the “:05” entries after the first one. What do they signify? Before setting the tarpit interval, it was showing all “:05″s. Thanks again.

Bharat Suneja July 5, 2007 at 12:08 pm

Do you have more than one Receive Connector? Try:
Get-ReceiveConnector | Select Name,TarpitInterval

If you do have more than one, the tarpit interval will need to be set on each.

You can also pipe it using the following commands:
Get-ReceiveConnector | Set-ReceiveConnector -tarpitinterval 00:00:10

TC July 5, 2007 at 12:32 pm

Yes, that’s it. I do have a few more connectors (most are disabled). The blank entries on the RecConn column confused me a bit, but running w/ the “select name” parameter showed all the connector names.

Thanks again and keep up the good work =).

Anonymous July 23, 2008 at 12:12 pm

Awesome post. I was wondering what caused the lag. For some reason I had problems with the set command and recognizing the connector on a domain controller, but using the pipe option worked great.

Anonymous November 5, 2008 at 11:02 pm

You know, this was one of those small things which bothered me from the beginning with Exchange 2007.
I never knew it existed :)

Thanks a lot for the info, now SMTP is instant.

Anonymous April 23, 2009 at 10:10 pm

Do you know if Exchange 2007 has any built-in feature to detect and slow down spam mail going out through it? Like tarpitting on the send connectors.

Bharat Suneja April 23, 2009 at 10:14 pm

@Anonymous from April 23: You can enable antispam filters for internal/authenticated mail. By default, it’s not enabled.

Is there a specific reason to believe spam is originating from inside or from an authenticated source?

Anonymous May 8, 2009 at 12:35 pm

Excellent Document : )
I was wondering, if Tarpit is not configured in Exchange 2003 and IMF is set to some settings, is the job done?

Bharat Suneja May 9, 2009 at 10:09 am

@Anonymous May 8: Thanks! IMF does content filtering – it does not do tarpitting. Tarpitting is an additional measure – you have to determine whether you want to use it or not. I recommend it.

Take a look at the post on Exchange team blog: SMTP Session Tarpitting for Windows 2003 and Exchange, and KB 842851: SMTP tar pit feature for Microsoft Windows Server 2003.
