
SPAM Filter Series: Beating the Barracuda

Posted January 23, 2013 by Geoff Phillips


Is something fishy happening to your emails on the way to the inbox?

This is the third entry in our series on SPAM filters: how they work, how to avoid them, and what we can learn from their output. We already covered the Postini and SpamAssassin filters in our previous blogs. The "Barracuda SPAM and Virus Firewall" is a plug-in appliance that gives admins a suite of tools used to manage incoming mail. We often pay a lot of attention to the "SPAM rules" that we've learned to avoid, but looking at those rules is actually the last thing that a SPAM filter like Barracuda does. I'll list the steps it goes through in order below.

  1. Check IP Block List - Make sure that the sender IP isn't already listed as suspicious.
  2. Check for Viruses - Look for known viruses.
  3. Check for Viruses - Check again looking for anything suspicious.
  4. Check through any user specified rules - Users can specify that emails containing certain words, languages or code are to be classified as SPAM.
  5. Check "SPAM Fingerprint" - Checks to see if this email has already been fingerprinted by a Barracuda installation, more on this below.
  6. SPAM Intention Analysis - Analyzes what this message is trying to get the recipient to do: go to a site, reply, open an attachment, etc.
  7. Bayesian Spam Analysis - This uses Bayesian logic to compare the current email to a database of emails that the system already knows are SPAM or HAM.
  8. Spam Rules-Based Scoring - We get the most information about this step from the "X-Barracuda-Spam-Report" header, below.

Rules-based scoring comes last because it's much more efficient to check for deal breakers, like a blacklisted IP address or the presence of a virus, before going through detailed rules checks like you'll see under the "X-Barracuda-Spam-Report" header. Legitimate emails should pass through steps 1-6 with no problem, and step 7 may even improve your score.

"SPAM fingerprinting" uses information about messages that have been categorized as SPAM to identify messages that are the same or similar as they pass through the Barracuda Spam Firewall. When a Barracuda installation identifies a message as SPAM, it is "fingerprinted" and sent to Barracuda Central so that information about that piece of SPAM can be communicated to other Barracuda installations.

Barracuda Headers

Below is an example set of Barracuda headers. Take a look at them and we'll explain them in more detail below.

X-Barracuda-Start-Time: 1332864901
X-Barracuda-URL: http://172.26.14.249:8000/url-mod/address.com
X-Barracuda-Bayes: SPAM GLOBAL 1.0000 1.0000 4.3430
X-Barracuda-Spam-Score: 2.03
X-Barracuda-Spam-Status: No, SCORE=2.03 using global scores of TAG_LEVEL=3.0 QUARANTINE_LEVEL=5.0 KILL_LEVEL=7.0 tests=BSF_SC0_SA_TO_FROM_DOMAIN_MATCH,
     BSF_SC7_SA578_CH, DATE_IN_PAST_12_24, DATE_IN_PAST_12_24_2, HEAD_LONG, HTML_MESSAGE, LONG_TERM_PRICE
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.92409
     pts RULE_NAME description
     ---- ---------------------- ----------------------
     0.50 HEAD_LONG Message headers are very long
     0.01 DATE_IN_PAST_12_24 Date: is 12 to 24 hours before Received: date
     0.21 LONG_TERM_PRICE BODY: LONG_TERM_PRICE
     0.00 HTML_MESSAGE BODY: HTML included in message
     0.50 BSF_SC7_SA578_CH Custom Rule SA578_CH
     0.01 BSF_SC0_SA_TO_FROM_DOMAIN_MATCH Sender Domain Matches Recipient Domain
     0.80 DATE_IN_PAST_12_24_2 DATE_IN_PAST_12_24_2
X-SA-Exim-Connect-IP: 12.237.60.52
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on server-4
X-Spam-Level: -0.5
X-Spam-Status: No, score=-0.5 required=5.7 tests=BAYES_00,DATE_IN_PAST_12_24,
     HTML_MESSAGE,LONG_TERM_PRICE,L_BILLS,L_TAX1,T_LOTS_OF_MONEY autolearn=no
     version=3.3.1

X-Barracuda-Spam-Score Header

X-Barracuda-Spam-Score: 2.03

This header will give you the Barracuda SPAM score of the email. To learn more about what this score means (and see it again) check out the next header.

X-Barracuda-Spam-Status Header

X-Barracuda-Spam-Status: No, SCORE=2.03 using global scores of TAG_LEVEL=3.0 QUARANTINE_LEVEL=5.0 KILL_LEVEL=7.0 tests=BSF_SC0_SA_TO_FROM_DOMAIN_MATCH,
     BSF_SC7_SA578_CH, DATE_IN_PAST_12_24, DATE_IN_PAST_12_24_2, HEAD_LONG, HTML_MESSAGE, LONG_TERM_PRICE

This header tells you if the email was classified as SPAM, what score it got, what the thresholds are for this installation, and what tests were performed. Barracuda allows the user to set thresholds for flagging, quarantining, bouncing and delivery. The example installation looks like this:

0.0 - 2.99 --> Delivered to Inbox.
3.0 - 4.99 --> Delivered to Inbox. Subject line tagged with [Suspected SPAM].
5.0 - 6.99 --> Delivered to Barracuda Quarantine Inbox.
7.0 - 10.0 --> Blocked from delivery

An aggressive installation (with a different added tag) might look like this:

0.0 - 1.99 --> Delivered to Inbox.
2.0 - 3.49 --> Delivered to Inbox. Subject line tagged with [SPAM?].
3.5 - 5.00 --> Delivered to Barracuda Quarantine Inbox.
5.1 - 10.0 --> Blocked from delivery

The Barracuda Quarantine Inbox is an inbox that network admins can access, but typical users cannot. This prevents an average user from accidentally opening an email with a virus, but allows a network admin to retrieve it if needed. Sadly, if your email lands in the quarantine box it's pretty unlikely that anybody will find it and send it to the recipient, so it's important to keep your Barracuda score low enough to make it into the first category. Even a score of 3.0-4.99 would be too much for most advertisers, as this would result in having "[Suspected SPAM]" or another similar tag added to the subject line. The added tag is determined by the network admin, but it will almost certainly cause the recipient to delete your email without reading it.

X-Barracuda-Spam-Report Header

X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.92409
     pts RULE_NAME description
     ---- ---------------------- ----------------------
     0.50 HEAD_LONG Message headers are very long
     0.01 DATE_IN_PAST_12_24 Date: is 12 to 24 hours before Received: date
     0.21 LONG_TERM_PRICE BODY: LONG_TERM_PRICE
     0.00 HTML_MESSAGE BODY: HTML included in message
     0.50 BSF_SC7_SA578_CH Custom Rule SA578_CH
     0.01 BSF_SC0_SA_TO_FROM_DOMAIN_MATCH Sender Domain Matches Recipient Domain
     0.80 DATE_IN_PAST_12_24_2 DATE_IN_PAST_12_24_2

This header contains detailed information about which tests the email failed and how many points each of them was worth. This is the best place to learn what you can change to help your emails make it through next time. Anything that merits 0.5 points or more is something to take notice of. It also includes the code version and rules version that were used to test your email.

Putting It All Together

Here again is our example of a complete set of Barracuda headers.

X-Barracuda-Start-Time: 1332864901
X-Barracuda-URL: http://172.26.14.249:8000/url-mod/address.com
X-Barracuda-Bayes: SPAM GLOBAL 1.0000 1.0000 4.3430
X-Barracuda-Spam-Score: 2.03
X-Barracuda-Spam-Status: No, SCORE=2.03 using global scores of TAG_LEVEL=3.0 QUARANTINE_LEVEL=5.0 KILL_LEVEL=7.0 tests=BSF_SC0_SA_TO_FROM_DOMAIN_MATCH,
     BSF_SC7_SA578_CH, DATE_IN_PAST_12_24, DATE_IN_PAST_12_24_2, HEAD_LONG, HTML_MESSAGE, LONG_TERM_PRICE

X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.92409
     pts RULE_NAME description
     ---- ---------------------- ----------------------
     0.50 HEAD_LONG Message headers are very long
     0.01 DATE_IN_PAST_12_24 Date: is 12 to 24 hours before Received: date
     0.21 LONG_TERM_PRICE BODY: LONG_TERM_PRICE
     0.00 HTML_MESSAGE BODY: HTML included in message
     0.50 BSF_SC7_SA578_CH Custom Rule SA578_CH
     0.01 BSF_SC0_SA_TO_FROM_DOMAIN_MATCH Sender Domain Matches Recipient Domain
     0.80 DATE_IN_PAST_12_24_2 DATE_IN_PAST_12_24_2

From this we can learn the following:

  • The Barracuda SPAM score was 2.03.
  • For this installation, emails with a score of 0.0 - 2.99 will be delivered to the inbox, scores 3.0 - 4.99 will have the subject line tagged, scores 5.0 - 6.99 will be delivered to the Barracuda Quarantine Inbox, and scores 7.0 - 10.0 will be blocked from delivery.
  • This email failed the following tests: BSF_SC0_SA_TO_FROM_DOMAIN_MATCH, BSF_SC7_SA578_CH, DATE_IN_PAST_12_24, DATE_IN_PAST_12_24_2, HEAD_LONG, HTML_MESSAGE, LONG_TERM_PRICE. Information about each of these can be found in the X-Barracuda-Spam-Report.
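
The same reading done programmatically, as an added example (not code from the original article or from Barracuda): it parses the two headers shown above, maps the score onto the thresholds the installation itself reports, and lists the rules worth 0.5 points or more. The function names and the "unreported" consistency check are assumptions of this example.

```python
import re
from email import message_from_string

# Constructed sample: the Spam-Status and Spam-Report headers from the article's example.
SAMPLE = """\
X-Barracuda-Spam-Status: No, SCORE=2.03 using global scores of TAG_LEVEL=3.0 QUARANTINE_LEVEL=5.0 KILL_LEVEL=7.0 tests=BSF_SC0_SA_TO_FROM_DOMAIN_MATCH,
     BSF_SC7_SA578_CH, DATE_IN_PAST_12_24, DATE_IN_PAST_12_24_2, HEAD_LONG, HTML_MESSAGE, LONG_TERM_PRICE
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.92409
     pts RULE_NAME description
     ---- ---------------------- ----------------------
     0.50 HEAD_LONG Message headers are very long
     0.01 DATE_IN_PAST_12_24 Date: is 12 to 24 hours before Received: date
     0.21 LONG_TERM_PRICE BODY: LONG_TERM_PRICE
     0.00 HTML_MESSAGE BODY: HTML included in message
     0.50 BSF_SC7_SA578_CH Custom Rule SA578_CH
     0.01 BSF_SC0_SA_TO_FROM_DOMAIN_MATCH Sender Domain Matches Recipient Domain
     0.80 DATE_IN_PAST_12_24_2 DATE_IN_PAST_12_24_2
"""

# A report row is "<points> <RULE_NAME> <description>"; banner and ruler lines do not match.
RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+(\S+)\s*(.*)$")

def disposition(score, levels):
    # Highest band first: kill, then quarantine, then tag; anything below is delivered.
    for name, action in (("KILL", "blocked"), ("QUARANTINE", "quarantined"), ("TAG", "tagged")):
        if name in levels and score >= levels[name]:
            return action
    return "delivered"

def analyze(raw, notable=0.5):
    msg = message_from_string(raw)  # default compat32 policy keeps folded lines intact
    status = msg.get("X-Barracuda-Spam-Status", "")
    report = msg.get("X-Barracuda-Spam-Report", "")
    m = re.search(r"SCORE=(-?\d+(?:\.\d+)?)", status)
    if m is None:
        return None  # header missing or not in the format shown above
    score = float(m.group(1))
    levels = {k: float(v) for k, v in
              re.findall(r"(TAG|QUARANTINE|KILL)_LEVEL=(\d+(?:\.\d+)?)", status)}
    tests = [t for t in re.split(r"[,\s]+", status.partition("tests=")[2]) if t]
    rules = [(float(p), name, desc) for p, name, desc in
             (mt.groups() for mt in map(RULE_LINE.match, report.splitlines()) if mt)]
    return {"score": score, "levels": levels, "action": disposition(score, levels),
            "tests": tests, "rules": rules,
            "notable": [name for pts, name, _ in sorted(rules, reverse=True) if pts >= notable],
            "unreported": sorted(set(tests) - {name for _, name, _ in rules})}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Calling disposition(2.03, {"TAG": 2.0, "QUARANTINE": 3.5, "KILL": 5.1}) with the aggressive installation's thresholds returns "tagged" for the same message.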

We hope this information will allow you to make more sense of Barracuda headers and why your email might have been tagged as SPAM. Please feel free to add your own Barracuda comments down below.

Comments

Julio Lau
I'd like to know more about the X-Barracuda-Spam-Report, as it is completely Chinese for me.

I have a few lines of one of our emails that got spammed:

0.50 BSF_SC0_SA082p BODY: Custom Rule SA082p
1.20 BSF_SC0_SA082n BODY: Custom Rule SA082n
0.00 HTML_MESSAGE BODY: HTML included in message
0.00 BSF_SC5_SA210e Custom Rule SA210e

What does all that mean?
Posted 02/14/2013

Geoff Phillips
Julio,
It can be very hard to read! All of the ones that say "Custom Rule" were defined by the person administrating the installation, so we can't interpret those directly. "HTML_MESSAGE BODY" just means you had HTML in the message, and that wasn't counted against you (0.00). Wish I could offer you more information than that!
Posted 04/04/2013

Christophe
Hi,

Nice article.

Maybe one remark. The quarantine function in the Barracuda Spam is possible for admins and users. Nevertheless, I would never suggest that users be allowed to use a quarantine inbox.
Posted 04/20/2013

Billy
Note that the custom rules are not defined by system administrators, but instead by Barracuda Networks....a-la proprietary
Posted 08/12/2013

Geoff Phillips
Julio,
I'm sorry, I was wrong about that. Upon further investigation, "custom rule" is a pretty ambiguous term. A stock installation of Barracuda apparently comes with a lot of "custom rules." I apologize for any confusion this may have caused.
Posted 09/20/2013

Joblo
This thing is a nightmare! Keeps blocking important emails, and completely ignoring the "Whitelist."

Defeats the purpose of doing business via email doesn't it?
Posted 10/03/2013

Patrick
Have you marked at least 100 messages as spam and another 100 as not spam? The Barracuda won't start its Bayesian filtering until you do this. Remember that they want more messages marked as "not spam" than those marked as "spam" to be most effective.
Posted 10/21/2013
