30 days of Barracuda Spam Filtering

First, I did NOT pick Barracuda by default. I’ve been using open source software to remove spam and keep it from hitting our email servers for years now. I was given a 30-day free trial for my company, NetworkX, to test with.


Loading the product… Now, let’s start with some good news. If you know me, you know I love virtualization. I hate computer waste, whether it’s CPU or IO waste; I hate seeing an HP DL360 G8 with twin 12-core processors running just QuickBooks. Barracuda went up a few marks in my book for providing the v300 in virtual format. You get the OVF file and can install it into VMware in under an hour, YMMV, depending on the ESXi server and network speeds.


Configuration time… It’s all HTTPS GUI. You manually log in and set the IP address, then it’s all HTTPS browser time. I did like that, but you do need to know how to log in to the console on VMware, which is a given if you’re going to administer a VM. Once we had the initial setup done, it was time to flip the MX record.


First couple of laps… We did set up our main domain to work on the Barracuda. And we did see some spam get through… A little more than we did with the open source setup. Also, right out of the box, it’s barely blocking. I have to say this: Barracuda spam servers are not for beginners. If you don’t know how MX records work, or how IP addressing and routing work, get help. I’m not saying don’t do this, just that you really will want assistance in setting it up.


Active Directory versus Open Source… The first thing you have to do if you’re running Microsoft Exchange Server is set up an Active Directory connection for the Barracuda. This allows the Barracuda to know who has an email address in the domain and let their mail through. We also have domains that are hosted using Qmail; those don’t require any connection, because Qmail will tell you up front that thispersondoesnotexist@ourdomain.com does not exist. This means the Barracuda can learn which email addresses are valid by testing against the Qmail server. Unfortunately, Exchange Server is, well, stupid. Once you have the Active Directory connection, Barracuda can know which email addresses are valid. HINT: If a person leaves your domain, you can change the email address in Active Directory so Barracuda will not try to forward it to Exchange.


RBL blocking… Now that Barracuda knows which email addresses are valid and should be allowed, the very first thing I had to do was add a few RBL (Realtime Blackhole List) blockers to the Barracuda. Barracuda has its own, but it’s woefully limited. We were still getting a bunch of spam through. Don’t get me wrong, out of the box it was doing a better job than just letting our Microsoft Exchange Server 2013 fend for itself, but the amount of spam coming in was too much. After adding RBLs like bl.spamcop.net, zen.spamhaus.org, cbl.abuseat.org and dul.dnsbl.sorbs.net, we were starting to get some major blocking working.
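
The RBL lookups above all work the same way, so here is an added example (mine, not the post’s code and not Barracuda’s implementation) of what the appliance does per connecting IP against those four zones: reverse the IPv4 octets, prepend them to the zone, and treat an A-record answer in 127.0.0.0/8 as “listed”. The `FAKE_DNS` table and the three IP addresses are constructed so it runs offline; `_live_resolver` is the real lookup you would swap in.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

# The four RBL zones named in the post. Each answers an A-record query for
# <reversed IPv4 octets>.<zone>; an answer in 127.0.0.0/8 means "listed".
RBL_ZONES = ["bl.spamcop.net", "zen.spamhaus.org", "cbl.abuseat.org", "dul.dnsbl.sorbs.net"]

# Spamhaus answers in 127.255.255.0/24 signal query errors (for example a
# blocked or open resolver), not listings; treat them as "no answer".
ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: reverse the octets of an IPv4 address, append the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def interpret_answer(answer: Optional[str]) -> Optional[str]:
    """Return the 127.0.0.x return code when the answer means 'listed', else None."""
    if answer is None:
        return None
    addr = ipaddress.IPv4Address(answer)
    if addr in ERROR_RANGE or addr not in LISTED_RANGE:
        # Error code, or a lapsed/wildcarded zone answering with a public IP:
        # never treat that as a listing or every sender gets rejected.
        return None
    return str(addr)


def _live_resolver(name: str) -> Optional[str]:
    """Real DNS lookup; NXDOMAIN (not listed) surfaces as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, zones=RBL_ZONES,
             resolve: Callable[[str], Optional[str]] = _live_resolver) -> Dict[str, Optional[str]]:
    """Query every zone for one connecting IP; map zone -> return code (None when not listed)."""
    return {zone: interpret_answer(resolve(dnsbl_query_name(ip, zone))) for zone in zones}


def is_listed(ip: str, zones=RBL_ZONES, resolve=_live_resolver) -> bool:
    """True if any zone lists the IP; a filter would reject or score the message on this."""
    return any(code is not None for code in check_ip(ip, zones, resolve).values())


# Constructed answers standing in for real DNS so the example runs offline.
# 198.51.100.17 is "listed" on two zones, 192.0.2.10 is clean, and 203.0.113.5
# only trips the Spamhaus error code, which must not count as a listing.
FAKE_DNS = {
    "17.100.51.198.zen.spamhaus.org": "127.0.0.4",
    "17.100.51.198.bl.spamcop.net": "127.0.0.2",
    "5.113.0.203.zen.spamhaus.org": "127.255.255.254",
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for ip in ("198.51.100.17", "192.0.2.10", "203.0.113.5"):
        print(ip, "listed" if is_listed(ip, resolve=fake_resolver) else "clean",
              check_ip(ip, resolve=fake_resolver))
```

The return code is worth keeping rather than collapsing to a boolean: zen.spamhaus.org, for instance, encodes which sub-list matched in the last octet, and a policy can treat a known-compromised host differently from a dial-up range.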


Whitelisting… The Barracuda now started to complain about good emails, not due to RBLs, but it was doing stupid stuff like letting “Sure, Dr Oz’s stupid diet” come through but not “Invoice from <insert name of customer>”. ARGH! So within a few days, I had to add the IP addresses of good email servers. Funny, LinkedIn was automatically whitelisted from day one by Barracuda; wonder how much they paid for that? After adding a few email servers to the whitelist, important emails were no longer getting blocked.


Our domain was easy, now let’s add a domain that’s getting attacked… I added one of our client domains that was getting hit hard. This was because one customer had given her email address to a local clothing store that got hacked, and now she was getting so much spam it was horrible. Using TMDA (Tagged Message Delivery Agent), which was free and already on our Qmail server, I had blocked all spam completely. I wanted to see how Barracuda would work, and I could use TMDA on the Qmail server to see how many new attacks made it through.


Attack of the SPAMMERS… Now, this is where I start to get mad at Barracuda, and where Barracuda falls down. You would think that the engineers at Barracuda would pay attention to the news, or at least to the emails you mark as SPAM. I started to notice that certain /24 blocks and larger had spam spewing from them, and the Barracuda was clueless. I really got mad because of how many “Dr Oz”, “Finish College”, “Credit card/rating” and other obvious messages should have been blocked [which I could add a subject blocker for to the free open source filter in 2 seconds, but cannot on a Barracuda]. I started exporting the spam logs, then sorting them by IP address, and noticed that a handful of /24 blocks around the internet made up the majority of the spam. I ended up adding manual blocks to the Barracuda. It was working, and I could see a serious decrease in spam. This finally produced a drop that I could measure against TMDA in terms of what was getting through. Today, I have over 50 segments (/24 or larger) that I block because Barracuda just would not block those emails.
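
The “export the spam log, sort by IP, find the /24s” pass above is easy to script so it can be re-run each week. The example below is added here and is not the post’s code; the log lines in `SAMPLE_LOG` are constructed in a made-up `ip=… action=…` format, since the real Barracuda export layout is not shown on the page, so only the field extraction would need changing. It goes a little beyond the post by letting you pick the prefix length and by requiring both a minimum message count and a minimum share of all spam before a segment is proposed, so one chatty host does not get its whole neighbourhood blocked.

```python
import ipaddress
import re
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed log lines: one message per line with the connecting IP and the
# action the filter took. Only the ip= and action= fields matter to this script.
SAMPLE_LOG = """\
2014-05-01 08:01:12 ip=198.51.100.17 action=BLOCK subject="Dr Oz diet secret"
2014-05-01 08:03:40 ip=198.51.100.23 action=BLOCK subject="Finish College Today"
2014-05-01 08:05:02 ip=203.0.113.5 action=BLOCK subject="Credit rating alert"
2014-05-01 08:09:51 ip=198.51.100.40 action=QUARANTINE subject="Dr Oz diet secret"
2014-05-01 08:12:19 ip=192.0.2.77 action=BLOCK subject="Invoice 1042"
2014-05-01 08:15:33 ip=198.51.100.17 action=BLOCK subject="Finish College Today"
2014-05-01 08:20:08 ip=203.0.113.200 action=QUARANTINE subject="Credit card offer"
2014-05-01 08:22:45 ip=198.51.100.91 action=BLOCK subject="Dr Oz diet secret"
2014-05-01 08:30:00 ip=198.51.100.2 action=ALLOW subject="Re: meeting"
2014-05-01 08:31:27 ip=203.0.113.77 action=BLOCK subject="Credit rating alert"
"""

LINE_RE = re.compile(r"ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) action=(?P<action>[A-Z]+)")
SPAM_ACTIONS = {"BLOCK", "QUARANTINE"}   # delivered mail (ALLOW) must not count


def spam_sources(lines: Iterable[str]) -> List[str]:
    """Extract the connecting IP of every line the filter treated as spam."""
    ips = []
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group("action") in SPAM_ACTIONS:
            ips.append(m.group("ip"))
    return ips


def segments_by_spam(ips: Iterable[str], prefix_len: int = 24) -> Counter:
    """Count spam messages per network segment (/24 by default, as in the post)."""
    counts: Counter = Counter()
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return counts


def candidate_blocks(lines: Iterable[str], prefix_len: int = 24,
                     min_count: int = 3, min_share: float = 0.25) -> List[Tuple[str, int, float]]:
    """Segments worth a manual block: at least min_count spam messages AND at least
    min_share of all spam seen. Returns (network, count, share) sorted by count."""
    ips = spam_sources(lines)
    total = len(ips)
    out = []
    for net, n in segments_by_spam(ips, prefix_len).most_common():
        share = n / total if total else 0.0
        if n >= min_count and share >= min_share:
            out.append((net, n, round(share, 2)))
    return out


if __name__ == "__main__":
    for net, n, share in candidate_blocks(SAMPLE_LOG.splitlines()):
        print(f"{net}\t{n} msgs\t{share:.0%} of spam")
```

Run it against each fresh export and diff the output against the segments already blocked; anything new is a candidate to look up in whois and add, and a segment that drops out of the list for a few weeks is a candidate to remove, since static /24 blocks otherwise accumulate forever.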


But wait, there is hope… I was starting to get more SPAM blocked, and we were now in week 3 of our 30-day trial. It’s taken hours of work to stay on top of the SPAM and to make sure everything is working correctly. I still have to do the “look for /24” pass to see if a segment of the internet has been hit. FYI, I’m blocking from everywhere in the world: USA, Germany, Romania, Russia, China, etc. Nobody has a shortage of spammers. The biggest issue I have is that many of the abuse records for IP segments in foreign countries are useless. You can’t send an email to the abuse contact and show them where they are spamming from. Guess they don’t care that someone is wasting their bandwidth. But adding these blocks for a /24 or larger was working, and reducing the inbound spam.


Fine tuning… What Barracuda does have in its favor is the Outlook add-on module [short rant to Barracuda: how about one for Thunderbird? What the —- is wrong with you, the world is NOT Outlook only]. We did add the Outlook module for clients, and now clients can mark their own SPAM to be reported back to Barracuda.


Throwing it to the wolves… Lastly, I took a domain that’s constantly under attack and ran it through the Barracuda… Again, it took about a week for the Barracuda to learn what is SPAM and what may not be for that domain. But this domain really put the Barracuda into overdrive, and I think I noticed something. Maybe, and I could very well be wrong, once the Barracuda learns the domain’s patterns, the spammers see that a Barracuda is now reading their emails, and Barracuda Networks tells other Barracuda servers to start blocking. I did notice a reduction in inbound spam to the domain, and just maybe the smarter spammers don’t want to send to a Barracuda-protected email domain. Or maybe there were enough rejections that spammers began to remove the addresses from their lists.


TMDA versus Barracuda… TMDA works as follows: when TMDA gets an email, it checks to see whether mail from this sender has come through before. If not, it replies with a “prove you exist” email that carries a crafted email address to reply to. Since spammers never use a real email address, TMDA never gets a reply and the email is blocked. Barracuda, instead, looks at the email and has to decide whether to let it through or not. The issue with TMDA is that you may have to look at what’s blocked and write a custom “allow” rule for certain lists [like allow *<some identifier>*@remotedomain.com]. I would prefer to block up front, but a challenge is kind of like telling the spammer, yes, your message got through the gate.
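
To make the challenge/response flow concrete, here is an added example (my illustration, not TMDA’s code or its real address format) of the mechanism: an unknown sender is answered from a crafted address that carries an HMAC over the sender and a timestamp, so a reply proves a real mailbox exists without the filter storing anything per challenge, and the fnmatch-style `allow_patterns` play the role of the custom “allow *<some identifier>*@remotedomain.com” rule for list mail that can never answer. `SECRET`, `DOMAIN` and the addresses used are constructed.

```python
import fnmatch
import hashlib
import hmac
import time
from typing import Iterable, List, Optional, Set, Tuple

# Constructed values for the demo. A real deployment keeps a random secret per
# installation; the confirm-<stamp>.<tag>@domain layout is illustrative only.
SECRET = b"constructed-demo-key-change-me"
DOMAIN = "ourdomain.com"
CONFIRM_PREFIX = "confirm-"
MAX_AGE_SECONDS = 3 * 86400   # how long a challenge stays answerable


def _tag(sender: str, stamp: str) -> str:
    """Keyed hash binding the challenge address to one sender and one timestamp."""
    msg = f"{sender.lower()}|{stamp}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:20]


def make_confirm_address(sender: str, now: Optional[int] = None) -> str:
    """Crafted reply address placed in the 'prove you exist' message."""
    stamp = str(int(time.time()) if now is None else now)
    return f"{CONFIRM_PREFIX}{stamp}.{_tag(sender, stamp)}@{DOMAIN}"


def verify_confirm_address(addr: str, sender: str, now: Optional[int] = None) -> bool:
    """True only if addr was minted for this sender and has not expired. The tag is
    recomputed from the secret, so a forged or replayed-for-another-sender reply fails."""
    local, _, domain = addr.lower().partition("@")
    if domain != DOMAIN or not local.startswith(CONFIRM_PREFIX):
        return False
    stamp, _, tag = local[len(CONFIRM_PREFIX):].partition(".")
    if not stamp.isdigit():
        return False
    current = int(time.time()) if now is None else now
    if current - int(stamp) > MAX_AGE_SECONDS:
        return False
    return hmac.compare_digest(tag, _tag(sender, stamp))


class ChallengeFilter:
    """Minimal challenge/response gate: known or pattern-allowed senders are
    delivered; everyone else gets a challenge and is held until they answer."""

    def __init__(self, allow_patterns: Iterable[str] = ()):
        # fnmatch-style rules such as "*invoice*@remotedomain.com" for automated
        # senders that will never answer a challenge.
        self.allow_patterns: List[str] = [p.lower() for p in allow_patterns]
        self.confirmed: Set[str] = set()

    def is_allowed(self, sender: str) -> bool:
        s = sender.lower()
        return s in self.confirmed or any(fnmatch.fnmatchcase(s, p) for p in self.allow_patterns)

    def receive(self, sender: str, now: Optional[int] = None) -> Tuple[str, Optional[str]]:
        """('deliver', None) for allowed senders, else ('challenge', confirm_address)."""
        if self.is_allowed(sender):
            return "deliver", None
        return "challenge", make_confirm_address(sender, now)

    def confirm(self, sender: str, reply_to: str, now: Optional[int] = None) -> bool:
        """Called when a reply lands on a confirm-... address; a valid tag whitelists the sender."""
        if not verify_confirm_address(reply_to, sender, now):
            return False
        self.confirmed.add(sender.lower())
        return True


if __name__ == "__main__":
    f = ChallengeFilter(["*newsletter*@remotedomain.com"])
    print(f.receive("weekly-newsletter@remotedomain.com", now=1_000))   # deliver via allow rule
    action, addr = f.receive("alice@example.org", now=1_000)            # unknown -> challenge
    print(action, addr)
    print(f.confirm("alice@example.org", addr, now=1_500))              # real person replies
    print(f.receive("alice@example.org", now=2_000))                     # now delivered
    print(f.confirm("spammer@example.net", addr, now=1_500))            # forged sender: rejected
```

The two caveats the post raises show up directly: a challenge is itself outbound mail to whatever address the spammer forged (so the real filter should only challenge after RBL and recipient checks pass, not before), and every automated sender needs an allow rule or its mail sits unanswered.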


Where are we now?… Yes, the Barracuda after 30 days [and untold hours of admin time and tuning] is finally doing a better job than the open source ClamAV and Amavis, but not by much, and TMDA still wins at maximum blocking. Do I think it’s worth the $1500? Not really. But considering that Barracuda wants $8 per user per year [min 50 users in a domain], so $400/year, and you can’t really configure it, if you have enough email addresses the $1500 is alright. Does it make the clients feel all warm and happy? Yes, but only in that it will send reports to show that it’s blocking spam and what’s in the “quarantine” folder. The one real saving grace of the Barracuda is that it’s updated about once an hour, so you do have a good chance of catching most of the “Zero Hour Intent” attacks. Would I recommend Barracuda to other businesses? It would depend; you really need to look at the business case and the time it takes to set it up properly to decide if it’s a good fit for your business.


Bottom line… I’m just not sure it’s worth the $1500 to front-end a Qmail/TMDA server that already has an open source spam filter. Against the Exchange server, yes, it’s worth it, because the Exchange server can’t really defend itself. Microsoft left that to third parties like Barracuda Networks. Overall, I do like the Barracuda Spam v300. I’m not in love with the price tag, but it can work and can block a majority of spam. No solution is perfect, but the Barracuda solution works and integrates fine with Exchange.


If you do want to reach me about this project, you can reach me at info and the name of the domain. Don’t worry, I have both Barracuda and TMDA on that email account, so I’m not going to see any spam in that inbox 🙂.