Anti Spam

Superior Spam Filtering Methods

The Barracuda Spam Firewall provides comprehensive spam blocking for your organization. The algorithms and methods used by the Barracuda Spam Firewall are the most comprehensive and most advanced in the industry.

The methods and techniques used by the Barracuda Spam Firewall are continuously updated via the hourly Barracuda Energize Updates service to stay ahead of spam trends as they emerge.

The Barracuda Spam Firewall provides a number of different parameters that can be adjusted and tuned for your specific environment.

There are two main classes of techniques for blocking unwanted email:

  • Connection Management techniques involve dropping incoming mail connections before actually receiving the message.
  • Mail Scanning techniques involve analysis of messages after they have been received.

Within each class are many possible defense tactics. The Barracuda Spam Firewall combines a multitude of these defense tactics to stop spam and other unwanted email that violates policy.

Connection Management

The connection management techniques generally require less processing. For typical small or medium businesses, more than half of the total email volume can be blocked through connection management techniques. Very large Internet Service Providers (ISPs), or even smaller Web hosts while under attack, may observe block rates at connection management layers exceeding 99 percent of all email volume.

Network Denial of Service Protection

Built on a hardened and secure operating system, the Barracuda Spam Firewall receives email on behalf of the organization, insulating the organization’s email server from receiving direct Internet connections and their associated threats.

Rate Controls

Automated spam software can be used to send large amounts of email to a single email server. To protect the email infrastructure from these flood-based attacks, the Barracuda Spam Firewall counts the number of incoming connections from a particular IP address and throttles the connections once a particular threshold is exceeded.

Organizations that relay email through known servers before reaching the Barracuda Spam Firewall, or that communicate frequently with known partners, should add the IP addresses of those known relays and good email servers to the Rate Control exemption list.
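
The counting and exemption behaviour described above can be modelled as follows. This is an added example, not Barracuda's code: the class name, the sliding-window approach, the threshold values and the sample addresses (documentation ranges) are all assumptions.

```python
import time
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

class RateControl:
    """Per-IP connection counter with a sliding window and an exemption list."""

    def __init__(self, max_connections, window_seconds, exempt=()):
        self.max_connections = max_connections
        self.window = window_seconds
        # Exemptions: known relays and trusted partner servers (IP or CIDR).
        self.exempt = [ip_network(e, strict=False) for e in exempt]
        self.seen = defaultdict(deque)  # ip -> timestamps of accepted connections

    def is_exempt(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.exempt)

    def allow(self, ip, now=None):
        """Return True to accept the connection, False to throttle it."""
        now = time.monotonic() if now is None else now
        if self.is_exempt(ip):
            return True  # exempt sources are never counted
        q = self.seen[ip]
        while q and now - q[0] >= self.window:
            q.popleft()  # forget connections that fell out of the window
        if len(q) >= self.max_connections:
            return False
        q.append(now)
        return True

# Constructed sample: (seconds, source IP). 198.51.100.10 is an upstream relay.
CONSTRUCTED_EVENTS = [(0, "203.0.113.5"), (1, "203.0.113.5"), (2, "203.0.113.5"),
                      (3, "203.0.113.5"), (4, "198.51.100.10"), (5, "198.51.100.10"),
                      (6, "198.51.100.10"), (7, "198.51.100.10"), (61, "203.0.113.5")]

def run_constructed_sample():
    rc = RateControl(max_connections=3, window_seconds=60,
                     exempt=["198.51.100.0/24"])
    return [rc.allow(ip, now=t) for t, ip in CONSTRUCTED_EVENTS]

if __name__ == "__main__":
    print(run_constructed_sample())
```

Without the exemption entry, the relay at 198.51.100.10 would be throttled on its fourth connection just like the flooding source, which is why upstream relays belong on the exemption list.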

IP Analysis

After applying rate controls based on IP address, the Barracuda Spam Firewall then performs analysis on the IP address.

  • Customer-defined policy for allowed IP addresses. The Barracuda Spam Firewall enables administrators to define a list of trusted email servers by IP address. By adding IP addresses to this list, administrators can avoid spam scanning of good email, both reducing processing requirements and eliminating the chances of false positives.
  • Customer-defined policy for blocked IP addresses. The Barracuda Spam Firewall also enables administrators to define a list of known bad email senders. In general, administrators need not enter blacklists of spam senders, as these are typically added by Barracuda Central to the Barracuda Blacklist Service. In some cases, administrators may choose to utilize the IP block lists to restrict specific email servers as a matter of policy rather than as a matter of spam protection.
  • Barracuda Reputation. Barracuda Reputation is maintained by Barracuda Central and includes a list of IP addresses of known, good senders as well as known spammers. Updates to the Barracuda Reputation database are delivered to the Barracuda Spam Firewall via Barracuda Energize Updates.
  • External block lists. The Barracuda Spam Firewall enables administrators to take advantage of external block lists which are also known as real-time block lists (RBLs) or DNS block lists (DNSBLs). Several organizations maintain external block lists, such as spamhaus.org.

In general, external blacklists take precedence over subsequent allow lists (“whitelists”) on the sender email address or domain, recipient, headers or message body. The Barracuda Spam Firewall does have an option to delay RBL checks so that subsequent allow lists can take precedence over external block lists.
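
The precedence described above, including the effect of delaying RBL checks, is easier to see as a decision function. This is an added example, not Barracuda's code: the function and configuration key names, the zone dnsbl.example and all addresses are hypothetical, checking the customer allowed-IP list before the blocked-IP list is an assumption, and the DNS lookup is replaced by a constructed set so the example runs offline.

```python
from ipaddress import ip_address

def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    addr = ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def ip_analysis(ip, sender, cfg, is_listed):
    """Return (verdict, reason) for one connection.

    cfg keys (hypothetical names): allowed_ips, blocked_ips, rbl_zones,
    sender_allow, delay_rbl. is_listed(name) stands in for the DNS query.
    """
    if ip in cfg["allowed_ips"]:
        return ("accept", "customer allowed IP, spam scanning skipped")
    if ip in cfg["blocked_ips"]:
        return ("block", "customer blocked IP")
    hit = next((z for z in cfg["rbl_zones"]
                if is_listed(dnsbl_query_name(ip, z))), None)
    if hit and not cfg["delay_rbl"]:
        return ("block", "listed on " + hit)
    # Later allow list on the sender address; reached first only if RBL is delayed.
    if sender.lower() in cfg["sender_allow"]:
        return ("accept", "sender allow list")
    if hit:
        return ("block", "listed on " + hit + " (delayed check)")
    return ("continue", "no IP verdict, go on to mail scanning")

# Constructed sample data: documentation address ranges and a made-up zone.
CONSTRUCTED_LISTED = {"7.113.0.203.dnsbl.example"}
CONSTRUCTED_CFG = {
    "allowed_ips": {"192.0.2.10"},
    "blocked_ips": {"198.51.100.66"},
    "rbl_zones": ["dnsbl.example"],
    "sender_allow": {"billing@partner.example"},
    "delay_rbl": False,
}

def demo(delay_rbl):
    """Same listed IP and allow-listed sender, with and without delayed RBL."""
    cfg = dict(CONSTRUCTED_CFG, delay_rbl=delay_rbl)
    return ip_analysis("203.0.113.7", "billing@partner.example", cfg,
                       CONSTRUCTED_LISTED.__contains__)
```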

Sender Authentication

Declaring an invalid “from” address is a common practice by spammers. The Barracuda Spam Firewall utilizes a number of techniques to both validate the sender and to apply policy.

  • Protocol compliance. Before even validating a sender, the Barracuda Spam Firewall validates that the sender is specified properly. Examples of enforcement policies include forcing RFC 821 compliance or requiring fully qualified domain names.
  • DNS lookup. To prevent senders from faking a “from” domain, the Barracuda Spam Firewall can perform a DNS lookup on the sender domain to ensure that the domain exists.
  • Sender spoof protection. Optionally, the Barracuda Spam Firewall can prevent “spoofing” of the customer’s own domain by disallowing emails from the outside that use the customer’s own domain name. Note that sender spoof protection should not be enabled if the organization sends messages from outside its internal email infrastructure (e.g., in the case of marketing bulk-mail services).
  • Custom policies. Organizations can define their own allowed sender domains or email addresses. They can also define their own block lists based on sender domains or email addresses. Note that allow lists override block lists.
  • Sender Policy Framework (SPF). SPF is a proposed standard with growing momentum, designed to prevent spoofing of email domains. SPF provides a means for organizations to declare their known email servers in their DNS records so that email recipients can validate the identity of the sender domain based on the IP address of the sending email server. The Barracuda Spam Firewall enables email administrators to block or tag messages on failed SPF checks.

Recipient Verification

Many spammers attack email infrastructures by harvesting email addresses. The Barracuda Spam Firewall verifies the validity of recipient email addresses through multiple techniques.

  • Protocol compliance. Before even validating a recipient, the Barracuda Spam Firewall validates that the recipient is specified properly. An example of an enforcement policy includes forcing RFC 821 compliance.
  • Custom policies. Organizations can define their policies based on allowed recipient email addresses for which spam scanning should be disabled. They can also define their own block lists based on email addresses. Note that allow lists override block lists.
  • LDAP recipient verification. Customers of Barracuda Spam Firewall models 300 and higher can choose to reject messages if the recipient email addresses do not appear in the LDAP directory.
  • SMTP recipient verification. By default, the Barracuda Spam Firewall rejects messages if the downstream mail server does not accept mail for that recipient.

 

Mail Scanning

As spammers become more sophisticated, mail scanning techniques grow in their importance.

Virus Scanning

The most basic level of mail scanning is virus scanning. The Barracuda Spam Firewall utilizes two layers of virus scanning and automatically decompresses archives for comprehensive protection.

Virus scanning takes precedence over all other mail scanning techniques, and it is applied even when mail passes through the connection management layers. As such, even email coming from “whitelisted” IP addresses, sender domains, sender email addresses or recipients is still scanned for viruses and blocked if a virus is detected.

Custom Policy

Administrators can choose to define their own policies, perhaps for compliance or governance reasons, which take precedence over spam blocking rules delivered to the system automatically through Barracuda Energize Updates. The Barracuda Spam Firewall enables administrators to set custom content filters based on the subject, message headers, message bodies and attachment file type.

In general, administrators do not need to set their own filters for the purposes of blocking spam, as these forms of rules are delivered to Barracuda Spam Firewalls automatically through Barracuda Energize Updates.

Fingerprint Analysis

A message “fingerprint” is based on commonly used message components (e.g., an image) across many instances of spam. Fingerprint analysis is often a useful mechanism to block future instances of spam once an early outbreak is identified.

Engineers at Barracuda Central work around the clock to identify new spam fingerprints which are then updated on all Barracuda Spam Firewalls through Barracuda Energize Updates.

Intent Analysis

All spam messages have an “intent” – which is to get a user to reply to an email, visit a Web site or call a phone number. Intent analysis involves researching email addresses, Web links and phone numbers embedded in email messages to determine whether they are associated with legitimate entities. Frequently, intent analysis is the defense layer that catches phishing attacks.

The Barracuda Spam Firewall features multiple forms of intent analysis:

  • Intent analysis. The Barracuda Spam Firewall extracts markers of intent such as URLs and compares them against a database maintained by Barracuda Central and delivered to the Barracuda Spam Firewall via Barracuda Energize Updates.
  • Real-time intent analysis. For new domain names that may come into use, real-time intent analysis involves performing DNS lookups against known URL block lists.
  • Multilevel intent analysis. Use of free Web sites to redirect to known spammer sites is a growing practice used by spammers to hide or obfuscate their identity from mail scanning techniques such as Intent Analysis. Multilevel intent analysis involves inspecting the results of Web queries to URLs of well-known free Web sites for redirections to known spammer sites.

Image Analysis

Today, image spam represents about one-third of all traffic on the Internet. While fingerprint analysis captures a significant percentage of images after they have been seen, the Barracuda Spam Firewall also uses image analysis techniques which protect against new image variants. These techniques include:

  • Optical Character Recognition (OCR). Embedding text in images is a popular spamming practice to avoid text processing in anti-spam engines. OCR enables the Barracuda Spam Firewall to analyze the text rendered inside the images.
  • Image Processing. To mitigate attempts by spammers to foil optical character recognition through speckling, shading, or color manipulation, the Barracuda Spam Firewall also utilizes a number of lightweight image processing technologies to normalize the images prior to the OCR phase. More heavyweight image processing algorithms are utilized at Barracuda Central to quickly generate fingerprints that can be used by Barracuda Spam Firewalls to block messages.
  • Animated GIF Analysis. In addition, the Barracuda Spam Firewall contains specialized algorithms for analyzing animated GIFs for suspect content.

Bayesian Analysis

Bayesian Analysis is a linguistic algorithm that profiles language used in both spam messages and legitimate email for any particular user or organization. To determine the likelihood that a new email is spam, Bayesian Analysis compares the words and phrases used in the new email against the corpus of previously received email.

The Barracuda Spam Firewall only uses Bayesian Analysis after administrators or users profile a corpus of at least 200 legitimate messages and 200 spam messages.
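
The profiling step and the 200-message gate can be illustrated with a small naive Bayes classifier. This is an added example, not Barracuda's algorithm: the tokenizer, the smoothing, the class and function names and the training messages are all assumptions made for the illustration.

```python
import math
import re
from collections import Counter

MIN_CORPUS = 200  # from the text: at least 200 legitimate and 200 spam messages

class BayesFilter:
    def __init__(self):
        self.tokens = {"spam": Counter(), "ham": Counter()}
        self.messages = {"spam": 0, "ham": 0}

    @staticmethod
    def tokenize(text):
        # Each distinct word counts once per message.
        return set(re.findall(r"[a-z0-9$']+", text.lower()))

    def train(self, text, label):
        self.messages[label] += 1
        self.tokens[label].update(self.tokenize(text))

    def ready(self):
        return all(n >= MIN_CORPUS for n in self.messages.values())

    def spam_probability(self, text):
        """Return P(spam | words), or None until both corpora are large enough."""
        if not self.ready():
            return None
        n_spam, n_ham = self.messages["spam"], self.messages["ham"]
        log_odds = math.log(n_spam / n_ham)          # prior from corpus sizes
        for tok in self.tokenize(text):
            # Add-one smoothing so an unseen word never gives a zero probability.
            p_spam = (self.tokens["spam"][tok] + 1) / (n_spam + 2)
            p_ham = (self.tokens["ham"][tok] + 1) / (n_ham + 2)
            log_odds += math.log(p_spam / p_ham)
        log_odds = max(-50.0, min(50.0, log_odds))   # keep exp() in range
        return 1 / (1 + math.exp(-log_odds))

def trained_filter(n):
    """Train on n constructed spam and n constructed legitimate messages."""
    f = BayesFilter()
    for i in range(n):
        f.train(f"cheap pills offer click now {i}", "spam")
        f.train(f"meeting agenda attached for project review {i}", "ham")
    return f

if __name__ == "__main__":
    print(trained_filter(199).spam_probability("click now for cheap pills"))
    print(trained_filter(200).spam_probability("click now for cheap pills"))
```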

Spam Scoring

Beyond absolute blocks that a single filter can apply, the Barracuda Spam Firewall also includes a sophisticated scoring engine that weighs multiple factors where a single filter may result in too restrictive a policy. By combining multiple rules with known weightings, the Barracuda Spam Firewall can deliver a strong confidence interval for spam messages.

The Barracuda Spam Firewall enables administrators to set global spam scores. Certain models of the Barracuda Spam Firewall also support per-domain and per-user thresholds.




Hula Networks is an authorized reseller of Barracuda Networks.
Copyright © 2013 Barracuda Networks, Inc. All rights reserved.