Re: How the hell barracuda behaves?
On Wed 25 Aug 2010 17:52:18 CEST, Matus UHLAR - fantomas wrote

>> So I must not be the only one tired of this.

> there are more of us, I just didn't want to complain in the public, yet.

and now we did :(

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: How the hell barracuda behaves?
>> no Perkel, everything posted is not necessarily acceptable, helpful and/or
>> relevant.
>>
>> especially when spamming the list for your tarbaby stuff, free or not.

On 25.08.10 09:08, wrote:
> So I must not be the only one tired of this.

there are more of us, I just didn't want to complain in the public, yet.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I want NOT TO RECEIVE any advertising mail at this address.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
Re: How the hell barracuda behaves?
> no Perkel, everything posted is not necessarily acceptable, helpful and/or relevant.
>
> especially when spamming the list for your tarbaby stuff, free or not.

So I must not be the only one tired of this.

Q
RE: How the hell barracuda behaves?
> Agreed. Seems to me that any discussion related to blocking
> spam is relevant.

no Perkel, everything posted is not necessarily acceptable, helpful and/or relevant.

especially when spamming the list for your tarbaby stuff, free or not.

it appears to me that you used to be a lot more involved with brainstorming, and other ideas, programming, and asking for help programming your ideas. many ideas are/were excellent and some have borne fruit. some have not.

if you would invest even more of your monies & time and pursue some of what has been suggested on and by the knowledgeable list participants, you will eventually bring forth a lot more fruit.

- rh
Re: How the hell barracuda behaves?
On 8/23/2010 2:31 AM, Raul Dias wrote:
> On 08/18/2010 10:14 PM, Marc Perkel wrote:
>> [...] They were discussing ways to reduce spam and I mentioned it. [...]
>
> I believe, that 95% of the discussion in this list is about reducing spam in a way or another.
>
> -rsd

Agreed. Seems to me that any discussion related to blocking spam is relevant.

--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
Re: How the hell barracuda behaves?
On 08/18/2010 10:14 PM, Marc Perkel wrote:
> [...] They were discussing ways to reduce spam and I mentioned it. [...]

I believe, that 95% of the discussion in this list is about reducing spam in a way or another.

-rsd
Re: How the hell barracuda behaves?
On Thu 19 Aug 2010 03:14:50 CEST, Marc Perkel wrote

> Now you're going to criticize me for explaining what you just asked for?

moderator did not criticize but say imho just this is not your market place

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: How the hell barracuda behaves?
On 8/18/2010 9:24 PM, Ted Mittelstaedt wrote:
> On 8/18/2010 6:14 PM, Marc Perkel wrote:
>> On 8/18/2010 4:46 PM, Karsten Bräckelmann wrote:
>>> On Wed, 2010-08-18 at 12:38 -0700, Marc Perkel wrote:
>>>> Registering with a white list doesn't reduce spam. It reduces false positives when you send email.
>>>>
>>>> If you want to reduce spam however you could add this MX record as your highest numbered MX.
>>>>
>>>> tarbaby.
>>>
>>> [...]
>>>
>>> Ahem. Marc, your infrequent (and off-topic at that) post about adding your tarpit MX for third-party domains is one thing. So far, it was a new thread always, and well, the very same arguing against it started immediately.
>>>
>>> This response, however, is a totally different thing. In my not so humble opinion, this is advertising -- almost cold-calling -- without the *necessary* discussion of what this does, what it actually means and the downsides implied.
>>>
>>> Please do not do it this way.
>>>
>>> guenther -- with his SA PMC and moderator hat on
>>
>> I've described it a number of times on the list. I don't see why I need to continue to do that.
>
> Great news!
>
>> They were discussing ways to reduce spam and I mentioned it. It's free - it works - and there is no down side.
>
> There is a downside as has been explained before by me and many others.
>
> The actual fact of the matter is that the reason you're sticking your plug for this MX trick of yours into the replies is because you want to contaminate the mailing list archives. You are hoping that one of us folks who know better will not be reading one of these threads and so your plug will slide by unnoticed. Then a few years later when some newbie is looking for something in the mailing list archives they will come across your plug and think it's a good idea, because there will be no counter-post from one of the people on the list who knows better.
>
> The amazing part of this is you think all of us are dumb enough to fall for this trick.
>
> As Karsten said you're attempting to hijack a thread for a plug. The fact that it's a "free" system doesn't mean that it's a good system.
>
> The amazing thing to me is that you have had it explained why it's bad, repeatedly, and you continue to ignore the explanations. Are your eyes deaf?
>
> Ted

Oh - I'm sorry. How do I make this right? Well since offering people resources for free is offensive then I suppose the only way to fix it is to rescind the offer. So Ted - I prohibit you from using my "free" services. Does that make it up to you? I wouldn't want any of you to fall for my "trick". You are truly a genius for catching me.

--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
Re: How the hell barracuda behaves?
On 8/18/2010 6:14 PM, Marc Perkel wrote:
> On 8/18/2010 4:46 PM, Karsten Bräckelmann wrote:
>> On Wed, 2010-08-18 at 12:38 -0700, Marc Perkel wrote:
>>> Registering with a white list doesn't reduce spam. It reduces false positives when you send email.
>>>
>>> If you want to reduce spam however you could add this MX record as your highest numbered MX.
>>>
>>> tarbaby.
>>
>> [...]
>>
>> Ahem. Marc, your infrequent (and off-topic at that) post about adding your tarpit MX for third-party domains is one thing. So far, it was a new thread always, and well, the very same arguing against it started immediately.
>>
>> This response, however, is a totally different thing. In my not so humble opinion, this is advertising -- almost cold-calling -- without the *necessary* discussion of what this does, what it actually means and the downsides implied.
>>
>> Please do not do it this way.
>>
>> guenther -- with his SA PMC and moderator hat on
>
> I've described it a number of times on the list. I don't see why I need to continue to do that.

Great news!

> They were discussing ways to reduce spam and I mentioned it. It's free - it works - and there is no down side.

There is a downside as has been explained before by me and many others.

The actual fact of the matter is that the reason you're sticking your plug for this MX trick of yours into the replies is because you want to contaminate the mailing list archives. You are hoping that one of us folks who know better will not be reading one of these threads and so your plug will slide by unnoticed. Then a few years later when some newbie is looking for something in the mailing list archives they will come across your plug and think it's a good idea, because there will be no counter-post from one of the people on the list who knows better.

The amazing part of this is you think all of us are dumb enough to fall for this trick.

As Karsten said you're attempting to hijack a thread for a plug. The fact that it's a "free" system doesn't mean that it's a good system.

The amazing thing to me is that you have had it explained why it's bad, repeatedly, and you continue to ignore the explanations. Are your eyes deaf?

Ted

> Here's the info on it.
> http://wiki.junkemailfilter.com/index.php/Project_tarbaby
>
> And it helps build black lists of spam bots that people can use for free.
>
> Now you're going to criticize me for explaining what you just asked for?
Re: How the hell barracuda behaves?
On 8/18/2010 4:46 PM, Karsten Bräckelmann wrote:
> On Wed, 2010-08-18 at 12:38 -0700, Marc Perkel wrote:
>> Registering with a white list doesn't reduce spam. It reduces false positives when you send email.
>>
>> If you want to reduce spam however you could add this MX record as your highest numbered MX.
>>
>> tarbaby.
>
> [...]
>
> Ahem. Marc, your infrequent (and off-topic at that) post about adding your tarpit MX for third-party domains is one thing. So far, it was a new thread always, and well, the very same arguing against it started immediately.
>
> This response, however, is a totally different thing. In my not so humble opinion, this is advertising -- almost cold-calling -- without the *necessary* discussion of what this does, what it actually means and the downsides implied.
>
> Please do not do it this way.
>
> guenther -- with his SA PMC and moderator hat on

I've described it a number of times on the list. I don't see why I need to continue to do that. They were discussing ways to reduce spam and I mentioned it. It's free - it works - and there is no down side.

Here's the info on it.
http://wiki.junkemailfilter.com/index.php/Project_tarbaby

And it helps build black lists of spam bots that people can use for free.

Now you're going to criticize me for explaining what you just asked for?

--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
Re: How the hell barracuda behaves?
> On the other hand, back to topic, Barracuda rejecting for mail originating
> on a dialup line is just crazy. We've seen it too.

And it has been mentioned here, and in other places on the net, before.

Yes, indeed, there appears to be an issue with Barracuda appliances' configuration in "certain firmware revisions", not properly explaining what "some certain, recommended conf option" does.

Aka, some (mis-configured?) Barracudas indeed have been reported to do deep-header parsing against blacklists possibly including PBL style IPs.

SA does not do that. (Ow, how did I manage to get on-topic? ;)

This entire thread is OT. Not that an occasional OT thread would be bad in and by itself. And I do understand the desire of the OP to vent about improper blacklist usage.

However, I do NOT want this thread to become $vendor bashing or any kind of flame war. Even less so, if asking google would return references to all arguments brought up yet again here.

If anyone feels a strong urge to bring up and discuss a spam related, though not SA related, topic -- oh well, so may it be. But please, do it sensibly. No flame war. Or I'll have to close the thread.

guenther -- still wearing his SA PMC and list moderator hats

--
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: How the hell barracuda behaves?
On Wed, 2010-08-18 at 12:38 -0700, Marc Perkel wrote:
> Registering with a white list doesn't reduce spam. It reduces false
> positives when you send email.
>
> If you want to reduce spam however you could add this MX record as your
> highest numbered MX.
>
> tarbaby.

[...]

Ahem. Marc, your infrequent (and off-topic at that) post about adding your tarpit MX for third-party domains is one thing. So far, it was a new thread always, and well, the very same arguing against it started immediately.

This response, however, is a totally different thing. In my not so humble opinion, this is advertising -- almost cold-calling -- without the *necessary* discussion of what this does, what it actually means and the downsides implied.

Please do not do it this way.

guenther -- with his SA PMC and moderator hat on

--
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: How the hell barracuda behaves?
On 18/08/2010 10:38 PM, Marc Perkel wrote:
> On 8/18/2010 12:29 PM, Sergios T.S. ( aka linuxman) wrote:
>> On 18/08/2010 10:03 PM, Matt wrote:
>>>> By the way I'm not a big fan of registering my servers to any private entity in order to improve "deliverability".
>>>
>>> Register our servers here:
>>>
>>> www.dnswl.org
>>>
>>> Do not really use it for scoring but do not grey list any servers listed.
>>>
>>> Matt
>>
>> Hi, if I register our Server's there, is work to reduced spam? Is effective method to register there.
>>
>> Thanks.
>
> Registering with a white list doesn't reduce spam. It reduces false positives when you send email.
>
> If you want to reduce spam however you could add this MX record as your highest numbered MX.
>
> tarbaby.junkemailfilter.com - priority 1000
>
> It will probably get rid of about 1/3 of your spambot spam and it helps me build my spambot black list. There are no false positives because all email is rejected with a 4xx error. It's all free too.

Thank you, I think about to add it. Our DNS Server is in USA but all mail servers is in Greece and is little hard to add MX Record, but I check it with our DNS provider and use it if is possible.

--
Don't send me documents in .doc, .docx, .xls, .ppt. Send it with ODF format: .odt, .odp, .ods or .pdf.
Try to use Open Document Format: http://www.openoffice.org/
Save you money & use GNU/Linux Distro http://distrowatch.com/
Re: How the hell barracuda behaves?
On 8/18/2010 12:29 PM, Sergios T.S. ( aka linuxman) wrote:
> On 18/08/2010 10:03 PM, Matt wrote:
>>> By the way I'm not a big fan of registering my servers to any private entity in order to improve "deliverability".
>>
>> Register our servers here:
>>
>> www.dnswl.org
>>
>> Do not really use it for scoring but do not grey list any servers listed.
>>
>> Matt
>
> Hi, if I register our Server's there, is work to reduced spam? Is effective method to register there.
>
> Thanks.

Registering with a white list doesn't reduce spam. It reduces false positives when you send email.

If you want to reduce spam however you could add this MX record as your highest numbered MX.

tarbaby.junkemailfilter.com - priority 1000

It will probably get rid of about 1/3 of your spambot spam and it helps me build my spambot black list. There are no false positives because all email is rejected with a 4xx error. It's all free too.

--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
Re: How the hell barracuda behaves?
On 18/08/2010 10:03 PM, Matt wrote:
>> By the way I'm not a big fan of registering my servers to any private entity in order to improve "deliverability".
>
> Register our servers here:
>
> www.dnswl.org
>
> Do not really use it for scoring but do not grey list any servers listed.
>
> Matt

Hi, if I register our Server's there, is work to reduced spam? Is effective method to register there.

Thanks.
Re: How the hell barracuda behaves?
> By the way I'm not a big fan of registering my servers to any private
> entity in order to improve "deliverability".

Register our servers here:

www.dnswl.org

Do not really use it for scoring but do not grey list any servers listed.

Matt
Re: How the hell barracuda behaves?
On Wednesday 18 August 2010 at 11:27 -0700, Marc Perkel wrote:
>
> On 8/18/2010 7:53 AM, Kris Deugau wrote:
> > Alexandre Chapellon wrote:
> >> When other well known DNSBL (I have always heard spamhaus sbl and xbl
> >> are trust worthy) list less at most 50 entries , barracuda lists
> >> almost 8000
> >
> > That's not a problem all by itself, but when combined with this:
> >
> >> Finally there is a special feature that barracuda folks call "deep
> >> scanning" which makes the appliance scans the 'Received' headers and
> >> reject the mails if an IP found in that headers, is listed in the
> >> DNSBL... a feature that should obviously be called: 'even increase my
> >> false positive rate'
> >
> > ... it makes life difficult. (In fact, if you provide Internet access
> > for residential customers, a big chunk of your IP address space
> > *should* be listed on Spamhaus' PBL - these IPs should be using your
> > SMTP relay, or submitting mail via SMTP AUTH to another relay, not
> > contacting recipient MXes directly.)
> >
> > I've had far too many incidents in the last ~6 months of having tech
> > support ask me to dig into why a certain customer of ours is suddenly
> > getting postmaster rejections on their mail to certain recipients -
> > usually "important business contacts".
> >
> > All of them have proven to be recipients behind a Barracuda filter
> > appliance that's deep-scanning headers and rejecting the message based
> > on our customer's connection IP on our network - an IP behind our
> > standard block for SMTP to anywhere but our own SMTP relay... and the
> > rejected message was properly relayed through that system. Or worse,
> > an IP on some other provider's network, where our mail customer is
> > using SMTP AUTH on port 587 to relay through our server.
> >
> > I usually tell tech support to tell the customer that they'll have to
> > contact the recipient by eg phone to let them know they're missing
> > legitimate mail.
> >
> > -kgd
> >
>
> I also scan IPs in received headers. I don't reject on that by itself
> but it is a factor when combined with other conditions.
>

I have no problem with this, this is a normal behaviour (but personally I would avoid using barracudaBL for this).
Re: How the hell barracuda behaves?
On 8/18/2010 7:53 AM, Kris Deugau wrote:
> Alexandre Chapellon wrote:
>> When other well known DNSBL (I have always heard spamhaus sbl and xbl are trust worthy) list less at most 50 entries , barracuda lists almost 8000
>
> That's not a problem all by itself, but when combined with this:
>
>> Finally there is a special feature that barracuda folks call "deep scanning" which makes the appliance scans the 'Received' headers and reject the mails if an IP found in that headers, is listed in the DNSBL... a feature that should obviously be called: 'even increase my false positive rate'
>
> ... it makes life difficult. (In fact, if you provide Internet access for residential customers, a big chunk of your IP address space *should* be listed on Spamhaus' PBL - these IPs should be using your SMTP relay, or submitting mail via SMTP AUTH to another relay, not contacting recipient MXes directly.)
>
> I've had far too many incidents in the last ~6 months of having tech support ask me to dig into why a certain customer of ours is suddenly getting postmaster rejections on their mail to certain recipients - usually "important business contacts".
>
> All of them have proven to be recipients behind a Barracuda filter appliance that's deep-scanning headers and rejecting the message based on our customer's connection IP on our network - an IP behind our standard block for SMTP to anywhere but our own SMTP relay... and the rejected message was properly relayed through that system. Or worse, an IP on some other provider's network, where our mail customer is using SMTP AUTH on port 587 to relay through our server.
>
> I usually tell tech support to tell the customer that they'll have to contact the recipient by eg phone to let them know they're missing legitimate mail.
>
> -kgd

I also scan IPs in received headers. I don't reject on that by itself but it is a factor when combined with other conditions.

--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
Re: How the hell barracuda behaves?
On 8/18/2010 4:10 AM, corpus.defero wrote:
> On Wed, 2010-08-18 at 06:36 -0400, Michael Scheidell wrote:
>> On 8/17/10 7:30 PM, Alexandre Chapellon wrote:
>>> Hi the list,
>>>
>>> I am posting the results of my tests in order to have feedback/feelings/remarks.
>>> This is not directly spamassassin related, but can be helpful for people (I saw here) wondering if they would use the barracuda DNSBL.
>>>
>>> When other well known DNSBL (I have always heard spamhaus sbl and xbl are trust worthy) list less at most 50 entries , barracuda lists almost 8000
>
> They list spammers based on trend and feedback from their appliance users. Personally I find it very accurate and it hits out rubbish that other lists seem to inexplicably (£$£$£$) miss.
>
>> Third reason is 'emailreg.org'.
>
> Totally agree - the owners of Barracuda appliances are unable to disable the 'emailreg.org' whitelist without calling support which, in my view, makes it a bypass or 'pay to spam barracuda owners' . That said, compared to their internal whitelist (which has some really interesting clients on it) emailreg.org is small fry.
>
> Barracuda - not white hat, not black hat, but kinda pinky grey hat.

I'm using both their black lists and white lists and it seems to work fine for me. Putting the issue of political correctness aside.

--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
Re: How the hell barracuda behaves?
On Wednesday 18 August 2010 at 12:10 +0100, corpus.defero wrote:
> On Wed, 2010-08-18 at 06:36 -0400, Michael Scheidell wrote:
> > On 8/17/10 7:30 PM, Alexandre Chapellon wrote:
> > > Hi the list,
> > >
> > > I am posting the results of my tests in order to have
> > > feedback/feelings/remarks.
> > > This is not directly spamassassin related, but can be helpful for
> > > people (I saw here) wondering if they would use the barracuda
> > > DNSBL.
> > >
> > > When other well known DNSBL (I have always heard spamhaus sbl and
> > > xbl are trust worthy) list less at most 50 entries , barracuda lists
> > > almost 8000
> They list spammers based on trend and feedback from their appliance
> users. Personally I find it very accurate and it hits out rubbish that
> other lists seem to inexplicably (£$£$£$) miss.
>

I do not doubt they catch things that others would let go through :)! I doubt it's for good reason. Have you ever tried to measure your false positive rate? If you use it for scoring mail it may not have big impact...

FYI: I have seen listed in barracuda IPs of switches and routers. I've double checked, and smtp relay is not open on those devices and they only sends messages internally... and to the support... BUT! the support has a barracuda gateway, which seems to recognize its own report sent by their devices as spam... and automatically feeding their RBL... This means that every misconfigured device is susceptible to insert false positive entries in the dnsBL.

> > Third reason is 'emailreg.org'.
> Totally agree - the owners of Barracuda appliances are unable to disable
> the 'emailreg.org' whitelist without calling support which, in my view,
> makes it a bypass or 'pay to spam barracuda owners' . That said,
> compared to their internal whitelist (which has some really interesting
> clients on it) emailreg.org is small fry.
>
> Barracuda - not white hat, not black hat, but kinda pinky grey hat.
>
Re: How the hell barracuda behaves?
On Wednesday 18 August 2010 at 13:39 -0400, Joseph Brennan wrote:
> The error message from Barracuda is broken too. Sample:
>
>
> ... while talking to barracuda.xprize.org.:
> DATA
> <<< 554 Service unavailable; Client host [tarap.cc.columbia.edu] blocked
> using Barracuda Reputation;
> http://www.barracudanetworks.com/reputation/?r=1&ip=69.86.203.182
> 554 5.0.0 Service unavailable
>
>
> That says our outbound mail server tarap is blocked, right?
>
> But wait, the URL says 69.86.203.182 is blocked. That's not us. That's
> user-12lditm.cable.mindspring.com. One of our users was there, did SMTP
> auth to our server tarap, and we allowed the message.
>

You got it Joseph... the sending server has an ip not listed in the bl, but relayed from an ip which is listed. As a result barracuda rejected the mail because of blacklist: this is deep scanning. An obviously non-standard and stupid behaviour because primarily bots sending spam, send direct to MX, or via a spam cannon (which has to be listed). If a barracuda blacklisted IP relays through a non listed server (even more if it uses auth/TLS) there are many chances the mail is legitimate and so no reason to reject it!

> 69.86.203.182 is still listed. Go to the URL. It does not tell you why
> but suggests many possible reasons. I'd go for the last one :-)
>

I suspect many barracuda admin not to understand how to use this feature!

>
> Joseph Brennan
> Columbia University Information Technology
>
>
Re: How the hell barracuda behaves?
On Wednesday 18 August 2010 at 06:36 -0400, Michael Scheidell wrote:
> On 8/17/10 7:30 PM, Alexandre Chapellon wrote:
> > Hi the list,
> >
> > I am posting the results of my tests in order to have
> > feedback/feelings/remarks.
> > This is not directly spamassassin related, but can be helpful for
> > people (I saw here) wondering if they would use the barracuda
> > DNSBL.
> >
> > When other well known DNSBL (I have always heard spamhaus sbl and
> > xbl are trust worthy) list less at most 50 entries , barracuda lists
> > almost 8000
> >
>
> > If I were asked to use barracuda bl I would just answer: "NO WAY!"
> Which is one reason that the barracuda list is optional. latest
> suggestion was to use a (low score) and last_untrusted.
> Third reason is 'emailreg.org'. Do your own googling and make your own
> conclusion.
> (second reason left out or public forum)
>

Indeed using Barracuda RBL to score (low) is already a much better idea than using it to reject mails (what deep scanning does)!

From emailreg.org frontpage: "Emailreg.org will not get you delisted from Barracuda Block List (BRBL)"

If I'm not mistaken emailreg.org register mail servers and domains...? In my case the problem is at the same time having IP listed (dynamics ip) AND dulb admin enabling deep scanning when they should not.

By the way I'm not a big fan of registering my servers to any private entity in order to improve "deliverability".

What about the second reason?

>
> __
>
> This email has been scanned and certified safe by SpammerTrap®.
> For Information please see http://www.secnap.com/products/spammertrap/
>
>
> __
>
Re: How the hell barracuda behaves?
The error message from Barracuda is broken too. Sample:

    ... while talking to barracuda.xprize.org.:
    DATA
    <<< 554 Service unavailable; Client host [tarap.cc.columbia.edu] blocked
    using Barracuda Reputation;
    http://www.barracudanetworks.com/reputation/?r=1&ip=69.86.203.182
    554 5.0.0 Service unavailable

That says our outbound mail server tarap is blocked, right?

But wait, the URL says 69.86.203.182 is blocked. That's not us. That's user-12lditm.cable.mindspring.com. One of our users was there, did SMTP auth to our server tarap, and we allowed the message.

69.86.203.182 is still listed. Go to the URL. It does not tell you why but suggests many possible reasons. I'd go for the last one :-)

Joseph Brennan
Columbia University Information Technology
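An added example, not part of any post in this thread: the difference between checking only the connecting host and "deep scanning" every Received hop, run on the authenticated-relay case reported above and on a direct-to-MX bot. The hostnames, the RFC 5737 documentation addresses, the in-memory set standing in for DNSBL lookups and the score weights are all assumptions made for the illustration.

```python
import email
import re

# Constructed data: RFC 5737 documentation addresses stand in for real hosts.
RESIDENTIAL_IP = "203.0.113.57"   # dynamic/residential address, policy-listed
RELAY_IP = "198.51.100.10"        # provider's outbound relay, not listed
LISTED = {RESIDENTIAL_IP}         # stand-in for the contents of a DNSBL zone

# Message as the recipient's filter gets it from the relay: the only Received
# header so far records the user's authenticated submission to the relay.
RELAYED_MESSAGE = """\
Received: from laptop.home.example ([203.0.113.57])
\t(authenticated user=alice) by relay.isp.example with ESMTPSA;
\tWed, 18 Aug 2010 13:30:00 -0400
From: alice@isp.example
To: bob@recipient.example
Subject: quarterly figures

Hello Bob
"""

# A bot on the same kind of address connecting straight to the recipient MX.
DIRECT_MESSAGE = """\
From: x@spam.example
To: bob@recipient.example
Subject: buy now

...
"""

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def dnsbl_qname(ip, zone="dnsbl.example"):
    """DNS name a DNSBL client looks up: reversed octets prepended to the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(ip):
    """Offline stand-in for resolving dnsbl_qname(ip); an answer means 'listed'."""
    return ip in LISTED


def received_ips(raw_message):
    """IPv4 addresses recorded in Received headers, newest hop first."""
    msg = email.message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        ips.extend(BRACKETED_IPV4.findall(header))
    return ips


def connecting_ip_policy(client_ip, raw_message):
    """Check only the host that opened the SMTP connection to us."""
    return "reject" if is_listed(client_ip) else "accept"


def deep_scan_policy(client_ip, raw_message):
    """Reject if the connecting host or any Received-header IP is listed."""
    hops = [client_ip] + received_ips(raw_message)
    return "reject" if any(is_listed(ip) for ip in hops) else "accept"


def scoring_policy(client_ip, raw_message, threshold=5.0):
    """Listed connecting host is decisive; a listed earlier hop adds a low score.

    The weights 5.0 and 0.5 are illustrative assumptions.
    """
    score = 5.0 if is_listed(client_ip) else 0.0
    score += sum(0.5 for ip in received_ips(raw_message) if is_listed(ip))
    return "reject" if score >= threshold else "accept"


def compare():
    """Verdict of each policy for both constructed deliveries."""
    cases = {
        "authenticated relay": (RELAY_IP, RELAYED_MESSAGE),
        "direct to MX": (RESIDENTIAL_IP, DIRECT_MESSAGE),
    }
    policies = (connecting_ip_policy, deep_scan_policy, scoring_policy)
    return {
        name: {p.__name__: p(ip, raw) for p in policies}
        for name, (ip, raw) in cases.items()
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

Only the deep-scan policy rejects the authenticated-relay delivery; all three reject the direct connection from the listed address.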
Re: How the hell barracuda behaves?
On Wednesday 18 August 2010 at 10:53 -0400, Kris Deugau wrote:
> Alexandre Chapellon wrote:
> > When other well known DNSBL (I have always heard spamhaus sbl and xbl
> > are trust worthy) list less at most 50 entries , barracuda lists almost
> > 8000
>
> That's not a problem all by itself, but when combined with this:

No indeed... It's just not very clean, and makes me think the list is not very reliable.

>
> > Finally there is a special feature that barracuda folks call "deep
> > scanning" which makes the appliance scans the 'Received' headers and
> > reject the mails if an IP found in that headers, is listed in the
> > DNSBL... a feature that should obviously be called: 'even increase my
> > false positive rate'
>
> ... it makes life difficult. (In fact, if you provide Internet access
> for residential customers, a big chunk of your IP address space *should*
> be listed on Spamhaus' PBL - these IPs should be using your SMTP relay,
> or submitting mail via SMTP AUTH to another relay, not contacting
> recipient MXes directly.)
>

This is what all my residential customers do as port 25 is blocked at the bound of our network.

> I've had far too many incidents in the last ~6 months of having tech
> support ask me to dig into why a certain customer of ours is suddenly
> getting postmaster rejections on their mail to certain recipients -
> usually "important business contacts".
> All of them have proven to be recipients behind a Barracuda filter
> appliance that's deep-scanning headers and rejecting the message based
> on our customer's connection IP on our network - an IP behind our
> standard block for SMTP to anywhere but our own SMTP relay... and the
> rejected message was properly relayed through that system. Or worse, an
> IP on some other provider's network, where our mail customer is using
> SMTP AUTH on port 587 to relay through our server.
>

This is exactly what happens here: deep scanning put a mess (I conclude it's deep scanning involved as I noticed rejection happened after the end of data command and complained about ip address). Do people (dumbly) using barracuda just don't care of rejecting legitimate email???

> I usually tell tech support to tell the customer that they'll have to
> contact the recipient by eg phone to let them know they're missing
> legitimate mail.
>
> -kgd
Re: How the hell barracuda behaves?
Matt wrote:
> Perhaps for authenticated SMTP not record the IP address in the headers but rather just the authenticated username in the headers. I think Squirrelmail does that. Your MTA logs will have the IP recorded if needed later.

From the browser to Squirrelmail is not SMTP. Gmail is an example of not recording the HTTP hop. That makes it harder to distinguish spam from well-known problem IP sources. In my opinion the origin should be shown.

On the other hand, back to topic, Barracuda rejecting for mail originating on a dialup line is just crazy. We've seen it too.

Joseph Brennan
Columbia University Information Technology
Re: How the hell barracuda behaves?
> > Finally there is a special feature that barracuda folks call "deep scanning"
> > which makes the appliance scans the 'Received' headers and reject the mails
> > if an IP found in that headers, is listed in the DNSBL... a feature that
> > should obviously be called: 'even increase my false positive rate'

On 18.08.10 10:14, Matt wrote:
> Perhaps for authenticated SMTP not record the IP address in the
> headers but rather just the authenticated username in the headers. I
> think Squirrelmail does that. Your MTA logs will have the IP recorded
> if needed later.

it would break the existing usage and cause tracking very hard.

I don't think anyone should break his SMTP server just because other admins have broken SMTP servers...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I want NOT TO RECEIVE any advertising mail at this address.
I just got lost in thought. It was unfamiliar territory.
Re: How the hell barracuda behaves?
> Finally there is a special feature that barracuda folks call "deep scanning"
> which makes the appliance scans the 'Received' headers and reject the mails
> if an IP found in that headers, is listed in the DNSBL... a feature that
> should obviously be called: 'even increase my false positive rate'

Perhaps for authenticated SMTP not record the IP address in the headers but rather just the authenticated username in the headers. I think Squirrelmail does that. Your MTA logs will have the IP recorded if needed later.

Matt
Re: How the hell barracuda behaves?
Alexandre Chapellon wrote:
> When other well known DNSBL (I have always heard spamhaus sbl and xbl are trust worthy) list less at most 50 entries , barracuda lists almost 8000

That's not a problem all by itself, but when combined with this:

> Finally there is a special feature that barracuda folks call "deep scanning" which makes the appliance scans the 'Received' headers and reject the mails if an IP found in that headers, is listed in the DNSBL... a feature that should obviously be called: 'even increase my false positive rate'

... it makes life difficult. (In fact, if you provide Internet access for residential customers, a big chunk of your IP address space *should* be listed on Spamhaus' PBL - these IPs should be using your SMTP relay, or submitting mail via SMTP AUTH to another relay, not contacting recipient MXes directly.)

I've had far too many incidents in the last ~6 months of having tech support ask me to dig into why a certain customer of ours is suddenly getting postmaster rejections on their mail to certain recipients - usually "important business contacts".

All of them have proven to be recipients behind a Barracuda filter appliance that's deep-scanning headers and rejecting the message based on our customer's connection IP on our network - an IP behind our standard block for SMTP to anywhere but our own SMTP relay... and the rejected message was properly relayed through that system. Or worse, an IP on some other provider's network, where our mail customer is using SMTP AUTH on port 587 to relay through our server.

I usually tell tech support to tell the customer that they'll have to contact the recipient by eg phone to let them know they're missing legitimate mail.

-kgd
Re: How the hell barracuda behaves?
On Wed, 2010-08-18 at 06:36 -0400, Michael Scheidell wrote:
> On 8/17/10 7:30 PM, Alexandre Chapellon wrote:
> > Hi the list,
> >
> > I am posting the results of my tests in order to have
> > feedback/feelings/remarks.
> > This is not directly spamassassin related, but can be helpful for
> > people (I saw here) wondering if they would use the barracuda
> > DNSBL.
> >
> > When other well known DNSBLs (I have always heard spamhaus sbl and
> > xbl are trustworthy) list at most 50 entries, barracuda lists
> > almost 8000

They list spammers based on trend and feedback from their appliance users. Personally I find it very accurate and it hits out rubbish that other lists seem to inexplicably (£$£$£$) miss.

> Third reason is 'emailreg.org'.

Totally agree - the owners of Barracuda appliances are unable to disable the 'emailreg.org' whitelist without calling support which, in my view, makes it a bypass or 'pay to spam barracuda owners'. That said, compared to their internal whitelist (which has some really interesting clients on it) emailreg.org is small fry.

Barracuda - not white hat, not black hat, but kinda pinky grey hat.
Re: How the hell barracuda behaves?
On 8/17/10 7:30 PM, Alexandre Chapellon wrote:
> Hi the list,
>
> I am posting the results of my tests in order to have
> feedback/feelings/remarks.
> This is not directly spamassassin related, but can be helpful for
> people (I saw here) wondering if they would use the barracuda DNSBL.
>
> When other well known DNSBLs (I have always heard spamhaus sbl and xbl are
> trustworthy) list at most 50 entries, barracuda lists almost 8000
>
> If I were asked to use barracuda bl I would just answer: "NO WAY!"

Which is one reason that the barracuda list is optional. Latest suggestion was to use a (low score) and last_untrusted.

Third reason is 'emailreg.org'. Do your own googling and make your own conclusion.

(second reason left out of public forum)

__
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
__
How the hell barracuda behaves?
Hi the list,

I am posting the results of my tests in order to have feedback/feelings/remarks.
This is not directly spamassassin related, but can be helpful for people (I saw here) wondering if they would use the barracuda DNSBL.

the problem:
- I quite often have complaints from my customers about mails they sent not being delivered because of some barracudacentral blocking.

the facts:
- As an ISP with tens of thousands of users, I have several mail relay platforms offering smtp on port 587 (and 25 locally), authentication (not yet mandatory), SPF records published for my very own domains.

the tests:
- I ran a simple bash loop in order to test my IP addresses (~4 addresses) against several blacklists.

Let me be clear: I admit my whole network (and so customer network) is not perfectly clean, and must include some bots (now or in the past). But results here really look terrible!

Here follow the names of the blacklists, the number of (black)listed entries, and the errors returned (mostly timed-out requests):

blacklist   listed   errors   total
barracuda   7947     98       38760
sorbs       52       0        38760
spamhaus    2        0        38760
xbl         19       0        38760
cbl         19       1        38760

When other well known DNSBLs (I have always heard spamhaus sbl and xbl are trustworthy) list at most 50 entries, barracuda lists almost 8000.

Furthermore the barracuda blacklist seems to return the very same DNS results whatever the reason for the listing is! Which, if true, does not make it easy to take a decision of what to do with a mail when the DNSBL matched.

Finally there is a special feature that barracuda folks call "deep scanning" which makes the appliance scan the 'Received' headers and reject the mails if an IP found in those headers is listed in the DNSBL... a feature that should obviously be called: 'even increase my false positive rate'

If I were asked to use barracuda bl I would just answer: "NO WAY!"