How can I stop spam from getting through my Email Security Gateway?
If you are receiving any spam through the Email Security Gateway, there are a number of additional measures you can take to maximize the Email Security Gateway’s spam-blocking effectiveness.
- You may need to adjust your spam scoring rules. If your block score, quarantine score, or tag score are set too high, the Barracuda may not be blocking all that it should. To check and see whether lowering a spam score is warranted, filter the message log (on the Basic > Message Log page) using the Score in Range (x,y) filter. If you are considering lowering your block score from 5 to 4, you might use that filter with the following pattern: 4,5. This will display emails that score between a 4 and a 5, so you will be able to tell whether lowering this particular score will affect legitimate messages that score in this range. Also, you should make sure that the Email Security Gateway is using the proper spam scoring values. On the Email Security Gateway 400 and above, each domain is configured with its own spam scoring values and you may need to edit each individual domain’s values under the Domains tab. An individual domain’s spam scoring values are used instead of the global values (if they differ). On the Email Security Gateway 600, each user may set his or her own spam scoring values if each user has a quarantine account and the administrator has enabled that per-user feature. An individual user’s spam scoring values are used instead of the domain and global values (if they differ).
- Make sure your Energize Updates are up-to-date and configured to update hourly on the Advanced > Energize Updates page. A team of security engineers at Barracuda Central continuously monitors the Internet for trends in spam and virus attacks. As they detect trends, Energize Updates are created and distributed to all Email Security Gateways, which are automatically updated with new spam rules, spam algorithms, and virus definitions. If you don’t take advantage of these updates, your Barracuda will not be fully able to block the newest types of spam messages.
- Check your current firmware version against the latest general release on the Advanced > Firmware Update page. You may need to update your firmware to the latest version; new firmware releases often include feature enhancements and bug fixes that further improve spam blocking effectiveness.
- Make sure the Email Security Gateway has not been mistakenly configured to whitelist either untrusted senders or recipients that want spam scanning. Whitelisting one of your domains as a recipient domain will effectively disable spam scanning for that domain. While whitelisted messages will be displayed as whitelisted on the Basic > Message Log page, you should also check the Block/Accept > Sender Domain Block/Accept, Block/Accept > Email Sender Block/Accept, and Block/Accept > Email Recipient Block/Accept pages to make sure you are not unknowingly whitelisting either sources of spam or users that want spam protection.
- Go to the Block/Accept > IP Reputation page and check to see whether the Barracuda IP Reputation option is set to Block. The Barracuda Email Security Gateway leverages data on the network addresses used to send email gathered by Barracuda Central, an advanced 24/7 security operations center that works to continuously monitor and block the latest Internet threats. Combining both the IP and reputation data enables Barracuda Networks to implement countermeasures to mitigate all spam and virus threats. Barracuda Central maintains historical data on IP addresses used in both spam attacks and legitimate email campaigns. Through the Barracuda Reputation System, the Email Security Gateway can make quick and computationally efficient decisions to block or accept email based on a simple lookup of the sender’s IP address against the Barracuda IP Reputation list. Barracuda Networks recommends the use of this feature to maximize your Email Security Gateway’s effectiveness.
- The Email Security Gateway is also compatible with custom external blacklists. If you have any third party blacklists you would like to use, you may enter them under the Custom External RBLs heading on the Block/Accept > IP Reputation page. While adding a few RBLs in this way will ensure the Barracuda Spam Firewall blocks more email, be sure you’re aware of what sorts of IPs are on the lists you configure. Adding too many RBLs may hurt performance and will significantly increase the risk of false positives.
- Use intent blocking. This is configured on the Basic > Spam Checking page. Barracuda Central maintains reputation on spam domains, phishing domains, and Web sites known to host malware. When these domain names are embedded in email message bodies, the Intent Analysis layer of the Email Security Gateway can quickly block email based on a simple database lookup. You should also enable the Realtime Intent Analysis and Multi-Level Intent Analysis options unless they affect performance; these two options may increase the load on the DNS servers specified on the Basic > IP Configuration page.
- Make sure Fingerprint Analysis is enabled and set to Block on the Basic > Spam Checking page. A message “fingerprint” is based on commonly used message components (e.g., an image) across many instances of spam. Fingerprint analysis is an often useful mechanism to block future instances of spam once an early outbreak is identified. Engineers at Barracuda Central work around the clock to identify new spam fingerprints which are then updated on all Email Security Gateways through Barracuda Energize Updates.
- Use recipient verification. Many spammers attack email infrastructures by harvesting email addresses. The Email Security Gateway is able to verify the validity of recipient email addresses through multiple techniques without needing to scan each message, and configuring it to do so will greatly increase efficiency as well as effectiveness. Email Security Gateways are able to perform LDAP and Active Directory recipient verification on all incoming e-mail. This means that an Email Security Gateway is able to block all e-mails addressed to users that don’t exist. To configure LDAP verification, you will need an LDAP or Active Directory server. Once in the Barracuda’s interface, click on the Domains tab and click the Edit LDAP link to the right of a domain to configure LDAP or Active Directory verification for that domain. LDAP must be configured individually for each domain. If no LDAP or Active Directory server has been specified for recipient verification, the Email Security Gateway will automatically attempt recipient verification over SMTP (meaning it will open SMTP connections with the destination mail server and check each recipient address to see whether the mail server will accept it). This is less efficient than LDAP verification, but it is a great option for organizations that don’t maintain an LDAP or Active Directory server. If your mail server is not currently configured to perform SMTP verification, you need only enable it on your mail server. The Email Security Gateway should then automatically begin blocking email addressed to users that don’t exist at your domain.
- Train the Bayesian database by marking messages as Spam and Not Spam in the Barracuda’s Message Log (Basic > Message Log). The Bayesian system can increase or decrease the spam score of a message by up to 5 points in either direction, and the adjustment in score depends on the Bayesian database’s training. The Bayesian database is intended to adjust the spam score of messages that fall near the configured spam scoring thresholds so that they will be correctly classified.
- Go to the Block/Accept > Rate Control page and make sure rate control is enabled and the threshold is set to a reasonably low number (the default value of 50 is recommended). Automated spam software can be used to send large amounts of email to a single email server. To protect the email infrastructure from these flood-based attacks, the Email Security Gateway counts the number of incoming connections from a particular IP address and throttles the connections once the configured threshold is exceeded.
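
An added example (not Barracuda code) for the spam scoring item at the top of this list: it resolves which block, quarantine and tag scores are actually in force when user, domain and global values differ, then lists the hand-reviewed messages whose disposition would change under a proposed value. The score numbers, the message rows and the rule that an action applies at or above its score are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

LEVELS = ("block", "quarantine", "tag")  # most severe action first

@dataclass(frozen=True)
class Scores:
    block: Optional[float] = None
    quarantine: Optional[float] = None
    tag: Optional[float] = None

def effective(global_s, domain_s=None, user_s=None):
    """Resolve the values in force: user over domain over global."""
    layers = [s for s in (user_s, domain_s, global_s) if s is not None]
    return Scores(**{lv: next((getattr(s, lv) for s in layers
                               if getattr(s, lv) is not None), None) for lv in LEVELS})

def disposition(score, s):
    """Assumption: an action applies when the score is at or above its value."""
    for level in LEVELS:
        limit = getattr(s, level)
        if limit is not None and score >= limit:
            return level
    return "allow"

def what_if(messages, current, proposed):
    """Messages whose disposition changes, grouped by the reviewer's verdict."""
    changed = {"spam": [], "legitimate": []}
    for msg_id, score, verdict in messages:
        before, after = disposition(score, current), disposition(score, proposed)
        if before != after:
            changed[verdict].append((msg_id, before, after))
    return changed

# Constructed sample: hand-reviewed messages, four of them in the 4-5 band.
MESSAGES = [("m1", 4.2, "spam"), ("m2", 4.7, "spam"), ("m3", 4.4, "legitimate"),
            ("m4", 4.9, "spam"), ("m5", 3.1, "legitimate"), ("m6", 6.0, "spam")]
GLOBAL = Scores(block=6, quarantine=3.5, tag=2)  # constructed values
DOMAIN = Scores(block=5)                         # constructed per-domain override

def demo():
    in_force = effective(GLOBAL, DOMAIN)
    # Lowering the global block score to 4 does nothing here: the domain value wins.
    global_edit = what_if(MESSAGES, in_force, effective(Scores(4, 3.5, 2), DOMAIN))
    # Lowering the domain's own block score from 5 to 4 is what takes effect.
    domain_edit = what_if(MESSAGES, in_force, effective(GLOBAL, Scores(block=4)))
    return in_force, global_edit, domain_edit

if __name__ == "__main__": print(*demo(), sep="\n")
```

In this sample the domain-level change would start blocking three spam messages and one legitimate one (m3), which is the trade-off the 4,5 log filter is meant to expose before the score is changed.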
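
An added example (not Barracuda code) for the Custom External RBLs item above: before adding a list, check the sending IPs of known-legitimate correspondents against it to gauge the false-positive risk. The zone names and addresses are constructed placeholders, and the resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Build the name an RBL lookup queries: reversed address, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]                   # reversed octets
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]   # reversed nibbles
    return ".".join(labels) + "." + zone.strip(".")

def system_resolver(name):
    """Return the A record for name, or None if it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def precheck(known_good_ips, zones, resolve=system_resolver):
    """Map each candidate RBL to the known-legitimate senders it lists."""
    hits = {zone: [] for zone in zones}
    for zone in zones:
        for ip in known_good_ips:
            answer = resolve(dnsbl_query_name(ip, zone))
            # Listings are answered from 127.0.0.0/8. Some list operators use
            # 127.255.255.x to signal a refused or failed query, not a listing.
            if answer and answer.startswith("127.") \
                    and not answer.startswith("127.255.255."):
                hits[zone].append((ip, answer))
    return hits

# Constructed sample: documentation-range sender IPs, hypothetical zones, and
# a canned resolver standing in for DNS so the check runs offline.
SENDERS = ["192.0.2.10", "198.51.100.7", "2001:db8::1"]
ZONES = ["rbl-a.example", "rbl-b.example"]
CANNED = {
    "10.2.0.192.rbl-b.example": "127.0.0.2",
    "7.100.51.198.rbl-b.example": "127.255.255.254",
}

def demo():
    return precheck(SENDERS, ZONES, resolve=CANNED.get)

if __name__ == "__main__":
    for zone, listed in demo().items():
        print(zone, "lists", len(listed), "known-good sender(s):", listed)
```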