When Tar Is Your Friend

Spammers send spam because they make money at it. In fact, if you ever want to get your blood up, try reading a book such as "Inside the Spam Cartel" (Syngress) or "Spam Kings" (O'Reilly), which detail the myriad sleazy tricks that spammers use. Of course, as an Exchange Server administrator, you already know the number-one trick: Spammers send a lot of mail that contains forged sender and recipient addresses. Even though filtering these bogus addresses is relatively straightforward, doing so consumes your resources, not the spammers', and throwing inbound spam on the floor doesn't do anything to discourage future outbursts.

What if you could make spamming uneconomical for the spammer? If you could somehow make each bogus delivery attempt take an unreasonable amount of time--say, 30 seconds--a spammer who wanted to send your organization 10,000 messages would need a little more than 83 hours to do so. Intentionally slowing down or delaying illegitimate connections is a process known as "tarpitting," and it has an illustrious history. Until now, tarpitting software has generally been available only to UNIX mail administrators. But this week, Microsoft released a Windows Server 2003 SMTP service hotfix that lets you tarpit incoming SMTP messages that have been sent to nonexistent addresses. The change doesn't affect legitimate senders or messages sent by authenticated users, but it drastically affects directory-harvest attacks, password-cracking attacks, and scripted spam runs. The tarpit delay is adjustable, so you can select the degree of punishment you want to hand out to spammers who try to flood your server.

To install the tarpit capability, you need two components. The first is Microsoft Security Bulletin MS04-035 (Vulnerability in SMTP Could Allow Remote Code Execution--885881), which fixes a remote code execution vulnerability in the Windows 2003 SMTP server (go to http://support.microsoft.com/?kbid=885881 for details). The second component is the hotfix that provides the tarpit support; that fix is available via the Microsoft article "A security update is available to help prevent the enumeration of Exchange Server 2003 e-mail addresses" (http://support.microsoft.com/?kbid=842851). After you install these components--which work only on Exchange Server 2003 running on Windows 2003--you can add a new REG_DWORD registry entry, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SmtpSvc\Parameters\TarpitTime. Set the entry's value to the number of seconds of delay that you want to impose on spam requests. After setting the TarpitTime value, stop and restart the SMTP service. That's it!
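
One way to script the registry change and service restart described above, as an added example that is not part of the original article or of Microsoft's documentation. It assumes an elevated session with Windows PowerShell 2.0 or later installed on the server; the 5-second default and the 0-3600 range check are illustrative choices, and the service name is taken from the name of the registry key.

```powershell
# Added example: set the TarpitTime value and restart the SMTP service.
# Assumptions: elevated session, Windows PowerShell 2.0+, both updates installed.
param(
    # Delay in seconds. The default and the range limit are illustrative choices.
    [ValidateRange(0, 3600)]
    [int]$TarpitSeconds = 5
)

$ErrorActionPreference = 'Stop'
$service = 'SmtpSvc'   # a service's name is the name of its key under ...\Services
$key     = "HKLM:\SYSTEM\CurrentControlSet\Services\$service\Parameters"
$name    = 'TarpitTime'

if (-not (Test-Path $key)) {
    throw "Registry key $key not found; the SMTP service does not appear to be installed."
}

# Capture the previous value (empty if the entry did not exist) for rollback.
$old = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

# -Force overwrites an existing entry and guarantees the REG_DWORD type.
New-ItemProperty -Path $key -Name $name -PropertyType DWord `
    -Value $TarpitSeconds -Force | Out-Null

# Read the value back before touching the service.
$new = (Get-ItemProperty -Path $key -Name $name).$name
if ($new -ne $TarpitSeconds) {
    throw "TarpitTime read back as '$new', expected $TarpitSeconds."
}

# The setting takes effect only after the SMTP service is restarted.
Restart-Service -Name $service
$status = (Get-Service -Name $service).Status

# Emit a small record of the change for the administrator's change log.
New-Object PSObject -Property @{
    Previous = $old; Current = $new; ServiceStatus = $status
}
```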

The tarpit feature works on Windows 2003's SMTP server too, so if you're using it as a front end to your Exchange servers (perhaps with a dedicated SMTP virus scanner), you can still use the feature. However, when you install the feature on an Exchange 2003 server, you can use recipient filtering to gain more granular control.

The tarpit feature doesn't block messages sent to valid recipients, even if those messages are spam, so it isn't a complete antispam solution in and of itself. However, its release as a standalone hotfix bodes well for the kinds of transport control and antispam features we're likely to see in future Exchange releases and shows that Microsoft is paying attention to measures that have been successful in reducing spam in the wider messaging community.
