Tarpitting
Tarpitting Definition
Tarpitting is a security technique that slows down suspicious or abusive activity on a network or online service. It's most often used in email systems, but it can also be applied to other services, such as slowing down network port scanning, limiting the spread of worms, or reducing automated attacks like web scraping and credential stuffing. Instead of blocking a connection immediately, a tarpit keeps it occupied and makes repeated requests less efficient. This can help reduce spam, bot activity, and other high-volume attacks.
How Tarpitting Works
A tarpit adds delays when a harmful or unwanted connection tries to interact with a server or service. In email systems, this means the server waits longer than usual before replying to certain SMTP commands. That extra wait makes spam tools spend more time on each message. As a result, they can send fewer messages in the same amount of time.
In addition to slowing responses, tarpitting also ties up the attacker’s resources. Each delayed connection stays open longer, using up sockets or connection slots on the attacker’s system. Because these resources are often limited, the attacker may be unable to open as many new connections, which further reduces the effectiveness of automated attacks.
Some systems use tarpitting only after they notice warning signs like repeated failed attempts, unusual sending patterns, or too many requests from one source. Others use fixed delays for unknown or untrusted connections. The exact setup depends on the service and the type of threat it's designed to deal with.
Limitations of Tarpitting
- Limited coverage: Some threats can keep going even when one connection slows down.
- Possible delays for real users: Poor settings can affect legitimate traffic, too.
- Extra setup work: Teams need to tune the rules and check them over time.
- Mixed results: Some attackers can spread their requests across different sources.
- Dependence on other tools: Tarpitting works best when other security controls are in place.
Tarpitting vs Greylisting
Greylisting is an email security method that temporarily rejects a message from an unknown sender on the first attempt. A legitimate mail server will usually try again later, and the message is accepted if that retry matches the server’s rules. Many spam tools don't retry properly, so the message never arrives. Unlike tarpitting, greylisting doesn't delay the connection to slow the sender down. It blocks the message for the moment and waits to see whether the sender tries again
Read More
FAQ
Tarpitting is common on systems that process large amounts of email. It may also be used on login pages, contact forms, API endpoints, and other services that receive a lot of automated traffic. Some admins use it on network gateways and security tools that watch connection attempts. It tends to show up in places where bots or bulk senders can cause problems.
Rate limiting sets a clear limit on how many times a user, device, or IP address can make a request in a set period. After that limit is reached, the system may block, reject, or pause new requests. Tarpitting makes the interaction take longer and longer. In simple terms, rate limiting controls how much traffic is allowed, while tarpitting tries to make unwanted traffic less worth sending.
No. Tarpitting can help cut down the amount of spam that gets through, but it's not a complete fix on its own. Some spam systems can switch methods, retry later, or use different sources. That’s why admins usually pair tarpitting with other email protections, such as spam filters, blocklists, or sender checks.
Yes, some can. A determined attacker may rotate IP addresses, spread traffic across many systems, or adjust request timing to avoid getting stuck for long. Some tools may also pause and send another attempt later.
Blocking a source right away isn't always the best choice. Some traffic may look suspicious at first but still come from a real user or service. A short delay gives the system more time to assess the connection before taking stronger action. It can also make bulk abuse harder to carry out without cutting off every unknown source immediately.
45-Day Money-Back Guarantee (14 Days for Monthly Users)