The Barracuda Email Security Service is a pass-through service, accepting connections from a mail server, getting the initial "rcpt to" line and connecting to the destination mail server. The service then monitors the data stream for any spam or virus content and applies policies you configure in the service on the INBOUND SETTINGS and OUTBOUND SETTINGS pages.
The following topics help you understand what your Barracuda Email Security Service can do and how to approach configuring the features that are important to your organization policies. It is recommended that you understand these concepts before customizing the configuration of your Barracuda Email Security Service.
In this article:
These layers identify and block unwanted email messages before accepting the message body for further processing. For the average small or medium business, more than half of the total email volume can be blocked using Connection Management techniques. Extremely large Internet Service Providers (ISPs) or even small web hosts, while under attack, may observe block rates at the Connection Management layers exceeding 99 percent of total email volume.
The Barracuda Email Security Service receives inbound email on behalf of the organization, insulating your organization's mail server from receiving direct Internet connections and associated threats. This layer does not apply to outbound mail.
Automated spam software can be used to send large amounts of email to a single mail server. To protect the email infrastructure from these flood-based attacks, the Barracuda Email Security Service counts the number of recipients from a sender to a domain during a 30 minute interval and defers the connections once a particular threshold is exceeded. Inbound Rate Control is a threshold for the number of recipients a domain is willing to receive from a sender (a single IP address) during a 30 minute interval. See also Rate Control Inbound. Inbound Rate control is configurable on the INBOUND SETTINGS > Rate Control page. Outbound rate control is set automatically by the Barracuda Email Security Service.
After applying rate controls based on IP address, the Barracuda Email Security Service performs analysis on the IP address of email based on the following:
Declaring an invalid "from" address is a common practice used by spammers. The Barracuda Email Security Service Sender Authentication layer uses a number of techniques on inbound mail to both validate the sender of an email message and apply policy. Sender Policy Framework (SPF) tracks sender authentication by having domains publish reverse MX records to display which machines are designated as mail sending machines for that domain. The recipient can check those records to make sure mail is coming from a designated sending machine.
The most basic level of mail scanning is virus scanning. The Barracuda Email Security Service utilizes three layers of virus scanning and automatically decompresses archives for comprehensive protection. By utilizing virus definitions, Barracuda Email Security Service customers receive the best and most comprehensive virus and malware protection available. The three layers of virus scanning of inbound and outbound mail include:
In addition, Barracuda offers the optional subscription-based Advanced Threat Detection (ATD) service, a cloud-based virus scanning service that applies to inbound messages. ATD analyzes email attachments in a separate, secured cloud environment to detect new threats and determine whether to block such messages. If you subscribe to ATD, you must enable the service on the INBOUND SETTINGS > ATD page.
Barracuda Antivirus Supercomputing Grid
An additional, patent-pending layer of virus protection offered by the Barracuda Email Security Service is the Barracuda Antivirus Supercomputing Grid, which can protect your network from polymorphic viruses. Not only does it detect new outbreaks similar to known viruses, it also identifies new threats for which signatures have never existed using "premonition" technology.
All spam messages have an "intent" – to get a user to reply to an email, to visit a website or to call a phone number. Intent analysis involves researching email addresses, web links and phone numbers embedded in email messages to determine whether they are associated with legitimate entities. Frequently, Intent Analysis is the defense layer that catches phishing attacks. The Barracuda Email Security Service applies various forms of Intent Analysis to both inbound and outbound mail, including real-time and multi-level intent (or 'content') analysis. Multi-level, or content intent, is the process of identifying URLs in an email message body that redirect to known spam or malware sites.
Enable or disable intent on the INBOUND SETTINGS > Anti-Phishing page.
Advanced Spam Detection
You can configure spam detection for custom categories by setting a 'score' for content type on the INBOUND SETTINGS > Anti-Spam/Antivirus page. This score ranges from 0 (definitely not spam) to 5 (definitely spam). Based on this score, the Barracuda Email Security Service will block messages that appear to be spam and they will appear in the user's Message Log with the category responsible for the block.
When spammers try to hide their identities, the Barracuda Email Security Service can use Predictive Sender Profiling to identify behaviors of all senders and reject connections and/or messages from spammers. This involves looking beyond the reputation of the apparent sender of a message, just like a bank needs to look beyond the reputation of a valid credit card holder of a card that is lost or stolen and used for fraud. Some examples of spammer behavior that attempts to hide behind a valid domain, and the Barracuda Email Security Service features that address them, include the following:
The Barracuda Email Security Service sends out two kinds of notifications:
The Barracuda Email Security Service monitors the volume of outbound email from the system to the internet. If the volume exceeds normal thresholds during any given 30 minute interval, the Rate Control function will take effect, causing all outbound mail to be deferred until the end of the 30 minute time frame. The outbound mail flow will then continue unless the volume is exceeded again in the next 30 minute interval. If so, Rate Control will again be triggered and outbound mail will be deferred until the end of the time frame. The allowable volume of outbound mail for an IP address can potentially be increased if the user clicks the Request Increased Limit button on the OUTBOUND Settings > Abuse Monitor page. The request will be reviewed by Barracuda Networks and the limit on the rate of outbound mail from the Barracuda Email Security Service may be increased. If this situation occurs frequently for a particular sending IP address, that IP address will be listed in the OUTBOUND Settings > Abuse Monitor page in the IP Addresses With Recent Abuse table.
Continue with Step 2: Initial Setup of the Service.