Tarpitting is an artificial delay that an SMTP server adds to its responses, for several reasons (preventing spam, directory harvest attacks, high server load, etc.).
For convenience, I have presented the information about log records, the features responsible for the delay, delay values, etc. in the tables.
| Feature | Recipient Lookup |
| Log | Tarpit for '0.00:00:05' 550 5.1.1 User unknown |
| Applicable | Exchange 2007 - 2016 on Edge Role |
| Delay default value | 00:00:05 |
| Delay minimum value | 00:00:00 |
| Delay maximum value | 00:10:00 |
| How to change delay value | Set-ReceiveConnector "Default" -TarpitInterval 00:**:** |
| Default feature state | Disabled. The Recipient Filter agent needs to be enabled. |
| How to enable feature | Set-RecipientFilterConfig -Enabled $true |
| How to disable feature | Set-RecipientFilterConfig -Enabled $false Disable-TransportAgent "Recipient Filter Agent" |
| Comments | Authenticated connections are never delayed. |
| Technet | https://technet.microsoft.com/en-us/library/bb123891(v=exchg.160).aspx |

| Feature | Shadow Redundancy |
| Log | Tarpit for '0.00:00:05' due to 'DelayedAck' |
| Applicable | Exchange 2010 - 2016 |
| Delay default value | 00:00:30 |
| Delay minimum value | 00:00:00 |
| Delay maximum value | 00:10:00 |
| How to change delay value | Set-ReceiveConnector "Default" -MaxAcknowledgementDelay 00:**:** |
| Default feature state | Enabled |
| How to enable feature | Set-TransportConfig -ShadowRedundancyEnabled $true Set-ReceiveConnector "Default" -MaxAcknowledgementDelay 00:00:30 (Exchange 2010) |
| How to disable feature | Set-TransportConfig -ShadowRedundancyEnabled $false Set-ReceiveConnector "Default" -MaxAcknowledgementDelay 0 (Exchange 2010) |
| Comments | |
| Technet | https://technet.microsoft.com/en-us/library/dd351027(v=exchg.141).aspx |

| Feature | Back Pressure |
| Log | Tarpit for '0.00:00:55' due to 'Back Pressure' |
| Applicable | Exchange 2007 - Exchange 2016 |
| Delay default value | 00:00:10 |
| Delay minimum value | 00:00:00 |
| Delay maximum value | 00:00:55 |
| How to change delay value | Modify the SMTPBaseThrottlingDelayInterval, SMTPMaxThrottlingDelayInterval, SMTPStepThrottlingDelayInterval and SMTPStartThrottlingDelayInterval keys in the "EdgeTransport.exe.config" file. |
| Default feature state | Enabled |
| How to enable feature | Open the "%ExchangeInstallPath%Bin\EdgeTransport.exe.config" file. Add or change the key <add key="EnableResourceMonitoring" value="true" /> and save. Run the "Restart-Service MSExchangeTransport" cmdlet. |
| How to disable feature | Open the "%ExchangeInstallPath%Bin\EdgeTransport.exe.config" file. Add or change the key <add key="EnableResourceMonitoring" value="false" /> and save. Run the "Restart-Service MSExchangeTransport" cmdlet. |
| Comments | Messages can be delayed due to Back Pressure only for the "QueueLength[SubmissionQueue]" and "UsedVersionBuckets" resources at the medium utilization level. For other resources under Back Pressure, all messages are rejected. Microsoft does not recommend modifying the back pressure settings in the EdgeTransport.exe.config file. |
| Technet | https://technet.microsoft.com/ru-ru/library/bb201658(v=exchg.160).aspx |

Other tarpit log records that I have not yet explored:
Tarpit for '0.00:00:05' due to '535 5.7.3 Authentication unsuccessful'
Tarpit for '0.00:00:05' due to '554 5.6.0 Invalid message content'
Tarpit for '0.00:00:05' due to '504 5.7.4 Unrecognized authentication type'
Tarpit for '0.00:00:05' due to 'IP discredited'
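
To see which feature accounts for the delays on a server, the log strings above can be grouped by reason. The following is an added example, not code from the original post: `Get-TarpitEvent` is a hypothetical helper, the sample lines are constructed from the strings listed here, and the reason-to-feature mapping simply follows the three tables.

```powershell
# Constructed sample input: the tarpit strings are the ones listed in this post.
$sample = @(
    "Tarpit for '0.00:00:05' 550 5.1.1 User unknown"
    "Tarpit for '0.00:00:05' due to 'DelayedAck'"
    "Tarpit for '0.00:00:55' due to 'Back Pressure'"
    "Tarpit for '0.00:00:05' due to '535 5.7.3 Authentication unsuccessful'"
    "Tarpit for '0.00:00:05' due to 'IP discredited'"
    "Tarpit for '0.00:00:05' 550 5.1.1 User unknown"
)

function Get-TarpitEvent {
    # Hypothetical helper: pulls delay and reason out of any text line
    # that contains a tarpit record and maps the reason to a feature.
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        $pattern = "Tarpit for '(?<delay>[\d.:]+)'(?: due to '(?<reason>[^']*)')?(?<rest>.*)"
        if ($Line -notmatch $pattern) { return }
        # Copy the captures now: switch -Regex below overwrites $Matches.
        $delay  = $Matches['delay']
        $reason = $Matches['reason']
        if (-not $reason) { $reason = $Matches['rest'].Trim() }
        $feature = switch -Regex ($reason) {
            '^DelayedAck$'    { 'Shadow Redundancy'; break }
            '^Back Pressure$' { 'Back Pressure'; break }
            '^550 5\.1\.1'    { 'Recipient Lookup'; break }
            default           { 'Not covered by the tables' }
        }
        [pscustomobject]@{
            Feature = $feature
            Reason  = $reason
            Delay   = [timespan]::Parse($delay, [cultureinfo]::InvariantCulture)
        }
    }
}

# Count and total delay per feature, largest total first.
$sample | Get-TarpitEvent | Group-Object Feature | ForEach-Object {
    $ticks = ($_.Group | ForEach-Object { $_.Delay.Ticks } | Measure-Object -Sum).Sum
    [pscustomobject]@{
        Feature    = $_.Name
        Count      = $_.Count
        TotalDelay = [timespan]::FromTicks($ticks)
    }
} | Sort-Object TotalDelay -Descending | Format-Table -AutoSize
```

To run it against real data, pipe lines from the SMTP receive protocol log (for example via `Get-Content`) into `Get-TarpitEvent` instead of `$sample`.
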
P.S. Interestingly, the Tarpit feature can be enabled in Microsoft Windows Server 2003.
Hi,
Thank you for this research, but I need more info on IP discredited, how to disable that, do you have any idea?