SMTP Session Tarpitting for Windows 2003 and Exchange

re: SMTP Session Tarpitting for Windows 2003 and Exchange

Michel — Mon, 06 Dec 2004 20:51:00 GMT

Excellent work!

I had a discussion almost one year ago with David Lemson (URL points to the post on his weblog) about this specific feature. It fired discussions on how MS decides and knows about user feature requests. Tarpitting was one of those features I requested: now it's here!

I mentioned in previous posts on David's blog there was (and still is) a content scanning gateway in front of our Exchange organisation. I already have plans layed out to change that: have Exchange use IMF (recipient check), tarpit when needed, and then route back to the content scanning gateway. After the content scan messages will flow into the Exchange org again.

Great to see this feature in the SMTP service!

re: SMTP Session Tarpitting for Windows 2003 and Exchange

Dmitry Gromov — Mon, 06 Dec 2004 21:15:00 GMT

Hi!

That article is incorrect. Hotfix DOES NOT install Tarpit fix on Windowss 2003 unless _original_ KB842851 was installed.

WindowsServer2003-KB885881-x86-enu.EXE includes two versions of smtp.dll - GDR (for RTM versions) and QFE (for hotfix version). ONLY QFE version of smtp.dll has Tarpit fix. RTM version does not.

If original KB842851 fix (available from MS) was not installed, it is still possible to replace smtp.dll but that is not supported, of cause.

And the way it works is very simple - it times out SMTP response if reply is not in 250 status. Works perfectly with plain SMTP service and some other sink-based spam filters.

When "it's the pits" is actually GOOD

Exchange Security — Tue, 07 Dec 2004 00:39:00 GMT

<p>
Microsoft today released a hotfix for the Windows 2003 SMTP stack that provides tarpitting for SMTP.... The idea is that you install software that intentionally slows down SMTP throughput for bogus requests.
</p>

re: SMTP Session Tarpitting for Windows 2003 and Exchange

Bernd Kruczek — Tue, 07 Dec 2004 10:49:00 GMT

Great! But what value for tar pit would be the best?

re: SMTP Session Tarpitting for Windows 2003 and Exchange

Nino Bilic — Tue, 07 Dec 2004 17:36:00 GMT

Dmitry,

You are correct - I fixed the main post. Thanks for keeping us honest! :)

re: SMTP Session Tarpitting for Windows 2003 and Exchange

Peter — Tue, 07 Dec 2004 17:36:00 GMT

This sounds like a good idea but does it really work? Since address harvesting is automated would anyone really notice or care if a certain domain took longer than another?

re: SMTP Session Tarpitting for Windows 2003 and Exchange

Greg — Tue, 07 Dec 2004 18:38:00 GMT

Thanks for the feedback, all!

Peter: You are right in that tarpitting is not an end-all technique for stopping attacks. But raising the cost of an attack helps deter some of them and draws out the others such that a diligant administrator may have measures to detect the traffic and block the IP. So to answer your question, I'd argue that a e-mail organization whose accounts are being harvested would indeed care if it took longer to extract useful information, partially because it increases the chance that it can be detected and corrective measures to be taken.

Tarpitting isn't a replacement for, just something to be used in conjunction with other techniques such as limiting the number of connections per IP/Domain, RBL, address filtering, and traffic monitoring. As some of you might have guessed, there are scenarios where harvesting or mail abuse attacks can span multiple connections, sometimes from a distributed source. These scenarios should be considered as well.

Bernd, this is a very good question. A common number is about 5 seconds. However, if you are a gateway and you are confident that a large number of SMTP protocol errors your servers issue are due to one form of other of abuse, this value can certainly be increased. Keep in mind that a lot of mail servers and clients have a time limit associated with a SMTP session after which it may time out, so this should not be a very, very large value.

SMTP Tarpitting

Peter Schmidt — Tue, 07 Dec 2004 20:25:00 GMT

Referred on http://www.exchange-digest.com.

re: SMTP Session Tarpitting for Windows 2003 and Exchange

Dmitry Gromov — Wed, 08 Dec 2004 03:56:00 GMT

Cool!

Thanks for updating post... Would be great if KB article gets updated too ;-)

As for time setting, I'd suggest more like 30 sec. At least MS SMTP connection timeout is 10 min and other servers usually don't have it less then 1 min.

I'm planning to elaborate on this more in my blog soon...

re: SMTP Session Tarpitting for Windows 2003 and Exchange

Paul Robichaux — Thu, 09 Dec 2004 21:48:00 GMT

It looks like you only have to install the 885881 hotfix, then follow the directions in 842851 to configure tarpitting. Is that correct, or did I miss something subtle in one of the articles?

re: SMTP Session Tarpitting for Windows 2003 and Exchange

Reto — Tue, 14 Dec 2004 14:40:00 GMT

I've just installed package 885881, made the modification to the registry & restarted the smtp-servcie.
After that, people from outside the ex-org were unable to sent any e-mail to any ex-recipients. Everybody got an ndr, that states an authenticaion-error.
Does anybody encounter similar troubles?

re: SMTP Session Tarpitting for Windows 2003 and Exchange

Greg — Thu, 16 Dec 2004 02:57:00 GMT

To the best of my knowledge, the fix in 885881 should not influence authentication behavior. I'd check your existing authentication settings to see if a setting didn't take and was enacted when you recycled the service... otherwise I'd use message tracking to see where the message is blocked and drill in from there.

Messaging Security at Microsoft presentation

Eileen Brown's WebLog — Wed, 19 Jan 2005 21:17:00 GMT

re: Messaging Security at Microsoft presentation

Eileen Brown's WebLog — Thu, 20 Jan 2005 01:47:00 GMT

Exchange Error 0X8004010F - The Operation failed. An Object could not be found

Eileen Brown's WebLog — Thu, 17 Feb 2005 19:59:00 GMT

What to do in case of.... and

E-Bitz - SBS MVP the Official Blog of the SBS — Sat, 12 Mar 2005 10:06:00 GMT

What to do in case of.... and

E-Bitz - SBS MVP the Official Blog of the SBS — Sat, 12 Mar 2005 10:08:00 GMT

Microsoft Security Advisory (842851)

subject: exchange — Mon, 16 May 2005 12:30:22 GMT

Microsoft Security Advisory (842851)

subject: exchange — Mon, 16 May 2005 12:33:06 GMT

Approaches to fighting spam in an Exchange environment

Eileen Brown's WebLog — Wed, 15 Jun 2005 12:43:47 GMT

Greg presented this Technet evening for me last night.&nbsp; The topic was all about fighting spam -...

Resources for Webcast - Exchange Server 2003: Tips, Tricks, and Shortcuts (March 24, 2006)

Full of I.T. — Fri, 24 Mar 2006 20:36:11 GMT

Kevin&rsquo;s Webcast Resources:
Exchange Server 2003 &ndash; Tips, Tricks, and Shortcuts
Here are...