Gammadyne Corporation
Home Page Contact Us

Toriss

Toriss is an IIS plug-in that makes the SMTP service immune to Reverse NDR Attacks (a.k.a. Backscatter Spam). 

The Attack

By sending spam to invalid users, the SMTP service will send a bounce-back to the forged From: header with the spam attached.  As a result, the mail queue fills up with thousands of undeliverable bounce-backs, slowing down the whole system and making the SMTP service unresponsive.  Toriss solves this problem completely.

The Solution

Instead of bouncing emails that are sent to invalid users, Toriss will reject the email as soon as the RCPT command is received.  Microsoft left this important security feature out of IIS to motivate people to buy its $1500 ISA Server.  However, this foolishly allows the server to be used to send spam by way of the Reverse NDR Attack.
 

Features

  • Prevents Reverse NDR Attacks (also known as Backscatter Spam).
  • Blocks email that is addressed to invalid/nonexistent users.
  • Email is blocked at the SMTP level, in response to a RCPT command.
  • Prevents the mail queue from filling up with undeliverable bounce-backs.
  • Toriss also has the ability to reject unauthenticated connections from dynamic IP addresses.  This technique is used by many large domains such as Hotmail and AOL to reduce spam.  When this feature is enabled, your mail server will only accept email from computers with a static IP address, or if a user name and password is provided.
  • Automatically detects local POP3 domains and users.
  • Can be manually configured to accept specific domains and users.
  • Unless auto-detection fails (unlikely), Toriss works right out of the box with no need for configuration.
  • Emails can be rejected for specific mail accounts.  This is useful when a user hasn't paid their bill.
  • Uses virtually no resources.  Verified to not leak memory or resources.
  • Toriss can be temporarily disabled without restarting IIS.
  • Works with all 32-bit versions of Windows® 2000, XP, 2003, Vista, 2008, 7, 8, and 2012.

Purchase

To purchase a license for only $30 U.S. please click the button below.


Notes:
  • Once the order is completed, you will receive an email with a download link.
  • There are no subscription fees!  Once installed, Toriss will operate indefinitely.
  • The current version is 2.0, released May 30th, 2013.
  • Minor upgrades containing bug fixes will be provided freely by Gammadyne.  Major upgrades containing new features will require a new license to be purchased.  The email address associated with the license will be notified when upgrades are released.
  • Please purchase one license per machine on which Toriss is installed.
 

Instructions

The installer is a self-contained executable program.  Open the downloaded file to start the installation process.  Please note that because Toriss is a plug-in, it will begin working as soon as it is installed.  There is no executable that you are required to run.

Once Toriss is installed, please follow this procedure immediately to verify its correct operation:

  1. If the IIS public directory is not located at C:\Inetpub, make sure there are no security restrictions on the "HKLM\Software\Microsoft\INetStp" registry key.  Toriss needs to be able to read the value for PathWWWRoot.
  2. Wait until an email is received by the system, or send an email to yourself.  The first time that Toriss is triggered, it will create the TORISS_DETECTED.TXT log file.
  3. Open the file TORISS_DETECTED.TXT (located in the C:\Inetpub directory).
  4. Verify that the "DOMAINS:" section of TORISS_DETECTED.TXT lists all of the domains that the SMTP service handles email for.  If any domain is missing, create a plain text file named TORISS_DOMAINS.TXT (also in C:\Inetpub).  Each line of the file can specify one domain.  Toriss will only reject invalid users at these domains.
  5. Verify that the "ADDRESSES:" section of TORISS_DETECTED.TXT lists all email addresses that the SMTP service handles email for.  If any address is missing, create a plain text file named TORISS_LOCALS.TXT (also in C:\Inetpub).  Each line of the file can specify one email address.  Toriss will reject all recipients who are not in the list (but only if the recipient is a member of a local domain).
  6. If it was necessary to create a TORISS_DOMAINS.TXT or TORISS_LOCALS.TXT file, set "redetect=1" in Toriss.INI so that the change can take effect.
  7. Test Toriss by sending an email to a bogus local address.  The SMTP server should reject the email upon receiving the RCPT command.
  8. Test Toriss by sending an email to a valid local address.  The email should arrive as normal.
  9. Test Toriss by sending an email from a local email address to any external domain.  Toriss should not interfere.

If any problem occurs, there may be an issue with the system's security.  If you cannot figure it out, please contact us.

IMPORTANT NOTE

Whenever a new email address is added to the POP3 server, it is necessary to do one of the following:
  • Set "redetect=1" in Toriss.INI, which is located in c:\Inetpub.
  • Execute TORISS_REDETECT.EXE, which is located in the directory where Toriss is installed.

Otherwise, Toriss will be unaware of the new mailbox's existence, and therefore reject all incoming email destined for the mailbox.

REJECTING UNAUTHENTICATED CONNECTIONS FROM DYNAMIC IP'S

Simply set "dynamic=1" and "redetect=1" in Toriss.INI

SUSPENDING ACCOUNTS

To designate an email account as "suspended", enter its email address on a new line in the file "c:\Inetpub\toriss_suspensions.txt".  Then run the TORISS_REDETECT.EXE program or set "redetect=1" in Toriss.INI.  When the email account is suspended, Toriss will reject all email that is sent to that account.