
Tar Pitting Directory Harvesting Attacks

Alexander Zammit


Alexander Zammit has been developing server applications for over 15 years. Most of his works involve Exchange integrated applications, including a FAX server, a mail security product and anti-spam products.

  • Published: Mar 22, 2006
  • Category: Security, Anti-Spam

Exchange 2003 Recipient Filtering can eliminate spam addressed to invalid recipients. Nevertheless, unless we are careful, this can make us an easier target for directory harvesting attacks.

Exchange 2003 added various anti-spam features that help organizations curb spam. However, one of these features increases the exposure to directory harvesting attacks. Today we look at this threat and how to mitigate it through tar pitting.

Typical Directory Harvesting Attack

A directory harvesting attack is intended to discover valid email addresses of the targeted domain. This enables spammers and malware distributors to identify addresses to which emails can be sent.

A typical attack involves bombarding a domain with emails sent to various common recipient addresses. The attacker collects the responses received from the targeted SMTP server. Invalid addresses return a rejection response, whereas valid addresses are accepted.

Many organizations have someone called Bob, John, Jeff, Bill, etc. Many organizations also have generic mailboxes such as support@domain.com and sales@domain.com. Thus the attacker only requires a list of common aliases to perform this type of attack.

The Weak Link - Recipient Filtering

Exchange 2003 provides the ability to reject emails addressed to recipients not found in Active Directory. It also lets you maintain a list of recipients for whom email is to be blocked. This functionality is available under Recipient Filtering and may be configured as follows:

  1. From the Exchange System Manager open the Global Settings | Message Delivery properties.

    Message Delivery Properties

  2. Select the Recipient filtering tab, and select the 'Filter recipients who are not in the Directory' checkbox.

    Recipient Filtering

  3. Next we need to enable Recipient filtering from the SMTP Virtual Server properties. If there are multiple virtual servers, this must be done for each of them.

    SMTP Virtual Server

  4. From the General property page click the Advanced button.

    SMTP Virtual Server General Properties

  5. Select the IP/Port pair through which incoming email is received and click on Edit. Again, when multiple entries are listed, this may need to be repeated for each of them.

    Advanced Options

  6. Set the 'Apply Recipient Filter' checkbox and save changes.

    Apply Recipient Filter

This filter now rejects invalid email addresses as quickly as possible. That may sound very efficient, but it is exactly what an attacker wants: every RCPT TO probe gets an immediate accept or reject, so huge address lists can be verified in a matter of minutes.
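The burst of fast rejections that a harvesting run produces is visible in the IIS SMTP service logs. The following PowerShell is an added example (not from the original article or its author): it flags any client IP that collects several 5xx RCPT TO replies within a short window, while leaving a single mistyped address from a legitimate sender alone. The log field layout and the log lines are assumed and constructed for this example; the threshold and window are tuning assumptions.

```powershell
# Added example: detect a directory harvesting burst in IIS SMTP W3C logs.
# Field layout assumed (W3C extended fields, '+' encodes a space); log lines constructed.
$sampleLog = @'
#Fields: date time c-ip cs-method cs-uri-query sc-status
2006-03-22 10:15:01 198.51.100.7 RCPT +TO:+<bob@example.com> 550
2006-03-22 10:15:01 198.51.100.7 RCPT +TO:+<john@example.com> 550
2006-03-22 10:15:02 198.51.100.7 RCPT +TO:+<jeff@example.com> 550
2006-03-22 10:15:02 198.51.100.7 RCPT +TO:+<sales@example.com> 250
2006-03-22 10:15:02 198.51.100.7 RCPT +TO:+<bill@example.com> 550
2006-03-22 10:15:03 198.51.100.7 RCPT +TO:+<admin@example.com> 550
2006-03-22 10:20:44 203.0.113.9 RCPT +TO:+<suport@example.com> 550
'@

function Find-HarvestingSources {
    param([string[]]$Lines, [int]$Threshold = 5, [int]$WindowSeconds = 60)   # assumed tuning
    $fields = @()
    $rejects = foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if ($line -like '#*' -or -not $line.Trim()) { continue }
        $cols = $line -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $cols.Count); $i++) { $rec[$fields[$i]] = $cols[$i] }
        # Only recipient checks the server refused (5xx) matter here.
        if ($rec['cs-method'] -ne 'RCPT' -or $rec['sc-status'] -notmatch '^5\d\d$') { continue }
        [pscustomobject]@{
            Ip        = $rec['c-ip']
            Time      = [datetime]::ParseExact("$($rec['date']) $($rec['time'])", 'yyyy-MM-dd HH:mm:ss', $null)
            Recipient = $rec['cs-uri-query'] -replace '^\+?TO:\+?', ''
        }
    }
    foreach ($group in ($rejects | Group-Object Ip)) {
        $sorted = @($group.Group | Sort-Object Time)
        # Sliding window: report the IP once $Threshold consecutive rejections fall inside $WindowSeconds.
        for ($i = 0; $i + $Threshold - 1 -lt $sorted.Count; $i++) {
            $span = ($sorted[$i + $Threshold - 1].Time - $sorted[$i].Time).TotalSeconds
            if ($span -le $WindowSeconds) {
                [pscustomobject]@{
                    Ip                 = $group.Name
                    Rejections         = $sorted.Count
                    DistinctRecipients = @($sorted.Recipient | Sort-Object -Unique).Count
                    FirstSeen          = $sorted[0].Time
                }
                break
            }
        }
    }
}

# 198.51.100.7 is reported (5 rejections in 2 s); the lone typo from 203.0.113.9 is not.
Find-HarvestingSources -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

On a production server, replace the constructed `$sampleLog` with `Get-Content` of the SMTP service's W3C log file and tune the threshold to your own rejection baseline.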

Tar Pitting to the Rescue

Tar pitting functionality was made available with Windows Server 2003 SP1. It is a feature of the IIS SMTP service rather than of Exchange itself. Nevertheless, since Exchange sits on top of this SMTP server, tar pitting also protects Exchange SMTP traffic.

Tar pitting protection simply introduces a delay before rejection responses. Whenever a recipient is rejected with a 5xx response, the sending end is kept waiting for a number of seconds before the response is sent. A directory harvesting attack unavoidably causes many rejections, so this delay drastically slows down the attack. In turn the attack becomes impractical, since it would take too long to complete.

This type of protection does have a side-effect: responses are also delayed for rejections concerning legitimate senders. Keep in mind that misspelling an email address is still a common mistake, so one should not consider all rejected emails to be spam.

Tar pitting is disabled by default. Enabling it requires setting a registry value specifying the number of seconds used for the delay. One should avoid going to extremes here, keeping in mind that legitimate senders will also be affected. The MS KB article discussing tar pitting (see references) uses a 5-second delay, which is reasonable.

Here are the details for the Registry value:
Key: HKLM\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters
Value Name: TarpitTime
Value Type: DWORD
Value Data: the delay in seconds (a value of 0, or a missing value, leaves tar pitting disabled)

I also prepared a registry script that when imported enables tar pitting and sets the delay to 5 seconds. You may want to adjust the delay as necessary. Follow the link at the downloads section to get a copy of the script.

Once the registry value is set, restart the Simple Mail Transfer Protocol (SMTP) service in order to activate the functionality.
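The registry change and service restart described above, as an added PowerShell example (not the article's own registry script): it reports the current state, writes the TarpitTime DWORD and restarts the SMTP service. It assumes an elevated session on the Windows Server 2003 SP1 (or later) SMTP host; the 1..30 second sanity range is this example's own assumption.

```powershell
# Added example: enable SMTP tar pitting via the registry value the article describes.
# Assumes an elevated PowerShell session on the IIS/Exchange 2003 SMTP host.
param(
    [int]$TarpitSeconds = 5   # the delay used by the MS KB article; adjust with care
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters'
$valueName = 'TarpitTime'

# Sanity bound (assumed): long delays punish legitimate senders who mistype an address.
if ($TarpitSeconds -lt 1 -or $TarpitSeconds -gt 30) {
    throw "TarpitTime of $TarpitSeconds s is outside the 1..30 s range used here"
}
if (-not (Test-Path $keyPath)) {
    throw "SMTP service parameters key not found; is the IIS SMTP service installed?"
}

# Report the current state: a missing value (the default) or 0 means tar pitting is off.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current -or $current -eq 0) {
    Write-Host 'Tar pitting is currently disabled'
} else {
    Write-Host "TarpitTime currently $current s"
}

# Create or overwrite the DWORD value with the chosen delay in seconds.
Set-ItemProperty -Path $keyPath -Name $valueName -Value $TarpitSeconds -Type DWord

# The SMTP service reads the value at start-up, so restart it to activate the change.
Restart-Service -Name SMTPSVC -Force

# Read back what the service will now use.
$applied = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
Write-Host "TarpitTime set to $applied s; SMTPSVC restarted"
```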

Final Points

Rejecting spam addressed to invalid recipients is very handy. It minimizes the impact of spam and shifts the responsibility for NDR generation to the sending end. Recipient Filtering provides the functionality allowing us to do just that. Nevertheless, one should be aware of the increased exposure to directory harvesting attacks.

Combining Recipient Filtering with tar pitting hardens Exchange against such attacks whilst invalid recipients are still rejected. Finally, tar pitting is no magic potion and will also affect legitimate senders. Thus one should be careful not to degrade the server's responsiveness excessively.

References

SMTP tar pit feature for Microsoft Windows Server 2003

Microsoft Security Advisory (842851)
