Subscribe to our Newsletter. The latest news and articles delivered to your Inbox!
A Software Development Consultant with over 20 years of experience. Many of his projects involved Exchange integrated applications, including a FAX server, a mail security product and anti-spam products.
Exchange 2003 Recipient Filtering can eliminate spam addressed to invalid recipients. Nevertheless unless we are careful this can make us easier target for directory harvesting attacks.
Exchange 2003 added various anti-spam features helping organizations to curb down spam. However, one of these features increases the exposure to directory harvesting attacks. Today we look at this threat and how to mitigate it through tar pitting.
A directory harvesting attack is intended to discover valid email addresses of the targeted domain. This enables spammers and malware distributors to identify addresses to which emails can be sent.
A typical attack involves bombarding a domain with emails sent to various common recipient addresses. The attacker collects the responses received from the targeted SMTP server. Invalid addresses would return a rejection response whereas valid addresses are accepted.
Many organizations have someone called Bob, John, Jeff, Bill etc. Also many organizations have generic mailboxes such as email@example.com and firstname.lastname@example.org. Thus the attacker only requires a list of common aliases to perform this type of attack.
Exchange 2003 provides the ability to reject emails addressed to recipients not located within Active Directory. It also includes a list of recipients for whom emails are to be blocked. This functionality is available under Recipient Filtering and may be configured as follows:
From the Exchange System Manager open the Global Settings | Message Delivery properties.
Select the Recipient filtering tab, and select the 'Filter recipients who are not in the Directory' checkbox.
Next we need to enable Recipient filtering from the SMTP Virtual Server properties. In case of multiple virtual servers this must be done for each of them.
From the General property page click the Advanced button.
Select the IP/Port pair through which incoming email is received and click on Edit. Again when multiple entries are listed, this may need to be repeated for each of them.
Set the 'Apply Recipient Filter' checkbox and save changes.
This filter now tries to reject invalid email addresses as quickly as possible. This may sound very efficient. But in fact it is exactly what an attacker wants. In this manner huge address lists may be verified in a matter of a few minutes.
Tar pitting functionality was made available with Windows Server 2003 SP1. It extends the IIS SMTP server functionality and not Exchange. Nevertheless, since Exchange sits on top of this SMTP server, tar pitting also protects Exchange SMTP traffic.
Tar pitting protection simply introduces a delay to rejection responses. Whenever a recipient is rejected with a 5xx response, the sending end is kept on hold for a number of seconds before the response is dispatched. A directory harvesting attack will unavoidably cause many rejections. Thus this delay drastically slows down the attack. In turn an attack becomes impractical since it would take too long for it to be completed.
This type of protection does have a side-effect. The responses are also delayed for rejections concerning legitimate senders. Keep in mind that misspelling an email address is still a common mistake. Thus one should not consider all rejected emails to be spam.
Tar pitting is by default disabled. Enabling it requires setting a registry value specifying the number of seconds used for the delay. One should avoid going to extremes here. Keep in mind that legitimate senders will also be affected. The MS KB article discussing tar pitting (see references) uses a 5 seconds delay, which is reasonable.
Here are the details for the Registry value:
Value Name: TarpitTime
Value Type: DWORD
I also prepared a registry script that when imported enables tar pitting and sets the delay to 5 seconds. You may want to adjust the delay as necessary.
Follow the link at the downloads section to get a copy of the script.
Once the registry value is set, restart the Simple Mail Transport Protocol (SMTP) service in order to activate the functionality.
Rejecting spam addressed to invalid recipients is very handy. It minimizes the impact of spam and shifts the responsibility of NDR generation on the sending end. Recipient Filtering provides the functionality allowing us to do just that. Nevertheless one should be aware of the increased exposure to directory harvesting attacks.
Combining Recipient Filtering with tar pitting hardens Exchange against such attacks whilst invalid recipients are still rejected. Finally tar pitting is no magic potion and will also affect legitimate senders. Thus one should be careful not to excessively degrade the server responsiveness.
SMTP tar pit feature for Microsoft Windows Server 2003
Microsoft Security Advisory (842851)