Email SPAM lesson – SMTP Tar Pit feature

Today I saw a huge number of “current sessions” in the SMTP Virtual Server of Exchange 2003 on an SBS 2003 server. These sessions had connection time values exceeding 180,000 seconds (50 hours). Wow! Well, I just right-clicked and terminated them, but that didn’t address the root cause. The consensus is that a directory harvest attack is being perpetrated. At the time this server was configured to wait 10 seconds before sending 5.x.x error responses (the tar pit feature). I’ve now increased that to 30 seconds in the hope of seeing this reduced. If not, I may have to either drop the backup mail server or switch to one that does recipient filtering. After researching this I found two resources I want to record.
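To make the mechanism concrete, here is an added Python example that is not from this post, from Microsoft, or from Exchange itself. It models what the tar pit does (hold back the 5.x.x reply for an unknown recipient for a configurable number of seconds while accepting valid recipients immediately), shows how the cost of a harvest run grows with the delay, and then runs a simple harvest detector over a few constructed SMTP log lines. The mailbox list, the log line layout and the exact reply wording are assumptions for the example, not the Exchange protocol log format.

```python
import re
import time
from collections import Counter

# Constructed sample of valid mailboxes for the simulated server (not from the post).
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}


def rcpt_response(recipient, valid_recipients, tarpit_seconds, sleep=time.sleep):
    """Return the SMTP reply for one RCPT TO command, applying a tar pit delay.

    Mirrors the behaviour the post describes: a 5.x.x reply for an unknown
    recipient is held back for ``tarpit_seconds`` before it is sent, while a
    valid recipient is accepted immediately.  ``sleep`` is injectable so the
    logic can be exercised without real waiting.
    Returns (reply_line, seconds_delayed).
    """
    if recipient.lower() in valid_recipients:
        return "250 2.1.5 Recipient OK", 0.0
    sleep(tarpit_seconds)  # the tar pit: every failed probe waits this long
    return "550 5.1.1 User unknown", float(tarpit_seconds)


def harvest_cost(probes, valid_recipients, tarpit_seconds):
    """Total seconds a single-connection harvester spends on ``probes``.

    Cost grows linearly with the number of guessed addresses, while a
    legitimate sender whose recipients all exist pays nothing.
    """
    total = 0.0
    for addr in probes:
        _, delay = rcpt_response(addr, valid_recipients, tarpit_seconds,
                                 sleep=lambda s: None)
        total += delay
    return total


# Constructed log format (hypothetical, not the Exchange protocol log layout):
#   <ISO timestamp> <client-ip> RCPT <address> <smtp-code>
LOG_LINE = re.compile(r"^\S+ (?P<ip>\d+\.\d+\.\d+\.\d+) RCPT \S+ (?P<code>\d{3})$")

SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 RCPT aaron@example.com 550
2024-01-01T10:00:10 203.0.113.5 RCPT abby@example.com 550
2024-01-01T10:00:20 203.0.113.5 RCPT adam@example.com 550
2024-01-01T10:00:30 203.0.113.5 RCPT alice@example.com 250
2024-01-01T10:00:40 203.0.113.5 RCPT alan@example.com 550
2024-01-01T10:01:00 198.51.100.7 RCPT bob@example.com 250
2024-01-01T10:01:05 198.51.100.7 RCPT alice@example.com 250
2024-01-01T10:01:09 198.51.100.7 RCPT bobb@example.com 550
"""


def find_harvesters(log_text, min_failures=3, max_success_ratio=0.5):
    """Flag client IPs whose RCPT pattern looks like a directory harvest.

    A harvester produces many 5xx recipient rejections and few acceptances;
    a legitimate sender with a single typo does not.  Returns a dict of
    ip -> (rejected, accepted) for the IPs that cross both thresholds.
    """
    rejected, accepted = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, code = m.group("ip"), m.group("code")
        if code.startswith("5"):
            rejected[ip] += 1
        elif code.startswith("2"):
            accepted[ip] += 1
    flagged = {}
    for ip in set(rejected) | set(accepted):
        r, a = rejected[ip], accepted[ip]
        if r >= min_failures and a / (r + a) <= max_success_ratio:
            flagged[ip] = (r, a)
    return flagged


if __name__ == "__main__":
    probes = [p + "@example.com" for p in ("aaron", "abby", "adam", "alice", "alan")]
    for secs in (10, 30):
        print(f"tarpit {secs}s: harvester spends "
              f"{harvest_cost(probes, VALID_RECIPIENTS, secs):.0f}s on {len(probes)} guesses")
    print("flagged:", find_harvesters(SAMPLE_LOG))
```

With the post's two settings, the same five-address probe costs the harvester 40 seconds at a 10-second tar pit and 120 seconds at 30 seconds, which is the whole point of raising the value: legitimate mail to real mailboxes is never delayed, only the guesses are. The detector deliberately keys on the ratio of rejections to acceptances per client rather than on rejections alone, so a real sender who mistypes one address is not flagged.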

Microsoft has a nice article that covers much more than directory harvest attacks and explains the pros and cons of these tools. This is critical, since there are tangible consequences whenever you change the server’s filtering behavior.

http://support.microsoft.com/kb/842851

Next is a newsgroup conversation discussing the root causes I had seen and why the tar pit value comes into play:

http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windows.server.sbs&tid=60571985-8ff6-4d10-b8aa-4606c5b234b6&cat=&lang=&cr=&sloc=&p=1
