Impact of tarpitting on load-balanced SMTP services
Tarpitting (an anti-spam feature on SMTP servers) may result in delayed mail transmission when SMTP is load-balanced. This article outlines measures to prevent this.
It is common for the KEMP LoadMaster to be used to load balance SMTP services. A secure SMTP connection can be achieved using STARTTLS and the offloading of this encryption can be configured on the LoadMaster in the SSL Properties section of the Virtual Service modify screen.
When this is done, the LoadMaster will negotiate a STARTTLS session with a client. This can be forced by selecting the SMTP (STARTTLS always) option for the STARTTLS mode drop-down list in Standard Options, or made optional using the SMTP (STARTTLS if requested) option.
Some SMTP servers enable a feature called tarpitting as a defense against mail bots which, once connected to an SMTP server, attempt to send multiple emails through a single SMTP connection. It works by inserting server response delays before certain SMTP commands issued by the SMTP client are answered, which limits the number of separate emails that can be sent in a given time. Typically a value of five seconds is used, and it typically applies to commands such as EHLO and RSET, so a pause is enforced when multiple SMTP connections are made.
While this is an effective way of preventing spam and other abuse, it can result in SSL-accelerated services experiencing unexpected delays when traffic passes through the LoadMaster.
The reason is that when a user connects, the LoadMaster negotiates a STARTTLS session with the client. This procedure involves sending an SMTP RSET to terminate the original connection in favor of negotiating a new secure connection. In addition, once the secure connection is negotiated, a new client EHLO is sent.
Both of these messages, RSET and client EHLO, typically trigger a tarpit delay. This means sending an email over this load-balanced connection can result in 10 seconds of extra delay.
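To confirm that the delay described above is what you are seeing, and which steps incur it, the following added example (not from the original article or from KEMP) times a client's EHLO, STARTTLS and post-TLS EHLO against the SMTP virtual service and flags any step that takes as long as a tarpit interval. The host, port, HELO name and the 3-second threshold are assumptions.

```python
"""Time each step of an SMTP client's STARTTLS conversation to spot tarpit delays.
Added example, not from the original article; HOST/PORT and the HELO name are
placeholders, and TARPIT_THRESHOLD assumes a tarpit of several seconds."""
import smtplib
import ssl
import sys
import time

TARPIT_THRESHOLD = 3.0  # seconds: well above a normal round trip, below a 5 s tarpit


def time_steps(conn, helo_name):
    """Run EHLO -> STARTTLS -> EHLO on an open connection; return {step: seconds}.
    STARTTLS is where the LoadMaster sends RSET to the back end and the second
    EHLO is the new client EHLO after TLS, so a tarpit should inflate those two."""
    timings = {}
    for name, action in (
        ("EHLO", lambda: conn.ehlo(helo_name)),
        ("STARTTLS", lambda: conn.starttls(context=ssl.create_default_context())),
        ("EHLO after TLS", lambda: conn.ehlo(helo_name)),
    ):
        start = time.monotonic()
        action()
        timings[name] = time.monotonic() - start
    return timings


def slow_steps(timings, threshold=TARPIT_THRESHOLD):
    """Names of the steps whose latency looks like a tarpit interval."""
    return [step for step, secs in timings.items() if secs >= threshold]


def excess_delay(timings, threshold=TARPIT_THRESHOLD):
    """Total latency of the slow steps, i.e. the extra delay a tarpit adds."""
    return round(sum(timings[s] for s in slow_steps(timings, threshold)), 3)


def probe(host, port=25, helo_name="probe.example.invalid"):
    """Connect to the SMTP virtual service and report per-step timings."""
    with smtplib.SMTP(host, port, timeout=60) as conn:
        timings = time_steps(conn, helo_name)
    return timings, slow_steps(timings), excess_delay(timings)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "smtp-vip.example.invalid"
    timings, slow, extra = probe(host)
    for step, secs in timings.items():
        print(f"{step:<15} {secs:6.2f} s{'  <-- tarpit?' if step in slow else ''}")
    print(f"Suspected tarpit delay: {extra:.2f} s over {len(slow)} step(s)")
```

Run it before and after changing the server setting; two steps at roughly the tarpit interval is the signature this article describes, while a single slow step points elsewhere.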
To see if any tarpitting delays are configured on a Microsoft Exchange server, use the following PowerShell command:
Get-ReceiveConnector | Select Name,TarpitInterval
Tarpitting can be disabled, or reduced by specifying a shorter interval, by running the following command (shown here setting the interval to zero on every receive connector):
Get-ReceiveConnector | Set-ReceiveConnector -TarpitInterval 00:00:00