This works because SMTP servers respond to messages addressed to recipients differently. When a sender issues the RCPT TO: command to an MTA for a local addressee, valid addresses generate a “250 2.1.5 Recipient OK”, while invalid addresses generate a “550 5.1.1 User unknown.” The spammer does not actually have to send a message, as a valid email could have multiple recipients. They can run through dozens or even hundreds of addresses, as the MTA will respond until its maximum number of recipients is reached. For many systems, a maximum must be configured… there is no default. 

What does this look like on your system? The most common symptom of a directory harvest attack is when your MTA generates a large number of 550 5.1.1 messages in response to the same MAIL FROM: command. Of course, if you are looking at your logs, the attack has already happened. An effective defense needs to be in place in advance. One of the best ways to defend against directory harvest attacks is to implement SMTP tarpitting.

Named for the naturally occurring lakes of asphalt (bitumen) where prehistoric animals became trapped in the sticky tar, network tarpits are systems configured to trap misbehaving connections. They do this by slowing down responses to a crawl, effectively extending the duration of a conversation on the network from milliseconds to seconds… an eternity in computer time. SMTP Tarpitting is when the MTA recognises that an attack is underway, and responds to further RCPT TO: commands more slowly than normal. Response times for SMTP messages normally take place in fractions of a second, but when the tarpit is active, they can increase to several seconds or even minutes. This behaviour still complies with RFC 821, but greatly increases the amount of time it takes for a directory harvest attack to complete. At best, this can cause an attack to fail from time outs, and at worst, cause them some of the same aggravation they cause you. 

Exchange 2007 and 2010 both support SMTP tarpitting by default, and Exchange 2003 SP1 can be configured to do this as well. Other systems, or Exchange admins who want an extra layer of protection on the edge, can add other packages or implement a product like GFI Mail Essentials to enhance the security of their mail systems with protections including SMTP tarpitting. You can also look at hosted solutions like GFI’s Max MailProtection  to defend against these attacks.

Consult your mail server’s documentation for tar pitting, or look at adding an edge device or a hosted service. When using a tarpit, keep in mind that while you want to slow down a directory harvest attack, you don’t want to slow down the rest of your legitimate inbound email. Make small adjustments in the tarpitting interval until you find your sweet spot, constantly monitoring to ensure your inbound mail does not suffer unnecessary delays.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Using SMTP tarpits to slow down directory harvest attacks

Directory Harvesting

Directory harvesting is a technique spammers use to trick an email server into telling them which email addresses exist in an organisation and which do not.  The spammer bombards the email server with thousands of combinations of common names.  Any test emails that are accepted mean the spammer can be confident that particular email address exists at that domain and can be a target for future spam.  Sometimes the directory harvesting is performed by other parties who then sell the lists of valid email address to spammers.Although email server products such as Microsoft Exchange Server 2007 include some inbuilt directory harvesting protection measures, these usually rely on slowing the attack down (known as tar-pitting).  The best way for an organisation to protect itself from this attack is to implement a quality anti-spam system that includes directory harvesting detection and prevents the attack by cutting off further connections from the attacker.

Address Recycling

Some people find that they begin receiving spam as soon as they are given a new email address.  Although the person did not take any action that would attract spam they nonetheless begin receiving junk emails addressed directly to them.

Often this will occur in organisations, or any email provider for that matter, that recycles email addresses.  Not only does this practice expose the new user to whatever spam the previous person managed to attract, but it also carries other security risks as recently discovered by Livejournal users.

Once an email address is in the hands of spammers there is no way to get it back from them.  The only way to prevent spam from being received once an email address has been exposed is with an anti-spam solution that applies a range of preventative measures such as connection filtering, content filtering, Bayesian detection, and black listing.

Free Online Giveaways

Sometimes regardless of the amount of caution a person normally applies when surfing the web, the lure of a freebie causes them to drop all defences and give away their email address to a website online.  After all, who wouldn’t want a free 15 day supply of the latest miracle weight loss pill?

Sadly these websites are often run by shady affiliate marketers who immediately begin spamming the newly acquired email address with dozens of offers for other scams.  Often times they will sell the email address onto other spammers who will do the same.  Giving away your email address can result in a torrent of spam email thanks to these dodgy operators.

In these cases prevention is the best cure for an organisation trying to reduce their spam volumes.  Educating end users on the risks of giving out your email address to unknown parties can help reduce the number of addresses exposed to spammers in this fashion.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

This is why you get spam emails

A Directory Harvesting Attack normally consists of a basic dictionary attack combining common names and initials together into standard corporate email addresses and then sending a test message to each email address that is generated. For example, the spammer may send a message to john.smith@contoso.com, johns@contoso.com, and jsmith@contoso.com.

The attack relies on invalid email addresses being rejected by the email system either during the SMTP conversation or afterwards via a Delivery Status Notification (DSN). When the spammer receives a rejection the email address is considered invalid and is discarded. When no rejection or DSN is received the email address is considered “live” and is added to a database to later be targeted with spam emails either by the same person or another spammer that they sell the database to.

Email address databases are valuable information for spammers so directory harvesters can make a living by performing these attacks and selling the resulting information.

Aside from the exposure of your corporate email addresses to spammers a Directory Harvest Attack can also cause a performance problem for your internet-facing email servers as the process hundreds of thousands (or even millions) of SMTP connection attempts as the attacker works through every combination in their name dictionary.

How is Exchange Server 2007 vulnerable to Directory Harvesting Attacks?

In many Exchange Server 2007 environments incoming email is received directly by an internet-facing Hub Transport server. By default the transport server will use recipient lookups to notify the connecting host whether an email address is valid or not. When an inbound email is addressed to a recipient that does not exist a “550 5.1.1 User unknown” SMTP response is sent to the connecting host. When an email is addressed to a valid recipient a “250 2.1.5 Recipient OK” SMTP response is sent.

This behaviour complies with the RFCs for SMTP communication, and is important for many email users (if someone sent you an important email but misspelled your email address, you want your email server to notify them of the mistake so they can resend the message).

Though it is useful and important to provide this recipient lookup feedback to sending email servers this is also exactly the behaviour that enables a Directory Harvest Attack to occur.

There are two strategies that can be employed to protect an Exchange server from Directory Harvesting Attacks. The first makes use of an Exchange security feature known as “tarpitting”.

Protecting Exchange Server 2007 with Tarpitting

Tarpitting is a feature of Edge Transport and Hub Transport servers that inserts an artificial delay in the SMTP session before any “550 5.1.1 User unknown” response is sent. This increases the cost and difficulty to the spammer of a Directory Harvesting Attack, by slowing down the rate at which they are able to discover valid and invalid email addresses. This strategy reduces the effectiveness of Directory Harvesting Attacks while still retaining RFC compliance by sending the appropriate responses to incorrectly addressed email messages.

In order for tarpitting to be applied to suspected attacks the Recipient Filter Agent must be active. The Recipient Filter Agent is enabled by default on Edge Transport servers but must be installed by an administrator on Hub Transport servers. Here we see a Hub Transport server with the default transport agents enabled.

To make the Recipient Filter Agent available the administrator installs the Exchange anti-spam components using the “install-AntiSpamAgents.ps1″ script that is included with Exchange Server 2007.

Once the Microsoft Exchange Transport service is restarted the Recipient Filter Agent is now installed and enabled on the Hub Transport server.

When the Recipient Filter Agent is enabled it uses the TarpitInterval configured on the Receive Connector to determine how long to insert a delay for any “550 5.1.1 User unknown” responses to suspected attackers. The default delay is 5 seconds but this can be increased by the administrator.

Although tarpitting increases the cost and difficulty of a Directory Harvesting Attack it is not always going to be effective. If the spammer is patient enough they can put up with the tarpitting delays and still achieve the desired outcome. However tarpitting is a low cost option because it can be implemented on existing Exchange Server 2007 servers with no additional outlay on server hardware or software.

Protecting Exchange Server 2007 with third party products

Often a more effective strategy is to implement a third party email security solution that includes more advanced DHA protection. When a harvest attempt is detected by the security product the sending host is disconnected and then blocked by the server so that it cannot reconnect and continue the attack.

This is more effective than simply slowing down the attack however this strategy will usually involve additional costs of servers and software. This cost is usually justifiable though when you also consider the additional protection that the third party product can provide you from email viruses, spam, and phishing attempts. In the best commercial email security products the configurability and protection are both much greater than what can be provided with the built in features of Exchange Server 2007.

Always consider Directory Harvesting Attacks when protecting your Exchange servers

Directory Harvesting Attacks should not be ignored when assessing the threat landscape for your Exchange server environment. By implementing either the built-in Exchange protection for DHAs or a third party commercial email security product you can reduce both the load on your email servers and the risk of exposure of your corporate email addresses to spammers.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Protecting Exchange Server 2007 from Directory Harvesting Attacks