Spam Filter Series: Beating the Barracuda


Is something fishy happening to your emails on the way to the inbox?

This is the third entry in our series on SPAM filters: how they work, how to avoid them, and what we can learn from their output. We already covered the Postini and SpamAssassin filters in our previous blogs. The “Barracuda SPAM and Virus Firewall” is a plug-in appliance that gives admins a suite of tools used to manage incoming mail. We often pay a lot of attention to the “SPAM rules” that we’ve learned to avoid, but looking at those rules is actually the last thing that a SPAM filter like Barracuda does. I’ll list the steps it goes through in order below.

  1. Check IP Block List – Make sure that the sender IP isn’t already listed as suspicious.
  2. Check for Viruses – Look for known viruses.
  3. Check for Viruses – Check again looking for anything suspicious.
  4. Check through any user specified rules – Users can specify that emails containing certain words, languages or code are to be classified as SPAM.
  5. Check “SPAM Fingerprint” – Checks to see if this email has already been fingerprinted by a Barracuda installation, more on this below.
  6. SPAM Intention Analysis – Analyzes what this message is trying to get the recipient to do: go to a site, reply, open an attachment, etc.
  7. Bayesian Spam Analysis – This uses Bayesian logic to compare the current email to a database of emails that the system already knows are SPAM or HAM.
  8. Spam Rules-Based Scoring – We get the most information about this step from the “X-Barracuda-Spam-Report” header, below.

This is because it’s much more efficient to check for deal breakers, like a blacklisted IP address or the presence of a virus, before going through detailed rules checks like you’ll see under the “X-Barracuda-Spam-Report” header. Legitimate emails should pass through steps 1-6 with no problem, and step 7 may even improve your score.
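To make step 7 concrete, here is an added example (not Barracuda’s code and not from the original post) of the naive Bayesian scoring such a filter performs: it learns token frequencies from a constructed, hand-labelled set of SPAM and HAM messages, then scores a new message by the summed log-odds of its tokens, with add-one smoothing so a word never seen in training cannot zero out the estimate. The training messages, the SPAM/INNOCENT verdict names and the 0.5 threshold are assumptions for illustration; Barracuda’s actual model, its token rules and the meaning of the numbers in its X-Barracuda-Bayes header are not documented on this page.

```python
import math
import re
from collections import Counter

# Constructed training corpus (not real mail): a few hand-labelled messages
# standing in for the database of known SPAM and HAM the filter learns from.
SPAM = [
    "cheap meds buy now limited offer click here",
    "win money now click here free prize",
    "buy cheap watches free shipping click now",
]
HAM = [
    "meeting moved to thursday please confirm agenda",
    "attached is the quarterly report for review",
    "can you review the draft agenda before the meeting",
]


def tokens(text):
    """Lower-case word tokens; real filters also use header and HTML features."""
    return re.findall(r"[a-z0-9']+", text.lower())


class NaiveBayes:
    """Multinomial naive Bayes with add-one smoothing (assumed, generic technique)."""

    def __init__(self, spam, ham):
        self.spam_counts = Counter(t for m in spam for t in tokens(m))
        self.ham_counts = Counter(t for m in ham for t in tokens(m))
        self.spam_total = sum(self.spam_counts.values())
        self.ham_total = sum(self.ham_counts.values())
        self.vocab = set(self.spam_counts) | set(self.ham_counts)
        # Class prior: ratio of SPAM to HAM examples in the training set.
        self.prior_log_odds = math.log(len(spam) / len(ham))

    def token_log_odds(self, tok):
        # Laplace (add-one) smoothing so an unseen token never yields log(0).
        v = len(self.vocab)
        p_spam = (self.spam_counts[tok] + 1) / (self.spam_total + v)
        p_ham = (self.ham_counts[tok] + 1) / (self.ham_total + v)
        return math.log(p_spam / p_ham)

    def log_odds(self, text):
        """Positive means the message looks like SPAM, negative like HAM."""
        return self.prior_log_odds + sum(self.token_log_odds(t) for t in tokens(text))

    def probability_spam(self, text):
        # Convert log-odds back to a probability with the logistic function.
        return 1.0 / (1.0 + math.exp(-self.log_odds(text)))

    def verdict(self, text, threshold=0.5):
        """Return (label, probability, log_odds); labels mirror the header wording."""
        p = self.probability_spam(text)
        label = "SPAM" if p >= threshold else "INNOCENT"
        return label, round(p, 4), round(self.log_odds(text), 4)


if __name__ == "__main__":
    model = NaiveBayes(SPAM, HAM)
    for msg in ("click here to buy cheap meds now",
                "please review the agenda for thursday meeting"):
        print(msg, "->", model.verdict(msg))
```

The class prior comes from the ratio of training messages, so a corpus skewed toward SPAM biases every verdict before a single word is read; that is the practical reason Bayesian filters need a reasonably large and balanced set of hand-classified mail before their output is worth anything.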

“SPAM fingerprinting” uses information about messages that have been categorized as SPAM to identify messages that are the same or similar as they pass through the Barracuda Spam Firewall. When a Barracuda installation identifies a message as SPAM, it is “fingerprinted” and sent to Barracuda Central so that information about that piece of SPAM can be communicated to other Barracuda installations.

Barracuda Headers

Below is an example set of Barracuda headers. Take a look at them and we’ll explain them in more detail below.

X-Barracuda-Start-Time: 1332864901
X-Barracuda-URL: http://172.26.14.249:8000/url-mod/address.com
X-Barracuda-Bayes: SPAM GLOBAL 1.0000 1.0000 4.3430
X-Barracuda-Spam-Score: 2.03
X-Barracuda-Spam-Status: No, SCORE=2.03 using global scores of TAG_LEVEL=3.0 QUARANTINE_LEVEL=5.0 KILL_LEVEL=7.0 tests=BSF_SC0_SA_TO_FROM_DOMAIN_MATCH,
     BSF_SC7_SA578_CH, DATE_IN_PAST_12_24, DATE_IN_PAST_12_24_2, HEAD_LONG, HTML_MESSAGE, LONG_TERM_PRICE
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.92409
     pts RULE_NAME description
     ---- ---------------------- ----------------------
     0.50 HEAD_LONG Message headers are very long
     0.01 DATE_IN_PAST_12_24 Date: is 12 to 24 hours before Received: date
     0.21 LONG_TERM_PRICE BODY: LONG_TERM_PRICE
     0.00 HTML_MESSAGE BODY: HTML included in message
     0.50 BSF_SC7_SA578_CH Custom Rule SA578_CH
     0.01 BSF_SC0_SA_TO_FROM_DOMAIN_MATCH Sender Domain Matches Recipient Domain
     0.80 DATE_IN_PAST_12_24_2 DATE_IN_PAST_12_24_2
X-SA-Exim-Connect-IP: 12.237.60.52
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on server-4
X-Spam-Level: -0.5
X-Spam-Status: No, score=-0.5 required=5.7 tests=BAYES_00,DATE_IN_PAST_12_24,
     HTML_MESSAGE,LONG_TERM_PRICE,L_BILLS,L_TAX1,T_LOTS_OF_MONEY autolearn=no
     version=3.3.1

X-Barracuda-Spam-Score Header

X-Barracuda-Spam-Score: 2.03

This header will give you the Barracuda SPAM score of the email. To learn more about what this score means (and see it again) check out the next header.

X-Barracuda-Spam-Status Header

X-Barracuda-Spam-Status: No, SCORE=2.03 using global scores of TAG_LEVEL=3.0 QUARANTINE_LEVEL=5.0 KILL_LEVEL=7.0 tests=BSF_SC0_SA_TO_FROM_DOMAIN_MATCH,
     BSF_SC7_SA578_CH, DATE_IN_PAST_12_24, DATE_IN_PAST_12_24_2, HEAD_LONG, HTML_MESSAGE, LONG_TERM_PRICE

This header tells you if the email was classified as SPAM, what score it got, what the thresholds are for this installation, and what tests were performed. Barracuda allows the user to set thresholds for flagging, quarantining, bouncing and delivery. The example installation looks like this:

0.0 – 2.99 –> Delivered to Inbox.
3.0 – 4.99 –> Delivered to Inbox. Subject line tagged with [Suspected SPAM].
5.0 – 6.99 –> Delivered to Barracuda Quarantine Inbox.
7.0 – 10.0 –> Blocked from delivery

An aggressive installation (with a different added tag) might look like this:

0.0 – 1.99 –> Delivered to Inbox.
2.0 – 3.49 –> Delivered to Inbox. Subject line tagged with [SPAM?].
3.5 – 5.00 –> Delivered to Barracuda Quarantine Inbox.
5.1 – 10.0 –> Blocked from delivery

The Barracuda Quarantine Inbox is an inbox that network admins can access, but typical users cannot. This prevents an average user from accidentally opening an email with a virus, but allows a network admin to retrieve it if needed. Sadly, if your email makes it into the quarantine box it’s pretty unlikely that anybody will find it and send it to the recipient, so it’s important to keep your Barracuda score low enough to land in the first category. Even a score of 3.0-4.99 would be too much for most advertisers, as this would result in having “[Suspected Spam]” or another similar tag added to the subject line. The added tag is determined by the network admin, but it will almost certainly cause the recipient to delete your email without reading it.

X-Barracuda-Spam-Report Header

X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.92409
     pts RULE_NAME description
     ---- ---------------------- ----------------------
     0.50 HEAD_LONG Message headers are very long
     0.01 DATE_IN_PAST_12_24 Date: is 12 to 24 hours before Received: date
     0.21 LONG_TERM_PRICE BODY: LONG_TERM_PRICE
     0.00 HTML_MESSAGE BODY: HTML included in message
     0.50 BSF_SC7_SA578_CH Custom Rule SA578_CH
     0.01 BSF_SC0_SA_TO_FROM_DOMAIN_MATCH Sender Domain Matches Recipient Domain
     0.80 DATE_IN_PAST_12_24_2 DATE_IN_PAST_12_24_2

This header contains detailed information about which tests the email failed and how many points each of them was worth. This is the best place to learn what you can change to help your emails make it through next time. Anything that merits 0.5 points or more is something to take notice of. The header also records the code version and rules version that were used to test your email.
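As an added example (not code from the post or from Barracuda), the following Python parses the two headers discussed above from the post’s own sample, unfolds the continuation lines, checks that the per-rule points add up to the reported score, maps the score onto the installation’s TAG/QUARANTINE/KILL levels, and lists the rules at or above the 0.5-point mark the post suggests watching. It also re-evaluates the same score against the “aggressive” thresholds from the earlier section, showing how one message is delivered cleanly on one installation and tagged on another. The header text is copied from the post; the function names, the 0.5 threshold and the assumption that the sample’s thresholds are typical are the example’s own.

```python
import re
from typing import Dict, List, Tuple

# Sample headers copied from the post (folded continuation lines kept as they
# would appear in a raw message). Only the two headers we parse are included.
SAMPLE_HEADERS = """\
X-Barracuda-Spam-Score: 2.03
X-Barracuda-Spam-Status: No, SCORE=2.03 using global scores of TAG_LEVEL=3.0 QUARANTINE_LEVEL=5.0 KILL_LEVEL=7.0 tests=BSF_SC0_SA_TO_FROM_DOMAIN_MATCH,
     BSF_SC7_SA578_CH, DATE_IN_PAST_12_24, DATE_IN_PAST_12_24_2, HEAD_LONG, HTML_MESSAGE, LONG_TERM_PRICE
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.92409
     pts RULE_NAME description
     ---- ---------------------- ----------------------
     0.50 HEAD_LONG Message headers are very long
     0.01 DATE_IN_PAST_12_24 Date: is 12 to 24 hours before Received: date
     0.21 LONG_TERM_PRICE BODY: LONG_TERM_PRICE
     0.00 HTML_MESSAGE BODY: HTML included in message
     0.50 BSF_SC7_SA578_CH Custom Rule SA578_CH
     0.01 BSF_SC0_SA_TO_FROM_DOMAIN_MATCH Sender Domain Matches Recipient Domain
     0.80 DATE_IN_PAST_12_24_2 DATE_IN_PAST_12_24_2
"""

# Thresholds of the post's "aggressive installation" table (assumed typical).
AGGRESSIVE_LEVELS = {"TAG": 2.0, "QUARANTINE": 3.5, "KILL": 5.1}


def unfold(raw: str) -> Dict[str, str]:
    """Join RFC 5322 folded continuation lines; returns {header_name: value}."""
    headers: Dict[str, str] = {}
    name = None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name is not None:
            headers[name] += "\n" + line.strip()   # continuation of previous header
        else:
            name, _, value = line.partition(":")
            name = name.strip()
            headers[name] = value.strip()
    return headers


def parse_status(value: str) -> dict:
    """Extract verdict, score, thresholds and test names from X-Barracuda-Spam-Status."""
    flat = " ".join(value.split())
    score = float(re.search(r"SCORE=(-?[\d.]+)", flat).group(1))
    levels = {k: float(v) for k, v in re.findall(r"(TAG|QUARANTINE|KILL)_LEVEL=([\d.]+)", flat)}
    tests = [t.strip() for t in flat.split("tests=", 1)[1].split(",") if t.strip()]
    return {"is_spam": flat.startswith("Yes"), "score": score, "levels": levels, "tests": tests}


def parse_report(value: str) -> List[Tuple[float, str, str]]:
    """Parse the pts / RULE_NAME / description rows of X-Barracuda-Spam-Report."""
    rows = []
    for line in value.splitlines()[1:]:          # first line is the version banner
        m = re.match(r"(-?\d+\.\d+)\s+(\S+)\s*(.*)", line.strip())
        if m:                                    # skips the column header and rule line
            rows.append((float(m.group(1)), m.group(2), m.group(3)))
    return rows


def disposition(score: float, levels: Dict[str, float]) -> str:
    """Map a score onto the admin's thresholds; the highest level crossed wins."""
    if score >= levels["KILL"]:
        return "blocked"
    if score >= levels["QUARANTINE"]:
        return "quarantined"
    if score >= levels["TAG"]:
        return "tagged"
    return "delivered"


def noteworthy(rows: List[Tuple[float, str, str]], threshold: float = 0.5) -> List[str]:
    """Rules worth acting on: the post suggests anything scoring 0.5 points or more."""
    return [name for pts, name, _ in rows if pts >= threshold]


def analyse(raw: str) -> dict:
    """Tie the pieces together for one message's headers."""
    h = unfold(raw)
    status = parse_status(h["X-Barracuda-Spam-Status"])
    rows = parse_report(h["X-Barracuda-Spam-Report"])
    return {
        "score": status["score"],
        "sum_of_rules": round(sum(p for p, _, _ in rows), 2),
        "disposition": disposition(status["score"], status["levels"]),
        "aggressive_disposition": disposition(status["score"], AGGRESSIVE_LEVELS),
        "noteworthy": noteworthy(rows),
        # Sanity check: every test named in Spam-Status should have a report row.
        "tests_match_report": sorted(status["tests"]) == sorted(n for _, n, _ in rows),
    }


if __name__ == "__main__":
    for key, val in analyse(SAMPLE_HEADERS).items():
        print(f"{key}: {val}")
```

Note that the rule points sum exactly to the 2.03 in X-Barracuda-Spam-Score, which is a useful cross-check when a forwarded message has had its headers mangled; a mismatch usually means a header was truncated or rewritten somewhere along the path.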

Putting It All Together

Here again is our example of a complete set of Barracuda headers.

X-Barracuda-Start-Time: 1332864901
X-Barracuda-URL: http://172.26.14.249:8000/url-mod/address.com
X-Barracuda-Bayes: SPAM GLOBAL 1.0000 1.0000 4.3430
X-Barracuda-Spam-Score: 2.03
X-Barracuda-Spam-Status: No, SCORE=2.03 using global scores of TAG_LEVEL=3.0 QUARANTINE_LEVEL=5.0 KILL_LEVEL=7.0 tests=BSF_SC0_SA_TO_FROM_DOMAIN_MATCH,
     BSF_SC7_SA578_CH, DATE_IN_PAST_12_24, DATE_IN_PAST_12_24_2, HEAD_LONG, HTML_MESSAGE, LONG_TERM_PRICE

X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.92409
     pts RULE_NAME description
     ---- ---------------------- ----------------------
     0.50 HEAD_LONG Message headers are very long
     0.01 DATE_IN_PAST_12_24 Date: is 12 to 24 hours before Received: date
     0.21 LONG_TERM_PRICE BODY: LONG_TERM_PRICE
     0.00 HTML_MESSAGE BODY: HTML included in message
     0.50 BSF_SC7_SA578_CH Custom Rule SA578_CH
     0.01 BSF_SC0_SA_TO_FROM_DOMAIN_MATCH Sender Domain Matches Recipient Domain
     0.80 DATE_IN_PAST_12_24_2 DATE_IN_PAST_12_24_2

From this we can learn the following:

  • The Barracuda SPAM score was 2.03.
  • For this installation, emails with a score of 0.0 – 2.99 will be delivered to the inbox, scores 3.0 – 4.99 will have the subject line tagged, scores 5.0 – 6.99 will be delivered to the Barracuda Quarantine Inbox, and scores 7.0 – 10.0 will be blocked from delivery.
  • This email failed the following tests: BSF_SC0_SA_TO_FROM_DOMAIN_MATCH, BSF_SC7_SA578_CH, DATE_IN_PAST_12_24, DATE_IN_PAST_12_24_2, HEAD_LONG, HTML_MESSAGE, LONG_TERM_PRICE. Information about each of these can be found in the X-Barracuda-Spam-Report.

We hope this information will allow you to make more sense of Barracuda headers and why your email might have been tagged as SPAM. Please feel free to add your own Barracuda comments down below.

14 thoughts on “Spam Filter Series: Beating the Barracuda”

  1. I’d like to know more about the X-Barracuda-Spam-Report, as it is completely Chinese to me.

    I have a few lines of one of our emails that got spammed:

    0.50 BSF_SC0_SA082p BODY: Custom Rule SA082p
    1.20 BSF_SC0_SA082n BODY: Custom Rule SA082n
    0.00 HTML_MESSAGE BODY: HTML included in message
    0.00 BSF_SC5_SA210e Custom Rule SA210e

    What does all that mean?

  2. Julio,
    It can be very hard to read! All of the ones that say “Custom Rule” were defined by the person administrating the installation, so we can’t interpret those directly. “HTML_MESSAGE BODY” just means you had HTML in the message, and that wasn’t counted against you (0.00). Wish I could offer you more information than that!

  3. Hi,

    Nice article.

    Maybe one remark. The quarantine function in the Barracuda Spam is possible for admins and users. Nevertheless I would never suggest that users are allowed to use a quarantine inbox.

  4. Note that the custom rules are not defined by system administrators, but instead by Barracuda Networks….a-la proprietary

  5. Julio,
    I’m sorry, I was wrong about that. Upon further investigation, “custom rule” is a pretty ambiguous term. A stock installation of Barracuda apparently comes with a lot of “custom rules.” I apologize for any confusion this may have caused.

  6. This thing is a nightmare! Keeps blocking important emails, and completely ignoring the “Whitelist.”

    Defeats the purpose of doing business via email doesn’t it?

  7. Have you marked at least 100 messages as spam and another 100 as not spam? The Barracuda won’t start its Bayesian filtering until you do this. Remember that they want more messages marked as “not spam” than those marked as “spam” to be most effective.

  8. I think this is one of the most important info for me. And i am glad reading your article. But wanna remark on few general things, The web site style is ideal, the articles is really excellent D. Good job, cheers beegagegeecb

  9. Barracuda is not a good idea.

    Their filter criteria include origin IP but ignore the actual domain.

    This means that a spammer could be using a domain named “ispamlots.com”, but be using a dynamic IP and just by sending an IP refresh request to his router every 100 or 1000 messages, he would remain 100% invisible to Barracuda.

    Also, if he wanted to be lazy, he could just pay $20 to emailreg.org and get a free pass and spam all day and every day to a degree that would make Monty Python blush.

    On the other hand, we recently switched to a site that does a check with barracuda’s RBL and suddenly tons of our emails were showing up as false positives. Indeed, our main office uses a router with a dynamic IP that is rebooted daily at 3:00am. Every month or so, we get a “poisoned” IP number that shows up on the Barracuda RBL. Yep – I get a flag from our spam assassin check on an email I sent from me@maindomain to me@secondarydomain.

    I just did a check of all messages that have a flag for barracuda over the past 3 months. Not a *single* message is actual spam. 100% are ham and false positives from actual customers that we have been dealing with for years.

    This is the worst blacklist setup you could possibly imagine. Ridiculously easy to circumvent for regular spam. Blocks large numbers of emails on false positive.

  10. I admin a Barracuda filter. They work great. Jimmy is wrong.

    We can use Barracuda’s IP list, and Spamhaus or any other list we want (like SORBD, Backscatter, …). Spamhaus zen list blocks all dynamic IP addresses – all ISPs report their dynamic ranges to spamhaus. Anyone using the zen spamhaus list automatically blocks all email from dynamic IP addresses. If anyone thinks they are sending email from a dynamic range they are nuts (I ran a site that pushed 2 million emails an hour).

    We set up honeypot email addresses inside the network and publish those addresses on our websites – when any email is sent to one of those mailboxes, we scan past logs for any 24 block use of the IP address, and check the registered range – the entire range is blocked.

    A really great feature of Barracuda is the ability to read the email. If some sales weasel sends contact information, you can just pick keywords out of the link and build a rule around the word. Phone number? Add it to the content management engine – blocked forever. Email address? Add a rule – blocked forever. URL, same treatment (add a rule so the domain on any TLD is blocked). Don’t want to get email from outside the US – there is a rule for that. You can require SPF and other domain validation rules (and PTR).

  11. We are part of a teaching organization, and use their regional mailing list for newsletters based on their current mailing list. We use a GoDaddy address as the send and reply-to address, and include it in the newsletter. What does the following mean on our newsletter spam check?
    BODY: Custom Phishing Mismatch

  12. I would like to know about the lines below:

    X-Barracuda-BRTS-Status: 1
    X-Barracuda-Bayes: INNOCENT GLOBAL 0.0000 1.0000 -2.0210
    X-Barracuda-Spam-Score: -1.27
    X-Barracuda-Spam-Status: No, SCORE=-1.27 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=5.0 tests=HTML_FONT_FACE_BAD, HTML_MESSAGE, MISSING_MID
    X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.32880
    Rule breakdown below
    pts rule name description
    ---- ---------------------- --------------------------------------------------
    0.14 MISSING_MID Missing Message-Id: header
    0.00 HTML_MESSAGE BODY: HTML included in message
    0.61 HTML_FONT_FACE_BAD BODY: HTML font face is not a word

    Could this define a message being delayed for hours?
    Or is it just minor pts which can’t affect that?

    Thank you in advance
