
Reverse DNS attacks and tarpitting

I have an email server that has been running flawlessly for two years. Recently, I have been seeing an increase in the number of messages seemingly "stuck" in the SMTP queues... They seem to be replies from postmaster@mydomain.com to spam sent to nonexistent users in our domain... This is causing mail to back up and I have to go in manually and delete the offending messages from the SMTP queue... Any ideas on how to stop this from happening?

What you are seeing is more likely a reverse DNS attack.

Your server gets messages for non-existent users, and now it needs to send back a Non-Delivery Report (NDR) for each one of those. You can disable NDRs completely, but that's not such a good idea, and it's not RFC-compliant behavior.

You did not state what mail server you are using. Assuming it is Exchange Server 2003, you can use Recipient Filtering. In Exchange System Manager, go to Global Settings | Message Delivery | Properties | Recipient Filtering and check "Filter recipients who are not in the Directory." Next, go to SMTP virtual server properties | General tab | Advanced (next to IP address) | select IP address | Edit | check "Apply Recipient Filter."

This will do an AD lookup for recipients and drop messages for recipients that do not exist.

In addition to this, you can implement SMTP Tarpitting. This inserts a delay in the SMTP connection with the sending server (that tries to send you such messages), forcing it to slow down considerably as well as disconnect the session depending on how long the delay is and the timeouts possibly configured at the rogue sending server. You need Windows Server 2003 SP1 to implement this.

To implement Tarpitting, create a new registry value of type DWORD called TarpitTime in the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters

In the value data, enter the number of seconds of delay you want to insert.

KBA 842851 provides more detail about SMTP Tarpitting.
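The registry step described above, scripted as an added PowerShell example (not from the original answer or from Microsoft): it checks that the host is at Windows Server 2003 SP1 or later, writes TarpitTime as a DWORD under the SMTPSVC Parameters key, reads it back to confirm, and restarts the SMTP service so the delay takes effect. The 5-second starting delay is an assumed value; run it in an elevated session on the Exchange server itself.

```powershell
# Added example: enable SMTP tarpitting on Windows Server 2003 SP1 / Exchange 2003.
param(
    [int]$TarpitSeconds = 5   # assumed starting value; tune after watching the queue
)

# Registry location named in the answer (PowerShell drive form of HKEY_LOCAL_MACHINE).
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters'

# Tarpitting needs Windows Server 2003 SP1 or later (KB 842851).
# Windows Server 2003 reports NT version 5.2; CSDVersion is empty before any service pack.
$os = Get-WmiObject -Class Win32_OperatingSystem
if ($os.Version -like '5.2*' -and [string]::IsNullOrEmpty($os.CSDVersion)) {
    throw 'Windows Server 2003 without a service pack: install SP1 before enabling tarpitting.'
}

if (-not (Test-Path $keyPath)) {
    throw 'SMTPSVC Parameters key not found; is the SMTP service installed on this host?'
}

# Create or overwrite the DWORD value. The data is the delay in seconds.
New-ItemProperty -Path $keyPath -Name 'TarpitTime' -PropertyType DWord `
    -Value $TarpitSeconds -Force | Out-Null

# Read it back before restarting anything.
$applied = (Get-ItemProperty -Path $keyPath -Name 'TarpitTime').TarpitTime
if ($applied -ne $TarpitSeconds) {
    throw "TarpitTime reads back as $applied, expected $TarpitSeconds."
}
Write-Host "TarpitTime set to $applied second(s); restarting SMTPSVC."

# Restart the SMTP service so the new delay is picked up.
Restart-Service -Name SMTPSVC
```

Tarpitting only slows the sending host; it is the Recipient Filter that actually stops the NDRs for nonexistent users, so enable that first and watch the queue length before raising the delay.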
