TarpitTime has been implemented

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2007-02-21

The Microsoft® Exchange Server Analyzer Tool reads the following registry entry to determine whether the tar pit feature of recipient filtering has been set:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SMTPSvc\Parameters\TarpitTime

If the Exchange Server Analyzer finds that the value for TarpitTime is larger than 0 (zero), the Exchange Server Analyzer displays a non-default message.

Tar pitting is the practice of intentionally slowing down or delaying illegitimate connections to reduce the rate at which automated spam can be sent or at which a dictionary harvest attack can be conducted.

The tar pit feature that is available in Microsoft Windows Server™ 2003 Service Pack 1 (SP1) can be added to work with recipient filtering as described in the Microsoft Knowledge Base article 842851, "SMTP tar pit feature for Microsoft Windows Server 2003" (https://go.microsoft.com/fwlink/?LinkId=3052&kbid=842851). Specifically, the tar pit feature extends the usefulness of recipient filtering when the Filter recipients who are not in the Directory check box is selected on the Recipient Filtering tab in Global Settings.

The tar pit feature is implemented by setting the TarpitTime registry subkey. The TarpitTime registry subkey takes a decimal value. The decimal value translates to the number of seconds the SMTP session waits to respond to a sender when a recipient does not exist in the target Exchange Server organization.

Tar pit functionality makes it much more difficult for spammers who send unsolicited mail to automate a directory harvest attack. A directory harvest attack is an attempt to retrieve a list of known good e-mail addresses from a particular organization.

The SMTP protocol acknowledges acceptable recipients during an SMTP session by returning "2.1.5 Recipient OK." In the case where an unknown recipient is sent mail, the SMTP protocol returns a "5.x.x" error. Therefore, a spammer can write an automated program that uses common names or dictionary terms to construct e-mail addresses to a specific domain. The program can then collect all e-mail addresses that return "2.1.5 Recipient OK," and discard all e-mail address that cause "5.x.x" errors. The spammer can then sell the "good" e-mail addresses or use them as recipients for unsolicited mail.

If the Filter recipients who are not in the Directory check box is selected, but the TarpitTime registry subkey is not set, Exchange Server immediately returns a "5.x.x" error during the SMTP session to the sender when a recipient does not exist in the target Active Directory® directory service.

Alternatively, if the TarpitTime registry subkey is set, and the Filter recipients who are not in the Directory check box is selected, SMTP waits before returning the "5.x.x" error. The decimal value that is entered for the TarpitTime registry subkey is the number of seconds that SMTP will wait before returning the error. This pause in the SMTP session makes automating a directory harvest attack much more difficult.

As mentioned previously, the Exchange Server Analyzer displays a non-default message if the TarpitTime registry subkey is set. This message is for informational purposes only.

Important

This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore the registry if a problem occurs. For information about how to restore the registry, view the "Restore the Registry" Help topic in Regedit.exe or Regedt32.exe.

To view or change the TarpitTime registry subkey

  1. Click Start, click Run, type regedit in the Open box, and then click OK.

  2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters\TarpitTime

  3. The Value data box contains a decimal number. This value represents the number of seconds that you want to delay SMTP address verification responses for each address that does not exist in Active Directory.

  4. If you change the value or delete the TarpitTime registry subkey, you must restart the Simple Mail Transport Protocol (SMTP) Service.

For more information, see the Microsoft Knowledge Base article 842851, "SMTP tar pit feature for Microsoft Windows Server 2003" (https://go.microsoft.com/fwlink/?LinkId=3052&kbid=842851).