Windows Server has a role that it can run in SMTP. Exchange and other services use this role to relay mail. There is a type of attack against a mail server that revolves around effectively performing a Denial of Service (DoS) against Exchange by sending massive quantities of mail to the server and forcing it to send Non Delivery Reports (NDRs) from the mail you’ve sent the server. This is known as an NDR Flood Attack. You can also leverage what’s known as a Directory Harvest Attack to get a server to respond to each possible combination of characters for addresses on domains running on an Exchange server. A Directory Harvest Attack then ends up giving spammers information about what email addresses they can spam on your server.
Not to get off the point, but unless you can DoS a box with one or two packets only I don’t consider a DoS attack hacking. Really, it’s just brute force. It’s lame and there’s nothing scientific or interesting about it. Unless of course, you wrote some really cool botnet and it’s your bot farm DoSing some evil something-or-other. But I digress…
So one way that Microsoft has come up with to combat these types of automated attacks against their servers is to make SMTP “sticky”. Basically, you put a few seconds worth of delay in your response to a request. At 5 seconds, legitimate mail servers won’t even notice. But if someone is trying to flood you with massive quantities of junk traffic over port 25 they’re going to have a far less interesting time of doing so.
To enable the SMTP tar pit feature in Exchange/Windows Server, back up the registry and then locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters subkey. From there, do a new DWORD value and call it TarpitTime. Enter a decimal value of 5 to make the sticky time 5 seconds (time is therefore in seconds). Once done, save and restart SMTP:
net stop smtpsvc
net start smtpsvc
And viola, you’re joining the good fight against evil spammers. Sleep better tonight!
Note: You get extra credit if you thought “it is soooooo 90s to allow SMTP traffic on any network you control! Do you worship Jeremy Piven’s character from PCU or what?!?!”
Note2: You get double extra credit if you happened to step in tar at the La Brea Tarpits while reading this article as I thought about writing it when almost stepping in some tar at the very same place.
krypted June 27th, 2013