Date: Tue, 18 Jan 2005 16:46:16 -0500 (EST)
From: BCPL.NET SysAdmin
To: BCPL.NET News
Subject: BCPL.NET NEWS: Spam & Virus Firewall Q & A

--------------------------------------------------
BCPL.NET SPAM & VIRUS FIREWALL QUESTIONS & ANSWERS
--------------------------------------------------

My BCPL.NET News message of January 11th announcing the installation of our new Barracuda 400 Spam & Virus Firewall caused a flood of questions about the Barracuda and how it works. I haven't been able to answer each one personally due to the large number of questions, but the most commonly asked questions are answered below. This will probably become the basis of a Barracuda FAQ on our web site (www.bcpl.net) in the not-too-distant future.

By the way, in my January 11th message I listed an incorrect URL for the Barracuda Networks company web site. The correct URL is:

http://www.barracudanetworks.com

--------

Q: The new spam and virus blocking seems to be working very well. But why did you wait so long to get a spam and virus firewall?

A: Money, money, and more money. Until the Barracuda Spam & Virus Firewall became available, the vendors of most commercial anti-spam and anti-virus products based their prices on the number of mailboxes on the mail server, or on the number of processors in the mail server. That translates to money. Lots of money! We just couldn't afford to do it without a fairly hefty increase in our annual renewal fee, and we didn't want to do that.

Barracuda Networks doesn't charge per mailbox or per processor. They offer their Barracuda Spam & Virus Firewall in several sizes, at a fixed price for each size. The Barracuda 400 we selected has more than enough capacity to handle our e-mail load, at a very reasonable price that we feel we can absorb without passing the cost along to our customers.

--------

Q: I'm getting spam that isn't tagged [SPAM], and I'm getting legitimate e-mail that is tagged [SPAM]. Why?
A: Two reasons:

1) That sort of thing is bound to happen with any spam-detection mechanism, because there is no absolutely foolproof way for a computer to differentiate between spam and legitimate e-mail. A reasonably intelligent human can make very accurate "Spam" and "Not Spam" decisions fairly easily. Unfortunately (or perhaps fortunately, depending on your point of view) we have yet to learn how to make computers think exactly like humans.

The Barracuda spam firewall scores each incoming message from 1 to 10 based on characteristics that are commonly found in spam. The higher the score, the more likely the message is to be spam. As it is currently configured, the Barracuda blocks any message with a score of 9 or higher. A message that scores that high is so riddled with spam characteristics that, for all practical purposes, it can't be anything other than spam. Messages with a score of 9 or higher never reach your mailbox.

Messages with a score of 3 or lower are sent straight through to your mailbox on the assumption that they are not spam. That doesn't guarantee that they aren't spam; it just means that, based on the scoring, they probably aren't.

Messages with a score between 3 and 9 have the [SPAM] tag added to the subject line before they are forwarded to your mailbox. Most messages in this scoring range are probably spam, but some may not be. The Barracuda tags them to let you know these are "maybes", but you still need to look at them and decide for yourself.

2) Another reason you're seeing spam that isn't tagged [SPAM] is that the mass-mail software used by spammers doesn't always play by the rules. That shouldn't be a big surprise to anyone! When a mail server out on the Internet needs to deliver e-mail to an address ending in "@bcpl.net", it does a DNS (Domain Name System) lookup for the MX (mail exchanger) record of bcpl.net to find the host that accepts mail for our domain. It then delivers the message to that host.
Currently that DNS lookup tells the remote mail server to deliver the message to mail-in.bcpl.net, our Barracuda Spam & Virus Firewall. The Barracuda pre-processes the message before either rejecting it or relaying it to our main mail server (mail.bcpl.net).

Some mass-mail software used by spammers does that DNS lookup only once for each address on its target list and uses the result forever without refreshing it. If a spammer's misbehaving software did that lookup before we installed the Barracuda, it is still sending directly to our main mail server (mail.bcpl.net), and the Barracuda (mail-in.bcpl.net) doesn't come into play at all. Because that software never asks DNS again, nothing we publish in DNS can reach it. This problem should decrease over time, but it might never go away completely. There isn't anything we can do about this.

--------

Q: Instead of tagging e-mail as spam and sending it to me anyway, why don't you just delete it?

A: As mentioned above, there is no foolproof way for a computer to differentiate between spam and legitimate e-mail. If we simply deleted everything the Barracuda thinks might be spam, we would end up deleting some legitimate e-mail too. We don't want to do that.

--------

Q: Should I report legitimate messages marked [SPAM] and spam messages that aren't marked [SPAM]?

A: We don't currently have a mechanism in place for doing that. We will create one in the not-too-distant future, but we need a little more time to get comfortable with how the Barracuda Spam & Virus Firewall works. Watch for an announcement in BCPL.NET News. Once the reporting mechanism is in place, your reports will help the Barracuda learn what you do and do not consider to be spam.

--------

Q: I'm pretty sure I didn't receive a legitimate e-mail that I'm pretty sure someone sent to me. What can be done about that?

A: Those two "pretty sures" are not much for us to go on.
If you know for a fact that e-mail was sent to you but never arrived in your mailbox, contact the Help Desk (410-887-3297 or help@bcpl.net) with the details as soon as possible. We need to know your e-mail address, the sender's e-mail address, and approximately when the message was sent. We can then try to find the message in the Barracuda's log. If we find it, we can forward the message to you and mark it "Not Spam" to help the Barracuda learn.

--------

Q: How does the Barracuda Spam & Virus Firewall decide how to score incoming e-mail?

A: It would take a book-length e-mail to explain that in detail, but here's a slightly shorter version:

Virus Checking: Two different virus scanners examine each incoming message. Messages containing viruses are blocked, and you receive a notice from the Barracuda that this has occurred.

Rate Controls: These protect us from automated spam programs (spambots) that attempt to send huge amounts of e-mail to our mail server in a very short time. When that happens, the sending server is given an SMTP "temporary failure" reply telling it to try again later, and is then disconnected. Legitimate mail servers queue the message and try again later, so legitimate e-mail still gets through. Spam software usually doesn't bother to retry, so a lot of spam is blocked.

External Blacklists: The Barracuda uses the same externally maintained blacklists we have used for several years on our main mail server. It also uses an external blacklist maintained by Barracuda Networks that lists the largest and most aggressive spammers. All e-mail coming from blacklisted sites is blocked.

Internal Blacklists: These are blacklists maintained by us, containing domain names, IP addresses, and individual e-mail addresses from which we will not accept e-mail. We are not currently using internal blacklists.

Checksum Technology: Barracuda Networks uses "honeypot" accounts all over the Internet to keep track of how often identical spam messages are seen.
If an unsolicited e-mail has appeared very broadly, it is categorized as known spam. Checksums of known spam messages are used by the Barracuda firewall to block matching messages.

Intention Analysis: This checks any URLs in the message against a database of web sites known to be run by spammers or known to advertise via spam. If one is found, the message is blocked. Otherwise intention analysis looks at the apparent intent of the message. If it appears to be trying to sell you something, that affects the spam score assigned to the message.

Message Authenticity: Several methods are used to determine whether a message seems authentic. These range from simply verifying that the "From:" address is a real address to more complex tests of whether the message was delivered the way Internet e-mail delivery is supposed to work. The Barracuda uses these tests to help determine what spam score should be assigned to a message.

Bayesian Filtering: This uses Bayesian analysis to compare the words and phrases in a message with the words and phrases in previous e-mails, both legitimate and spam. The Barracuda uses this to help determine what spam score should be assigned to a message.

Bayesian Learning: This allows us to tell the Barracuda which messages we consider to be spam and which ones we don't, in order to improve the Bayesian Filtering process. Currently only the Barracuda administrator can do this. Eventually individual users will be able to do it too, but before we enable that we have to create a good set of online instructions. Stay tuned...

Spam Fingerprinting: This technique compares the characteristics of each incoming e-mail against a "fingerprint database" of known spam maintained by Barracuda Networks. The Barracuda uses fingerprinting to help determine what spam score should be assigned to a message.

Keyword Scanning: This looks for certain keywords commonly used by spammers. If found, they contribute to the spam score assigned to the message.

--------

That's enough for now. Stay tuned to BCPL.NET News for updates.
Chip

--
BCPL.NET INTERNET SERVICES
320 York Road
Towson, MD 21204-5179 U.S.A.
Web Site: http://www.bcpl.net
Who To Contact For What: http://www.bcpl.net/contacts/