KB ID 0000549
With Exchange 2003 tarpitting was turned on post SP2 with a registry hack, with newer versions of Exchange it is enabled by default.
What is Tarpitting?
This is a method to stop a mail sender sending you multiple mail requests, it was designed to stop miscreant from carrying out either a :-
Directory Harvest Attack : Attempting to find out legitimate emails on your email server by randomly sending emails to loads of randomly generated names, that might exist on your Exchange Server. if they get an NDR back they know the address does not exist, if they do not get an NDR they will log that address and start sending spam to it.
Essentially a denial of service on your mail server, this can be a result of a Directory Harvest Attack, insofar as your outbound mail queues fill up with thousands of NDR’s and the server slowly grinds to a halt.
To stop this from happening we have a system called Tarpitting, this stops a remote sender, from sending multiple emails one after the other. It imposes a time limit between emails from a sender (5 Seconds by default). The net result of this is, it’s far to expensive and time consuming to attack you, so the spammers and script kiddies will go elsewhere.
To find out what your tarpitting settings are
1. As said above the default setting for all receive connectors is 5 seconds, to verify your is still set the same way as it was when you installed issue the following command;
2. Above you can see all the receive connectors are set to 5 seconds.
To disable Tarpitting for all Receive Connectors
1. Tarpitting is a good thing and should be enabled so normally I’d only advocate doing this so you can test/troubleshoot a problem. Issue the following command;
2. Now you can see all connectors are set to 00:00:00 (Disabled).
To change the Tarpit settings for a specific Receive Connector
1. If you want to alter the default timing of 5 seconds, you can sett it in an HH:MM:SS format like so;
2. Now the Default connector (Default DC2A) is set to 10 seconds and the rest remain at 5 seconds.
To disable Tarpitting for specific Receive Connectors
1. As said above tarpitting is a good thing and should be enabled, so normally I’d only advocate doing this so you can test/troubleshoot a problem. Issue the following command;
2. Now the default connector (Default DC2A) has no tarpitting and the rest remain at the default value of 5 seconds.
Related Articles, References, Credits, or External Links