Jump to content


Photo

Helpful Tutuorials for the Barracuda Email Security Service

ESS Essential spam

  • This topic is locked This topic is locked
7 replies to this topic

#1 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 355 posts

Posted 06 December 2016 - 06:08 PM

How does outbound rate control work for the Barracuda Email Security Serivce

By default Barracuda Email security service accounts Outbound Rate Limit is set to 150 recipients per 30 minutes per sender. That is 7200 recipients per day that any one user can send out. If your users are hitting rate limit it means they are sending out mail to more than 150 recipients per 30 minutes.

Please note that this is not a block of their mail it is a deferral. Your mail server should retry this mail until it is all delivered.

 

Please also note that Per User Rate Control only affects users listed in the ESS users list. Users not in the userlist are all lumped together and get the per domain rate limit which is normally 250 per 30 minutes. Anyone sending outbound mail though ESS should be listed in the userlist.

 

One of the reasons a sender might hit our rate control limits more than normal is the configuration of your mail server. For example: If a user sends out a mass mailing to 1000 people that will hit their rate control limit. It will take at least 4 hours for all this mail to be delivered. If your mail server retries this deferred mail every few minutes this can cause the sender to remain rate limited for a very long time. Barracuda recommends that you configure your mail server to retry deferred connections every 30 minutes to avoid this problem.

 

If you have mail that must go out immediately then Barracuda recommends that you either bypass ESS, sending it directly to the internet or that you use a mass mailing service that is designed for this purpose. Barracuda is also aware that some organizations use a program to mass mail that does not retry deferred mail. If you are using a program like this then we recommend that you configure it to deliver the mail directly to the internet or have it relay the mail through a fully functional mail server that can correctly handle deferred mail.

 

Exceeding rate control limits will show up on your outbound abuse report page however if there is a problem with your account that results in your outbound IP or a user email address being blocked you will hear directly from Barracuda via email or a call explaining the problem that requires attention.

 

Please reference our terms of service page in regards to bulk or mass mailing.

https://campus.barra...neServiceTerms/


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300


#2 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 355 posts

Posted 06 December 2016 - 06:12 PM

Why was a message with a virus delivered when the GUI shows it as a virus
 

In ESS messages are always checked for viruses.

They are checked when they first go through the system

They are also checked each time you try to view them in the GUI

If a message has a new virus we are unaware of it is delivered.

If you later go to the GUI and look at the message is it again checked and if a virus is found we don't show it and instead display a virus warning.

Our virus updates now see this as a virus so it is not blocked at the GUI,

You can also tell that this was seen later as a virus because the virus reason will be the last line in the header, for example

 

    X-Virus-Identifiers: BN.ZeroHour-4fbf702d55f53d4

 

If the message was seen as a virus during the original scan the reason would have been at the top of the header.


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300


#3 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 355 posts

Posted 06 December 2016 - 06:23 PM

Why does the Email Security Service not deliver deferred mail in the message log (eg: ATP Pending Scan).

 

Mail can be deferred for many reasons,
 

Destination server off line
Destination address invalid
Destination server rejects mail for size
ATP service unavailable or pending scan

No Response to HELO/EHLO
and many more

 

When the mail fails to be delivered for any reason the sending server is notified of the failure and it is then responsible for retrying the message. Each time the sending server retries the message it will show up as a new line in the Email Security Service message log.

The easiest way to find out if a deferred message was retried and delivered is to do a search for all or part of the message subject.

This will show you all of the attempts at delivery.

Note that at any time you can manually deliver mail from the Email Security Service message log however at the time of this posting there is an issue with manually delivering large messages. This is being worked on and should be resolved soon,


 


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300


#4 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 355 posts

Posted 06 December 2016 - 06:26 PM

What is the difference between GLOBAL (ACCOUNT) and PER DOMAIN policies

If you add or change a policy in the Barracuda Email Security Service (BESS) and it doesn't work it is almost always due to their being three different policy layers in BESS.
There are the GLOBAL (ACCOUNT) level policies

There are the PER DOMAIN level policies.
There are the PER USER policies

If an admin uses only GLOBAL (ACCOUNT) level policies then those are the policies that will be used.

If however an admin (BCC admin or BESS per domain admin) saves ANY policy at the PER DOMAIN level then ONLY that PER DOMAIN policy will be used for the domain.
Once AGAIN. If a PER DOMAIN level policy is saved then the GLOBAL (ACCOUNT) level policy is no longer used.

 

ALWAYS check the PER DOMAIN policies when you run into a case where a filter is NOT working.

NOTES:

This happens even on accounts with a single domain.
This happens when PER DOMAIN admins are added to BESS and start managing their domain.

Per User policies over-ride Account and Per Domain level policies

So there are global OR per domain policies NOT global AND per domain policies.

If you want to REVERT back to using only the GLOBAL policy for a variable then please call into Barracuda technical support and they can revert all or a single setting back to global.


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300


#5 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 355 posts

Posted 08 December 2016 - 11:49 AM

Logging into the Barracuda Email Security Service (BESS)

To login to BESS you need to go to this URL

   https://ess.barracduanetworks.com

From there you can login to BESS using your email address and password. If your administrator has configured the BESS account to use LDAP then you can use your LDAP password, if not you will need to use a local password.

 

If you do NOT have a password yet configured then enter your email address at the login prompt and click the "Send Login Information" button.
This will send you an email with a link you can use to set your password.
If you do not get the password reset/create email then please contact your system administrator so they can manually set a password for you.

If you access your BESS account from a quarantine notification email and your account does NOT yet have a password you will be shown the set password webpage. Please create and save your password so that in the future your quarantine functions will work correctly.

   ADMINISTRATOR NOTE:

 

   This password email will be in your BESS message log.

   It will be from noreply@barracuda.com and have a subject of "Login Information"
   If it is not in the message log then either your user did not correctly click the

   button or you have a webfilter in place that is blocking this request.

   As an administrator you can manually set a password for your user.


 


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300


#6 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 355 posts

Posted 15 March 2017 - 10:03 AM

THE NEW BARRACUDA EMAIL SECURITY SERVICE (BESS) REDELIVERY QUEUE

 

The new redelivery queue shows BESS customers the mail they selected from the message log for manual delivery.

It is a delivery management queue for BESS that shows the status of mail selected for redelivery.

It was created to solve the problems with selecting multiple messages for redelivery where some could be delivered and others (empty messages for example) could not.

The mail selected is dumped into this queue and the queue now delivers the mail.

If it is delivered it disappears from the queue (often when you access the queue most of the mail you selected is already gone)

If there is mail in the queue there will be a link to it at the top of the message log page just above the "Message Filters"

   XX messages sent to the delivery queue. Redelivery Queue

If there is nothing in the queue then there is no need or reason to access it so there is not a link to it anywhere.

This link will remain until all the mail in the queue is delivered OR until the mail is removed because it cannot be delivered.

BESS will retry the mail that can't be delivered for few hours. If it cannot be delivered it is deleted from the queue.

This is not a log or history of mail selected for redelivery, it the active queue of mail selected for delivery that has not yet been delivered.


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300


#7 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 355 posts

Posted 17 March 2017 - 04:15 PM

CONFIGURING THE BARRACDUA EMAIL SECURITY SERVICE (ESS) TO ACCEPT MAIL FOR YOUR USERS

NOTE: This is all based on a customer with just one domain in their account. Comments on accounts with multiple domains is listed below.

There are two sections here, the first is with NO recipient verification enabled on the destination mail server. The second is WITH recipient verification enabled on the destination mail server. Where possible Barracuda recommends enabling recipient verification on your destination mail server.

FIRST SECTION - NO recipient verification on the destination mail server

1. No Users created

   - unmanaged users set to scan or allow
 

2. Users created

   - using LDAP sync, auto-create or manually

   - unmanaged users set to scan or allow

Methods 1 & 2 are the worst things you can do when configuring ESS. ESS will accept and deliver mail for any username associated with your domain. This means a domain with 10 users could receive mail for thousands of invalid addresses.

3. Users created

   - using LDAP sync or manually

   - unmanaged users set to BLOCK

Method 3 will allow the Barracuda to reject mail for any users not in your userlist. SEE ALIAS and LINKED ACCOUNTS below for more information on creating accounts. When using this method it is critical that your keep your userlist up to date especially if manually creating users. NOTE: You cannot use the auto-create option with unmanaged users set to BLOCK.

SECOND SECTION - Recipient Verification enabled on the destination mail server

4. No Users created

   - managed users set to SCAN

   - unmanaged users set to SCAN

Method 4 is used when you don't want or need your users to have login access to their personal account on ESS. ESS will only accept mail for users your mail server reports as valid.

5. Users created

   - using LDAP sync, auto-create or manually

   - unmanaged users set to scan or allow

Method 5 will create accounts on ESS for your users. With recipient verification enabled ESS will only deliver mail to valid users.

 

6. Users created

   - using LDAP sync or manually

   - unmanaged users set to BLOCK

Method 6 is the same as method three above but with the added security of recipient verification at the mail server. It will allow the Barracuda to reject mail for any users not in your userlist. SEE ALIAS and LINKED ACCOUNTS below for more information on creating accounts. When using this method it is critical that your keep your userlist up to date especially if manually creating users. NOTE: You cannot use the auto-create option with unmanaged users set to BLOCK.

NOTE: Method 5 is the most efficient way to manage your users on ESS but it is critical that recipient verification be enabled and working on your mail server at all times. If it is not then Method 6 is the way you should go.

NOTE: Users login to ESS by going to https://ess.barracudanetworks.com.

ALIASES and LINKED ACCOUNTS

If you have users with multiple email addresses (aliases) then that can be seen by ESS as a single user account. Aliases can be added to user accounts either manually or by using LDAP sync. If created manually you would create the primary user account, log into it and then from the "setting/linked accounts" page add that users aliased addresses. LDAP sync will automatically build your user account with aliases based on the LDAP configuration.

ESS ACCONTS WITH MULTIPLE DOMAINS

 

If you have multiple domains in your ESS account then there are a few things to remember.

First is that you can use domain aliasing for domains so they use all the same settings and policies. This is similar to the user linking detailed above. It is VERY IMPORTANT to understand that if you use domain aliasing that all usernames must be in the PRIMARY domain. For example if you have DomainA, DomainB, DomainC and you have B and C aliased to A then mail sent to user123@DomainC must be a valid user in DomainA (user123@DomainA). With domain aliasing ESS checks the PRIMARY domain to validate usernames and to manage their user accounts.

Second is that is you are using LDAP to create your users DO NOT use domain aliasing. LDAP will automatically link (alias) your users so there is no need to use domain aliasing and in most cases using both of them together will cause problems with mail delivery and user access to their mail.


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300


#8 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 355 posts

Posted 04 May 2017 - 02:14 PM

Why does the Barracuda Email Security Service not allow outbound NDR messages

When some mail servers receive mail for an invalid user they accept the mail and then generate a new email to the sender telling them the recipient is invalid. This is called an NDR or None Deliver Receipt.

This parctice is called backscatter and spammers and hackers rely on domains that do this to generate Denial Of Service Attacks. They will send out their mass emails to domains that generate NDRs spoofing a legitimate domain. These servers accept the mail and then flood the spoofed domain with NDR replies creating a distributed denial of service attack.

To prevent this mail to invalid user should be rejected during the connection stage. A 4xx or 5xx SMTP response code should be returned to the actual sending server when mail is sent to an invalid recipient.

There are two ways to accomplish this when using ESS

First you can create a valid user list on ESS for all your users. Then under the USERS > Default Policy set unmanaged users to block. This will require that you keep your user list on ESS up to date.

Secondarily you can turn on SMTP recipient verification on your mail server. This will tell ESS when a user is valid or invalid and the ESS will be able to relay that information directly to the sending server.

Either of these methods will eliminae the need for outbound NDR's and eliminating the possibility for backscatter.
 


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300