Fighting spam with SMTP 'tar pits'

Please let others know how useful this tip is via the rating scale at the end of it. Do you have a useful Exchange or Outlook tip, timesaver or workaround to share? Submit it to our tip contest and you could win a prize.

"Tarpitting" is a way of reducing spam or spam-related attacks (such as directory harvesting). It involves delaying SMTP communications with remote servers suspected of sending unsolicited e-mail. This slows down mail processing on the spammers' end, so they can't bombard you as quickly or perform dictionary attacks as efficiently.

Windows Server 2003 Service Pack 1 now has a built-in tarpitting function that works with the included SMTP server or Exchange Server 2003.

The tar pit delay kicks in whenever an SMTP conversation with a remote server (i.e., whenever Exchange receives SMTP-relayed e-mail) produces a 5.x.x-type error code on your end. For instance, if a remote server tries to send e-mail to a nonexistent user, your server delays any further conversation with that server for a predetermined length of time.

Enabling tarpitting in Windows Server 2003 is simple:

Since most mail systems use a one-minute timeout for mail conversations, some administrators use delays of up to 90 seconds. But 20 seconds is a good starting point and shouldn't create too many adverse side effects.

Not everyone should enable tarpitting though.

If you use third-party antispam products that do a good job, tarpitting may do more harm than good.

Using tar pits may also make things difficult for legitimate users. For instance, if someone misspel

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Exchange Security Tips How file-level antivirus software can harm your Exchange Server Understanding Exchange Server 2007 SP1 mobile security settings Which ActiveSync authentication method is best for your mobile device? Why you should secure Exchange 2007 using administrative policies Microsoft Exchange Server security dos and don'ts Create a journal rule in Exchange 2007 to secure journaling mailboxes How to protect an Exchange journaling mailbox from email spoofing Lock down Microsoft Outlook 2007 to prevent .PST file access Using Exchange Server journaling as an email-archiving solution Use the OWA Admin tool to 'segment' Outlook Web Access 2003 features Microsoft Exchange Server 2003 Changing email address formats in Exchange Server 2003 Should you remove .STM files from Exchange Server 2003? Troubleshoot 'System Attendant' error messages in OWA Configuring the default recipient policy in an Exchange 2003 environment Removing old disclaimers from Exchange Server 2003 ExMerge gotchas to watch for when migrating Exchange 2003 mailboxes Recovering deleted items after an Exchange 2003 migration Linking two Exchange 2003 servers in different forests Microsoft Exchange Server virtualization tutorial Installing Exchange Server 2003 and a domain controller on the same hardware Microsoft Exchange Server 2003 Research Antispam Software and Spam Filtering Problems with email spoofing on SBS 2003 Exchange Insider e-zine Securing your Exchange Server 2007 journaling archives Microsoft Exchange Server security dos and don'ts Troubleshooting Microsoft Exchange Server Event ID error 6009 How can I configure Exchange IMF to allow an IP address or DNS? Tool helps identify inbound Exchange Server email flow issues Configure SMTP relay restrictions in Exchange Server 2003 to stop spam Exchange email sent to a domain using SPF authentication is returned Secure Edge Transport servers using the Security Configuration Wizard Antispam Software and Spam Filtering Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary greylist  (SearchExchange.com) hash buster  (SearchExchange.com) image spam  (SearchExchange.com) KnujOn  (SearchExchange.com) Sender ID  (SearchExchange.com) spam confidence level  (SearchExchange.com) spamblock  (SearchExchange.com) spim  (SearchExchange.com) tarpitting  (SearchExchange.com) teergrube  (SearchExchange.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

ls the e-mail address of an acceptable message sent to you, and the tar pit time is set way above the timeout threshold tolerated by the sender, the mail in question will never even get a non-delivery report from your server.

The sender should get a problem report from their own SMTP server telling them that the mail in question could not be delivered -- but with a slightly misleading "Recipient timed out" error, rather than the proper "Username not found" error. (This could cause the administrator of the remote host to wonder, incorrectly, if there's something wrong with his network or the routing to the remote host.)

Tarpitting also works best when both recipient filtering and authenticated sessions are in use.

Recipient filtering lets you immediately reject e-mail that doesn't match anyone in your organization (which protects against dictionary attacks). It's useful when combined with tarpitting, since the majority of SMTP sessions trapped with tarpitting usually involve sending to invalid addresses.

Since tarpitting only works on anonymous SMTP sessions, if you exchange mail with other servers that authenticate, they can avoid any problems associated with tarpitting.

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter.

Reference Center: Tips and resources on spam prevention and management

---

Rate this Tip To rate tips, you must be a member of SearchExchange.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.