Tarpitting interval must be set.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
Exch-ED-228	Exch-ED-228	Exch-ED-228_rule		Medium

Description
Tarpitting is the practice of artificially delaying server responses for specific SMTP communication patterns that indicate high volumes of spam or other unwelcome messages. The intent of tarpitting is to slow down the communication process for such email traffic so that the cost of sending spam increases for the person or organization sending the spam. Tarpitting makes directory harvest attacks too costly to automate efficiently. Recipient Lookup functionality enables the sending server to determine whether an email address is valid or invalid. As mentioned earlier, when the recipient of an inbound message is a known recipient, the Edge Transport server sends back a "OK" SMTP response to the sending server. This functionality provides an ideal environment for a directory harvest attack. A directory harvest attack is an attempt to collect valid email addresses from a particular organization so that the email addresses can be added to a spam database. Because all spam income relies on trying to make people open email messages, addresses known to be active are a commodity that malicious users, or spammers, pay for. Because the SMTP protocol provides feedback for known senders and unknown senders, a spammer can write an automated program that uses common names or dictionary terms to construct email addresses to a specific domain. The program collects all email addresses that return a "Recipient OK" SMTP response and discards all email addresses that return a "User unknown" SMTP session error. The spammer can then sell the valid email addresses or use them as recipients for unsolicited messages.

Description

Tarpitting is the practice of artificially delaying server responses for specific SMTP communication patterns that indicate high volumes of spam or other unwelcome messages. The intent of tarpitting is to slow down the communication process for such email traffic so that the cost of sending spam increases for the person or organization sending the spam. Tarpitting makes directory harvest attacks too costly to automate efficiently. Recipient Lookup functionality enables the sending server to determine whether an email address is valid or invalid. As mentioned earlier, when the recipient of an inbound message is a known recipient, the Edge Transport server sends back a "OK" SMTP response to the sending server. This functionality provides an ideal environment for a directory harvest attack. A directory harvest attack is an attempt to collect valid email addresses from a particular organization so that the email addresses can be added to a spam database. Because all spam income relies on trying to make people open email messages, addresses known to be active are a commodity that malicious users, or spammers, pay for. Because the SMTP protocol provides feedback for known senders and unknown senders, a spammer can write an automated program that uses common names or dictionary terms to construct email addresses to a specific domain. The program collects all email addresses that return a "Recipient OK" SMTP response and discards all email addresses that return a "User unknown" SMTP session error. The spammer can then sell the valid email addresses or use them as recipients for unsolicited messages.

STIG	Date
Microsoft Exchange 2010 Edge Transport Server Role	2012-05-31

Details

Check Text ( C-_chk )
Open the Exchange Management Shell and enter the following command. Get-ReceiveConnector \| Select Name, Identity, TarpitInterval If the value of "TarpitInterval" is not set to 00:00:05 or greater, this is a finding.

Fix Text (F-_fix)
Open the Exchange Management Shell and enter the following command. Set-ReceiveConnector -Identity <'ReceiveConnector'> -TarpitInterval 00:00:05