Read this before you buy a Barracuda Spam Firewall appliance

Written by SpamFighter (2007-10-25) 

You're thinking about buying a Barracuda Spam Firewall because of the following reasons (which are good reasons):

  • It does a great job at detecting spams.
  • It's easy to configure.
  • It doesn't require too much changing of your current email system.
  • It's reasonably priced (maybe).

Before you buy and deploy the product, you should know the following:

  1. Backscatter problems:
    Barracuda Spam Firewalls can create a form of spam known as backscatter, which is the sending of Unsolicited Bulk Email. This can get your site BLOCK-LISTED if you are not careful!
  2. RFC-Ignorant problems:
    Barracuda Spam Firewalls can get you listed on www.rfc-ignorant.org if your postmaster address doesn't exist or gets blocked by your Barracuda Spam Firewall.

Before you buy the Barracuda Spam Firewall, ask Barracuda about this page!

I have sent emails to Barracuda about this problem and have never had a reply from them.

Barracuda Spam Firewalls have sent me over 500 unsolicited messages since 2007-08-02 (that's roughly 150/month by my calculations!). Why? Because the configuration of these systems is to "backscatter" (bounce indiscriminately) any blocked spams back to the "From:" address in the spam. The problem with this approach, and the reason why "backscatter" is annoying, is that the "From:" address in a spam is ALWAYS FORGED by the spammer.

Despite the genius of Barracuda's spam-detection system, they are too stupid to know that bouncing a spam to the "From:" address is a bad idea. Since it's always forged, the message will not go to the spammer but to an innocent third-party (e.g., ME).

There's a great explanation of the Barracuda Spam Firewall backscatter problem.

1. Backscatter: Why is this happening?

Two reasons:

  1. Barracuda Spam Firewalls are configured to "auto-respond" to blocked spams, with the message mentioned below.
  2. Spammers are forging my email in the "From:" address of their spams, and I get Barracuda's responses.

One of my email addresses happens to be popular among spammers for putting in the "From:" field of their spams. This means I get lots of "misdirected bounces" or "backscatter". It's one thing when it happens from old mail servers that are not up-to-date and bounce messages that can't be delivered. But I find that Barracuda Networks have no excuse for allowing this on their modern systems, especially since they claim to be good at detecting spams!

It's even more annoying because their message accuses ME of sending the spam in the first place.

What can happen to your domain if you buy a Barracuda Spam Firewall that is configured to block emails?

If you choose to purchase a Barracuda Spam Firewall and install it on your domain, be sure that it does not block spams and reply to the "From:" address in the spam's message. Ask Barracuda about this! They are apparently not explaining it, because I get hundreds of messages/month from their systems.

If your Barracuda Spam Firewall sends "backscatter", your site can be block-listed on spamming block lists (e.g., SpamCop, SpamHaus, Backscatterer.org, etc.). This is because people like me who get 5 messages/day from Barracuda Spam Firewalls find it annoying, and we report offending sites as if they were spammers. For us, there is no difference between a spam we get about Viagra, or a message we get saying the "message about Viagra we sent to your domain got blocked by your Barracuda Spam Firewall" -- it's a very selfish configuration of the Barracuda Spam Firewalls to bounce these messages, and you'll be incriminating your own site if you allow this.

Barracuda Spam Firewalls can be configured NOT to auto-reply to spams that are blocked. However, this means that in the event of a "false positive" (i.e., a legitimate user sending a legitimate message that the Barracuda Spam Firewall mistakenly thinks is spam), no reply is sent to that user to inform him. To prevent such problems, I recommend that you configure your Barracuda Spam Firewall to either label such emails as "Spam" in the subject and let the users decide, or place any blocked messages into a quarantine, which is patrolled by an administrator on your system.

Configuring your Barracuda Spam Firewall to auto-reply to blocked spam will hurt the reputation of your company, because you'll be sending lots of replies to forged email addresses, some of which are legitimate people and will not take kindly to that.

For the record, the messages all have a subject saying "**Message you sent blocked by our email filter**". Here's what the full headers of the message look like.

Sample message sent by Barracuda Spam Firewall:

Note that <MY_EMAIL_THAT_WAS_FORGED_IN_THE_SPAM> has been replaced to protect my email address. However, you can see how Barracuda Spam Firewalls get it wrong by replying to any "From:" address in the original spam that is blocked.

Received: by <munged_IP> with SMTP id h5cs11441qbm;
 Wed, 8 Aug 2007 23:26:33 -0700 (PDT)
Received: by <munged_IP> with SMTP id m12mr822092rvj.1186640792796;
Wed, 08 Aug 2007 23:26:32 -0700 (PDT)
Return-Path: <>
Received: from mail-kr.bigfoot.com (mail-kr.bigfoot.com [211.115.216.226])
by mx.google.com with SMTP id f34si2563390rvb.2007.08.08.23.26.31;
Wed, 08 Aug 2007 23:26:32 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of mail-kr.bigfoot.com designates 211.115.216.226 as permitted sender) client-ip=211.115.216.226;
Received: from barracuda.krmrisk.com ([207.212.122.177])
by BFLITEMAIL-KR3.bigfoot.com (LiteMail v3.03(BFLITEMAIL-KR3)) with SMTP id 0708060737_BFLITEMAIL-KR3_969594_36170036;
Mon, 06 Aug 2007 07:40:12 -0400 EST
MIME-Version: 1.0
From: Barracuda Spam Firewall <postmaster@krmrisk.com>
Message-Id: <000701c59a7b$03bd9e14$ecd3cb8a@npoekxiv>
Subject: **Message you sent blocked by our bulk email filter**
Content-Type: multipart/report; report-type=delivery-status;
charset=utf-8;
boundary="----------=_1186400407-29031-717"
To: <MY_EMAIL_THAT_WAS_FORGED_IN_THE_SPAM>
Date: Mon, 6 Aug 2007 04:40:07 -0700 (PDT)

This is a multi-part message in MIME format...

------------=_1186400407-29031-717
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: base64

WW91ciBtZXNzYWdlIHRvOiBhLmN1a3VyQGFhcnRwYS5jb20Kd2FzIGJsb2Nr
ZWQgYnkgb3VyIFNwYW0gRmlyZXdhbGwuIFRoZSBlbWFpbCB5b3Ugc2VudCB3
aXRoIHRoZSBmb2xsb3dpbmcgc3ViamVjdCBoYXMgTk9UIEJFRU4gREVMSVZF
UkVEOgoKU3ViamVjdDogVGhlIHNhbGVzIG9mIGJyYW5kLW5hbWUgcXVhbGl0
eQoK

------------=_1186400407-29031-717
Content-Type: message/delivery-status
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Description: Delivery error report

Reporting-MTA: dns; barracuda.krmrisk.com
Received-From-MTA: smtp; barracuda.krmrisk.com ([127.0.0.1])
Arrival-Date: Mon, 6 Aug 2007 04:40:06 -0700 (PDT)

Final-Recipient: rfc822; a.cukur@aartpa.com
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, UBE, id=29031-01-382
Last-Attempt-Date: Mon, 6 Aug 2007 04:40:07 -0700 (PDT)

------------=_1186400407-29031-717
Content-Type: text/rfc822-headers
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Description: Undelivered-message headers

Received: from 29.149.66.125.broad.zg.sc.dynamic.163data.com.cn (unknown [125.66.149.29])
by barracuda.krmrisk.com (Spam Firewall) with ESMTP id 18A22200BA8A
for <a.cukur@aartpa.com>; Mon, 6 Aug 2007 04:40:03 -0700 (PDT)
Received: from [125.66.149.29] by mail-kr4.bigfoot.com; Sat, 06 Aug 2005 11:40:33 +0000
Message-ID: <000701c59a7b$03bd9e14$ecd3cb8a@npoekxiv>
From: "hillel mario" <MY_EMAIL_THAT_WAS_FORGED_IN_THE_SPAM>
To: <a.cukur@aartpa.com>
Subject: The sales of brand-name quality
Date: Sat, 06 Aug 2005 09:53:10 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0004_01C59A7B.03BB4A74"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2663
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2757

------------=_1186400407-29031-717--
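
A receiving-side check for bounces like the one above, as an added example that is not part of the original page. It parses a trimmed copy of that bounce and treats it as backscatter when the client IP recorded in the bouncing MTA's own Received line is not one of your outbound relays. The function name, the `our_ips` relay set (192.0.2.25 here) and the me@example.org stand-in address are assumptions.

```python
import email
import re

# Constructed sample: the bounce above, trimmed; me@example.org is a stand-in.
SAMPLE = """\
From: Barracuda Spam Firewall <postmaster@krmrisk.com>
To: <me@example.org>
Subject: **Message you sent blocked by our bulk email filter**
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; barracuda.krmrisk.com

Final-Recipient: rfc822; a.cukur@aartpa.com

--b1
Content-Type: text/rfc822-headers

Received: from 29.149.66.125.broad.zg.sc.dynamic.163data.com.cn (unknown [125.66.149.29])
 by barracuda.krmrisk.com (Spam Firewall) with ESMTP id 18A22200BA8A
From: "hillel mario" <me@example.org>

--b1--
"""

# our_ips: hypothetical set of the relays our own mail really leaves from.
def classify_bounce(raw, our_ips=frozenset({"192.0.2.25"})):
    msg = email.message_from_string(raw)
    if (msg.get_content_type(), msg.get_param("report-type")) != (
            "multipart/report", "delivery-status"):
        return None  # not a delivery status notification
    info = {"Reporting-MTA": None, "Final-Recipient": None, "client_ip": None}
    for part in msg.walk():  # also yields the blocks inside delivery-status
        for key in ("Reporting-MTA", "Final-Recipient"):
            if part[key]:
                info[key] = part[key].split(";", 1)[-1].strip()
        if part.get_content_type() == "text/rfc822-headers":
            orig = email.message_from_string(part.get_payload())
            # Only the topmost Received line was written by the bouncing MTA;
            # anything below it may have been forged by the spammer.
            top = (orig.get_all("Received") or [""])[0]
            m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", top)
            info["client_ip"] = m.group(1) if m else None
    ip = info["client_ip"]
    info["verdict"] = ("unknown" if ip is None
                       else "genuine" if ip in our_ips else "backscatter")
    return info
```

The Reporting-MTA value it returns is the host to name when reporting the misconfigured site; a verdict of "unknown" means the bounce did not include the original headers.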

2. RFC-Ignorant: Why is this happening?

Two separate reasons:

  1. Barracuda Spam Firewalls are configured to send mail "From:" the postmaster address (e.g., postmaster@example.com), but mail coming into this address may get filtered and bounced (see problem 1 above).
  2. Barracuda Spam Firewalls are configured to send mail "From:" the postmaster address (e.g., postmaster@example.com), but this address does not exist.

Both of these reasons can get your domain block-listed for disrespecting the RFCs for internet email. See http://www.rfc-ignorant.org/policy-postmaster.php for the details.

To date, I have listed over 100 sites that have Barracuda Spam Firewalls for being RFC-ignorant with their postmaster addresses. I have an automated process that helps me do this.

If you buy a Barracuda Spam Firewall that's misconfigured and bounces emails to me that I did not send, I'll report them!