SBSers and Exchange 2003 tar pitting

Exchange, ExchangeDefender
Comments Off on SBSers and Exchange 2003 tar pitting

Few years ago tar-pitting was a big deal among SBSers who tried to protect their systems from spammers, worms and directory harvesting. Microsoft’s Alex Nikolayev, the big daddy of Microsoft’s SMTP stack developed the tar pitting technology for Microsoft’s SMTP server on top of which Microsoft Exchange 2003 works.

What is tar pitting you ask? It is a process of throttling bad recipient responses in the SMTP channel that are meant to slow down the spammer or directory harvesting attack meant to figure out the valid (or prune invalid) email addresses on your mail server. It works in conjunction with recipient filtering, so if you’re being a good little Internet participant and issuing NDRs as per RFC requirement, tar pitting can help. What exactly does it do? Here is a visual example:

220 Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at  Sat, 9 Feb 2008 15:31:38 -0500
ehlo Hello []
250 OK
mail from:
250 2.1.0….Sender OK
rcpt to:
250 2.1.5
rcpt to:
550 5.1.1 User unknown
rcpt to:
550 5.1.1 User unknown
rcpt to:
550 5.1.1 User unknown
rcpt to:
550 5.1.1 User unknown

What tar pitting enables you to do is specify the timeout interval in seconds between each rcpt to: command and the 550/511 rejection. Assuming that a regular spambot will issue thousands if not hundreds of thousands of commands in an attempt to filter out the valid recipients on the domain, tar pitting delays can significantly delay their connections.

Why SBSers shouldn’t use this!

First, if you wish to use this technology, here is a Microsoft KB842851 addressing this. If this is something you believe is worthwhile, you should outsource it to a service adequate of handling the volume of these connections, check out ExchangeDefender.

There are two reasons why you shouldn’t implement this technology on a small network:

First, if you are running SBS 2003 or 2003 R2 you have likely upgraded your server to ISA 2004. ISA 2004 establishes the max number of connections per server, per rule to 1000. Likewise, if you are using cheapie firewall solutions that also throttle down the connection limits as to not exhaust an internal server, you are likely going to run out of connections on your server. Remember that tar pitting does not close the connection, it keeps it open. So if you set a timeout of 30 seconds for example, you could run into hundreds of open connections during an attack which would result in service unavailable and connection drops for the valid SMTP connections that may be trying to reach you.

Second, tar pitting has proven itself effective enough that nobody uses DHA anymore. The malicious use of DHA has gone away to a large degree, the spambots are now either being launched with a raw write straight to the socket (ignoring any delays in the connection) or tend to disconnect if more than 5 seconds (depending on the spambot config) has passed between a rcpt to and 250/550 response.

So in effect, this would be worthless to you in stopping spammers and DHA but would backfire on you the first time a larger worm/virus outbreak starts slamming your server.

All in all, not a worthwhile practice for this day and age. Remember, spammers adapt much faster than the rest of the net does, what worked in 2005 won’t work in 2008.