Barracuda Email Security Service

Step 1: Understand How the Service Works

Last update: Tuesday, 25. Feb 2014

These topics help you understand what your Barracuda Email Security Service can do and how to approach configuring the features that are important to your organization policies. It is recommended that you understand these concepts before customizing the configuration of your Barracuda Email Security Service.

In this article:

Connection Management Layers

These layers identify and block unwanted email messages before accepting the message body for further processing. For the average small or medium business, more than half of the total email volume can be blocked using Connection Management techniques. Extremely large Internet Service Providers (ISPs) or even small web hosts, while under attack, may observe block rates at the Connection Management layers exceeding 99 percent of total email volume.

Denial of Service Protection

The Barracuda Email Security Service receives inbound email on behalf of the organization, insulating your organization's mail server from receiving direct Internet connections and associated threats. This layer does not apply to outbound mail.

Rate Control

Automated spam software can be used to send large amounts of email to a single mail server. To protect the email infrastructure from these flood-based attacks, the Barracuda Email Security Service counts the number of incoming connections from a particular IP address (inbound and outbound mail) or sender email address (outbound mail only) during a 30 minute interval and defers the connections once a particular threshold is exceeded. Rate control is automatically configured by the Barracuda Email Security Service.

IP Analysis

After applying rate controls based on IP address, the Barracuda Email Security Service performs analysis on the IP address of email based on the following:

  • Barracuda Reputation - this feature leverages data on network addresses and domain names collected from spam traps and throughout other systems on the Internet. The sending histories associated with the IP addresses of all sending mail servers are analyzed to determine the likelihood of legitimate messages arriving from those addresses. IP addresses of incoming connections are compared to the Barracuda Reputation list, if enabled, and connections from suspicious senders are dropped.
  • External blocklists - Also known as real-time blocklists (RBLs) or DNS blocklists (DNSBLs). Several organizations maintain external blocklists of known spammers.
  • Allowed and blocked IP address lists - Customer-defined policy for allowed and blocked IP addresses. By listing trusted mail servers by IP address, administrators can avoid spam scanning of good email, both reducing processing requirements and eliminating the chances of false positives. Likewise, administrators can define a list of bad email senders for blocking. In some cases, administrators may choose to utilize the IP blocklists to restrict specific mail servers as a matter of policy rather than as a matter of spam protection.
Sender Authentication

Declaring an invalid "from" address is a common practice used by spammers. The Barracuda Email Security Service Sender Authentication layer uses a number of techniques on inbound mail to both validate the sender of an email message and apply policy, including domain name spoof protection, performing a DNS lookup of domain names and enforcing RFC 821 compliance. Sender Policy Framework (SPF) tracks sender authentication by having domains publish reverse MX records to display which machines are designated as mail sending machines for that domain. The recipient can check those records to make sure mail is coming from a designated sending machine.

Mail Scanning Layers

Virus Scanning

The most basic level of mail scanning is virus scanning. The Barracuda Email Security Service utilizes three layers of virus scanning and automatically decompresses archives for comprehensive protection. By utilizing virus definitions, Barracuda Email Security Service customers receive the best and most comprehensive virus and malware protection available. The three layers of virus scanning of inbound and outbound mail include:

  • Powerful open source virus definitions from the open source community help monitor and block the latest virus threats.
  • Proprietary virus definitions, gathered and maintained by Barracuda Central, our advanced 24/7 security operations center that works to continuously monitor and block the latest Internet threats.
  • Barracuda Real-Time System (BRTS). This feature provides fingerprint analysis, virus protection and intent analysis. When BRTS is enabled, any new virus or spam outbreak can be stopped in real-time for industry-leading response times to email-borne threats. The Barracuda Real-Time System allows customers the ability to report virus and spam propagation activity at an early stage to Barracuda Central. Virus Scanning takes precedence over all other mail scanning techniques and is applied even when mail passes through the Connection Management layers. As such, even email coming from "whitelisted" IP addresses, sender domains, sender email addresses or recipients are still scanned for viruses and blocked if a virus is detected.

Barracuda Anti-virus Supercomputing Grid

An additional, patent-pending layer of virus protection offered by the Barracuda Email Security Service is the Barracuda Anti-virus Supercomputing Grid, which can protect your network from polymorphic viruses. Not only does it detect new outbreaks similar to known viruses, it also identifies new threats for which signatures have never existed using "premonition" technology.

Intent Analysis

All spam messages have an "intent" – to get a user to reply to an email, to visit a website or to call a phone number. Intent analysis involves researching email addresses, web links and phone numbers embedded in email messages to determine whether they are associated with legitimate entities. Frequently, Intent Analysis is the defense layer that catches phishing attacks. The Barracuda Email Security Service applies various forms of Intent Analysis to both inbound and outbound mail, including real-time and multi-level intent (or 'content') analysis. Multi-level, or content intent, is the process of identifying URLs in an email message body that redirect to known spam or malware sites.

Enable or disable intent on the INBOUND SETTINGS > Anti-spam/Anti-virus page.

Image Analysis

The Barracuda Email Security Service uses Image Analysis techniques on both inbound and outbound mail which protect against new image variants. These techniques include:

  • Optical character recognition (OCR) - Enables the Barracuda Email Security Service to analyze the text rendered inside embedded images.
  • Image processing - To mitigate attempts by spammers to foil OCR through speckling, shading or color manipulation, the Barracuda Email Security Service also utilizes a number of lightweight image processing technologies to normalize the images prior to the OCR phase. More heavyweight image processing algorithms are utilized at Barracuda Central to quickly generate fingerprints that can be used by the Barracuda Email Security Service to block messages.
  • Animated GIF analysis - The Barracuda Email Security Service contains specialized algorithms for analyzing animated GIFs for suspect content.

Advanced Spam Detection

You can configure spam detection for custom categories by setting a 'score' for content type on the INBOUND SETTINGS > Anti-spam/Anti-virus page. This score ranges from 0 (definitely not spam) to 5 (definitely spam). Based on this score, the Barracuda Email Security Service will block messages that appear to be spam and they will appear in the user's Message Log with the category responsible for the block.

Predictive Sender Profiling

When spammers try to hide their identities, the Barracuda Email Security Service can use Predictive Sender Profiling to identify behaviors of all senders and reject connections and/or messages from spammers. This involves looking beyond the reputation of the apparent sender of a message, just like a bank needs to look beyond the reputation of a valid credit card holder of a card that is lost or stolen and used for fraud. Some examples of spammer behavior that attempts to hide behind a valid domain, and the Barracuda Email Security Service features that address them, include the following:

  • Sending too many emails from a single network address: Automated spam software can be used to send large amounts of email from a single mail server. The Rate Control feature on the Barracuda Email Security Service limits the number of connections made from any IP address within a 30 minute time period. Violations are logged to identify spammers. Rate Control is automatically configured by the Barracuda Email Security Service.
  • Attempting to send to too many invalid recipients: Many spammers attack email infrastructures by harvesting email addresses. Recipient Verification on the Barracuda Email Security Service enables the system to automatically reject SMTP connection attempts from email senders that attempt to send to too many invalid recipients, a behavior indicative of directory harvest or dictionary attacks. You can exempt email addresses of trusted, verified recipients from Recipient Verification using the INBOUND SETTINGS > Recipient Policies page.
  • Registering new domains for spam campaigns: Because registering new domain names is fast and inexpensive, many spammers switch domain names used in a campaign and send blast emails on the first day of domain registration. Realtime Intent Analysis on the Barracuda Email Security Service is typically used for new domain names and involves performing DNS lookups and comparing DNS configuration of new domains against the DNS configurations of known spammer domains. Enable Intent Analysis on the INBOUND SETTINGS > Anti-spam/Anti-virus page.
  • Using free Internet services to redirect to known spam domains: Use of free websites to redirect to known spammer websites is a growing practice used by spammers to hide or obfuscate their identity from mail scanning techniques such as Intent Analysis. With Multilevel Intent Analysis, the Barracuda Email Security Service inspects the results of web queries to URIs of well-known free websites for redirections to known spammer sites. Enable Intent Analysis on the INBOUND SETTINGS > Anti-spam/Anti-virus page.
Notifications

The Barracuda Email Security Service sends out two kinds of notifications:

  • Quarantine Digest: For email recipients which are listed in the Barracuda Email Security Service database (see Managing User Accounts), a notification email containing a summary of quarantined email is sent to their email address at an interval you specify for users. See Quarantine Notifications for information about configuring these types of notifications.
  • Attachment Blocking for Content: A notification will be sent to the sender of a message when it is blocked due to attachment content filtering. Configure content filtering for inbound email from the INBOUND SETTINGS > Content Policies page.
Monitored Outbound Email Volume

The Barracuda Email Security Service monitors the volume of outbound email from the system to the internet. If the volume exceeds normal thresholds during any given 30 minute interval, the Rate Control function will take effect, causing all outbound mail to be deferred until the end of the 30 minute time frame. The outbound mail flow will then continue unless the volume is exceeded again in the next 30 minute interval. If so, Rate Control will again be triggered and outbound mail will be deferred until the end of the time frame. The allowable volume of outbound mail for an IP address can potentially be increased if the user clicks the Request Increased Limit button on the OUTBOUND Settings > Abuse Monitor page. The request will be reviewed by Barracuda Networks and the limit on the rate of outbound mail from the Barracuda Email Security Service may be increased. If this situation occurs frequently for a particular sending IP address, that IP address will be listed in the OUTBOUND Settings > Abuse Monitor page in the IP Addresses With Recent Abuse table.

Continue with Step 2: Initial Setup of the Service.


Feedback
If you have a technical issue with the product, please contact Barracuda Networks Technical Support. Did you find this article helpful: |