


Helpful Tutorials for the Barracuda Email Security Service

ESS Essential spam

9 replies to this topic

#1 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 387 posts

Posted 06 December 2016 - 06:08 PM

How does mail flow through the Barracuda Email Security Service from sender to recipient

The first thing that is important to know is that the Barracuda Email Security Service (ESS) is not a normal mail service. It does not accept incoming mail, close the connection, process the mail and then deliver it.

It is what is known as a relay or pass-through service. It does the following

1. The sender connects to the ESS service
2. They send the "mail from" and "rcpt to" commands
3. ESS reads the "rcpt to" and if
    a.) If it is an ESS customer domain
    b.) If it is outbound mail coming from an authorized customer IP
4. ESS connects to the domain's destination server
5. ESS monitors the data between the sending and recipient servers
    a.) it checks for intent (domains or addresses on our blocklists)
    b.) viruses (signatures or malware)
    c.) content filters - Barracuda, account or domain level
    d.) sender filters - Barracuda, account, domain or user level
    e.) recipient filters - Barracuda, account or domain level

6. If for any reason mail is found that should be blocked the connection to the destination is reset (dropped) and we return back to the sending server a 5xx blocked reason. The sending server is then responsible for generating an NDR back to the sender.

IMPORTANT NOTE: Mail that is deferred for any reason is NOT delivered by ESS.

This deferral is returned back to the sending server and it is responsible for retrying the mail. This retry will be a NEW line in the message log.

The best way to find out if a deferred piece of mail has been retried and delivered is to do a search of the message log for the sender and subject of the message.

 

Finally: Email that is sent to a domain that should be going through the Barracuda Email Security Service that is not in your Barracuda Email Security Service log (this could be the sender or recipient) did not make it to BESS. Always have the sender's BESS log checked first, if they are a BESS customer, to ensure they did not block their mail to you.

Thank you,
 

Please reference our terms of service page in regards to bulk or mass mailing.

https://campus.barra...neServiceTerms/


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300


#2 Michelle Exner


Posted 06 December 2016 - 06:12 PM

Why was a message with a virus delivered when the GUI shows it as a virus
 

In ESS messages are always checked for viruses.

They are checked when they first go through the system

They are also checked each time you try to view them in the GUI

If a message has a new virus we are unaware of it is delivered.

If you later go to the GUI and look at the message it is again checked and if a virus is found we don't show it and instead display a virus warning.

Our virus updates now see this as a virus so it is not blocked at the GUI,

You can also tell that this was seen later as a virus because the virus reason will be the last line in the header, for example

 

    X-Virus-Identifiers: BN.ZeroHour-4fbf702d55f53d4

 

If the message was seen as a virus during the original scan the reason would have been at the top of the header.


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300
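
The header-position check described in the post above, as an added example that is not part of the original post or Barracuda's own tooling. The sample messages are constructed; the identifier value is the one quoted in the post, and the verdict labels are names chosen for this example.

```python
from email import message_from_string

VIRUS_HEADER = "x-virus-identifiers"

# Constructed sample: header appended at the end (seen as a virus on a later view).
SAMPLE_LATE = (
    "Received: from mail.example.org by mx.example.net; Tue, 06 Dec 2016 10:00:00 -0800\n"
    "From: sender@example.org\n"
    "To: user@example.net\n"
    "Subject: Invoice\n"
    "X-Virus-Identifiers: BN.ZeroHour-4fbf702d55f53d4\n"
    "\n"
    "body\n"
)

# Constructed sample: header at the top (seen as a virus during the original scan).
SAMPLE_EARLY = (
    "X-Virus-Identifiers: BN.ZeroHour-4fbf702d55f53d4\n"
    "Received: from mail.example.org by mx.example.net; Tue, 06 Dec 2016 10:00:00 -0800\n"
    "From: sender@example.org\n"
    "To: user@example.net\n"
    "Subject: Invoice\n"
    "\n"
    "body\n"
)

# Constructed sample: no virus header at all.
SAMPLE_CLEAN = "From: sender@example.org\nTo: user@example.net\nSubject: Hi\n\nbody\n"


def classify_virus_header(raw_message):
    """Return (verdict, identifiers) from where X-Virus-Identifiers sits in the header block."""
    msg = message_from_string(raw_message)
    headers = msg.items()  # (name, value) pairs in their original order
    hits = [i for i, (name, _) in enumerate(headers) if name.lower() == VIRUS_HEADER]
    if not hits:
        return "no-virus-header", []
    identifiers = [headers[i][1].strip() for i in hits]
    if len(headers) == 1:
        # A lone header is both first and last, so position says nothing.
        return "position-inconclusive", identifiers
    if hits[-1] == len(headers) - 1:
        return "flagged-on-later-view", identifiers
    if hits[0] == 0:
        return "flagged-at-original-scan", identifiers
    return "position-inconclusive", identifiers


if __name__ == "__main__":
    for label, raw in [("late", SAMPLE_LATE), ("early", SAMPLE_EARLY), ("clean", SAMPLE_CLEAN)]:
        print(label, classify_virus_header(raw))
```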


#3 Michelle Exner


Posted 06 December 2016 - 06:26 PM

What is the difference between GLOBAL (ACCOUNT) and PER DOMAIN policies

If you add or change a policy in the Barracuda Email Security Service (BESS) and it doesn't work it is almost always due to there being three different policy layers in BESS.
There are the GLOBAL (ACCOUNT) level policies

There are the PER DOMAIN level policies.
There are the PER USER policies

If an admin uses only GLOBAL (ACCOUNT) level policies then those are the policies that will be used.

If however an admin (BCC admin or BESS per domain admin) saves ANY policy at the PER DOMAIN level then ONLY that PER DOMAIN policy will be used for the domain.
Once AGAIN. If a PER DOMAIN level policy is saved then the GLOBAL (ACCOUNT) level policy is no longer used.

 

ALWAYS check the PER DOMAIN policies when you run into a case where a filter is NOT working.

NOTES:

This happens even on accounts with a single domain.
This happens when PER DOMAIN admins are added to BESS and start managing their domain.

Per User policies over-ride Account and Per Domain level policies

So there are global OR per domain policies NOT global AND per domain policies.

If you want to REVERT back to using only the GLOBAL policy for a variable then please call into Barracuda technical support and they can revert all or a single setting back to global.


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300


#4 Michelle Exner


Posted 08 December 2016 - 11:49 AM

Logging into the Barracuda Email Security Service (BESS)

To log in to BESS you need to go to this URL

   https://ess.barracudanetworks.com

From there you can log in to BESS using your email address and password. If your administrator has configured the BESS account to use LDAP then you can use your LDAP password, if not you will need to use a local password.

 

If you do NOT have a password yet configured then enter your email address at the login prompt and click the "Send Login Information" button.
This will send you an email with a link you can use to set your password.
If you do not get the password reset/create email then please contact your system administrator so they can manually set a password for you.

If you access your BESS account from a quarantine notification email and your account does NOT yet have a password you will be shown the set password webpage. Please create and save your password so that in the future your quarantine functions will work correctly.

   ADMINISTRATOR NOTE:

 

   This password email will be in your BESS message log.

   It will be from noreply@barracuda.com and have a subject of "Login Information"
   If it is not in the message log then either your user did not correctly click the

   button or you have a webfilter in place that is blocking this request.

   As an administrator you can manually set a password for your user.


 


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300


#5 Michelle Exner


Posted 15 March 2017 - 10:03 AM

THE NEW BARRACUDA EMAIL SECURITY SERVICE (BESS) REDELIVERY QUEUE

 

The new redelivery queue shows BESS customers the mail they selected from the message log for manual delivery.

It is a delivery management queue for BESS that shows the status of mail selected for redelivery.

It was created to solve the problems with selecting multiple messages for redelivery where some could be delivered and others (empty messages for example) could not.

The mail selected is dumped into this queue and the queue now delivers the mail.

If it is delivered it disappears from the queue (often when you access the queue most of the mail you selected is already gone)

If there is mail in the queue there will be a link to it at the top of the message log page just above the "Message Filters"

   XX messages sent to the delivery queue. Redelivery Queue

If there is nothing in the queue then there is no need or reason to access it so there is not a link to it anywhere.

This link will remain until all the mail in the queue is delivered OR until the mail is removed because it cannot be delivered.

BESS will retry the mail that can't be delivered for a few hours. If it cannot be delivered it is deleted from the queue.

This is not a log or history of mail selected for redelivery, it is the active queue of mail selected for delivery that has not yet been delivered.


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300


#6 Michelle Exner


Posted 17 March 2017 - 04:15 PM

CONFIGURING THE BARRACUDA EMAIL SECURITY SERVICE (ESS) TO ACCEPT MAIL FOR YOUR USERS

NOTE: This is all based on a customer with just one domain in their account. Comments on accounts with multiple domains are listed below.

There are two sections here, the first is with NO recipient verification enabled on the destination mail server. The second is WITH recipient verification enabled on the destination mail server. Where possible Barracuda recommends enabling recipient verification on your destination mail server.

FIRST SECTION - NO recipient verification on the destination mail server

1. No Users created

   - unmanaged users set to scan or allow
 

2. Users created

   - using LDAP sync, auto-create or manually

   - unmanaged users set to scan or allow

Methods 1 & 2 are the worst things you can do when configuring ESS. ESS will accept and deliver mail for any username associated with your domain. This means a domain with 10 users could receive mail for thousands of invalid addresses.

3. Users created

   - using LDAP sync or manually

   - unmanaged users set to BLOCK

Method 3 will allow the Barracuda to reject mail for any users not in your userlist. SEE ALIAS and LINKED ACCOUNTS below for more information on creating accounts. When using this method it is critical that you keep your userlist up to date especially if manually creating users. NOTE: You cannot use the auto-create option with unmanaged users set to BLOCK.

SECOND SECTION - Recipient Verification enabled on the destination mail server

4. No Users created

   - managed users set to SCAN

   - unmanaged users set to SCAN

Method 4 is used when you don't want or need your users to have login access to their personal account on ESS. ESS will only accept mail for users your mail server reports as valid.

5. Users created

   - using LDAP sync, auto-create or manually

   - unmanaged users set to scan or allow

Method 5 will create accounts on ESS for your users. With recipient verification enabled ESS will only deliver mail to valid users.

 

6. Users created

   - using LDAP sync or manually

   - unmanaged users set to BLOCK

Method 6 is the same as method three above but with the added security of recipient verification at the mail server. It will allow the Barracuda to reject mail for any users not in your userlist. SEE ALIAS and LINKED ACCOUNTS below for more information on creating accounts. When using this method it is critical that you keep your userlist up to date especially if manually creating users. NOTE: You cannot use the auto-create option with unmanaged users set to BLOCK.

NOTE: Method 5 is the most efficient way to manage your users on ESS but it is critical that recipient verification be enabled and working on your mail server at all times. If it is not then Method 6 is the way you should go.

NOTE: Users login to ESS by going to https://ess.barracudanetworks.com.

ALIASES and LINKED ACCOUNTS

If you have users with multiple email addresses (aliases) then that can be seen by ESS as a single user account. Aliases can be added to user accounts either manually or by using LDAP sync. If created manually you would create the primary user account, log into it and then from the "setting/linked accounts" page add that user's aliased addresses. LDAP sync will automatically build your user account with aliases based on the LDAP configuration.

ESS ACCOUNTS WITH MULTIPLE DOMAINS

 

If you have multiple domains in your ESS account then there are a few things to remember.

First is that you can use domain aliasing for domains so they use all the same settings and policies. This is similar to the user linking detailed above. It is VERY IMPORTANT to understand that if you use domain aliasing that all usernames must be in the PRIMARY domain. For example if you have DomainA, DomainB, DomainC and you have B and C aliased to A then mail sent to user123@DomainC must be a valid user in DomainA (user123@DomainA). With domain aliasing ESS checks the PRIMARY domain to validate usernames and to manage their user accounts.

Second is that if you are using LDAP to create your users DO NOT use domain aliasing. LDAP will automatically link (alias) your users so there is no need to use domain aliasing and in most cases using both of them together will cause problems with mail delivery and user access to their mail.


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300


#7 Michelle Exner


Posted 04 May 2017 - 02:14 PM

Why does the Barracuda Email Security Service not allow outbound NDR messages

When some mail servers receive mail for an invalid user they accept the mail and then generate a new email to the sender telling them the recipient is invalid. This is called an NDR or Non-Delivery Receipt.

This practice is called backscatter and spammers and hackers rely on domains that do this to generate Denial Of Service Attacks. They will send out their mass emails to domains that generate NDRs spoofing a legitimate domain. These servers accept the mail and then flood the spoofed domain with NDR replies creating a distributed denial of service attack.

To prevent this, mail to invalid users should be rejected during the connection stage. A 4xx or 5xx SMTP response code should be returned to the actual sending server when mail is sent to an invalid recipient.

There are two ways to accomplish this when using ESS

First you can create a valid user list on ESS for all your users. Then under the USERS > Default Policy set unmanaged users to block. This will require that you keep your user list on ESS up to date.

Secondarily you can turn on SMTP recipient verification on your mail server. This will tell ESS when a user is valid or invalid and the ESS will be able to relay that information directly to the sending server.

Either of these methods will eliminate the need for outbound NDR's and eliminate the possibility for backscatter.

NOTE that Barracuda does not block Out Of Office replies or Automatic Replies.

If you have a legitimate reason for sending outbound NDR's (invalid users and message too large are not considered a valid reason) you can contact Barracuda Technical Support at 888-268-4772 (US) or 408-342-5600 and we can review your issue and if needed can enable NDR's. For Barracuda to approve outbound NDR's your mail server must be configured to reject mail for invalid users. This will ensure that our service can not be used for a Backscatter attack.

If your reason for wanting to send out NDR's is for an email being too large then please call into support and we can configure your ESS account to reject mail above a certain size. By default ESS will accept mail up to 300MB. This size can be set on a per domain basis.


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300


#8 Michelle Exner


Posted 12 February 2019 - 11:52 AM

What does the reason "Pending Scan" mean?
What does the reason "Retrying - ATP Scan Inconclusive" mean?
 
ESS is not an actual email server. It is what is known as a relay service.
 
ESS accepts connections from sending servers.
ESS gets the recipient's domain and checks to see if they are an ESS customer.
If they are then ESS connects to the customer's mail server.
ESS then relays the data between the servers and monitors that data for dangerous content.
 
If ESS sees anything in the data-stream that is spam, a virus, or a block or quarantine policy ESS closes the connection to the destination server (so it isn't accepted) and ESS sends a rejected packet (550 Blocked) back to the sender. That connection is then listed in our log.
 
If the mail doesn't hit any reasons to be blocked or quarantined by ESS then the mail is completed and we wait for the destination server to return the final SMTP response.
 
This can be:
 
250 OK
421 deferred
550 blocked
 
ESS returns the response we get from the destination (customer's) mail server to the sending mail server and the connection is closed.
 
With ATP there is an additional filtering process that happens.
 
If the email has one of the many attachment types that we check that attachment is sent to our dedicated ATP servers for processing.
 
Because ESS is a relay service we can only wait a short while for the ATP service to return a response. This is because many sending servers will close connections if there is too long a delay in our response to a sent packet or the end of data command. This results in a retry of the mail and could result in duplicate mail being sent.
 
ESS waits approximately 10 seconds for the resolution of the attachment scan from ATP. If ATP takes longer than that ESS closes the connection to the destination (customer's) server and sends a "421 deferred" back to the sending server. This tells the sending server to retry the mail again later.
 
Even though the delivery of the mail has been deferred ATP continues the scanning of the mail and will cache the result it comes up with. If/When the sending server retries the mail with that same attachment the cached result is instantly returned and the mail is processed normally. This same cached result will be used for any future attachments that are an exact match to the one cached.
 
The reasons you are seeing in your message log:
 
Retrying. ATP Scan Inconclusive
Pending Scan
 
Is what ESS shows for mail that has been deferred because ATP could not complete the scanning of the attachment in the time allotted.

Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300
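
The message-log search recommended in post #1 (find the retry of a deferred message by sender and subject) and the ATP deferral reasons from the post above, worked through as an added example that is not part of the original posts. The CSV column names and rows are constructed for illustration and are an assumption, not the format of an actual ESS log export; the recipient is added to the match key so copies to different recipients are not merged.

```python
import csv
import io
from datetime import datetime

# Constructed sample log; column names are hypothetical.
SAMPLE_LOG = """\
time,from,to,subject,action,reason
2019-02-12 09:00:05,alice@example.org,bob@example.net,Q1 report,Deferred,Pending Scan
2019-02-12 09:15:07,alice@example.org,bob@example.net,Q1 report,Delivered,
2019-02-12 09:20:00,carol@example.org,bob@example.net,Scan0042,Deferred,Retrying - ATP Scan Inconclusive
2019-02-12 09:50:00,carol@example.org,bob@example.net,Scan0042,Deferred,Pending Scan
2019-02-12 10:05:00,dave@example.org,bob@example.net,Hello,Delivered,
"""


def load_log(text):
    """Parse the CSV text and return rows sorted by timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
    return sorted(rows, key=lambda r: r["time"])


def trace_deferrals(rows):
    """For every message that was deferred at least once, report its latest outcome.

    Each retry is a NEW log line, so attempts are grouped by
    (sender, recipient, subject) and the last line decides the outcome.
    """
    groups = {}
    for row in rows:
        key = (row["from"].lower(), row["to"].lower(), row["subject"].strip().lower())
        groups.setdefault(key, []).append(row)

    report = []
    for (sender, recipient, subject), attempts in groups.items():
        if not any(a["action"] == "Deferred" for a in attempts):
            continue  # never deferred, nothing to trace
        final = attempts[-1]
        report.append({
            "sender": sender,
            "recipient": recipient,
            "subject": subject,
            "attempts": len(attempts),
            "reasons": [a["reason"] for a in attempts if a["reason"]],
            "final_action": final["action"],
            "resolved": final["action"] != "Deferred",
            "elapsed": final["time"] - attempts[0]["time"],
        })
    return report


def unresolved(report):
    """Deferred messages whose most recent log line is still a deferral."""
    return [entry for entry in report if not entry["resolved"]]


if __name__ == "__main__":
    for entry in trace_deferrals(load_log(SAMPLE_LOG)):
        print(entry)
```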


#9 Michelle Exner


Posted 21 February 2019 - 11:15 AM

How does outbound rate control work for the Barracuda Email Security Service

By default Barracuda Email security service accounts Outbound Rate Limit is set to 150 recipients per 30 minutes per sender. That is 7200 recipients per day that any one user can send out. If your users are hitting rate limit it means they are sending out mail to more than 150 recipients per 30 minutes.

Please note that this is not a block of their mail it is a deferral. Your mail server should retry this mail until it is all delivered.

 

Please also note that Per User Rate Control only affects users listed in the ESS users list. Users not in the userlist are all lumped together and get the per domain rate limit which is normally 250 per 30 minutes. Anyone sending outbound mail through ESS should be listed in the userlist.

 

One of the reasons a sender might hit our rate control limits more than normal is the configuration of your mail server. For example: If a user sends out a mass mailing to 1000 people that will hit their rate control limit. It will take at least 4 hours for all this mail to be delivered. If your mail server retries this deferred mail every few minutes this can cause the sender to remain rate limited for a very long time. Barracuda recommends that you configure your mail server to retry deferred connections every 30 minutes to avoid this problem.

 

If you have mail that must go out immediately then Barracuda recommends that you either bypass ESS, sending it directly to the internet or that you use a mass mailing service that is designed for this purpose. Barracuda is also aware that some organizations use a program to mass mail that does not retry deferred mail. If you are using a program like this then we recommend that you configure it to deliver the mail directly to the internet or have it relay the mail through a fully functional mail server that can correctly handle deferred mail.

 

Exceeding rate control limits will show up on your outbound abuse report page however if there is a problem with your account that results in your outbound IP or a user email address being blocked you will hear directly from Barracuda via email or a call explaining the problem that requires attention.

 

Please reference our terms of service page in regards to bulk or mass mailing.

https://campus.barra...neServiceTerms/


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300


#10 Michelle Exner


Posted 30 October 2019 - 10:06 AM

Validating the Outbound Connector in O365

It is important to understand that the Barracuda Email Security Service will NOT accept any mail from our customers using O365 that does not come from their registered domain and an IP in the O365 SPF record.

If mail comes to our service and is NOT coming from an O365 registered IP address (an IP in their SPF record) it will not be allowed
If mail comes to our service and does not have your ESS registered domain as the envelope from it will not be allowed.

To send outbound mail from your O365 account to ESS you need to create an outbound connector

One of the steps in creating this outbound connector is to validate the connector 

When O365 sends the validation mail outbound to validate the connector we have seen

1. that O365 will often use the hostname that O365 gives their customers instead of your actual domain name.

2. that O365 will often send the mail from an IP that is NOT in their SPF record which we don't accept.

If you can not get the validator to work then just skip that step and start using the connector.

As soon as you enable it you should start seeing your outbound mail in your ESS outbound message log.

We have a complete setup guide for O365 located here

    https://campus.barra...365-deployment/

however as noted we do see the validation of the outbound connector fail - 

 


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300
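
The two acceptance conditions from the post above (envelope-from in a registered domain, sending IP inside the SPF record), modelled as an added example that is not part of the original post or Barracuda's implementation. The SPF record, domains and addresses are constructed from documentation ranges, and only `ip4:`/`ip6:` mechanisms are evaluated because `include:` needs DNS; the function names are hypothetical.

```python
import ipaddress

# Constructed values for illustration only.
REGISTERED_DOMAINS = ["example.com"]
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"


def spf_networks(spf_record):
    """Extract the ip4:/ip6: networks from one SPF record string."""
    networks = []
    for term in spf_record.split():
        mechanism = term.lstrip("+")  # "+" is the default (pass) qualifier
        if mechanism.lower().startswith(("ip4:", "ip6:")):
            networks.append(ipaddress.ip_network(mechanism[4:], strict=False))
    return networks


def outbound_check(envelope_from, client_ip, registered_domains, spf_record):
    """Return the reasons a message fails the two conditions; empty list means both hold."""
    reasons = []

    domain = envelope_from.rsplit("@", 1)[-1].lower()
    if domain not in {d.lower() for d in registered_domains}:
        reasons.append("envelope-from domain %s is not a registered domain" % domain)

    ip = ipaddress.ip_address(client_ip)
    covered = any(ip.version == net.version and ip in net
                  for net in spf_networks(spf_record))
    if not covered:
        reasons.append("client IP %s is not covered by the SPF record" % client_ip)

    return reasons


if __name__ == "__main__":
    cases = [
        # Normal outbound mail: registered domain, IP inside the SPF ranges.
        ("user@example.com", "192.0.2.25"),
        # Validation mail sent with the O365-assigned hostname as the domain.
        ("postmaster@contoso.onmicrosoft.com", "192.0.2.25"),
        # Validation mail sent from an IP outside the SPF ranges.
        ("user@example.com", "198.51.100.7"),
    ]
    for sender, ip in cases:
        print(sender, ip, outbound_check(sender, ip, REGISTERED_DOMAINS, SAMPLE_SPF) or "accepted")
```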