Friday, April 9, 2010

Filter Out Mail to Non-Existent Users - Exchange 2003

Filter Out Mail to Non-Existent Users - Exchange 2003
Author: Simon Butler, Exchange MVP, MCSE

This is for Exchange 2003 ONLY. For the version for Exchange 2007, click here: Filter Out Mail to Non-Existent Users - Exchange 2007

Exchange 2003 introduced a new facility to filter email messages if the email address do not exist in the Active Directory. This stops spammers from sending messages to non-valid addresses.

The rejection is done at the SMTP level - so the email message isn't even delivered. If valid senders misspell an email address then they will get a bounce message immediately - indicating that the message has been rejected.

This feature does expose your server to "Directory Harvest" attacks, allowing spammers to find valid email addresses on your server. Therefore it should only be enabled on Exchange 2003 installed on Windows 2003 so that the tar pit feature can be enabled (see below).

Exchange 2000 and users on Windows 2000 with Exchange 2003

If you are using the older version of Windows or Exchange, then you should look at third party tools to do the same thing.

Vamsoft's ORF is one such product that can filter on the active directory.

Enabling the Option on Exchange 2003

To enable this option:

Expand ESM, Message Delivery.
Right click on "Message Delivery" and choose Properties.
Click on the tab "Recipient Filtering".
Enable the option "Filter Recipients who are not in the directory."

You then need to enable the Recipient Filter on the SMTP Server.

Still in ESM, Expand Admin Groups, , Server, , Protocols, SMTP.
Right click on SMTP Virtual Server and choose Properties.
Click on "Advanced" next to the IP address on the first tab.

With the IP address selected, choose "Edit".

Enable "Apply Recipient Filter".

Click Apply/OK until clear.
Avoiding Directory Harvest Attacks

This feature makes your server vulnerable to directory harvest attacks - which is where the attacker sends commands to your server to find valid addresses. This can be avoided by using a feature known as tar pitting, which slows down the response of your server to these commands making it unviable for the attacker to scan your server.

Tar pitting was previously only available as a hot fix, but is now part of Windows 2003 Service Pack 1 and higher.

The tar pit is set with a small registry change.

Copy and paste the following text in to notepad and save it as tarpit.reg, changing the file type to All Types so that it is saved as a registry file. Then double click on it to install.

Windows Registry Editor Version 5.00


Restart the SMTP Server Service

After enabling these options, restart the SMTP Server Service in Services for them to take full effect.

Full information on enabling the feature can be found here:

No comments: