Harald Reindl's Content

There have been 17 items by Harald Reindl (Search limited from 23-June 09)



#67636 ZeroHour Intent catches

Posted by Harald Reindl on 10 October 2014 - 11:02 AM in Barracuda Email Security Gateway

> Hi Harald,
>
> If you would like to discuss this, please don't hesitate to give us a call/email when you get time.

The Barracuda partner where we bought the appliance talked to Barracuda about a refund, and after two weeks I got a callback: Barracuda sees no way to handle that. So what is the best way to get that issue paid for 2015/2016, while the VM and all backups have been deleted in the meantime, for #BAR-SF-468635 5FCC?




#67615 ZeroHour Intent catches

Posted by Harald Reindl on 09 October 2014 - 04:49 PM in Barracuda Email Security Gateway

> Feel better? Back to our regular program.

If Barracuda Networks would not refuse to refund the subscription for 2015/2016, as they also ignored the existing one when we switched from physical hardware to the VM appliance back in 2010, I would feel better. Buying the subscription for 3 years was based on the assumption that it is still a knowledgeable company that knows what it is doing. They don't, and in the meantime they violate any common sense for security and common practice in the context of email.




#67612 ZeroHour Intent catches

Posted by Harald Reindl on 09 October 2014 - 12:27 PM in Barracuda Email Security Gateway

> You should contact Tech Support because it is obvious you are not looking for a solution to a problem.
>
> Give them a call and see if they listen to you. At least they get paid to do so.

There is no solution for the broken design of the Barracuda.

Or why do you think I deleted the VMware appliance while having a support subscription until 2016/10, and invested 450 hours of work time to create my own solution, which works *far better* in any context: way less spam and way less false positives, while the latter are unacceptable if you are responsible for customers' email.

Nobody in his right mind changes spoofing protection to the From header as Barracuda did with the 6.x firmware; that is pure incompetence and no idea how email and mailing lists work. Nobody in his right mind blocks mails based on *a single list* without scoring, and nobody in his right mind silently drops false positives, which destroys the reliability of SMTP. I could list some dozens of other issues showing that in the past 3 years they have lost their mind about how email works and what people expect from their mail server.

And also nobody in his right mind does repeated deep header inspection for PTR filters, or implements them at all with only "ends-with".

If you are clueless, fine, set up that crap and suck up the results; but if you have technical knowledge you don't accept that behavior.




#67522 ZeroHour Intent catches

Posted by Harald Reindl on 06 October 2014 - 07:11 PM in Barracuda Email Security Gateway

A "250" response happens upon a standard opening exchange... e.g. in response to a HELO message, etc.

 

TAR-pitting and Honey-potting results in a 250 response given to the connecting server so it remains connected.

 

Try contacting Barracuda Tech support.

tar-pitting don't supress messages silently, it makes things only slower
as long as you have not written your own honeypot you can't pretend in what it results - it my vary
for what reason should i call the Barracuda Tech support?
they are unable to solve security and broken-by.design issues over many months

guess what - a few weeks after replace the Barracuda with a own soultion the delivery attepmts at all dropped from 30000 per day to 30000 per week - just because high-score spam no longer get a 250 repsonse insteda a reject, not spoken about working PTR filters, spoofing protection no longerbreaking mailing-lists, filter out dynamic clients properly and so on 

they way the Barracuda is implemented leads only in troubles and in a magnet for spammers because you xan do hardly something more stupid than accept a mail with socre 65 and say "250 OK" instead reject it properly - it breaks any intention in how email has to work, it makes email unrelieable and if i would have imagnined thatt a so called "proefssional spamfilter" is implemented that way we would have saved a lot of money and troubles years ago

frankly one person with knowledge can implement a replacement in a few weeks which works way better, lot less spam passes to the users and lot less false positives while if someone sends you an mail he can be sure if it get filtered you reject it instead a stupid silent drop - that is besides law just inacceptable behavior




#67493 ZeroHour Intent catches

Posted by Harald Reindl on 03 October 2014 - 05:02 PM in Barracuda Email Security Gateway

> Dumb law. I guess Tar Pitting and Honey-Potting are also out of the question for you

You should get some basics of how email works: a message is counted as delivered after a "250 OK".
In case of "tar pitting" that doesn't happen; if the sending server is not able to deliver the message
within 5 days it gives up and sends an NDR *to its own user*.

How can you compare that behavior to a silent drop?

In fact a sane MTA setup for inbound mail waits 6-10 seconds until the client is
allowed to speak, and if the client acts in a standards-conforming way and passes that stage
it needs to repeat that test only a few days later again; if it speaks too early: reject.

Get some basics right and read how Postscreen works.
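
The pre-greeting test the post describes, as an added example that is not part of the original post and not Postfix postscreen's own implementation: the SMTP banner is held back for a while, a client that talks before the banner is refused, and a client that waits is remembered so it is not tested again for a few days. The 6 second greeting delay, the 3 day pass-list lifetime, the 521 reply text and the RFC 5737 addresses in the simulation are assumptions chosen for the example.

```python
"""Pre-greeting ("early talker") test, modelled on the behaviour the post
describes for Postfix postscreen. This is an added example, not code from
the post and not postscreen's own implementation; the 6 second greeting
delay, the 3 day pass-list lifetime and the 521 reply are assumptions."""
from dataclasses import dataclass, field


@dataclass
class PreGreetTester:
    greet_wait: float = 6.0          # seconds the SMTP banner is held back (assumed)
    pass_ttl: float = 3 * 86400.0    # seconds a passing client is exempt from re-testing (assumed)
    passed: dict = field(default_factory=dict)   # client IP -> expiry time of its pass

    def _expire(self, now: float) -> None:
        """Drop pass-list entries whose lifetime has run out."""
        for ip in [ip for ip, exp in self.passed.items() if exp <= now]:
            del self.passed[ip]

    def decide(self, ip: str, connect_at: float, first_data_at):
        """Classify one connection.

        first_data_at is the time the client sent its first bytes, or None
        if it stayed silent until the banner was sent. Returns (action, reply).
        """
        self._expire(connect_at)
        if ip in self.passed:
            # Known-good client: no delay, straight to the real SMTP server.
            return "pass-cached", "220 banner sent immediately"
        if first_data_at is not None and first_data_at - connect_at < self.greet_wait:
            # Spoke before the banner: a real MTA never does this, a bot does.
            return "reject", "521 5.5.1 Protocol error"
        # Waited politely: remember the address so it is not tested again soon.
        self.passed[ip] = connect_at + self.pass_ttl
        return "pass", "220 banner sent after greet_wait"


def simulate():
    """Run a constructed sequence of connections (RFC 5737 addresses) through
    the tester and return the action taken for each."""
    tester = PreGreetTester()
    events = [
        ("203.0.113.7", 0.0, 0.2),             # bot: talks 0.2 s after connecting
        ("198.51.100.4", 0.0, None),           # real MTA: waits for the banner
        ("203.0.113.7", 10.0, 10.1),           # bot retries, still an early talker
        ("198.51.100.4", 3600.0, None),        # same MTA an hour later: exempt
        ("198.51.100.4", 4 * 86400.0, None),   # after the pass lifetime: tested again
    ]
    return [tester.decide(ip, connect_at, first_data_at)[0]
            for ip, connect_at, first_data_at in events]


if __name__ == "__main__":
    print(simulate())
```

The point of the pass list is that a legitimate MTA pays the greeting delay once and then goes straight through, while a bot that never waits is refused every time and never gets a 250 it could count as a delivery.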




#67492 ZeroHour Intent catches

Posted by Harald Reindl on 03 October 2014 - 04:09 PM in Barracuda Email Security Gateway

> > you must not accept highscore spam, answer with 250 OK and drop it silently *by law*
>
> Dumb law. I guess Tar Pitting and Honey-Potting are also out of the question for you

There is nothing dumb except devices that silently drop mail and defeat the design of SMTP that way.

* if you respond with 250 OK you have to deliver the mail
* if you reject it, the other side is responsible for the bounce, and a zombie won't do anything
* in case of legit mail the sender gets a bounce, without backscatter on your side or a silent drop
* spammers realize it was rejected instead of high-scoring your machine because of braindead "250 OK" signaling

A honeypot does not need to respond with 250 OK.

Frankly, I wrote my own one: it just writes the connecting IP to a database feeding rbldnsd.
Why should I need to talk SMTP there? No legit MX points to that device, and just closing
the connection is fine: any sane MTA will 5 days later send a bounce *to its user*, and
any zombie doesn't need a response; try to connect again and the RBL record will last longer
and only disappear if you don't connect for 7 days.

The Barracuda appliances are for people with little technical knowledge or security-ignorant;
it's a black box with security flaws by design and violates RFCs all the time. Period.
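
The honeypot-to-RBL flow described above, as an added example that is not the author's honeypot and not part of the original post: connections are recorded by address and time only, a listing lives for 7 days after the most recent connection (so a repeat connection extends it), and the current listing is rendered as an rbldnsd ip4set dataset. The 127.0.0.2 answer value, the TXT text, the zone name and the RFC 5737 addresses in the demo are assumptions.

```python
"""Connection honeypot feeding an rbldnsd ip4set dataset, written as an
added example of what the post describes; it is not the author's honeypot.
Assumptions: connection events arrive as (IPv4 address, unix time); a
listing lasts LIST_TTL seconds after the most recent connection; the A
record value and TXT text returned for listed addresses are placeholders."""
import ipaddress

LIST_TTL = 7 * 86400          # 7 days without a new connection and the listing disappears
ANSWER = "127.0.0.2"          # A record for listed addresses (assumed)
TXT = "Connected to a honeypot; no legitimate MX lives here"


class Honeypot:
    def __init__(self):
        self.last_seen = {}   # address -> unix time of the most recent connection

    def record(self, ip, when):
        """Record a connection. Nothing is spoken on the wire: the mere
        connection is the signal, so only the address and the time are kept.
        A repeat connection overwrites the timestamp and so extends the listing."""
        addr = ipaddress.ip_address(ip)
        if not isinstance(addr, ipaddress.IPv4Address):
            raise ValueError("ip4set datasets hold IPv4 addresses only")
        self.last_seen[str(addr)] = when

    def purge(self, now):
        """Forget addresses that have not connected within LIST_TTL."""
        for ip in [ip for ip, t in self.last_seen.items() if now - t >= LIST_TTL]:
            del self.last_seen[ip]

    def listed(self, now):
        self.purge(now)
        return sorted(self.last_seen)

    def rbldnsd_ip4set(self, now):
        """Render the listing as an rbldnsd ip4set dataset: a leading
        ':value:text' line sets the default answer, then one address per line."""
        lines = [f":{ANSWER}:{TXT}"] + self.listed(now)
        return "\n".join(lines) + "\n"


def dnsbl_query_name(ip, zone):
    """Build the name a DNSBL client looks up: octets reversed under the zone,
    e.g. 203.0.113.7 under bl.example.org -> 7.113.0.203.bl.example.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def demo():
    """Constructed connection events (RFC 5737 addresses) over a few days."""
    day = 86400
    hp = Honeypot()
    hp.record("203.0.113.7", 0 * day)
    hp.record("198.51.100.23", 1 * day)
    hp.record("203.0.113.7", 5 * day)   # came back: its listing now runs until day 12
    return hp


if __name__ == "__main__":
    print(demo().rbldnsd_ip4set(8 * 86400))
```

Because no legitimate MX ever points at the honeypot, every connection is a signal on its own; the 7 day decay keeps the list from accumulating addresses that were reassigned long ago, and the sliding expiry keeps persistent bots listed for as long as they keep coming back.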




#67490 ZeroHour Intent catches

Posted by Harald Reindl on 03 October 2014 - 04:00 PM in Barracuda Email Security Gateway

 

> You CAN get unsolicited zerohour intent messages through if you wish. You can also send a message to the sender's actual address (check the e-mail headers) to help whitelist the message.

It is not my job to handhold that crap and waste my time. If the user says "I want mail from that sender" then it has to be that way; there is no "but" and "if".
Unconditional blocking because of one domain blacklist is just idiotic and nothing else.
It's the result of an NIH syndrome.

That is how such a system has to work: SCORE BASED. There is no "but" or "if".

Anything else leads to loss of legit mail, and one false positive does more harm than 50 junk
mails in both cases: support costs and reputation loss, as well as, depending on the content,
losing direct money or the money of your customers because they cannot respond in
time to important mail or don't even know it was silently dropped.


score URIBL_AB_SURBL 4.5
score URIBL_JP_SURBL 4.5
score URIBL_WS_SURBL 2.5
score URIBL_MW_SURBL 1.5
score URIBL_SC_SURBL 0.5
score URIBL_RHS_DOB 1.5
score URIBL_SBL 1.1
score URIBL_DBL_BOTNETCC 2.2
score URIBL_DBL_SPAM 2.2
score URIBL_DBL_PHISH 3.0
score URIBL_DBL_MALWARE 3.0
score URIBL_DBL_ABUSE_SPAM 2.2
score URIBL_DBL_ABUSE_PHISH 3.0
score URIBL_DBL_ABUSE_MALW 3.0
score URIBL_DBL_ABUSE_BOTCC 2.2
score URIBL_BLACK 2.5
score URIBL_GREY 1.1
score URIBL_DBL_REDIR 0.1
score URIBL_DBL_ABUSE_REDIR 0.3
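
The score-based policy the post argues for, next to the unconditional single-list alternative, as an added example that is not the author's SpamAssassin configuration and not part of the original post. It parses a subset of the score lines from the post above, adds up the scores of the rules that fired, and acts on the total; the tag and reject thresholds, the 550 reply text and the rule hits fed in are assumptions chosen for the example.

```python
"""Score-based URIBL policy versus blocking on a single list. Added example,
not the author's SpamAssassin configuration: the score lines are a subset
of the ones from the post above, while the tag and reject thresholds and
the rule hits fed in are assumptions used to drive the comparison."""
import re

SCORE_CF = """
score URIBL_AB_SURBL 4.5
score URIBL_JP_SURBL 4.5
score URIBL_WS_SURBL 2.5
score URIBL_MW_SURBL 1.5
score URIBL_SC_SURBL 0.5
score URIBL_RHS_DOB 1.5
score URIBL_SBL 1.1
score URIBL_DBL_SPAM 2.2
score URIBL_DBL_PHISH 3.0
score URIBL_BLACK 2.5
score URIBL_GREY 1.1
score URIBL_DBL_REDIR 0.1
"""

TAG_AT = 5.0      # assumed: from here the message is marked as spam
REJECT_AT = 8.0   # assumed: from here it is refused at end-of-DATA, never accepted and dropped

# Single-value form of the SpamAssassin 'score' directive, as used in the post.
_SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(-?\d+(?:\.\d+)?)\s*$")


def parse_scores(cf):
    """Return {rule_name: score} from local.cf-style text, ignoring other lines."""
    scores = {}
    for line in cf.splitlines():
        m = _SCORE_RE.match(line)
        if m:
            scores[m.group(1)] = float(m.group(2))
    return scores


def score_policy(hits, scores):
    """Add up the scores of every rule that fired and act on the total.
    Unknown rules score 0 rather than failing. A reject is a 5xx at SMTP time,
    so the sending side learns the fate of the mail and owns the bounce."""
    total = round(sum(scores.get(h, 0.0) for h in hits), 2)
    if total >= REJECT_AT:
        return "reject", total, "550 5.7.1 Blocked by SpamAssassin"
    if total >= TAG_AT:
        return "tag", total, "250 OK (delivered, marked as spam)"
    return "deliver", total, "250 OK"


def single_list_policy(hits, blocking_list):
    """The unconditional alternative: one listing on one source decides, and the
    message is accepted and then discarded, so the sender sees 250 OK either way."""
    if blocking_list in hits:
        return "accept-and-drop", "250 OK (silently discarded)"
    return "deliver", "250 OK"


def compare(hits, blocking_list="URIBL_SC_SURBL"):
    """Decision of both policies for the same set of rule hits."""
    scores = parse_scores(SCORE_CF)
    return {"score_based": score_policy(hits, scores)[0],
            "single_list": single_list_policy(hits, blocking_list)[0]}


if __name__ == "__main__":
    print(compare({"URIBL_SC_SURBL"}))                      # deliver vs accept-and-drop
    print(compare({"URIBL_AB_SURBL", "URIBL_JP_SURBL"}))    # reject vs deliver
```

A lone low-confidence hit (URIBL_SC_SURBL at 0.5) is delivered under the score policy but silently lost under the single-list policy, while two strong hits together cross the reject threshold and are refused with a 5xx instead of being accepted with 250 OK.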
 




#67489 ZeroHour Intent catches

Posted by Harald Reindl on 03 October 2014 - 03:55 PM in Barracuda Email Security Gateway

 

> Your best bet is to CALL Barracuda and TALK to their tech support people.
>
> I found that they are very good at helping out the customer, particularly those that don't scream "bullshit" at everything.

If it comes to easily solvable things, yes. If it comes to real design problems and security issues, like the completely idiotic session token which is part of the Referer if you click on a link in the message preview, so that *anybody* from everywhere can own your session, or unacceptable privacy behavior (leaking links from the mail body to US servers), or other security issues like laughable encryption (RC4 in the web interface), no forward secrecy at all, or MEDIUM-scored CVSS findings in security scans of the device, they can do nothing.

Forget it. I wish I had saved all the time discussing with the support over the last two years and had already built my own solution, which works trustably, controllably, offers state-of-the-art security and IN GENERAL SCORE-BASED operation, leading to a far better scan result with A LOT LESS false positives, and is able to REJECT instead of accept and silently discard, which is a design error and not permitted by law.

Frankly, after a month without the Barracuda device the daily spam delivery attempts dropped to 30% of before, because we no longer accept high-score junk with a "250 OK" and so signal "yes, you can place your crap here". If I had had the time in 2010, when the switch from a 300 physical device to the virtual appliance led to throwing away 2 years of the existing subscription because they were unable to take that into account for a new contract, I should have started to replace the device 4 years ago.

The aggressive filtering is only needed because they rely on one single RBL instead of scoring, do *not* reject senders with a non-existing domain, support only "ends-with" PTR filters and have no dial-up filter at all, which is 90% of the typical bot spam. Would the device support some basic features any ordinary Postfix installation has, you would see a lot less spam with less aggressive and less error-prone settings.
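
The session-token-in-Referer leak mentioned above, as an added example that is not part of the original post and describes no particular product: given a page whose URL carries a session token, it computes what a browser puts in the Referer header when a link on that page is followed, for each Referrer-Policy value, and flags the policies under which the token reaches the linked site. The preview URL, the "session" parameter name, the target sites and the list of token-like parameter names are assumptions made up for the example.

```python
"""What ends up in the Referer header when a link is followed from a page
whose URL carries a session token, for each Referrer-Policy value. Added
example to illustrate the leak the post describes; the preview URL, the
'session' parameter name and the target sites are made up for the example
and are not details of any product."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl

POLICIES = ("no-referrer", "no-referrer-when-downgrade", "origin", "same-origin",
            "strict-origin", "origin-when-cross-origin",
            "strict-origin-when-cross-origin", "unsafe-url")


def _host(p):
    return (p.hostname or "") + (f":{p.port}" if p.port else "")


def _full(url):
    """A full referrer: the URL minus credentials and fragment."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host(p), p.path, p.query, ""))


def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{_host(p)}/"


def referer_for(source, target, policy):
    """Referer value a browser sends when navigating from source to target
    under the given Referrer-Policy, or None for no header. Origins are compared
    on (scheme, host, port) without default-port normalisation, which is enough
    for the example."""
    s, t = urlsplit(source), urlsplit(target)
    same_origin = (s.scheme, s.hostname, s.port) == (t.scheme, t.hostname, t.port)
    downgrade = s.scheme == "https" and t.scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _full(source)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _full(source)
    if policy == "origin":
        return _origin(source)
    if policy == "same-origin":
        return _full(source) if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else _origin(source)
    if policy == "origin-when-cross-origin":
        return _full(source) if same_origin else _origin(source)
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return _full(source)
        return None if downgrade else _origin(source)
    raise ValueError(f"unknown policy {policy!r}")


TOKEN_PARAMS = {"session", "sessionid", "sid", "token", "auth"}   # assumed names


def leaked_params(referer):
    """Query parameters in a Referer value that look like session material."""
    if not referer:
        return []
    return [k for k, _ in parse_qsl(urlsplit(referer).query) if k.lower() in TOKEN_PARAMS]


def audit(source, target):
    """Per policy: does following the link hand the token to the target site?"""
    return {pol: leaked_params(referer_for(source, target, pol)) for pol in POLICIES}


if __name__ == "__main__":
    src = "https://mail.example.org/preview?msg=42&session=ab12cd"   # made-up URL
    print(audit(src, "https://external.example/page"))
```

The durable fix is to keep session material out of the URL altogether (a cookie scoped to the application is not copied into Referer); sending a Referrer-Policy of no-referrer or strict-origin-when-cross-origin, or marking the links rel="noreferrer", only limits the damage for the case where the token is already in the URL.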




#67403 ZeroHour Intent catches

Posted by Harald Reindl on 30 September 2014 - 05:19 PM in Barracuda Email Security Gateway

> While that is true opjose, we don't recommend utilizing email address whitelisting as this has the possibility of being spoofed and allowing spam in

And in fact it doesn't work, or how do you explain to me all that blocked mail where the senders were already whitelisted?

Sorry, but I used that crap for 8 years, and the behavior of these devices is just unacceptable:

* you must not accept high-score spam, answer with 250 OK and drop it silently *by law*
* you must not block freeware antispam pages with ZeroHour Intent
* you must not block mails where the sender is already whitelisted
* you must not block unconditionally instead of score based

The accept-and-silently-drop behavior brings the admin 2 years into jail in Germany.
We bought that stuff because we *thought* it would work basically professionally
and not try to get a 100% hit rate at every price of false positives.




#67402 ZeroHour Intent catches

Posted by Harald Reindl on 30 September 2014 - 05:14 PM in Barracuda Email Security Gateway

> Whew... a lot of requests for removal, but frankly I do NOT want
> YOUR SPAM hitting and getting through OUR ANTI-SPAM

Bullshit. I replaced the Barracuda appliance because I want my email, and not because my email gets blocked.

> Individually, you can go to "Block/Accept" / "Sender Filters" / "Allowed E-mail Addresses and Domains"
> to add domains and e-mail addresses that you DO NOT want scanned for Zerohour Intent nor any Intent options.

Bullshit. I have enough examples where customers whitelisted a sender and mails
still got blocked by "ZeroHour Intent", which is unacceptable.

A sane solution works score based, and not: because some idiots too dumb to
unsubscribe from something they subscribed to forward legit mail as spam, block
domains unconditionally and, last but not least, block domains of freeware
antispam solutions by ZeroHour, which is just illegal in most countries.




#66935 ZeroHour Intent catches

Posted by Harald Reindl on 04 September 2014 - 03:37 PM in Barracuda Email Security Gateway

> We are sorry you feel this way and I've reviewed your case and seen that it was handled just as expected

Just as expected would have been that you don't need the support all the time to remove ZeroHour blacklistings to get your own mail.
Amusing is that the reason for running a spam firewall is, in doubt, to get no mail at all.

*No*, the reason is to block most spam *but* get your legit email without contacting the vendor or digging in the appliance.




#66917 ZeroHour Intent catches

Posted by Harald Reindl on 03 September 2014 - 05:53 PM in Barracuda Email Security Gateway

They are not incorrect. Without a good reason I would not have spent the last 4 weeks day and night building up a reliable solution based on postfix/postscreen/spamassassin-milter/clamav-milter, and moved nearly all domains to that device on Monday to prepare the shutdown of the Barracuda appliance on Friday, while having a support contract until autumn 2016. Well, and while building up that replacement you even blocked messages from the SpamAssassin list because they contained "local.cf" or links to "amavis.com".

While preparing that device I also found out that the content filter accepts messages and drops them silently in case of a high score, because it runs after-queue, which is not even permitted by law in many European countries; and the decision not to renew the subscription after 2016 was simply for a privacy reason known by your support, and very likely also not permitted by law in the way it is implemented.

http://www.postfix.org/MILTER_README.html is the way to go to implement a content filter:

[code]
Sep  4 00:45:19 localhost postfix/cleanup[29532]: 3hpKws48HZz1y: milter-reject: END-OF-MESSAGE from mailoutjs01.rmx.de[94.199.90.117]: 5.7.1 Blocked by SpamAssassin; from=<***> to=<***> proto=ESMTP helo=<mailoutjs01.rmx.de>
[/code]

There are repeatedly technically wrong decisions, like extending the spoofing protection to From headers, breaking any mailing list, doing deep header inspection for PTR decisions and applying PTR rules to Received headers, and what not else. And I tell you what the reason for that non-working QA and those wrong decisions is: "In November 2013, Barracuda Networks went public on the New York Stock Exchange under the ticker symbol CUDA", which I was not aware of when renewing the subscription for 3 years. In the past it was quality and technical knowledge; in the meantime it is all about the money. And well, I want some money back!
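
A parser for the Postfix cleanup "milter-reject" lines the before-queue setup produces, as an added example that is not part of the original post: it is written against the single log line quoted above, and the two further reject lines and the smtpd connect line in the sample are constructed with RFC 5737 addresses. Every line it counts was refused with a 5xx at END-OF-MESSAGE, before the mail entered the queue, which is the difference to the after-queue accept-and-discard the post objects to.

```python
"""Parser for Postfix cleanup 'milter-reject' log lines plus a small
summary, as an added example built against the line quoted in the post
(it is not part of the post). The second and third reject lines and the
final smtpd line are constructed with RFC 5737 addresses; the regex covers
the field layout shown in the quoted line and returns None for anything else."""
import re
from collections import Counter

_MILTER_REJECT = re.compile(
    r"postfix/cleanup\[(?P<pid>\d+)\]: (?P<queue_id>[0-9A-Za-z]+): milter-reject: "
    r"(?P<stage>[A-Z-]+) from (?P<client_name>[^\[\s]+)\[(?P<client_ip>[^\]]+)\]: "
    r"(?P<status>\d\.\d+\.\d+) (?P<reason>[^;]*); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>"
)

# First line: quoted in the post. Remaining lines: constructed for the example.
SAMPLE_LOG = """\
Sep  4 00:45:19 localhost postfix/cleanup[29532]: 3hpKws48HZz1y: milter-reject: END-OF-MESSAGE from mailoutjs01.rmx.de[94.199.90.117]: 5.7.1 Blocked by SpamAssassin; from=<***> to=<***> proto=ESMTP helo=<mailoutjs01.rmx.de>
Sep  4 00:46:02 localhost postfix/cleanup[29532]: 3hpKxq2Wl1z1y: milter-reject: END-OF-MESSAGE from unknown[203.0.113.7]: 5.7.1 Blocked by SpamAssassin; from=<bulk@example.net> to=<user@example.org> proto=ESMTP helo=<example.net>
Sep  4 00:47:10 localhost postfix/cleanup[29540]: 3hpKz03bXcz1y: milter-reject: END-OF-MESSAGE from unknown[203.0.113.7]: 5.7.1 Virus detected; from=<bulk@example.net> to=<other@example.org> proto=ESMTP helo=<example.net>
Sep  4 00:47:11 localhost postfix/smtpd[29544]: connect from unknown[198.51.100.9]
"""


def parse_milter_reject(line):
    """Return the fields of a milter-reject line as a dict, or None if the line
    is something else (accepted mail, smtpd connects, ...)."""
    m = _MILTER_REJECT.search(line)
    return m.groupdict() if m else None


def summarise(log_text):
    """Count rejections per client IP and per reason. Every line counted here
    was refused with a 5xx before queueing, so the sending MTA, not this
    server, owns the bounce; nothing was accepted and then discarded."""
    by_ip, by_reason = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_milter_reject(line)
        if rec is None:
            continue
        by_ip[rec["client_ip"]] += 1
        by_reason[rec["reason"]] += 1
    return by_ip, by_reason


if __name__ == "__main__":
    by_ip, by_reason = summarise(SAMPLE_LOG)
    print(by_ip.most_common(), by_reason.most_common())
```

The client_name field is the reverse DNS name Postfix logged for the connecting address ("unknown" when there is none), while helo is what the client claimed; a mismatch between the two is exactly the kind of signal a PTR or HELO check would act on before DATA.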




#66915 ZeroHour Intent catches

Posted by Harald Reindl on 03 September 2014 - 05:26 PM in Barracuda Email Security Gateway

> every .cf domain you just listed we've already seen and have had in our database since 2011 and higher.. I would assume the fact that .cf was one of the highest spammed utilized domains years ago due to them giving away free domains was the cause of it.
>
> master.cf = 2012
>
> main.cf = 2011
>
> local.cf = 2013
>
> in terms of your comment on youtube page being the only url in there, we'd like to see this data to review how this may have occurred :D

How will you be taken seriously by listing non-existing domains?
Try out the 3 domains above: do they exist?
Oh, wait, they don't. How can there be a reason to block them?

I tell you what happened, as so often:
* some idiot subscribed to a mailing list
* years later he wants to unsubscribe
* he is too stupid to click on the list footer to do so, and nobody else does after "unsubscribe" posts to the list
* the idiot starts to click on the spam button for every future list mail and hopes sooner or later the mails are blocked
* exactly the same happens for newsletters
* you funny guys analyze the so-reported messages, repeatedly find "linked" config file names, and your bot puts them in ZeroHour

Even if: does that justify blocking posts on the Postfix and SpamAssassin mailing lists from the list itself, and in general using ZEROHOUR for that and overriding any whitelist because it runs as part of the virus scanner? Frankly, I can't count how often a mailing list complained in the last year that my address bounces and I may get unsubscribed because of that, or how often a customer complained why he doesn't get mail from whitelisted senders, including firewall alerts from Zyxel devices.

Sender: outmail019.ash2.facebook.com[66.220.155.153]
ZeroHour Intent (dollypartonentertainment.com)

The string "dollypartonentertainment.com" did not exist in the whole RAW message;
it only existed on the linked page:

And I have countless hits of ZeroHour for *my incoming mail* blocked, where I thought "who do they think they are to tell me what mail I want to receive if I even whitelist the sender?", not to mention other unacceptable privacy and security issues I will publish if I don't hear back how to handle the last 2014-2016 extended subscription, not knowing at that time that the Barracuda BSF would have that lot of repeating issues, making it no longer acceptable for business usage.

In short: neither Barracuda nor myself are in the position to decide, un-whitelistable for a customer, which mails he doesn't get.

Frankly, with that ZeroHour behavior you can't even subscribe to security mailing lists for your daily job, because you can't whitelist them.




#66913 ZeroHour Intent catches

Posted by Harald Reindl on 03 September 2014 - 04:26 PM in Barracuda Email Security Gateway

> Hi Harald,
>
> I am sorry you feel that way, but I can tell you there is always legitimate, if not multiple reasons why things become negatively listed on our reputation services. We do not do random!
>
> If you care to dispute this we would gladly like to entertain this information if you can contact support to discuss.

It is random, or how would you try to explain that the whole *CF COUNTRY TLD* was blocked, confirmed today as cleared?

How else would you explain that a message is rejected by ZeroHour naming a domain which doesn't exist in the whole
message source and is only linked on the YouTube page referred to from the Facebook notification?




#66911 ZeroHour Intent catches

Posted by Harald Reindl on 03 September 2014 - 04:14 PM in Barracuda Email Security Gateway

> That's great to hear and viewing the website does indeed seem to confirm those details.
>
> The problem is the spam like emails going out with the website URL in the emails to begin with.
>
> We would recommend your marketing team works to fix these email blasts to be in line with CAN-SPAM compliance and typical mass marketing practices to ensure your emails always get through in the future, and so that we can remove this domain off the list as soon as you've fixed the emails.

And that behavior puts anything on ZeroHour which can't be whitelisted, be it whole country TLDs like .cf, leading to blocking mail with "main.cf", "master.cf", "local.cf", as well as putting "amavis.org" on that list, as well as even following links in incoming mail and rejecting them because of the YouTube page linked from the message and not the message itself. That should lose you more customers than us.

You just have no permission to suppress messages if my user or myself has whitelisted the sender, because of that Barracuda Networks behavior. Frankly, anybody can trigger such a listing by sending out enough spam and linking the URL he wants to get blocked on the ZeroHour list.

That whole thread is a tragedy. Your support says "that is part of the virus scanner and can't be whitelisted"; well, then stop listing half of the world there, and be sure that if we ever get blocked by Barracuda in the future I can prove, with screenshots and logs, that you act completely randomly and with no reason.




#50862 Thunderbird-Plugin

Posted by Harald Reindl on 26 December 2010 - 01:00 PM in Feature Requests

PLEASE PLEASE can we have a maintained Thunderbird plugin?

There are many users out there which are not using Windows, or Windows users which are using Thunderbird, and it really hurts to be ignored :-(



#50491 PHP: Add Domain with target-server and port

Posted by Harald Reindl on 21 November 2010 - 12:32 PM in API Intersections

Hi,

I need some PHP functions to add a domain with an explicit target server / port, remove a domain, and get a full list of all configured domains.

Below are my current functions for add/remove domain, but they are using the old API class and there is no way to set the target server defined in the PHP class, and afaik "add_domain.cgi" will be removed in future firmware versions.

This should be integrated in our self-developed backend for http://www.dbmail.org/ and is usable standalone too. The option to get all configured domains as a PHP array would be nice to get the data into our billing system.

[code]
<?php
class dbmail_barracuda {
  public $enabled  = false;
  public $url      = '';   // base URL of the appliance, with trailing slash
  public $password = '';   // API password
  public $mta      = '';   // target server; not settable through add_domain.cgi
  public $mta_port = '';

  /**
   * Call one of the legacy domain CGIs and report whether the result code was 200.
   *
   * @param  string $script  'add_domain.cgi' or 'delete_domain.cgi'
   * @param  string $domain
   * @access private
   * @return boolean
   */
  private function domain_cgi($script, $domain)
  {
    if(!$this->enabled)
    {
      return false;
    }
    // The legacy API takes the API password as a query-string parameter,
    // so the URL must only be used over HTTPS and must not end up in logs.
    $call = $this->url . 'cgi-mod/' . $script
          . '?password=' . urlencode($this->password)
          . '&domain=' . urlencode($domain);
    $raw = file_get_contents($call);
    if($raw === false)
    {
      return false;   // transport error: no reply at all
    }
    $xml = simplexml_load_string($raw);
    if($xml === false || !isset($xml->Result->Code))
    {
      return false;   // not the XML reply we expect
    }
    return ((int)$xml->Result->Code) == 200;
  }

  /**
   * @param  string $domain
   * @access public
   * @return boolean
   */
  public function domain_add($domain)
  {
    return $this->domain_cgi('add_domain.cgi', $domain);
  }

  /**
   * @param  string $domain
   * @access public
   * @return boolean
   */
  public function domain_remove($domain)
  {
    return $this->domain_cgi('delete_domain.cgi', $domain);
  }
}
[/code]