Microsoft Security Advisory 842851

Clarification Of The SMTP Tar Pit Feature That Is Provided For Exchange Server 2003 in Windows Server 2003 Service Pack 1

Published: May 10, 2005

Microsoft is releasing this security advisory to inform customers about the tar pit feature included in Windows Server 2003 Service Pack 1. This feature was previously available from Microsoft Product Support Services (PSS) as an update.

Microsoft does not require or recommend that all customers implement this feature. It has been provided as an option for reducing the effectiveness of certain attacks that utilize standard features of the Simple Mail Transfer Protocol (SMTP). By default, the tar pit feature is disabled. The tar pit feature is one option available to help combat threats when using the SMTP protocol.

General Information

Overview

Purpose of Advisory: To clarify the purpose of the tar pit feature.

Advisory Status: A Knowledge Base Article and the tar pit feature are available.

Recommendation: Review the suggested actions and configure as appropriate.

References: Knowledge Base Article 842851

This advisory discusses the following software.

Related Software
Microsoft Windows Server 2003
Microsoft Windows Server 2003 Service Pack 1
Microsoft Exchange Server 2003
Microsoft Exchange Server 2003 Service Pack 1

Frequently Asked Questions

What is the scope of the advisory?
This advisory clarifies the proper use and limits of the tar pit feature. Not all customers must or should use the tar pit feature. The tar pit feature does not correct a security vulnerability, but instead is an additional feature that may be useful for some customers.

What does the tar pit feature do?
SMTP tar pitting is the practice of artificially delaying server responses for certain SMTP communication patterns. These patterns are typically associated with spam traffic or other unwelcome messages, and usually the volume of communication involved in such an attack is very high. The intent of the feature is to slow down the communication process for unwelcome traffic. Tar pitting is a feature available not only in Microsoft Windows 2003 but also in other SMTP servers. It can be implemented in many different ways. The Windows 2003 SMTP tar pit feature allows an administrator to insert a configurable delay before returning some SMTP protocol error codes.

What SMTP threats can the tar pit feature help in dealing with?
The Windows 2003 tar pit feature may slow down the transmission of spam that is sent to large numbers of e-mail addresses that are not valid, thus preventing your server from unnecessarily processing large amounts of spam mail. There are other attacks that derive information from an SMTP server by generating large numbers of errors. For example, an e-mail harvest attack that uses a dictionary or list of possible e-mail addresses may deliberately generate errors or non-delivery reports to learn which e-mail addresses are valid in your organization. The tar pit feature does not prevent an attacker from conducting the attack altogether, but is intended to slow down the rate of processing so that the attack becomes less worthwhile.
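
The delay mechanism described in the two answers above, modelled as an added example (not Microsoft's code and not part of the advisory): a session handler that waits a configurable number of seconds before returning an error reply. Delaying every 5xx reply, the class and function names, and the sample addresses are assumptions made for illustration.

```python
import time

class TarpitSession:
    """Model of one SMTP session on a server that delays error replies."""
    def __init__(self, valid_recipients, tarpit_seconds=0, sleep=time.sleep):
        self.valid = {a.lower() for a in valid_recipients}
        self.tarpit_seconds = tarpit_seconds  # 0 = feature disabled (the default)
        self.sleep = sleep                    # injectable so the demo does not wait
        self.delayed = 0                      # total seconds of delay imposed

    def _reply(self, code, text):
        # Assumption: every 5xx reply is delayed; 2xx replies never are.
        if code >= 500 and self.tarpit_seconds > 0:
            self.sleep(self.tarpit_seconds)
            self.delayed += self.tarpit_seconds
        return f"{code} {text}"

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return self._reply(250, "Hello")
        if verb == "MAIL" and arg.upper().startswith("FROM:"):
            return self._reply(250, "Sender OK")
        if verb == "RCPT" and arg.upper().startswith("TO:"):
            addr = arg[3:].strip().strip("<>").lower()
            if addr in self.valid:
                return self._reply(250, "Recipient OK")
            return self._reply(550, "5.1.1 User unknown")
        if verb == "QUIT":
            return self._reply(221, "Bye")
        return self._reply(500, "5.5.1 Command unrecognized")

def run_session(commands, valid_recipients, tarpit_seconds):
    """Replay commands with a no-op sleep; return (replies, seconds delayed)."""
    session = TarpitSession(valid_recipients, tarpit_seconds, sleep=lambda s: None)
    return [session.handle(c) for c in commands], session.delayed

# Constructed sample data (not from the advisory).
VALID = ["alice@example.com", "bob@example.com"]
NORMAL = ["EHLO mail.example.net", "MAIL FROM:<carol@example.net>",
          "RCPT TO:<alice@example.com>", "QUIT"]
NAMES = ("aaron", "abby", "alice", "adam", "al")  # mostly unknown recipients
MANY_UNKNOWN = (["EHLO host.example.org", "MAIL FROM:<x@example.org>"]
                + [f"RCPT TO:<{n}@example.com>" for n in NAMES] + ["QUIT"])

if __name__ == "__main__":
    for delay in (0, 5):
        print(delay, run_session(NORMAL, VALID, delay)[1],
              run_session(MANY_UNKNOWN, VALID, delay)[1])
```

With a 5-second delay the session with one valid recipient incurs no wait, the session naming four unknown recipients is held for 20 seconds, and the replies themselves are identical with the feature on or off.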

Are all SMTP servers susceptible to these types of threats?
Yes. This issue relates directly to limitations in the SMTP protocol. These limitations are not specific to any mail server or messaging system, such as Microsoft Exchange Server. This issue is an industry-wide problem. Microsoft and its partners are working with the respective standards bodies to improve the SMTP protocol.

Why don’t you block such attacks completely?
These attacks rely on ordinary and useful features of the SMTP protocol. To block such attacks entirely would require disabling important SMTP functionality. By slowing suspect communication, tar pitting reduces the cost effectiveness of spamming and address harvesting attacks.

Is this a security vulnerability that requires Microsoft to issue a security update?
No. The tar pit feature is an optional configuration that some customers may choose to deploy. This feature is not appropriate for all customers. For more information about this feature and how to appropriately configure it, see Microsoft Knowledge Base Article 842851.

What versions of Exchange Server are associated with this advisory?
This advisory addresses features in Microsoft Exchange Server 2003 and Exchange Server 2003 Service Pack 1.

Suggested Actions

Review the Microsoft Knowledge Base Article that is associated with the tar pit feature

Customers who are interested in learning more about the tar pit feature should review Microsoft Knowledge Base Article 842851.

Other Information

Resources:

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • May 10, 2005: Advisory published
