What’s the Barracuda Spam Filter and Blocklist All About?
We have no idea if barracudas in the wild are likely to devour spam. But we do know that the company Barracuda Networks is awfully good at filtering and blocking email spam (which is “devouring” in a sense).
The Barracuda spam filter is one of the most well-known and effective in the email industry. Administrators often use Barracuda for email security and configure this spam filter for G Suite and Outlook inboxes. So, understanding the Barracuda filter is especially important for B2B email communication.
There’s also a major blocklist run by the network, which is known as the Barracuda Reputation Blocklist (BRBL). Let’s take a closer look at a key player in the world of email marketing, including how the Barracuda spam filter works.
What is Barracuda Networks?
For starters, it has nothing to do with fish. While the snake-like water creature with gnarly teeth and bugged-out eyes is pretty scary to swimmers, Barracuda Networks puts fear in the hearts of cybercriminals and spammers.
The company started as a spam and virus firewall back in 2003. It now offers a variety of other security products and services including data protection, network security, as well as application and cloud security.
At this point, Barracuda has been helping mailbox providers and system admins stop spam for about two decades. For many years now, the company has also been recognized as a leader in email security by companies like Gartner, Forrester, and Europe’s SC Awards.
Is Barracuda a spam filter or a blocklist?
Barracuda Networks offers both a customizable spam filter and a blocklist, the latter of which it introduced in 2008. Its email blocklist is open source and free for the public to use. Unless you’re a known spammer, that is.
The company also offers email security solutions with features that protect against phishing, malware, DoS attacks, outbound email filtering, and more. Barracuda states that it protects around a billion emails every day.
Of course, inbound spam filtering is where Barracuda Networks got its start. The Barracuda spam filter identifies incoming mail from known spammers, catches spammy links in messages, and even has high-tech ways of finding hidden content that traditional spam filters may miss.
How does the Barracuda spam filter work?
Like other email spam filters, Barracuda has a method for giving messages a score that rates their likelihood of being spam. Among other factors, the filter looks for the following:
- Is the sender already on a list of suspicious IP addresses?
- Are there any known viruses or malware in the email?
- Bayesian spam analysis: How does the message compare to a database of other emails that are known spam?
- Spam intention analysis: Does the message appear to try and persuade the recipient to do something a spammer would want?
- Does the email fail any specific rules that the user/admin has set up or customized?
- Spam fingerprinting: Has the email already been marked by another Barracuda installation?
To clarify that last point on spam fingerprinting… When a Barracuda Network user identifies an email that’s malicious or spammy, information about the message gets sent to Barracuda Central where it can be shared with others who’ve installed the filter.
The Barracuda spam filter works efficiently because it knows it should look for the “deal breakers” first. That means it’s going to check blocklists and scan for viruses before it examines smaller spam signals.
The Barracuda spam report
Barracuda’s Email Gateway Defense is a pass-through system that uses custom X-headers, which are added to the email’s main header and used by mailbox providers to determine if an email should be blocked, marked as spam, or land in the inbox.
Here’s an example of a Barracuda header:
X-Barracuda-Start-Time: 1332864901
X-Barracuda-URL: http://172.26.14.249:8000/url-mod/address.com
X-Barracuda-Bayes: SPAM GLOBAL 1.0000 1.0000 4.3430
X-Barracuda-Spam-Score: 2.03
X-Barracuda-Spam-Status: No, SCORE=2.03 using global scores of TAG_LEVEL=3.0 QUARANTINE_LEVEL=5.0 KILL_LEVEL=7.0 tests=BSF_SC0_SA_TO_FROM_DOMAIN_MATCH,
BSF_SC7_SA578_CH, DATE_IN_PAST_12_24, DATE_IN_PAST_12_24_2, HEAD_LONG, HTML_MESSAGE, LONG_TERM_PRICE
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.92409
pts RULE_NAME description
---- ---------------------- ----------------------
0.50 HEAD_LONG Message headers are very long
0.01 DATE_IN_PAST_12_24 Date: is 12 to 24 hours before Received: date
0.21 LONG_TERM_PRICE BODY: LONG_TERM_PRICE
0.00 HTML_MESSAGE BODY: HTML included in message
0.50 BSF_SC7_SA578_CH Custom Rule SA578_CH
0.01 BSF_SC0_SA_TO_FROM_DOMAIN_MATCH Sender Domain Matches Recipient Domain
0.80 DATE_IN_PAST_12_24_2 DATE_IN_PAST_12_24_2
X-SA-Exim-Connect-IP: 12.237.60.52
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on server-4
X-Spam-Level: -0.5
X-Spam-Status: No, score=-0.5 required=5.7 tests=BAYES_00,DATE_IN_PAST_12_24,
HTML_MESSAGE,LONG_TERM_PRICE,L_BILLS,L_TAX1,T_LOTS_OF_MONEY autolearn=no
version=3.3.1
It’s a lot to take in, right? Let’s break down two of the most important X-headers in this string of text, because that’s what you really care about.
The X-Barracuda-Spam-Score
This bit of the header indicates the final result of spam scoring after all the tests and checks are performed.
X-Barracuda-Spam-Score: 2.03
Keep your Barracuda spam score low enough, and mailbox providers are more likely to open the door to your subscribers’ inboxes. But if your email crosses a threshold and scores too high, you’re probably going to land in spam or even get blocked.
Of course, the score 2.03 doesn’t mean much on its own. It sounds low. But is it low enough? That depends…
The X-Barracuda-Spam-Status
Here’s a look at the information in the X-Barracuda-spam-status header:
X-Barracuda-Spam-Status: No, SCORE=2.03 using global scores of TAG_LEVEL=3.0 QUARANTINE_LEVEL=5.0 KILL_LEVEL=7.0 tests=BSF_SC0_SA_TO_FROM_DOMAIN_MATCH,
BSF_SC7_SA578_CH, DATE_IN_PAST_12_24, DATE_IN_PAST_12_24_2, HEAD_LONG, HTML_MESSAGE, LONG_TERM_PRICE
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.92409
This x-header defines the parameters for what gets delivered to the inbox, filtered to spam, or blocked.
First, you’ll notice the word “No” at the start of the X-header. That means this email was not considered spam (isn’t that a relief?). That’s because a score of 2.03 doesn’t meet the criteria for getting tagged, filtered, or blocked. There are three “levels” mentioned in this X-header:
TAG_LEVEL=3.0This means if an email reaches a score of 3.0, it could be tagged in the inbox as possible spam because some things were a little bit suspicious.QUARANTINE_LEVEL=5.0This means if a message scores 5.0 or higher, Barracuda recommends that mailbox providers treat it like true spam and send it to the junk folder.KILL_LEVEL=7.0This means that if the message reaches a score of 7.0 or higher, it should be rejected and blocked from delivery.
There are two important factors to keep in mind about Barracuda spam scoring. For one thing, the thresholds we used above are not necessarily the same rules every mailbox provider will use. That’s because the filter is customizable. While we used some standard levels for scoring in our example, a more aggressive approach could look like this:
- 0.0 – 1.99 –> Delivered to Inbox.
- 2.0 – 3.49 –> Delivered to Inbox. Subject line tagged with [SPAM?].
- 3.5 – 5.00 –> Delivered to Barracuda Quarantine Inbox.
- 5.1 – 10.0 –> Blocked from delivery
Secondly, the Barracuda spam filter can also be set to check for email authentication protocols, including SPF, DKIM, and DMARC. As a sender, it’s important to have email authentication set up and working properly.
How do I get off the Barracuda blocklist?
Mistakes happen, and you may find your sending domain or IP address ends up on the Barracuda blocklist. This is not a death sentence for your email deliverability, but it will take a little work to remedy the situation. That’s because removal from the Barracuda blocklist is a manual process.
Before you try to get removed, you need to know what went wrong. Barracuda says this about its blocklisting methodology:
“Most IP addresses are listed as a result of directly sending spam or viruses to the Barracuda Reputation System’s detectors. The Barracuda Reputation System detects spam by using honeypots, special addresses created to receive only spam and do not belong to any real user and through analysis of captive spyware protocol activity.”
Basically, you got on this blocklist because you either sent a dangerous email or you have pristine spam traps (honeypots) on your contact list. If you’ve got a honeypot email address on your list, it means that, at some point, someone either purchased contacts or scraped the web for email addresses. And that’s not cool.
It’s certainly possible this is not your fault. Maybe you were hacked, and bad actors are using your domain or IP. Maybe someone before your time conducted some shady list building practices. Whatever the case, you’ve got to fix things ASAP.
Where to go for Barracuda blocklist removal
If you plan to work on blocklist removal yourself, here are the steps to follow:
- Visit Barracuda Central’s blocklist removal page and check out the form.
- Enter your sending IP address to identify what should be removed from the blocklist.
- Give them an email address where the right person can be reached with follow-up questions.
- Provide a detailed explanation of what happened and why you should be removed.
It could take 12 hours or more for you to hear an initial response to your blocklist removal request, and even then, you may have to answer some questions and clarify a few things. Good luck!
The good news is that our friends at Sinch Mailgun say that getting listed on the BRBL typically has a low impact on email delivery. But it could hurt more if you’re a B2B brand sending to Outlook and G-Suite addresses that are more likely to use Barracuda.
Get email deliverability help from Mailgun Optimize
If all of this feels a little overwhelming, there is help out there, and there are tools that can help you prevent problems with spam filters and blocklists from ever happening in the first place.
Mailgun Optimize is a complete email deliverability suite. Among the services we offer is our Deliverability Monitoring, which includes blocklisting notifications. That means you can fix a sticky situation before you launch your next big email campaign.
There are also plenty of other beneficial tools in the Mailgun Optimize platform. That includes Email Validation, which can help you keep your list clean as well as find and remove spam traps that could get you blocklisted. Plus, Inbox Placement gives you amazing insights into deliverability. You can even predict if your messages will land in the inbox, spam, or the Gmail promotions tab before you hit send.
While you can use Mailgun Optimize and Sinch Email on Acid separately, when you put them together you’ll put your best email forward while giving it the best chance of reaching every subscriber on your list.
Finally, we’ve made it through this entire article without making any references to the classic rock song from Heart. Ladies and gentlemen… straight from 1977, we give you “Barracuda”.
This article was updated on October 17, 2022. It was first published in January of 2013.
Author: The Email on Acid Team
The Email on Acid content team is made up of digital marketers, content creators, and straight-up email geeks. Connect with us on LinkedIn, follow us on Facebook, and tweet at @EmailonAcid on Twitter for more sweet stuff and great convos on email marketing.
Author: The Email on Acid Team
The Email on Acid content team is made up of digital marketers, content creators, and straight-up email geeks. Connect with us on LinkedIn, follow us on Facebook, and tweet at @EmailonAcid on Twitter for more sweet stuff and great convos on email marketing.
14 thoughts on “What’s the Barracuda Spam Filter and Blocklist All About?”
Comments are closed.
I’d like to know more about the X-Barracuda-Spam-Report, as it is completely chinese for me.
I have a few lines of one of our emails that got spammed:
0.50 BSF_SC0_SA082p BODY: Custom Rule SA082p
1.20 BSF_SC0_SA082n BODY: Custom Rule SA082n
0.00 HTML_MESSAGE BODY: HTML included in message
0.00 BSF_SC5_SA210e Custom Rule SA210e
What all that mean?
Julio,
It can be very hard to read! All of the ones that say “Custom Rule” were defined by the person administrating the installation, so we can’t interpret those directly. “HTML_MESSAGE BODY” just means you had HTML in the message, and that wasn’t counted against you (0.00). Wish I could offer you more information than that!
Hi,
Nice article.
Maybe one remark. The quarantaine function in the Barracuda Spam is possible for admins and users. Nevertheless I would never suggest it that users are allowed to use a quaraintaine inbox.
Note that the custom rules are not defined by system administrators, but instead by Barracuda Networks….a-la proprietary
Julio,
I’m sorry, I was wrong about that. Upon further investigation, “custom rule” is a pretty ambiguous term. A stock installation of Barracuda apparently comes with a lot of “custom rules.” I apologize for any confusion this may have caused.
This thing is a nightmare! Keeps blocking important emails, and completely ignoring the “Whitelist.”
Defeats the purpose of doing business via email doesn’t it?
Have you marked at least 100 messages as spam and another 100 as not spam? The Barracuda won’t start its Bayesian filtering until you do this. Remember that they want more messages marked as “not spam” than those marked as “spam” to be most effective.
I think this is one of the most important info for me. And i am glad reading your article. But wanna remark on few general things, The web site style is ideal, the articles is really excellent D. Good job, cheers beegagegeecb
Barracuda is not a good idea.
Their filter criteria include origin IP but ignore the actual domain.
This means that a spammer could be using a domain named “ispamlots.com”, but be using a dynamic IP and just by sending an IP refresh request to his router every 100 or 1000 messages, he would remain 100% invisible to Barracuda.
Also, if he wanted to be lazy, he could just pay $20 to emailreg.org and get a free pass and spam all day and every day to a degree that would make Monty Python blush.
On the other hand, we recently switched to a site that does a check with barracuda’s RBL and suddenly tons of our emails were showing up as false positives. Indeed, our main office uses a router with a dynamic IP that is rebooted daily at 3:00am. Every month or so, we get a “poisoned” IP number that shows up on the Barracuda RBL. Yep – I get a flag from our spam assassin check on an email I sent from me@maindomain to me@secondarydomain.
I just did a check of all messages that have a flag for barracuda over the past 3 months. Not a *single* message is actual spam. 100% are ham and false positives from actual customers that we have been dealing with for years.
This is the worst blacklist setup you could possibly imagine. Ridiculously easy to circumvent for regular spam. Blocks large numbers of emails on false positive.
I admin a Barracuda filter. They work great. Jimmy is wrong.
We can use Barracuda’s IP list, and Spamhaus or any other list we want (like SORBD, Backscatter, …). Spamhaus zen list blocks all dynamic IP address – all ISP’s report their dynamic ranges to spamhaus , Anyone using the zen spamhaus list automatically blocks all email from dynamic IP addresses. If anyone thinks they are sending email from a dynamic range they are nuts (I ran a site that pushed 2 million emails an hour).
We setup honeypot email addresses inside the network and publish those addresses on our websites – when any email is sent to one of those mailboxes, we scan past logs for any 24 block use of the IP address, and check the registered range – the entire range is blocked.
A really great feature of Barracuda is the ability to read the email. If some sales weasel sends contact information, you can just pick keywords out of the link and build a rule around the word. Phone number? Add it the content management engine – blocked forever, Email address, add a rule blocked forever. URL same treatment (add a rule so the domain on any TLD is blocked). Don’t want to get email from outside the US – there is a rule for that. You can require SPF and other domain validation rules (and PTR).
We are part of a teaching organization, and use their regional mailing list for newsletters based on their current mailing list. We use a GoDaddy address as the send and reply-to address, and include it in the newsletter. What does the following mean on our newsletter spam check?
BODY: Custom Phishing Mismatch
Hey Maris,
It does appear that is Barracuda send out the “Custom Phishing Mismatch.” Unfortunately, Barracuda doesn’t really go into much detail about what the hit may have been specifically, but checking for these things should help: http://www.techrepublic.com/blog/10-things/10-tips-for-spotting-a-phishing-email/
Hope that helps, even just a little. Have a great day.
Julio,
Never had problems with any RBL in the past cca 15 years. Only with barracuda but very often.
Use something else…, or pay $20 per year for EmailReg.org and you could be an “official” spammer… 😉 Funny but true!
http://joystickjunkie.blogspot.hu/2010/04/emailregorg-is-scam.html
I would like to know about the lines below:
X-Barracuda-BRTS-Status: 1
X-Barracuda-Bayes: INNOCENT GLOBAL 0.0000 1.0000 -2.0210
X-Barracuda-Spam-Score: -1.27
X-Barracuda-Spam-Status: No, SCORE=-1.27 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=5.0 tests=HTML_FONT_FACE_BAD, HTML_MESSAGE, MISSING_MID
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.32880
Rule breakdown below
pts rule name description
—- ———————- ————————————————–
0.14 MISSING_MID Missing Message-Id: header
0.00 HTML_MESSAGE BODY: HTML included in message
0.61 HTML_FONT_FACE_BAD BODY: HTML font face is not a word
Could this define a message being delayed for hours?
Or its just minor pts which can’t affect that?
Thank you in advance