BT310 HB 104 - Barracuda Spam Firewall

Barracuda University
BT310 Barracuda Spam Firewall Systems Engineer

Module 1
Chapter Overview
Lecture Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [3]
Lesson 1: Features Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [5]
Lesson 2: Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [15]
Lesson 3: The Twelve Defense Layers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [31]
Lesson 4: Advanced Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [57]
Lesson 5: Administration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [79]
Lab-Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [89]
Lab 1.1: Initial Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [93]
Lab 1.2: LDAP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [95]
Lab 1.3: IP Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [96]
Lab 1.4: Basic Spam Training. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [97]
Lab 1.5: Custom Spam Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [99]
Lab 1.6: Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [100]
Lecture Guide
Contents
Lesson 1: Features Overview
Lesson 2: Deployment
Lesson 3: The Twelve Defense Layers
Lesson 4: Advanced Deployment
Lesson 5: Administration Tasks
Objectives
After completing the lessons in this course, you will be able to:
Understand how mail routing works
Choose an appropriate deployment method for your Barracuda Spam Firewall
Deploy the Barracuda Spam Firewall in your IT infrastructure
Understand the Connection Management Layers
Fully understand and configure the Twelve Defense Layer Model
Configure email quarantine
Understand multi-domain management
Deploy a Barracuda Spam Firewall cluster
Understand the high availability / load balancing options on the Barracuda Spam Firewall
Understand how Barracuda Email encryption works
Administer the Barracuda Spam Firewall
Lesson 1: Features Overview
2015 Barracuda University
BT310 - Lecture Guide
Definition
Introduction
The Barracuda Spam Firewall is an integrated hardware and software solution designed to protect your email
server from spam, virus, spoofing, phishing, and spyware attacks. Outbound filtering and encryption options
also prevent confidential or sensitive information from being purposely or inadvertently leaked outside the
organization (Data Leakage Prevention). The optional cloud protection layer (CPL) shields email servers from
inbound malware and DoS attacks while filtering out normal spam before it ever touches the networks
perimeter.
Key Features
Spam and virus filtering with the optional Barracuda Exchange Antivirus Agent, an add-in that you can install
on your Microsoft Exchange mailbox server(s).
Global or per-user quarantine
Prevents spoofing, phishing, and malware
Data leakage prevention (DLP) with outbound email filtering
SMTP/TLS site-to-site encryption see How to Use DLP and Encryption of Outbound Mail
Invalid bounce suppression
Policy enforcement for compliance and corporate policies
Outbound Filtering
Introduction
The Barracuda Spam Firewall may be configured to scan outgoing mail simultaneously with scanning inbound
mail. Virus Scanning and Rate Control are applied to outbound mail as well as the following filters, if
specifically enabled, which are configurable from the BASIC > Spam Checking and BLOCK/ACCEPT pages:
Spam Scoring, with Block or Quarantine actions
IP Address Filtering
Sender Domain Filtering
Sender Email Address Filtering
Recipient Filtering
Content Filtering (Subject, Header, and Body)
Attachment Filtering
Fingerprint Analysis
Image Analysis
Intent Analysis
The following policies can be applied to outbound mail using the BLOCK/ACCEPT pages:
Encryption
Quarantine
Block
Redirection
To scan outgoing mail with the Barracuda Spam Firewall, you must configure the outbound operation on the
BASIC > Outbound page (see How to Route Outbound Mail from the Barracuda Spam Firewall). There, you
will specify your trusted outbound mail server IP address or domain name (either your mail server or another
trusted relay), and identify a Smart host, if you have one, and an authentication type (optional). The Barracuda
Spam Firewall supports SMTP/SASL authentication and LDAP. If you are relaying through a Smart host, you
must also configure the Smart host to send to the Internet.
Be aware that configuring the Barracuda Spam Firewall to scan outbound as well as inbound mail will increase
the load on the system. You might need to upgrade your Barracuda Spam Firewall to another model.
Quarantine Functionality
What is Quarantine
A quarantine is the process of isolating a file or mail suspected of being infected with a virus to a specific area
of a storage device in order to prevent it from contaminating other files or systems. The quarantine process is
used when the spam firewall detects a problem and is unable to eliminate it with its current protocols, or when
it is unsure whether or not a mail contains malicious elements.
Quarantine Options
By default, the Barracuda Spam Firewall does not quarantine incoming messages. However, you may want to
enable quarantine to reduce load on the mail server while giving users a chance to determine what they
consider to be "spam" or "not spam". As listed below, there are three options available for configuring
quarantine with the Barracuda Spam Firewall. The advanteges and disadvanteges of each will be discussed in
a later chapter.
Using Global Quarantine
Using Per-user Quarantine
Turning Quarantine Off
Powerful Administration
Cloud Connected
10
Product Models & Specifications: Appliances
Model
100*
200
300*
400*
600*
800
900
1000
Capacity
Active Email Users
1-50
51-500
300-1.000
1.0005.000
3.00010.000
8.00022.000
15.00030.000
25.000100.000
Domains
10
50
250
500
5.000
5.000
5.000
5.000
Message Log
Storage
8 GB
10 GB
12 GB
24 GB
72 GB
120 GB
240 GB
512 GB
Quarantine Storage
n.a.
n.a.
20 GB
60 GB
180 GB
360 GB
1 TB
2 TB
Hardware
Rackmount Chassis
1U Mini
1U Mini
1U Mini
1U Mini
1U Fullsize
2U Fullsize
2U Fullsize
2U Fullsize
Dimensions (in)
16.8x1.7x9
16.8x1.7x9
16.8x1.8x1
6
16.8x1.8x1
6
16,8x1.7x2
2.6
17,4x3,5x2
5,5
17,4x3,5x2
5,5
17,4x3,5x2
5,5
Weight (lb)
11
12,1
26
46
52
52
Ethernet
1 x 10/100
1 x 10/100
1 x Gigabit
1 x Gigabit
2 x Gigabit
2 x Gigabit
2 x Gigabit
2 x Gigabit
AC Input Current
(amps)
1,0
1,0
1,2
1,4
1,8
4,1
5,4
7,2
Redundant Disk
Array (RAID)
n.a.
n.a.
n.a.
yes
Hot Swap
Hot Swap
Hot Swap
Hot Swap
ECC Memory
n.a.
n.a.
n.a.
n.a.
yes
yes
yes
yes
Redundant Power
Supply
n.a.
n.a.
n.a.
n.a.
n.a.
Hot Swap
Hot Swap
Hot Swap
*Also available in Virtual Edition (Vx)
11
Virtual Deployment
12
Product Models & Specifications: Features
Model
100
200
300
400
600
800
900
1000
Features
Outbound Email Filtering
yes
yes
yes
yes
yes
yes
yes
yes
Email Encryption
yes
yes
yes
yes
yes
yes
yes
yes
Large File Transfer
yes
yes
yes
yes
yes
yes
yes
yes
Cloud Protection Layer
yes
yes
yes
yes
yes
yes
yes
yes
MS Exchange/LDAP
Acceleration
n.a.
n.a.
yes
yes
yes
yes
yes
yes
Per-User Settings and

Quarantine
n.a.
n.a.
yes
yes
yes
yes
yes
yes
Delegated Help Desk Role
n.a.
n.a.
yes
yes
yes
yes
yes
yes
Syslog Support
n.a.
n.a.
yes
yes
yes
yes
yes
yes
Clustering & Remote Clustering
n.a.
n.a.
n.a.
yes
yes
yes
yes
yes
Per Domain Settings
n.a.
n.a.
n.a.
yes
yes
yes
yes
yes
Single Sign-On
n.a.
n.a.
n.a.
yes
yes
yes
yes
yes
SNMP/API
n.a.
n.a.
n.a.
yes
yes
yes
yes
yes
Customizable Branding
n.a.
n.a.
n.a.
n.a.
yes
yes
yes
yes
Per-User Score Settings
n.a.
n.a.
n.a.
n.a.
yes
yes
yes
yes
Delegated Domain
Administration
n.a.
n.a.
n.a.
n.a.
yes
yes
yes
yes
13
14
Lesson 2: Deployment
15
SMTP - Simple Mail Transfer Protocol
Overview
The SMTP protocol is one of the standard protocols used in modern mail transmission. The 1982 introduced
protocol has been updated regularly, last in 2008. By default SMTP uses port 25 and 587. There is also an
SSL secured version named SMTPS, that operates on port 465. However SMTPS is not yet standardized.
The protocol itself can be used for sending and receiving mail, eventhough it is mostly used for sending mail,
with POP3 and IMAP as its receiving counterparts.
16
SMTP - Simple Mail Transfer Protocol
17
Mail Routing
18
Deployment using Public IP Addresses
Overview
In this type of setup, perform the following tasks:
1.) Assign an available external IP address to the Barracuda Spam Firewall.
2.) Change the MX (Mail Exchange) records on the DNS (Domain Name Server) to direct traffic to the Barracuda
Spam Firewall. Create an A record and an MX record on your DNS for the Barracuda Spam Firewall.
The following example shows a DNS entry for a Barracuda Spam Firewall with a name of barracuda and an IP
address of 64.5.5.5.
barracuda.yourdomain.com
IN
64.5.5.5
The following example shows the associated MX record with a priority number of 10:
IN MX 10 barracuda.yourdomain.com
19
Deployment Behind a Corporate Firewall
Overview
If deploying the Barracuda Spam Firewall behind a Network Firewall, no changes to the MX record are
needed. However, the firewall needs to be configured to forward SMTP traffic on port 25 to the Barracuda
Spam Firewall.
Configure Your Corporate Firewall
If your Barracuda Spam Firewall is located behind a corporate firewall, you need to open specific ports to allow
communication between the Barracuda Spam Firewall and remote servers.
To configure your corporate firewall:
1.) Use the following table as a reference. Open the specified ports on your corporate firewall:
Port
Direction
Protocol
Used for
22
Out
TCP
Remote diagnostics and technical support

services (recommended)
25
In/Out
TCP
SMTP
53
Out
TCP/UDP
Domain Name Server (DNS)
80
Out
TCP
Virus, firmware, security and spam rule

definitions
123
Out
UDP
NTP (Network Time Protocol)
2.) If appropriate, change the NAT routing of your corporate firewall to route incoming email to the Barracuda
Spam Firewall. Consult your firewall documentation or your corporate firewall administrator to make the
necessary changes.
After specifying the IP address of the system and opening the necessary ports on your firewall, you need to
configure the Barracuda Spam Firewall from the web interface. Make sure the computer you configure the
Barracuda Spam Firewall on is connected to the same network, and the appropriate routing is in place to allow
connection to the Barracuda Spam Firewalls IP address from a web browser.
20
Initial Configuration: Getting Started
Configure IP Address and Network Settings

The Barracuda Spam Firewall is given a default IP address of 192.168.200.200. You can change this address
by doing either of the following:
Connect directly to the Barracuda Spam Firewall with a keyboard and monitor and specify a new IP address
through the console interface.
Applies only to the Barracuda Spam Firewall 200, 300, 400, and 600: Push and hold the Reset button on the
front panel. Holding the Reset button for 5 seconds changes the IP address to the default of 192.168.200.200.
Holding the Reset button for 8 seconds changes the IP address to 192.168.1.200. Holding the Reset button
for 12 seconds changes the IP address to 10.1.1.200.
To connect directly to the Barracuda Spam Firewall to set a new IP address:
3.) At the barracuda login prompt, enter:
Username: admin
Password: admin
The User Confirmation Requested window will display the current IP configuration of the system.
4.) Using the Tab key, select Yes to change the IP configuration.
5.) Enter the new IP address, netmask, and default gateway for your Barracuda Spam Firewall, and select OK
when finished.
6.) Select No when prompted if you want to change the IP configuration. Upon exiting the screen, the new IP
address and network settings will be applied to the Barracuda Spam Firewall.
21
Activate Your Barracuda Spam Firewall

Verify that the Energize Updates feature is activated on your Barracuda Spam Firewall by going to the BASIC
> Dashboard page. Under Subscription Status, make sure the Energize Updates subscription displays
Current. If the Energize Updates displays Not Activated, click the corresponding activation link to go to the
Barracuda Networks Product Activation page and complete activation of your subscriptions.
To be considered
If the Barracuda Spam Firewall has access to the activation servers, your Energize Update and Instant
Replacement subscriptions are most likely active.
If your subscriptions are not active, you will see a warning at the top of every page. You must activate your
subscriptions before continuing.
1.) Click the link in the warnin message, or use the link on the page to open the Barracuda Networks Product
Activation page.
2.) Fill in the required fields and click Activate.
A confirmation page will display the terms of your subscription.

For Physical Appliances
If the Barracuda Spam Firewall is connected to the Internet, it can automatically update its activation status
If the activation cant be completed
Click the link of the warning message on the BASIC > Status page
Fill in the required fields in the pop-up window and click Activate.
For Virtual Appliances

Activation is done after entering the license token during the initial setup
Update the Firmware
Go to the ADVANCED > Firmware Update page. If there is a new Latest General Release available, do the
following to update the system firmware:
1.) Click the Download Now button located next to the firmware version that you wish to install.
2.) Click the Apply Now button to install the firmware. This will take a few minutes to complete. To avoid
damaging the Barracuda Spam Firewall, do not manually power OFF the system during an update or
download.
3.) After the firmware has been applied, the Barracuda Spam Firewall will automatically reboot and display the
login page.
Log back into the web interface and read the Release Notes to learn about enhancements and new features.
Verify settings you may have already entered because new features may have been included with the
firmware update.
22
Initial Configuration: Virtual Appliances
Introduction
During the installation process you will be prompted to enter a license token. This token can be requested from
customter service and will be send to you via email.
23
Configure the Barracuda Spam Firewall from the Web Interface

1.) From a web browser, enter the IP address of the Barracuda Spam Firewall followed by port 8000.
Example: http://192.168.200.200:8000
2.) Log into the web interface by entering:
username: admin
password: admin
3.) On the BASIC > IP Configuration page, enter the required information in the fields as described in the
following table:
Fields
Description
TCP/IP Configuration
The IP address, subnet mask, and default gateway of your Barracuda Spam
Firewall. The TCP port is the port on which the Barracuda Spam Firewall
receives incoming email. This is usually port 25.
Destination Mail Server

TCP/IP Configuration
The hostname or IP address of your destination mail server: for example,

mail.yourdomain.com. This is the mail server that receives email after it has been
checked for spam and viruses.
You should specify your mail servers hostname rather than its IP address so that
the destination mail server can be moved and DNS updated at any time without
any changes needed to the Barracuda Spam Firewall.
TCP port is the port on which the destination mail server receives all SMTP
traffic, such as inbound email. This is usually port 25.
DNS Configuration
The primary and secondary DNS servers you use on your network.
It is strongly recommended that you specify a primary and secondary DNS
server. Certain features of the Barracuda Spam Firewall rely on DNS availability.
Domain Configuration
Default Host Name is the host name to be used in the reply address for email
messages (non-delivery receipts, virus alert notifications, etc.) sent from the
Barracuda Spam Firewall. The Default Host Name is appended to the default
domain.
Default Domain is a required field and indicates the domain name to be used in
the reply address for email messages (non-delivery receipts, virus alert
notifications, etc.) sent from the Barracuda Spam Firewall.
Accepted Email Recipients

Domains
The domains managed by the Barracuda Spam Firewall. Make sure this list is
complete. The Barracuda Spam Firewall rejects all incoming messages
addressed to domains not in this list. See Creating and Managing Domains.
Note: One Barracuda Spam Firewall can support multiple domains and mail
servers. If you have multiple mail servers, go to the DOMAINS tab and enter the
mail server associated with each domain
If you changed the IP address of your Barracuda Spam Firewall, you are disconnected from the web interface and will need to log in
again using the new IP address.
4.) Click Save Changes.
24
LIVE-Demo: Initial Configuration
25
Inbound Message Routing
Introduction
You can use either of the following methods to route messages to your Barracuda Spam Firewall:
Use port forwarding to redirect incoming SMTP traffic (port 25) to the Barracuda Spam Firewall if it is
installed behind a corporate firewall running NAT (Network Address Translation). Configure this option on
the ADVANCED > Advanced Networking page. For more information about port forwarding, refer to your
firewall documentation or network administrator.
MX records are used when your Barracuda Spam Firewall is located in a DMZ with a routeable public IP
address. If your Barracuda Spam Firewall is in the DMZ (not protected by your corporate firewall), do the
following to route incoming messages to the system:
1.) Create a DNS entry for your Barracuda Spam Firewall. The following example shows a DNS entry for a
Barracuda Spam Firewall with a name of barracuda and an IP address of 66.233.233.88:
barracuda.yourdomain.com IN
A 66.233.233.88
2.) Change your DNS MX Records. The following example shows the associated MX record with a priority
number of 10:
IN MX 10 barracuda.yourdomain.com
You can configure specific SMTP settings from the ADVANCED > Email Protocol page. After you route
incoming email to the Barracuda Spam Firewall, it will begin filtering all email it receives and routing good
email to your mail server.
26
Outbound Message Routing
Introduction
You can relay outbound mail through the Barracuda Spam Firewall simultaneously with scanning inbound
mail, where outbound mail will be subject to the same spam and virus scanning and, for the most part, the
same custom policy as inbound mail with some exceptions.
The following scanning tools are not applied to outbound mail:
IP Reputation, a sender authentication mechanism
SPF (Sender Policy Framework), a sender authentication mechanism
DKIM (DomainKeys), an email authentication system designed to verify the DNS domain of an email sender
Per-user Whitelist/Blocklist
Per-domain Whitelist/Blocklist
To relay outbound mail to the Barracuda Spam Firewall:
In most cases, you only need to enter the IP address of the outgoing mail server or other trusted relay server
in the Relay Using Trusted IP/Range field on the BASIC > Outbound page, as described below in Simple
configuration of outbound relay of mail. Outbound mail is scanned for spam (just like inbound mail), as well as
filtered for policies you create from the BLOCK/ACCEPT filtering pages.
If you need to configure additional options for outbound relay, see the online help on the BASIC > Outbound
page.
27
Simple configuration of outbound relay of mail

1.) Configure your mail server to relay outbound mail to the Barracuda Spam Firewall. If you have a Microsoft
Exchange Server, enter your Smart host IP address in the next step and configure the Smart host on your
mail server to relay outgoing mail to the Barracuda Spam Firewall.
2.) Enter the IP address or host/domain name of your default mail server or another trusted relay server that can
relay outbound mail through the Barracuda Spam Firewall to the Internet. Use the Relay Using Trusted IP/
Range and/or the Relay Using Trusted Host/Domain fields.
Note: To protect your system against domain spoofing, it is strongly recommended to use IP addresses and
NOT domain names for specifying Trusted Relays. As such, it is recommended to specify your mail server
and/or trusted outbound relay servers in the Relay Using Trusted IP/Range field as opposed to specifying
a host/domain name.
However, if you are using the Relay Using Trusted Host/Domain field, it is recommended to configure
either SMTP AUTH or LDAP authentication on this page as well.
If using your default mail server to relay outbound mail through the Barracuda Spam Firewall, enter the IP
address of your Destination Mail Server as specified on the BASIC > IP Configuration page or in the
DOMAINS > Manage Domain > BASIC > IP Configuration page per-domain setting.
The following steps cover additional options for outbound relay:
3.) To configure the Barracuda Spam Firewall to relay outgoing mail through your normal outbound SMTP host
or Smart host to the Internet, enter the IP address or hostname and TCP port in the Outbound SMTP Host/
Smart Host fields. This is the destination server through which outbound email will be sent from the
Barracuda Spam Firewall for routing to the Internet, and whose IP address will appear in the outgoing mail
headers.
4.) To enforce using a secure TLS connection to send mail through the Barracuda Spam Firewall (inbound and
outbound) for all domains, set Force TLS to Yes. SMTP over TLS/SSL defines the SMTP command
STARTTLS. This command advertises and negotiates an encrypted channel with the peer for this SMTP
connection. This encrypted channel is only used when the peer also supports it.
5.) To authenticate senders of outbound email, specify the authentication type in the Enable SASL/SMTP
Authentication field. (SASL is the Simple Authentication and Security Layer, a method for adding
authentication support to connection-based protocols. To use SASL, a protocol includes a command for
identifying and authenticating a user to a server and for optionally negotiating protection of subsequent
protocol interactions.)
SMTP AUTH Proxy - SMTP AUTH/SASL authentication enables the SMTP "AUTH" command to
authenticate users before allowing them to relay outgoing mail through this Barracuda Spam Firewall.
Either set Use Destination Mail Server as SMTP AUTH Proxy to Yes or fill in the IP address of another
proxy server that is set up to support the SMTP AUTH authentication command (e.g. MS-Exchange or
Sendmail) to authenticate senders of outbound mail. To use this authentication method, you must also
enable 'Use name and password' or a similar option in your email client. Also, since the password transmits
in cleartext, it is recommended to secure transmission by enabling SMTP over TLS on the ADVANCED >
Email Protocol page on the Barracuda Spam Firewall.
LDAP - Use your LDAP directory to authenticate senders. Fill in the LDAP settings as described below.
6.) To limit outbound relay capability to certain users or domain names, enter them in the Senders With Relay
Permission field. To prevent against domain spoofing, it is recommended not to specify sender email
address or domain names that can relay outbound mail through the Barracuda Spam Firewall. Please use
this setting only for trusted senders, and note that it is recommended to use one of the sender authentication
methods described above as well for added security.
28
Basic Outbound/Relay Settings

Outbound SMTP Host (Smart host) - The IP address or host name of the destination server through which
outbound email will be sent from the Barracuda Spam Firewall for routing to the Internet, and whose IP
address will appear in the outgoing mail headers.
Port - The TCP port of your SMTP host or Smart host through which you want to relay outbound mail.
Username - Only necessary if required for authentication with the SMTP host or Smart host.
Password - Only necessary if required for authentication with the SMTP host or Smart host.
Force TLS - (Optional): Set to Yes if you want to enforce using a secure TLS connection for all mail leaving
the Barracuda Spam Firewall (inbound and outbound). SMTP over TLS/SSL defines the SMTP command
STARTTLS. This command advertises and negotiates an encrypted channel with the peer for this SMTP
connection. This encrypted channel is only used when the peer also supports it.
To configure relay using authentication and other relay options, see the online help for the BASIC >
Outbound page.
29
30
Lesson 3: The Twelve Defense Layers
31
Defense Layers - Incoming Messages
Overview
Connection Management Layers
Network DoS Protection
Rate Control
IP Analysis
Sender Authentication
Recipient Verification
Mail Scanning Layers
Virus Scanning
Custom Policy
Intent Analysis
Image Analysis
Bayesian Analysis
Spam Scoring
32
Defense Layers - Outgoing Messages
Overview
Connection Management Layers
Rate Control
IP Analysis
Virus Scanning
Custom Policy
Intent Analysis
Image Analysis
Spam Scoring
33
The Connection Management Layers
Overview
These are the most important layers when deploying you Barracuda Spam Firewall for inbound mail because
they identify and block unwanted email messages before accepting the message body for further processing.
The Connection Management layers generally require less processing time than the seven content scanning
layers that follow. For the average small or medium business, more than half of the total email volume can be
blocked using Connection Management techniques. Service Providers (SPs), while under attack, may observe
block rates at the Connection Management layers exceeding 99 percent of total email volume.
34
Layer 1 - Network Denial of Service (DoS) Protection
Introduction
Built on a hardened and secure Linux operating system, the Barracuda Spam Firewall receives inbound email
on behalf of the organization, insulating your organizations mail server from receiving direct Internet
connections and associated threats. This layer does not apply to outbound mail.
35
Layer 2 - Rate Control
Introduction
As part of the Connection Management Layer, the Rate Control mechanism counts the number of connections
to the Barracuda Spam Firewall in a half-hour period and compares that number to the Rate Control threshold,
which is the maximum number of connections allowed from any one IP address in this half-hour time frame. If
the number of connections from a single IP address exceeds the Rate Control threshold within the half-hour
period, the Barracuda Spam Firewall will defer any further connection attempts from that particular IP address
until the next half-hour time frame and log each attempt as deferred in the Message Log with a Reason of
Rate Control.
The Barracuda Spam Firewall Rate Control feature protects the system from spammers or spam-programs
(also known as "spam-bots") that send large amounts of email to the server in a small amount of time. Rate
Control is configured on the BLOCK/ACCEPT > Rate Control page.
In this case, for each message deferred, the sender will receive a 4xx level error message instructing the mail
server to retry after a predefined time interval. Well-behaving mail servers act upon the defer message and will
try sending the message again later, whereas email from large volume spammers will not retry sending the
email again.
When Rate Control Takes Effect
When Rate Control is first enabled on the Barracuda Spam Firewall, or after a change is made to the Rate
Control threshold, five (5) unique IP addresses must connect before Rate Control is invoked. This is to take
into account that you may have another appliance receiving email (i.e., a front-end Mail Transfer Agent (MTA)
or a trusted forwarder) before the Barracuda Spam Firewall. Once 5 or more IP addresses have made
connections to the Barracuda Spam Firewall, it indicates that mail is also coming in from other outside sources
and rate control should be applied.
36
Layer 3 - IP Analysis
Introduction
After applying rate controls based on IP address, the Barracuda Spam Firewall performs analysis on the IP
address of inbound mail based on the following:
Barracuda Reputation - A set of Reputation Lists based on multiple sources and maintained by Barracuda
Central.
External blocklists - Also known as real-time blocklists (RBLs) or DNS blocklists (DNSBLs). Several
organizations maintain external blocklists of known spammers.
After the true sender of an email message is identified, the reputation and intent of that sender should be
determined before accepting the message as valid, or "not spam". The best way to address both issues is to
know the IP addresses of trusted senders and forwarders of email and define those on the Barracuda Spam
Firewall as "Allowed" by adding them to a whitelist of known good senders. Various methods for discerning
"good" senders of email versus spammers are described in this section to help you quickly configure your
Barracuda Spam Firewall according to the needs of your organization.
IP Reputation
The Barracuda Spam Firewall enables administrators to define a list of trusted mail servers by IP address. By
adding IP addresses to this list, administrators can avoid spam scanning of good email, thereby both reducing
processing load and eliminating the chances of false positives. Note that virus scanning and blocked
attachment checks are still enforced.
Likewise, you can define a list of bad email senders. In some cases, you may choose to utilize IP blocklists on
the BLOCK/ACCEPT > IP Filters page to restrict specific mail servers as a matter of policy rather than as a
matter of spam.
37
Barracuda Reputation (BRBL)

Barracuda Reputation is a database maintained by Barracuda Central and includes a list of IP addresses of
known, good senders as well as known spammers, or IP addresses with a "poor" reputation. This data is
collected from spam traps and other systems throughout the Internet. The sending histories associated with
the IP addresses of all sending mail servers are analyzed to determine the likelihood of legitimate messages
arriving from those addresses. Updates to Barracuda Reputation are made continuously by the engineers at
Barracuda Central and are delivered to all Barracuda Spam Firewalls via Energize Updates.
On the BLOCK/ACCEPT > IP Reputation page, it is strongly recommended that the Barracuda Reputation
Blocklist (BRBL) option be set to "Block".
Email Categorization
(Available in firmware version 6.1 and higher) This feature replaces the Barracuda Reputation Whitelist feature
in version 6.1 and higher. Email Categorization gives administrators more control over what they believe to be
spam, even though those messages may not meet the technical definition of spam. Most users do not realize
that newsletters and other subscription-based emails, while they are considered to be bulk email, are not
technically unsolicited - which means that they cannot be blocked by default as spam. The senders of these
emails may have a good reputation, but the user may no longer want to receive, for example, a mass mailing
from a club or vendor membership. The Email Categorization feature assigns these kinds of emails to
categories that display on the BLOCK/ACCEPT > IP Reputation page, and the administrator can then create
Block, Quarantine, Tag or Whitelist (allow) policies by category. Or the action can be Off, in which
messages are not scanned for Email Categorization. If the message action is Tag, the message subject will
indicate the category name. Categories supported are:
Transactional Emails - Emails related to order confirmation, bills, bank statements, invoices, monthly bills,
UPS shipping notices, surveys relating to services rendered and/or where transactions took place. The
default action is Whitelist (allow).
Note: Barracuda recommends setting Whitelist for the Transactional Emails category to prevent overlooking
potentially important billing, bank statements, and other time sensitive information.
Corporate Emails - Email sent from MS Exchange Server that involves general corporate communications.
Does not include marketing newsletters. The default action is Whitelist (allow).
Marketing Materials and Newsletters - Promotional emails from companies such as Constant Contact. The
default action is Off (no action taken).
Other - On the Message Log page, the administrator has the opportunity to assign selected messages in the
log to a custom category that is 'written in' when clicking the Categorize button in the log. See the BASIC >
Message Log page for details.
Exempting IP Addresses from the BRBL and Other Blocklists
The BRBL and other blocklists that you specify on the BLOCK/ACCEPT > IP Reputation page can be
overridden by listing the IP addresses or email addresses:
In the Barracuda Reputation, External RBL IP Exemption Range section of the BLOCK/ACCEPT > IP
Reputation page. Here, you can exempt particular IP addresses from RBL checks, including from the
Barracuda Reputation Blocklist. Messages from these IP addresses will be subject to all other spam and
virus checks.
In the Allowed IP/Range section or Blocked IP/Range section of the BLOCK/ACCEPT > IP Filters page.
In the Allowed Email Addresses and Domains section or Blocked Email Addresses and Domains
section of the BLOCK/ACCEPT > Sender Filters or BLOCK/ACCEPT > Recipients pages.
38
Subscribing to External Blocklist Services

The BLOCK/ACCEPT > IP Reputation page allows you to use various blocklist services. Several
organizations maintain external blocklists, such as spamhaus.org. External blocklists, sometimes called
DNSBLs or RBLs, are lists of IP addresses from which potential spam originates. In conjunction with
Barracuda Reputation, the Barracuda Spam Firewall uses these lists to verify the authenticity of the messages
you receive.
Be aware that blocklists can generate false-positives (legitimate messages that are blocked). However,
because the Barracuda Spam Firewall sends notifications when it rejects such messages, the sender will be
notified and legitimate senders will therefore know to try re-sending their message or otherwise notify the
recipient that their messages are being blocked.
Subscribing to blocklist services does not hinder the performance of the Barracuda Spam Firewall. Query
response time is typically in milliseconds, so delays are negligible. Once the Barracuda Spam Firewall queries
a blocklist service, that query is cached on your own local DNS for a period of time, making further queries
very fast.
39
Layer 4 - Sender Authentication
Introduction
Declaring an invalid from address is a common practice by spammers. The Barracuda Spam Firewall Sender
Authentication layer uses a number of techniques on inbound mail to both validate the sender of an email
message and apply policy, including domain name spoof protection, performing a DNS lookup of domain
names, and enforcing RFC 821 compliance.
40
Layer 4 - Sender Spoof Protection
Introduction
The Barracuda Spam Firewall has the option to prevent "spoofing" of an organizations own domain by
blocking emails with that domain name in the "From" field that are sent from outside the organization. Note that
sender spoof protection should not be enabled if the organization sends messages from outside their internal
email infrastructure (e.g., in the case of marketing bulk-mail services).
The Sender Spoof Protection feature can be configured at the global level from the ADVANCED > Email
Protocol page or at the per-domain level on the DOMAINS > Manage Domain > ADVANCED > Email
Protocol page. At the domain level, however, this feature is labeled as Reject messages from my domain.
Note: If the administrator enables Sender Spoof Protection at the global level, it will supersede any whitelist entry
created at the per-user level by a User, Helpdesk, or Domain Admin account holder.
41
Layer 4 - Sender Authentication Framework
Sender Policy Framework (SPF)

Sender Policy Framework (SPF) is an open standard specifying a method to prevent sender address forgery.
The current version of SPF protects the envelope sender address, which is used for the delivery of messages.
SPF works by having domains publish reverse MX records to display which machines (IP addresses) are
designated as valid mail sending machines for that domain. When receiving a message from a domain, the
recipient can check those records to make sure mail is coming from a designated sending machine. If the
message fails the SFP check, it may be spam. Enabling this features create more performance overhead for
the system due to the multiple DNS queries needed to retrieve a domain's SPF record; for this reason, the
default setting for the Enable SPF feature on the BLOCK/ACCEPT > Sender Authentication page is No (off).
For more information on SPF, please visit http://www.openspf.org.
Messages that fail SPF check can be tagged or blocked and will be logged as such. Messages that pass SPF
checks will still be scanned for spam. The recommended setting is to tag messages identified by SPF as spam
so that if there is any possibility that a message is legitimate, it will be allowed to go on to the next stage of
processing.
Exemptions from SPF Checking - Trusted Forwarders
You may specify a list of Trusted Forwarder IP addresses, on the BASIC > IP Configuration page, that will be
ignored when performing SPF checks, as well as rate control and IP Reputation checks. Trusted Forwarders
are mail servers that are set up specifically to forward email to the Barracuda Spam Firewall from outside
sources. The Barracuda Spam Firewall scans the IP addresses in the Received From headers list of each
email and performs an SPF check on the first IP address that is not in the list of Trusted Forwarders.
42
Layer 4 - Domain Keys Identified Mail
Domain Keys (DKIM) Inspection

DomainKeys is a method of email authentication that enables a sending domain to cryptographically sign
outgoing messages, allowing the sending domain to assert responsibility for a message. When receiving a
message from a domain, the Barracuda Spam Firewall can check the signature of the message to verify that
the message is, indeed, from the sending domain and that the message has not been tampered with. Because
most spam messages contain spoofed addresses, DomainKeys can help greatly in the reduction of spam.
DomainKeys uses a public and private key-pairs system. An encrypted public key is published to the sending
server's DNS records and then each outgoing message is signed by the server using the corresponding
encrypted private key. For incoming messages, when the Barracuda Spam Firewall sees that a message has
been signed, it will retrieve the public key from the sending server's DNS records and then compare that key
with the message's DomainKeys signature to determine its validity. If the incoming message cannot be
verified, the Barracuda Spam Firewall knows it contains a spoofed address or has been tampered with or
changed.
The benefits of enabling this feature include:
Email sender is validated
Email body is validated
Validation through DNS is difficult to foil
DomainKeys works well with email forwarding because it doesnt deal with the relay server IP address
You can choose to tag, block or quarantine both DKIM signed messages that fail the DKIM database check as
well as unsigned messages, depending on how you configure DomainKeys Inspection on the BLOCK/
ACCEPT > Sender Authentication page. You can also exempt domains from being tagged, quarantined or
blocked if they fail this check. As stated elsewhere in this guide, it is safest to NOT exempt domain names from
any kind of spam filtering due to the possibility of domain name spoofing by spammers.
DomainKeys inspection does require more CPU resources to encrypt & decrypt the key and is turned off by
default. Messages that pass DKIM checks will still be scanned for spam.
43
Layer 4 - Invalid Bounce Suppression
Introduction
The Invalid Bounce Suppression feature is used to determine whether or not the bounce address specified
in a message is valid. It is designed to reduce the number of bounce messages to forged return addresses;
i.e., you do not want to get bounced messages from spammers who spoof your domain or email address.
Every email sent from the Barracuda Spam Firewall is tagged with an encrypted password and expiration time.
With Invalid Bounce Suppression enabled, any bounced email received by the Barracuda Spam Firewall
that does not include that tag is blocked. Each blocked message is recorded in the Message Log with the
reason "Invalid Bounce".
Note: To use the Invalid Bounce Suppression feature, the Barracuda Spam Firewall must have Outbound Relay
configured on the BASIC > Outbound page.
44
Layer 4 - Invalid Bounce Suppression
Configuration
Configure Invalid Bounce Suppression on the BLOCK/ACCEPT > Sender Authentication page and enter
a Bounce Suppression Shared Secret as a non-null password which will be included in the headers of valid
emails sent from and bounced back to the Barracuda Spam Firewall. Email bounces that do not include the
password will be blocked if this feature is enabled. In a clustered environment, the Bounce Suppression
Shared Secret will be synchronized across all Barracuda Spam Firewalls in the cluster.
45
Layer 5 - Recipient Verification
Introduction
The Barracuda Spam Firewall verifies the validity of recipient email addresses for inbound messages (not
outbound) through multiple techniques to prevent invalid bounce messages.
LDAP Lookup
On the Barracuda Spam Firewall 300 and higher, email recipients can be validated with your existing LDAP
server. Configuration of LDAP lookup is done at the domain level. From the DOMAINS > Domain Manager
page, after clicking Manage Domain for the selected domain, youll configure LDAP on the USERS > LDAP
Configuration page. See the online help on that page for details about entering your server details. If LDAP is
not configured, the Barracuda Spam Firewall will do SMTP recipient verification through RCPT TO commands.
LDAP server types supported include Active Directory, Novell eDirectory, Domino Directory and OpenLDAP.
Explicit Users to Accept For (Valid Recipients)
If LDAP lookup is not being used for recipient verification, the Barracuda Spam Firewall provides a local
database with which email recipients can be compared for validation. Valid Recipients (Explicitly Accepted
Users) can be specified either at the global level from the ADVANCED > Explicit Users page or at the perdomain level from the DOMAINS > Domain Manager > USERS > Valid Recipients page.
Note: The number of entries in the text box for Explicitly Accepted Users and Alias Linking is limited by model: on
the Barracuda Spam Firewall 600 and lower, the maximum is 1000 per domain, and on the Barracuda Spam Firewall
800 and above, the limit is 5000 per domain.
To administer the local database, either at the global or domain level, fill in the text box in the Explicit Users
to Accept For section of the page, entering each email address for which the Barracuda Spam Firewall
should accept email. If you select Yes for the Only accept email for these recipients feature, email will be
REJECTED for any email recipients not in the list. Note that domain-specific lists override the global list.
Alias Linking
Alias linking allows quarantined email from multiple accounts to be directed to one account when using peruser quarantine. In the ADVANCED > Explicit Users page you can specify the email addresses to be linked
together in the Explicit Users to Accept For and Alias Linking text box. See the online help on that page for
more details.The quarantine account for all of the linked email addresses will be associated with the first email
address. Make sure to also enter the first email address on a separate line as well. In this way, a "catchall"
account can be created to receive all quarantined emails from a particular domain.
46
The Mail Scanning Layers
Overview
Virus Scanning
Custom Policy
Intent Analysis
Image Analysis
Bayesian Analysis
Spam Scoring
47
Layer 6 - Virus Scanning
Overview
The most basic level of Mail Scanning is virus scanning. The Barracuda Spam Firewall utilizes three layers of
virus scanning and automatically decompresses archives for comprehensive protection. By utilizing virus
definitions, Barracuda Spam Firewall customers receive the best and most comprehensive virus and malware
protection available. The three layers of virus scanning of inbound and outbound mail include:
Powerful open source virus definitions from the open source community help monitor and block the
latest virus threats.
Proprietary virus definitions, gathered and maintained by Barracuda Central, our advanced 24/7 security
operations center that works to continuously monitor and block the latest Internet threats.
Barracuda Real-Time Protection (BRTS), a set of advanced technologies that enables each Barracuda
Spam Firewall to immediately block the latest virus, spyware, and other malware attacks as they emerge.
This feature provides fingerprint analysis, virus protection and intent analysis. When BRTS is enabled, any
new virus or spam outbreak can be stopped in real-time for industry-leading response times to email-borne
threats. BRTS allows customers the ability to report virus and spam propagation activity at an early stage to
Barracuda Central.
Virus Scanning takes precedence over all other Mail Scanning techniques and is applied even when mail
passes through the Connection Management layers. As such, even email coming from whitelisted IP
addresses, sender domains, sender email addresses or recipients are still scanned for viruses and blocked if a
virus is detected.
Note: The Barracuda Exchange Antivirus Agent for the Microsoft Exchange Server is an add-in that empowers your
mail server to do virus scanning of internal mail and of previously stored mail by using constantly updated virus
signatures detected by Barracuda Central.
Extended Malware Protection

You can improve your virus protection by adding the Extended Malware Protection Subscription to your setup.
This will basically enable the Barracuda Spam Firewall to additinaly use the AVIRA virus scan engine. The
subscription can be enabled in the Subscription Status section of the BASIC > Dashboard page.
Note: The Extended Malware Protection is only available on firmware version 6.1 and higher and models 600+.
48
Layer 7 - Custom Policy
Introduction
Administrators can choose to define their own policies, perhaps for compliance or governance reasons, which
take precedence over spam blocking rules delivered to the system automatically through Barracuda Energize
Updates. Administrators can set custom content filters for inbound and/or outbound mail based on the subject,
message headers, message bodies and attachment file type.
Custom Content Filters
The Barracuda Spam Firewall enables administrators to set custom content filters based on the subject line,
message headers, message body and attachment file content. In general, administrators do not need to set
their own filters for the purposes of blocking spam because these forms of rules are delivered to the Barracuda
Spam Firewall automatically through Barracuda Energize Updates. The online help for the BLOCK/ACCEPT >
Content Filtering page includes a link to a Regular Expressions help page that covers expressions you can
use for advanced filtering. HTML comments and tags imbedded between characters in the HTML source of a
message are also filtered.
You can specify actions to take with messages based on pre-made patterns in the subject line or message
body. Credit card, Social Security numbers, privacy information such as drivers license numbers, phone
numbers or expiration dates and HIPAA data can be automatically checked and acted upon by blocking,
tagging or quarantining inbound messages.
Attachment Filtering
All messages, except those from whitelisted senders, go through attachment filtering. From the BLOCK/
ACCEPT > Attachment Filters page you can choose to take certain actions with inbound and/or outbound
messages if they contain attachments with certain filename patterns, file types, MIME types, or password
protected archives. Actions you can take with inbound messages include block or quarantine. Actions you can
take with outbound messages include block, quarantine, encrypt or redirect. You can elect to have a
notification sent to the sender when an inbound or outbound message is blocked due to attachment content
filtering. See the ADVANCED > Bounce/NDR Settings page to configure notifications.
The BLOCK/ACCEPT > Attachment Filters page provides a table of patterns you can use for specifying the
above actions based on attachment filenames, or you can create your own filters.
The Check Archives feature can be selected along with any filter to search the contents of attached archives
(zip, tar, etc.) and take one of the above actions with inbound or outbound messages based on filenames or
types.
49
Use the Password Protected Archive Filtering feature to take action with messages with attachments that
contain password protected (encrypted) archives.
Messages that are blocked due to attachment filtering will appear in the Message Log with the word
Attachment and the filename in the Reason column. For example, if you created a filter on the BLOCK/
ACCEPT > Attachment Filters page to block messages with attachments whose filenames match a pattern
of word*, the entry in the Message Log for such a blocked message would contain something like this in the
Reason column:
Attachment (word_2010_xml.tgz)
where word_2010_xml.tgz is the attachment filename that caused the message to be blocked.
Note: The default maximum attachment size allowed by your Barracuda Spam Firewall is 100 megabytes. If a
message exceeds this size, the Barracuda Spam Firewall rejects the message and the sending server notifies the
sender that their message did not go through. Contact Barracuda Networks Technical Support to change this
maximum.
50
Layer 8 - Fingerprint Analysis
Introduction
A message fingerprint is based on commonly used message components (e.g., an image) across many
instances of spam. Fingerprint analysis is often a useful mechanism for blocking future instances of spam
once an early outbreak is identified. Spam fingerprints blocked based on a real-time check will display an '*'
before "Fingerprint" in the Message Log. In order to detect real-time spam fingerprints, Barracuda Real-Time
Protection must be enabled on the BASIC > Virus Checking page.
Engineers at Barracuda Central work around the clock to identify new spam fingerprints, which are then
updated on all Barracuda Spam Firewalls through hourly Barracuda Energize Updates. Fingerprint Analysis is
configured on the BASIC > Spam Checking page.
51
Layer 9 - Intent Analysis
Introduction
All spam messages have an "intent" to get a user to reply to an email, visit a website or call a phone number.
Intent analysis involves researching email addresses, web links and phone numbers embedded in email
messages to determine whether they are associated with legitimate entities. Frequently, Intent Analysis is the
defense layer that catches phishing attacks. The Barracuda Spam Firewall features multiple forms of Intent
Analysis:
Intent analysis Markers of intent, such as URLs, are extracted and compared against a database
maintained by Barracuda Central, and then delivered to the Barracuda Spam Firewall via hourly Barracuda
Energize Updates. Intent can also be associated with general content categories, several of which are
provided for Intent filtering.
Real-time intent analysis For new domain names that may come into use, Real-Time Intent Analysis
involves performing DNS lookups against known URL blocklists.
Multilevel intent analysis Use of free websites to redirect to known spammer websites is a growing practice
used by spammers to hide or obfuscate their identity from mail scanning techniques such as Intent
Analysis. Multilevel Intent Analysis involves inspecting the results of web queries to URLs of well-known
free websites for redirections to known spammer sites.
Intent Analysis is configured on the BASIC > Spam Checking page.
52
Layer 10 - Image Analysis
Introduction
While Fingerprint Analysis captures a significant percentage of images after they have been seen, the
Barracuda Spam Firewall also uses Image Analysis techniques on both inbound and outbound mail which
protect against new image variants. These techniques include:
Optical character recognition (OCR) - Enables the Barracuda Spam Firewall to analyze the text rendered
inside embedded images.
Image processing - To mitigate attempts by spammers to foil OCR through speckling, shading or color
manipulation, the Barracuda Spam Firewall also utilizes a number of lightweight image processing
technologies to normalize the images prior to the OCR phase. More heavyweight image processing
algorithms are utilized at Barracuda Central to quickly generate fingerprints that can be used by the
Barracuda Spam Firewall to block messages.
Animated GIF analysis - The Barracuda Spam Firewall contains specialized algorithms for analyzing
animated GIFs for suspect content.
Image Analysis is configured on the BASIC > Spam Checking page.
53
Layer 11 - Bayesian Analysis
Introduction
Bayesian Analysis applies only to inbound mail and is a linguistic algorithm that profiles language used in both
spam messages and legitimate email for any particular user or organization. To determine the likelihood that a
new email message is spam, Bayesian Analysis compares the words and phrases used in the new email
against the corpus of previously identified email. The Barracuda Spam Firewall only uses Bayesian Analysis
after administrators or users profile a corpus of at least 200 legitimate (not spam) messages and 200 spam
messages. Bayesian Analysis does not apply to outbound mail.
54
Layer 12 - Spam Scoring
Introduction
Once an inbound or outbound message has passed the initial Barracuda Spam Firewall block/accept filters, it
receives a score for its spam probability. This score ranges from 0 (definitely not spam) to 9 or greater
(definitely spam). Based on this score, the Barracuda Spam Firewall can take one of the following actions:
Block
Quarantine
Tag (inbound mail only)
Allow (inbound mail only)
Send (outbound mail only)
If you want to have detailed information on the spam score of a specific message you should check its
headers. They will show you how the Barracuda Spam Firewall processed the message and which rules
contributed significantly to the final spam score. This is also incredibly useful for troubleshooting. You can
examine the headers by navigating to BASIC > Message Log.
Domain Level Spam Scoring: The Barracuda Spam Firewall 400 and higher allows for setting spam score
levels for inbound mail at the domain level. The administrator or the Domain admin role can set the spam
scoring levels on the BASIC > Spam Checking page.
Per-User Spam Scoring: The Barracuda Spam Firewall 600 and higher allows the administrator to enable
users to set their own spam score levels for inbound mail if per-user quarantine is enabled. If per-user spam
scoring is enabled, when the user logs into their account, they will see the PREFERENCES > Spam Settings
page from which they can set tag, quarantine and block scoring levels for that account.
55
56
Lesson 4: Advanced Deployment
57
Quarantine Functionality
Introduction
By default, the Barracuda Spam Firewall does not quarantine incoming messages, but you may want to enable
quarantine if, for example, your organization requires it, or if you want to reduce load on the mail server while
giving users a chance to determine what they consider to be "spam" or "not spam".
58
Inbound Quarantine
Using Global Quarantine

With global quarantine there is almost no difference in use of system resources versus having quarantine
turned off because messages are not stored on the Barracuda Spam Firewall; they are forwarded to a mailbox
as designated by the administrator. Global quarantine identifies email to quarantine, and rewrites the "From"
address of the message and sends it to the Quarantine Delivery Address specified on the BASIC >
Quarantine page. The subject line of each message is prepended with the Quarantine Subject Text (for
example, [QUAR], as specified on the same page). Global quarantine does require some time and effort by the
administrator to manage quarantined messages. Global quarantine can be enabled at the system level or at
the domain level.
Enabling global quarantine on the Barracuda Spam Firewall provides the administrator with complete control
over how quarantined messages are handled, and it saves system resources because messages are not
stored on the appliance.
59
To set up global quarantine:

From the BASIC > Quarantine page, set the Quarantine Type to Global and configure settings as
described below for global quarantine.
From the BASIC > Spam Checking page, if you want messages to be quarantined based on score, make
sure that the Disable check-box next to Quarantine in the Spam Scoring Limits section is NOT checked.
Set filters on the BLOCK/ACCEPT pages to Quarantine per your organization's policies.
Enter a Quarantine Delivery Address on the BASIC > Quarantine page.This mailbox can either be
on the mail server that the Barracuda Spam Firewall protects or a remote mail server.
Note: If you have a Barracuda Spam Firewall 400 or above, you can specify the quarantine delivery address on a perdomain basis by going to the DOMAINS tab and clicking the Manage Domains link, then using the BASIC >
Quarantine page for that domain to configure the address.
Messages determined to be quarantined by the Barracuda Spam Firewall will have the subject line prepended
by the Quarantine Subject Text as entered on the BASIC > Quarantine page. The default text is
[QUAR]. This allows you to identify quarantined messages when you have them delivered to a mailbox that
also receives non-quarantine messages.
Note: With global quarantine, users will have no control over whitelisting or blocklisting of email addresses, which
they do have with per-user quarantine. Allowing them this control by using per-user quarantine can help reduce the
number of messages processed by the Barracuda Spam Firewall. However, if using global quarantine, users can
communicate domains, IP addresses or email addresses that should be white or blocklisted to the administrator to
configure at the global level.
60
Using Per-user Quarantine

Providing a user with a quarantine inbox gives them greater control over how their messages are quarantined,
but also requires them to manage their quarantine inbox on the Barracuda Spam Firewall. Since per-user
quarantine entails storing quarantined messages on the Barracuda Spam Firewall until the user delivers or
deletes, them, you may want to only provide a quarantine inbox to a subset of power users. For details about
managing the quarantine inbox, please see the Barracuda Spam Firewall User's Guide - 5.x.
When enabling per-user quarantine on the Barracuda Spam Firewall, keep in mind that quarantined email
stored on the Barracuda Spam Firewall requires storage capacity, so system load will vary with the average
size of emails.
If the email patterns of your organization are such that many emails include large attachments (as with
architecture firms, marketing firms, etc.), the system may push the edge of performance more quickly than if
emails tend to be small in size. See the Mail/Log Storage indicator in the Performance Statistics pane of the
BASIC > Dashboard page to monitor disk storage on the Barracuda Spam Firewall.
To set up per-user quarantine:
On the BASIC > Quarantine page, select the Quarantine Type to be Per-User and configure settings as
described below for global quarantine.
From the BASIC > Spam Checking page, if you want messages to be quarantined based on score, make
sure that the Disable check box next to Quarantine in the Spam Scoring Limits section is NOT checked.
Set filters on the BLOCK/ACCEPT pages to Quarantine per your organization's policies.
If Per-User quarantine is set by the administrator, the Domain Admin can either enable or disable Per-User
quarantine at the domain level.
From the USERS > User Features page, the administrator can choose to allow the user to decide whether to
deliver quarantined messages to their regular email address associated with their account or to their
quarantine inbox. This can alternatively be decided for the user by preventing them from accessing this
setting. From this page the administrator can also allow the user to control their whitelist (allowed) and blocklist
(blocked) of email addresses.
Note: For the Barracuda Spam Firewall 300 and higher, be sure to set a Retention Policy (see the USERS >
Retention Policies page) before enabling per-user quarantine in order to prevent running out of quarantine space.
Turning Quarantine Off

Barracuda Networks recommends disabling quarantine unless, for example, your organization has a business
requirement to provide quarantine of messages suspected to be spam or you dont want those messages
stored on the mail server. Disabling quarantine means less management either by the administrator or by the
user and, in the case of per-user quarantine, saves system resources that would otherwise be used to store
the messages until the user delivers or deletes them.
An alternative to using quarantine is tagging email that may be spam based on scoring or is otherwise
identified as possible spam. Benefits include:
No messages are stored on the Barracuda Spam Firewall, thus saving system resources
The user does not have an extra quarantine inbox to manage
Tagged messages, with a keyword such as "[BULK]" prepended to the subject line, can be filtered by the
subject line to a separate folder for later examination by the user (see the BASIC > Spam Checking page
and the BLOCK/ACCEPT pages to configure spam scoring and criteria for tagging messages).
To disable Quarantine completely:
Check the Disable check-box next to "Quarantine" in the Spam Scoring Limits section of the BASIC >
Spam Checking page
Make sure nothing on the BLOCK/ACCEPT pages is set to Quarantine
61
Outbound Quarantine
Overview
For outbound mail, there is no per-user quarantine mechanism on the Barracuda Spam Firewall as there is
with inbound mail. Messages that meet or exceed the scoring level you set on the BASIC > Spam Checking
page for the quarantine of outbound messages, and messages that violate outbound policies you have
configured on various BLOCK/ACCEPT pages will be placed in outbound quarantine for the system. These
messages will be logged and can be viewed on the BASIC > Outbound Quarantine page. At the domain
level, messages in outbound quarantine can be viewed and managed by domain under DOMAINS > Manage
Domain > OUTBOUND QUARANTINE > Outbound Quarantine.
Configure outbound quarantine settings discussed here from the BASIC > Quarantine page.
Immediate notifications can be sent to the administrator via the specified Notification Address whenever
an outbound message is placed into quarantine. As with inbound quarantine notifications, a quarantine
summary can be sent on a daily or weekly basis, if at all.
An Age Retention Policy can be specified for outbound mail, indicating when "old" quarantined outbound
messages should be removed from the Barracuda Spam Firewall. Use this option together with the Size Limit
(KB) and Size Retention Policy to limit the amount of disk space allotted on the Barracuda Spam Firewall for
storing quarantined outbound mail. Regardless of these settings, quarantined outbound messages are always
retained for at least 3 days.
62
Domain Management
Introduction
Your Barracuda Spam Firewall will only accept emails addressed to domains that it has been configured to
recognize. Settings for individual domains can be configured by the administrator and, with some restrictions,
by the Domain Admin and Helpdesk account roles. All three roles will see a DOMAINS tab from which they
can click Manage Domain next to the domain for which to edit the domain-level settings.
Only an administrator can add or delete domains using the controls available in the DOMAINS page. The
administrator can also add domains from the BASIC > IP Configuration page. Domains added from either
page will be initially configured with whatever you have specified your default global settings to be.
If the administrator deletes a domain, all user accounts associated with that domain will also be deleted from
the Barracuda Spam Firewall. A confirmation dialog box will prompt you to confirm whether or not you want to
delete a domain.
Clicking the Manage Domain link for a particular domain will show some or all of the BASIC, USERS,
BLOCK/ACCEPT, OUTBOUND QUARANTINE and ADVANCED tabs, depending on the permissions level of
the logged in account role.
63
Domain Level Settings

Some settings are only configurable at the domain level, while others are configurable at both the global and
domain levels, with the domain level setting taking precedence.The Domain Admin role or the Admin role can
override some global settings for spam and virus checking and quarantine at the domain level.
Note: Setting values on a per-domain basis overrides the values configured at the global in the web interface.
However, if you have never changed a particular setting for a domain, any global level changes to that feature will be
applied for that domain. This also means that any changes you make to the global values of the Barracuda Spam
Firewall will NOT be inherited by the domains that you edit and for which you have changed configuration values.
Basic configuration of a domain consists of identifying the name of the domain (and/or a specific sub-domain)
and specifying a destination mail server. Additional settings available for a domain are dependent on the
model of your Barracuda Spam Firewall, and can include any or all of the following:
Destination Mail Server
Enabling of spam scanning and setting spam score limits for the domain
Enabling or disabling virus scanning
Per-user quarantine enable/disable
Control over which features users can see and configure for their accounts (see Controlling Access to
Account Features).
A defined global quarantine email address (for the domain only)
Option to reject messages from same domain name. If set to Yes, the Barracuda Spam Firewall will reject
email where the FROM envelope or header address domain matches the domain (in the TO address). This
feature provides protection from 'spoofing' of the domain.
Option to require an encrypted TLS connection when receiving email from either ALL or specified domains.
See the ADVANCED > Email Protocol page at the domain level for details.
Option to require an encrypted TLS connection when relaying email to specified destination domains. See
the ADVANCED > Email Protocol page at the domain level for details.
IP address/range, Sender domain, Sender email and Recipient filtering.
Note: BLOCK/ACCEPT policies created at the per-domain level do NOT apply to outbound messages - they only
apply to inbound messages for that domain.
LDAP configuration
Option to specify local database of valid recipients (if not using LDAP) and alias linking
Single Sign-On with various authentication mechanisms
Emailreg.org: option to require header, body or subject content filtering on mail from registered email
addresses
Ability to validate the domain and specify an image for branding encrypted email messages and notifications
sent to the recipient. Note that encryption policy can only be set at the global level by the administrator.
Note: The Barracuda Spam Firewall 400 and higher contains support for APIs that can be used to automate the steps
for creating and configuring multiple domains on the Barracuda Spam Firewall.
64
End User Interaction
Introduction
Within the web interface of the Barracuda Spam Firewall, users can check their quarantined messages,
classify them as spam or not spam, manage whitelisting and blocklisting for email addresses, and modify their
personal settings. Alternatively, an Add-In for Outlook can be used to provide these functionalities.
65
LDAP Integration
Introduction
When integrating your LDAP Directory Server with Barracuda Spam Firewall, the query requirements for
LDAP installation may vary depending on your environment. For best results, use the following generic
parameters:
LDAP Hostname: ldap.companyname.com
LDAP Port: none
LDAP Encryption Type: TLS
LDAP Version: none
LDAP Base DN: OU=Company Name,DC=COMPNET,DC=local
LDAP User Filter Query:
For matching only the primary email: (&(&(objectclass=user)(objectcategory=person))(mail=%%email%%))
For matching all emails under an LDAP account (Currently CudaSign accounts can have only one email, so
this may lead to multiple accounts for a user if they use multiple emails):
(&(objectCategory=person)(objectClass=user)(proxyAddresses=smtp:%%email%%))
LDAP User for Searches: CN=Account User,OU=Accounts,OU=IT,OU=HQ,OU=Company
Name,DC=CompNet,DC=local
66
Single Sign-On
Securing User Access With Single Sign-On

With Single Sign-On (SSO), users can log into their quarantine inbox via the web interface using their domain
passwords instead of a password managed separately by the Barracuda Spam Firewall. Single Sign-On is
configured at the domain level by either the Administrator or a Domain Admin.
Note that, if you are using LDAP authentication for single sign-on, you can either use the same LDAP server
and settings for user authentication as the one youre using for recipient verification (configured on the USERS
> LDAP Configuration page), or you can configure a separate LDAP server for single sign-on from the
USERS > Single Sign-On page. Please see the help on that page for specifics about LDAP server settings to
understand how they affect user logins and access to their quarantine inbox.
Note: If enabling Single Sign-On for a domain, you should also configure HTTPS/SSL Access Only at the global
level on the ADVANCED > Secure Administration page to protect the transmission of network passwords.
User Account Authentication

You can configure the Barracuda Spam Firewall to authenticate user accounts using an LDAP, POP, or
RADIUS server. This feature is available on the Barracuda Spam Firewall 400 and higher and is configured at
the domain level, not as a global setting. These user account authentication mechanisms are configured from
the DOMAINS tab by selecting the Domains page and clicking the Manage Domain link for a particular
domain.
To configure authentication, navigate to the USERS > Single Sign-On page for the selected domain and
select the Authentication Type. For RADIUS and POP, fill in the server settings on the page. To require users
to log in to the Barracuda Spam Firewall Web interface (as opposed to single sign on) to view and manage
their account, select Local for Authentication Type.
67
Barracuda Cloud Control
Introduction
The same tabbed pages are available on the Barracuda Cloud Control for managing all aspects of your
Barracuda Spam Firewall configuration that you see in each individual web interface, and you can create
aggregated reports for multiple Barracuda Spam Firewalls from the Barracuda Cloud Control console.
68
Barracuda Cloud Control: Configuration
Introduction
Barracuda Cloud Control enables administrators to manage, monitor, and configure multiple Barracuda Spam
Firewalls (version 5.0 and higher) at one time from one console. If you are using the Cloud Protection Layer
feature of the Barracuda Spam Firewall, you will manage it using the Barracuda Cloud Control. For information
specific to the Barracuda Cloud Control product configuration and management, see the Barracuda Cloud
Control Overview on Barracuda TechLibrary.
69
Clustering
Introduction
Clustering two or more Barracuda Spam Firewalls makes sense if your organization requires high availability,
scalability, data redundancy, and/or fault tolerance. Clustering also provides centralized policy management
because once you configure one of the devices, configuration settings are synchronized across the cluster
almost immediately. Clustered systems can be geographically dispersed and do not need to be located on the
same network.
70
Clustering Requirements
Set Up Clustered Systems

To cluster two Barracuda Spam Firewalls together, where one system is designated as Barracuda1 and the
other is designated Barracuda2, do the following:
1.) Complete the installation process for each system. Each Barracuda Spam Firewall in a cluster must be the
same model and be on exactly the same firmware version.

2.) From the ADVANCED > Task Manager page on the Barracuda1 system, verify that no processes are
running. Complete this step for the Barracuda2 system as well. No processes should be running when you
add a system to a cluster.
3.) Configure the Barracuda2 system as you would like Barracuda1, and any other system you might add to the
cluster, to be configured. Make a backup of the configurations of each Barracuda Spam Firewall.
4.) From the ADVANCED > Clustering page on the Barracuda1 system, enter a Cluster Shared Secret
password for the cluster, and click Save.
5.) Optional: In the Cluster Hostname field on Barracuda1, enter the DNS/hostname (FQDN) by which other
Barracuda Spam Firewalls in the cluster will attempt to communicate with this one. If this field is left blank,
the IP address entered below will be used. This field is also useful for limiting user access to a cluster - see
Limiting Access to a Cluster below.
6.) From the ADVANCED > Clustering page on the Barracuda2 system, do the following:
a) Enter the same Cluster Shared Secret password, and click Save Changes.
b) Optionally enter the DNS/hostname (FQDN) in the Cluster Hostname field for Barracuda2.
c) In the Clustered Systems section, enter the IP address of the Barracuda1 system and click Join Cluster. At this
point, the configuration of the Barracuda1 system will automatically propagate to Barracuda2.
7.) On each Barracuda system, refresh the ADVANCED > Clustering page, and verify that:
a) Each systems IP address appears in the Clustered Systems list
b) The Connection Status of each server is green.
8.) Distribute the incoming mail traffic to each Barracuda Spam Firewall using a Barracuda Load Balancer
(preferred) or another load balancing device, or by using multiple DNS MX records of equal priority.
71
Load Balancing & Fault Tolerance Overview
72
Cloud Protection Layer
Introduction
The optional Cloud Protection Layer (CPL) feature of the Barracuda Spam Firewall is an additional layer of
protection that blocks threats before they reach your network and provides email continuity. Once email
passes through the CPL, the Barracuda Spam Firewall filters email according to the more granular policies,
recipient verification, quarantining and other features you configure on the appliance. Youll use Barracuda
Cloud Control for central management of your CPL and your Barracuda Spam Firewall(s).
Advantages of using Cloud-Based Protection
The CPL provides yet another layer of security by pre-filtering inbound email for spam and viruses in the cloud
before it reaches your actual network. Here are some of the great benefits of enabling this feature:
Email Continuity The CPL polls your inbound mail server regularly and, if the mail server goes down, the
CPL spools your inbound mail for up to 4 days. As soon as the mail server comes back up, email is
released in a steady stream, resuming consistent inbound mail flow.
Dual Protection Points comprehensive onsite and cloud-based threat protection including the Barracuda
Anti-Virus Super Computing Grid and Barracuda Advanced Anti-Fraud Intelligence.
Email Burst Handling email surge suppression during peak traffic and spam spikes, which offloads a
significant volume of spam email to be filtered via the cloud.
Immediate Response automatic updates in real-time leveraging threat intelligence from Barracuda Labs
and Barracuda Central to continuously stay ahead of quickly morphing threats.
Note: CPL can be configured with many of the same block/accept policies you would apply to the Barracuda Spam
Firewall, but only provides the Block and Allow actions. The CPL does not support tagging or quarantine of email.
73
Clustering Deployment with DNS Balancing
Introduction
A Domain Name System server can be used for load balancing and provisioning fault-tolerance winthin a
cluster of multiple Spam Firewalls. However, in comparison to the use of a Load Balancer or Application
Delivery Controler, DNS servers can only provide round robin load balancing. Advanced functions like load
balancing based on performance specifics of different Spam Firewalls or integrated health checks for the
firewalls are not supported.
To enable DNS load balancing enter individual domain/IP pairs for each Spam Firewall available to the cluster.
The DNS server will then distribute the traffic between the Spam Firewalls according to its configuration.
74
Clustering Deployment with an Application Delivery Controler (ADC)
Overview
The use of Load Balancers like the Barracuda Load Balancer ADC with the Barracuda Spam Firewall has
three major benefits compared to the use of DNS Load Balancing. First it will provide better quality load
balancing, namely a cleaner and more even distribution of the incoming Email-traffic.
Additionally the Load Balancer ADC is able to dynamically retrieve load information from the Spam Firewall,
which ensures that ressource demand is taken into consideration when traffic is distributed.
Finally the Load Balancer ADC performs health checks at domain level, that determin the state of your domain
configured in the Spam Firewall and act upon the results of these tests. This functionality cant be
accomplished with basic DNS Load Balancing.
75
Email Encryption - Overview
Overview
For health care providers, governmental agencies, and other entities who need to protect private, sensitive,
and valuable information communicated via email, the Barracuda Spam Firewall allows creating multiple
policies to specify exactly which outbound emails to encrypt. Emails that match policy are securely (via TLS)
sent to the Barracuda Message Center.
Encryption is configured at the per-domain level, but actual encryption policy (by sender domain, email
address, recipient, etc.) is only configurable at the global level using the BLOCK/ACCEPT pages. These
global encryption policies will apply to all domains from which encrypted email messages are sent.
Encrypting Messages From the MS Outlook Client
You can download the Barracuda Outlook Add-In for your Microsoft Exchange Server to enable users to
choose encryption from the New Message window in their MS Outlook client. See the Barracuda Spam
Firewall Outlook Add-In Deployment Guide 6.0 or the USERS > User Features page in the Barracuda Spam
Firewall web interface for information on deploying the Outlook Add-In.
Secured Message Contents
When the Barracuda Spam Firewall encrypts the contents of a message, the message body will not be
displayed on the BASIC > Message Log, BASIC > Outbound Quarantine, or the ADVANCED > Queue
Management pages.
Note: Only the sender of the encrypted message(s) and the recipient can view the body of a message encrypted by
the Barracuda Email Encryption Service. For Mail Journaling and the download features in the Message Viewer, the
message body will not be sent to the Mail Journaling account and cannot be downloaded to the Desktop.
If you already have an email encryption server or service, you can specify a hostname (FQDN) or IP address
and port in the Redirection Mail Server TCP/IP Configuration section of the BASIC > IP Configuration page to
which the Barracuda Spam Firewall should redirect outbound mail for encryption. You can then select the
Redirect action for outbound filtering policies in the BLOCK/ACCEPT pages. Redirection of outbound mail per
policy is only available at the global (not per-domain) level.
76
Archiving Encrypted Emails

If you have a Barracuda Message Archiver, you can choose to archive encrypted emails and replies to those
emails. From the BASIC > Administration page, enter the IP address of the Barracuda Message Archiver in
the Email Encryption Service section. Note that encrypted messages are not sent in encrypted format to the
Barracuda Message Archiver. It is recommended that this email traffic from the Barracuda Spam Firewall to
the Barracuda Message Archiver be sent over internal networks.
Requirements for Using Encryption
Before applying encryption policy, make sure of the following:
Your Energize Updates subscription is current. See the Subscription Status section on the BASIC >
Dashboard page of the Barracuda Spam Firewall.
You validate all sending domains that are allowed to send encrypted messages, using the DOMAINS >
Manage Domain > ADVANCED > Encryption page. Several validation methods are available from this
page.
Setting Encryption Policy for Outbound Mail
From the BLOCK/ACCEPT pages you can create global custom encryption policy for secure transmission of
outbound mail based on:
Sender email address and/or domain
Recipient email address and/or domain
Attachment Filename pattern and/or type as well as attachment content
Content and content type (such as, for example, secured credit card info.)
These policies will apply for ALL domains from which you send encrypted email.
77
Email Encryption - Configuration
78
Email Encryption - Recipient View
79
80
Lesson 5: Administration Tasks
81
System Monitoring
Viewing Performance Statistics

The BASIC > Dashboard page provides an overview of the health and performance of your Barracuda Spam
Firewall, including:
Hourly and daily email statistics that display the number of viruses blocked and messages rate controlled
(deferred), blocked, quarantined, tagged (inbound only), sent (outbound only) and allowed (inbound only)
for the last 24 hours and 28 days.
The subscription status of Energize Updates.
Performance statistics, including CPU temperature and system load. Performance statistics displayed in red
signify that the value exceeds the normal threshold. These values will fluctuate based on the amount of
traffic that is being handled, but if any setting remains consistently in the red for a long period of time,
please contact Barracuda Networks Technical Support.
If the Mail/Log Storage rises above 75%, this indicates that more disk space has been taken up by the
message and log storage than is allocated for that purpose and you should contact Barracuda Networks
Technical Support.
If per-user quarantine is enabled and system performance has decreased, check the Quarantined number of
messages shown in the Email Statistics [inbound] pane on the BASIC > Dashboard page. If this number is
high, changing the Retention Policies for per-user quarantine on the USERS > Retention Policies page may
solve the problem.
On the Barracuda Spam Firewall 600 and higher, if a disk drive in the RAID array exhibits a problem, the
Redundancy (RAID) indicator will highlight in red and show one of the drives as degraded with a link Click To
Repair. Clicking this link will display a pop-up indicating the drive to replace and an Ok button and a Cancel
button. You must first replace the disk drive that indicates a problem before proceeding with the repair
operation.
Inbound and Outbound Message Queues
You can view the mail queues from the BASIC > Dashboard page with the In/Out Queue Size links.
The number of current inbound messages (In) plus accepted messages waiting for virus and spam scanning is
shown, separated by a /, from the number of messages in the outbound queue (Out) waiting for the outbound
server. Click either number to view a summary of the messages currently in the queues.
To view the queues in a Message Log format, with the ability to filter, requeue, delete and view details of
selected queued messages, use the ADVANCED > Queue Management page.
82
Retrying All Outbound Messages

If the outbound queue number is high, the mail server could be down or there could be another network issue.
Messages in the outbound queue will automatically expire if not successfully delivered within 48 hours
(default). This may happen normally if the destination mail server rejects email based on mail server policy and
the message is bounced back to the sender.
To requeue, or retry delivering ALL email messages in the out queue, click the Retry button at the bottom of
the BASIC > Administration page to retry sending the messages immediately. The button will then be
disabled until the requeue process has completed. To requeue, or retry delivering selected email messages in
the out queue, use the ADVANCED > Queue Management page.
Note: Alerts and notifications are queued separately from email so that the administrator can be alerted if the out
message queue is high.
The Message Log

The BASIC > Message Log page displays details about all email traffic that passes through the Barracuda
Spam Firewall. Message source and analysis is viewable by clicking on a message, and includes spam
scoring and Bayesian analysis, if enabled.
This data is captured initially in the Mail Syslog and appears on the mail facility at the debug priority level on
the specified syslog server.
The Message Log is a window into how the current spam and virus settings are filtering email coming through
the Barracuda Spam Firewall, and sorting data using the wide variety of filters can quickly provide a profile of
email by allowed, tagged, quarantined or blocked messages by domain, sender, recipient, time, subject, size,
reason for action taken or score.
Watch the Message Log after making changes to the spam and virus settings to determine if the Barracuda
Spam Firewall spam checking and quarantine behavior is tuned according to the needs of your organization.
Using the Task Manager to Monitor System Tasks
The ADVANCED > Task Manager page provides a list of tasks that are in the process of being performed and
displays any errors encountered when performing these tasks. Some of the tasks that the Barracuda Spam
Firewall tracks include:
Clustered environment setup
Configuration and Bayesian data restoration
Removal of invalid users
If a task takes a long time to complete, you can click the Cancel link next to the task name and then run the
task at a later time when the system is less busy. The Task Errors section will list an error until you manually
remove it from the list. The errors are not automatically phased out over time.
83
SNMP
Overview
To monitor specific information on a Barracuda Spam Firewall, Barracuda Networks recommends using
SNMP monitoring with an SNMP server. The Barracuda Spam Firewall 400 and higher offers the ability to
monitor various settings via SNMP, including:
System statistics, such as:
inbound/outbound queue size
average email latency
encrypted, blocked, quarantined and tagged messages based on spam, custom policy, virus, etc. (outbound
mail included)
appliance uptime
Performance statistics, including mail/log storage, CPU temperature and system load.
To query the Barracuda Spam Firewall for these statistics via SNMP, you must first enable the SNMP agent,
specify the SNMP version youre using, the community string, and enter the IP address of the server(s) that
will be making the SNMP connection in the SNMP Manager section of the BASIC > Administration page.
Syslog
Use the ADVANCED > Advanced Networking page to specify a server to which the Barracuda Spam
Firewall sends syslog data. Syslog is a standard UNIX/Linux tool for sending remote system logs and is
available on all UNIX/Linux systems. Syslog servers are also available for Windows platforms from a number
of free and premium vendors.
The Web Syslog data contains information about user login activities and any configuration changes made on
the machine. This syslog data appears on the local facility with login information at the info priority level, and
configuration changes appear at the debug priority level on the specified syslog server.
The Mail Syslog captures data related to mail flow and is the same information as that used to build the
Message Log in the Barracuda Spam Firewall. The Mail Syslog includes data such as the connecting IP,
envelope 'From' address, envelope 'To' address, and the spam score for the messages transmitted. This
syslog data appears on the mail facility at the debug priority level on the specified syslog server.
See the Syslog section of the ADVANCED > Troubleshooting page for the facility to open a window and view
the Mail Syslog or Web Syslog output.
84
Account Administration
Introduction
The Barracuda Spam Firewall offers several levels of 'scope' when accessing the web interface and
configuring the system. This enables delegation of tasks such as:
Domain Administration: Management of only domain-level settings for one or more domains that are
protected by the Barracuda Spam Firewall
Helpdesk duties such as supporting end-user management of quarantine inbox, passwords and associated
preferences
Application of governance, risk management and compliance policies to outbound email content by managing
messages in the outbound quarantine log
Only the administrator (Admin) role has access to the global scope, with access to all settings. Administration
of domain-level settings can be delegated to the Domain Admin role, which has the most permissions, the
Helpdesk role, with fewer permissions, or the Governance, Risk Management and Compliance (GRC) Account
role, which has very limited permissions and a specific role. Finally, the User role can only see and manage
their account, or quarantine inbox and related settings.
85
User-Features
The User role is the default role assigned to newly created accounts on the Barracuda Spam Firewall, and only
provides the account holder with a view of their quarantine inbox and some account preference settings,
depending on what has been enabled for their account.
User role permissions may include:
Modify individual settings for quarantine, spam tag and block levels.
Management of quarantine inbox - mark as Spam/Not Spam, deliver, whitelist, delete quarantined
messages.
Change password (if Single Sign-On authentication is not configured).
Create whitelists and blocklists for email addresses and domains.
Manage a personal Bayesian database.
If granted the permission, the User role can disable quarantine for their account such that all messages
quarantined for that account holders email address(es) by the Barracuda Spam Firewall will be delivered to
their regular email inbox.
86
Backup
Overview
You should back up your system on a regular basis in case you need to restore this information on a
replacement Barracuda Spam Firewall or in the event that your current system data becomes corrupt.
Three Kinds of Backup Files
The ADVANCED > Backup page lets you back up and restore three kinds of backup files for your Barracuda
Spam Firewall:
System configuration
Bayesian databases - global and per-user (if your model supports per-user)
Explicit Users to Accept For and Alias Linking data
To prepare the system for backing up, first configure your backup server information, then select which, if not
all, backups you want to create, and, if desired, a schedule of automated backups on the ADVANCED >
Backup page. If you are restoring a backup file on a new Barracuda Spam Firewall that is not configured, you
first need to assign your new system an IP address and DNS information on the BASIC > IP Configuration
page of the new system.
87
Important notes about backups:

Do not edit backup files - Any configuration changes you want to make need to be done through the Web
interface. The configuration backup file contains a checksum that prevents the file from being uploaded to
the system if any changes are made.
You can safely view a backup file in Windows WordPad or TextPad. You should avoid viewing backup files
in Windows Notepad because the file can become corrupted if you save the file from this application.
Information not backed up with the system configuration file includes system password, system IP
information, DNS information and clustering settings. For a complete list of settings that are not backed up,
please see the online help of the ADVANCED > Backup page.
For Automated Backups, you must select a server type. If you select FTP, note the following. The Barracuda
Spam Firewall, by default, initiates ftp in passive mode. If your backup times out, and your FTP server is
running in passive mode, and you have a firewall between your Barracuda Spam Firewall and your ftp
server, you may need to open ports on your firewall to allow passive-mode ftp connections. The port range
depends on your ftp server configuration. Ideally, the firewall should be configured so that only that range of
ports is accessible to the ftp server machine. Make sure that there aren't any other TCP services with port
numbers in the port range listening on the FTP server machine.
Restoring a Backup
Restoring a backup simply requires browsing your local system with the click of a button on the ADVANCED >
Backup page and selecting a backup file. Please see the online help on that page for details about restoring
backups.
Note: Do not restore a configuration file onto a machine that is currently part of a cluster. All cluster information will be
lost and the units will need to be re-clustered if this happens.
88
Additional Ressources
89
90
Lab-Guide
Chapter Overview
Lab 1.1: Initial Configuration
Lab 1.2: LDAP Configuration
Lab 1.3: IP Filtering
Lab 1.4: Basic Spam Training
Lab 1.5: Custom Spam Settings
Lab 1.6: Quarantine
Introduction and Objectives

After finishing these labs, you will be able to:
Perform an initial configuration on the Barracuda Spam Firewall
Configure an LDAP server for Recipient Verification and Single Sign-On
Block mail traffic from specific IP addresses
Fully understand and configure the Twelve Defense Layer Model
Configure email quarantine
Understand multi-domain management
Deploy a Barracuda Spam Firewall cluster
Understand the high availability / load balancing options on the Barracuda Spam Firewall
Understand how Barracuda email encryption works
Administer the Barracuda Spam Firewall
LAB Guide
Student Table
Nr
Web Interface URL
Username
E-Mail
IP
Workstation IP
http://sfw01:8000
student01
student01@cudau.org
10.1.29.21
10.1.31.21
http://sfw02:8000
student02
student02@cudau.org
10.1.29.22
10.1.31.22
http://sfw03:8000
student03
student03@cudau.org
10.1.29.23
10.1.31.23
http://sfw04:8000
student04
student04@cudau.org
10.1.29.24
10.1.31.24
http://sfw05:8000
student05
student05@cudau.org
10.1.29.25
10.1.31.25
http://sfw06:8000
student06
student06@cudau.org
10.1.29.26
10.1.31.26
http://sfw07:8000
student07
student07@cudau.org
10.1.29.27
10.1.31.27
http://sfw08:8000
student08
student08@cudau.org
10.1.29.28
10.1.31.28
http://sfw09:8000
student09
student09@cudau.org
10.1.29.29
10.1.31.29
10
http://sfw10:8000
student10
student10@cudau.org
10.1.29.30
10.1.31.30
WebEx - Overview
If you're facing any problems or questions during the lab click the Hands-on Lab button
raise hands button
and press the
in the WebEx menu. Once everything is resolved press the button again to indicate
that everything is okay again.
If the workstation advises you to press Ctrl-Alt-Del please use the
button in WebEx and go to
Remote Computer > Send Ctrl+Alt+Del.
Username: [see Student Table]
Password: CudaLearner
You can easily change the keyboard layout by using the language menu in the taskbar
BT 310- Lab-Guide
91
92
BT 310 - Lab-Guide
Lab 1.1: Initial Configuration

Assignment
Your IT department has just deployed the Barracuda Spam Firewall appliance, and you are tasked with the
initial configuration, which includes the basic IP and DNS configuration, as well as receiving and forwarding
mail. Configure these parameters on the Barracuda Spam Firewall.
Overview of Configuration Steps
Log into the workstation by using the "Username" provided in the student table and the password
"CudaLearner". If you youre already on the desktop you can skip this step.
Log into the administrative interface of the Barracuda Spam Firewall by using the default credentials and the
"Web Interface URL" provided in the student table.
Make sure that all mails are forwarded to the destination mail server 10.1.28.5. The Barracuda Spam
Firewall shall only accept mail for the domain "cudau.org".
Open the folder "Spam Firewall Scripts" on your desktop. You can check the functionality of your
configuration by executing the script "1.1 - Test Initial Configuration". You should see mail in your Outlook
client. If Outlook asks for credentials enter the username from the descriptive message in the authentication
box (e.g. student11@cudau.org) and the password CudaLearner.
Tasks
1.) Log into the workstation.
Detailed Steps
a.) Press CTRL + ALT + DEL to log in, or use the WebEx menu in the
upper-center of your screen: If you youre already on the desktop of
the workstation you can skip this step. If you need to unlock the
workstation, use the WebEx menu at the top center of your screen
to send CTRL + ALT + DEL to the workstation. Then login with the
following credentials:
2.) Log into the administrative interface

of the Barracuda Spam Firewall.
a.) Open your web browser and navigate to the web interface URL that is
stated in the [Student Table]. Use the following login credentials:
Username: admin
Password: admin
3.) Verify TCP/IP and DNS

configuration.
a.) Navigate to BASIC > IP Configuration.

b.) Check if your configuration matches these settings:
c.) Default Gateway: 10.1.30.1
d.) Primary DNS Server: 10.1.28.5
BT 310- Lab-Guide
93
Tasks
94
Detailed Steps
4.) Configure the basic settings for

receiving and forwarding email.
a.) In the Destination Mail Server TCP/IP Configuration section, enter

Server Name/IP: 10.1.28.5
and click Save
b.) In the Domain Configuration section, enter
Accepted Email Recipient Domain(s): cudau.org
c.) Click Add.
d.) Navigate to BASIC > Outbound.
e.) In the Relay Using Trusted IP/Range section, add
IP/Network Address: 10.1.28.5
Netmask: 255.255.255.255
f.) Navigate to BLOCK/ACCEPT > Rate Control.
g.) In the Rate Control Exemption IP/Range section, add
IP/Network Address: 10.1.28.5
Netmask: 255.255.255.255
5.) Check if the basic functions of the

Barracuda Spam Firewall are
working correctly.
a.) On your workstations desktop, open the folder Spam Firewall Scripts.
b.) Execute the script 1.1 - Test Initial Configuration and verify that the
script indicates a successful configuration.
c.) Click the Microsoft Outlook 2010 on your Desktop. If you see the Outlook
Client Startup Window then simply click Next and Finish until the Outlook
is fully configured. If Outlook asks for credentials enter the username
from the descriptive message in the authentication box (e.g.
student11@cudau.org) and the password CudaLearner
BT 310 - Lab-Guide
Lab 1.2: LDAP Configuration

Assignment
To let users log in with their LDAP credentials and to make sure the Spam Firewall accepts only messages
that have a valid inbox on the mail server, it is crucial to have a working LDAP configuration. The main task of
this lab exercise is to get the LDAP up and running.
Configure the following LDAP server for the domain cudau.org on your Barracuda Spam Firewall
Exchange Accelerator/LDAP Verification: yes
LDAP Server: 10.1.28.5
LDAP Server Type: Active Directory
Bind DN (Username): ldapuser@cudau.org
Bind Password: CudaLearner
Valid Email (for testing): [E-Mail from Student Table]
After testing the configuration, switch back in global configuration mode
Tasks
Detailed Steps
1.) Switch to Domain Management

mode.
a.) Navigate to DOMAINS > Domain Manager.

b.) Click Manage Domain next to cudau.org.
c.) Note the domain information admin[cudau.org] in the upper-right
corner. This indicates that you are in Domain Management mode.
2.) Configure an LDAP server for this

domain.
a.) Navigate to USERS > LDAP Configuration.

b.) Change or enter the following LDAP Settings for cudau.org.
Exchange Accelerator/LDAP Verification: Yes
LDAP Server: 10.1.28.5
LDAP Server Type: Active Directory
Bind DN (Username): ldapuser@cudau.org
Bind Password: CudaLearner
Valid Email (for testing): [see Student Table]
c.) Click Test LDAP and check if the test was successful.
d.) Click Save.
3.) Switch back to Global Configuration

mode.
a.) In the upper-right corner, click Manage System.
BT 310- Lab-Guide
95
Lab 1.3: IP Filtering

Assignment
The most effective way to block spam is by using IP address filters. The Barracuda Spam Firewall has different
ways of working with IP filters, one is by using reputation lists. This lab shows you how to configure such lists.
Block the IP address of your workstation on your Barracuda Spam Firewall.
Open the folder "Spam Firewall Scripts" on your desktop. You can check the functionality of your
configuration by executing the script "1.3 - Test IP Filtering".
Delete the IP address block that you have configured before..
Tasks
96
Detailed Steps
1.) Verify the settings.
a.) Navigate to BLOCK/ACCEPT > IP Reputation.

b.) Verify or change the following settings:
Barracuda Reputation Blocklist(BRBL): Block
Email Categorization:
Transactional Email: Whitelist
Corporate Email: Whitelist
Marketing Materials: Off
Submit RBL Exemptions to Barracuda Central: Yes
2.) Add your IP address as a blocked

IP/Range.
a.) Open a command prompt (e.g., by holding SHIFT and right clicking on
the Desktop. In the context menu click on Open command window
here).
b.) Enter ipconfig and search for the IP address of your LAN adapter
c.) Navigate to BLOCK/ACCEPT > IP Filters.
d.) Enter your workstations IP address from step b in the Blocked IP/
Range field and click Add.
3.) Test the IP blocking configuration.
b.) Execute the script 1.3 - Test IP Filtering and verify that the script
indicates a successful spam-blocking configuration.
4.) Remove the blocked IP address.
a.) Navigate to BLOCK/ACCEPT > IP Filters.

b.) Remove your IP address in the Blocked IP/Range table by clicking on
the trash can icon next to it.
BT 310 - Lab-Guide
Lab 1.4: Basic Spam Training

Assignment
Fingerprint and intent analysis are great features on the Spam Firewall. However, they must be configured
properly and, more importantly, trained to work accurately. This lab shows you how.
Configure your Barracuda Spam Firewall with the following parameters:
Spam Scoring Limits Inbound:
Block: 6
Quarantine: 4
Tag: 2
Spam Scoring Limits Outbound:
Block: 5
Quarantine: Disabled
Spam Subject Tag: [POSSIBLE SPAM]
Fingerprint Analysis: Block
Intent Analysis: Block "Spam" & "Adult/Dating"
Enable Multi-Level Intent Analysis and Realtime Intent Analysis
Bayesian Analysis: Disabled
BT 310- Lab-Guide
97
Tasks
Detailed Steps
1.) Log into workstation.
a.) Press CTRL + ALT + DEL to log in, or use the WebEx menu in the
upper-center of your screen: If you youre already on the desktop of
the workstation you can skip this step. If you need to unlock the
workstation, use the WebEx menu at the top center of your screen
to send CTRL + ALT + DEL to the workstation. Then login with the
following credentials:
98
2.) Log into the administrative interface

of the Barracuda Spam Firewall.
a.) Open your web browser and navigate to the web interface URL that is
stated in the [Student Table]. Use the following login credentials:
Username: admin
Password: admin
3.) Set your basic spam settings.
a.) Navigate to BASIC > Spam Checking.

b.) Adjust the Spam Scoring Limits for inbound mail:
Block: 6
Quarantine: 4
Tag: 2
c.) Adjust the Outbound Spam Scoring Limits for outbound mail
Block: 5
Quarantine: Disabled
d.) In the Spam Tag Configuration, set
Subject Tag:[POSSIBLE SPAM]
e.) Set the Fingerprint Analysis to Block.
f.) In the Intent Analysis section, verify that Inbound & Outbound messages
containing Spam or Adult/Dating links are blocked.
g.) Verify that Multi-Level Intent Analysis and Realtime Intent Analysis
are set to Yes.
h.) In the Global Bayesian Analysis section, verify that Use Bayesian is
set to No.
i.) Click Save.
BT 310 - Lab-Guide
Lab 1.5: Custom Spam Settings

Assignment
If all these automatic analysis capabilities are still generating false positives, it is necessary to intercept them
by creating manual rules to block spam passing to your mail server.
Block any email from the domain "buyviagra.com"
Block emails from the mail address "spammer@spam.com"
Quarantine emails from the mail address "maybespam@spam.com"
Block all email that contains the word "viagra" in the subject or body
Tag inbound mail that contains the word "free" in the subject
Block inbound attachments containing the word "inheritance"
Open the folder "Spam Firewall Scripts" on your desktop. You can check the functionality of your configuration
by executing the script "2.2 - Test Custom Spam Settings".
Tasks
Detailed Steps
1.) Block & quarantine emails from

specific domains/senders.
a.) Navigate to BLOCK/ACCEPT > Sender Filters.

b.) Enter buyviagra.com in the Blocked Email Addresses and
Domains section, leave the action at Block and click Add
c.) Enter spammer@spam.com in the Blocked Email Addresses and
Domains section, leave the action at Block and click Add.
d.) Enter maybespam@spam.com in the Blocked Email Addresses and
Domains section, change the action at Quarantine and click Add.
2.) Create a content filter for specific

words.
a.) Navigate to BLOCK/ACCEPT > Content Filtering.

b.) Add the following pattern in the Content Filters section. Dont forget to
click Add everytime you add a new pattern.
Block all email that contains the word viagra in the subject or
body.
Tag inbound email that contains the word free in the subject.
c.) Add the following pattern to the Attachment Content Filters section.
Block inbound attachments that contain the word inheritance.
3.) Test the domain blocking.
b.) Execute the script 2.2 - Test Custom Spam Settings and verify that the
script indicates a successful spam-blocking configuration.
BT 310- Lab-Guide
99
Lab 1.6: Quarantine

Assignment
Mail that is spam or that is allowed to get into the users inbox for any reason can be stored in a so-called
quarantine. The administrator or user can then verify what to do next with the message. This exercise
demonstrates how to set up the quarantine on the Spam Firewall.
Configure a "Per-User Quarantine" and set the Quarantine Reply-To Address to postmaster@cudau.org
Make sure that users from the cudau.org domain can log into the firewall with their domain/LDAP credentials
(Hint: Single Sign-On)
Open the folder "Spam Firewall Scripts" on your desktop. Execute the script "2.3 - Test quarantine".
Log into the Barracuda Spam Firewall by using the "Username" provided in the student table and the
password "CudaLearner" and check if the mail sent by the script can be found within the quarantine
Youre now finished with the webinar. You can now leave the workstation and the WebEx session. Thanks for
joining this Barracuda webinar and dont forget to take the test at http://bu.barracuda.com.
100
Tasks
Detailed Steps
1.) Change the settings from a Global

Quarantine to a Per-User
Quarantine.
a.) Navigate to BASIC > Quarantine.

b.) In the Inbound Quarantine Type section, select Per-User as
Quarantine Type.
c.) In the Per-User Quarantine Configuration section, enter
Quarantine Reply-To Address field: postmaster@cudau.org
d.) Click Save.
2.) Enable Single Sign-On for the

cudau.org domain.
a.) Navigate to DOMAINS > Domain Manager.

b.) Click Manage Domain next to cudau.org.
c.) Note the domain information admin[cudau.org] in the upper-right
corner. This indicates that you are in Domain Management mode.
d.) Navigate to USERS > Single Sign-On.
e.) Select LDAP from the Authentication Type list.
f.) Click Save .
3.) Send a message that will be

quarantined.
b.) Execute the script 2.3 - Test Quarantine and check if the email was
successfully delivered.
c.) The email should now be quarantined on the Barracuda Firewall. Open
your inbox. If Outlook requests a password enter CudaLearner.
4.) View the quarantined message.
a.) Click Sign Out in the right, upper corner of the Spam Firewall user
interface.
b.) Log into the Spam Firewall user interface:
Username: admin
Password: admin
c.) You will see the recently sent mail in the Quarantine Inbox.
5.) Close the session
a.) Youre now finished with the webinar. You can now leave the workstation
and the WebEx session. Thanks for joining this Barracuda webinar and
dont forget to take the test at http://bu.barracuda.com.
BT 310 - Lab-Guide
Barracuda Networks Inc., April 2015, BT310-7.0-104. The information contained within this document is confidential and proprietary to Barracuda Networks Inc. No
portion of may be copied, distributed,publicized or used for other than internal documentary purposes without the written consent of an official representative of Barracuda Networks Inc. All specifications are subject to change without notice. Barracuda Networks Inc. assumes no responsibility for any inaccuracies in this document.
Barracuda Networks Inc. reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

BT310 HB 104 - Barracuda Spam Firewall

Enviado por

Dados do documento

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

BT310 HB 104 - Barracuda Spam Firewall

Enviado por

Direitos autorais:

Formatos disponíveis

Barracuda University

BT310 Barracuda Spam Firewall Systems Engineer

Lesson 1: Features Overview

2015 Barracuda University

BT310 - Lecture Guide

BT310 - Lecture Guide

2015 Barracuda University

2015 Barracuda University

BT310 - Lecture Guide

Using Global Quarantine

Using Per-user Quarantine

Turning Quarantine Off

BT310 - Lecture Guide

2015 Barracuda University

2015 Barracuda University

BT310 - Lecture Guide

BT310 - Lecture Guide

2015 Barracuda University

Product Models & Specifications: Appliances

*Also available in Virtual Edition (Vx)

2015 Barracuda University

BT310 - Lecture Guide

BT310 - Lecture Guide

2015 Barracuda University

Product Models & Specifications: Features

Large File Transfer

Cloud Protection Layer

Per-User Settings and

Delegated Help Desk Role

Clustering & Remote Clustering

Per Domain Settings

Per-User Score Settings

2015 Barracuda University

BT310 - Lecture Guide

BT310 - Lecture Guide

2015 Barracuda University

2015 Barracuda University

BT310 - Lecture Guide

SMTP - Simple Mail Transfer Protocol

BT310 - Lecture Guide

2015 Barracuda University

SMTP - Simple Mail Transfer Protocol

2015 Barracuda University

BT310 - Lecture Guide

BT310 - Lecture Guide

2015 Barracuda University

Deployment using Public IP Addresses

2015 Barracuda University

BT310 - Lecture Guide

Deployment Behind a Corporate Firewall

Remote diagnostics and technical support

Domain Name Server (DNS)

Virus, firmware, security and spam rule

NTP (Network Time Protocol)

BT310 - Lecture Guide

2015 Barracuda University

Initial Configuration: Getting Started

Configure IP Address and Network Settings

2015 Barracuda University

BT310 - Lecture Guide

Activate Your Barracuda Spam Firewall

A confirmation page will display the terms of your subscription.

For Virtual Appliances