Barracuda Networks Spam Firewall 600
Contents:
I. What is Barracuda?
II. How does Barracuda Work?
III. Quarantine Summary Notification
IV. Quarantine Inbox
V. Sort the Quarantine Inbox Contents
VI. Using the Spam Classification Button
VII. Add Email Addresses and Domains to your Whitelist or Blacklist
VIII. Spam Scoring
IX. Spam Filtering Methods
X. Definitions
XI. Common Questions
I. What is Barracuda?

The Barracuda Networks Spam Firewall 600 has been installed to control the massive amounts of spam targeting ISU. The Barracuda Spam Firewall is an integrated hardware and software solution that is placed between the internet and the ISU mail server in the Computer Center Operations room. It provides a powerful, easy to use solution to eliminate spam at ISU.

Its main features are:
- Enterprise Class Solution
- Full size 1U rack mount with rails
- 25 million email messages per day
- Web configuration interface
- Virus scanning
- Spam blocking
- Redundant disk array for superior reliability
- Clustering for larger capacity and redundancy
- 25,000 active email users
- Microsoft Exchange 5.5/2000/2003 LDAP Message Accelerator
- Per User Settings and Quarantine
- Two Gigabit Ethernet Ports

II. How Does Barracuda Work?

The Barracuda Spam Firewall 600 computer sits between the internet and the ISU mail server. It intercepts all email and removes spam before delivering the remainder to your inbox. Email from addresses that appear on your Whitelist is automatically sent to your inbox, while email from addresses on your Blacklist is deleted immediately. The remaining email is scored (evaluated as to the likelihood that it is spam) and handled according to your configuration settings. (See VIII. Spam Scoring for details.)

It takes about 200 spam and non-spam messages before the Bayesian analysis starts to recognize and block spam. (See definition list for Bayesian.)

While the ISU Email Administrator has set a basic configuration to catch most forms of spam, we haven't closed it down too tightly. You may receive some email which the server has not classified as spam. It is possible to alter your Barracuda quarantine and spam settings configuration to deliver all email, or you can limit it so only mail from addresses on your Whitelist can get through.
III. Quarantine Summary Notification

Barracuda determines if email is spam by the score it receives. An email with a score between 3.0 and 7.9 will be placed into your Quarantine Inbox so that you can teach Barracuda how to handle it. Once messages are placed into Quarantine, Barracuda will generate an email telling you how to access it. (See section VIII. Spam Scoring, IX. Definitions and X. Comments to learn how email is scored).

The email will state the following:
From: Barracuda Spam Firewall
Subject: Spam Quarantine Summary

Click on the Spam Quarantine Summary link to review a list of the messages currently residing in quarantine. Or, access your Quarantine Inbox directly - http://barracuda.isu.edu:8000
The Quarantine Summary email contents will display a brief list of the Quarantine Inbox contents. To access the Barracuda Quarantine Inbox, scroll down to the bottom of the list and click on the "click here" link. Or, bypass the email notification link and access your Quarantine Inbox directly - http://barracuda.isu.edu:8000
IV. Quarantine Inbox

The Barracuda Quarantine Inbox will display a list of quarantined email in the order it was received. It is recommended that you review this list daily and classify as many messages as you can so that you can teach the Barracuda Spam Firewall Bayesian learning engine how to classify your email. It takes about 200 spam and non-spam messages before the learning engine will start to function.

- View the message content by clicking on the Subject or From line.
- Deliver a message to your inbox. Make sure you add wanted messages to your Whitelist before you deliver them. Once Barracuda delivers a message, it is removed from quarantine.
- Add it to your Whitelist. A Whitelist is a list of addresses that you do want to receive email from. All Whitelisted messages go straight to your inbox.
- Add the address to your Blacklist so all future mailings from this sender are deleted immediately.
- Or, you may Delete it. This deletes the selected message from quarantine. Note: You cannot recover deleted messages.
You may also block classify several messages at once by checking the box next to them and then selecting either:
- Classify as Not Spam - Classifies the selected messages as not spam.
- Classify as Spam - Classifies the selected messages as spam.

Note: It takes about 200 messages to teach the Bayesian database learning engine.
V. Sort the Quarantine Inbox Contents

If you have large quantities of quarantined email to wade through, you can sort it by a common address or by a common word on the subject line. In this example, there were several scattered entries for FREE stuff. To search for FREE messages, separate those messages from the rest by using the Filter tool at the top of the Quarantine Inbox page.

For Filter, select: Subject Contains:
For Pattern, type: FREE

As you can see, the pattern FREE brings up email you may want to keep. Place a check mark in the box to select the message. Add it to your Whitelist (see the Whitelist section for details) before you click the CLASSIFY AS NOT SPAM button.

Alternately, check unwanted messages and click the CLASSIFY AS SPAM button to teach the learning engine about what you don't want. After 200 or so messages, the Bayesian database will have enough data to recognize messages you consider to be spam.
VI. Using the Spam Classification Button

The quarantine contents are a mixed bag. Check the messages you don't want and then click the Classify as Spam button. Alternately, you may select the messages you do want and click the Classify as Not Spam button to send them on to your inbox.
You may classify several messages at once by checking the box next to them and then selecting either:
- Classify as Not Spam - Note: It takes about 200 messages to teach the Bayesian database learning engine. For repetitive email, it may be more effective to add desired mail addresses to your Whitelist or unwanted email addresses to your Blacklist. See the Whitelist/Blacklist documentation for details.
- Classify as Spam - Classifies the selected messages as spam. Note: It takes about 200 messages to teach the Bayesian database learning engine.
VII. Add Email Addresses and Domains to your Whitelist or Blacklist

For repetitive email that you frequently receive, rather than classifying it as Not Spam, you may want to enter the addresses that you do want into your Whitelist and the addresses you don't want to receive email from into your Blacklist.

Whitelist
A list of e-mail addresses and/or domains that you wish to receive email from. All Whitelisted messages go straight to your inbox except in the following instances:
- Viruses and banned file types are deleted silently. You will not be notified.
- Barracuda will block all attachments ending with a .pif or .scr extension since these are usually problematic.
- Email containing attachments with the following file types will be sent to your Quarantine Inbox rather than your regular email inbox:
  ade adp bas bat chm cmd com cpl crt dll exe hlp hta inf ins isp js jse lnk mdb mde msc msi msp mst pcd reg sct shb shs vb vbe wsc wsf wsh

Note: Commercial mailings often come from different servers; one may come from mail3.abcbank.com and another from mail2.abcbank.com. You will need to add all of them to your Whitelist. Only enter email addresses that you frequently receive email from on your Whitelist.

Blacklist
A list of e-mail addresses and/or domains that you never want to receive email from. Email from Blacklisted senders is immediately discarded. It is not tagged or quarantined and can't be recovered. Neither the sender nor you receive notice that the messages were deleted.
To Whitelist or Blacklist Email Addresses and/or Domains:
- In your regular email INBOX, find your Spam Quarantine Summary notice.
- Open it and scroll down to the bottom of the message.
- Use the "To view your entire quarantine inbox or manage your preferences, click here." link to access the Quarantine Inbox. Or, go directly to your Barracuda Quarantine Inbox - http://barracuda.isu.edu:8000 - and log in with your ISU email username and password.
- Inside the Quarantine Inbox, click on the Preferences tab.
- Click on the Whitelist/Blacklist tab.
A list of your existing Whitelisted and Blacklisted addresses appears on the page. Allowed Email Addresses and Domains (Whitelist) appears at the top. Blocked Email Addresses and Domains (Blacklist) appears below the Whitelist addresses.

Tips on Specifying Addresses:
- It is recommended that you only enter addresses that occur frequently. It's a waste of your time to enter an address that you'll only receive email from once or twice.
- If you enter a full address, such as smitjohn@isu.edu, just that user is specified.
- If you enter just a domain, isu.edu, then all users in that domain are specified.
- If you enter a domain such as isu.edu, all subdomains are also included, such as my.isu.edu, help.isu.edu, calendar.isu.edu, etc.
- Mass mailings often come from domains that do not resemble the company's web site name. For example, you may want to receive mailings from historybookclub.com, but you will find that this site sends out its mail from the domain hbcfyi.com. Examine the From: address of an actual email that you are trying to Whitelist or Blacklist to determine what to enter.
- Spammers often forge the email address to disguise where their spam truly comes from.
- Be careful when blocking domains. For example, if you get tired of all the junk mail supposedly from @yahoo.com, don't block the yahoo.com domain if you have friends and associates who have yahoo accounts. You'll never receive their email.
Add an Email Address or Domain to your Whitelist - For email that you do want to receive:
- Look under 'Allowed Email Addresses and Domains (Whitelist)'.
- Type the email address or Domain into the Email Address box.
- Click on the ADD button.

Add an Email Address to your Blacklist:
To allow Barracuda to sort and delete unwanted email correctly, in the Blocked Email Addresses and Domains (Blacklist) section, enter the address that you want deleted automatically and click the Add button.

Blacklists do not work for spammers who regularly fake different addresses. A Blacklist entry only works for mail that is sent from the address you specify on your Blacklist. If you use the Classify as Spam button for problematic email, eventually the Barracuda Bayesian learning engine will recognize it. Blacklist is best used for consistent email that you don't want.
- Look under the 'Blocked Email Addresses and Domains (Blacklist)' section.
- Type the email address or Domain into the Email Address box.
- Click on the ADD button.

To Remove an Address or Domain from either list:
- Locate the address you want to remove.
- Click on the trash can button next to the address.
VIII. Spam Scoring

To teach Barracuda how to differentiate between good mail and bad, it is suggested that you review your Quarantine Inbox on a daily basis at first so that you can classify as many messages as possible. The Barracuda Networks Spam Firewall is a learning engine that learns how to deal with future messages based on how you teach the system to classify messages and by your Blacklist/Whitelist contents.

Spam filtering will be applied to all email addressed to anyone at username@isu.edu. The Computer Center has thoroughly tested the Barracuda Spam Firewall 600 and has found it to be an excellent spam fighting tool. We have configured it to block the most blatant spam, and any email that receives a score between 3.0 and 7.9 gets sent to your Quarantine Inbox.

There are many people on campus who are concerned that some of their email may be accidentally considered spam and deleted. If you want to take the time to test the Barracuda spam firewall and assure yourself that you are truly receiving the mail you want, you may alter your spam score settings so that everything will be sent to your Quarantine Inbox, where you can easily tell Barracuda whether it is something you want to add to your Whitelist or that you consider spam.

Currently, it takes about 200 spam messages and 200 non-spam messages before the Barracuda Spam Firewall 600 Bayesian database will start to recognize a message as spam.
The first thing to do is to make sure spam filtering is enabled; then you can change your spam scoring configuration.

To Enable or Disable spam filtering:
- Log in to your Barracuda Quarantine Inbox.
- Click on the Preferences tab.
- Click on the Spam Settings tab.
- Select YES to enable spam filtering, or select NO to disable spam filtering.
- Click the Save Changes button.

Spam Scoring - Enable / Disable Use System Defaults
Select YES to use the default scoring levels. Or, select NO to change the Spam Scoring Levels section as described below.
How Spam is Scored:

The Barracuda Spam Firewall scans your email for spam content and scores it using several spam filtering methods. The ISU default configuration is set to delete messages having a score 8 through 10. The score ranges from 0 (definitely not spam) to 10 (definitely spam). Based on the score, the Barracuda Spam Firewall will allow, quarantine or block the message.

When a message is sent to you, Barracuda handles it in the following order:
1. If sender is on the Whitelist, Barracuda places the message in your inbox. (See exceptions in the Whitelist documentation section.)
2. If sender is on the Blacklist, Barracuda deletes the message.
3. The remaining email is given a score.
   - Email receiving a score of 0 to 2.4 is placed in your regular email Inbox.
   - Email receiving a score of 3.0 to 7.9 is placed in your Quarantine Inbox.
   - Email receiving a score of 8-10 is blocked. No notice of blocked email is given to any party.

Spam scoring is the rules based system (about 4000 rules) that looks for characteristics in the email. The Spam scores are used to determine what to do with the email.
Spam Scoring Levels

Tag Score
Possible values for the TAG score are: 0 through 10
  0 = All messages not blocked are tagged with the word [BULK] added to the subject line.
  10 = Turned off - No messages will have [BULK] on the subject line.
The ISU default setting is 10 (turned off). If you want your messages to have the word [BULK] added to the subject line of mass mail, change the TAG number. You may use any number between 0 and 10.
Quarantine Score
Possible values for the QUARANTINE score are: 0 through 10
  0 = All messages that are not blocked are quarantined. All messages, except those from senders listed on your Whitelist, will go to your Quarantine Inbox.
  10 = Quarantine disabled. All email not blocked will go directly to your regular inbox.
The ISU default setting is 3.0. This means that quarantine is enabled and anything that is under the block threshold (score 3.0 to 8) will go to quarantine unless you have added it to your Whitelist. To enable the quarantine feature, the quarantine setting must have a value lower than the block threshold.

Block Score
Possible values for the BLOCK score are: 0 through 10
  0 = All messages are blocked. Exception - Email from addresses on your Whitelist will be placed in your inbox.
  10 = Disabled. No messages are blocked. You'll get everything sent to you.
The ISU default value is 8. The setting of 8 means that only the most obvious junk mail will be deleted. The rest will go to quarantine, where you have the opportunity to review it and teach Barracuda how to handle future messages from that sender.
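The handling order and score thresholds described in this section, together with the Whitelist exceptions from section VII, modelled in Python as an added example. It is not Barracuda's code and not part of the original guide; the class and function names are hypothetical, and it assumes that a score at or above a threshold triggers the action and that a threshold of 10 switches the action off.

```python
# Added illustration: a model of the handling order this guide describes.
# It is not Barracuda code; Settings, listed, extension and handle are
# hypothetical names.
from dataclasses import dataclass, field

# Attachment types the guide says go to quarantine even for Whitelisted senders.
QUARANTINED_EXT = set("""ade adp bas bat chm cmd com cpl crt dll exe hlp hta inf
ins isp js jse lnk mdb mde msc msi msp mst pcd reg sct shb shs vb vbe wsc wsf
wsh""".split())
BLOCKED_EXT = {"pif", "scr"}  # blocked outright, per the Whitelist section


@dataclass
class Settings:
    tag: float = 10.0         # ISU default: tagging turned off
    quarantine: float = 3.0   # ISU default
    block: float = 8.0        # ISU default
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)


def listed(sender, entries):
    """A full address names one user; a bare domain covers it and its subdomains."""
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1]
    for entry in (e.lower() for e in entries):
        if "@" in entry:
            if sender == entry:
                return True
        elif domain == entry or domain.endswith("." + entry):
            return True
    return False


def extension(name):
    """Lower-cased text after the last dot, or '' when there is no dot."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def handle(sender, score, settings, attachments=()):
    """Return (action, tagged); action is 'deliver', 'quarantine' or 'block'."""
    exts = {extension(a) for a in attachments}
    # 1. The Whitelist is checked first; attachments are the stated exceptions.
    if listed(sender, settings.whitelist):
        if exts & BLOCKED_EXT:
            return ("block", False)
        if exts & QUARANTINED_EXT:
            return ("quarantine", False)
        return ("deliver", False)
    # 2. Blacklisted senders are deleted with no notice to anyone.
    if listed(sender, settings.blacklist):
        return ("block", False)
    # 3. Everything else is handled by score (assumption: 10 means disabled).
    #    The guide does not say how attachments affect this branch.
    if settings.block < 10 and score >= settings.block:
        return ("block", False)
    # Assumption: [BULK] is added to any non-blocked mail at or above the tag score.
    tagged = settings.tag < 10 and score >= settings.tag
    # Quarantine only works when its threshold is below the block threshold.
    if settings.quarantine < settings.block and score >= settings.quarantine:
        return ("quarantine", tagged)
    return ("deliver", tagged)
```

Because the Whitelist is consulted before the Blacklist and before scoring, a Whitelisted address is delivered even when its whole domain is Blacklisted or its score is high, which is why the guide advises keeping the Whitelist short.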
IX. Spam Filtering Methods

The Barracuda Spam Firewall provides comprehensive spam-blocking for ISU. The algorithms and methods used by the Barracuda Spam Firewall are the most comprehensive and most advanced in the industry. The Barracuda Spam Firewall even includes Bayesian analysis, which has been shown to be the most effective and most accurate method of blocking spam.

The methods and techniques used by the Barracuda Spam Firewall are constantly updated (via hourly Energize Updates) to keep up with changes that spammers and virus writers are constantly making.

The Barracuda Spam Firewall provides a number of parameters that can be adjusted and tuned for your specific environment. These parameters do not have to be adjusted to obtain extremely effective spam blocking, but are available for advanced users. Some of the algorithms employed to block spam are listed below with a short description.

Blacklisting of web sites & domains
  Barracuda Central maintains an up to date list of the largest and most aggressive known spammers. This list is maintained by both Barracuda and other anti-spam groups. This list is automatically updated on each Barracuda Spam Firewall. This can be configured on a per user basis.

Keyword scanning of email
  Our scanning methods include a scoring system such that emails are scored based on a number of criteria. If the score is above a threshold, then that email is flagged as spam. The Barracuda Spam Firewall comes with default criteria and thresholds but you may change these.

Checksum technology
  Barracuda Central monitors email traffic through the Internet and uses checksum technology to keep track of the number of times a particular message has appeared on the Internet. If a message has appeared very broadly, it would be categorized as known spam. Checksums of known spam messages are utilized by the Barracuda Spam Firewall to block spam messages.

Message authenticity checking
  Several algorithms are utilized to verify the authenticity of a message. Some of these are simple checks to verify that the "from address" is authentic. Some are more complex, relating to the SMTP protocol.
Blacklists and Whitelists
  Domains, IPs, and email addresses can be blocked or Whitelisted (allowed through). These lists may be maintained on a per user basis or on a corporate basis.

Rate controls
  Rate controls are utilized to stop denial of service (DOS) attacks as well as dictionary based spam attacks. These are integrated and automatic in the Barracuda Spam Firewall.

Bayesian Algorithms
  Bayesian filters are personalized to each user and adapt automatically to changes in spam. To determine the likelihood that an email is spam, these filters use Bayesian analysis to compare the words or phrases in the email in question to the frequency of the same words or phrases in the intended recipient's previous emails (both legitimate and spam).

Spam Fingerprint Checking
  Fingerprinting techniques examine the characteristics, or fingerprint, of emails previously identified as spam and use this information to identify the same or similar email each time one is intercepted. These real time fingerprint checks are continuously updated by Barracuda Central and provide a method of identifying spam with nearly zero false positives.

Intention Analysis
  Intention Analysis is used to look at the objective or goal of the email. If the objective of the email is to sell something, try and have you click on a commercial link, or get you to take a particular action that is indicative of spam, the email will be categorized as spam.

Much of the above information was taken from the Barracuda Networks online documentation. To review the Barracuda Networks support site documentation directly, please visit: http://www.barracudanetworks.com/support/documentation.php
X. Definitions

Bayesian
  A statistical analysis tool, named after Thomas Bayes, the "mathematician who first used probability inductively and established a mathematical basis for probability inference (a means of calculating, from the number of times an event has not occurred, the probability that it will occur in future trials)." See "ISBA - The International Society For Bayesian Analysis - www.bayesian.org."

Blacklist
  A list of Email Addresses and Domains that will be blocked.

Block
  Email that will be blocked and not delivered.

Denial of Service - (DOS)
  A Denial of Service attack, or DOS, is characterized by hackers who flood a network with useless activity in order to prevent legitimate users from using a network/internet resource. The hackers create a network gridlock by breaking into multiple vulnerable computers to create zombies which they then use to stage their attacks against whichever company they want to shut down.

Firewall
  A term used to denote a security system consisting of a combination of hardware and software designed to limit the exposure of the network to attack from hackers.

Quarantine
  The special inbox where Barracuda holds email that has a numerical score falling within the range designated in the spam settings.

SMTP
  Simple Mail Transfer Protocol - This is the protocol that handles your send mail.

Spam Score
  A value of 0 through 10 applied to individual messages as configured in the Spam Settings area of Barracuda.

Tag
  The word BULK is appended to the subject line of spam messages - unused at ISU.

Whitelist
  A list of email addresses and domains that you will accept email from.
XI. Common Questions

Will I get false positives?
  The Barracuda false positive rate is one of the lowest in the industry. For any false positives, the sender will receive a bounce message indicating the email did not go through. Users can train the Bayesian filters and further reduce the occurrence of false positives.

How is Spam filtered?
  Incoming email is routed through the Barracuda Spam Firewall. Spam is tagged, quarantined or blocked based on preferences. Legitimate email is allowed through to the recipient.

What happens to quarantined email?
  Quarantined email is sent to a mailbox specified by the administrator. With the exception of viruses, email messages are stored in their entirety, and can be retrieved should the need arise. Per user quarantined email, if available (model 300 and higher), is stored on the Barracuda Spam Firewall itself.

What is Spam scoring?
  Spam scoring is the rules based system (about 4000 rules) that looks for characteristics in the email. The Spam scores are used to determine what to do with the email. They do not contribute directly to the future analysis. The rules are updated regularly.

What is Bayesian Analysis?
  Bayesian analysis also contributes to the Spam scoring. This is done using email that you flag as either SPAM or NOT SPAM in the message log.

What is Email Fingerprinting?
  Fingerprinting is the identification of exact or substantially similar email via the Barracuda Central clearing house. When an email is identified as being Spam, it is also sent to our clearing house and fingerprinted.

Is it possible to define different spam checking, rating and blocking policies for individual users?
  In the Barracuda Spam Firewall 600 model, we support per user settings, allowing users to manage their quarantine messages through their email.

How current are your spam and virus definitions?
  Spam rules and virus definitions are automatically updated on the Barracuda Spam Firewall through the Barracuda Energize Updates Subscription. Users can configure this feature to update hourly or daily. The virus definitions are kept very up to date.