Barracuda: BarracudaCentral’s Blacklist

More and more companies today are purchasing and using Barracuda’s Spam Firewall appliances to ‘block’ email. Barracuda appliances are very flexible in configuration options, but most people choose to use the ‘recommended’ setup for their appliance.  While this is easy, it is not wise.  As a result, companies may find a higher than normal percentage of false positives. Why?

Barracuda Central

BarracudaCentral.org is a site operated by Barracuda to house an alleged computational blacklist. However, unlike most blacklists, this system is completely automated and offers no details for IPs that become listed.

BarracudaCentral’s site says:

“Barracuda Reputation is one of the many techniques Barracuda Networks employs within the Barracuda Spam & Virus Firewall to reinforce its superior 95 percent spam accuracy rate.”

Wow, 95%. That’s a really good accuracy rate. This number sounds really good on paper until you read between the lines… there is nothing on the site that backs up this claim. In fact, I’ve found nothing anywhere on the Internet that backs up this claim. Further digging on BarracudaCentral’s site comes up with:

“The Barracuda Reputation Block List (BRBL) is based on the Barracuda Reputation System and operates collaboratively to fight spam. The BRBL provides a list of IP addresses which are sending spam. The Barracuda Reputation system uses automated collection methods to add and delete IP addresses from the BRBL.

The automated spam trap, collection and rating system automatically adds IP addresses to the list when spam is detected. Barracuda Networks does not manually add addresses to this IP list.”

This statement effectively says that Barracuda does not manually manage or maintain this database in any real way. They just let it do what it does on its own. This also means that it could be completely polluted with inaccurate information or, worse, completely bogus information because of ‘user collected’ garbage. Remember, garbage in - garbage out. It also states:

“Most IP addresses are listed as a result of directly sending spam or viruses to the Barracuda Reputation System’s detectors. The Barracuda Reputation System detects spam by using honeypots, special addresses created to receive only spam and do not belong to any real user and through analysis of captive spyware protocol activity. In addition, the BRBL leverages some data derived from the Barracuda Blocklist (BBL) that is delivered to Barracuda Spam & Virus Firewalls as part of Barracuda Networks’ product offerings.”

So this says BarracudaCentral utilizes spamtraps and honeypots. But, the reality is, there is no way to know what listing methodologies they are really using. These statements are just like icing on the cake. You can’t see the cake at all. These are nebulous statements with no facts behind them. Worse, when IPs are listed in this database, BarracudaCentral does not validate or verify any information. Barracuda assumes that what is derived from their appliances is 100% accurate. BarracudaCentral also apparently does not store any spam evidence to validate an IP’s existence in the database. Worse, they cannot and will not provide said evidence when requested. Barracuda support representatives simply ignore this request entirely (probably because they don’t even have the evidence to provide).

Spam RBL lists

As a result of BarracudaCentral’s poor operating principles, poor data management, lack of proper evidence and even lack of proper validation, this RBL should not be used for day-to-day operations. If you really want your emails to get through to your recipients, you should opt to use other properly managed RBL systems such as Spamhaus or Spamcop. Don’t rely on BarracudaCentral’s RBL in its present form.

If you or your IT staff utilize Barracuda spam firewall appliances, you should override the recommended use of the poorly run BarracudaCentral RBL and replace it with a far more reliable RBL system.

Not IP owner or ESP Friendly

BarracudaCentral does not offer any tools to IP owners to help manage their IP space or determine how or why an IP has become listed. They do offer a delisting mechanism, but it’s effectively useless because the IP owner cannot find out how an IP became listed. The BarracudaCentral system also does not allow you to determine which user affected the listing in order to remove that user from the service. For this reason alone, BarracudaCentral is a dead end for IP owners, and the same IP could end up listed again and again. This also means that Barracuda doesn’t appear to want to help manage or reduce spam traffic by helping ESPs. Instead, they just block the mail without giving any evidence or means to the IP owner to get rid of any offending users. So, the IPs are blocked without reason and without any valid evidence. Again, no evidence leaves no way to remove offending users.

Any ESP’s IPs may be blocked from delivery based on invalid information given by another Barracuda appliance or even by intentional misuse of a Barracuda (RBL Poisoning). Again, there are no checks and balances with this service and there’s no one at Barracuda to monitor abuse of it. For a free service that comes with the Barracuda, you get what you pay for… a half-baked service.

Barracuda Appliances

Just strictly looking at the appliance itself, Barracuda did a great job with making the hardware do what it’s supposed to do. It’s unfortunate, however, that Barracuda created such a half-baked RBL to go along with such an excellent tool. As a Barracuda owner, you should contact Barracuda and request that they fix their Barracuda RBL to offer better validation and better checking.

When you use the BRBL, you are at the mercy of hundreds or, perhaps, thousands of other installed Barracuda appliances that could even be hacked up, causing invalid listings in the BRBL and, thus, giving your domain a ton of false positives.

If you must use an RBL, you should use a trusted RBL such as Spamhaus ZEN or Spamcop. These RBLs offer tools for both the spam reporter and the ESP. They offer fair listing methodologies and they offer evidence to support their listings. Until such time as BarracudaCentral can rework their RBL to actually offer evidence to support their IP listings, you should use another RBL in your Barracuda appliance.

Other RBL systems

Systems such as Spamcop (which are also somewhat computational) offer both accurate listing methodologies and spam evidence showing what was sent and when it was sent on a given IP address. If more than one email was seen, you will see all evidence that got an IP listed. This is the kind of RBL that proves that they are in it seriously and willing to see both sides of spam filtering. Unfortunately, BarracudaCentral’s listing system isn’t fair to either side. For the Barracuda owner, you are at the mercy of other Barracuda users to be honest, forthright and non-malicious. For IP owners, there’s no listing validation or evidence to aid in why an IP ended up becoming listed.
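Without evidence from the list operator, an IP owner can still check whether a BRBL listing is corroborated by the other lists named here. The sketch below is an added example, not code from the original article or from Barracuda; the three DNSBL zone names and the `check_ip` helper are assumptions of the example, and the sample DNS answers are constructed so it runs offline.

```python
import ipaddress
import socket

# Zone names are assumptions of this example (not given in the article).
ZONES = {
    "BRBL": "b.barracudacentral.org",
    "Spamhaus ZEN": "zen.spamhaus.org",
    "Spamcop": "bl.spamcop.net",
}

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets + zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """Return the A record for name, or None if the lookup fails (NXDOMAIN)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def classify(answer):
    """Map a DNSBL answer to 'clear', 'listed' or 'error'."""
    if answer is None:
        return "clear"
    addr = ipaddress.IPv4Address(answer)
    # 127.255.255.0/24 signals a refused or malformed query on some lists
    # (Spamhaus uses it this way); it is not a listing.
    if addr in ipaddress.ip_network("127.255.255.0/24"):
        return "error"
    if addr in ipaddress.ip_network("127.0.0.0/8"):
        return "listed"
    return "error"  # non-loopback answer: wildcarding or hijacking resolver

def check_ip(ip, resolver=system_resolver):
    """Query every zone and report listings that no other list confirms."""
    status = {label: classify(resolver(dnsbl_name(ip, zone)))
              for label, zone in ZONES.items()}
    listed = [label for label, s in status.items() if s == "listed"]
    return {
        "ip": ip,
        "status": status,
        "listed_on": listed,
        # Exactly one list reports the IP: worth a delisting request or review.
        "uncorroborated": listed if len(listed) == 1 else [],
    }

# Constructed sample answers for documentation IPs (192.0.2.0/24).
SAMPLE_ANSWERS = {
    "10.2.0.192.b.barracudacentral.org": "127.0.0.2",
    "20.2.0.192.b.barracudacentral.org": "127.0.0.2",
    "20.2.0.192.zen.spamhaus.org": "127.0.0.4",
    "30.2.0.192.zen.spamhaus.org": "127.255.255.254",
}

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(check_ip(ip, SAMPLE_ANSWERS.get))
```

Calling `check_ip(ip)` without a resolver argument queries real DNS; run it from a resolver the list operators accept, since queries through large public resolvers are commonly answered with the error range rather than a result.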

Barracuda and Malicious users

For example, if some other malicious Barracuda owner decides to honeypot addresses (like postmaster, hostmaster, webmaster, etc), the Barracuda will catch valid emails and may begin marking the delivering IP addresses as ‘poor’. A malicious user could even go so far as to set up a small pseudo network of IP addresses from another company and deliver mail through the Barracuda from these fake IP addresses in order to reduce their reputation on the Internet.

Someone could even go so far as to hack up the software and literally feed BarracudaCentral inaccurate information on purpose. For all of these reasons, owners of a Barracuda should opt to use third party systems that are not computationally derived from a ‘collaborative’ environment. Using managed RBL systems such as Spamcop and Spamhaus prevents malicious usage.

Emailreg.org

Then there’s Emailreg.org that someone operates (I’m thinking it’s owned by Barracuda also). I am guessing this site is supposed to be some kind of consolation for the fact that Barracuda doesn’t want to properly manage BarracudaCentral. So, according to Barracuda, if you register your domain combined with the IP you use, your emails are supposed to bypass BarracudaCentral’s reputation RBL system. Of course, you have to pay $20 to list with this site. It is also unclear whether that’s $20 a year or $20 period. Whatever the cost, it’s questionable why a supposedly reputable appliance like Barracuda would allow you to pay a $20 fee and bypass Barracuda’s reputation system. That just doesn’t make a whole lot of sense. But, that’s what the Barracuda representatives have said. I’m guessing that the $20 fee is a way to make a bit of side money without having to put in the effort to make BarracudaCentral a more complete and, therefore, more reliable RBL.

If you are concerned about your email customers, then you need to use high quality RBL systems that you can trust.  So far, the trust level of BarracudaCentral is far too low to be of any real use today.

11 Responses to “Barracuda: BarracudaCentral’s Blacklist”

  • Justin Davis:

    Interesting article. Where did you first hear about this?

    Justin Davis
    Internet Filter

  • Brian Wright:

    Justin,

    This article is written entirely from experience. I have worked with Barracuda appliances (we have one) and I have also had to work with Barracuda support. We have also had dealings with BarracudaCentral and been unable to get any spam evidence from their support staff. So far, it appears they are unwilling or unable to supply any spam evidence when IPs become listed on their RBL.

    Without spam evidence, it’s impossible for an RBL to support the listing. Simply stating that they ‘have seen spam coming from an IP’ is not enough evidence to prove that it’s true. This is also an extremely ironic and hypocritical statement from a company that purports to offer a reputable spam filtering product. On the one hand, they are listing IPs as reputation of ‘Poor’ and on the other they provide no evidence to support that claim which tarnishes their own reputation as a valid RBL. So, their message becomes a subjective statement. Only spam evidence can prove and justify an RBL listing in an objective way.

    Thanks for your comment.

  • Serge Nichols:

    The reason BarracudaCentral can never provide any evidence for the IPs on BRBL is because BRBL data is derived from 3rd party blacklists - primarily those of Spamhaus.org.

    BRBL works thanks to the thousands of Barracuda boxes at customer sites all “sending home” to BarracudaCentral a stream of the IPs each box finds are on some other blacklist the box uses, such as the Spamhaus ZEN list.

    Effectively all BarracudaCentral do is ‘syphon’ data from ZEN and others into BRBL… which is also why they have no data on what the IPs were actually blacklisted for.

    So Spamhaus, Spamcop, CBL and others do all the work, while Barracuda simply take others’ hard work, syphon in the data and call it “BRBL”. BRBL is of course free, because they don’t yet have the gall to actually charge for the work of others too… but they will.

  • Brian Wright:

    Serge,

    I wish this were true. Unfortunately, it isn’t fully accurate. Boomerang regularly monitors all major blacklists for our IP addresses (including Spamhaus and Spamcop). Our IPs are never on Spamhaus or Spamcop (or any other RBL) when BRBL has marked our IPs as ‘Poor’. This means that they are deriving their information from places other than the major RBLs.

    What this says to me is that you are correct in that thousands of Barracuda appliances are sending IPs back to the mothership, but at the same time that info is not derived from major blacklists. As I said in the article, it may take as few as ONE Barracuda appliance to mark our IP in that local Barracuda for the BRBL to begin marking the IP as ‘Poor’. And that may also be what Barracuda means by a ‘collaborative’ system. Again, it appears that BarracudaCentral assumes that all IP reputation data coming from Barracuda appliances is 100% accurate. In fact, if it takes as few as one appliance, then that sows the seeds of maliciousness and RBL poisoning.

    Worse, they do not offer evidence to back up the listing, so IP owners are at the mercy of Barracuda appliance owners to be honest, forthright and diligent in what they do with their Barracuda. At the same time, it leaves the entire ‘collaborative’ environment open to malicious behavior which could lead to RBL poisoning.

    At best, this RBL is poor quality. At worst, it’s a complete sham. Either way, it shouldn’t be used as a production RBL assuming you really want emails to get through to your email recipients. The sad thing, though, is that Barracuda sets this RBL up by default on the appliances and most administrators don’t appear to understand this fact. So, they think the appliance is actually working well… when, in fact, the RBL is likely telling the Barracuda to block a lot more mail than it should.

    Thanks for the response.

  • Ettiene:

    Ended up reading this for the same reason this was posted.

    The first thing that jumps to mind: A high spam detection rate necessarily dictates a high false positive rate as well.

    Now, if you really want to mess up the equation further, automate everything and combine it with poor back office processes.

    I also ended up looking at http://www.emailreg.org carefully. All looked good until I had already registered and wanted to register the (I suspect) false positive domain, assuming an email originating from our small net was listed. Only then do you suddenly find a whitelisting fee of $20! Nice try - when hell freezes over!

    Also, what exactly if business competitors paste nice fake mails here: http://www.emailreg.org/index.cgi?p=reportspam? Nasty to think about that as well.

    Anyway, one glaringly obvious shortcoming is what I suspect happened in our case. A client of ours has undergone a management and company name change. They mailed their clients from the new domain, informing them of such. The rest is history.

  • Richard:

    I am a retiree with a personal computer. Why in the world would Barracuda block a single personal email to a friend-colleague and blame it on my IP’s “poor” rating? I don’t have computer viruses or malware; I don’t have a business; I don’t send spam.

  • Brian Wright:

    Barracuda rates IPs as ‘poor’ based on seemingly random criteria. The main criteria, as I understand it, is based on calculations done on the emails being received by the Barracuda (probably things like sameness, duplication, content type and style among other things). It may also be that the admin has specifically blocked the IP in their configuration and this information is sent upstream to Barracuda. Enough of these types of moves by admins may be enough to rate an IP as ‘poor’.

    The issue, however, isn’t your use of the IP address, it’s that other people may also share in this use. Because you can’t control what other people do on that IP address, your email may be affected by what others do when they share that IP with you.

    Shared IP addresses are commonly used on the Internet because IP address space is limited. Further, email servers are usually shared with other ISP participants. Because your email neighbor may choose to send spam, you will be negatively impacted when you send email using that same IP address. So, even though you don’t spam, those who share the space with you may be spammers. Thus, you are penalized for what others are doing.

    Because of the shared IP address situation and because Barracuda doesn’t maintain any database of why an IP is marked as ‘Poor’, your emails could be blocked by Barracuda appliances without any real reasons. Barracuda really needs to step up and fix their appliance to work in a more Internet friendly manner.

  • Jack Nalbandian:

    Thank you for this article. It’s been a nightmare with these people. Barracuda apparently has a delayed reaction “filtering” method that checks ancient fossil records once in a while to relist IP addresses. Our network did once upon a time, a decade or so ago, have a rogue emailer on one user’s workstation. This problem has been addressed by the blocking of outbound ports, but Barracuda seems to like relisting us repeatedly.

  • Magnum:

    Add me to the list of people who have missed very important emails because of the muppets at Barracuda Central.

    My ISP for some forsaken reason is using Barracuda which has rejected some extremely important emails today. I use a domain that belongs to an online store for my most important emails. I use this domain because it is a RELIABLE, WELL-SUPPORTED company with real paying customers! Plus, it’s the email address I use when I want it to remain valid for a long time, longer than my typical stay at an ISP.

    But thanks to Barracuda Central’s infinitesimal wisdom, when that domain tries to forward email to my current ISP it rejects them.

    I have printable tickets (barcode in .pdf) lost somewhere in the aether, and airline ticket confirmations that I need to present at the airport.

    Thanks Barracuda Central, heckuva job :oops:

  • V Corban:

    Am I to believe that it is even legal to shut off someone else’s mail for some arbitrary opinion? These guys need to be fired from guns. They shut off all mail from me to a friend I went to grade school and high school with and have known all my life. (I am nearly 62.) They made no move to check with me or inform me prior to shutting off service that there was any such problem.

    I am a person who screens all mail, forwards only the really good stuff, writes and sends out informative and useful messages to friends, relatives and contacts, and gets lots of compliments on what I send and how well written it is.

    Before I EVER forward anything I check it out pretty thoroughly and instantly reject what is false, distorted or obviously intended to harm or bring into question the reputation of the subject of the email by spreading false rumors.

    Come on! If anyone wants to inform me they received a virus, spam, etc. from me, then fine. I am all for good security and keeping the lines clean. Having a Mac, I really am not much subject to viruses and such like a PC user, but I get the protection anyway so my friends will not be exposed via my mail to them.

    If someone is somehow using my address or whatever, I would be glad to know and glad to find out how to stop it.

    Security and effective control of real spam or other slimy stuff; fine! But let’s be real. In this country you are expected to be extended the courtesy of being addressed as innocent until real proof of wrong-doing. Where is there even an attempt at fairness or valid complaints with notifications? This is one of the most irresponsible gimmicks I have heard of yet on the internet!

  • Simon Smith:

    Well, they have now decided that we can’t send emails to one of our suppliers to order spares. We don’t spam, have no known viruses or anything but we are blocked. We don’t even send block emails to our customers, that’s not how we work.

    They don’t even have a human available to answer your queries and still block you after telling you that they have sorted it out.

    Surely they are breaking the law stopping legitimate businesses from operating. This is clearly a scam to relieve people of $20.00 to “register” with what appears to be, but probably isn’t, another company.

    Lawyer anyone?
