Barracuda Email Security Service Review

I used the Barracuda Email Security Service for the majority of the month of October 2012 to filter spam for our secondary domain name. During that period of time, we received almost 11,600 emails. Roughly 2,000 were allowed through; 8,600 were blocked, and 1,000 were quarantined. Of the 2,000 allowed, I estimate 600 of them were actually spam.

Technical Support

All calls to Barracuda technical support are routed through receptionists who only take your information and create tickets. I first called one morning and didn’t get a call back until 5:30 pm that evening, after I had left for the day. When I called in the next morning to speak with a technician, I was put back in the queue and did not receive a call until the following morning. The total time to begin addressing my issue was close to 48 hours.

Spam Filtering

I regularly reviewed the last block of 50 emails that Barracuda allowed to pass through. Of those 50, typically 15 (30%) were missed spam. (The number of missed spam ranged from 7 to 27 out of the 50.) Many of the subjects of the messages allowed through contained words that were obviously spam (think improving oneself in bed). Even after ratcheting up all of the custom scoring settings, too many messages were still getting through. To their credit, I was not able to find any false positives. All messages marked as spam were definitely spam.

The Barracuda ESS does provide a mechanism to mark messages as spam. However, it provides no useful feedback to indicate that the message is now spam. Therefore, you could easily mark the same message as spam 3 or 4 times if you reviewed the same block of emails more than once.

Setting up custom policies to filter messages was rather limited. My only options were to enter keywords and then specify whether messages matching those criteria should be allowed, blocked, or quarantined. I would have expected some fuzzy logic to handle a phrase like “orders of magnitude,” which could refer to the effect of male enhancement pills or to just how far off the sales projections were.

Virus Filtering

It is unclear what kind of virus scanning the Barracuda ESS is performing as it allowed through at least two zip archives containing suspicious executable applications masquerading as DHL shipment invoices.

LDAP Synchronization

LDAP integration from our Active Directory domain to the Barracuda ESS worked reasonably well. I created a non-privileged user on our domain for Barracuda to use, opened a hole in our firewall, and specified the base DN for synchronization. Unfortunately, there was no way to filter out AD contacts that did not have SAV email addresses. The Barracuda ESS also pulled in all email addresses, including those in our internal domain savtrans.local, which is not actually used for email. A simple filter could easily have prevented loading this bogus information.

If I had chosen not to use LDAP synchronization with the Barracuda Email Security Service, all of my users would have needed to verify their accounts and all corresponding email addresses one by one. I believe an administrator should have the ability to load aliases without having to manually verify each one.

Summary

While the Barracuda Email Security Service is priced below the competition, I believe the competition offers a superior product. Their major outage on October 22, 2012 brought out a lot of complaints about the service in their forum. I do believe they have now stepped up their game, especially in the communication department, but I still can’t recommend them as a service that does a good job of filtering spam.

Delaying Email Delivery Using Procmail and Cron

Because I use Mutt, any mailbox that has new mail tends to get my attention when I check my email. This became particularly annoying because I kept opening my spam mailbox to check a single spam message. Therefore, I decided to come up with a way to delay the delivery of my spam to once per day.

I started by changing my “.procmailrc” to deliver spam messages to a different mailbox that Mutt does not check.

MAIL=$HOME/Mail
[...]
# Spam goes to a mailbox Mutt is not told about; the trailing ':' takes a
# local lock ($MAIL/delay_spam.lock) while appending to the mbox file
:0 H:
* ^X-Spam-Status: Yes
$MAIL/delay_spam
[...]

Then I created a new procmailrc file called “spam.procmailrc” that would deliver mail to my checked spam mailbox.

MAIL=$HOME/Mail

# Unconditional delivery to the mailbox Mutt checks; ':' takes the local lock
:0:
$MAIL/spam

Next, I wrote a short Bash script to use Formail and Procmail to deliver all of the messages in the delayed delivery spam mailbox to the normal spam mailbox.

#!/bin/bash

FORMAIL=/usr/bin/formail
PROCMAIL=/usr/bin/procmail
PROCMAILRC=$HOME/.procmail/spam.procmailrc

MAIL=$HOME/Mail
DELAY=$MAIL/delay_spam
TEMP=$MAIL/.spam
# Use the lock file procmail itself takes for a ":0:" recipe delivering to
# $DELAY, so a message cannot be appended between the copy and the truncate
LOCK=$DELAY.lock

# Make sure there is delayed mail and we can get the lock (retry once)
if test -s "$DELAY" && lockfile -r 1 "$LOCK" 2>/dev/null; then

    # Add the delayed mail to the temp mailbox and empty the delayed mailbox
    cat "$DELAY" >> "$TEMP" && cat /dev/null > "$DELAY"
    # Split the temp mailbox into messages and run each through the spam recipe
    "$FORMAIL" -s "$PROCMAIL" "$PROCMAILRC" < "$TEMP" && rm -f "$TEMP"

    # Delete the lock now that we are done
    rm -f "$LOCK"
fi

Finally, I set the script to run daily using Cron. Now I am only interrupted by spam when I choose to be instead of every time a new message arrives. I have used the same technique to delay the delivery of emails to unimportant mailing lists so I only read them hourly instead of every time a message arrives.

Bayes Filtering in SpamAssassin

The Bayesian classifier in SpamAssassin began tagging emails a few days ago. I found this out because, while messages were not being marked as spam, my procmail rule started diverting all messages to my spam folder. The old rule was not particular about where the “yes” appeared in the header value, and since the BAYES_* test names now listed there contain “yes” (procmail compares case-insensitively), every email looked like spam. The new rule only looks for “Yes” at the beginning of the header value.

# Old Rule: matched "yes" anywhere in the header value, so a BAYES_* test name
# (procmail compares case-insensitively) was enough to trigger it
:0 H:
* ^X-Spam-Status:.*Yes
$MAIL/spam
# New Rule: only a header value that starts with "Yes" matches
:0 H:
* ^X-Spam-Status: Yes
$MAIL/spam
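
To see exactly why the old rule misfired, here is an added example, not from the original post, that runs both patterns over constructed X-Spam-Status headers with grep. procmail evaluates recipe conditions case-insensitively unless the D flag is given, which is what grep -i reproduces here; the helper names rule_matches and verdict and the sample header values are my own, written in the format SpamAssassin uses.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the old-vs-new rule
# mismatch with grep. procmail matches conditions case-insensitively unless
# the D flag is set, so grep -i stands in for it. The two patterns are the
# rules from the post; the header lines are constructed samples in the
# format SpamAssassin writes, not taken from real mail.

OLD_RULE='^X-Spam-Status:.*Yes'
NEW_RULE='^X-Spam-Status: Yes'

# A header from before Bayes was active has no BAYES_* test, which is why the
# old rule looked correct until then
PREBAYES_HAM='X-Spam-Status: No, score=0.1 required=5.0 tests=HTML_MESSAGE autolearn=ham'
HAM_HEADER='X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,HTML_MESSAGE autolearn=ham'
SPAM_HEADER='X-Spam-Status: Yes, score=7.8 required=5.0 tests=BAYES_99,URIBL_BLACK autolearn=spam'

# rule_matches RULE HEADER -> exit 0 if the recipe condition would fire
rule_matches() {
    printf '%s\n' "$2" | grep -q -i -E -e "$1"
}

# verdict RULE HEADER -> "spam" if the rule fires, otherwise "ham"
verdict() {
    if rule_matches "$1" "$2"; then echo spam; else echo ham; fi
}

# Show where the two rules disagree: only the ham header carrying BAYES_00
for header in "$PREBAYES_HAM" "$HAM_HEADER" "$SPAM_HEADER"; do
    printf 'old rule: %-4s  new rule: %-4s  %s\n' \
        "$(verdict "$OLD_RULE" "$header")" \
        "$(verdict "$NEW_RULE" "$header")" \
        "$header"
done
```

The middle line of the output is the bug: the old rule classifies a header whose value starts with “No” as spam purely because “BAYES_00” appears further along, while the new rule does not.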

Now incoming spam messages contain an additional score in the spam report.

X-Spam-Report:
        *  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
        *      [score: 1.0000]

I was surprised that it took the Bayes filter three months to gather enough email to begin scoring incoming email. It is a nice addition because it bumps up the spam scores enough to ensure that more messages that are spam get marked as such.

URIBL SpamAssassin Settings

I have been receiving a lot of emails that contain web links that are getting marked as spam. According to URIBL.COM, these are links that appear in spam, not links where the spam originates. Therefore, about all I can do is whitelist the senders or dial down the scores on the rules for these filters. After adding a handful of senders to the whitelist, I decided to alter the rules.

I found all of the URIBL rules in the /usr/share/spamassassin/50_scores.cf file. I copied them to the /etc/spamassassin/local.cf file where I could change the values to something more reasonable:

score URIBL_AB_SURBL 0 0.800 0 0.900 # n=0 n=2
score URIBL_JP_SURBL 0 1.400 0 0.700 # n=0 n=2
score URIBL_OB_SURBL 0 1.000 0 0.700 # n=0 n=2
score URIBL_PH_SURBL 0 1.000 0 0.800 # n=0 n=2
score URIBL_RHS_DOB 0 0.400 0 0.500 # n=0 n=2
score URIBL_SBL 0 1.200 0 0.700 # n=0 n=2
score URIBL_SC_SURBL 0 1.200 0 0.200 # n=0 n=2
score URIBL_WS_SURBL 0 1.000 0 0.700 # n=0 n=2
score URIBL_BLACK 0 0.900 0 0.900 # n=0 n=2
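
The four numbers on each score line are not arbitrary: SpamAssassin keeps four score sets and picks one depending on whether Bayes and network tests are enabled, which is why the first and third columns (no network tests, Bayes off or on) are 0 for the URIBL rules: they cannot fire without DNS lookups. The script below is an added example, not part of the original post, that looks up the right column for a given configuration and totals a constructed set of rule hits against the default required_score of 5.0. The URIBL values are the ones above; the BAYES_99 and HTML_MESSAGE lines, the hit list and the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): which of the four numbers on a
# "score" line SpamAssassin consults, and what a message totals under a given
# configuration. Per the Mail::SpamAssassin::Conf documentation the columns
# are: (1) Bayes off, network tests off; (2) network tests on only;
# (3) Bayes on only; (4) Bayes on and network tests on. A line with a single
# number applies in every case. The URIBL lines are the post's values; the
# BAYES_99 and HTML_MESSAGE lines and the hit list are constructed samples.

SCORES='score URIBL_BLACK 0 0.900 0 0.900 # n=0 n=2
score URIBL_SBL 0 1.200 0 0.700 # n=0 n=2
score URIBL_WS_SURBL 0 1.000 0 0.700 # n=0 n=2
score BAYES_99 0 0 3.5 3.5
score HTML_MESSAGE 0.001'
REQUIRED_SCORE=5.0   # SpamAssassin's default required_score

# score_set USE_BAYES USE_NET -> the column (1..4) that applies
score_set() {
    echo $(( 1 + 2 * $1 + $2 ))
}

# rule_score RULE SET -> score of RULE in column SET (0 if the rule is unknown)
rule_score() {
    printf '%s\n' "$SCORES" | awk -v rule="$1" -v set="$2" '
        $1 == "score" && $2 == rule {
            # a single-score line has nothing (or only a "# ..." comment) after $3
            if ($4 == "" || $4 == "#") print $3; else print $(2 + set)
            found = 1; exit
        }
        END { if (!found) print 0 }'
}

# total_score "RULE RULE ..." USE_BAYES USE_NET -> sum to three decimals
total_score() {
    ts_set=$(score_set "$2" "$3")
    ts_total=0
    for ts_rule in $1; do
        ts_total=$(awk -v a="$ts_total" -v b="$(rule_score "$ts_rule" "$ts_set")" \
            'BEGIN { printf "%.3f", a + b }')
    done
    echo "$ts_total"
}

# classify "RULE RULE ..." USE_BAYES USE_NET -> "spam" or "ham" against required_score
classify() {
    awk -v t="$(total_score "$1" "$2" "$3")" -v r="$REQUIRED_SCORE" \
        'BEGIN { v = (t + 0 >= r + 0) ? "spam" : "ham"; print v }'
}

# Constructed hit list: three URIBL hits plus a confident Bayes verdict
HITS='URIBL_BLACK URIBL_SBL URIBL_WS_SURBL BAYES_99 HTML_MESSAGE'
for cfg in "0 0" "0 1" "1 0" "1 1"; do
    set -- $cfg
    printf 'use_bayes=%s net=%s column=%s total=%s -> %s\n' \
        "$1" "$2" "$(score_set "$1" "$2")" "$(total_score "$HITS" "$1" "$2")" \
        "$(classify "$HITS" "$1" "$2")"
done
```

With Bayes and network tests both enabled, the lowered URIBL scores contribute 2.3 of the 5.8 total, so these three URIBL hits alone no longer push a message over the threshold; it takes the Bayes score on top of them. Note that the column used also depends on how spamd is invoked (the -L flag disables network tests), not only on local.cf.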

Hopefully decreasing the scores for these rules will decrease false positives that I have been receiving in my inbox.

Configure SpamAssassin with Postfix on Ubuntu

I’ve been running a mail server for the last year and a half. When I initially set up my Postfix mail server on Ubuntu, I knew that eventually I would need to add a spam filter. I recently decided that SpamAssassin was the best choice to filter email on my mail server.

I now receive on average more than one spam message each day. Interestingly, all of my spam is sent to an email address that I have only given out to Marquette University. I guess that means they have either sold my email address or poorly secured it in their database. Neither would surprise me.

I used the content from two different tutorials to get SpamAssassin up and running on my server.

First, I installed SpamAssassin.

apt-get install spamassassin spamc

Next, I created the spamd user and group. You can specify a specific uid and gid if you want.

groupadd spamd
useradd -g spamd -s /bin/false -d /var/log/spamassassin spamd

Then I created the spamd home directory and set the permissions.

mkdir /var/log/spamassassin
chown spamd:spamd /var/log/spamassassin

Then I set up some configuration for SpamAssassin. You can edit the file directly, but I use Sed so that I can automate the installation process in a script. This enables SpamAssassin, Cron, and some other options.

DEFAULT_SPAMASSASSIN=/etc/default/spamassassin
mv $DEFAULT_SPAMASSASSIN $DEFAULT_SPAMASSASSIN.default
sed '
    s/ENABLED=0/ENABLED=1/
    s/CRON=0/CRON=1/
    s/^OPTIONS.*/SAHOME="\/var\/log\/spamassassin"\nOPTIONS="--create-prefs --max-children 5 --username spamd -H ${SAHOME} -s ${SAHOME}\/spamd.log"/
' $DEFAULT_SPAMASSASSIN.default > $DEFAULT_SPAMASSASSIN

Then I set up the rest of the configuration for SpamAssassin. I initially set the required score to 2.0, but this caused a lot of legitimate emails (ham) to be marked as spam. The following configuration will rewrite subjects of spam messages to identify them as spam.

SA_LOCAL_CF=/etc/spamassassin/local.cf
mv $SA_LOCAL_CF $SA_LOCAL_CF.default
echo "
rewrite_header Subject [***** SPAM _SCORE_ *****]
required_score           5.0
# to be able to use _SCORE_ we need report_safe set to 0
# If this option is set to 0, incoming spam is only
# modified by adding some \"X-Spam-\" headers and no
# changes will be made to the body.
report_safe     0

# Enable the Bayes system
use_bayes               1
use_bayes_rules         1
# Enable Bayes auto-learning
bayes_auto_learn        1

# Enable or disable network checks
skip_rbl_checks         0
use_razor2              0
use_dcc                 0
use_pyzor               0
" > $SA_LOCAL_CF

Now that I have been running the spam filter for a couple weeks, I have had to whitelist some email addresses that send me emails with strange headers or get sent from “shady” IP addresses. This goes into the same local.cf file.

whitelist_from *@hq.acm.org

I find it amusing that emails from the ACM keep getting marked as spam. Next I started SpamAssassin.

/etc/init.d/spamassassin start

Next, I modified Postfix to send emails through the SpamAssassin filter.

POSTFIX_MASTER_CF=/etc/postfix/master.cf
mv $POSTFIX_MASTER_CF $POSTFIX_MASTER_CF.default
sed 's/smtp      inet  n       -       -       -       -       smtpd/smtp      inet  n       -       -       -       -       smtpd\n\t-o content_filter=spamassassin/'  \
$POSTFIX_MASTER_CF.default > $POSTFIX_MASTER_CF
echo 'spamassassin unix -     n       n       -       -       pipe
  user=spamd argv=/usr/bin/spamc -f -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}' >> $POSTFIX_MASTER_CF

Next, reload Postfix so it will use SpamAssassin.

/etc/init.d/postfix reload

Once SpamAssassin is running, you can train it by passing it spam and ham emails.

sa-learn -u spamd --spam --mbox /path/to/spam_mbox
sa-learn -u spamd --ham --mbox /path/to/ham_mbox
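
The master.cf edit in the procedure above is the step most worth checking afterwards: the sed pattern matches the smtpd line only when the column spacing is exactly as written (the stock master.cf on newer distributions, for example, has a “y” rather than “-” in the chroot column), and when it does not match, sed silently leaves the file unchanged and mail never reaches spamc. The script below is an added example, not part of the original post, that makes the same change by matching on whitespace-separated fields, refuses to add the override twice, and fails with a distinct exit code when no smtpd service line is found. The function names, exit codes and sample master.cf lines are my own; the service lines it writes are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): apply the master.cf change from
# the post with a check that it took effect. Matching on fields rather than on
# exact spacing means the smtpd line is found regardless of column layout.
# The master.cf text used in the demo is a constructed sample, not a real file.

# add_spamassassin_filter MASTER_CF -> rewrite the file in place
#   exit 0: content_filter override and spamassassin pipe service added
#   exit 1: no "smtp inet ... smtpd" service line found, file left untouched
#   exit 2: content_filter=spamassassin already present, file left untouched
add_spamassassin_filter() {
    asf_file=$1
    if grep -q 'content_filter=spamassassin' "$asf_file"; then
        return 2
    fi
    awk '
        # master.cf columns: service type private unpriv chroot wakeup maxproc command
        $1 == "smtp" && $2 == "inet" && $8 == "smtpd" {
            print
            # a continuation line must start with whitespace to belong to the service
            print "  -o content_filter=spamassassin"
            hit = 1
            next
        }
        { print }
        END {
            if (!hit) exit 1
            # the filter service itself, exactly as in the post
            print "spamassassin unix -     n       n       -       -       pipe"
            print "  user=spamd argv=/usr/bin/spamc -f -e"
            print "  /usr/sbin/sendmail -oi -f ${sender} ${recipient}"
        }' "$asf_file" > "$asf_file.new" || { rm -f "$asf_file.new"; return 1; }
    mv "$asf_file.new" "$asf_file"
}

# filter_line_count MASTER_CF -> how many content_filter=spamassassin overrides the file has
filter_line_count() {
    grep -c 'content_filter=spamassassin' "$1"
}

# Demo on a constructed master.cf using the Postfix 3 layout ("y" in the chroot column),
# which the post's sed pattern would not have matched
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample, not a real master.cf
smtp      inet  n       -       y       -       -       smtpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
EOF
if add_spamassassin_filter "$demo"; then
    echo "content_filter added; resulting master.cf:"
    cat "$demo"
else
    echo "no change made (status $?)"
fi
rm -f "$demo"
```

After running it against the real /etc/postfix/master.cf (as root, with a backup as in the post), `postconf -M` or a plain grep for content_filter confirms the override is attached to the smtp service before reloading Postfix.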

After adjusting the spam threshold, training the filter with spam messages that I have acquired over the last year, and whitelisting a few problematic senders, my spam filter has been doing a good job of marking spam as spam. At this point it is easy enough to sort through the email manually and confirm that they are spam. In the future, if it ever gets bad enough, I will be able to automatically delete the messages or filter them into a different mailbox on delivery.