Microsoft Security Advisory (842851)

Purpose of Advisory: To clarify the purpose of the tar pit feature.

Advisory Status: A Knowledge Base Article and the tar pit feature are available.

Recommendation: Review the suggested actions and configure as appropriate.

This advisory discusses the following software.

What is the scope of the advisory?
This advisory clarifies the proper use and limits of the tar pit feature. Not all customers must or should use the tar pit feature. The tar pit feature does not correct a security vulnerability, but instead is an additional feature that may be useful for some customers.

What does the tar pit feature do?
SMTP tar pitting is the practice of artificially delaying server responses for certain SMTP communication patterns. These patterns are typically associated with spam traffic or other unwelcome messages, and usually the volume of communication involved in such an attack is very high. The intent of the feature is to slow down the communication process for unwelcome traffic. Tar pitting is a feature available not only in Microsoft Windows 2003 but also in other SMTP servers. It can be implemented in many different ways. The Windows 2003 SMTP tar pit feature allows an administrator to insert a configurable delay before returning some SMTP protocol error codes.

What SMTP threats can the tar pit feature help in dealing with?
The Windows 2003 tar pit feature may slow down the transmission of spam that is sent to large numbers of e-mail addresses that are not valid, thus preventing your server from unnecessarily processing large amounts of spam mail. There are other attacks that derive information from an SMTP server by generating large numbers of errors. For example, an e-mail harvest attack that uses a dictionary or list of possible e-mail addresses may deliberately generate errors or non-delivery reports to learn which e-mail addresses are valid in your organization. The tar pit feature does not prevent an attacker from conducting the attack altogether, but intends to slow down the rate of processing so that the attack becomes less worthwhile.

Are all SMTP servers susceptible to these types of threats?
Yes. This issue relates directly to limitations in the SMTP protocol. These limitations are not specific to any mail server or messaging system, such as Microsoft Exchange Server. This issue is an industry-wide problem. Microsoft and its partners are working with the respective standards bodies to improve the SMTP protocol.

Why don’t you block such attacks completely?
These attacks rely on ordinary and useful features of the SMTP protocol. To block such attacks entirely would require disabling important SMTP functionality. By slowing suspect communication, tar pitting reduces the cost effectiveness of spamming and address harvesting attacks.

Is this a security vulnerability that requires Microsoft to issue a security update?
No. The tar pit feature is an optional configuration that some customers may choose to deploy. This feature is not appropriate for all customers. For more information about this feature and how to appropriately configure it, see Microsoft Knowledge Base Article 842851.

What versions of Exchange Server are associated with this advisory?
This advisory addresses features in Microsoft Exchange Server 2003 and Exchange Server 2003 Service Pack 1.

Review the Microsoft Knowledge Base Article that is associated with the tar pit feature

Customers who are interested in learning more about the tar pit feature should review Microsoft Knowledge Base Article 842851.