Re: Barracuda Networks Spam Firewall
Here's what I got today from Barracuda. I'll let you know if it did indeed fix my problems.

Hi Joe,

Your latency problem should be resolved.

===
On July 27th a new stream of spam was introduced into the wild. This spam contained certain formatting aspects that were intentionally designed to cause SpamAssassin's Bayesian implementation to run at extremely slow speeds. Due to the way SpamAssassin handled the email, it was taking several minutes to process these messages, and the Barracuda's internal processes would detect the potential problem and start queuing mail to prevent any mail loss. Unfortunately this precaution had the byproduct of further increasing the message latency on the system.

Barracuda Networks' team of engineers created a patch for this SpamAssassin attack. The patch was released in version 1.6.733 of the spam definitions. If you were affected by the new spam, please make sure you are running this version or higher of the spam definitions (Advanced-Energize Updates in the web GUI). Also, if you had previously contacted tech support and were advised to disable Intention Analysis (Basic-Bayesian/Fingerprinting) as a way to attempt to reduce latency, you should be able to turn this feature back on without any issues.
===

Let me know if you have any additional concerns.

Heather

Heather Russell
Barracuda Networks
408.342.5447 Direct
408.342.1061 Fax
[EMAIL PROTECTED]
www.barracudanetworks.com

-- Joe Hamelin Edmonds, WA, US
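The failure chain in Heather's note (one slow Bayes pass per message, then queueing that only adds latency) is the classic case for time-boxing an expensive classifier. The block below is an added example, not Barracuda's patch and not SpamAssassin code; the message does not say what the crafted formatting was, so the example does not reproduce it and instead shows the generic mitigation: give the Bayes pass a budget, and when it is blown, score the message on the remaining rules and flag it rather than stalling the queue. The token counts, rule names, thresholds and FakeClock are all constructed for illustration.

```python
import math
import re
import time
from collections import Counter

# Constructed token counts standing in for a trained Bayes database
# (illustrative numbers, not from any real corpus).
SPAM_TOKENS = Counter({"buy": 40, "now": 35, "cheap": 30, "http": 50, "biz": 20})
HAM_TOKENS = Counter({"meeting": 40, "router": 30, "bgp": 35, "http": 10, "thanks": 25})


def tokenize(body):
    """Lower-case alphanumeric tokens; crafted mail can yield a huge number of these."""
    return [t for t in re.split(r"[^a-z0-9]+", body.lower()) if t]


class ScanTimeout(Exception):
    """Raised when the Bayes pass exceeds its time budget."""


def bayes_probability(tokens, spam=SPAM_TOKENS, ham=HAM_TOKENS,
                      budget_s=2.0, clock=time.monotonic, check_every=64):
    """Naive-Bayes log-odds over tokens with a cooperative deadline.

    The clock is consulted every `check_every` tokens; once the budget is
    spent the scan aborts instead of holding the delivery queue for minutes.
    """
    start = clock()
    n_spam, n_ham = sum(spam.values()), sum(ham.values())
    log_odds = 0.0
    for i, tok in enumerate(tokens):
        if i % check_every == 0 and clock() - start > budget_s:
            raise ScanTimeout(f"bayes scan over {budget_s}s after {i} tokens")
        p_s = (spam[tok] + 1) / (n_spam + 2)   # Laplace-smoothed P(token | spam)
        p_h = (ham[tok] + 1) / (n_ham + 2)     # Laplace-smoothed P(token | ham)
        log_odds += math.log(p_s / p_h)
    log_odds = max(-700.0, min(700.0, log_odds))   # keep exp() in range
    return 1.0 / (1.0 + math.exp(-log_odds))


def score_with_budget(body, bayes_budget_s=2.0, clock=time.monotonic):
    """Combine Bayes with a stand-in for the other rules.

    If Bayes blows its budget the message is scored without it and flagged,
    so one pathological message cannot back up everything queued behind it.
    """
    tokens = tokenize(body)
    score, flags = 0.0, []
    try:
        p = bayes_probability(tokens, budget_s=bayes_budget_s, clock=clock)
        if p > 0.9:
            score += 3.0
            flags.append("BAYES_90")
        elif p < 0.1:
            score -= 1.0
            flags.append("BAYES_00")
    except ScanTimeout:
        flags.append("BAYES_SKIPPED_TIMEOUT")   # degrade, don't stall
    if "http" in tokens:                        # hypothetical non-Bayes rule
        score += 0.5
        flags.append("HAS_URL")
    return score, flags


class FakeClock:
    """Deterministic clock: every call advances one 'second' (for tests/demos)."""
    def __init__(self):
        self.t = -1.0

    def __call__(self):
        self.t += 1.0
        return self.t


if __name__ == "__main__":
    print(score_with_budget("Buy now! cheap pills http://x.biz"))
    print(score_with_budget("buy " * 300, clock=FakeClock()))   # budget blown
```

The point of the flag is operational: a message scored without Bayes should be visible as such in the logs, so a spike of BAYES_SKIPPED_TIMEOUT is the signal that a new stream of crafted mail has arrived, long before the queue depth shows it.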
Re: Barracuda Networks Spam Firewall
Is anyone else on NANOG having problems with Barracuda today? I'm getting massive latency (3000+ seconds) and it seems as if their tech support has gone into meltdown. While on hold I was even connected to another customer with the same problem. -- Joe Hamelin Edmonds, WA, US
Re: Barracuda Networks Spam Firewall
I just talked to Heather (sales) at Barracuda and was told that there would be a FIRMWARE release in the morning to fix a problem with virus detection. It seems that the support ppl can't really do anything right now and their phone system is melting. The word is to hold tight for a fix. -- Joe Hamelin Edmonds, WA, US
Re: Barracuda Networks Spam Firewall
My Series 400 seems to be doing fine today. Average queue latency 4 seconds which is about normal. Do you have any special config settings? -Matt On Jul 27, 2004, at 7:21 PM, Joe Hamelin wrote: I just talked to Heather (sales) at Barracuda and was told that there would be a FIRMWARE release in the morning to fix a problem with virus detection. It seems that the support ppl can't really do anything right now and their phone system is melting. The word is to hold tight for a fix. -- Joe Hamelin Edmonds, WA, US
Re: Barracuda Networks Spam Firewall
It only seems to be a problem when I hit above about 16k messages an hour. I do wish they had better numerical historical logging. Maybe in V3.0.

On Tue, 27 Jul 2004 20:03:08 -0400, Matthew Crocker [EMAIL PROTECTED] wrote: My Series 400 seems to be doing fine today. Average queue latency 4 seconds which is about normal. Do you have any special config settings? -Matt On Jul 27, 2004, at 7:21 PM, Joe Hamelin wrote: I just talked to Heather (sales) at Barracuda and was told that there would be a FIRMWARE release in the morning to fix a problem with virus detection. It seems that the support ppl can't really do anything right now and their phone system is melting. The word is to hold tight for a fix.

-- Joe Hamelin Edmonds, WA, US
Re: Barracuda Networks Spam Firewall
Eric A. Hall wrote: What's most interesting about the half-dozen accusations of xenophobia I've received (off-list and on) is that they've almost all come from foreigners. I promise not to read anything into that. Really.

Could it be perhaps because us foreigners are conditioned by repeated exposure to the xenophobic attitudes of USofA patriots?

Peter
Re: Barracuda Networks Spam Firewall
Folks, let's stop this thread. We're getting into 'spam is really bad' comments, which aren't particularly enlightening to the list.
Re: Barracuda Networks Spam Firewall
What's most interesting about the half-dozen accusations of xenophobia I've received (off-list and on) is that they've almost all come from foreigners. I promise not to read anything into that. Really. Could it be perhaps because us foreigners are conditioned by repeated exposure to the xenophobic attitudes of USofA patriots?

shut up or we'll bomb and torture you
Re: Barracuda Networks Spam Firewall
On 5/20/2004 8:25 AM, Randy Bush wrote: What's most interesting about the half-dozen accusations of xenophobia I've received (off-list and on) is that they've almost all come from foreigners. I promise not to read anything into that. Really. Could it be perhaps because us foreigners are conditioned by repeated exposure to the xenophobic attitudes of USofA patriots? shut up or we'll bomb and torture you

resist the cycle of violence and hate

-- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Re: Barracuda Networks Spam Firewall
On Wed, 19 May 2004 22:54:55 EDT, joe [EMAIL PROTECTED] said: either 1: SMTP/ESMTP is fixed so that spoofing cannot occur or 2: Another method/protocol of email/messaging is adopted

3: We change the economics of spamming in some other fashion. I've been advocating taking up a collection - every ISP that has an inbound spam problem kicks in just $100 - if there's 4,000 ISPs in the US (including all those mom&pop sites with E-bay routers), that's a pretty chunk of change. We then hire a few representatives from [choose ethnic] organized crime to explain our point of view to a few of the aforementioned 200 big offenders... Unfortunately, there's these concepts of legality and morality involved... :)
Re: Barracuda Networks Spam Firewall
On Wed, 19 May 2004, Eric A. Hall wrote: my last 10 survivors are at http://www.ehsco.com/misc/last-10-spams.eml the relevant data for them in order of occurrence is below. eight are CN, one is KR, one is Geocities, and one is dead

Different people get different spam, from different sources. For years I was under the impression that spammers must be blasting everybody, so everybody would get similar spam. I was surprised to find out that this isn't the case...

Rik -- Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. - Brian W. Kernighan
Re: Barracuda Networks Spam Firewall
On 5/20/2004 2:30 PM, Rik van Riel wrote: Different people get different spam, from different sources.

Yah, I've been advocating the use of a CIDR match-list from the beginning for this and other reasons. Actually what you'd want is per-entry weighting, so for me and my mailbox:

CIDR 221.232.0.0/14 score = 3.0
CIDR 147.28.0.0/16 score = -3.0

The ASN matching has merit too, so maybe:

ASN 4134 score = 3.0
CIDR holes punched = -3.0

etcetera

-- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Re: Barracuda Networks Spam Firewall
On May 20, 3:30pm, Rik van Riel [EMAIL PROTECTED] wrote: Different people get different spam, from different sources. For years I was under the impression that spammers must be blasting everybody, so everybody would get similar spam. I was surprised to find out that this isn't the case... This is very true. We're four people in the same company, and there is the odd overlapping spam, but generally not at all; not even over several days. There must be some undiscovered science in there. -- Per
Re: Barracuda Networks Spam Firewall
Different people get different spam, from different sources. ... This is very true. We're four people in the same company, and there is the odd overlapping spam, but generally not at all; not even over several days. There must be some undiscovered science in there. according to http://www.dcc-servers.net/dcc/graphs/, most people get most of the same spam, even if this doesn't appear in local measurements. (note that these graphs are subtle and complex and wonderful, and deserve several minutes of careful study before you try to draw any conclusions.) -- Paul Vixie
Re: Barracuda Networks Spam Firewall
On Tue, 2004-05-18 at 21:49, Eric A. Hall wrote: There's one rule that will wipe out ~90% of spam, but nobody seems to have written it yet. if URL IP addr is in China then score=100

I beg to differ, Eric A. Hall. According to statistics gathered by the Spamhaus Project (http://www.spamhaus.com), who most certainly have garnered my respect through their very satisfying services (SBL, XBL, ROKSO), it is the Yankees who are responsible for the majority of the internet's spam. Let's have a look:

Top 10 Spam Countries April 2004:
1 United States
2 China
3 South Korea
4 Brazil
5 Taiwan
6 Argentina
7 Canada
8 Russia
9 Hong Kong
10 Italy

Top 10 Worst Spam ISPs April 2004:
1 mci.com (United States)
2 savvis.net (United States)
3 kornet.net (Korea)
4 above.net (United States)
5 chinanet-gd (China)
6 chinanet-cq (China)
7 xo.com (United States)
8 interbusiness.it (Italy)
9 level3.net (United States)
10 pccw.com (China)

Top 10 ROKSO Spammers April 2004:
1 Alan Ralsky (United States)
2 Scott Richter - Wholesalebandwidth (United States)
3 Alexey Panov - ckync.com (Germany)
4 John Grandinetti / 321send.com (United States)
5 Anthony ''Tony'' M. Banks (United States)
6 Eric Reinertsen (United States)
7 lmihosting.com (United States)
8 Webfinity/Dynamic Pipe (Canada)
9 Scott Richter - OptInRealBig (United States)
10 Eddy Marin - Oneroute (United States)

According to Spamhaus, 200 known spam operations are responsible for 90% of your spam. Of the list currently available on their site, 142 of the known spammers are from a little country called THE UNITED STATES. So contrary to what you said, perhaps I should just null route all email originating from the USA? ;)

If you really wish to stop spam, first we need to stop forgery. Then all the spammers will have to resort to more legitimate means for sending emails, but that being the case RHBLs become useful, because a spammer would no longer be forging, so using domain-based black lists will actually be useful.

How to stop spam:
#1 - Stop buying crap sold via spam!!!
#2 - Stop SMTP forgery
#3 - Raise the IQ of the average Windows user/admin so they will be physically capable of patching their OS, which contrary to popular belief isn't necessarily as crappy as everyone might think.

Implementing those above three steps is a healthy start.

Cheers,
James

-- James Couzens, Programmer - http://libspf.org -- ANSI C Sender Policy Framework library http://libsrs.org -- ANSI C Sender Rewriting Scheme library - PGP: http://gpg.mit.edu:11371/pks/lookup?op=getsearch=0x6E0396B3
Re: Barracuda Networks Spam Firewall
on Wed, May 19, 2004 at 03:12:29PM -0700, James Couzens wrote: On Tue, 2004-05-18 at 21:49, Eric A. Hall wrote: There's one rule that will wipe out ~90% of spam, but nobody seems to have written it yet. if URL IP addr is in China then score=100 ^^^ I beg to differ Eric A. Hall. snip According to Spamhaus, 200 known Spam Operations are responsible for 90% of your spam. Of the list currently available on their site, 142 of the known spammers are from a little country called THE UNITED STATES. That may be, and is probably quite true - but as Eric said, a majority of the /sites/ advertised in spam use China-based ISPs. -- hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com Buy Cascading Style Sheets: Separating Content from Presentation, 2/e today! http://www.amazon.com/exec/obidos/ASIN/159059231X/heskecominc-20/ref=nosim/
Re: Barracuda Networks Spam Firewall
On Wed, 19 May 2004, James Couzens wrote: On Tue, 2004-05-18 at 21:49, Eric A. Hall wrote: There's one rule that will wipe out ~90% of spam, but nobody seems to have written it yet. if URL IP addr is in China then score=100 I beg to differ Eric A. Hall. No Eric is quite correct. Read what he wrote again. Carefully. -Dan
Re: Barracuda Networks Spam Firewall
On 5/19/2004 5:12 PM, James Couzens ([EMAIL PROTECTED]) wrote: On Tue, 2004-05-18 at 21:49, Eric A. Hall wrote: There's one rule that will wipe out ~90% of spam, but nobody seems to have written it yet. if URL IP addr is in China then score=100 ^^^

not connection address, not domain 'owner', but URL-Hostname-IP_ADDR

What's most interesting about the half-dozen accusations of xenophobia I've received (off-list and on) is that they've almost all come from foreigners. I promise not to read anything into that. Really.

-- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Re: Barracuda Networks Spam Firewall
On 19 May 2004 15:12:29 -0700 James Couzens [EMAIL PROTECTED] wrote: | if URL IP addr is in China then score=100 | I beg to differ Eric A. Hall. ... | | So contrary to what you said, perhaps I should just Null Route all | email originating from the USA? ;) While this is verging off our remit here, I would clarify the point originally made, which is that if a URL - that is, a URL cited in the body of a message - points to an IP physically located in China, then that signals a high probability of the message being spam. The physical source of the message - which is likely to be in the US or China - will most probably not be visible to the recipient due to the use of anonymising proxies and other zombie senders - those IPs are likely to be on consumer networks just about anywhere ... -- Richard Cox
Re: Barracuda Networks Spam Firewall
On Wed, 2004-05-19 at 15:28, Eric A. Hall wrote: not connection address, not domain 'owner', but URL-Hostname-IP_ADDR What's most interesting about the half-dozen accusations of xenophobia I've received (off-list and on) is that they've almost all come from foreigners. I promise not to read anything into that. Really.

Fair enough, my apologies on my misinterpretation. However, I am curious what source you have for your statistic. Going through the spam that I've got access to (and it is a substantial amount, albeit not in the millions of spam per day) I can't seem to associate the spam with Chinese URLs, and certainly not to the extent that you indicate (90%).

Cheers,
James

-- James Couzens, Programmer - http://libspf.org -- ANSI C Sender Policy Framework library http://libsrs.org -- ANSI C Sender Rewriting Scheme library - PGP: http://gpg.mit.edu:11371/pks/lookup?op=getsearch=0x6E0396B3
Re: Barracuda Networks Spam Firewall
On 5/19/2004 6:19 PM, James Couzens wrote: On Wed, 2004-05-19 at 15:28, Eric A. Hall wrote: Going through the spam that I've got access to (and it is a substantial amount albeit not in the millions of spam per day) I can't seem to associate the spam with chinese urls, and certainly not to the extent that you indicate (90%).

extract hostname from url, dig on hostname, whois on addr, and nine times out of ten the host is in a CN netblock. that's from the spam that gets into my mailbox.

let me state AGAIN that what I really want is a plugin that allows for cidr match-lists so that I can also include the handful of non-enforcing hosters in Russia, New York, Florida, etc. One responder also suggested ASN matchlists but I'm not that mad.

-- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Re: Barracuda Networks Spam Firewall
On Wed, 19 May 2004, Richard Cox wrote: While this is verging off our remit here, I would clarify the point originally made, which is that if a URL - that is, a URL cited in the body of a message - points to an IP physically located in China, then that signals a high probability of the message being spam. Altho this is probably not true if you're one of the billion or so people who live in or around China or are of Chinese origin.. Steve
Re: Barracuda Networks Spam Firewall
On Thu, 20 May 2004, Stephen J. Wilcox wrote: On Wed, 19 May 2004, Richard Cox wrote: While this is verging off our remit here, I would clarify the point originally made, which is that if a URL - that is, a URL cited in the body of a message - points to an IP physically located in China, then that signals a high probability of the message being spam. Altho this is probably not true if you're one of the billion or so people who live in or around China or are of Chinese origin.. Actually mainland chinese non-spammers seem to prefer offshore hosting eg hk, taiwan, japan or north america. I guess all the mainland chinese webhosting is all taken up by spam operators or something. -Dan
Re: Barracuda Networks Spam Firewall
perhaps this all belongs on alt.jingo.weenies? can we focus on network operations not network exclusionism? this is worse than spam.
Re: Barracuda Networks Spam Firewall
On Wed, 2004-05-19 at 16:24, Eric A. Hall wrote: extract hostname from url, dig on hostname, whois on addr, and nine times out of ten the host is in a CN netblock. that's from the spam that gets into my mailbox.

Yes I understand that is what you meant. I just did this on 5 spam in my mail box, I got:

Domain Name: AAFMALE.BIZ (www.aafmale.biz)
Registrant Country: Canada
Resolves to address: 218.232.109.220 (KRNIC-K) (Korea)

Domain Name: PLANENEWS.COM
Registrant Country: France
Resolves to address: 216.92.194.65 (PAIRNET-BLK-3) (United States)

Domain Name: MIRGOS.ORG
Registrant Country: Russia
Resolves to address: 211.198.200.208 (KRNIC-KR) (Korea)

Domain Name: WINSPR.BIZ (iityvzbtpvw.winspr.biz)
Registrant Country: New Zealand
Resolves to address: 221.233.29.33 (CHINANET-HB-JZ7) (China)

While it is only 5 mails, and certainly nothing to judge by, it does not seem to be 90%. Although Korea is under APNIC, it is not China.

let me state AGAIN that what I really want is a plugin that allows for cidr match-lists so that I can also include the handful of non-enforcing hosters in Russia, New York, Florida, etc. One responder also suggested ASN matchlists but I'm not that mad.

What sort of plugin? MTA? MUA? Going back to my previous e-mail, all of this effort I think is being placed in the wrong direction. Focus should be placed on preventing forgery, and educating users. If we spent the money we are dropping on hardware and software to stop spam (it's in the BILLIONS) on educating users and pushing anti-forgery / sender authentication/verification methods forward, we'd have an easier time of all this.

Cheers,
James

-- James Couzens, Programmer - http://libspf.org -- ANSI C Sender Policy Framework library http://libsrs.org -- ANSI C Sender Rewriting Scheme library - PGP: http://gpg.mit.edu:11371/pks/lookup?op=getsearch=0x6E0396B3
Re: Barracuda Networks Spam Firewall
On 5/19/2004 6:38 PM, Stephen J. Wilcox wrote: Altho this is probably not true if you're one of the billion or so people who live in or around China or are of Chinese origin..

just check for charset=US-ASCII first. come to think of it, ASCII would probably give half the necessary weight alone.

-- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Re: Barracuda Networks Spam Firewall
James Couzens wrote:
| On Wed, 2004-05-19 at 16:24, Eric A. Hall wrote:
|
| extract hostname from url, dig on hostname, whois on addr, and nine times
| out of ten the host is in a CN netblock. that's from the spam that gets
| into my mailbox.
|
| Yes I understand that is what you meant. I just did this on 5 spam in
| my mail box, I got:
|
| Domain Name: AAFMALE.BIZ (www.aafmale.biz)
| Registrant Country: Canada
| Resolves to address: 218.232.109.220 (KRNIC-K) (Korea)
|
| Domain Name: PLANENEWS.COM
| Registrant Country: France
| Resolves to address: 216.92.194.65 (PAIRNET-BLK-3) (United States)
|
| Domain Name: MIRGOS.ORG
| Registrant Country: Russia
| Resolves to address: 211.198.200.208 (KRNIC-KR) (Korea)
|
| Domain Name: WINSPR.BIZ (iityvzbtpvw.winspr.biz)
| Registrant Country: New Zealand
| Resolves to address: 221.233.29.33 (CHINANET-HB-JZ7) (China)
|
| While it is only 5 mails, and certainly nothing to judge by, it does not
| seem to be 90%. Although Korea is under APNIC, it is not China.

Similar results. Got 2 in the US, one in Brazil, one in Korea, and one in China.

-- = bep
RE: Barracuda Networks Spam Firewall
Eric,

There's one rule that will wipe out ~90% of spam, but nobody seems to have written it yet. if URL IP addr is in China then score=100 support for a generic lookup list of cidr blocks would get another 9%

I agree that geographically classifying the URLs embedded in the spams would be pretty slick. Using the china.blackholes.us and cn-kr.blackholes.us RBLs has been pretty effective at reducing our spamload, as a supplement to the standard lookup services. They do not discriminate between legit mails and spam mails from China. Everything from those IP blocks gets classified as spam. Luckily we don't ever get any client emails from those countries at this point and can use these filters without worrying about false-positives. (I think the doubleclick.blackholes.us is pretty funny too) There are others at: http://www.blackholes.us/ Is anyone else out there using these blackholes? I wonder how often they get updated.

Brian Battle
Confluence
Re: Barracuda Networks Spam Firewall
On 5/19/2004 7:06 PM, James Couzens wrote: I just did this on 5 spam in my mail box, I got: [domains omitted--tripped my filters]

my last 10 survivors are at http://www.ehsco.com/misc/last-10-spams.eml the relevant data for them in order of occurrence is below. eight are CN, one is KR, one is Geocities, and one is dead

219.129.20.244
inetnum: 219.128.0.0 - 219.137.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network

[timeout]

221.233.29.78
inetnum: 221.233.0.0 - 221.233.47.255
netname: CHINANET-HB-JZ7
descr: The Chinanet network in Jinzhou, Hubei province

202.104.242.133
inetnum: 202.104.0.0 - 202.104.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network

221.233.29.33
inetnum: 221.233.0.0 - 221.233.47.255
netname: CHINANET-HB-JZ7
descr: The Chinanet network in Jinzhou, Hubei province

[dupe host for CN]

219.148.126.47
inetnum: 219.148.0.0 - 219.148.159.255
netname: CHINATELECOM-he
descr: CHINANET hebei province network

66.218.77.68 (geocities, heh)
OrgName: Yahoo!
City: Sunnyvale
StateProv: CA

[dupe host for CN]
[dupe host for CN]

218.152.186.107
inetnum: 218.144.0.0 - 218.159.255.255
netname: KORNET
descr: KOREA TELECOM

-- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
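The by-hand procedure Eric describes (extract the hostname from each URL, dig it, whois the address) plus the per-entry weighted CIDR/ASN match-list with "holes punched" that he proposed earlier, and his charset=US-ASCII gate from the reply to Stephen Wilcox, fit together into one scorer. The block below is an added example written for this thread, not a SpamAssassin plugin and not anyone's posted code. It runs offline: dig is replaced by a constructed hostname-to-address table and whois by constructed tables, using the inetnum ranges and addresses quoted above (winspr.biz is the only hostname taken from the thread; the other names, the AS4134 assignment, the scores and the punched hole are assumptions for illustration).

```python
import email
import ipaddress
import re

# Constructed stand-in for `dig` (no DNS traffic). Addresses are those quoted
# in the thread unless marked hypothetical; names other than winspr.biz are made up.
FAKE_DNS = {
    "iityvzbtpvw.winspr.biz": "221.233.29.33",   # CHINANET-HB-JZ7 (thread)
    "www.geocities.com": "66.218.77.68",         # Yahoo!/Geocities (thread)
    "kr.example": "218.152.186.107",             # KORNET address (thread), name hypothetical
    "news.example": "219.129.20.244",            # CHINANET-GD address (thread), name hypothetical
    "cdn.example": "202.104.242.133",            # CHINANET-GD address (thread), name hypothetical
    "clean.example": "219.137.200.5",            # hypothetical host inside the punched hole
    "shop.example": "147.28.0.1",                # hypothetical host in the trusted block
}


def inetnum_to_cidrs(inetnum):
    """Turn a whois 'inetnum: a.b.c.d - w.x.y.z' range into CIDR blocks."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return list(ipaddress.summarize_address_range(lo, hi))


# Weighted CIDR match-list. Longest prefix wins, so a more specific entry
# "punches a hole" in a wider one. Scores are illustrative.
CIDR_RULES = []
for net in inetnum_to_cidrs("219.128.0.0 - 219.137.255.255"):   # CHINANET-GD (thread)
    CIDR_RULES.append((net, 3.0))
for net in inetnum_to_cidrs("221.233.0.0 - 221.233.47.255"):    # CHINANET-HB-JZ7 (thread)
    CIDR_RULES.append((net, 3.0))
CIDR_RULES += [
    (ipaddress.ip_network("218.144.0.0/12"), 1.5),     # KORNET (thread), lower weight
    (ipaddress.ip_network("147.28.0.0/16"), -3.0),     # trusted block named in the thread
    (ipaddress.ip_network("219.137.200.0/24"), -3.0),  # hypothetical hole in CHINANET-GD
]

# Constructed whois stand-in: netblock -> origin ASN. AS4134 for the CHINANET
# block is an assumption. The ASN rule only applies when no CIDR rule matched.
ASN_OF_BLOCK = [(ipaddress.ip_network("202.104.0.0/16"), 4134)]
ASN_RULES = {4134: 3.0}


def lookup_asn(ip):
    for net, asn in ASN_OF_BLOCK:
        if ip in net:
            return asn
    return None


def score_ip(addr):
    """Longest-prefix CIDR match first; fall back to the ASN rule; else 0."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, score in CIDR_RULES:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, score)
    if best is not None:
        return best[1]
    return ASN_RULES.get(lookup_asn(ip), 0.0)


URL_RE = re.compile(r"""https?://([^\s/?#<>"']+)""", re.IGNORECASE)


def hostnames_in(body):
    """Host part of every http(s) URL in the body, minus userinfo and port."""
    hosts = set()
    for m in URL_RE.finditer(body):
        host = m.group(1).rsplit("@", 1)[-1].split(":", 1)[0].lower()
        if host:
            hosts.add(host)
    return sorted(hosts)


def score_urls(raw_message, resolve=FAKE_DNS.get):
    """Score the URL hosts of a message against the match-list.

    Positive (geo) scores only fire when the message charset is US-ASCII, the
    gate suggested in the thread so mail written in a Chinese charset is spared;
    negative (trust) scores always apply. Unresolvable hosts score 0.
    """
    msg = email.message_from_string(raw_message)
    charset = (msg.get_content_charset() or "us-ascii").lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    total, details = 0.0, []
    for host in hostnames_in(body):
        addr = resolve(host)
        if addr is None:                      # dead host, as in the thread's sample
            details.append((host, None, 0.0))
            continue
        s = score_ip(addr)
        if s > 0 and charset != "us-ascii":
            s = 0.0
        details.append((host, addr, s))
        total += s
    return total, details


# Constructed sample messages.
SPAM_SAMPLE = (
    "From: a@example.invalid\nTo: b@example.invalid\n"
    "Content-Type: text/plain; charset=US-ASCII\n\n"
    "Great deals at http://iityvzbtpvw.winspr.biz/x.html and http://kr.example/\n"
)
CN_HAM_SAMPLE = (
    "From: c@example.invalid\nTo: b@example.invalid\n"
    "Content-Type: text/plain; charset=gb2312\n\n"
    "See http://news.example/today\n"
)

if __name__ == "__main__":
    print(score_urls(SPAM_SAMPLE))     # winspr 3.0 + kr.example 1.5
    print(score_urls(CN_HAM_SAMPLE))   # geo score suppressed by the charset gate
```

In a real filter the resolver should cache and time out, since a spammer who controls the DNS for the advertised host can make every lookup slow, which is the same queue-latency problem the Barracuda note at the top of this thread describes.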
Re: Barracuda Networks Spam Firewall
On Wed, 2004-05-19 at 17:47, Randy Bush wrote: gosh! maybe someone should set up a mailing list to discuss spam, anti-spam, ...? you mean they have? well, then maybe a bunch of us network operators (as opposed to spam weenies) should go over there and talk about sdh, router configs, circuit provisioning, etc. get a clue, spam weenies!

I've got a clue Randy Bush. Last time I checked SPAM has a serious impact on my network, and the network of others. The topic of SPAM is exceptionally relative to someone who operates a network. Now enough of the needless insults and forward with the discussion at hand.

Cheers,
James

-- James Couzens, Programmer - http://libspf.org -- ANSI C Sender Policy Framework library http://libsrs.org -- ANSI C Sender Rewriting Scheme library - PGP: http://gpg.mit.edu:11371/pks/lookup?op=getsearch=0x6E0396B3
Re: Barracuda Networks Spam Firewall
Folks,

If I may offer a humble opinion here before this gets out of hand. I see many (me included) trying to side step the issue that SMTP is a broken and insecure protocol for that of electronic messages(ing). I see folks blacklisting, RBLing, and other methods in an attempt to fix the issue, which frankly is a band-aid to the entire mess. We can sit here and do route statements like ip route 200.0.0.0 255.0.0.0 127.0.0.1 till we're blue in the face and need a spread sheet to keep up with the muck, but it's only a side step to the problem. Until either 1: SMTP/ESMTP is fixed so that spoofing cannot occur or 2: Another method/protocol of email/messaging is adopted, we are only going to keep spinning our wheels so to speak. I hate just as much as the rest to pay for the garbage of spam, but until all the MS and AOL users start using another standard we'll have to keep band-aiding the problem to keep our customers and jobs. We can all agree it's a problem, period. But as always, just my 2¢s

Joe Blanchard

- Original Message - From: James Couzens [EMAIL PROTECTED] To: Randy Bush [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Wednesday, May 19, 2004 8:59 PM Subject: Re: Barracuda Networks Spam Firewall
Re: Barracuda Networks Spam Firewall
Matthew

Spamassassin needs quite a bit of tweaking above the out of the box setup. I run about 7000 messages a day here, 70% spam, .5% virus (clamav and Sophos), very very rarely a FP. I get above 99% hit rate after adding in bayes, several additional rules from www.rulesemporium.org and the URI checks. Runs on a 600mhz celeron with load avg .5

-- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300

Matthew Crocker wrote: On May 17, 2004, at 2:35 PM, Claydon, Tom wrote: Doing evaluations on anti-spam, anti-virus solutions, and ran across this: http://www.barracudanetworks.com/ Looks like a good box -- even won an Editor's Choice award from Network Computing recently. Does anyone on list have any experience with these boxes? If so, how are they with false positives, quarantine capabilities, etc?

Tom, I have a Barracuda Spam Firewall 400, We handle about 9k users and the thing is AMAZING! My old setup was 4 dual-PIII 550Mhz, 1 Gig RAM running Qmail/Qmail-ldap/spamassassin/F-Secure AV. My inbox would get 300+ spams/day, many of them not tagged at all. This setup would melt on a regular basis when spam floods would come in. My current setup is a Barracuda 400 and 1 inbound mail server (dual P-III 550Mhz...). My inbox now gets 5 untagged spams/day and about 10 quarantined. This setup has been able to handle everything thrown at it so far with no noticeable performance hit. My customers love it, I love it, best thing I have purchased in the last 12 months. Very low false positives and high hit rate. The quarantine box is very easy to handle for users, they will get an e-mail once per day with a list of messages and links to whitelist, deliver or delete. When they click on a link they will connect/log into the Barracuda. They can manage their own Bayesian filters from the quarantine interface. It really has had a dramatic effect on my spam, I'm wondering what I'll be doing with all my spare time now that I don't have to manage my mail server.

I was watching the message log one day and noticed a spam flood in action.
10 messages came in and went to customers tagged about 0.5 or so
10 messages came in and went to customers tagged as ::SPAM:: with a score of 3.7 or so
10 messages came in and went to quarantine with a score of 5.5 or so
a bazillion messages were blocked with a score 20
It learned very fast.

My Barracuda is currently blocking 500k+ messages/day. Current stats (installed 13 days):
Blocked (SPAM): 7453215
Blocked (Virus): 24600
Quarantined: 82170
Tagged: 31552
Allowed: 580876
Average Queue latency: 4 seconds
Unique Recipients: 8245

I just signed up as a reseller and I'm building a managed mail solution around it. If you are an ISP I recommend you get a 400 series or higher. You can customize the web interface a bit and it handles multiple domains better (per domain spam settings)

-Matt

** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. **
Re: Barracuda Networks Spam Firewall
All

Sorry, that should be http://www.rulesemporium.com/

also worthwhile adding in the surbl.org plugin for SA, which adds a lot less CPU time than the bigevil etc rules.

-- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300

Martin Hepworth wrote: [...]
Re: Barracuda Networks Spam Firewall
On May 18, 2004, at 4:13 AM, Martin Hepworth wrote: Matthew Spamassassin needs quite a bit of tweaking above the out of the box setup. I run about 7000 messages a day here, 70% spam, .5% virus (clamav and Sophos), very very rarely a FP. I get above 99% hit rate after adding in bayes, several additional rules from www.rulesemporium.org and the URI checks. Runs on a 600mhz celeron with load avg .5 I agree that everything the Barracuda does can be done by hand. I had a choice of either spending $4k for a 'set it and forget it' type spam solution or continue to spend days per month of my time tweaking my old setup. I chose to go with the commercial route which will easily save me $$ and more importantly frustration over the course of this year. I can spend my time building my business now instead of tweaking my mail server. Barracuda is built on open source, It boots LILO then goes into 'secret' mode. I don't think they added any black magic to the box. They just assembled the open source parts and shrink wrapped it into a very easy to manage solution. -Matt
Re: Barracuda Networks Spam Firewall
Matt I agree that everything the Barracuda does can be done by hand. I had a choice of either spending $4k for a 'set it and forget it' type spam solution or continue to spend days per month of my time tweaking my old setup. I chose to go with the commercial route which will easily save me $$ and more importantly frustration over the course of this year. I can spend my time building my business now instead of tweaking my mail server. Barracuda is built on open source, It boots LILO then goes into 'secret' mode. I don't think they added any black magic to the box. They just assembled the open source parts and shrink wrapped it into a very easy to manage solution. -Matt I prob spend at most a couple of hours per week tweaking the thing now.. depends on whether you can squeeze the 4k out of the bean counters up front...:-) -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300
Re: Barracuda Networks Spam Firewall
On Mon, May 17, 2004 at 02:26:37PM -0700, Jared B. Reimer wrote: This is a pretty serious flaw IMHO, if it is (in fact) true. qmail isn't the only mailer that behaves this way. It looks like they may have tried to kludge their way around this with LDAP in the case of MS Exchange, which also does asynchronous bouncing of undeliverable mail IIRC. Quite frankly, I'm at a loss as to why anyone would wish to accept and queue mail that they cannot deliver. Queuing everything just allocates disk unnecessarily and results in a lot of delayed bounce backscatter, almost always directed at a third party (in the common case of spoofed from: headers). Accepting everything simply because you don't wish to give away valid addresses doesn't work; the spam bots just jabber more loudly at you. In the past year I've had two domains joe jobbed, generating thousands of those helpful delayed bounce messages per hour for my role accounts. If, after RCPT TO, you do not have a valid destination, just refuse it. My role accounts thank you. --msa
Re: Barracuda Networks Spam Firewall
On Tue, 18 May 2004 10:11:20 PDT, Majdi S. Abbas said: Quite frankly, I'm at a loss as to why anyone would wish to accept and queue mail that they cannot deliver. Queuing everything just allocates disk unnecessarily and results in a lot of delayed bounce backscatter, almost always directed at a third party (in the common case of spoofed from: headers). Well.. you're somewhat right - *IF* the mail gateway is able to make the determination quickly and definitively, reacting as soon as you see the RCPT TO: is a good idea. However, that can be a big 'if' in some configurations... Traditionally, accept and queue was a reasonable way for a gateway mail relay to function (and if you think about it, it's usually the ONLY way for an off-site secondary MX to function). You'd accept and queue everything, and then forward it to an internal machine that actually knew what mailboxes were valid addresses. If you don't do that, then you have to make your authentication system visible to machines on your DMZ, which has its own touchy implications For high-volume sites, there are also firewall state issues - if you're getting 100K messages/hour, and each one has to be open for 5 seconds because of authentication issues on the RCPT TO:, you'll average 138 open connections. If you accept, queue, and deal with it later, you can get it down to 1 second and then you only average 27 open connections (numbers for illustration purposes only).
Re: Barracuda Networks Spam Firewall
On Tue, 18 May 2004 [EMAIL PROTECTED] wrote: and then forward it to an internal machine that actually knew what mailboxes were valid addresses. If you don't do that, then you have to make your authentication system visible to machines on your DMZ, which has its own touchy implications Or push a list of valid addresses to the secondaries that they keep locally and use, update as needed. You don't need to 'authenticate' -- just know what is/isn't valid. For a few hundred, or a few thousand accounts rsync/ssh/make could do the job. If you're AOL, I'm sure there is a solution too. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
Re: Barracuda Networks Spam Firewall
On Tue, 18 May 2004 14:52:54 EDT, Christopher X. Candreva [EMAIL PROTECTED] said: Or push a list of valid addresses to the secondaries that they keep locally and use, update as needed. You don't need to 'authenticate' -- just know what is/isn't valid. Remember to ask the auditors what they think of having such a list on a box in the DMZ. ;)
Re: Barracuda Networks Spam Firewall
On Tue, 18 May 2004 14:31:21 CDT, Steve Drees said: if I 0wn your mail gateway I can generate a list of valid accounts over time. On a busy host over a short period of time. So your auditor wouldn't mind if you kept an unencrypted list of credit card numbers on a DMZ box, because if somebody hacks the box they can gather those over time? :)
Re: Barracuda Networks Spam Firewall
On Tue, 18 May 2004 [EMAIL PROTECTED] wrote: So your auditor wouldn't mind if you kept an unencrypted list of credit card numbers on a DMZ box, because if somebody hacks the box they can gather those over time? :) This is hardly the same thing. E-mail addresses are public, credit card numbers aren't. Email addresses can be gotten by brute-force checking fairly easily without even cracking the machine. card numbers can't. What would your auditor think about your secondary MX being used as a DOS amplifier because it sends out thousands of bogus bounces to forged addresses ? == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
Re: Barracuda Networks Spam Firewall
On Mon, 17 May 2004, Jared B. Reimer wrote: : We had this problem when our inbound-smtp server ( the server the : barracuda is dumping mail to) was accepting all RCPT TOs : This is a pretty serious flaw IMHO, if it is (in fact) true. qmail isn't : the only mailer that behaves this way. And, regardless of what the Barracuda box did, you should fix your qmail install. This behavior is no longer considered acceptable by the 'net at large, because accept-then-bounce is the biggest cause of virus spew bounceback spam. (As a result, people have begun widely blocking MXs that accept-then-bounce. You'd do yourself quite a favor to convert to reject-at-SMTP now, before you get blocked too.) -- -- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: Barracuda Networks Spam Firewall
On Tue, 18 May 2004 15:48:28 EDT, Christopher X. Candreva [EMAIL PROTECTED] said: What would your auditor think about your secondary MX being used as a DOS amplifier because it sends out thousands of bogus bounces to forged addresses ? You're missing the main point - that sometimes things are done in ways that are sub-optimal or even pessimal from the technical standpoint, because some other consideration interferes. Yes, it *would* be nice if everybody in the world was able to DTRT on their outward-facing gateway and send back an immediate 550 on a RCPT TO: in order to stop stuff right up front. However, this implies getting buy-in and resources of all the appropriate people. I'm sure *everybody* has had at least one Good Idea either totally shot down or mutated beyond recognition because it wouldn't pass auditors (either internal or external), or because it involved purchasing from Company X because X is the only one with the feature support, but you'll never get that purchase order approved by the it must be Company Y gear manager, or because deploying it would involve getting buy-in from somebody in applications development, and they don't understand why the urgency on this new feature you need them to add...
Re: Barracuda Networks Spam Firewall
On Tue, 18 May 2004 [EMAIL PROTECTED] wrote: : Quite frankly, I'm at a loss as to why anyone would wish to accept : and queue mail that they cannot deliver. : Well.. you're somewhat right - *IF* the mail gateway is able to make the : determination quickly and definitively, That if is rapidly becoming a *requirement*. I invite you to participate in [EMAIL PROTECTED] if you somehow feel differently. : Traditionally, accept and queue was a reasonable way for a gateway : mail relay to function (and if you think about it, it's usually the ONLY way : for an off-site secondary MX to function). Then make the offsite MX use a user list, or else don't use an offsite MX at all. Sending mail exchangers will retry when the recipient servers are down; that's mandated by SMTP. You don't need an offsite secondary MX that has no access to a valid address list. Sorry to burst your bubble, but as of this year, where the levels of virus bounce spam has reached obscene levels, this is no longer a valid excuse. : For high-volume sites, there are also firewall state issues Then upgrade your firewall. This is certainly not a valid excuse. -- -- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
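The two policies argued over in the messages above (accept-and-queue with bounces generated later, versus a gateway or secondary MX that holds a local valid-recipient list and answers 550 at RCPT TO) as an added example; this is not code from any post in the thread. It runs one SMTP transaction under each policy with a constructed recipient list and a constructed forged envelope sender, and carries the open-connection arithmetic from the 100K messages/hour post as a function.

```python
"""Reject-at-RCPT versus accept-then-bounce: a toy SMTP receiver model.

Added example, not code from any post in this thread. The recipient list,
hostnames and envelope sender are constructed for the demonstration.
"""
from dataclasses import dataclass, field

# Constructed valid-recipient list, the kind a secondary MX could hold locally.
VALID_RECIPIENTS = {"alice@example.net", "postmaster@example.net"}


@dataclass
class Gateway:
    """Inbound gateway under one of two policies:
    'reject' answers 550 at RCPT TO for unknown users;
    'accept' takes every RCPT TO, queues, and bounces at delivery time."""
    policy: str
    queue: list = field(default_factory=list)       # accepted transactions
    bounces: list = field(default_factory=list)     # DSNs this gateway emits
    transcript: list = field(default_factory=list)  # both sides of the session

    def _c(self, line):
        self.transcript.append("C: " + line)

    def _s(self, line):
        self.transcript.append("S: " + line)

    def session(self, mail_from, rcpt_tos, data):
        """Run one SMTP transaction; returns the recipients accepted."""
        self._s("220 mx.example.net ESMTP")
        self._c("EHLO client.example.org")
        self._s("250 mx.example.net")
        self._c(f"MAIL FROM:<{mail_from}>")
        self._s("250 2.1.0 Ok")
        accepted = []
        for rcpt in rcpt_tos:
            self._c(f"RCPT TO:<{rcpt}>")
            if self.policy == "reject" and rcpt not in VALID_RECIPIENTS:
                # The decisive difference: refuse here, while the sender is
                # still on the wire, so no bounce is ever generated.
                self._s(f"550 5.1.1 <{rcpt}>: Recipient address rejected")
                continue
            self._s("250 2.1.5 Ok")
            accepted.append(rcpt)
        if accepted:
            self._c("DATA")
            self._s("354 End data with <CR><LF>.<CR><LF>")
            self._c("<message data>")
            self._c(".")
            self._s("250 2.0.0 Ok: queued")
            self.queue.append({"from": mail_from, "rcpts": accepted, "data": data})
        self._c("QUIT")
        self._s("221 2.0.0 Bye")
        return accepted

    def deliver_queue(self):
        """Later delivery attempt. Unknown users found now can only be
        reported by a DSN to the envelope sender; if that sender was
        forged, the DSN is backscatter aimed at a third party."""
        for msg in self.queue:
            for rcpt in msg["rcpts"]:
                if rcpt not in VALID_RECIPIENTS and msg["from"]:
                    self.bounces.append({"to": msg["from"],
                                         "reason": f"{rcpt}: User unknown"})
        self.queue.clear()
        return len(self.bounces)


def average_open_connections(messages_per_hour, seconds_per_session):
    """Little's law: mean concurrency = arrival rate * time each session is open.
    100K/hour held 5 s -> about 138 connections; 1 s -> about 27."""
    return messages_per_hour / 3600.0 * seconds_per_session


def compare_policies():
    """Same spam run (one real user, two dictionary guesses, forged sender)
    through both policies; returns per-policy counts."""
    forged_sender = "victim@joe-jobbed.example"  # constructed third party
    rcpts = ["alice@example.net", "bogus1@example.net", "bogus2@example.net"]
    results = {}
    for policy in ("reject", "accept"):
        gw = Gateway(policy)
        accepted = gw.session(forged_sender, rcpts, "Subject: start making money")
        gw.deliver_queue()
        results[policy] = {
            "accepted_rcpts": len(accepted),
            "rejected_at_rcpt": sum(1 for l in gw.transcript if l.startswith("S: 550")),
            "backscatter_bounces": len(gw.bounces),
        }
    return results


if __name__ == "__main__":
    for policy, counts in compare_policies().items():
        print(policy, counts)
    print("open connections at 100K/h, 5 s:",
          round(average_open_connections(100_000, 5), 1))
```

Printing `Gateway("reject").transcript` after a session shows the 550 replies landing while the client is still connected, which is the whole point of the reject-at-SMTP argument.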
Re: Barracuda Networks Spam Firewall
On Tue, 18 May 2004 [EMAIL PROTECTED] wrote: : Yes, it *would* be nice if everybody in the world was able to DTRT on : their outward-facing gateway and send back an immediate 550 on a RCPT TO: : in order to stop stuff right up front. However, this implies getting : buy-in and resources of all the appropriate people. Blocking outbound mail from such entities is a pretty good way to get buy-in. (Yes, there's a DNSBL in work to enumerate such systems.) -- -- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: Barracuda Networks Spam Firewall
On Tue, 18 May 2004 [EMAIL PROTECTED] wrote: You're missing the main point - that sometimes things are done in ways that are sub-optimal or even pessimal from the technical standpoint, because some other consideration interferes. Yes, it *would* be nice if everybody in the world Oh, I know that point very well. It's why we're in the mess we are in, because no one could budget to set things up properly. It's the same argument we heard as to why people couldn't close their open relays. To which we eventually responded OK, if that's what you have to do. Let us know when you have fixed it and we'll accept mail from you again. You'll have to use a different server though, 'cause it's blocked now. It's not that I missed the point. I don't care if YOU can't afford it. That's your problem. I'm not going to let it affect MY network. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
Re: Barracuda Networks Spam Firewall
You're missing the main point - that sometimes things are done in ways that are sub-optimal or even pessimal from the technical standpoint, because some other consideration interferes. Yes, it *would* be nice if everybody in the world But if you really need a reason to convince someone who won't get their head out of their . . . the sand -- You can probably cut in half the number of viruses you have to scan if you reject invalid addresses up front, meaning you can buy a smaller/ fewer virus scanner(s). Which means the companies making them have absolutely no incentive to add this feature. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
Re: Barracuda Networks Spam Firewall
On Tue, 18 May 2004 16:13:20 EDT, Todd Vierling said: On Tue, 18 May 2004 [EMAIL PROTECTED] wrote: : Yes, it *would* be nice if everybody in the world was able to DTRT on : their outward-facing gateway and send back an immediate 550 on a RCPT TO: : in order to stop stuff right up front. However, this implies getting : buy-in and resources of all the appropriate people. Blocking outbound mail from such entities is a pretty good way to get buy-in. (Yes, there's a DNSBL in work to enumerate such systems.) When it gets built, will it list AOL.COM for not rejecting at the original RCPT TO? Or Hotmail.com? (Consider the following 2 pieces of mail - mail comes in from someplace with a From: @aol.com, our Listserv tries to process the command (which was actually spam, but it's hard to tell that until you try to handle it), and send the response back... notice that AOL didn't 550 my mail, but accepted and bounced it. Similarly for the hotmail.com mail - the spam comes in, and they accept-and-bounce our response rather than 550 it (although to be fair, they usually DO manage to 550 this stuff). Yes, it's generally a good idea - but not one that everybody can carry out all the time. You don't like it, take it up with the AOL and Hotmail guys, not me, OK? :) ---BeginMessage--- The original message was received at Mon, 17 May 2004 04:56:55 -0400 (EDT) from listserv.vt.edu [198.82.161.192] *** ATTENTION *** Your e-mail is being returned to you because there was a problem with its delivery. The address which was undeliverable is listed in the section labeled: - The following addresses had permanent fatal errors -. The reason your mail is being returned to you is listed in the section labeled: - Transcript of Session Follows -. The line beginning with describes the specific reason your e-mail could not be delivered. The next line contains a second error message which is a general translation for other e-mail servers. 
Please direct further questions regarding this message to your e-mail administrator. --AOL Postmaster - The following addresses had permanent fatal errors - [EMAIL PROTECTED] - Transcript of session follows - ... while talking to air-xg01.mail.aol.com.: RCPT To:[EMAIL PROTECTED] 550 MAILBOX NOT FOUND 550 [EMAIL PROTECTED]... User unknown Reporting-MTA: dns; rly-xg05.mx.aol.com Arrival-Date: Mon, 17 May 2004 04:56:55 -0400 (EDT) Final-Recipient: RFC822; [EMAIL PROTECTED] Action: failed Status: 5.1.1 Remote-MTA: DNS; air-xg01.mail.aol.com Diagnostic-Code: SMTP; 550 MAILBOX NOT FOUND Last-Attempt-Date: Mon, 17 May 2004 04:56:58 -0400 (EDT) Received: from listserv.vt.edu (listserv.vt.edu [198.82.161.192]) by rly-xg05.mx.aol.com (v99_r4.3) with ESMTP id MAILRELAYINXG56-47040a87e5628e; Mon, 17 May 2004 04:56:54 -0400 Received: from listserv.vt.edu (LOCALHOST [127.0.0.1]) by listserv.vt.edu (8.12.10/8.12.10/LISTSERV) with ESMTP id i4H85h43139864 for [EMAIL PROTECTED]; Mon, 17 May 2004 04:56:54 -0400 Date: Mon, 17 May 2004 04:56:54 -0400 From: L-Soft list server at LISTSERV.VT.EDU (1.8e) [EMAIL PROTECTED] Subject: Re: start making money To: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] X-AOL-IP: 198.82.161.192 X-AOL-SCOLL-SCORE: 0:XXX:XX X-AOL-SCOLL-URL_COUNT: 0 ---End Message--- ---BeginMessage--- This is an automatically generated Delivery Status Notification. Delivery to the following recipients failed. 
[EMAIL PROTECTED] Reporting-MTA: dns;mc2-f24.hotmail.com Received-From-MTA: dns;listserv.vt.edu Arrival-Date: Sun, 11 Apr 2004 22:07:13 -0700 Original-Recipient: Final-Recipient: rfc822;[EMAIL PROTECTED] Action: failed Status: 5.0.0 Diagnostic-Code: smtp;550 Requested action not taken: mailbox unavailable ---BeginMessage--- Your message dated Sun, 11 Apr 04 23:05:06 GMT with subject Á÷ÀåÀηР½ÅûÇϼ¼¿ä 6°³¿ùÀÌ»ó±Ù¹«ÀÚ clrqy lhu iotgnuhca has been submitted to the moderator of the TURBVIS list: [EMAIL PROTECTED] ---End Message--- ---End Message---
Re: Barracuda Networks Spam Firewall
On Tue, 18 May 2004 [EMAIL PROTECTED] wrote: When it gets built, will it list AOL.COM for not rejecting at the original RCPT TO? Or Hotmail.com? (Consider the following 2 pieces of mail - mail Don't know about hotmail, but AOL is working on this. You might want to check out that SPAM-L list, if this is something you are interested in. Once AOL starts doing it -- you can bet they will be one of the ones blocking on it. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
Re: Barracuda Networks Spam Firewall
On Tue, 18 May 2004 16:56:30 EDT, Christopher X. Candreva [EMAIL PROTECTED] said: But if you really need a reason to convince someone who won't get their head out of their . . . the sand -- You can probably cut in half the number of viruses you have to scan if you reject invalid addresses up front, meaning you can buy a smaller/ fewer virus scanner(s). Which means the companies making them have absolutely no incentive to add this feature. Right. Mirapoints are that way too (at least in our configuration). And yes, we'll probably have to buy a 5th Mirapoint and/or upgrade our current 4 sooner because of it - but the incremental cost for that is *still* lower than the cost of replacing them with another vendor's gear Now how do you explain to the CFO that in order to get around a $50K upgrade to the current gear, you want to spend $200K to bring in another vendor? :)
Re: Barracuda Networks Spam Firewall
On Tue, 18 May 2004 17:11:54 EDT, Christopher X. Candreva [EMAIL PROTECTED] said: Don't know about hotmail, but AOL is working on this. You might want to check out that SPAM-L list, if this is something you are interested in. Other than knowing that it's a good idea if you can do it, but sometimes not doable with the resources at hand, I don't have any special interest in it... Once AOL starts doing it -- you can bet they will be one of the ones blocking on it. That's going to pretty much torpedo the concept of secondary MX's.
backscatter hosts (was: Re: Barracuda Networks Spam Firewall)
on Tue, May 18, 2004 at 04:01:40PM -0400, Todd Vierling wrote: On Mon, 17 May 2004, Jared B. Reimer wrote: : We had this problem when our inbound-smtp server ( the server the : barracuda is dumping mail to) was accepting all RCPT TOs : This is a pretty serious flaw IMHO, if it is (in fact) true. qmail isn't : the only mailer that behaves this way. And, regardless of what the Barracuda box did, you should fix your qmail install. This behavior is no longer considered acceptable by the 'net at large, because accept-then-bounce is the biggest cause of virus spew bounceback spam. (As a result, people have begun widely blocking MXs that accept-then-bounce. You'd do yourself quite a favor to convert to reject-at-SMTP now, before you get blocked too.) At present, thanks to a recent massive joe job against one of the domains we host, I've got a list of ~16100 mailhosts that I no longer accept null sender mail* from. Most of them are running qmail, based on some unscientific analysis I did when compiling the list. All of them accepted, then bounced, mail from spammers HELO'ing with that domain back to the victim. Several hundred also sent us DSNs from virus forgeries. All of them were unnecessary. Sad, really, especially given that patches exist to fix this problem. Steve * or postmaster/Symantec_Antivirus/Webshield/VirusWall/JCT/etc. -- hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com Buy Cascading Style Sheets: Separating Content from Presentation, 2/e today! http://www.amazon.com/exec/obidos/ASIN/159059231X/heskecominc-20/ref=nosim/
Re: Barracuda Networks Spam Firewall
On Tue, 18 May 2004 [EMAIL PROTECTED] wrote: : Blocking outbound mail from such entities is a pretty good way to get : buy-in. (Yes, there's a DNSBL in work to enumerate such systems.) : : When it gets built, will it list AOL.COM for not rejecting at the original : RCPT TO? AOL happens to be working with the anti-spam community by converting their MXs to do reject-at-SMTP. (See SPAM-L archives. They're quite aware of the problem and are in fact addressing it.) : Or Hotmail.com? Strange; I've received direct SMTP rejections from Hotmail plenty of times recently. Given the size of that entity, I'm sure the DNSBL admin in question would try to work with them (and Hotmail admins have also shown themselves on SPAM-L); but without any movement, yes, it'd be a candidate for listing. -- -- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: Barracuda Networks Spam Firewall
On Tue, 18 May 2004 [EMAIL PROTECTED] wrote: : Don't know about hotmail, but AOL is working on this. You might want to : check out that SPAM-L list, if this is something you are interested in. : : Other than knowing that it's a good idea s/a good idea/an emerging requirement/ (and for one definition of the idea, s/a good idea/a soon-to-be RFC MUST/) : if you can do it, s/can do it/wish to send mail, or at least DSNs, to most of the 'net soon/ : but sometimes not doable with the resources at hand, s/.*// Those of us under a deluge of virus bounce spew just don't care anymore. If you don't reject at SMTP time, you're now a major part of the problem. (As a straw example, I happen to block, on a personal 12 user domain, almost 20k bounce spew attempts per day. That's simply untenable anymore.) : Once AOL starts doing it -- you can bet they will be one of the ones : blocking on it. : : That's going to pretty much torpedo the concept of secondary MX's. And what's the gain of secondary MX's that don't have access to a valid address list? Ever since the advent of globally deployed, permanently connected sending MX's, offsite secondary MX machines have become moot. SMTP mandates that a missed connection is equivalent to a 4xx error, in that the sender is to retry delivery later. That obviates any need for an offsite secondary MX in today's world. Unauditable SMTP transport -- that is, SMTP where neither the sender nor recipient values are verifiable -- is no longer a workable solution. The problems with that model are reaching critical mass, and if you don't think it's a problem now, just trust me; you'll be a believer soon enough. -- -- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: Barracuda Networks Spam Firewall
On 5/18/2004 4:22 PM, [EMAIL PROTECTED] wrote: That's going to pretty much torpedo the concept of secondary MX's. Folks still run those? No really, most people I know terminated their off-site secondaries a couple of years ago at least. The only secondary you can reasonably use these days has (1) a copy of your user list, and (2) a clone of your spam filters. -- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Re: Barracuda Networks Spam Firewall
On May 18, 5:22pm, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Once AOL starts doing it -- you can bet they will be one of the ones blocking on it. That's going to pretty much torpedo the concept of secondary MX's. Not to suddenly burst back, but ... Second/terti/etc-ary MXers really belong in a bygone age anyway. There was a time when IP was a novelty, and UUCP was king. Then there was a time when UUCP was getting long in the tooth, but politics dictated an IP Internet that was not universally connected. Somewhere in the meantime, leading a life of its own, was something called FidoNet (http://www.fidonet.org) and something else called BITNET (http://www.bitnet.org), but as of today both are for pub brawls only. This is of course an opportune moment to recall that the 10th anniversary of the shutdown of the successor of mcvax.bitnet, namely mcsun.bitnet, was in January of this year. http://www.mcvax.org/mcsun/ The fundamental idea of less preferred MXs was to get the mail delivered through a backdoor, not reachable via IP routing from the originator. Think multihoming for email, keeping in mind that email routing is disjoint from IP routing: a genuine secondary MX would be able to, one way or another, deliver the mail, by means not accessible to the originator. This inaccessibility would be because the more preferred MX was unreachable for one of several reasons (host down, network down, or politics enabled), but, whatever the reason, one wanted to find a way of routing around the problem. For a long time since then, backup MXs have been seen as a kind of value-added courtesy service; they serve no really useful purpose, but look good on a checklist. In practice, of course, in the current Internet it rarely matters on which host an undelivered email is spinning in the spool area. Best, -- Per
Re: Barracuda Networks Spam Firewall
On 5/18/2004 6:44 PM, Per Gregers Bilse wrote: For a long time since then, backup MXs have been seen as a kind of value-added courtesy service; they serve no really useful purpose well, they're handy for centralizing filters against multiple domains, if you're willing to put your various primaries at the mercy of the filter service, and if the filter knows your valid recipients. what with ldap-smart servers and fancy routing, this isn't even hard anymore. but general backup MX is long-time dead. first the spammers killed our outbound flexibility by forcing everybody to close their relays, and then they killed our inbound flexibility by forcing everybody to close their generic backup MX paths. that cracking sound is stress fractures as the network gets more rigid. -- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Re: Barracuda Networks Spam Firewall
On May 18, 7:03pm, Eric A. Hall [EMAIL PROTECTED] wrote: For a long time since then, backup MXs have been seen as a kind of value-added courtesy service; they serve no really useful purpose well, they're handy for centralizing filters against multiple domains, if you're willing to put your various primaries at the mercy of the filter service, and if the filter knows your valid recipients. what with ldap-smart servers and fancy routing, this isn't even hard anymore. But this only means that the primary, and only, MX should be the filter service MX; in turn, it would deliver sanitized email to its real destination. An amusing twist on this is then that the final recipients could be listed as less preferred MXs -- if the filter service MX is down, one would accept all mail unfiltered, rather than wait until the primary, filter service, MX is back on line. While this would be a legitimate use of less preferred MXs, even if it practically turns the original rationale upside down, I would generally suggest to opt for uncompromising reliability on a filter service MX, and fall back on DNS changes for disaster recovery, rather than receive tons of junk unfiltered mail whenever there's a glitch on the primary, filter server, MX. But your point is technically correct. Only goes to show how much mileage there is to be had from an otherwise very simple protocol extension.-) Best, -- Per
Re: Barracuda Networks Spam Firewall
On 5/17/2004 4:00 PM, Joe Boyce wrote: I Googled around and found a bunch of rulesets that once installed, started tagging those hard to get messages. http://www.rulesemporium.com/ is a good place to start if anybody else is running Spam Assassin straight out of the box. There's one rule that will wipe out ~90% of spam, but nobody seems to have written it yet. if URL IP addr is in China then score=100 support for a generic lookup list of cidr blocks would get another 9% -- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Re: Barracuda Networks Spam Firewall
Eric A. Hall wrote: There's one rule that will wipe out ~90% of spam, but nobody seems to have written it yet. if URL IP addr is in China then score=100 Where does this leave the 70% which would only match the rule; if URL IP addr is in FL,USA then score=42 ? Pete support for a generic lookup list of cidr blocks would get another 9%
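The "URL IP address in a CIDR list" rule sketched in the message above and questioned in this reply, written out as an added example (not SpamAssassin code and not from either poster). DNS resolution is replaced by a constructed hostname-to-address table so it runs offline; the CIDR blocks are documentation ranges standing in for whatever allocations a site would load, and the per-block score is a tunable so the "FL, USA" variant can be tried the same way.

```python
"""Score a message by where its URL hosts resolve to, matched against a
generic CIDR list. Added example; the DNS table, the CIDR blocks and the
scores are all constructed stand-ins, not real country allocations."""
import ipaddress
import re

# Constructed stand-in for A-record lookups (hostname -> address).
FAKE_DNS = {
    "pills.example": "203.0.113.45",
    "www.example.org": "198.51.100.7",
}

# Constructed CIDR list with the score each block adds. In a real
# deployment this would be loaded from a file of (prefix, score) lines.
CIDR_RULES = [
    (ipaddress.ip_network("203.0.113.0/24"), 100.0),  # stand-in for "China"
    (ipaddress.ip_network("192.0.2.0/24"), 42.0),     # stand-in for "FL, USA"
]

# http(s)://host[:port]...  where host is a name, a dotted IPv4 or [IPv6].
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::\d+)?", re.I)


def url_hosts(body):
    """All URL hosts in a message body, IPv6 brackets stripped."""
    return [m.group(1).strip("[]") for m in URL_RE.finditer(body)]


def resolve(host):
    """Literal IPs resolve to themselves; names go through the fake table."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    addr = FAKE_DNS.get(host.lower())
    return ipaddress.ip_address(addr) if addr else None


def cidr_score(body):
    """Return (score, hits): the highest matching block score for any URL host
    in the body, plus (host, ip, prefix, score) for every match."""
    hits, best = [], 0.0
    for host in url_hosts(body):
        ip = resolve(host)
        if ip is None:
            continue  # unresolvable host: the rule has nothing to say
        for net, score in CIDR_RULES:
            if ip in net:  # a v6 address simply fails to match a v4 block
                hits.append((host, str(ip), str(net), score))
                best = max(best, score)
    return best, hits


# Constructed sample bodies.
SAMPLE_SPAM = "Buy now at http://pills.example/buy or http://203.0.113.9:8080/x"
SAMPLE_HAM = "Minutes are posted at https://www.example.org/minutes"

if __name__ == "__main__":
    for body in (SAMPLE_SPAM, SAMPLE_HAM):
        print(cidr_score(body))
```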
Re: Barracuda Networks Spam Firewall
On May 17, 2004, at 2:35 PM, Claydon, Tom wrote: Doing evaluations on anti-spam, anti-virus solutions, and ran across this: http://www.barracudanetworks.com/ Looks like a good box -- even won an Editor's Choice award from Network Computing recently. Does anyone on list have any experience with these boxes? If so, how are they with false positives, quarantine capabilities, etc? Tom, I have a Barracuda Spam Firewall 400, We handle about 9k users and the thing is AMAZING! My old setup was 4 dual-PIII 550Mhz, 1 GIg RAM running Qmail/Qmail-ldap/spamassassin/F-Secure AV. My inbox would get 300+ spams/day, many of them not tagged at all This setup would melt on a regular basis when spam floods would come in My current setup is a Barracuda 400 and 1 inbound mail server (dual P-III 550Mhz...). My inbox now gets 5 untagged spams/day and about 10 quarantined. This setup has been able to handle everything thrown at it so far with no noticeable performance hit My customers love it, I love it, best thing I have purchased in the last 12 months. Very low false positives and high hit rate. The quarantine box is very easy to handle for users, they will get an e-mail once per day with a list of messages and links to whitelist, deliver or delete. When they click on a link they will connect/log into the Barracuda. They can manage their own Bayesian filters from the quarantine interface. It really has had a dramatic effect on my spam, I'm wondering what I'll be doing with all my spare time now that I don't have to manage my mail server. I was watching the message log one day and noticed a spam flood in action. 10 messages came in and went to customers tagged about 0.5 or so 10 messages came in and went to customers tagged as ::SPAM:: with a score of 3.7 or so 10 messages came in and went to quarantine with a score of 5.5 or so a bazillion messages were blocked with a score 20 It learned very fast.
My Barracuda is currently blocking 500k+ messages/day current stats (installed 13 days) Blocked (SPAM) :7453215 Blocked (Virus) : 24600 Quarantined : 82170 Tagged: 31552 Allowed : 580876 Average Queue latency : 4 seconds Unique Recipients : 8245 I just signed up as a reseller and I'm building a managed mail solution around it. If you are an ISP I recommend you get a 400 series or higher. You can customize the web interface a bit and it handles multiple domains better (per domain spam settings) -Matt
Re: Barracuda Networks Spam Firewall
We have done an eval of this same product (model 400). It is very cool in virtually every regard except one: performance. We were facing 1+ hour mail delays (!) through the device when pumping less than 1,000,000 messages per day through it. Given that they claim it can handle ten times that much, I am left wondering what happened. Very disappointing in that regard; the eval unit is being shipped back as a result. -- Jared At 11:35 AM 5/17/2004, Claydon, Tom wrote: Doing evaluations on anti-spam, anti-virus solutions, and ran across this: http://www.barracudanetworks.com/ Looks like a good box -- even won an Editor's Choice award from Network Computing recently. Does anyone on list have any experience with these boxes? If so, how are they with false positives, quarantine capabilities, etc? Thanks, Tom Claydon Dobson Telephone ## Jared B. Reimer [EMAIL PROTECTED] ## CTO / The River Internet Access Co. ## +1 (877) 88-RIVER x170 || http://www.theriver.com/
Re: Barracuda Networks Spam Firewall
Monday, May 17, 2004, 12:32:29 PM, you wrote:

MC My old setup was 4 dual-PIII 550MHz, 1 Gig RAM running
MC Qmail/Qmail-ldap/SpamAssassin/F-Secure AV. My inbox would get 300+
MC spams/day, many of them not tagged at all
MC This setup would melt on a regular basis when spam floods would come in

Not to thread jack or anything, but when I first moved our cluster to Spam Assassin, I was disappointed at the amount of messages that would get past Spam Assassin at even a low threshold of 2. I Googled around and found a bunch of rulesets that, once installed, started tagging those hard-to-get messages. http://www.rulesemporium.com/ is a good place to start if anybody else is running Spam Assassin straight out of the box.

Regards,
Joe Boyce

---
InterStar, Inc. - Shasta.com Internet
Phone: +1 (530) 224-6866 x105
Email: [EMAIL PROTECTED]
RE: Barracuda Networks Spam Firewall
We've had a 400 up for 3 months now, very nice box. It's doing pretty good with handling false positives, and the updates are very frequent. One of the nice things for us is the ability to do per domain / per user quarantines for clients that want that ability. It also has an 'Exchange Accelerator' to tie into LDAP on Exchange servers. We've not had any serious throughput issues so far, but only pushing 500K mails a day so far.

Christopher Brown
Concergent, LLC
Wichita, Kansas

-----Original Message-----
From: Jared B. Reimer [mailto:[EMAIL PROTECTED]
Sent: Monday, May 17, 2004 3:48 PM
To: Claydon, Tom
Cc: [EMAIL PROTECTED]
Subject: Re: Barracuda Networks Spam Firewall

We have done an eval of this same product (model 400). It is very cool in virtually every regard except one: performance. We were facing 1+ hour mail delays (!) through the device when pumping less than 1,000,000 messages per day through it. Given that they claim it can handle ten times that much, I am left wondering what happened. Very disappointing in that regard; the eval unit is being shipped back as a result.

-- Jared

At 11:35 AM 5/17/2004, Claydon, Tom wrote:

Doing evaluations on anti-spam, anti-virus solutions, and ran across this: http://www.barracudanetworks.com/ Looks like a good box -- even won an Editor's Choice award from Network Computing recently. Does anyone on list have any experience with these boxes? If so, how are they with false positives, quarantine capabilities, etc?

Thanks,
Tom Claydon
Dobson Telephone

## Jared B. Reimer [EMAIL PROTECTED]
## CTO / The River Internet Access Co.
## +1 (877) 88-RIVER x170 || http://www.theriver.com/
Re: Barracuda Networks Spam Firewall
Jared B. Reimer [EMAIL PROTECTED] 5/17/04 2:48:16 PM:

We have done an eval of this same product (model 400). It is very cool in virtually every regard except one: performance. We were facing 1+ hour mail delays (!) through the device when pumping less than 1,000,000 messages per day through it. Given that they claim it can handle ten times that much, I am left wondering what happened. Very disappointing in that regard; the eval unit is being shipped back as a result.

-- Jared

Did you not receive some basic support from them during your evaluation? A perceived 90% drop in performance is pretty significant and I'd imagine that they'd be interested in helping to determine the cause.

John
--
Re: Barracuda Networks Spam Firewall
At 05:00 PM 17/05/2004, Joe Boyce wrote:

Not to thread jack or anything, but when I first moved our cluster to Spam Assassin, I was disappointed at the amount of messages that would get past Spam Assassin at even a low threshold of 2. I Googled around and found a bunch of rulesets that, once installed, started tagging those hard-to-get messages.

Also, use the various RBLs in the scoring, e.g. add 50% of the threshold score if it's on spamcop and 25% for some of the other more aggressive RBLs. We have a very high and correct hit rate as a result. Our users can then add whitelists for the handful of their contacts that get tagged as spam since they are using spam-friendly ISPs.

---Mike
Re: Barracuda Networks Spam Firewall
Hi!

Not to thread jack or anything, but when I first moved our cluster to Spam Assassin, I was disappointed at the amount of messages that would get past Spam Assassin at even a low threshold of 2. I Googled around and found a bunch of rulesets that, once installed, started tagging those hard-to-get messages. http://www.rulesemporium.com/ is a good place to start if anybody else is running Spam Assassin straight out of the box.

And if I may plug SURBL: if you wanna do that, it might help with performance also. For example, if you run BigEvil you might gain a lot of performance by doing that via SURBL. http://www.surbl.org

Bye,
Raymond.
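The two posts above suggest weighting RBL hits against the spam threshold and moving URI-based rules such as BigEvil to SURBL. What follows is an added example, not SpamAssassin's code and not either poster's: it builds the reversed-octet DNSBL query name for the relay IP and the registered-domain SURBL query name for each URL in the body, answers both from a constructed in-memory table so it runs offline, and applies Mike's 50%/25%-of-threshold weights. The zone name `example-rbl.invalid`, the SURBL weight, the threshold of 5.0, the URL, the relay IP and all listing data are assumptions made for the example.

```python
"""
DNSBL / SURBL weighted scoring (added illustration; not SpamAssassin code).
Real lookups go to DNS; FAKE_DNS below is a constructed stand-in so the
example runs offline.
"""
import ipaddress
import re
from urllib.parse import urlsplit

SPAMCOP = "bl.spamcop.net"          # zone named in the thread
SURBL = "multi.surbl.org"           # zone named in the thread
OTHER_RBL = "example-rbl.invalid"   # hypothetical "more aggressive" second list

THRESHOLD = 5.0                     # SpamAssassin-style required score (assumed)
WEIGHTS = {
    SPAMCOP: 0.50 * THRESHOLD,      # "50% of the threshold score if it's on spamcop"
    OTHER_RBL: 0.25 * THRESHOLD,    # "25% for some of the other more aggressive RBLs"
    SURBL: 0.50 * THRESHOLD,        # assumption: a SURBL hit weighs the same as spamcop
}

# Constructed DNS answers: query name -> A record. 127.0.0.x means "listed".
FAKE_DNS = {
    "4.3.2.1.bl.spamcop.net": "127.0.0.2",
    "4.3.2.1.example-rbl.invalid": "127.0.0.2",
    "pharma-deals.example.multi.surbl.org": "127.0.0.8",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def uribl_name(host: str, zone: str) -> str:
    """SURBL is keyed on the registered domain; keep the last two labels.
    Real clients also consult a two-level-TLD list (co.uk etc.), omitted here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) + "." + zone


def body_domains(body: str) -> set[str]:
    """Hostnames of every http(s) URL found in the message body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host:
            hosts.add(host)
    return hosts


def lookup(name: str, dns=FAKE_DNS) -> bool:
    """A name is listed when it resolves into 127.0.0.0/8."""
    answer = dns.get(name)
    return answer is not None and answer.startswith("127.")


def score_message(relay_ip: str, body: str, dns=FAKE_DNS) -> tuple[float, list[str]]:
    """Sum the weighted DNSBL and SURBL hits; returns (score, hit descriptions)."""
    score, hits = 0.0, []
    for zone in (SPAMCOP, OTHER_RBL):
        if lookup(dnsbl_name(relay_ip, zone), dns):
            score += WEIGHTS[zone]
            hits.append(f"{zone}:{relay_ip}")
    queried = set()                              # one query per registered domain
    for host in body_domains(body):
        name = uribl_name(host, SURBL)
        if name in queried:
            continue
        queried.add(name)
        if lookup(name, dns):
            score += WEIGHTS[SURBL]
            hits.append(f"{SURBL}:{name}")
    return score, hits


def is_spam(relay_ip: str, body: str, dns=FAKE_DNS) -> bool:
    return score_message(relay_ip, body, dns)[0] >= THRESHOLD


if __name__ == "__main__":
    # Constructed sample message: listed relay plus a listed domain in the body.
    sample = "Cheap meds at http://www.pharma-deals.example/buy?x=1 now"
    print(score_message("1.2.3.4", sample), is_spam("1.2.3.4", sample))
    print(score_message("1.2.3.4", "no links here"), is_spam("1.2.3.4", "no links here"))
```

A spamcop hit alone contributes half the threshold and never tags by itself; the relay also has to appear on the second list, or the body has to carry a SURBL-listed domain, before the message crosses 5.0. That is the point of weighting RBLs as evidence rather than treating one listing as a verdict, and it is why the per-contact whitelists Mike mentions stay small. For production use replace `FAKE_DNS` with a real resolver, cache answers, and give `uribl_name` a two-level-TLD table so that a host under example.co.uk is not collapsed to co.uk.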
Re: Barracuda Networks Spam Firewall
Did you not receive some basic support from them during your evaluation? A perceived 90% drop in performance is pretty significant and I'd imagine that they'd be interested in helping to determine the cause.

Sadly, they have not responded to my email on the topic, sent four days ago. However, someone unrelated to the company emailed me off-list saying that basically this is a known flaw in the product with back-end systems like qmail that asynchronously bounce mail for invalid recipients. See below quote:

We had this problem when our inbound-smtp server (the server the barracuda is dumping mail to) was accepting all RCPT TOs. As a result dictionary attacks were getting through and creating 'unique recipients' on the Barracuda. As soon as I fixed my mail server to reject with a 220 error on bogus RCPT TOs the problem cleared up.

This is a pretty serious flaw IMHO, if it is (in fact) true. qmail isn't the only mailer that behaves this way. It looks like they may have tried to kludge their way around this with LDAP in the case of MS Exchange, which also does asynchronous bouncing of undeliverable mail IIRC.

-- Jared
Re: Barracuda Networks Spam Firewall
On Mon, 17 May 2004, Jared B. Reimer wrote:

We had this problem when our inbound-smtp server (the server the barracuda is dumping mail to) was accepting all RCPT TOs. As a result dictionary attacks were getting through and creating 'unique recipients' on the Barracuda. As soon as I fixed my mail server to reject with a 220 error on bogus RCPT TOs the problem cleared up.

This is a pretty serious flaw IMHO, if it is (in fact) true. qmail isn't the only mailer that behaves this way. It looks like they may have tried to kludge their way around this with LDAP in the case of MS Exchange, which also does asynchronous bouncing of undeliverable mail IIRC.

The fault here is with qmail. The barracuda was doing exactly what it was designed to do. qmail can be patched to be smarter (google for qmail spamcontrol or magic smtpd). Accept all, then try to bounce, is a recipe for disaster with today's dictionary attackers and virii that will send to randomly created destinations from randomly created forged froms.

--
Jon Lewis [EMAIL PROTECTED] | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
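Jon's point above, rejecting unknown recipients at RCPT TO instead of accepting everything and bouncing later, as an added example in Python; it is not qmail, Barracuda or either poster's code. Both policies are modelled side by side and a constructed dictionary attack is run through each, so the difference in accepted messages, bounces generated to forged senders, and "unique recipients" seen by a front-end filter is visible. The domain, the user directory and the guess list are constructed for the example. One caveat on the quoted message: the permanent-failure reply for an unknown mailbox is 550 5.1.1; 220 is the server greeting, not an error.

```python
"""
RCPT TO policy comparison (added example; not qmail or Barracuda code).
'accept_all' models an MTA that accepts every local recipient and bounces
unknown ones afterwards; 'reject_unknown' refuses them during the SMTP
transaction, before any message body is accepted.
"""
from dataclasses import dataclass, field

LOCAL_DOMAIN = "example.net"                    # constructed
VALID_USERS = {"joe", "matt", "postmaster", "sales"}   # constructed directory;
                                                       # a real MTA asks LDAP, vpopmail, etc.


@dataclass
class Outcome:
    accepted: int = 0
    rejected: int = 0
    bounces_generated: int = 0                  # DSNs sent to (usually forged) senders
    unique_recipients: set = field(default_factory=set)  # what a per-recipient filter sees


def rcpt_to_response(address: str, policy: str) -> str:
    """Reply to 'RCPT TO:<address>'. 2xx accepts; 5xx is a permanent rejection
    (550 5.1.1 for an unknown mailbox, not 220, which is the greeting)."""
    local, sep, domain = address.rpartition("@")
    if sep != "@" or domain.lower() != LOCAL_DOMAIN:
        return "550 5.7.1 Relaying denied"
    if policy == "accept_all":
        return "250 2.1.5 OK"                   # take it now, sort it out later
    if policy == "reject_unknown":
        if local.lower() in VALID_USERS:
            return "250 2.1.5 OK"
        return "550 5.1.1 User unknown"
    raise ValueError(f"unknown policy {policy!r}")


def deliver_or_bounce(address: str, outcome: Outcome) -> None:
    """Post-acceptance fate of a message: local delivery, or a bounce that
    goes to whatever envelope sender the attacker forged (backscatter)."""
    local = address.rpartition("@")[0].lower()
    if local not in VALID_USERS:
        outcome.bounces_generated += 1


def run_dictionary_attack(guesses, policy: str) -> Outcome:
    """Feed each guessed address through RCPT TO under the given policy."""
    out = Outcome()
    for guess in guesses:
        reply = rcpt_to_response(guess, policy)
        if reply.startswith("2"):
            out.accepted += 1
            out.unique_recipients.add(guess.lower())
            deliver_or_bounce(guess, out)
        else:
            out.rejected += 1
    return out


def constructed_guesses(n: int) -> list:
    """Dictionary-style guesses: three real users plus n generated names."""
    names = ["joe", "matt", "sales"] + [f"user{i}" for i in range(n)]
    return [f"{name}@{LOCAL_DOMAIN}" for name in names]


if __name__ == "__main__":
    for policy in ("accept_all", "reject_unknown"):
        o = run_dictionary_attack(constructed_guesses(1000), policy)
        print(f"{policy:15} accepted={o.accepted:5} rejected={o.rejected:5} "
              f"bounces={o.bounces_generated:5} unique_rcpts={len(o.unique_recipients):5}")
```

Under `accept_all` every one of the 1003 guesses is accepted, becomes a "unique recipient" on the front-end filter, and 1000 of them turn into bounces aimed at forged senders; under `reject_unknown` only the three real mailboxes get through and nothing is bounced. Rejecting at RCPT time does let an attacker distinguish valid from invalid addresses, but the accept-then-bounce model leaks exactly the same information through the DSNs while also spending queue capacity on it, which is the latency the thread is about. Rate-limiting RCPT TO failures per client is the usual complement to this check.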