Today I saw a huge amount of “current sessions” in the SMTP Virtual Server of Exchange 2003 on a SBS 2003 server. These sessions had connection time values exceeding 180,000 seconds (50 hours). Wow! Well, I just right-clicked and terminated them, but that didn’t address the root cause. The consensus on this is that a directory harvest attack is being perpetrated. At the time this server was configured to wait 10 seconds before sending 5.x.x error responses (tar pit feature). Now I’ve increased that to 30 seconds in hopes of seeing this be reduced. If not, I may have to either drop the backup mail server or switch to one that does recipient filtering. After researching this I found two resources I want to record.
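As an added illustration (not code from this post or from Microsoft), the script below runs a simple directory-harvest check over constructed RCPT log lines and estimates how much waiting the tar pit imposes on a sender that keeps guessing invalid recipients. The log format, IPs, addresses and thresholds are all assumptions for the example, not real Exchange 2003 SMTP log output.

```python
import re
from collections import defaultdict

# Constructed sample log lines (simplified format, not real Exchange output):
# <time> <client-ip> RCPT <recipient> <smtp-status>
SAMPLE_LOG = """\
2006-03-01T10:00:01 203.0.113.7 RCPT aaron@example.com 550
2006-03-01T10:00:12 203.0.113.7 RCPT abby@example.com 550
2006-03-01T10:00:23 203.0.113.7 RCPT adam@example.com 550
2006-03-01T10:00:34 203.0.113.7 RCPT admin@example.com 250
2006-03-01T10:00:45 203.0.113.7 RCPT alan@example.com 550
2006-03-01T10:01:00 198.51.100.4 RCPT sales@example.com 250
2006-03-01T10:01:30 198.51.100.4 RCPT info@example.com 250
"""

LINE_RE = re.compile(r"^(\S+) (\S+) RCPT (\S+) (\d{3})$")

def summarize_rcpt(log_text):
    """Return {client_ip: {"accepted": n, "rejected": n}} from RCPT records."""
    stats = defaultdict(lambda: {"accepted": 0, "rejected": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a RCPT record
        ip, status = m.group(2), m.group(4)
        key = "rejected" if status.startswith("5") else "accepted"
        stats[ip][key] += 1
    return dict(stats)

def flag_harvesters(stats, min_rejects=3, min_reject_ratio=0.5):
    """IPs whose stream of 5.x.x RCPT rejections looks like address guessing."""
    flagged = []
    for ip, s in stats.items():
        total = s["accepted"] + s["rejected"]
        if s["rejected"] >= min_rejects and s["rejected"] / total >= min_reject_ratio:
            flagged.append(ip)
    return sorted(flagged)

def tarpit_delay_seconds(rejected_count, tarpit_seconds):
    """Minimum time a sender spends waiting: one tar pit delay per rejected RCPT."""
    return rejected_count * tarpit_seconds

if __name__ == "__main__":
    stats = summarize_rcpt(SAMPLE_LOG)
    for ip in flag_harvesters(stats):
        r = stats[ip]["rejected"]
        print(f"{ip}: {r} rejected RCPTs; tar pit 10s -> {tarpit_delay_seconds(r, 10)}s, "
              f"30s -> {tarpit_delay_seconds(r, 30)}s")
```

With the post's 10-second setting, a session that has collected 18,000 rejections has spent at least 180,000 seconds in tar pit delays, which matches the connection times seen above.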
Microsoft has a nice article that covers much more than directory harvest attacks and explains the pros and cons of these tools. This is critical, since there are tangible consequences whenever you change the server's filtering behavior.
Next is a conversation discussing the root causes I had seen and why the tar pit value comes into play: