This help section describes the tarpit delay feature and the related settings.
The tarpit delay feature is designed to introduce a specified time delay in SMTP responses when an email is blacklisted. Enabling this feautre allows you to effectively combat spammers by slowing down their progress and making it nearly impossible for them to successfully carry out Directory Harvest Attacks (DHA).
It is important to note that the tarpit delay feature only works on internet-facing servers, and it will not introduce a delay in SMTP responses for blacklisted emails received from an intranet or Intermediate Host.
Directory Harvest Attacks (DHA) are used by spammers to extract the list of valid email addresses from a domain by sending recipient specification commands. They determine the validity of addresses by analyzing the server's SMTP response. The tarpit delay feature helps in mitigating such attacks by introducing a delay that disrupts the attackers' ability to efficiently harvest valid email addresses.
Tarpit delay can be enabled or disabled either as a default action for all tests or as a Custom Action for selected tests. See the Actions topic for detailed information.
Tarpit delay can be configured by clicking the Configure this feature link in the description of its checkbox.
Configure for how long each SMTP response should be delayed. By default, responses are delayed for 60 seconds.
Although the maximum delay time allowed by the tarpit delay is 600 seconds (10 minutes), it is recommended to keep the delay limit lower. Microsoft® Exchange®'s default timeout limit is 10 minutes, but other email servers may not be this patient.
Some email servers, most notably Exim and Postfix, perform so-called Sender Callout Verifications, which is a controversial anti-spam technique. The verification is performed when the server receives email from someone. During the verification, the recipient email server connects back to the sender server and initiates an email sending process to check whether the sender email address is valid. If the recipient email server does not get the response in time, because the attempt was blacklisted and tarpit delay is activated, it does not accept the email.
To avoid such problems, you can add the sender email address used by the verification to the exception list. The list contains the Exim and Postfix verification addresses by default.
Because ORF tests may take a significant amount of time, ORF calculates the tarpit delay from the time the email or recipient was first "seen", i.e., DNS blacklist check time and other time-expensive tests are counted into the tarpit delay.