Tarpitting is an artificial delay that an SMTP server adds to its responses, for several reasons (preventing spam, slowing directory harvest attacks, high server load, etc.).
For convenience, I have put the information about log records, the features responsible for the delay, delay values, etc. into the tables below.
Feature | Recipient Lookup |
Log | Tarpit for '0.00:00:05' 550 5.1.1 User unknown |
Applicable | Exchange 2007 - 2016 on Edge Role |
Delay default value | 00:00:05 |
Delay minimum value | 00:00:00 |
Delay maximum value | 00:10:00 |
How to change delay value | Set-ReceiveConnector "Default" -TarpitInterval 00:**:** |
Default feature state | Disabled. The Recipient Filter agent must be enabled. |
How to enable feature | Set-RecipientFilterConfig -Enabled $true |
How to disable feature | Set-RecipientFilterConfig -Enabled $false Disable-TransportAgent "Recipient Filter Agent" |
Comments | Authenticated connections are never delayed. |
Technet | https://technet.microsoft.com/en-us/library/bb123891(v=exchg.160).aspx |

Feature | Shadow Redundancy |
Log | Tarpit for '0.00:00:05' due to 'DelayedAck' |
Applicable | Exchange 2010 - 2016 |
Delay default value | 00:00:30 |
Delay minimum value | 00:00:00 |
Delay maximum value | 00:10:00 |
How to change delay value | Set-ReceiveConnector "Default" -MaxAcknowledgementDelay 00:**:** |
Default feature state | Enabled |
How to enable feature | Set-TransportConfig -ShadowRedundancyEnabled $true Set-ReceiveConnector "Default" -MaxAcknowledgementDelay 00:00:30 (Exchange 2010) |
How to disable feature | Set-TransportConfig -ShadowRedundancyEnabled $false Set-ReceiveConnector "Default" -MaxAcknowledgementDelay 0 (Exchange 2010) |
Comments | |
Technet | https://technet.microsoft.com/en-us/library/dd351027(v=exchg.141).aspx |

Feature | Back Pressure |
Log | Tarpit for '0.00:00:55' due to 'Back Pressure' |
Applicable | Exchange 2007 - Exchange 2016 |
Delay default value | 00:00:10 |
Delay minimum value | 00:00:00 |
Delay maximum value | 00:00:55 |
How to change delay value | Modify the SMTPBaseThrottlingDelayInterval, SMTPMaxThrottlingDelayInterval, SMTPStepThrottlingDelayInterval and SMTPStartThrottlingDelayInterval keys in the "EdgeTransport.exe.config" file. |
Default feature state | Enabled |
How to enable feature | Open the "%ExchangeInstallPath%Bin\EdgeTransport.exe.config" file. Add or change the key <add key="EnableResourceMonitoring" value="true" /> and save. Run the "Restart-Service MSExchangeTransport" cmdlet. |
How to disable feature | Open the "%ExchangeInstallPath%Bin\EdgeTransport.exe.config" file. Add or change the key <add key="EnableResourceMonitoring" value="false" /> and save. Run the "Restart-Service MSExchangeTransport" cmdlet. |
Comments | Messages can be delayed due to Back Pressure only for the "QueueLength[SubmissionQueue]" and "UsedVersionBuckets" resources at the medium utilization level. For other resources, all messages are rejected due to Back Pressure. Microsoft does not recommend modifying the back pressure settings in the EdgeTransport.exe.config file. |
Technet | https://technet.microsoft.com/ru-ru/library/bb201658(v=exchg.160).aspx |

Other tarpit log entries that I have not yet explored:
Tarpit for '0.00:00:05' due to '535 5.7.3 Authentication unsuccessful'
Tarpit for '0.00:00:05' due to '554 5.6.0 Invalid message content'
Tarpit for '0.00:00:05' due to '504 5.7.4 Unrecognized authentication type'
Tarpit for '0.00:00:05' due to 'IP discredited'
P.S. Interestingly, the Tarpit feature can be enabled in Microsoft Windows Server 2003.
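
The following Python script is an added example, not part of the original post and not Microsoft's code. It classifies the tarpit messages listed above by feature and tallies them per remote IP, so that repeated Recipient Lookup tarpits from one address (a possible directory harvest attempt) stand out. The CSV column layout, the `harvest_threshold` value and the sample lines are assumptions constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import timedelta

# Matches both message forms shown above, with and without "due to".
TARPIT_RE = re.compile(
    r"Tarpit for '(\d+)\.(\d{2}):(\d{2}):(\d{2})'(?: due to)? '?(.*?)'?\s*$")

# Reason prefix -> feature, as documented in the three tables above.
FEATURES = {"550 5.1.1": "Recipient Lookup",
            "DelayedAck": "Shadow Redundancy",
            "Back Pressure": "Back Pressure"}

def parse_tarpit(text):
    """Return (delay, feature, reason) for a tarpit message, or None."""
    m = TARPIT_RE.search(text)
    if not m:
        return None
    days, hours, minutes, seconds = (int(g) for g in m.groups()[:4])
    reason = m.group(5)
    feature = next((f for k, f in FEATURES.items() if reason.startswith(k)),
                   "unexplored")
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds), feature, reason

def summarize(log_text, harvest_threshold=3):
    """Map (remote IP, feature) -> [count, total delay in s]; list harvest suspects."""
    stats = defaultdict(lambda: [0, 0])
    lines = (ln for ln in io.StringIO(log_text) if ln.strip() and not ln.startswith("#"))
    for row in csv.reader(lines):
        hit = parse_tarpit(row[-1])           # assumption: message is the last column
        if hit and len(row) >= 6:
            ip = row[5].rsplit(":", 1)[0]     # assumption: column 6 is remote ip:port
            stats[(ip, hit[1])][0] += 1
            stats[(ip, hit[1])][1] += int(hit[0].total_seconds())
    suspects = sorted(ip for (ip, feature), (n, _) in stats.items()
                      if feature == "Recipient Lookup" and n >= harvest_threshold)
    return dict(stats), suspects

# Constructed sample lines in the assumed layout; not taken from a real server.
SAMPLE = """#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2016-01-01T10:00:01Z,Default,S1,5,10.0.0.5:25,203.0.113.7:50001,*,,Tarpit for '0.00:00:05' 550 5.1.1 User unknown
2016-01-01T10:00:07Z,Default,S1,7,10.0.0.5:25,203.0.113.7:50001,*,,Tarpit for '0.00:00:05' 550 5.1.1 User unknown
2016-01-01T10:00:13Z,Default,S1,9,10.0.0.5:25,203.0.113.7:50001,*,,Tarpit for '0.00:00:05' 550 5.1.1 User unknown
2016-01-01T10:01:00Z,Default,S2,8,10.0.0.5:25,198.51.100.9:41000,*,,Tarpit for '0.00:00:30' due to 'DelayedAck'
2016-01-01T10:02:00Z,Default,S3,3,10.0.0.5:25,192.0.2.44:42000,*,,Tarpit for '0.00:00:05' due to 'IP discredited'
2016-01-01T10:02:05Z,Default,S4,4,10.0.0.5:25,192.0.2.50:43000,>,250 2.1.5 Recipient OK,
"""
```

Calling `summarize(SAMPLE)` returns the per-IP statistics and the list of addresses that reached the threshold for Recipient Lookup tarpits.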

Hi,
Thank you for this research, but I need more info on IP discredited, how to disable that, do you have any idea?