Enabling SMTP Tarpitting in Windows 2003
It's no secret that Windows 2003 now includes a mechanism to enable SMTP
Tarpitting. Tarpitting is, in short, delaying the response (5.x.x
response, specifically) your server sends after a certain number of
invalid RCPT TO: commands. With each invalid name submitted, the delay
will grow longer. What does this accomplish? It makes e-mail
operations more expensive for spammers. Why? They thrive on the
ability to send as many e-mails as possible in a given period of time.
If you make it so they can't send as many e-mails, the operations become
more expensive. Does it stop them? No, but it may thwart their efforts
a bit, especially in sending spam to *your* domain. Now, in order to be
useful, you have to enable Recipient Filtering, and specifically, the
option to "Filter Recipients who are not in the Directory". This is
really the only way that tarpitting will work, because with the
recipient filter enabled, Exchange will issue a 5.1.1 response
indicating "User Unknown". Tarpitting delays those 5.1.1 responses.
Another reason that tarpitting can be very useful is to prevent
Directory Harvesting Attacks. If you simply enable recipient filtering,
it's possible that a spammer can harvest your list of users simply by
brute force spamming your domain. Since invalid users would immediately
generate the 5.1.1 error, it wouldn't be that hard to make a list of
those addresses that are valid. I'm sure that it would take a bit of
time to accumulate that list, but what do they care? By implementing
tarpitting, you make the likelihood of someone successfully harvesting
the list of users much less likely. It doesn't make it impossible, but
much less likely.
http://support.microsoft.com/?id=842851 describes how to implement SMTP
Tarpitting in Windows 2003, but what it doesn't mention is that in order
to use tarpitting, you actually need to have a hotfix installed. That
hotfix is mentioned in http://support.microsoft.com/kb/899492. While
KB842851 has a link to this article, there is nothing that states that
you need the hotfix. This hotfix is actually included in Windows 2003
SP1, so if you don't want to call PSS and ask for the hotfix, simply
make sure that you are running Windows 2003 SP1.