Tarpitting harvesters with Exchange 2003 on Windows 2003

New KB article (KB.842851) covers a Windows 2003 hotfix to tarpit anyone harvesting addresses from Exchange. You want this one if you’re doing Recipient Filtering based on directory lookups!

By default, Exchange 2003 will allow inbound SMTP mail to be addressed (“RCPT TO”) to any alias within the defined relay domains. This means that even if you don’t have a user called “joe@domain.com”, if you do accept email for “@domain.com”, anyone sending to “joe” will just get a 2.1.5 SMTP code and presume the user does exist. Only after mail is processed at Exchange does an NDR get generated.

Those who send unsolicited commercial email send out lots of email addressed to mailbox aliases that don’t exist. Since Exchange will accept this email and then NDR it later, it puts additional load on your gateway servers to receive and process this mail.

One of the new features in Exchange 2003 was recipient filtering (see KB.823866). When you configure recipient filtering, there’s a checkbox you can check that says “Filter recipients who are not in the directory”. That’s great! That’ll solve the problem. Now instead of just blindly accepting the email with a 2.1.5 and later NDRing it, we can just look up in the directory right away and decline to accept the email (with “5.1.1 User Unknown”). Right?

Introducing a new problem: Directory Harvest Attacks. If all a spammer has to do to find out if an email address is valid or not is submit an “RCPT TO: <address to test>” command to your server, this becomes a great way to do email address harvesting. Exchange doesn’t honor VRFY, but if you turn on this particular recipient filtering feature you get the same net effect! See this and this for more on DHAs.

The Windows 2003 hotfix in KB.842851 is an update for the SMTP stack used by Exchange. If you apply the hotfix and set a registry key, it will then start to “tarpit” any attempts to look up non-existent addresses. What this means is that if I send an email to UserThatExists@domain.com, the SMTP stream will proceed with no delay. But as soon as I try to “RCPT TO” UserThatDOESNOTExist@domain.com, the SMTP stack on the Exchange server will wait the specified (in the registry) number of seconds — say five — before responding. This obviously doesn’t mean that it’s no longer possible to harvest email addresses in this way, but it certainly makes it more “expensive” and therefore less attractive.
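To make the three behaviours concrete, here is an added Python model (written for this post, not Exchange or hotfix code) of the RCPT TO decision: accept-then-NDR with filtering off, immediate 250 for a known alias, and a delayed 550 5.1.1 for an unknown one. The directory contents, the injectable `sleep` hook and the `probe_cost` helper are assumptions for illustration, and all candidate addresses are assumed to be in an accepted domain.

```python
import time
from dataclasses import dataclass

# Constructed sample directory of valid aliases (assumption, not from the post).
DIRECTORY = {"joe@domain.com", "alice@domain.com"}


@dataclass
class RcptReply:
    code: int     # SMTP reply code (250 accept, 550 reject)
    status: str   # enhanced status code: 2.1.5 accepted, 5.1.1 user unknown
    delay: float  # seconds the server held the reply before sending it


def handle_rcpt(address, directory=DIRECTORY, recipient_filtering=True,
                tarpit_seconds=0.0, sleep=time.sleep):
    """Model the server side of one RCPT TO command as the post describes it.

    `sleep` is injectable so the model can be exercised without real waiting.
    """
    addr = address.strip().lower()
    if not recipient_filtering:
        # Default Exchange 2003 behaviour: accept everything in the relay
        # domain now, generate an NDR later if the mailbox does not exist.
        return RcptReply(250, "2.1.5", 0.0)
    if addr in directory:
        # Known alias: no delay, the stream proceeds normally.
        return RcptReply(250, "2.1.5", 0.0)
    # Unknown alias with filtering on: reject, but only after the tarpit delay
    # configured in the registry (hotfix behaviour).
    sleep(tarpit_seconds)
    return RcptReply(550, "5.1.1", tarpit_seconds)


def probe_cost(candidates, tarpit_seconds, directory=DIRECTORY):
    """Seconds a harvester would be held while testing `candidates`.

    Returns (aliases that got 250, total delay). Shows why the tarpit makes
    directory harvesting more expensive without making it impossible.
    """
    waited = []
    accepted = []
    for cand in candidates:
        reply = handle_rcpt(cand, directory, True, tarpit_seconds, sleep=waited.append)
        if reply.code == 250:
            accepted.append(cand)
    return accepted, sum(waited)
```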

There’s a bit more detail in the hotfix KB, so if this interests you, have a look at it! Happy tarpitting!

Update March 4, 2005: Note that this fix is also incorporated in the MS04-035 security bulletin fix, so if you have applied this security patch (and if you haven’t, you should!), you can just go ahead with the registry key without applying anything additional. Just confirm that your “SMTPSVC.DLL” is version 6.0.3790.175 or higher.