1. Overview - Barracuda Campus

Transcription

1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.1 Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.1 Step 1 - How the Service Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.2 Step 2 - Initial Service Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.2.1 How to Create User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.2.2 How to Validate Your Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.2.3 How to Set Up MX Records for Domain Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.3 Step 3 - Configure Outbound Mail Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.4 Step 4 - Tune and Monitor the Default Spam and Virus Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.5 How to Migrate Your MailFoundry Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2.6 Understanding Inbound and Outbound Message Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3 Advanced Inbound Email Filtering Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.1 IP Analysis - Inbound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.1.1 Barracuda Reputation and Email Categorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.2 Content Analysis - Inbound Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.2.1 Anti-Fraud and Anti-Phishing Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.2.1.1 Link Protection FAQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.2.2 Attachment Filtering - Inbound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.2.3 Image Analysis - Inbound Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.2.4 Intent Analysis - Inbound Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.3 Bulk Email Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.4 Rate Control Inbound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.5 Understanding Advanced Threat Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.5.1 Advanced Threat Detection Sample Email Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.4 The Message Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.4.1 Message Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.4.2 Advanced Threat Detection Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.4.2.1 Understanding Advanced Threat Detection Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5 Configure Outbound Filtering Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5.1 How to Use DLP and Encryption of Outbound Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5.1.1 Medical Dictionary Source for DLP HIPAA Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5.2 Content Analysis - Outbound Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5.3 Abuse Monitoring and Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5.4 Outbound Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5.5 Outbound Filtering Policies Applied by the Barracuda Email Security Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.6 Advanced Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.6.1 Secured Message Transmission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.6.2 Sender Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.6.3 How to Configure Sender Policy Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.6.4 How to Configure Recipient Verification Using LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.6.5 How to Configure Hosted Email Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.6.5.1 How to Configure Google Apps for Inbound and Outbound Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.6.5.2 How to Configure Office 365 for Inbound and Outbound Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.7 Managing Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.8 Managing User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.8.1 Quarantine Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.9 Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.10 Barracuda Email Security Service User Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.11 How to Re-Enable a Suspended or Disabled Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.12 Troubleshooting and Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.13 How To Videos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.14 Online Service Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2
2
13
13
15
19
20
20
21
23
24
28
32
32
33
34
34
35
36
36
37
37
37
38
39
41
42
49
49
50
51
52
53
53
54
54
55
55
55
56
57
58
58
62
72
73
75
76
76
80
81
81
82
Overview
The Barracuda Email Security Service is a comprehensive and affordable cloud-based email security service that protects both
inbound and outbound email against the latest spam, viruses, worms, phishing, and denial of service attacks. Whether you manage
your own mail server such as Microsoft Exchange or use a hosted service like Microsoft Office 365, Spam and viruses are blocked
in the cloud prior to delivery to your network, saving network bandwidth and providing additional Denial of Service protection.
Once configured, view inbound and outbound email statistics on the DASHBOARD page in the web interface.
Where to Start
Step 1 - How the Service Works
Step 2 - Initial Service Setup
Step 3 - Configure Outbound Mail Scanning
Step 4 - Tune and Monitor the Default Spam and Virus Settings
Partners/Resellers: You can manage multiple Barracuda Email Security Service accounts using the drop-down selection in the
Barracuda Cloud Control web interface. See How to Manage Multiple Accounts.
Key Features
Protection against inbound malware, spam, and Denial of Service attacks.
Anti-Fraud and Anti-Phishing Protection.
Advanced Threat Detection (ATD) – Subscription-based service that analyzes inbound email attachments in a separate, secured cloud
environment to detect new threats and determine whether to block such messages.
Link Protection – Uses URL rewriting in email messages that contain links to protect from users clicking on suspicious links. Includes
Typosquatting protection. See also: Anti-Fraud and Anti-Phishing Protection.
Service is continuously updated with the latest threat definitions and software update.
Policy configuration to automatically encrypt, quarantine, or block certain outbound emails based on content, sender, or recipient.
Outbound filtering to keep sensitive data from leaving your organization while simultaneously ensuring that legitimate emails are
delivered. Create and enforce content policies to prevent credit card numbers, social security numbers, HIPAA data, customer lists, and
other private information from being sent by email.
User Guide
Barracuda Email Security Service User Guide – Easy-to-follow guide for users to manage their accounts
Release Notes
What's New in Version 2016.11
Web Interface
View ATD Reports per attachment in the ATD Log
Admins can now deliver messages blocked for ATD through the Message Log.
When delivering messages, admin needs to view the reports on blocked attachments before delivery. This provides detailed
information about why an attachment was blocked and when a threat was first detected.
Mail Processing
Managed users are now tracked independently for outbound rate limiting
Link protect system improvements.
Miscellaneous performance improvements.
What's New in Version 2016.10
Web Interface
Customers can exempt trusted sender or recipient of an email from ATD scan based on email address, domain, and / or IP address.
Fixed issue in ATD Log where certain entries remained stuck in Scanning status.
2
Mail Processing
Improved outbound virus protection.
What's New With Version 2016.9
Miscellaneous improvements and bug fixes.
Stability improvements.
Web Interface
Mail Processing
Outbound message encryption improvements.
Barracuda Reputation Block List increased efficiency.
Advanced Threat Detection is now more robust.
Quarantine notifications now include a direct link to the whitelist action. This enables users to whitelist a sender.
Web Interface
Resellers can now manage multiple accounts using the pull-down selection in the Barracuda Cloud Control web interface.
Mail Processing
Ability to scan first and then deliver messages with Advanced Threat Detection (ATD) subscription. Messages will be deferred until the
scan has completed if the scan exceeds a certain timeframe.
Improved processing efficiency.
What's New With Version 2.8.9
Web Interface and Mail Processing
Anti-Phishing Protection
Link Protect– When enabled, automatically rewrites any URL in an email message to a safe Barracuda URL, and then delivers
the message. If the user then clicks on that URL, the service evaluates it for validity and reputation. If the domain is determined
to be valid, the user is then directed to that website. This feature protects users who click URLs in email messages from being
directed to a spoofed website or otherwise revealing private information such as logins, passwords or other sensitive data. Note:
Link Protect does not properly protect URLs in plain text messages which lack a character set identifier. See also Anti-Fraud and
Anti-Phishing Protection.
Typosquatting Protection – Automatically corrects spelling of domain names that hackers miss-spell by one letter to fool the
user into thinking they are visiting a valid site by clicking the URL in an email. In reality, the domain name, misspelled, would
direct the user to a phishing site. For example, bankofanerica.com would be re-spelled correctly by the service as bankofameri
ca.com before the email is delivered to the user to protect them from being directed to a suspicious site.
Anti-Fraud Intelligence and Intent Domain Policies settings have been moved to the INBOUND SETTINGS > Anti-Phishing page.
Documentation updates.
3
Advanced Threat Detection (ATD) – The Barracuda Email Security Service now provides access to the subscription-based ATD
service. This service analyzes inbound email attachments in a separate, secured cloud environment to detect new threats and determine
whether to block such messages. See Understanding Advanced Threat Detection for details.
Spam accuracy improvements.
Web interface improvements.
Web interface improvements and fixes.
Web interface improvements.
Fixed in Version 2.8.5
Adding users with an underscore "_" in the email address and other special symbols works as expected. (BNESS-4016)
Improved Dashboard performance. (BNESS-3885)
Improved handling of message rejection in Outbound Quarantine. (BNESS-3889)
Messages are now deferred if either the virus scanner or Cloudscan are unavailable. (BNESS-3660)
Web Interface
New Dashboard Page Layout and Features Threat Origins indicates the geographical region where blocked emails originate.
Top Recipient Domains shows the volume of email received by, and average number of recipients for, each domain.
Traffic Status lets the user know when the last messages were received and delivered.
Subscription details shows when the subscription expires.
Inbound Email Statistics shows various statistics about incoming emails.
Outbound Email Statistics shows various statistics about outgoing emails.
Inbound Top Recipients shows information about the most common recipients.
Outbound Top Senders shows information about the the most common senders.
Documentation
Updated domain LDAP documentation.
Mail Processing
Mail sent to a child domain that is not managed by the Barracuda Email Security Service will be delivered to the parent domain if it is
managed by the Barracuda Email Security Service.
Spam Accuracy
Added support for Microsoft Access files in attachment filters.
Added support for archived Microsoft Office files to attachment filters.
4
Added support for archived PDF files to attachment filters.
Envelope senders with spoofed postmaster address will now be blocked.
Fix for rare occurrences of “duplicate serial” when transferring serials to new accounts. (BNESS-3676)
Account expiration warning notices now include account information. (BNESS-3449)
Web Interface
Scalability and performance improvements:
Improved web server response time. (BNESS-3491)
Spam Accuracy
Scalability and performance improvements:
Improved spam accuracy. (BNESS-3320)
Web Interface
'Empty message' text for tables with the ability to add inline will no longer be displayed. (BNESS-3440)
Reports can now be exported to CSV format. (BNESS-2779)
Messages delivered through the Message Log are now marked as UI Delivered. (BNESS-3479)
Headers of messages contain a virus display. (BNES-2739)
Spam Accuracy
Ability to use Domain Key Identified Mail (DKIM) for inbound spam blocking. (BNESS-3419, BNESS-3420, BNESS-3426)
Web Interface
Removed Subject tag from Email Categorization setting table. (BNESS-3407)
Minor behavioral changes to Message / Quarantine logs. (BNESS-3400, BNESS-3357, BNESS-3270)
Spam Accuracy
Improvements on inherited policy settings. (BNESS-3405)
General Spam Accuracy improvements. (BNESS-3346)
Web Interface
You can click the Add link to add records 'in line' from within tables throughout the web interface. (BNESS-3392)
Tables can now be sorted by some or all data columns throughout the web interface. (BNESS-3397)
New INBOUND SETTINGS > Sender Authentication page. On this page you can configure Sender Policy Framework (previously
configured on the INBOUND SETTINGS > Anti-Spam/Antivirus page).
Spam Accuracy
Option to block on missing PTR Records, configured on the INBOUND SETTINGS > Sender Authentication page. (BNESS-3383)
Message Log
The Saved Searches window now shows all saved searches. (BNESS-2890)
Web Interface
Layout improvements for tables. (BNESS-3393, BNESS-3394)
The primary tab will now remain highlighted after a refresh/reload. (BNESS-3164)
5
The USERS > Users List page now has a Next Page link at the bottom of the page. (BNESS-3349)
Web Interface
Moved location of Save and Cancel buttons in web interface. (BNESS-3307)
Replaced Help link with a 'question mark' icon ? next to the page title to click for a help pop-up window.
Message Log
Added support for "size_lt:" (message size less than <size in bytes>) search. (BNESS-1261)
Improved accuracy of "size_gt:" (message size greater than) search. (BNESS-3277)
Searching users in linked accounts in Users list works as expected. (BNESS-3329)
Browser-specific improvements in rendering web interface. (BNESS-3278, BNESS-3279)
Improved Spam Accuracy. (BNESS-3167)
Message Processing
Improved efficiency of Multilevel-Intent. (BNESS-3081)
Web Interface
Updated the web interface styling for improved look and feel, consistency.
Improved Self-Service setup wizard. (BNESS-3150)
Improved LDAP efficiency for authentication. (BNESS-3149)
Improved handling of users' policies (See USERS > Default Policy). (BNESS-2386)
Message Processing
Rate Control for inbound mail. This feature protects your mail server from spammers or spam-programs (also known as "spam-bots") that
send large amounts of email to the server in a small amount of time. See the INBOUND SETTINGS > Rate Control page to configure.
Web Interface
Updated the web interface styling for improved look and feel. There are no navigation changes.
Added support for domain verification via CNAME records or via the technical contact from the WHOIS database. See the DOMAINS pag
e or How to Validate Your Domain.
Added support for domain verification via the technical contact from the WHOIS database in the Barracuda Email Security Service Setup
wizard.
On the OUTBOUND SETTINGS> Notifications page, the Quarantine Sender Notification default setting is No. (BNESS-3043)
If the admin tries to reject a message in the OUTBOUND QUARANTINE, but has not already filled in the Reject Notification Address fi
eld on the OUTBOUND SETTINGS> Notifications page, the error message now provides a link for the admin to click to enter that email
address (BNESS-3043)
Quarantine
Outbound quarantine support enables administrators to quarantine outbound messages based on policy - see the OUTBOUND
SETTINGS > Content Policies page to configure.
Quarantined messages are moved to an inbox, on the OUTBOUND QUARANTINE page, where the administrator can export, deliver,
reject and delete messages in the list. Notification summary emails for quarantined messages can be sent to the administrator
immediately, or on a daily or weekly basis. See the OUTBOUND SETTINGS > Notifications page to configure.
6
Quarantine notifications to senders of outbound quarantined messages can be enabled by the administrator to indicate that the message
has not been delivered, and awaits evaluation by the administrator.
An NDR (non-delivery report) will be sent to senders of quarantined outbound messages that are rejected by the administrator. See the O
UTBOUND SETTINGS > Notifications page to configure.
Web Interface
With the Barracuda Express Setup, new Barracuda Email Security Service accounts have an updated setup wizard that includes Office
365 configuration.
Fixed in Version in 2.5.4
Improved message processing. (BNESS-2785)
Mail Processing
Added support for Perfect Forward Secrecy. (BNESS-2871)
"Domain Not Found" response now includes IP address. (BNESS-2817)
Improved recipient verification. (BNESS-2785)
Spam Accuracy
Improved outbound multi-level policy processing. (BNESS-2851)
Apply email chain exemptions to bulk email. (BNESS-2869)
Documentation
Enhanced documentation regarding encryption for domain settings and for CloudScan settings.
Mail Processing
Ability to 'pass through' known cloud archivers for outbound traffic. (BNESS-2865)
Improved check for adding outbound IP addresses. (BNESS-2765)
Message Log
The Whitelist ALL function works as expected on the Quarantined Delivered page. (BNESS-2807)
Web Interface
The Domain pull-down menu now only displays when necessary. (BNESS-2766)
Improved domain-level access control. (BNESS-2810, BNESS-2527)
Increased limits on access to messages that were sent to the Barracuda Message Center (Encryption Service). (BNESS-2792)
General web interface improvements. (BNESS-2435)
Fixed rare cases in which some messages were not always listed in the user Quarantine. (BNESS-2864)
Spam Accuracy
New cloud-based spam scanning engine, CloudScan, which leverages many of the spam scanning and detection techniques currently
available on the Barracuda Spam Firewall appliance, including spam scoring.
Improved ability to handle long email discussions. (BNESS-2754)
Improved response times to TLS setting changes. (BNESS-2683)
Improved handling of URL redirects. (BNESS-2381)
Improved handling of MX record lookups. (BNESS-2388)
Additional SPF information added to message headers. (BNESS-2711)
Message Log
System-wide sender block policies as put into place by Barracuda are now identified as "System Sender Policies", to distinguish them
from sender block policies as configured by administrators. (BNESS-2773)
Ability to submit categorization requests for previously uncategorized messages. (BNESS-2737)
7
Multiple improvements to the Message Log, including to its display and filtering capabilities. (BNESS-847, BNESS-1033, BNESS-2193,
BNESS-2340, BNESS-2577, BNESS-2641, BNESS-2692, BNESS-2721)
Web Interface
Ability to limit synchronization of primary and linked addresses to the current domain. Takes effect starting after the new option on the
Directory Services section of the DOMAINS > Domain Manager > Settings page is selected. (BNESS-1798)
Ability for administrators to initiate password resets for their users. (BNESS-935)
Multiple improvements to the web interface, including to the handling of entries on the Filters page. (BNESS-990, BNESS-1919,
BNESS-2104, BNESS-2394, BNESS-2704, BNESS-2718, BNESS-2720, BNESS-2724, BNESS-2726, BNESS-2733, BNESS-2742,
BNESS-2770)
Bulk deletion of users works as expected. (BNESS-2735)
Repaired report generation. (BNESS-2675)
Mail Processing
Received headers now include TLS information, when appropriate.
More detail provided for outbound message log entries when inbound side (Barracuda Email Security Service customer) blocks
messages based on a DNSBL/RBL.
Web Interface
Improved Barracuda Message Center user experience.
New outbound attachment type / extension filter.
New Whitelist option in users' quarantine confirmation screen.
Mail Processing
Improved handling of duplicate emails. (BNESS-2673)
Improved handling of HTTP queries during intent checks. (BNESS-2681)
Fixed bug in handling of bulkmail setting. (BNESS-2682)
Spam Accuracy
Allow content blocks to override defer actions found earlier in intent. (BNESS-2699)
Improved spam-accuracy around content intent. (BNESS-2700)
Continue to look for multilevel intent block action even if there is already a Defer action for the message. (BNESS-2701)
User Management
Correctly display default quarantine notification interval for users. (BNESS-1836)
Ensure deleting linked users when deleting primary user email addresses. (BNESS-1858)
Prevent creation of users that conflict with existing linked users. (BNESS-2657)
Web Interface
The Check Archives option works as expected for Inbound Attachment filter. (BNESS-1329)
Avoid local cache for certain web interface checks of customer DNS. (BNESS-2484)
Improved user/administrator session handling. (BNESS-2641, BNESS-2702)
Correct wording in Email Categories web interface elements on the INBOUND SETTINGS > Anti-spam/Antivirus page. (BNESS-2690)
Message Log
Improved message rendering. (BNESS-2558, BNESS-2697)
Improved message log search function. (BNESS-2577)
Improved Saved Searches function. (BNESS-2644)
Miscellaneous
More robust DNS queries. (BNESS-2569)
8
Mail Processing
Email Categorization. This feature gives administrators an additional way to decide what to do with various types of emails from senders
on the Barracuda Reputation Whitelist. These emails are separated into different categories such as Transactional Emails, Corporate
Emails, and Marketing Materials, each of which can have a different delivery action associated with it from the INBOUND SETTINGS >
Anti-spam/Antivirus page. See Barracuda Reputation and Email Categorization for more details.
Sender Policy Framework (SPF) Exemptions. You can exempt trusted/known IP addresses from SPF checks by clicking Add
Exemption and adding the IP address(es) and associated netmask(s) to the table. Mail from these IP addresses will still be scanned for
spam.
Optional user notification when that user's password is changed by an account or domain admin.
Saved searches now indicate the search type (inbound, outbound)
Fixed in Version 2.5
Mail Processing
Ability to block a message from the Message Details view. (BNESS-611)
Ability to exempt IP addresses from SPF checking. (BNESS-2442)
LDAP test now takes user filter into consideration. (BNESS-2618)
Improvements to the Request IP Exemption feature on the OUTBOUND SETTINGS > Abuse Monitor page. (BNESS-1317)
Domain Management
When a domain admin manages multiple domains, the Settings page shows correct information for each domain. (BNESS-2634)
Domain admins that add a new domain are automatically granted management permissions for that domain. (BNESS-1188)
Message Delivery
Encrypted messages now display only the message headers when viewed from the Message Log and when downloaded. (BNESS-720)
Redelivery for encrypted messages is now disabled. (BNESS-2076)
Delivering from a user's quarantine delivers to only that recipient. (BNESS-2589)
Avoid redelivery of empty messages. (BNESS-2431)
Now blocking mail with no subject and no body. (BNESS-2626)
Improved detection of HTTPS URLs in multi-level intent checking. (BNESS-2632)
Messages blocked due to recipient verification are now logged with action 'Blocked' and reason 'Invalid Recipient'. (BNESS-2645)
Miscellaneous
Find (and use) primary account if user logs in with linked account (BNESS-2637)
Web Interface
Improved validation of entered data, including for incorrectly-formatted domains and other entries made via bulk edit. (BNESS-943,
BNESS-2188, BNESS-2500)
The USERS> User List page now includes the total number of users, displayed in Results number above the users list. (BNESS-1028)
Statistics for messages classified as Bulk Email are now included in the Emails Processed by Action section of the BASIC > Status pa
ge. (BNESS-2509)
The Domain level Status page now only displays the information relevant to that domain. (BNESS-1086)
The User column on the INBOUND SETTINGS > Sender Policies page has been renamed to Sender. (BNESS-1424)
Added Quarantine Status column to USERS > Users List page for account and domain admins, indicating whether or not each user in
the list receives a quarantine digest (e.g. the Quarantine Notification Interval for the user is either Daily, Weekly, Custom or Never).
(BNESS-1887)
The Sender Policy time stamp now reflects the Last Modified Time of that entry. (BNESS-2161)
The version number at the bottom of the status page now links to this Release Notes page. (BNESS-1869)
Message Log
Added a Reason column to the Message Log that indicates why a message had the listed action taken with it. (BNESS-2232)
A link for each domain within the Top Domains by Volume (30 days) report on the BASIC > Status page now leads to a 30-day Message
Log search. (BNESS-856)
Expanded contents of Exported Logs. (BNESS-1266)
Quarantined items now show as yellow in the Action column. (BNESS-1760)
9
Improvements to multilevel intent analysis (BNESS-2533, BNESS-2573)
Improved LDAP synchronization of user lists (BNESS-2563)
Improved delivery of New User Welcome Emails.
Improved scanning of extracted content. (BNESS-2344)
Restored ability for all users to specify their own Quarantine Notification interval. (BNESS-2574)
Encryption honored on explicitly allowed messages. (BNESS-2462)
Addressed rare situation where mail was sent to a domain's A record entry. (BNESS-2572)
Corrected display of special characters like % and + in recipient addresses in the Message Log. (BNESS-2106)
Security
Resolved the following vulnerabilities:
High severity: Unauthenticated; remotely exploitable; account takeover; brute force [BNSEC-3196 / BNESS-2541)
Medium severity: Cross-site request forgery (CSRF) [BNSEC-2339 / BNESS-2480, BNESS-2542)
Mail Processing
Trusted Forwarders. Ability to specify one or more IP addresses of machines that you have set up to forward email (i.e. Trusted
Forwarders) to the Barracuda Email Security Service from outside sources. The Barracuda Email Security Service exempts any IP
address in this list from Rate Control, SPF checks and IP Reputation. In the Received headers, the Barracuda Email Security Service will
continue looking beyond a Trusted Forwarder IP address until it encounters the first non-trusted IP address. At this point, Rate Control,
SPF checks and IP Reputation checks will be applied. Configure on the INBOUND SETTINGS > IP Address Policies page.
Sender Policy Framework (SPF) blocking options. When enabling SPF, you must specify one of two options:
BLOCK FAIL - The SPF FAIL (also referred to as Hard Fail) response indicates that the IP address of the message sender does
not match the IP address or range of IP addresses specified in the sending domain name's SPF record, and that the real owner
of the domain has specifically indicated that such messages should be rejected (blocked) as spoofed.
BLOCK FAIL, SOFTFAIL - The SPF SOFTFAIL response indicates that the message sender's IP address does not match the
IP address or range of IP addresses specified in the sending domain name's SPF record. A SOFTFAIL means that the domain
owner did not specify how such messages should be handled. Selecting this option means that messages in either the SPF
SOFTFAIL or FAIL state are blocked.
Improved recipient verification process.
Improved spam accuracy.
Web Interface
The Blocked action in the Emails processed by action section of the STATUS page now includes the Bulk reason.
Message Log
The Date field is now included in the Message Log export file.
Improved message search performance for related domains.
Miscellaneous
Extended medical dictionary (HIPAA) for Predefined Filters (see the OUTBOUND SETTINGS > Content Policies page).
When the sender and recipient domain are both protected by the Barracuda Email Security Service, a blocked message from/to the same
domain shows the Reason for the block only in the inbound Message Log. (BNESS-2348)
On the DOMAINS > Settings page, clicking the Synchronize Now button does not product an error message if the synchronization with
the specified LDAP server is successful. (BNESS-1812)
Dynamic Bulk Email Detection. Enables taking action with messages that contain anything that looks like unsubscribe links or
unsubscribe instructions in the message body. Configurable on the INBOUND SETTINGS > Anti-Spam/Antivirus page.
Option to create exemptions for predefined filters. See the OUTBOUND SETTINGS > Content Policies page.
Ability to scan more attachment types.
10
Message Log
Added time/date as a filter in Message Log. (BNESS-2407, BNESS-2445)
Adjusted Action Reasons for increased clarity and consistency, as displayed in Message View details in the Message Log.
(BNESS-2185, BNESS-2297)
Improved rendering of messages, including those with absent or malformed content. (BNESS-2414, BNESS-2446)
Downloaded messages now include X-BESS-* headers. (BNESS-2420)
Improved search performance in the Message Log. (BNESS-2449)
Spam Accuracy
Improved detection of suspect URLs in message body. (BNESS-2443)
Improved interaction between Trusted Forwarder and Sender Policy Framework (SPF). (BNESS-2459)
Mail Processing
All messages going through the Barracuda Email Security Service will now be subject to a size limit of 300MB. (BNESS-1082)
Enhancements to spam detection, including improved URL scanning and handling of embedded URLs.
Improved support for customer domains that rely on suspect nameservers. (BNESS-2419)
Improved handling of emails sent to multiple recipients of different suspect domains. (BNESS-2426)
Improved outbound TLS functionality. (BNESS-2428)
Search
Ability to search through MIME-encoded From, To, Subject header fields (only for messages received using version 2.3.5 and later).
(BNESS-2370)
Administration
Confirmation now required when deleting users. (BNESS-2400)
"451 possible mail loop" events are now logged. (BNESS-2311)
Web Interface
Improved performance when displaying information for accounts with a large number of emails. (BNESS-2415)
Improved display of messages encoded in UTF-8. (BNESS-2418)
Filtering for aliases (on the USERS > Users List page) is no longer case sensitive. (BNESS-2434)
Handling of emails with lines greater than 990 characters. (BNESS-2187)
Whitelist function in the Users' Message Log. (BNESS-2408)
Improved Spam Accuracy
Enhanced the algorithms for detecting spams in attachments, multi-level intent, and URL detection.
LDAP Support Enhancements
New User Filter setting in the Directory Services section of DOMAINS > Domain Settings page. This allows the administrator to better
manage which accounts should be synced with the LDAP server.
Administration
Ability to disable notifications when adding aliases (linked addresses) to user accounts. (BNESS-2308)
Miscellaneous
Support for using CNAMEs in PTR records. IP addresses that resolve to a CNAME record can now be used as an outbound IP address,
avoiding lack of Reverse DNS errors. (BNESS-2294)
Enhancements
11
Message Log
Improved layout for usability. (BNESS-2306)
Updated the Reason filters. (BNESS-1244)
Various documentation updates. (BNESS-2323, BNESS-2322, BNESS-1005)
Improved font size consistency in Quarantine Notifications. (BNESS-2325)
Improved deferral deduplication with multi-recipient messages. (BNESS-2355)
Message Log
Long domain or email address entries do not run into the Policy column. (BNESS-1009)
The Message Log properly displays large HTML-rich messages. (BNESS-2279)
The Saved Searches section has been moved to the right of Advanced Filters. (BNESS-2270)
Improved search performance. (BNESS-946)
Improved description of multilevel/intent action reasons
URL blocking for Multi-Level Intent is correctly reported. (BNESS-2295)
Quarantine Notifications
Improved rendering of non-English text in Subject and From fields.
Quarantine Notifications render character encodings as expected. (BNESS-1036), (BNESS-1767)
Enhancements
Length of domain names is now limited. (BNESS-1126)
When a domain administrator adds a new domain, it is immediately visible in the domain administrator's view. (BNESS-1188)
Fixes:
Count for graph Emails processed in the last 30 days no longer repeat when the range is 0k - 3k. (BNESS-1026)
Email notification to alias (Linked) address is no longer blocked when UnManaged Users are set to BLOCK. (BNESS-1098)
One alias email address cannot be linked to multiple BESS users. (BNESS-2194)
The Return to Previous Page link in the Printable View works as expected. (BNESS-2272)
Destination server priority defaults to the current priority instead of 10. (BNESS-2293)
Selecting (No Content) messages and clicking the SPAM button works as expected. (BNESS-2296)
Clicking the SPAM button for a selected message does not show the message as Delivered in the Message Log. (BNESS-2305)
Trying to deliver a blocked message changes the Delivery Status in the Message Log list and in the Message Details page as expected.
(BNESS-2315)
Immediate notification in web interface if an IP address the admin enters is on the BRBL. (BNESS-2206)
Message Content Filter matching attachments works as expected for PDFs. (BNESS-2115)
Predefined Filtering blocks PDF attachments containing a valid credit card number, as expected. (BNESS-2170)
LDAP syncing of user names works as expected, preventing incorrect blocking of legitimate users when UnManaged Users is set to
BLOCK. (BNESS-2286)
When a message includes a domain which indicates suspicious intent, then Multi-Level Intent correctly defers the message instead of
blocking it. (BNESS-2300)
The IP address owner is correctly identified when applying outbound rate control. (BNESS-2317)
Enhancements to the Message Log functionality including:
Sender's email address is now displayed in the From column instead of display name. (BNESS-2212)
Resizable columns. (BNESS-1825)
Message preview pane, which can be configured for location on the screen or can be turned off.
Double clicking on a message now opens a new web page.
Ability to edit Mail Server configuration. (BNESS-1856)
Ability to define action (Defer, Block, Quarantine, or No Action) on Multi-Level Intent scanning from the INBOUND SETTINGS >
Anti-Spam/Antivirus page. (BNESS-2247)
Ability to print Message Log & Help screens. (BNESS-2251)
Support for multiple Barracuda Cloud Control accounts. (BNESS-2264)
12
Ensure duplicate entries are not being created (BNESS-987) E
Email addresses that have underscores work as expected. (BNESS-2216)
Ensure rate control is applied even to trusted forwarders. (BNESS-2215)
PTR records are cached correctly. (BNESS-2143)
Getting Started
In this Section
How to Migrate Your MailFoundry Account
Understanding Inbound and Outbound Message Flow
Related Articles
How to Configure Google Apps for Inbound and Outbound Mail
How to Configure Office 365 for Inbound and Outbound Mail
The Barracuda Email Security Service is a pass-through service, accepting connections from a mail server, getting the initial "rcpt to" line and
connecting to the destination mail server. The service then monitors the data stream for any spam or virus content and applies policies you
configure in the web interface.
Barracuda recommends understanding the concepts described in this article before customizing the Barracuda Email Security Service.
Connection Management Layers
Connection Management layers identify and block unwanted email messages before accepting the message body for further processing. For the
average small or medium organization, you can block more than half of the total email volume using Connection Management techniques.
Extremely large Internet Service Providers (ISPs) or even small web hosts, while under attack, may observe block rates at the Connection
Management layers exceeding 99 percent of total email volume.
Denial of Service Protection
The Barracuda Email Security Service receives inbound email on behalf of the organization, insulating your organization's mail server from
receiving direct Internet connections and associated threats. This layer does not apply to outbound mail.
Rate Control
Automated spam software can be used to send large amounts of email to a single mail server. To protect the email infrastructure from these
flood-based attacks, the Barracuda Email Security Service counts the number of recipients from a sender to a domain during a 30 minute interval
and defers the connections once a particular threshold is exceeded. Inbound Rate Control is a threshold for the number of recipients a domain is
willing to receive from a sender (a single IP address) during a 30 minute interval. Inbound Rate Control is configurable while Outbound Rate
Control is set automatically by the Barracuda Email Security Service.
IP Analysis
After applying rate controls based on IP address, the Barracuda Email Security Service performs analysis on the IP address of email based on the
following:
13
Barracuda Reputation – Leverages data on network addresses and domain names collected from spam traps and throughout other
systems on the Internet. The sending histories associated with the IP addresses of all sending mail servers are analyzed to determine the
likelihood of legitimate messages arriving from those addresses. Incoming connection IP addresses are compared to the Barracuda
Reputation list, if enabled, and connections from suspicious senders are dropped.
External blocklists – Also known as real-time blocklists (RBLs) or DNS blocklists (DNSBLs). Several organizations maintain external
blocklists of known spammers.
Allowed and blocked IP address lists – Customer-defined policy for allowed and blocked IP addresses. By listing trusted mail servers
by IP address, administrators can avoid spam scanning good email, reducing processing requirements and eliminating the chance of
false positives. Likewise, administrators can define a list of bad email senders for blocking. In some cases, it may be necessary to use the
IP blocklists to restrict specific mail servers as a matter of policy rather than as a matter of spam protection.
Sender Authentication
Declaring an invalid "from" address is a common practice used by spammers. The Barracuda Email Security Service Sender Authentication layer
uses a number of techniques on inbound mail to both validate the sender of an email message and apply policy. Sender Policy Framework (SPF)
tracks sender authentication by having domains publish reverse MX records to display which machines are designated as mail sending machines
for that domain. The recipient can check those records to make sure mail is coming from a designated sending machine.
Mail Scanning Layers
Virus Scanning
The most basic level of mail scanning is virus scanning. The Barracuda Email Security Service utilizes three layers of virus scanning and
automatically decompresses archives for comprehensive protection. By utilizing virus definitions, Barracuda Email Security Service customers
receive the best and most comprehensive virus and malware protection available. The three layers of virus scanning of inbound and outbound
mail include:
Powerful open source virus definitions from the open source community help monitor and block the latest virus threats.
Proprietary virus definitions, gathered and maintained by Barracuda Central, our advanced 24/7 security operations center that works to
continuously monitor and block the latest Internet threats.
Barracuda Real-Time System (BRTS). This feature provides fingerprint analysis, virus protection and intent analysis. When enabled, any
new virus or spam outbreak can be stopped in real-time for industry-leading response times to email-borne threats. BRTS allows
customers to report virus and spam propagation activity at an early stage to Barracuda Central. Virus Scanning takes precedence over all
other mail scanning techniques and is applied even when mail passes through the Connection Management layers. As such, even email
coming from exempt IP addresses, sender domains, sender email addresses, or recipients are still scanned for viruses and quarantined if
a virus is detected.
Additionally, Barracuda offers the subscription-based Advanced Threat Detection (ATD) service, a cloud-based virus service that applies to
inbound messages. ATD analyzes email attachments in a separate secured cloud environment to detect new threats and determine whether to
block such messages.
Barracuda Antivirus Supercomputing Grid
An additional, patent-pending layer of virus protection offered by the Barracuda Email Security Service is the Barracuda Antivirus Supercomputing
Grid, which can protect your network from polymorphic viruses. Not only does it detect new outbreaks similar to known viruses, it also identifies
new threats for which signatures have never existed using "premonition" technology.
Intent Analysis
All spam messages have an "intent" – to get a user to reply to an email, to visit a website, or to call a phone number. Intent analysis involves
researching email addresses, web links and phone numbers embedded in email messages to determine whether they are associated with
legitimate entities. Frequently, Intent Analysis is the defense layer that catches phishing attacks. When enabled, the Barracuda Email Security
Service applies various forms of Intent Analysis to both inbound and outbound mail, including real-time and multi-level intent (or 'content')
analysis. Multi-level intent is the process of identifying URLs in an email message body that redirect to known spam or malware sites.
Advanced Spam Detection
You can configure spam detection for custom categories by setting a content type score. This score ranges from 0 (definitely not spam) to 10
(definitely spam). Based on this score, the Barracuda Email Security Service blocks messages that appear to be spam. These messages display
in the user's Message Log with the category responsible for the block.
Predictive Sender Profiling
14
When spammers try to hide their identities, the Barracuda Email Security Service can use Predictive Sender Profiling to identify behavior of all
senders and reject connections and/or messages from spammers. This involves looking beyond the reputation of the apparent sender of a
message, just like a bank needs to look beyond the reputation of a valid credit card holder of a card that is lost or stolen and used for fraud. Some
examples of spammer behavior that attempts to hide behind a valid domain, and the Barracuda Email Security Service features that address
them, include the following:
Sending too many emails from a single network address – Automated spam software can be used to send large amounts of email from a
single mail server. Through Rate Control the Barracuda Email Security Service limits the number of connections made from any IP
address within a 30 minute time period. Violations are logged to identify spammers. Inbound Rate Control is configurable while Outbound
rate control is set automatically by the Barracuda Email Security Service.
Attempting to send to too many invalid recipients – Many spammers attack email infrastructures by harvesting email addresses. Recipient
Verification on the Barracuda Email Security Service allows the system to automatically reject SMTP connection attempts from email
senders that attempt to send to too many invalid recipients, a behavior indicative of directory harvest or dictionary attacks.
Registering new domains for spam campaigns – Because registering new domain names is fast and inexpensive, many spammers switch
domain names used in a campaign and send blast emails on the first day of domain registration. Realtime Intent Analysis on the
Barracuda Email Security Service is typically used for new domain names and involves performing DNS lookups and comparing DNS
configuration of new domains against the DNS configurations of known spammer domains.
Using free Internet services to redirect to known spam domains – Use of free websites to redirect to known spammer websites is a
growing practice used by spammers to hide or obfuscate their identity from mail scanning techniques such as Intent Analysis. With
Multi-level Intent Analysis, the Barracuda Email Security Service inspects the results of web queries to URIs of well-known free websites
for redirections to known spammer sites.
Notifications
The Barracuda Email Security Service sends out two kinds of notifications:
Quarantine Digest – For email recipients listed in the Barracuda Email Security Service database, a notification email containing a
summary of quarantined email is sent to their email address at an interval you specify for users.
Attachment Blocking for Content – A notification is sent to the message sender when it is blocked due to attachment content filtering.
Monitored Outbound Email Volume
The Barracuda Email Security Service monitors the volume of outbound email from the system to the Internet. If the volume exceeds normal
thresholds during any given 30 minute interval, the Rate Control function will take effect, causing all outbound mail to be deferred until the end of
the 30 minute time frame. The outbound mail flow then continues unless the volume is exceeded again in the next 30 minute interval. If so, Rate
Control is again triggered and outbound mail is deferred until the end of the time frame. The allowable volume of outbound mail for an IP address
can potentially be increased if the user clicks Request Increased Limit on the OUTBOUND Settings > Abuse Monitor page. The request is
reviewed by Barracuda Networks to determine whether to increase the limit on the rate of outbound mail. If this situation occurs frequently for a
particular sending IP address, that IP address is listed in the OUTBOUND Settings > Abuse Monitor page in the IP Addresses With Recent
Abuse table.
Continue with Step 2 - Initial Service Setup.
The Barracuda Email Security Service connects with your network from various IP addresses, including performing LDAP lookups. To
ensure that the service can connect with your network,
Allow traffic originating from the IP range 64.235.144.0/20
Block all port 25 traffic except for that originating from the IP range 64.235.144.0/20
Where relevant, verify your network subnet is granted access to your mail server ACL and LDAP server
Before you can connect the Barracuda Email Security Service to Barracuda Cloud Control, you must first create an account:
1.
2.
3.
4.
If you do not have a Barracuda Cloud Control account, go to https://login.barracudanetworks.com/ and click Create a user.
Enter your name, email address, and company name, and specify whether this is a partner account. Click Create User.
Follow the instructions emailed to the entered email account to log in and create your Barracuda Cloud Control account.
After submitting your new account information, the Account page displays your account name, associated privileges, and username.
If you have a Barracuda Cloud Control account:
1. Go to https://login.barracudanetworks.com/ and enter your Barracuda Cloud Control credentials.
2.
15
2.
3.
4.
5.
Click Email Security in the left pane, click Start Email Security setup, and follow the onscreen steps to get started.
Enter your credit card and billing information, and click Place Order. An email confirmation is sent to the address of record.
Once the setup process is complete, click Launch Barracuda Cloud Control.
You are redirected to Barracuda Cloud Control.
Step 1. Ensure Connectivity and Redundancy
Open your firewall ports to allow the IP address range 64.235.144.0/20
Where relevant, verify your network subnet is granted access in the ACL on your mail server (and LDAP server, for that matter)
Block all port 25 traffic except for that originating from the Barracuda Email Security Service IP address range 64.235.144.0/20
Step 2. Launch the Barracuda Email Security Service Setup Wizard
1. In the login screen, enter your Barracuda Cloud Control credentials, and click Sign In.
2. The Barracuda Email Security Service Dashboard displays. Click the Wizard link at the top of the page to use the setup wizard.
Alternatively, you can click the Domains tab to use the web interface to manually configure domains and settings.
3. In the Setup Wizard, click Get Started. The Specify Primary Email Domain page displays. Enter the primary email domain you want to
filter, for example:
cudaware.com
4. Click Next. The Specify Email Servers page displays. Enter the mail server hostname (FQDN) or IP address for the domain entered in
the previous step, for example:
cudaware-com.mail.protection.outlook.com
If the Barracuda Email Security Service Setup wizard has already identified your mail server IP based on the MX record, the M
ail Server field pre-populates.
5. Click Add. Enter an email address to test the server configuration, and click Test All Mail Servers.
6. Once the mail server is verified, the Verified (
) icon displays in the status column and a confirmation message displays at the top of
the page.
7. Click Next. The Configure Settings page displays. Select from the following options:
a. Virus Protection – Set to On to direct the Barracuda Email Security Service to detect and block viruses on inbound email.
b. Spam Protection – Set to On to direct the Barracuda Email Security Service to evaluate inbound mail for spam based on a
score assigned to each processed message. When set to Off inbound mail is not scanned for spam.
c. Spam Scoring – Set Spam Protection to On to enable Spam Scoring. Scoring ranges from 1 (definitely not spam) to 10
(definitely spam). Setting a score of '1' blocks most legitimate messages while setting a score of '10' allows more messages
through the system. Based on this score the Barracuda Email Security Service blocks messages that appear to be spam and
logs these messages in the user's Message Log with Score as the reason for the block.
The following features, configured on the INBOUND SETTINGS > Anti-Spam/Antivirus page, are enabled when Spa
m Protection is set to On:
• Barracuda Reputation Block List (BRBL) – Database of IP addresses manually verified to be a noted source of
spam.
• Barracuda Real-Time System (BRTS) – Advanced service to detect zero-hour spam and virus outbreaks even
where traditional heuristics and signatures to detect such messages do not yet exist.
• Sender Policy Framework (SPF) – Block Fail is disabled.
• Barracuda Anti-Fraud Intelligence – Barracuda Networks anti-phishing detection which uses a special Bayesian
database for detecting Phishing scams.
• Intent Analysis – Blocking based on intent analysis.
• CloudScan Scoring – A cloud-based spam scanning engine which assigns a score to each message processed
ranging from 0 (definitely not spam) to 10 (definitely spam).
8. Click Next. The Route Email Through Barracuda page displays.
9. To verify your domain, replace your current MX records with the Barracuda Email Security Service Primary and Backup MX records
displayed on the page.
During the evaluation period, to complete the verification process but allow your legitimate mail to continue using your current
mail server, you can add the MX records with a low priority, for example, 99.
Some mail may appear in the Message Log after making this MX record change as spammers routinely send mail to all MX
16
records for a domain.
Once you have made the change to your MX records, return to the Route Email Through Barracuda page and click Verify
MX Records. The Barracuda Email Security Service should see the changes made and verify your domain. If the domain does
not verify correctly, verify that your MX changes are live. You can do this by using the following sites that return your MX
information:
http://mxtoolbox.com/
https://toolbox.googleapps.com/apps/dig/ (select the MX option)
If your domain's MX records do not display in the Barracuda Email Security Service MX records, you must wait until they
display before your domain can be verified.
10. If you only want to route your inbound mail through the Barracuda Email Security Service and not your outbound mail, select I do not
want to route my e-mail through Barracuda at this time , and select the verification option:
a. CNAME Records – To use the CNAME records method to verify the domain ownership:
i. Log in to your DNS Server and, under this domain, create a subdomain whose name is created by concatenating
'barracuda' and the CNAME token shown in the Route Email Through Barracuda page. For example:
barracuda30929916985.corpdomain.com
ii. Point the CNAME record of that subdomain to ess.barracuda.com
Allow the DNS propagation to take effect before proceeding.
iii. Click Confirm Validation in the Route Email Through Barracuda page.
b. Email to Postmaster – This method sends a verification email to the postmaster email address for your domain. The
confirmation email includes a link that the recipient must click to verify the domain. Click Send Email.
c. Email to Technical Contact – This method sends a verification email to the technical contact email address, if it exists, listed on
your domain's WHOIS entry. This verification option is not available if the Barracuda Email Security Service cannot find your
domain's WHOIS entry. Click Send Email. If there is not a technical contact, only the MX Records and Email to the
Postmaster options display on this page.
11. Click Next.
12. The Confirmation page displays. Confirm domain ownership, and then click Done.
Important
If you have Sender Policy Framework (SPF) checking enabled on your mail server or network, it is critical when using the Barracuda
Email Security Service that you either disable SPF checking in the service OR add the Barracuda Email Security Service IP range
64.235.144.0/20 to your SPF exemptions. If this is not done, your SPF checker will block mail from domains with an SPF record set to B
lock. This is because the mail will be coming from a Barracuda Email Security Service IP address which is not in the sender's SPF
record. For more information about SPF, see Sender Authentication.
Step 3. Set Up User Accounts
You can add users manually or use LDAP authentication to automatically synchronize the Barracuda Email Security Service with your LDAP
server. To create a few test accounts during the evaluation period, use the Manually Add Users steps below.
Decide how you want to use quarantine:
Global quarantine – When selected, the administrator monitors the Message Log for quarantined mail and decides whether or not it is
spam.
Per-user quarantine – When selected, users have quarantine accounts and can decide whether or not mail is spam. Set up several
users for the evaluation and test the results. This option requires more initial effort to set up user accounts, possibly with sync to your
LDAP server, but less work for the administrator over time since users manage their quarantined mail.
Quarantine Type
Create User Accounts
Manages Quarantine?
User can Create
Sender Exempt/Blocklist
Global
No
Admin
No
Per-user
Yes
User
Yes
1. If you select Global quarantine, there is no need to create user accounts.
2. If you select Per-user quarantine, then from the USERS > Add/Update Users page manually add a few test accounts, and set Enable
17
2.
User Quarantine to Yes. The first time the Barracuda Email Security Service receives an email for that user and the message is
quarantined, the user receives a quarantine notification email at the scheduled quarantine notification interval. Depending on how you
configure the quarantine notification interval on the USERS > Quarantine Notification page, the user receives a quarantine digest at a
specified time.
LDAP Synchronization
Click to set up LDAP authentication...
Automatically create user accounts for all users in the domain based on your LDAP directory.
Important
The Barracuda Email Security Service connects with your network from various IP addresses, including performing LDAP lookups.
To ensure that the service can connect with your network, allow traffic originating from this range of network addresses:
64.235.144.0/20
1. Click DOMAINS, and click Settings in the Actions column for the desired domain.
2. In the DOMAINS > Domain Settings page, scroll to the Directory Services section, and enter your LDAP settings:
a. LDAP Host – LDAP lookup server. If this setting is a hostname, and is contained in multiple A records, or multiple
space-separated hosts are provided, then fail-over capabilities will be available if the Barracuda Email Security Service is
unable to connect to one of the machines listed here.
b. Port – Port used to connect to the LDAP service on the specified LDAP server. Typically port 389 is used for regular LDAP
and LDAP using the STARTTLS mode for privacy. Port 636 is assigned to the LDAP over SSL/TLS (LDAPS) service.
c. Use SSL (LDAPS) – By default, LDAP traffic is transmitted unsecured. Set to Yes to use Secure Sockets Layer (SSL) /
Transport Layer Security (TLS) technology to make LDAP traffic confidential and secure.
d. Bind DN/Username – Username used to connect to the LDAP service on the specified LDAP server. If of the form accountn
[email protected], the username is transformed into a proper LDAP bind DN when accessing the LDAP server, for
example, CN=accountname,CN=users,DC=domain,DC=com. Sometimes the default transformation does not generate a
proper bind DN. In such cases, you must enter a fully formed and valid bind DN.
e. Bind Password – Password used to connect to the LDAP service on the specified LDAP server.
f. Base DN – Base DN directory. This is the starting search point in the LDAP tree. The default value looks up the
defaultNamingContext top-level attribute and uses it as the search base. For example, if your domain is test.com and your
Base DN is dc=test,dc=com.
g. Authentication Filter – Filter used to look up an email address and determine if it is valid for this domain. The filter consists
of a series of attributes that might contain the email address. If the email address is found in any of those attributes, then the
account is valid and is allowed by the Barracuda Email Security Service.
h. User Filter – Filter used to limit the accounts that the Barracuda Email Security Service creates when an LDAP query is
made. For example, limit the LDAP synchronization to users in sub-domains using the mail= parameter, or synchronize
user-objects in a specific organizational unit (OU) using the ou= parameter. Each type of LDAP server has specific query
syntax, so consult the documentation for your LDAP server. See the Microsoft TechNet article LDAP Query Basics for LDAP
query syntax and examples.
Example: The list of valid users in your directory server includes 'User1', 'User2', 'User3', 'BJones', 'RWong', and 'JDoe', and
you create the User Filter (name=*User*). In this case, the service only creates accounts for 'User1', 'User2', and 'User3'.
i. Custom User Filter – Set to Yes to limit newly synchronized email users and linked email users to this one domain.
j. Mail Attributes – Attribute in your LDAP directory that contains the user's email address.
k. Testing Email Address – Valid email address for use in testing LDAP settings. When left blank, LDAP settings are only
tested for connection.
l. Synchronize Automatically – Set to Yes to automatically synchronize your LDAP users to the Barracuda Email Security
Service database on a regular basis for recipient verification. With Microsoft Exchange server, the synchronization is
incremental. When set to No, you must click Synchronize Now at the top of the section to manually synchronize your LDAP
users to the Barracuda Email Security Service database.
m. Use LDAP for Authentication – Set to Yes to enable LDAP for user login authentication. Set to No if your LDAP server will
be unavailable for a period of time.
3. In the Advanced Configurations section, set Sender Rewriting Scheme (SRS) to On to direct the Barracuda Email Security
Service to rewrite the Envelope FROM address of inbound messages so that they appear to come from Barracuda Networks rather
than the original sender. This is useful if you are using a hosted email service that cannot turn off Sender Policy Framework (SPF)
checking. For more information, see Sender Policy Framework.
4. Click Save Changes.
The first time the Barracuda Email Security Service receives a Not Allowed email for a valid user, the service does the following:
18
Uses the email address of the recipient as the username of the account and auto-generates a password. If Use LDAP for
Authentication is set to No on the DOMAINS > Domain Settings page, the user receives an email with the login
information so they can access their quarantine account, otherwise, the user can use single sign-on via LDAP lookup.
Places the quarantined message in the account holder’s quarantine inbox.
Sends a quarantine summary report to the account holder at the specified notification interval, as set on the USERS
> Quarantine Notification page. If Allow users to specify interval is set to Yes on this page, then the quarantine
summary report is sent to the user on the schedule specified on the SETTINGS > Quarantine Notification page once they
log into their account. The default is Daily.
Manually Add Users
Click to manually add users...
1. Go to USERS > Add/Update Users.
2. In the User Accounts field, enter each user email address for the domain on a separate line, and then select from the following
options:
a. Enable User Quarantine – All emails for the user which meet the configured block policy go to the user's quarantine
account.
Depending on how you have configured the quarantine notification interval on the USERS > Quarantine
Notification page, the user receives a quarantine digest at a specified time. From the USERS > Quarantine
Notification page you can also allow the user to set their own quarantine notification interval.
b. Notify New Users – When set to Yes, users receive a welcome email when the account is created.
3. Click Save Changes. The users are added to the USERS > Users List table where you can select from the following actions:
a. Edit – Click to specify domains this user can manage.
b. Reset – Click to send the user an email with instructions on how to reset their account password.
c. Log in as this user – Click to view or change the user's settings (for example, quarantine notifications), view/manage the
domains this user manages, and view/search/manage the user's Message Log.
d. Delete – Click to remove the user account.
The first time the Barracuda Email Security Service receives an Allowed email for a non-existent user at a domain configured for
the service, if that same recipient receives a second email within six days, a new user account is created. This method of new
account creation does not use LDAP lookup, and the user receives an email from the Barracuda Email Security Service with their
login information so they can access their quarantine account.
Continue with Step 3 - Configure Outbound Mail Scanning.
How to Create User Accounts
Local User Accounts
From the USERS > User List page you can manually add, update, or delete local user accounts in the Barracuda Email Security Service if you
are not using LDAP, or if you just want to create a few test accounts.
The first time the Barracuda Email Security Service receives an email for that user and the message is quarantined, and if Enable User
Quarantine is set to Yes on the USERS > Add/Update Users page, the user receives a quarantine notification email at the scheduled quarantine
notification interval. Depending on how you configure the quarantine notification interval on the USERS > Quarantine Notification page, the user
receives a quarantine digest at a specified time. From the USERS > Quarantine Notification page you can also allow the user to set their own q
uarantine notification interval.
If Notify New Users is set to Yes on the USERS > Add/Update Users page, the user receives a welcome email when the account is created.
The welcome email is only sent to a user when an account is manually created.
LDAP Accounts
Automatically create user accounts for all users in the domain based on your LDAP directory. This allows the Barracuda Email Security Service to
19
validate the receiving email address of a message against your LDAP server before creating an account. See How to Configure Recipient
Verification Using LDAP for details. Once configured, if Synchronize Automatically is set to Yes on the DOMAINS > Domain Settings page, th
e user list is synchronized with your LDAP server on a regular basis.
The first time the Barracuda Email Security Service receives a Not Allowed email for a valid user, the service does the following:
1. Uses the email address of the recipient as the username of the account and auto-generates a password. If Use LDAP for
Authentication is set to No on the DOMAINS > Domain Settings page, the user receives an email with the login information so they
can access their quarantine account. Otherwise the user must use single sign-on via LDAP lookup.
2. Places the quarantined message in the account holder’s quarantine inbox.
3. Sends a quarantine summary report to the account holder at the specified notification interval, as set on the USERS > Quarantine
Notification page. If Allow users to specify interval is set to Yes on this page, then the quarantine summary report is sent to the user
on the schedule specified on the SETTINGS > Quarantine Notification page once they log into their account. Default is Daily.
The first time the Barracuda Email Security Service receives an Allowed email for a nonexistent user at a domain configured for the service, if
that same recipient receives a second email 1-6 days later, a new user account is created. This method of new account creation does not use
LDAP lookup, and the user receives an email from the Barracuda Email Security Service with their login information so they can access their
quarantine account.
How to Validate Your Domain
Before you can route mail for your domain through the Barracuda Email Security Service, you must verify ownership of the domain. If you didn't
already do this through the Setup wizard, see the DOMAINS page and click on Verify in the Status column next to your domain. Choose one of
the following methods for ownership verification.
MX Records
See How to Set Up MX Records for Domain Verification.
Additional Verification Options
If you only want to route your inbound mail through the Barracuda Email Security Service and not your outbound mail, select I do not want to
route my e-mail through Barracuda at this time, and then select the verification method:
CNAME Validation
Email to the Postmaster
Email to Technical Contact
CNAME Validation
You must have access to your DNS server to use this verification method.
1. To use the CNAME records method to verify the domain ownership, log in to your DNS Server and, under this domain, create a
subdomain whose name is created by concatenating 'barracuda' and the CNAME token shown in the Route Email Through Barracuda
page. For example: barracuda30929916985.mydomain.com
2. Point the CNAME record of that subdomain to ess.barracuda.com
3. Click Confirm Validation in the Route Email Through Barracuda page.
Email to the Postmaster
This method sends a verification email to the postmaster email address for your domain. The confirmation email includes a link that the recipient
must click to verify the domain.
Email to Technical Contact
This method sends a verification email to the technical contact email address, if it exists, listed on your domain's WHOIS entry. This verification
option is not available if the Barracuda Email Security Service cannot find your domain's WHOIS entry. If there is not a technical contact, then only
the MX Records and Email to the Postmaster options displays on this page.
20
How to Set Up MX Records for Domain Verification
Begin by adding each domain for which you want the Barracuda Email Security Service to filter email on the DOMAINS page. Each of the
domains must be verified by the Barracuda Email Security Service for proof of ownership. After adding a domain, the DOMAINS > Domain
Verification page will prompt you to select one of three ways to verify the domain ownership. To use the MX Records method:
1. Click the (Verify) link for your newly added domain on the DOMAINS page.
2. Click the radio button for the MX records.
3. Replace your current MX records with the BESS MX records displayed on the verify page.
NOTE: If you want to first test the Barracuda Email Security Service, or you just want to be careful moving your mail to the Barracuda
service, then just ADD the MX records with a LOW priority (99 for example). This will allow you to complete the verification process, but
your legitimate mail will still use your current mail server.
For example:
mydomain.com. 21600 IN MX 10 mailserver1.mydomain.com.
mydomain.com. 21600 IN MX 15 mailserver2.mydomain.com.
mydomain.com. 21600 IN MX 99 xxxxxxx.ess.barracudanetworks.com.
mydomain.com. 21600 IN MX 99 xxxxxxx.ess.barracudanetworks.com.
It is possible that you may see some mail in the Message Log after making this MX record change. This is because spammers routinely
send mail to all MX records for a domain.
Once you have made the change to your MX records, return to the verification page in the Barracuda Email Security Service and click Next. The
Barracuda Email Security Service should see the changes made and verify your domain. If the domain does not verify correctly, please check that
your MX changes are live. You can do this by using the following sites that return your MX information:
If your domain's MX records are not yet showing the Barracuda Email Security Service MX records, then you will need to wait until they do before
your domain can be verified.
To view the MX record configuration or mail statistics for a verified domain, click the Settings link in the table for your domain on the Domains
Manager page.
Important
Before using the Barracuda Email Security Service outbound filter, go to http://barracudacentral.org/lookups and verify that your
outbound IP address is not on the Barracuda Reputation list. If it is present on the list, contact Barracuda Technical Support and
request removal before using the outbound service.
You can configure the Barracuda Email Security Service to simultaneously scan both inbound and outbound mail. Use the steps in this article to
enable outbound mail spam and virus scanning.
Step 1. Add Valid Sender IP Address Ranges
1. Log in to the Barracuda Email Security Service, and go to OUTBOUND SETTINGS > Sender IP Address Ranges.
2. Enter the IP Address and Domain Name (logging domain) and optional Comment for IP address ranges allowed to send outgoing email
from your domains, and click Add. Note that each mail server must contain a reverse DNS PTR record.
Add all IP addresses from which outgoing mail is allowed to flow through the Barracuda Email Security Service. The Logging Domain is the
domain name that appears in the Message Log as the sending domain for the associated IP address.
21
Important
To assure Barracuda Networks is the authorized sending mail service for outbound mail recipients, review your domain's Sender Policy
Framework (SPF) record. SPF is an open standard specifying a method to prevent sender address forgery. See Sender Authentication f
or more information. If you have an SPF record set up for your domain, edit the existing record and add the following to the INCLUDE lin
e for each domain sending outbound mail: include:spf.ess.barracudanetworks.com
If you do not have an SPF record set up for your domain, use the following value to create a TXT record that creates a SOFTFAIL SPF
for your domain: v=spf1 include:spf.ess.barracudanetworks.com ~all
Step 2. Configure Your Mail Server or Smart Host
Complete the following steps for each domain from which you are relaying outbound mail:
1. Log in to the Barracuda Email Security Service, and go to DOMAINS > Domain Manager.
2. Note the Outbound Hostname for the domain that is to relay outbound mail.
3. Specify this value in your mail mail server or smart host.
Step 3. Verify Mail is Flowing
1. Log in to the Barracuda Email Security Service.
2. In the DASHBOARD page verify inbound and outbound messages are being logged for the selected domain.
You can also click MESSAGE LOG to view inbound and outbound email traffic. Use the filters to refine your search. See The
Message Log for more information on message filtering.
Table 1. Outbound Mail Settings.
Feature
Description
Related Articles
Outbound Mail Scanning
Outbound Quarantine
All messages routed through the
Barracuda Email Security Service
are subject to a 300MB size limit.
This includes all headers, body,
and attached content.
Outbound mail scanning includes:
Spam Scanning with Block or
Quarantine actions
Virus Scanning
IP Address Filtering
Sender Domain, Username or Email
Address Filtering
Recipient Email Address Filtering
Content Filtering (Subject, Header and
Body) with Block, Allow, Encrypt, or
Quarantine actions
Attachment Filtering
Intent Analysis
The following tools are not applied to
outbound mail:
IP Reputation, a sender authentication
mechanism
Sender Policy Framework (SPF), a
sender authentication mechanism
DomainKeys (DKIM) inspection
Exempt/blocklist
22
Outbound Mail Encryption
To prevent data leakage and ensure
compliance with financial, healthcare, and
other federally regulated agency information
policies, you can require all email sent from
any or all configured domains to be
encrypted by configuring outbound mail
encryption policies on the OUTBOUND
SETTINGS > Content Policies page at the
domain level.
How to Use DLP and Encryption of
Outbound Mail
Secured Message Transmission
Inbound and outbound email transmission
can also be required over a TLS channel.
Outbound Message Footer
You can configure Barracuda Email Security
Service to append a custom text and/or html
footer to each outbound message at the
global level on the OUTBOUND SETTINGS
> Tagline/Footer page.
Continue with Step 4 - Tune and Monitor the Default Spam and Virus Settings.
Once email is flowing through the Barracuda Email Security Service, use the MESSAGE LOG page to see which messages are being blocked or
quarantined and for what reasons based on the current Barracuda Email Security Service settings. Click on a message in the Message Log to
view message details including the action and reason if the message was blocked or quarantined. See The Message Log for more information.
Per-Domain Management
Configure specific settings, including spam and virus settings, policies for inbound and outbound mail, and quarantine settings for each domain
you add to the service by drilling down via the DOMAINS > Domain Manager page. Click the Manage link for the domain you want to configure
using the same feature configuration pages available at the global level for the domain. For example, you can turn off virus scanning for a domain
that is internal and already protected by an anti-virus solution or customize content and attachment filtering policies for each domain based on the
type of email you expect to be flowing to and from the domains.
Important
When you click the Manage link on the DOMAINS > Domain Manager page, the settings you change apply to that domain specifically
and override global settings for that domain.
Click the Return to account management link above the feature configuration pages to return to the global domain management.
Basic Spam and Virus Checking
By default, virus scanning is enabled in the Barracuda Email Security Service and the system checks for definition updates on a regular basis
(hourly by default). Virus scanning takes precedence over all other mail scanning techniques; email coming from exempt IP addresses, sender
domains, sender email addresses, or recipients is scanned for viruses and blocked if a virus is detected.
Advanced Threat Detection
In addition to basic virus scanning, you can select to subscribe to the Barracuda Advanced Threat Detection (ATD) service. ATD is a cloud-based
virus scanning service that applies to inbound messages, analyzing email attachments in a separate, secured cloud environment to detect new
threats and determine whether to block such messages. See Advanced Threat Detection Configuration.
Use the INBOUND SETTING > Anti-Spam/Antivirus page to enable or disable virus checking. If you enable Use Barracuda Real-Time System
on the INBOUND SETTINGS > Anti-Spam/Antivirus page, the Barracuda Email Security Service checks unrecognized spam and virus
fingerprints against the latest virus threats logged at Barracuda Central.
Use the INBOUND SETTINGS > Anti-Spam/Antivirus page to enable or disable spam filtering mechanisms and set scoring for spam categories.
See Advanced Inbound Email Filtering Policy to determine settings based on the needs of your organization. Once you change the settings, use
the DASHBOARD and MESSAGE LOG pages to monitor and tune your configuration.
23
View Email Statistics
The DASHBOARD page provides an email statistics overview for inbound and outbound mail traffic protected by the Barracuda Email Security
Service including:
A graph of the geographic origins of threats detected by the Barracuda Email Security Service
Email statistics of the number of inbound and outbound messages blocked, allowed, and quarantined for the selected time period, either
the Last 24 Hours or Last 30 Days
Top domains for which mail has been processed by the system
Top blocked domains, recipients, and senders for the selected time period
Click the Help (
) icon on the DASHBOARD page for more information.
Each time you log into the Barracuda Email Security Service, the DASHBOARD page displays. If you have added domains which are not yet
verified by the service, a warning message displays at the top of the page. Click on the link to complete the verification process for the domain.
How to Migrate Your MailFoundry Account
This article lists the steps needed to finish the migration of your mailfoundry email account to the Barracuda Email Security Service.
The following steps have already been completed for your account migration:
1. Barracuda has migrated configuration information from your mailfoundry account.
2. Barracuda has created an administrator account for your organization in the Barracuda Email Security Service. You will have a chance to
reset the password for this account.
You should have received an email from Barracuda outlining the high level steps. Follow the steps below to finish migrating your account to the
Barracuda Email Security Service.
Step 1. Log in as Administrator
This step ensures you have administrator level access to your account.
1. Click the link sent to you in an email from Barracuda. The subject of the email is Mailfoundry to Barracuda Email Security Service
migration. The login page displays:
2. Click Request Password. A new password is sent to the email address on file.
3. When you receive the email, click on the link in the email to reset the password.
4. Enter a new secure password. Remember that this is the password for your administrator account. For security, do not share this
password with anyone.
5. Once you are logged in with the new password, click Email Security in the left navigation bar. The Dashboard page displays and you
are logged into the Barracuda Email Security Service as administrator:
24
Step 2. Verify Domains and Configuration
1. Click the Domains tab. The Domains Manager page displays:
2. Confirm each of your domains is listed here.
3. Double check that the IP address of the Mail Server for each host is correct. If it is not correct for any domain, click Settings for that
domain to make modifications:
4. Verify the IP address for the mail server for the domain. Click Save Changes.
Connectivity from Barracuda Email Security Service to the mail server is verified in a separate step.
5. For each of the domains, click Manage, one domain at a time.
6. For each domain, verify all settings on the INBOUND SETTINGS pages are correct for each sub-tab: Anti-Spam/Antivirus, Custom
RBLs, Rate Control, IP Address Policies, Recipient Policies, Sender Policies, Sender Authentication, and Content Policies.
These pages are used for creating policies for inbound mail.
25
Step 3. Ensure Connectivity
1. If you have trouble routing email traffic through the service, make sure that your firewall allows traffic originating from the Barracuda Email
Security Service. To allow mail traffic from the service, open your firewall ports to allow the IP address range 64.235.144.0/20 such that
your LDAP and Microsoft Exchange servers can communicate with the Barracuda Email Security Service.
2. Additionally, open these ports in your corporate firewall to allow communication between the Barracuda Email Security Service and
remote servers:
Port
Direction
Used for
25
In/Out
SMTP
389
In/Out
LDAP
636
In/Out
LDAP
3. To ensure that the service can send traffic to the mail servers listed for each of your domains, go to the Domains Manager page:
4. Click Settings for the first domain in the list; the domain settings page for this domain displays:
5.
6. Click Test. The Mail Server Test page displays:
26
6.
7. Enter the username of a mailbox that you can readily test, and click Send. If the email is routed correctly, a Success message displays.
If the Success message does not display and the recipient does not receive the test email, double check the steps above. If a problem
persists, see the troubleshooting section below.
8. Verify that the Barracuda Email Security Service is able to reach your configured LDAP server. Go to DOMAINS > Domain Manager >
Settings, configure your LDAP host and click Test Settings. If you have problems connecting, open your firewall ports as described
below.
Troubleshooting
Verify that your firewall allows traffic originating from the Barracuda Email Security Service. To allow mail traffic from the service, open your
firewall ports to allow the IP address range 64.235.144.0/20 such that your LDAP and Microsoft Exchange servers can communicate with the
Barracuda Email Security Service.
Additionally, open these ports in your corporate firewall to allow communication between the Barracuda Email Security Service and remote
servers.
Port
Direction
Used for
25
In/Out
SMTP
389
In/Out
LDAP
636
In/Out
LDAP
Step 4. Route Email through the Barracuda Email Security Service
1. Go to the Settings page for this domain:
2. Make note of the two MX records listed under the section MX Records Configuration. They are listed as Primary and Backup.
3. Log in to your ISP or hosting provider and change the MX records to the records listed above.
4. Depending on your ISP settings, this change can take a few minutes to a few hours to complete. Once complete, email begins flowing
through the Barracuda Email Security Service.
5. Check the MESSAGE LOG page for incoming email. Your email is now being filtered by Barracuda Networks:
27
Once you are satisfied with the process of changing the MX records for one domain, you must repeat this process for each additional domain.
Important
Email Security Service that you either disable SPF checking in the service or add the Barracuda Email Security Service IP range
64.235.144.0/20 to your SPF exemptions. Otherwise, your SPF checker blocks mail from domains with an SPF record set to Block bec
ause mail is coming from a Barracuda Email Security Service IP address not in the sender's SPF record.
See Also
Overview and inbound policy configuration:
Overview
Advanced Inbound Email Filtering Policy
Outbound policy and encryption settings:
How to Use DLP and Encryption of Outbound Mail
Configure Outbound Filtering Policy
Advanced topics:
Advanced Configuration - Sender Authentication, SPF, Recipient Verification
Managing User Accounts
Reporting
Understanding Inbound and Outbound Message Flow
Inbound Mail Flow
Click to view Inbound mail flow...
28
29
Outbound Mail Flow
Click to view Outbound mail flow...
30
31
Advanced Inbound Email Filtering Policy
The Barracuda Email Security Service includes a rich set of inbound and outbound email filtering policy options including anti-spam, antivirus, rate
control, IP policies, sender reputation, and more. In addition, you can opt to subscribe to the Barracuda Advanced Threat Detection (ATD) service.
ATD is a cloud-based virus scanning service that applies to inbound messages, analyzing email attachments in a separate, secure cloud
environment to detect new threats and determine whether to block such messages.
In this Section
IP Analysis - Inbound
Barracuda Reputation and Email Categorization
Content Analysis - Inbound Mail
Anti-Fraud and Anti-Phishing Protection
Attachment Filtering - Inbound
Image Analysis - Inbound Mail
Intent Analysis - Inbound Mail
Bulk Email Detection
Rate Control Inbound
Understanding Advanced Threat Detection
Advanced Threat Detection Sample Email Notifications
IP Analysis - Inbound
Create Custom IP Policy
32
Once the true sender of an email message is identified, the reputation and intent of that sender should be determined before accepting the
message as valid, or "not spam". The best way to address both issues is to know the IP addresses of trusted email senders and forwarders and
define those as exempt from scanning by adding them to a list of known good senders.
Add exempt/trusted sender IP addresses and block those you know are not trusted on the INBOUND SETTINGS > IP Address Policies page.
Barracuda Networks does not recommend exempting domains because spammers may spoof domain names. When possible, it is
recommended to exempt by IP address only.
You can create a list of Trusted Forwarders by specifying one or more IP addresses of machines that you have set up to forward email to the
Barracuda Email Security Service from outside sources. The Barracuda Email Security Service exempts any IP address in this list from Rate
Control, SPF checks, and IP Reputation. In the Received headers, the Barracuda Email Security Service continues looking beyond a Trusted
Forwarder IP address until it encounters the first non-trusted IP address. At this point, Rate Control, SPF checks, and IP Reputation checks are
applied. Configure on the INBOUND SETTINGS > IP Address Policies page.
Barracuda Reputation and Email Categorization
Barracuda Reputation is a database maintained by Barracuda Central and includes a list of IP addresses of known good senders as well as
known spammers, or IP addresses with a "poor" reputation. This data is collected from spam traps and other systems throughout the Internet. The
sending history associated with the IP addresses of all sending mail servers is analyzed to determine the likelihood of legitimate messages
arriving from those addresses. Updates to Barracuda Reputation are made continuously by Barracuda Central engineering.
On the INBOUND SETTINGS > Anti-Spam/Antivirus page, it is strongly recommended that you select Use Barracuda Reputation BlockList
(BRBL).
Subscribe to External Blocklist Services
Use the INBOUND SETTINGS > Custom RBLs page to use various blocklist services. Several organizations maintain external blocklists such as
spamhaus.org. External blocklists, sometimes called DNSBLs or RBLs, are lists of IP addresses from which potential spam originates. In
conjunction with Barracuda Reputation, the Barracuda Email Security Service uses these lists to verify the authenticity of the messages you
receive.
Be aware that blocklists can generate false-positives (legitimate messages that are blocked). Messages blocked due to external blocklists or the
BRBL are the only blocked messages that are not sent to the user's Message Log.
Email Categorization
Email Categorization gives administrators more control over what they believe to be spam, even if those messages do not meet the technical
definition of spam. Most users do not realize that newsletters and other subscription-based emails, while they are considered to be bulk email, are
not technically unsolicited - which means that they cannot be blocked by default as spam. The senders of these emails may have a good
reputation, but the user may no longer want to receive, for example, a mass mailing from a club or vendor membership. The Email Categorization
feature assigns this type of email to categories that display on the INBOUND SETTINGS > Anti-Spam/Antivirus page, and the administrator can
then create block, quarantine, or allow policies by category. When set to Off, no categorization scanning is performed.
Supported categories:
Corporate Emails – Emails sent from Microsoft Exchange Server that involve general corporate communications. This does not include
marketing newsletters. The default action is Allow.
Transactional Emails – Emails related to order confirmation, bills, bank statements, invoices, monthly bills, UPS shipping notices,
surveys relating to services rendered, and/or where transactions took place. The default action is Allow.
Barracuda recommends setting the Transactional email category to Allow so that critical emails are not blocked or
quarantined.
Marketing Materials – Promotional emails and newsletters from companies such as Constant Contact. The default action is Allow.
Mailing Lists – Emails from mailing lists, newsgroups, and other subscription-based services such as Google and Yahoo! Groups. The
default action is Allow.
Social Media – Social media notifications from sites such as Facebook, LinkedIn, and Twitter. The default action is Allow.
Email Categorization supports the following actions, in the following order of precedence:
Allow – Deliver the message.
Block – Do not deliver the message.
33
Quarantine – Put the message in quarantine if there are no other checks for other categories that can result in actions of higher
precedence (Allow, Block).
Off – No action is taken. All other spam scanning and policy processing is performed on the message.
Messages that have been categorized appear in the Message Log with Email Categorization (category) as the Reason. The administrator can
then select one or more categorized emails and click Recategorize to change the category, as shown in Figure 1. This information is submitted
with the sender IP for Email Categorization. Optionally, you can assign a 'custom' category by selecting Other in the drop-down for a particular
email. See the Message Log help page for details.
Figure 1. Recategorizing the message from Corporate to Marketing Materials
Content Analysis - Inbound Mail
The Barracuda Email Security Service enables administrators to set custom content filters for inbound messages based on message content and
attachment file name or MIME type. See the INBOUND SETTINGS > Content Policies page for settings.
Custom Content Filters
Message content filtering can be based on any combination of subject, headers, body, attachments, sender or recipient filters, and you can
specify actions to take with messages based on pre-made patterns (regular expressions) in the subject line, headers, message body, sender or
recipient lines. See Regular Expressions for text patterns you can use for advanced filtering.
Note that HTML comments and tags imbedded between characters in the HTML source of a message are filtered out so that content filtering
applies to the actual words as they appear when viewed in a web browser.
For information about content filtering for outbound messages, see Content Analysis - Outbound Mail.
Anti-Fraud and Anti-Phishing Protection
Phishing scams are typically fraudulent email messages appearing to come from legitimate senders (e.g., a university, an Internet service
provider, a healthcare or financial institution). These messages typically contain URLs that, if the user clicks them, directs them to a spoofed
website or otherwise gets them to reveal private information such as logins, passwords or other sensitive data. This information is then used to
commit identity and/or monetary theft.
The following settings in the Barracuda Email Security Service can evaluate and rewrite fraudulent URLs so that if the user clicks them, they will
be safely redirected to a valid domain or to a Barracuda domain warning of the fraud. Configure on the INBOUND SETTINGS > Anti-Phishing pa
ge.
Barracuda Anti-Fraud Intelligence - This Barracuda Networks anti-phishing detection feature uses a special Bayesian database for
detecting Phishing scams.
Link Protection - When set to Yes, the Barracuda Link Protection Service automatically rewrites any URL in an email message to a safe
Barracuda URL, and then delivers the message. If the user then clicks on that URL, the service evaluates it for validity and reputation. If
the domain is determined to be valid, the user is then directed to that website. If the URL is suspicious, the user is directed to the
Barracuda Link Protection Service warning page, which displays Access Denied, a message about why the URL was blocked, and the
actual link.
34
Figure 1. Warning popup from the Barracuda Link Protection Service
In order to minimize false positives and page load delays, Barracuda continuously maintains a list of domains that are considered to be
safe. Because of this, some links detected in email messages by this feature are "wrapped", while others are not. For example,
Barracuda does not currently wrap "google.com", but will wrap "googlegroups.com" because it provides user-generated content.
Typosquatting Protection - Typosquatting is a common trick used by hackers to fool users into thinking they're visiting a valid domain
such as https://www.tripadivsor.com , but two letters ('v' and 'i') are switched in the domain name which leads the user to a different site
that may be 'spoofing' the domain they wanted. The Typosquatting Protection feature checks for common typos in the domain name of
the url and, if found, rewrites the url to the correct domain name so that the user visits the intended website. For example, if the URL
https://www.tripadivsor.com appears in an email message, the service detects the switched letters and rewrites the URL to be https://ww
w.tripadvisor.com, the valid domain. See Figure 1 above for the warning the user will see before being redirected to the correct website.
Note: Link Protection must be set to Yes before enabling Typosquatting Protection.
Link Protection is only applied to messages which have NOT been allowed, blocked or quarantined due to other policies such as IP
address policies, sender policies or managed user policies. URLs which are exempt are not rewritten. Barracuda typosquatting
works with tools such as Desvio to determine misspelled domain names. To protect your misspelled domains, contact providers such as
Desvio to add your misspelled domain name variations to their list.
See also Intent Analysis - Inbound Mail.
Link Protection FAQ
Q.With Link Protection enabled, are there messages for which URLs are not rewritten?
URLs contained within messages encrypted by the Barracuda Encryption Service will not be rewritten.
Q. How can you confirm if a URL has been rewritten?
Hover over the URL in the message. It will look like the following if it has been rewritten by the Barracuda Link Protection Service:
For example, the URL "http://www.codestore.net" would be rewritten to:
https://linkprotect.cudasvc.com/url?a=http://www.codestore.net&c=E,1,5bEVim247z1fGhtUhmYwbNu1H8iIZr4N
rgaCfUxKZdTyuUxW48gwPUfsoILDy-FCjYA5-2MCgtJlXy5N3PAFAD47XFHidB4K4cNJC7Z-FhFR1P96vPVq&typo=1
Q. What happens when a user clicks on a rewritten URL?
If the URL is considered bad: The user is re-directed to the Barracuda Link Protection Service warning page, which displays Access
Denied, a message about why the URL was rewritten, and the actual link.
35
If the URL is considered good: The user is re-directed to the website.
Q. Will all URLs in a message be rewritten?
URLs located in attachments are not rewritten.
Link Protection is only applied to messages which have NOT been allowed, blocked or quarantined due to other policies such as IP
address policies, sender policies or managed user policies.
URLs which are exempt are not rewritten.
Q. What if my brand has misspelled domain names? Will those URLs be rewritten?
Barracuda typosquatting works with tools such as Desvio to determine misspelled domain names. To protect your misspelled domains,
contact providers such as Desvio to add your misspelled domain name variations to their list.
Q. Is there a noticeable delay when a user clicks on a rewritten URL?
No. Rewritten URLs are checked real-time to ensure that the latest status determines it to be safe.
Q. Is Link Protection available for customers with a trial subscription?
Yes.
Q. How long will rewritten URLs continue to work?
Rewritten URLs will not expire. They will continue to function indefinitely.
If the redirection service is not available (i.e., Barracuda cannot verify the URL's reputation), the user is directed to the original link.
Q. Does Link Protection protect a URL that is safe at one-time but becomes compromised later?
Yes. Each time a URL is clicked the status of that URL is verified before the redirect is allowed.
Attachment Filtering - Inbound
For outbound attachment filtering, see Attachment Content Filtering - Outbound .
All messages, except those from exempt senders, go through attachment filtering. Use the INBOUND SETTINGS > Content Policies page to
specify actions to take on inbound messages if they contain attachments with certain file name patterns or MIME types.
You can select Archive Files Content with any filter to search the contents of attached archives. Use the Password Protected Archive
Filtering feature as follows:
When set to Scan, any email containing a password protected attachment is blocked.
When set to Ignore, your attachment filter policies are applied to any email containing a password protected attachment.
Messages that are blocked due to attachment filtering appear in the Message Log with the word Attachment for the Reason if you click Show
Details for the message. For example, if you create a filter to block messages with attachments whose file names match a pattern of word*, the
entry in the Message Log would contain:
Action:Blocked Reason:Attachment (word_2010_xml.tgz)
where word_2010_xml.tgz is the attachment file name that caused the message to be blocked.
Image Analysis - Inbound Mail
Image spam represents about one third of all traffic on the Internet. The Barracuda Email Security Service uses Image Analysis, which includes
investigating image dimensions in JPG/JPEG images, to protect against new image variants. In the Message Log, Image Analysis may
36
sometimes result in one of the following:
A message is deferred if determined to be suspicious, with a Reason of Suspicious
A message is blocked with a Reason of Image Analysis
Intent Analysis - Inbound Mail
All spam messages have an "intent" - to get a user to reply to an email, to visit a web site or to call a phone number. Intent analysis involves
researching email addresses, web links (URLs) and phone numbers embedded in email messages to determine whether they are associated with
legitimate entities. Phishing emails are examples of Intent.
Frequently, Intent Analysis is the defense layer that catches phishing attacks. The Barracuda Email Security Service applies the following forms of
Intent Analysis to inbound mail, including real-time and multi-level intent analysis.
Intent Analysis – Markers of intent, such as URLs, are extracted and compared against a database maintained by Barracuda Central.
Real-Time Intent Analysis – For new domain names that may come into use, Real-Time Intent Analysis involves performing DNS
lookups against known URL blocklists.
Multilevel intent analysis – Use of free websites to redirect to known spammer websites is a growing practice used by spammers to
hide or obfuscate their identity from mail scanning techniques such as Intent Analysis. Multilevel Intent Analysis involves inspecting the
results of Web queries to URLs of well-known free websites for redirections to known spammer sites.
Intent Analysis can be enabled or disabled on the INBOUND SETTINGS > Anti-Phishing page. Domains found in the body of email messages
can also be blocked based on or exempt from Intent Analysis on that page. See also Anti-Fraud and Anti-Phishing Protection.
Bulk Email Detection
Many users subscribe to websites and lists and later forget that they subscribed, or subscribed unknowingly. Email messages containing anything
that looks like an unsubscribe link or instruction may or may not be considered spam by the recipient. To provide users the opportunity to decide,
you can quarantine bulk email messages that contain unsubscribe links or instructions, or you can choose to block them all, thereby reducing the
load on your mail server. Configure Bulk Email Detection on the INBOUND SETTINGS > Anti-Spam/Antivirus page.
To allow all such emails that are not otherwise tagged as spam, set this feature to Off.
If this feature is set to Block or Quarantine, email messages/domains that are exempted by users or the administrator override this
setting and are allowed.
Rate Control Inbound
The Barracuda Email Security Service Rate Control feature protects your organization from spammers or spam-programs (also known as
"spam-bots") that send large amounts of email to the server in a small amount of time. Rate Control for inbound mail is configured on the INBOUN
D SETTINGS > Rate Control page. Rate control for outbound mail is configured automatically by the Barracuda Email Security Service.
The Rate Control mechanism counts the number recipients for a domain from a sender (a single IP address) over a half-hour timeframe and
compares that number to the Maximum Recipients per Sender IP Address/ 30 minutes threshold you set on the page. If the number of
inbound recipients for a domain from a sender (a single IP address) exceeds this threshold within a half hour period, the Barracuda Email Security
Service defers any further connection attempts from that particular IP address until the next half hour time frame and logs each attempt as deferre
d in the Message Log with a Reason of Rate Control.
Exemptions from Rate Control
You can exempt trusted IP addresses from Rate Control by adding a trusted IP address to the Rate Control Exemption list. Organizations that
relay email through known servers or communicate frequently with known partners can and should add the IP addresses of those trusted relays
and good mail servers to this list.
37
Understanding Advanced Threat Detection
The Barracuda Email Security Service provides access to the subscription-based Advanced Threat Detection (ATD) service. This service
analyzes inbound email attachments in a separate, secured cloud environment, detecting new threats and determining whether to block such
messages. ATD offers protection against advanced malware, zero-day exploits, and targeted attacks not detected by the Barracuda Email
Security Service virus scanning features. Enable ATD on the INBOUND SETTINGS > ATD page.
When ATD determines an attachment contains a threat and blocks the message, review the ATD Report before determining whether to
deliver the message. See Advanced Threat Detection Reports and Understanding Advanced Threat Detection Reports for more
information.
Advanced Threat Detection Options
Configure policies on the INBOUND SETTINGS > Content Policies page, and specify how and when attachments are scanned on the INBOUN
D Settings > ATD page:
Deliver First, Then Scan – When selected, the ATD service attempts to scan the mail in real time. If the ATD scan completes in real
time and a virus is detected, the message is blocked and is not delivered. If the ATD scan does not complete in real time, the message is
delivered; if the ATD service determines the attachment to be suspicious or virus-infected upon completion, the recipient is notified, and
if Notify Admin is set to Yes, an email alert is sent to the specified admin address.
This option does not delay email processing, however, the email recipient can potentially open an infected attachment.
Scan First, Then Deliver – When selected, the ATD service scans messages with attachments before delivery. If a virus is detected in
an attachment, the message is blocked, otherwise, the message is delivered to the recipient.
This option provides more security and prevents the email recipient from opening infected attachments. Note that messages
with attachments may be temporarily deferred while queued for scanning. These messages appear in the Message log and Pe
nding Scan displays in the Reason column. The mail server retries until the scan is complete and no virus is detected in the
attachment, at which point the message is delivered.
No – When selected, ATD is disabled.
Advanced Threat Detection Exemptions
When ATD is set to either Deliver First, then Scan or Scan First, then Deliver, you can exempt sender email addresses, sender domains,
recipient email addresses, recipient domains, or sender IP addresses from ATD scanning in the ATD Exemptions section on the INBOUND
SETTINGS > Advanced Threat Detection page.
Attachments from exempted entries are not sent to the ATD cloud. Note that these exemptions apply to ATD scanning only and do not
apply to Barracuda Email Security Service virus scanning.
Scanned File Types
Table 1 lists the file types scanned by the ATD service.
Table 1. Scanned File Types.
MIME Type
File Extension
application/pdf
.pdf
application/msword
.doc
application/vnd.ms-powerpoint
.ppt
application/vnd.ms-excel
.xls
38
application/x-msaccess
.mdb
application/vnd.openxmlformats-officedocument.presentationml.pres
entation
.pptx
application/x-dosexec
.exe
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
.xlsx
application/vnd.microsoft.portable-executable
.exe
application/x-executable
.exe
application/vnd.ms-cab-compressed
.cab
text/x-msdos-batch
.bat
application/rtf
.rtf
application/vnd.android.package-archive
.apk
application/zip
.zip
application/x-tar
.tar
application/java-archive
.jar
application/javascript
.js
application/vnd.openxmlformats-officedocument.wordprocessingml.d
ocument
.docx
Administrator Notification
When Deliver First, Then Scan is selected, select Yes for Notify Admin to notify the administrator when a virus is detected by the ATD service
in a scanned attachment. The email notification includes the sender, recipient, attachment type, and detected virus. Enter the admin email
address in the ATD Notification Email field address. Infected attachments are listed in the ATD Log.
ATD Exemptions
When ATD is set to either Deliver First, then Scan or Scan First, then Deliver, you can exempt sender email addresses, sender domains,
recipient email addresses, recipient domains, or sender IP addresses from ATD scanning. Attachments from exempted entries are not sent to the
ATD cloud. Note that these exemptions apply to ATD scanning only and do not apply to Barracuda Email Security Service virus scanning.
Message Log
Messages blocked or deferred by the ATD service are listed in the Message Log with the following codes listed in the Reason column:
Advanced Threat Detection – Message is blocked by the ATD service due to an infected attachment.
Pending Scan (Scan First, Then Deliver enabled) – Message is deferred while the attachment is scanned. The mail server retries until
the scan is complete. Once complete, if no virus is detected, the message is delivered.
ATD Service Unavailable – Message is deferred because the ATD service is temporarily unavailable. The message is retried and, when
the scan is complete and if no virus is detected, the message is delivered.
View ATD Statistics
The DASHBOARD page displays statistics of scanned attachments determined to be infected by the ATD service.
Advanced Threat Detection Sample Email Notifications
When the Advanced Threat Detection (ATD) Service detects a virus or suspicious attachment in an email message, the recipient may receive an
email notification per the conditions described below. Email notifications are dependent on the selections made on the INBOUND SETTINGS >
ATD page:
Enable Advanced Threat Detection – When set to Deliver First, then Scan on, the message, including attachments, is first delivered
to the recipient and then scanned by the ATD service.
39
Enable Advanced Threat Detection – When set to Scan First, Then Deliver, an email notification may be sent to the email recipient
depending on the following:
If ATD detects a virus or suspicious attachment upon initial scan, the message is blocked and no email notification is sent to the
recipient. However, if the message is deferred for additional scanning, an email notification is automatically sent to the email
recipient warning them of the threat.
Notify Admin – When set to Yes, an email notification is automatically sent to the email entered in the ATD Notification Email field
when ATD detects a virus or suspicious attachment.
Example 1. Recipient Email Notification.
In this example, ATD detected a virus, and notifies [email protected] that a virus was detected in an attachment from sender@org
anization1.com:
Example 2. Admin Email Notification.
In this example, Advanced Threat Detection is set to Deliver First, then Scan, and Notify Admin is set to Yes. ATD detected a virus after
delivering the email. The admin at [email protected] is sent an email notification that a virus was detected in an attachment
from [email protected] sent to [email protected]:
40
The Message Log
The Message Log is a window into how the current spam, virus, and policy settings are filtering email coming through the Barracuda Email
Security Service. Use the information in the log to help tune your inbound and outbound policy settings.
Sorting messages using the Advanced Search feature to quickly view email by allowed, deferred, quarantined, encrypted (outbound), or blocked
messages by domain, sender, recipient, time range (last 2- 30 days), envelope to, envelope from, reason, action taken (see Message Actions),
date or subject. The Message Log reflects all email traffic through the Barracuda Email Security Service at the global level. If you click on a
verified domain on the DOMAINS > Domain Manager page, a tab for the Message Log for that domain displays.
All messages going through the Barracuda Email Security Service are subject to a size limit of 300MB. This includes headers, body,
and any attached content.
Filter the Message Log
When viewing the global Message Log, you can choose to view only Inbound or only Outbound mail using the Message Log Filter. You can
filter on All, Allowed, Not Allowed, Blocked, Deferred, or Quarantined messages. For details on each of these actions, see Message Actions.
Note that if you have configured more than 10 domains, you cannot search on All Domains at one time; rather, you must select one
domain at a time to search. For more information on filtering at the global level, click the Help button on the MESSAGE LOG page.
41
The User Message Log is less comprehensive than the global, administrator's Message Log. For example, users cannot see outbound mail in
their Message Log. For more information about viewing and filtering messages, click Help on the MESSAGE LOG page at the global level or after
logging into a User account.
Spam or Not Spam
Occasionally the Barracuda Email Security Service may incorrectly identify a piece of mail as Spam (false positive) or Not Spam relative to the
policies you have set. You can tune the Advanced Spam Detection Scoring levels on the INBOUND SETTINGS > Anti-spam Antivirus page
by selecting Custom and adjusting the score for each category based on what type of mail you consider to be spam.
Use the Spam and Not Spam options on the Message Log page (both at the global level and the user account level) to mark a message as such.
Those messages are then sent to Barracuda Central for analysis.
Deliver Messages to Recipient
You can click Deliver for one or more selected messages in the Message Log if you decide the message is valid. If the message is successfully
delivered, the Delivery Status changes to Delivered. If the mail cannot be delivered, this is reflected as a notice in your browser window and the
Delivery Status does not change.
If the Reason field for a blocked message displays as Advanced Threat Detection, you cannot immediately deliver the message. See
Advanced Threat Detection Reports for details.
If delivered messages are not making it to the recipient's mailbox, it may be due to a filter on your mail server or a service on your network
catching the mail as spam. Check your local trash/spam folder to locate the mail.
User's Message Log
Individual users have an additional option to remove selected messages from their personal message log. The user can select one or
more messages, and click Delete.
Message Details
Click on a message in the table, and click Show Details in the message header to view additional information including IP address, recipients,
action, reason, and delivery status. The administrator (or user, when viewing their own account) can then elect to View the entire message and
take actions on the message.
With the Barracuda Email Security Service version 2.3.1 and higher, if your Message Log shows an email message with a subject of Me
ssage has no content, this is due to a failed connection. The Barracuda Email Security Service now logs all failed connections. The
record for a failed connection shows the from/to data, but the log entry does not have any header or body content. As a consequence,
mail that is malformed or is addressed to an invalid recipient displays in the logs with the Message has no content in the Subject line.
Message Actions
The following table describes the actions the Barracuda Email Security Service takes with messages on the MESSAGE LOG > Message Log pa
ge.
Table 1. Message Actions.
Action
Description
Notes
Account Suspended
If your Barracuda Email Security Service
subscription expired more than 60 days ago,
your account is marked as Suspended, and
email are no longer scanned for spam.
Email is still scanned for viruses.
42
Advanced Threat Detection
Message blocked by the Advanced Threat
Detection (ATD) cloud-based virus scanning
service.
ATD is an advanced virus scanning service
which, when enabled on the INBOUND
SETTINGS > ATD page, provides additional
scanning for the attachment file types you
specify.
See also:
Understanding Advanced Threat
Detection Reports
Advanced Threat Detection Reports
Anti-Fraud
Barracuda Anti-Fraud Intelligence detected a
potential phishing scheme, which could be
used to gather confidential information about
an organization or its individual users.
Antivirus
The message had a virus attached.
ATD Service Unavailable
Message was deferred by the ATD service
because the ATD scanning service was
temporarily unavailable.
Attachment Content
Content in a message attachment matched a
Message Content Filter rule specified on
the INBOUND SETTINGS > Content
Policies page.
Attachment Filter
Content in a message attachment matched
an attachment filter defined on either the INB
OUND SETTINGS > Content Policies or the
OUTBOUND SETTINGS > Content Policies
page.
AV Service Unavailable
The Scan Email for Viruses setting on the I
NBOUND SETTINGS >
Anti-Spam/Antivirus page is set to Yes, but
the virus scanning service was temporarily
unavailable when the message came
through.
The message is deferred and retried when
the virus scanning service is available.
BRTS
Barracuda Real-Time System (BRTS)
detected a zero-hour spam or virus.
This advanced service detects spam or virus
outbreaks even where traditional heuristics
and signatures to detect such messages do
not yet exist.
Barracuda Reputation
Message was sent from a particular IP
address on the Barracuda Reputation Block
List (BRBL).
A list maintained by Barracuda Central that
includes IP addresses of known spammers.
Body Content
Message body content matched a Message
Content Filter rule specified on the INBOUN
D SETTINGS > Content Policies page.
Bulk Email
The Bulk Email Detection setting on the IN
BOUND SETTINGS > Anti-Spam/Antivirus
page is set to Yes, and the message
qualifies as Bulk.
43
The message is retried and, when the scan
is complete, delivered.
Cloudscan Service Unavailable
The Enable Cloudscan setting on the INBO
UND SETTINGS > Anti-Spam/Antivirus pa
ge is set to Yes, but the Cloudscan spam
scoring service was temporarily unavailable
when the message came through.
The message is deferred and is retried when
the Cloudscan service is available.
Content Protected
The message has a password-protected
archive attachment.
See settings for Attachment Filter on the IN
BOUND SETTINGS > Content Policies and
OUTBOUND SETTINGS > Content Policies
pages.
Content URL
The message contained one or more URLs
listed in the Intent Domains section on the I
NBOUND SETTINGS > Content Policies pa
ge.
DKIM
The DomainKeys Identified Mail (DKIM) se
tting on the INBOUND SETTINGS > Sender
Authorization page is set to Quarantine or
Block and the message is from a domain
that fails DKIM verification.
Per settings on the INBOUND SETTINGS >
Anti-spam/Antivirus page, email from this
sender is categorized as not necessarily
spam, but rather something that the user
may have subscribed to at one time and may
no longer wish to receive. For example,
newsletters and memberships, or marketing
information. Categories supported appear in
the Message Log Reason as:
Email Categorization (corporate)
Emails sent by a user at an
authenticated organization from an MS
Exchange Server that involves general
corporate communications. Does not
include marketing newsletters
Email Categorization (transactional)
Emails related to order confirmations,
bills, invoices, bank statements,
delivery/shipping notices, and
service-related surveys
Email Categorization (marketing)
Promotional emails from companies
such as Constant Contact.
Email Categorization (mailing lists)
Emails from mailing lists, newsgroups,
and other subscription-based services
such as Google and Yahoo! Groups.
Email Categorization (social media)
Notifications and other emails from
social media sites such as Facebook
and LinkedIn.
From Address
A sender or content rule for From Address
was encountered.
Header Content
Content in the message header matched a
Message Content Filter rule specified on the
INBOUND SETTINGS > Content Policies p
age.
44
Email Categorization assigns some of these
emails to specific categories which the admin
can set to allow, block, or quarantine on the I
NBOUND SETTINGS >
Anti-spam/Antivirus page.
IP Address Policies
The sending IP address is listed as Blocked
or Exempt on the INBOUND Settings > IP
Address Policies page.
Image Analysis
Image Analysis identified this message as a
bulk/spam message.
Intent Analysis
Intention Analysis identified this message as
a bulk/spam message.
Invalid Recipient
The To address does not exist on the mail
server.
Malformed
The message did not conform to the SMTP
protocol; for example, the Sender, From, Da
te, or other required fields may be empty.
Message Too Large
The message exceeded the maximum
message size allowed by the destination mail
server, which rejected the message.
No PTR Record
Action was taken because:
(1) The Block on No PTR Records setting
on the INBOUND SETTINGS > Sender
Authentication page was set to Yes, and
Because of (1), the Barracuda Email Security
Service queried DNS for the SPF record of
the sending domain, and no PTR record was
found.
Pending Scan
When ATD is enabled with the Scan First,
Then Deliver option, the message is
deferred because attachment scanning is
pending.
Possible Mail Loop
IP address for the destination mail server is
not correctly configured in the Barracuda
Email Security Service, and may instead
contain the IP address for the Barracuda
Email Security Service, causing a mail loop.
Predefined Attachment Content
An attachment contained content that
matched a Predefined filter based on data
leakage patterns (specific to United States).
See the OUTBOUND SETTINGS > Content
Policies page.
Predefined Body Content
The message body contained content that
matched a predefined filter based on data
Policies page.
Predefined Filter Exceptions
The message body contained content that
matched a predefined filter exception to
HIPAA or Privacy content filters.
Policies page.
Predefined From Address
The message From address contained
content that matched a predefined filter
based on data leakage patterns (specific to
United States).
Policies page.
Predefined Header Content
The message header contained content that
Policies page.
45
The Barracuda Email Security Service allows
messages of up to 300 MB.
The mail server retries later to check if the
scan is complete and, if it is, delivers the
message.
Predefined Subject Content
The message subject contained content that
Policies page.
Predefined To/CC Address
The message To/CC address contained
content that matched a predefined filter
based on data leakage patterns (specific to
United States).
Policies page.
Rate Control
Sender IP address exceeded maximum
number of allowed connections in a half-hour
period.
The message is deferred unless the client
continues to make connections.
Realtime Blocklist
IP Reputation Analysis determined that the
sending IP address is listed on a real-time
blocklist (RBL) or DNS blocklist (DNSBL).
Recipient
Action was taken because of a rule for the T
o address.
Score
The message score exceeded the Cloudsca
n Scoring setting on the INBOUND
SETTINGS > Anti-Spam/Antivirus page.
Sender Policies
Action was taken because settings
configured on the INBOUND SETTINGS >
Sender Policies page.
Sender Policy Framework
The Sender IP address is not listed as an
allowed sender for the specified domain
using the SPF protocol.
Subject Content
Content in the subject line matched a
Message Content Filter rule specified on the
INBOUND SETTINGS > Content Policies p
age.
Suspicious
Message deferred or blocked due to
multi-level intent checks or Barracuda
Anti-Fraud Intelligence checks, as configured
on the INBOUND SETTINGS >
Anti-spam/Antivirus page.
System Sender Policies
The sender has been blocked per policy set
by Barracuda Networks; this action prevents
the Barracuda Email Security Service IP
address from being blacklisted. Contact your
email administrator if you have questions.
46
A subject line of Message Has No Content i
ndicates an incomplete SMTP transaction
due to a failed connection. The log entry
shows the from/to data, but has no header or
body content. This mail includes messages
that are malformed or are addressed to
invalid recipients.
Applies to outbound mail.
TLS Required
If the message is:
Inbound
On the DOMAINS > Settings page, the
SMTP over TLS option is set to Yes,
meaning that inbound messages must
be sent over a TLS connection. If,
however, the mail server does not
support TLS connections, the inbound
message is blocked with a reason of TL
S Required.
Outbound
On the OUTBOUND SETTINGS >
DLP/Encryption page, the recipient
domain is listed, requiring all outbound
messages to that domain to be
transmitted across a TLS connection. If
a TLS connection cannot be
established, then the mail is not
delivered and is blocked, with a reason
of TLS required.
To/CC Address
Action was taken because of a recipient or
content rule for To/CC Address.
UI Delivered
For emails blocked or quarantined in the
Message Log, the admin can manually
deliver those messages. Once the message
is delivered, the reason code for that
message displays as Allowed with a reason
of UI Delivered.
When searching for messages in the Message Log, you can use the filters listed in Table 2.
Table 2. Search Filters.
Filter
Description
Inbound Mail
Allowed
Search for delivered messages.
Not Allowed
Search for undelivered messages. To further refine your search,
select Blocked, Deferred, or Quarantined.
Blocked
Search for blocked messages. Messages are blocked due to a policy
specified on the INBOUND SETTINGS and OUTBOUND SETTINGS
pages.
47
Search for deferred messages. Indicates that the Barracuda Email
Security Service returned a 4xx response to the sending mail server.
There are several reasons for deferring messages:
Deferred
The destination mail server was offline. For inbound email, if
Spooling is enabled, then the messages would be spooled and n
ot deferred, until the server is reachable. See Email Spooling bel
ow for more information.
The recipient was not valid.
The destination mail server returned a 4xx response (try later).
Rate control. See Rate Control Inbound for how rate control is
applied to inbound email.
The administrator can decide to defer messages per policy
regarding Content Intent on the INBOUND SETTINGS >
Anti-Spam/Antivirus page. When a message is deferred due to
intent, if the sender retries the message, it is allowed and
delivered to the recipient.
Search for quarantined messages. Messages are quarantined due to
policies specified on the INBOUND SETTINGS and OUTBOUND
SETTINGS pages.
Quarantined
Outbound Mail
Allowed
Search for delivered messages.
Not Allowed
Search for undelivered messages. To further refine your search,
select Blocked, Deferred, or Quarantined.
Blocked
Search for blocked messages. Messages are blocked due to policies
specified on the INBOUND SETTINGS and OUTBOUND SETTINGS
pages.
Deferred
Search for deferred messages. Indicates that the Barracuda Email
Security Service returned a 4xx response to the sending mail server.
There are several reasons for deferring messages:
The destination mail server was offline.
The recipient was not valid.
The destination mail server returned a 4xx response (try later).
Rate control. See Rate Control Inbound for how rate control is
applied to outbound email.
The administrator can decide to defer messages per policy
regarding Content Intent on the INBOUND SETTINGS >
Anti-Spam/Antivirus page. When a message is deferred due to
intent, if the sender retries the message, it is allowed and
delivered to the recipient.
Quarantined
Search for quarantined messages. Messages are quarantined due to
policies specified on the INBOUND SETTINGS and OUTBOUND
SETTINGS pages.
Encrypted
Search for encrypted messages. The Barracuda Email Encryption
Service encrypts messages due to policy as specified in the INBOUN
D SETTINGS and OUTBOUND SETTINGS pages. The Barracuda
Email Security Service sends the message recipient(s) a notification
email directing them to visit the Barracuda Message Center to
retrieve the encrypted message.
Rejected
Search for rejected messages.
Email Spooling
48
You can enable Spooling if you want the Barracuda Email Security Service to retain all of your email for up to 96 hours if your mail server goes
down. Select On to enable or Off to disable. If Spooling is Off and the service cannot connect to your mail server, the mail is deferred and the Del
ivery Status in the Message Log displays as Not Delivered. The sending mail server, depending on its configuration, has the option of retrying
the message or notifying the sender that the mail was deferred or failed.
–
Advanced Threat Detection Reports
The Advanced Threat Detection (ATD) service analyzes inbound email attachments in a separate, secured cloud environment, detecting new
threats and determining whether to block such messages.
When ATD determines an attachment contains a threat and blocks the message, Barracuda highly recommends that you review each
infected ATD Report before determining whether to deliver the message. For more information, see Understanding Advanced Threat
Detection Reports.
Determine Whether to Deliver Message
1.
2.
3.
4.
5.
6.
7.
8.
9.
Log in to Barracuda Email Security Service as the administrator, and go to MESSAGE LOG > Message Log.
Set message filters and search criteria as needed, and click Search.
Messages blocked by ATD display as Not Delivered.
Click on the message, and in the reading pane, click ATD Reports.
The Email Delivery Warning dialog box displays a list of attachments, one or more of which is suspected of being Infected. If you want
to deliver the email and the associated attachments, first review the report for each attachment.
Click View Report for the suspicious attachment, and review the report details.
Repeat step 6 for each attachment.
Once you review all attachments, and if you determine you want to deliver the email and the associated attachments, review and accept
the disclaimer, and click Deliver in the Email Delivery Warning dialog box.
If the message is delivered successfully, the Delivery Status changes to Delivered. If the mail cannot be delivered, this is reflected as a
notice in your browser window and the Delivery Status does not change.
Understanding Advanced Threat Detection Reports
The Advanced Threat Detection (ATD) service scans files for malware, zero-day exploits, and targeted attacks not detected by the Barracuda
Email Security Service virus scanning features or intrusion prevention system. ATD analyzes files in a separate, secured cloud environment, and
once scanning is complete, determines the risk level for each scan (determination), and then assigns a verdict.
ATD Classifications
Malicious – File classified as high risk. File is highly likely to be malware.
Suspicious – File classified as medium risk. File may pose a potential risk.
Clean – File classified as low risk. No malicious indicators were detected.
49
Exercise caution even with files marked CLEAN as malware authors are continually finding new ways to evade detection.
Terminology
Determination versus Verdict – When a scan is complete and the risk potential is classified, that scan displays a Determination. For
example, if the file is determined to have medium risk, the determination is Suspicious, After all scans are complete, a Verdict displays
based on the determination of all scans.
Reclassified – If a scan determination is Malicious or Suspicious, but the file is reviewed by the Barracuda Analyst Team and
determined to be Clean, the Verdict displays as Clean and Reclassified by Analyst displays.
ATD Report Sections
The ATD report is divided into the following sections:
Scan Description
This section provides a short description of the ATD report and how the scan verdict is reached.
Overall Determination
This section displays the scan verdict and reason for this file. The verdict is based on the outcome, or determination, of each scan.
File Metadata
This section lists file-specific details including file extension, file size, meta-data, and when the file was first submitted.
Threat Analysis
This section lists the outcome of each scan:
Enhanced Antivirus detection scans the file through a comprehensive system of traditional antivirus signatures.
Behavioral Heuristics analyzes through a heuristics engine utilizing behavioral indicators.
Sandboxing executes the file in an isolated environment where its behavior is analyzed and assigned a risk level.
Configure Outbound Filtering Policy
By scanning all outbound messages, you can ensure that all email leaving your organization is legitimate, virus free and does not leak private or
sensitive information from inside the organization.
In this section:
Content Analysis - Outbound Mail
Abuse Monitoring and Notifications
Outbound Quarantine
Outbound Filtering Policies Applied by the Barracuda Email Security Service
Outbound Filtering Policy Settings
Outbound filtering options are configured on the OUTBOUND SETTINGS pages of the Barracuda Email Security Service and are different from
those for inbound filtering, including:
Optional encryption for secure message transmission.
Data Leak Prevention (DLP) filtering using pre-defined patterns such as credit card number, social security number, driver's license or
HIPAA medical terms, to block, quarantine or encrypt outbound messages. Exceptions to DLP block/quarantine policy can be created for
emails containing phone numbers and/or street addresses. See the OUTBOUND SETTINGS > Content Policies page for details.
Outbound Quarantine and quarantine notifications, enabling administrators to deliver, reject, delete or export outbound messages from
senders within the organization.
50
See also Outbound Filtering Policies Applied by the Barracuda Email Security Service.
For health care providers, governmental agencies and other entities who need to protect private, sensitive and valuable information
communicated via email, the Barracuda Email Security Service provides Data Leak Prevention (DLP) features using email encryption. DLP
enables your organization to satisfy email compliance filtering for corporate policies and government regulations such as HIPAA and
Sarbanes-Oxley (SOX). Advanced content scanning is applied for keywords inside commonly used text attachments, as well as email encryption.
You can configure email encryption policies per domain.
Using Encryption for Outbound Mail
Encryption is performed by the Barracuda Email Encryption Service, which also provides a web interface, the Barracuda Message Center, for
recipients to retrieve encrypted messages.
Figure 1: Mail Flow for Encrypted messages sent through the Barracuda Email Security Service.
Encryption Privacy
When the Barracuda Email Encryption Service encrypts the contents of a message, the message body will not be displayed in the Mes
sage Log. Only the sender of the encrypted message(s) and the recipient can view the body of an encrypted message. For more
information about privacy, please see the Barracuda Networks Privacy Policy.
How to Secure Transmission of Sensitive Messages
TLS provides secure transmission of email content, both inbound and outbound, over an encrypted channel using the Secure Sockets Layer
(SSL) - also known as TLS. For DLP, you should require mail to be sent outbound from the Barracuda Email Security Service over a TLS
connection. To do so, enable Force TLS for each domain on the OUTBOUND SETTINGS > DLP/Encryption page. Mail sent to these domains
must be transmitted across a TLS connection. If a TLS connection can not be established, then the mail will not be delivered. See also Secured
Message Transmission.
How to Create Policies For When to Encrypt Messages
Use the OUTBOUND SETTINGS > Content Policies page to create policies for encryption of outbound message in one or both sections:
Message Content Filters: You can select the Encrypt action for outbound email based on characteristics of the message's subject,
header or body. You can specify simple words or phrases, or use Regular Expressions. Note: Content filtering is case sensitive.
Predefined Filters: You can select the Encrypt action for outbound email messages that contain matches to pre-made patterns in the
subject line, message body or attachment. Use the following pre-defined data leakage patterns (specific to U.S. - see Note below) to
meet HIPAA and other email security regulations:
Credit Cards - Messages sent through the Barracuda Email Security Service containing recognizable Master Card,
Visa, American Express, Diners Club or Discover card numbers will be subject to the action you choose.
Social Security - Messages sent with valid social security numbers will be subject to the action you choose. U.S. Social
Security Numbers (SSN) must be entered in the format nnn-nn-nnnn.
Privacy - Messages will be subject to the action you choose if they contain two or more of the following data types,
using common U.S. data patterns only: credit cards (including Japanese Credit Bureau), expiration date, date of birth,
Social Security number, driver's license number, street address, or phone number. Phone numbers must be entered in
the format nnn-nnn-nnnn or (nnn)nnn-nnnn or nnn.nnn.nnnn .
HIPAA - Messages will be subject to the action you choose if they contain TWO of the types of items as described in
51
Privacy above and ONE medical term, or ONE Privacy item, ONE Address and ONE medical term. A street address can
take the place of Privacy patterns. So, for example, a U.S. Social Security Number (SSN), an address, and one medical
term is enough to trigger the HIPAA filter.
The format of this data varies depending on the country, and these filters are more commonly used in the U.S.; they do not
apply to other locales. Because of the millions of ways that any of the above information can be formatted, a determined person will
likely be able to find a way to defeat the patterns used. These filter options are no match for educating employees about what is and is
not permissible to transmit via unencrypted email.
See the OUTBOUND SETTINGS > Content Policies page of the Barracuda Email Security Service web interface for more details in the online H
elp.
How to Send and Receive Encrypted Messages
The Barracuda Message Center is a web-based email client for receiving and managing encrypted email sent by the Barracuda Email Security
Service. The email client looks and behaves much like any web-based email program (see Figure 2). For a user's guide, please see Barracuda
Message Center User's Guide. The workflow for sending and receiving encrypted messages is as follows:
1. Outbound messages that meet the filtering criteria and policies configured as described above are encrypted and appear in the Message
Log, but the message body does not appear in the log for security purposes.
2. The Barracuda Message Center sends a notification to the recipient of the email message that includes a link the recipient can click to
view and retrieve the message from the Barracuda Message Center.
3. The first time the recipient clicks this link, the Barracuda Message Center will prompt for creation of a password. Thereafter the recipient
can re-use that password to pick up subsequent encrypted messages.
4. The recipient logs into the Barracuda Message Center and is presented with a list of email messages, much like any web-based email
program. All encrypted messages received will appear in this list for a finite retention period or until deleted by the recipient.
Figure 2: Barracuda Message Center web interface
When the recipient replies to the encrypted email message, the response will also be encrypted and the sender will receive a notification that
includes a link to view and retrieve the message from the Barracuda Message Center.
Medical Dictionary Source for DLP HIPAA Compliance
The DLP/HIPAA compliance engine is powered by the UMLS Metathesaurus, version 2013AA, created by the U.S. National Library of Medicine,
National Institutes of Health. Within the UMLS Metathesaurus, it uses medical vocabulary from:
COSTAR, by Massachusetts General Hospital, Harvard Medical School
DXplain, by Massachusetts General Hospital, Harvard Medical School
FMA*, by Structural Informatics Group, University of Washington
HCPCS, by Centers for Medicare and Medicaid Services
ICD-9-CM, by U.S. Department of Health and Human Services
MTHICD0, by U.S. National Library of Medicine, National Institutes of Health
NCI Thesaurus, by National Cancer Institute, National Institutes of Health
52
VANDF, by U.S. Department of Veteran's Affairs
The compliance engine uses only portions of each of the above vocabularies. It also uses vocabulary which is not a part of the UMLS
Metathesaurus, developed by the Barracuda Networks research team.
Some material in the UMLS Metathesaurus is from copyrighted sources of the respective copyright holders. Users of the UMLS Metathesaurus
are solely responsible for compliance with any copyright, patent or trademark restrictions and are referred to the copyright, patent or trademark
notices appearing in the original sources, all of which are hereby incorporated by reference.
*FMA is the intellectual property of the University of Washington and was developed at the University of Washington by the Structural Informatics
Group.
Content Analysis - Outbound Mail
See Regular Expressions for advanced filtering text patterns. HTML comments and tags in message HTML source are filtered out so
that content filtering applies to the actual words as they appear when viewed in a web browser.
See Outbound Quarantine for more information on messages can then be viewed, delivered, rejected, deleted, or exported from the OU
TBOUND QUARANTINE page.
Custom Content Filters
Custom content filtering can be based on any combination of subject, headers, body, attachments, sender, or recipient and can be applied to
outbound mail just as it can be to inbound mail. See the OUTBOUND SETTINGS > Content Policies page for settings. Filter actions for
outbound mail include Block, Allow, Quarantine, and Encrypt.
Messages that meet the Quarantine criteria are sent to the outbound quarantine for the administrator to evaluate. Messages can then be viewed,
delivered, rejected, deleted, or exported from the OUTBOUND QUARANTINE page.
Attachment Content Filtering
All outbound messages, including those from exempt senders, go through attachment filtering. You can allow, block, quarantine, or encrypt
outbound messages that contain attachments which include text matching the patterns you enter here. Attachment Content Filtering is limited to
text files. See the OUTBOUND SETTINGS > Content Policies page for settings.
Image Analysis
Image Analysis techniques protect against new image variants. Image Analysis is automatically configured in the Barracuda Email Security
Service.
Abuse Monitoring and Notifications
Outbound email traffic is automatically monitored for Rate Control by the Barracuda Email Security Service. If the volume of outbound mail
messages from the service exceeds normal levels during a 30 minute time frame, the Rate Control feature will take effect and outbound mail will
be deferred until the end of the 30 minute time frame. IP addresses of senders of outbound mail who consistently trigger Rate Control will be
logged on the OUTBOUND SETTINGS > Abuse Monitor page in the IP Addresses With Recent Abuse table (see below).
What Triggers Abuse Notifications
An abuse notification email may be sent to the administrator of your Barracuda Email Security Service for various reasons. These include but are
not limited to:
Sending mail to more recipients per 30 minute period then allowed by the Barracuda Email Security Service.
Sending out mail to more invalid recipients than allowed by the Barracuda Email Security Service.
Sending out mail that has been classified by the Barracuda Email Security Service as spam or as containing a virus.
If your network sends out a large email blast, this may trigger an abuse notice from the Barracuda Email Security Service. This notice informs you
that you are sending out mail to more recipients per 30 minute period then the Barracuda Email Security Service allows. This is not a block of your
mail, but rather delays the delivery of the messages. The mail will eventually go out, but at a much slower rate over a longer period of time.
53
To prevent generation of an abuse notice, it is recommended that you spread out the delivery of email blasts over a longer period of time or to
smaller groups of recipients, and to make sure that the addresses you are sending to are legitimate. The limits set by the Barracuda Email
Security Service on the number of recipients that can be sent mail per 30 minutes protects against an outbound spam attack from a customer's
network.
IP Addresses With Recent Abuse
The owner of an IP address that appears in this table on the OUTBOUND SETTINGS > Abuse Monitor page for consistently exceeding Rate
Controls may use the Request Increased Limit button to request Barracuda Networks to allow a higher volume of outbound mail so that Rate
Control does not take effect.
Suspended IP Addresses
IP addresses that send very high volumes of email, consistently triggering Rate Controls, may be suspended from sending outbound mail through
the Barracuda Email Security Service. Please contact Barracuda Networks Technical Support if your IP address appears in this list.
Outbound Quarantine
How Outbound Quarantine Works
You can configure policies on the OUTBOUND SETTINGS pages to quarantine outgoing messages that meet certain criteria. The OUTBOUND
QUARANTINE page enables the administrator to view all quarantined outbound messages from senders within the organization, and to take
action - delete, reject, deliver or export those messages. The administrator receives a notification email about quarantined messages as
described below.
For rejected messages, the sender will receive a non-delivery report (NDR) indicating that their message will not be sent to the recipient.
Outbound Quarantine Notifications
The following notifications and NDRs (non-delivery reports) can be configured for administrators and senders of quarantined mail from the OUTB
OUND SETTING S > Notifications page.
Admin Quarantine Notification
The domain administrator receives a quarantine summary report at a specified interval, listing outbound quarantined messages since the last
report. Settings include:
Frequency (Immediately, Daily, Weekly or Never)
Start time
Email address.
Sender Quarantine Notification
When a message ends up in the outbound quarantine, the sender receives an NDR (non-delivery report) email if the administrator enables
Quarantine Sender Notification on the OUTBOUND SETTINGS > Notifications page. The email template is configurable.
Sender Notification of Rejected Mail
If the administrator rejects an email in the outbound quarantine, then an NDR is sent to the sender of the email. The email template is
configurable.
Outbound Filtering Policies Applied by the Barracuda Email Security Service
The following policies are applied to all outbound mail by the Barracuda Email Security Service by default:
Scanning for viruses and intent.
Scanning and scoring for spam content.
If a virus or spam is discovered in an outbound message, the message will not be delivered; however, mail caught for spam can be
manually delivered by the administrator.
54
Important
It is not possible to bypass the virus or spam filtering of outbound mail.
For information about configuring other outbound policy settings, including DLP and encryption, see Configure Outbound Filtering Policy. Or see
the pages on the OUTBOUND SETTINGS tab in the Barracuda Email Security Service web interface.
Advanced Configuration
In this Section
How to Configure Sender Policy Framework
How to Configure Recipient Verification Using LDAP
How to Configure Hosted Email Services
To prevent data leakage and ensure compliance with financial, health care and other federally-regulated agency information policies, the
Barracuda Email Security Service provides several types of encryption for inbound and outbound message traffic.
Sending Messages Over an Encrypted Channel
TLS provides secure transmission of email content, both inbound and outbound, over an encrypted channel using the Secure Sockets Layer
(SSL) - also known as TLS.
To require mail to be sent outbound from the Barracuda Email Security Service over a TLS connection, you can enable Force TLS for each
domain on the OUTBOUND SETTINGS > DLP/Encryption page. Mail sent to these domains must be transmitted across a TLS connection. If a
TLS connection can not be established, then the mail will not be delivered.
To require mail coming inbound to the Barracuda Email Security Service to use a TLS connection, use the SMTP Over TLS setting on the DOMAI
NS > Settings page for each domain. If you enable SMTP over TLS, then if TLS is available on your organization's mail server, inbound mail is
sent over a TLS channel. If not, mail is sent in cleartext.
Encryption of Outbound Mail
For guaranteed message encryption and ensured delivery of outbound messages, use the Barracuda Message Center to encrypt the contents of
certain outbound messages. You can create policies for when to encrypt outbound messages on the OUTBOUND SETTINGS > Content
Policies page for a domain. For details about using encryption with the Barracuda Message Center, see How to Use Encryption of Outbound Mail
. For end-users, see the Barracuda Message Center User's Guide.
Sender Authentication mechanisms enable the Barracuda Email Security Service to protect your network and users from spammers who might
"spoof" a domain or otherwise hide the identity of the true sender. This article describes the techniques used to verify the "from" address of a
message.
Sender Policy Framework
Important!
Email Security Service that you either disable SPF checking in the service OR add the Barracuda Email Security Service IP range
(64.235.144.0/20) to your SPF exemptions. If this is not done, your SPF checker will block mail from domains with an SPF record set to
Block. This is because the mail will be coming from a Barracuda Email Security Service IP address which is not in the sender's SPF
record.
55
Sender Policy Framework (SPF) is an open standard specifying a method to prevent sender address forgery. The current version of SPF protects
the envelope sender address, which is used for the delivery of messages. SPF works by having domains publish reverse MX records to display
which machines are designated as mail sending machines for that domain. When receiving a message from a domain, the recipient can check
those records to make sure mail is coming from a designated sending machine. If the message fails the SPF check, it is assumed to be spam. For
more information on SPF, visit http://www.openspf.org.
Messages that fail SPF check can be blocked and will be logged as such. Enable or disable the Sender Policy Framework feature for checking
inbound mail from the INBOUND SETTINGS > Sender Authentication page. To configure, see How to Configure Sender Policy Framework.
Note that if you enable SPF, you might also want to enable the Sender Rewriting Scheme (SRS). This option is configurable from the Advanced
Configuration section of the DOMAINS > Domain Settings page and, if enabled, the Barracuda Email Security Service will make the IP
address of your sending mail server visible to the agent doing Sender Policy Framework (SPF) verification on the recipient's end.
Blocking No PTR Records
While the A record for a domain points to an IP address, the PTR record resolves the IP address to a domain/hostname; PTR records are used
for reverse DNS lookup. Enabling this feature means that the Barracuda Email Security Service will query DNS for the SPF record of the sending
domain and, if there is no entry for the sending IP address, i.e. no PTR record, the message will be blocked. Configure on the INBOUND
SETTINGS > Sender Authentication page.
Custom Policies and Sender Spoof Protection
For inbound email, organizations can define their own allowed sender domains, users or email addresses for sender authentication using the INB
OUND SETTINGS > Sender Policies page. However, the safest way to indicate valid senders on the Barracuda Email Security Service is to
exempt the IP addresses of trusted email servers from being scanned on the INBOUND SETTINGS > IP Address Policies page, then blocklist
(block) their domain names on the INBOUND SETTINGS > Sender Policies page to prevent domain name spoofing. See Content Analysis Outbound Mail, to configure sender policies for outbound email.
How to Configure Sender Policy Framework
Use the steps in this article to configure Sender Policy Framework (SPF) checking for the Barracuda Email Security Service.
Important
If you have SPF checking enabled on your mail server or network, it is critical when using the Barracuda Email Security Service that
you either disable SPF checking in the service or add the Barracuda Email Security Service IP range 64.235.144.0/20 to your SPF
exemptions. Otherwise, your SPF checker blocks mail from domains with an SPF record set to Block because the mail is coming from
a Barracuda Email Security Service IP address not in the sender's SPF record. For more information, see the Sender Policy
Framework Project Overview.
Configure SPF for Inbound Mail
1. Log in to your Barracuda Cloud Control account using your Essentials for Office 365 credentials, and click Email Security in the left
pane.
2. Go to the INBOUND SETTINGS > Sender Authentication page, and in the Use Sender Policy Framework section, select the desired
option:
BLOCK FAIL – When selected, indicates the IP address of the message sender does not match the IP address or range of IP
addresses specified in the sending domain name's SPF record, and that the real owner of the domain has specifically indicated
that such messages should be rejected (blocked) as spoofed.
BLOCK Fail, SOFTFAIL – When selected, indicates the message sender's IP address does not match the IP address or range
of IP addresses specified in the sending domain name's SPF record and the domain owner did not specify how such messages
are to be handled. Messages in either the SPF SOFTFAIL or FAIL state are blocked.
You can optionally enable Sender Rewriting Scheme (SRS) for a specific domain on the DOMAINS > Domain
Manager > Settings page. When enabled, the sending mail server IP address is visible to the SPF verification agent
on the recipient's end. The recipient's SPF agent checks the reverse MX records for your domain and verifies your IP
address as an authorized sender to ensure message delivery to the recipient.
56
Exempt Trusted IP Addresses from SPF Checks
You can exempt mail relay servers and other machines from SPF checks that are set up specifically to forward mail to the Barracuda Email
Security Service from outside sources. Mail from these IP addresses is still scanned for spam.
1. Log in to your Barracuda Cloud Control account using your Essentials for Office 365 credentials, and click Email Security in the left
pane.
2. Go to the INBOUND SETTINGS > Sender Authentication page, and in the Use Sender Policy Framework section, enter the IP
Address and Netmask and optional Comment.
3. Click Add in the Actions column, and click Save Changes.
Configure SPF for Outbound Mail
To assure outbound mail from your Barracuda Email Security Service that Barracuda Networks is the authorized sending mail service, add the
following to the INCLUDE line of the SPF record for each domain sending outbound mail:
include:spf.ess.barracudanetworks.com
How to Configure Recipient Verification Using LDAP
Sender authentication and recipient verification are a critical part of maintaining security of email flowing into and out of your organization. By
identifying known trusted senders and recipients of email, you can block a large percentage of spam, viruses and malware from your network.
Once you have entered information about your LDAP server per instructions below, click the Test Settings button on the DOMAINS > Domain
Settings page to ensure that the Barracuda Email Security Service can communicate with the server. LDAP server types supported include
Active Directory, Novell eDirectory, Domino Directory and OpenLDAP.
LDAP Lookup
You can 'synchronize' the Barracuda Email Security Service with your existing LDAP server to automatically create accounts for all users in the
domain. For more information about user accounts, see Managing User Accounts.
LDAP lookup configuration and LDAP authentication of user logins is done by domain from the DOMAINS > Domain Settings page. From the D
OMAINS > Domain Manager page, click Settings in the Actions column to the right of the domain name. Once you configure your LDAP
settings on the DOMAINS > Domain Settings page as described below, click Synchronize Now to create user accounts for all users in your
LDAP server.
Important
The Barracuda Email Security Service connects with your network from various IP addresses including performing LDAP lookups. To
ensure the service can connect with your network, allow traffic originating from the following range of network addresses:
64.235.144.0/20
The following variables must be configured:
LDAP Host, Port – The server utilized for LDAP lookups. If this setting is a hostname, and is contained in multiple A records, then
fail-over capabilities are available if the Barracuda Email Security Service is unable to connect to one of the machines listed here.
Port – Port used to connect to the LDAP service on the specified LDAP Server. Typically port 389 is used for regular LDAP and LDAP
using the STARTTLS mode for privacy. Port 636 is assigned to the LDAPS service (LDAP over SSL/TLS).
Use SSL (LDAPS) – By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using
Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology by selecting Yes for this option.
Bind DN (Username) – Username used to connect to the LDAP service on the specified LDAP Server. If of the form accountname@dom
ain.com, the username is transformed into a proper LDAP bind DN like CN=accountname,CN=users,DC=domain,DC=com when
accessing the LDAP server. Sometimes the default transformation does not generate a proper bind DN. In such cases, a fully formed and
valid bind DN must be entered.
Bind Password – Password used to connect to the LDAP service on the specified LDAP Server.
Base DN – Base DN for your directory. This is the starting search point in the LDAP tree. The default value will look up the
'defaultNamingContext' top-level attribute and use it as the search base. For example, if your domain is test.com, your Base DN might be
dc=test,dc=com.
Authentication Filter – Filter used to look up an email address and determine if it is valid for this domain. The filter consists of a series of
57
attributes that might contain the email address. If the email address is found in any of those attributes, then the account is valid and is
allowed by the Barracuda Email Security Service.
User Filter – Filter used to limit the accounts that the Barracuda Email Security Service will create when an LDAP query is made. For
example, you could limit the LDAP synchronization to just users in certain sub-domains using the mail= parameter, or only synchronize
user-objects in a certain organizational unit (OU) using the ou= parameter. Each type of LDAP server has specific query syntax, so
consult the documentation for your LDAP server. For Microsoft Exchange syntax and examples, see the TechNet article LDAP Query
Basics.
Example: Your list of valid users on your directory server includes 'User1', 'User2', 'User3', 'BJones', 'RWong', and 'JDoe', and you create
the User Filter (name=*User*). In this case, the service only creates accounts for 'User1', 'User2', and 'User3'.
Mail Attributes – Attribute in your LDAP directory that contains the user's email address.
Testing Email Address – Enter a valid email address for use in testing LDAP settings. If this field is left blank, LDAP settings are only
tested for connection.
Synchronize Automatically – Set to Yes if you are using LDAP and want the Barracuda Email Security Service to automatically
synchronize your LDAP users to its database on a regular basis for recipient verification. With Microsoft Exchange server, the
synchronization is incremental. Select No if you want to synchronize manually in case your LDAP server is not always available. To
synchronize manually, click Synchronize Now.
Use LDAP for Authentication – Set to Yes to enable LDAP for user login authentication. You can disable this setting if your LDAP
server will be unavailable for a period of time.
How to Configure Hosted Email Services
In This Section
This article addresses configuring Google Apps Business and Education editions with the Barracuda Email Security Service as your
inbound and/or outbound mail gateway.
You can specify the Barracuda Email Security Service as an inbound mail gateway through which all incoming mail for your domain passes before
reaching your Google Apps account. The Barracuda Email Security Service filters out spam and viruses, and then passes the mail on to the
Google Apps mail servers. Use the Inbound Configuration instructions below to configure.
You can likewise specify the Barracuda Email Security Service as the outbound mail gateway through which all mail is sent from your domain via
your Google Apps account to the recipient. As the outbound gateway, the Barracuda Email Security Service processes the mail by filtering out
spam and viruses before final delivery. By using the configuration described in Outbound Configuration below, you instruct the Google Apps
mail servers to pass all outgoing mail from your domain to the Barracuda Email Security Service (the gateway server).
Google Apps IP addresses and user interfaces can change; refer to the Google Apps Administrator Help Center for updates and
configuration details.
Step 1. Allow Only Barracuda Access to Google Apps
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
Sign in to the Google Admin console.
From the dashboard, go to Apps > Google Apps > Gmail > Advanced settings.
Open Content compliance.
Type the following as the rule name: Barracuda ESS
Under Email messages to affect, select Inbound.
From the menu, select If ALL of the following match the message.
In the Expressions section, click Add.
From the menu, click Metadata match.
From the Attribute menu, click Source IP.
From the Match type menu, click is not within the following range.
In the field under the menu, type: 64.235.144.0/20
12. Click Save.
13. Select Reject Message for the expression match.
14. Optional. Enter a rejection notice.
58
14.
15. Click Add Setting, and click Save in the bottom right of the window.
Step 2. Launch the Barracuda Email Security Service Setup Wizard
Alternatively, you can manually set up the Barracuda Email Security Service using the web interface.
Click here to expand...
Configure Domain
1. Log in to Barracuda Email Security Service, and go to the DOMAINS page.
2. Under Domain Name, enter the primary email domain to be filtered
3.
59
3. Enter the primary Google Apps destination mail server: ASPMX.L.GOOGLE.COM
4. Click Add.
5. Click Add Mail Server to continue adding the remaining Google Apps destination servers and their respective priority:
Priority
Google Apps Destination mail Server
5
ALT1.ASPMX.L.GOOGLE.COM
5
10
ASPMX2.GOOGLEMAIL.COM
10
1
ASPMX.L.GOOGLE.COM
1. Log in to Barracuda Email Security Service, and click the link to launch the Email Security Service Setup wizard.
2. Click Get Started; the Specify Primary Email Domain page displays. Enter the primary email domain to be filtered. You can add
additional domains later.
3. Click Next. The Specify Email Servers page displays. Enter the hostname/IP address of the mail server for the entered domain. Emails
will be sent to this server after being scanned by the Barracuda Email Security Service. If the servers do not pre-populate, enter the
primary Google Apps destination mail servers as follows:
Priority
Google Apps Destination mail Server
5
5
10
10
1
ASPMX.L.GOOGLE.COM
After completing the setup, you must manually edit the priorities for each server from the Domain Settings page.
4. Enter an email address to test the server configuration, and click Test All Mail Servers .
) icon displays in the Status column and a confirmation message displays at the top of
the page.
(definitely spam). Setting a score of '1' will likely block legitimate messages while setting a score of '10' will allow more messages
spam.
where traditional heuristics and signatures to detect such messages do not yet exist. Each quarantined message has a
reason of BRTS in the Message Log.
60
information:
9. If you do not want to route your email through Barracuda Email Security, select I do not want to route my e-mail through Barracuda at
this time, and select the verification option:
Click here to expand...
b. Email to the postmaster – This method sends a verification email to the postmaster email address for your domain. The
confirmation email includes a link that the recipient must click to verify the domain.
c. Email to Technical Contact – This method sends a verification email to the technical contact email address, if it exists,
listed on your domain's WHOIS entry. This verification option is not available if the Barracuda Email Security Service cannot
find your domain's WHOIS entry. If there is not a technical contact, then only the MX Records and Email to the Postmaster
options displays on this page.
10. Click Next.
12. Go to the DOMAINS page and verify your settings.
Step 3. (Optional) Configure Outbound Mail Flow
To ensure outbound mail delivery, contact Barracuda Technical Support to have Hosted Outbound Relay enabled on your account.
Failure to do so will result in undeliverable messages.
1. In the Routing section, locate Outbound gateway.
2. Enter the Outbound Hostname provided to you in the settings for your domain within the Email Security interface:
61
3. Click Save in the bottom right corner.
Step 4. Configure Sender Policy Framework for Outbound Mail
To assure Barracuda Networks is the authorized sending mail service for outbound mail recipients, review your domain's SPF record. See Sender
Authentication for more information.
If you have an SPF record set up for your domain, edit the existing record and add the following to the INCLUDE line for each domain
sending outbound mail: include:spf.ess.barracudanetworks.com
If you do not have an SPF record set up for your domain, use the following value to create a TXT record that creates a SOFTFAIL SPF
for your domain: v=spf1 include:spf.ess.barracudanetworks.com ~all
ESS, host name, hosted
GApps
You can configure Microsoft Office 365 with the Barracuda Email Security Service as your inbound and/or outbound mail gateway.
Use this article to prepare your Barracuda Email Security Service deployment to connect with Office 365.
For information on basic configuration of outbound mail scanning with the Barracuda Email Security Service, refer to Step 3 Configure Outbound Mail Scanning.
Important
Office 365 IP addresses and user interfaces can change, so please refer to Microsoft documentation for details on configuration. This
article is current with Microsoft procedures as of May, 2016.
Before getting started, contact Barracuda Technical Support and request that Outbound Groups be enabled on your Barracuda Email
Security Service account.
You can specify the Barracuda Email Security Service as an inbound mail gateway through which all incoming mail for your domain is filtered
before reaching your Office 365 account. The Barracuda Email Security Service filters out spam and viruses, then passes the mail on to the Office
365 mail servers. Use the Configure Inbound Mail Flow instructions below to configure.
You can also specify the Barracuda Email Security Service as the outbound mail gateway through which all mail is sent from your domain via your
Office 365 account to the recipient. As the outbound gateway, the Barracuda Email Security Service processes the mail by filtering out spam and
viruses before final delivery. By configuring Office 365 as described in Configure Outbound Mail Flow below, you instruct the Office 365 mail
servers to pass all outgoing mail from your domain to the Barracuda Email Security Service (the gateway server).
1. In the login screen, enter your Barracuda Cloud Control credentials, and click Sign In.
2. The Barracuda Email Security Service Dashboard displays. Click the Wizard link at the top of the page to use the setup wizard.
Alternatively, you can click the Domains tab to use the web interface to manually configure domains and settings.
3. In the Setup Wizard, click Get Started. The Specify Primary Email Domain page displays. Enter the primary email domain you want to
filter, for example:
cudaware.com
4. Click Next. The Specify Email Servers page displays. Enter the mail server hostname (FQDN) or IP address for the domain entered in
the previous step, for example:
cudaware-com.mail.protection.outlook.com
If the Barracuda Email Security Service Setup wizard has already identified your mail server IP based on the MX record, the M
ail Server field pre-populates.
5.
62
5. Click Add. Enter an email address to test the server configuration, and click Test All Mail Servers.
) icon displays in the status column and a confirmation message displays at the top of
the page.
(definitely spam). Setting a score of '1' blocks most legitimate messages while setting a score of '10' allows more messages
spam.
where traditional heuristics and signatures to detect such messages do not yet exist.
information:
10. If you only want to route your inbound mail through the Barracuda Email Security Service and not your outbound mail, select I do not
want to route my e-mail through Barracuda at this time , and select the verification option:
b. Email to Postmaster – This method sends a verification email to the postmaster email address for your domain. The
confirmation email includes a link that the recipient must click to verify the domain. Click Send Email.
c. Email to Technical Contact – This method sends a verification email to the technical contact email address, if it exists, listed on
your domain's WHOIS entry. This verification option is not available if the Barracuda Email Security Service cannot find your
63
c.
domain's WHOIS entry. Click Send Email. If there is not a technical contact, only the MX Records and Email to the
Postmaster options display on this page.
11. Click Next.
Step 4. Add Additional Email Domains (Optional)
Use the steps in this section only if you wish to manually add additional email domains, otherwise, go to Step 5. Create Transport Rule.
Obtain the hostname:
1.
2.
3.
4.
Log in to the Office 365 admin center.
In the left pane, click Settings >Domains.
In the Domains table, click on your domain.
Take note of the hostname. This is the address of your destination mail server, for example, cudaware-com.mail.protection.outlook.com
Enter the hostname:
Barracuda recommends using a hostname rather than an IP address so that you can move the destination mail server and update DNS
records without making changes to the Barracuda Email Security Service configuration. This address indicates where the Barracuda
Email Security Service should direct inbound mail from the Internet to your Office 365 Exchange server. For example, your domain
displays to the Internet as: bess-domain.mail.protection.outlook.com
1. Log in to the Barracuda Email Security Service as administrator, and click DOMAINS.
2. Enter the domain name and destination mail server hostname obtained from your Office 365 account:
3. Click Add; the Domain Settings page displays.
Step 5. Create Transport Rule
1. If you have not already done so, contact Barracuda Technical Support and request that Outbound Groups be enabled on your Barracuda
Email Security Service account.
2. Log in to the Office 365 admin center, and go to Admin centers > Exchange.
3. In the left pane, click mail flow, and click rules.
4. Click the + symbol, and click Bypass spam filtering:
64
5. In the new rule page, enter a Name to represent the rule.
6. From the Apply this rule drop-down menu, select The sender > IP address is in any of these ranges or exactly matches:
65
7. In the specify IP address ranges page, type 64.235.144.0/20 as the IP address/range for the Sender (Barracuda Email Security
Service), and click the + symbol:
8. Click OK, and click Save to create the transport rule.
Step 6. Configure Outbound Mail
1. Log in to the Barracuda Email Security Service, and click DOMAINS; make note of the Outbound Hostname:
66
1.
2.
3.
4.
5.
Log in to the Office 365 admin center, and go to Admin centers > Exchange.
In the left pane, click mail flow, and click connectors.
Click the + symbol, and use the wizard to create a new connector.
From the From drop-down menu, select Office 365, and from the To drop-down menu, select Partner organization:
6. Enter a Name and (optional) Description to identify the connector:
67
7. Click Next. Select Only when email messages are sent to these domains, click the + symbol, and enter an asterisk ( * ) in the add
domain field:
68
8. Click OK, and click Next. Select Route email through these smart hosts, and click the + symbol.
9. Go to the Barracuda Email Security Service, and click the DOMAINS tab. Copy your outbound hostname from the MX records, and enter
it in the add smart host page:
69
10. Click Save, and click Next. Use the default setting, Always use Transport Layer Security (TLS) to secure the connection
(recommended) > Issues by Trusted certificate authority (CA):
70
11. Click Next. In the confirmation page, verify your settings and click Next. Office 365 runs a test to verify your settings:
71
12. When the verification page displays, enter a test email address, and click Validate. Once the verification is complete, your mail flow
settings are added.
Barracuda Email Security Service will now accept outbound traffic from Outlook 365.
For additional configuration options and features, log in to the web interface and click Help.
O365
Managing Domains
Your Barracuda Email Security Service only accepts emails addressed to domains that it is configured to recognize. After adding and verifying all
domains you want the service to manage (see the Configure Your Mail Servers and Domains section of Step 2 - Initial Service Setup), you can
select to manage each domain individually so that you can configure different policies and settings.
Configure Policy for Individual Domains
To configure a policy for an individual domains, in the Domains Manager, click Manage in the Actions column to view the Message Log, view
Statistics, and manage all per-domain settings for the selected domain.
Domain Level Settings
Domains you add and verify are initially configured with the specified default global settings. Once you are managing an individual domain, the
72
same Message Log, Inbound Settings, and other tabs display, but the DOMAINS tab is not visible. At the top of the DASHBOARD page, the
following message displays:
You are now managing settings for <domain name>. Return to account management.
Click Return to account management to manage global settings for all domains, or to manage settings and policies for another domain.
Important
When managing a particular domain, the settings you change apply to that domain specifically and override global settings for that
domain.
If the administrator deletes a domain, a dialog box prompts for confirmation of deletion. For details about domain settings, see the DOMAINS >
Domain Manager > Settings page and click the Help button.
Designate Domain Administrators
You can assign certain users to manage one or more domains in the Barracuda Email Security Service. These users can add mail servers, edit
domain settings, view the DASHBOARD page, and manage all policies for those domains.
To designate a domain administrator:
1.
2.
3.
4.
Go to the USERS > User List page.
Select a user, and click Edit in the Actions column.
In the Managed Domains list, select one or more domains that this user can manage.
Click Save.
This user is now a Domain Administrator for the selected domains, and can now manage inbound and outbound email policies for these domains
in the Barracuda Email Security Service.
Managing User Accounts
User-level documentation:
Barracuda Email Security Service User Guide
From the USERS > Users List page an administrator can:
Search for users
Sort the user list
Reset a user password (if the user was added manually)
Add new users (based on how user accounts were initially set up)
Set an account as a domain owner
Log in as a user
Edit user settings
Delete users
User Roles
User roles determine Barracuda Email Security Service access privileges:
Administrator – An administrator can view and modify all aspects of all domains, and configure global and domain-level settings.
Domain administrator – A domain administrator can configure domain-level settings and view all domain settings and users for the
assigned domains.
User – A user can configure user-level settings on their own account.
Search for Users
Enter all or part of a username or email address, and click Search to display all matching results.
Sort Users
73
Click the column titles to sort by user account, user type, or notification status.
Manually Add Users
You can manually add and update users one at a time or in bulk as a list in the USERS > Users List page. Once a user is added manually, the U
ser Type field displays as Manual. When you click Add/Update Users, the USERS > Add/Update Users page displays where you can:
User Accounts – Enter each user email address for the domain on a separate line
Enable User Quarantine – When set to Yes, all email for all users in the User Accounts field which meet the configured block policy go
to the user's quarantine account. When a user receives their first quarantined email in their quarantine inbox (Message Log), a second
email is generated as the first quarantine notification, and goes to the user's email account. This email is only generated if there is a
notification interval set and that recipient has received at least one message marked with the Action of Quarantine.
Notify New Users – When set to Yes, each user in the User Accounts field receives a welcome email when the account is created.
Once you add users, click Save Changes to add the users and return to the USERS > Users List page.
Add LDAP Users
If the user accounts are set up through LDAP authentication, you can automatically add users through LDAP synchronization:
Synchronize Now – To manually synchronize LDAP users on a domain, set Synchronize Automatically to No on the DOMAINS >
Domain Settings page, and click Synchronize Now whenever you want to sync users.
If you have numerous LDAP users (over 300 hundred), and you click Synchronize Now in the DOMAINS > Domain Settings
page, your LDAP server may time-out before LDAP synchronization is complete. To resolve this issue, go to the DOMAINS >
Domain Settings page, and set Synchronize Automatically to Yes.
Synchronize Automatically – To automatically synchronize LDAP users on a domain, set Synchronize Automatically to Yes on the D
OMAINS > Domain Settings page. Barracuda Email Security Service automatically synchronizes your LDA users to its database
incrementally for recipient verification.
Set an Account as Domain Administrator
You can set an account as a domain owner, and select verified domains you want the user to manage to set up delegated administration:
1. Go to the USERS > Users List page, and click Edit in the Actions column to the right of an Enabled user.
2. In the Edit User page, click All to select all available domains, or select domains individually:
3. Click Save.
Log in as a User
An administrator can click Log in as this user to:
View or change user settings
View and manage the domains the user manages
View, search, and manage the user's Message Log
74
Edit Users
You can edit the following user settings:
Click Edit to add or remove domain administration privileges;
Click Reset to reset the selected user's password; when clicked, an email is sent to the user with a link to reset their password.
Delete Users
You can select to delete a single user or click Bulk Delete to delete all users.
Default User Settings
Set the default scan/block/allow policies for both managed users and unmanaged users on the USERS > Default Policy page:
Managed Users – Users display on the USERS > Users List page and are configured either manually or by synchronizing with your
LDAP server.
Unmanaged Users – Senders and recipients of email for the configured domains not in the USERS > Users List.
By default, all email is scanned as opposed to blocked or allowed unless changed in the Default Policy page.
Select the Default Time Zone for all users from the drop-down menu.
User Actions
Users can view their quarantine inbox (Message Log) and set some account preferences, depending on what is enabled on their account.
Available permissions include:
Quarantine Notification reports – Modify individual settings for quarantine notification reports.
Manage quarantine inbox – Deliver or delete quarantined messages.
Password – Change their password.
Link Accounts – Select to use the current account as an alias. From the SETTINGS > Linked Accounts page, the user can add
additional email addresses they have in the same domain for which quarantined email is to be forwarded to this account.
Exempt – Create exempt and blocklists for email addresses, users, and domains in the SETTINGS > Sender Policy page.
Office 365
Managed Accounts
Delegated Administration
O365
Quarantine Notifications
The Barracuda Email Security Service can send notifications (quarantine digest) at predefined intervals. The administrator can set the notification
interval for all users on the USERS > Quarantine Notification page, or set Allow users to specify interval to Yes so that users can set their
own notification interval on the SETTINGS > Quarantine Notification page when logged into their user account.
The Default interval for user quarantine notifications is Daily. You can select to set notifications to Weekly or None, or select Custom to select
the days and time of the week to send notifications.
The Quarantine Digest
The quarantine digest (summary) is sent when new quarantined mail is saved in the user's account (inbox) since the last notification cycle. Each
day the quarantine notification service runs for all users. If there is no new quarantined mail for a user since the last notification interval, no
quarantine digest is generated and sent to that user for that same 24 hour period.
75
The links in the quarantine notification email allow the user to access their Barracuda Email Security Service user account without entering their
username and password. The link is valid for seven days. After that, the user must manually log in to https://ess.barracudanetworks.com.
The links in the Action column allow the user to:
Deliver – Click to deliver the message to regular inbox.
Whitelist – Click to whitelist the sender. All future messages from the sender are allowed and go directly to the user's regular inbox.
Figure 1. Sample Quarantined Notification Email.
Reporting
Use the REPORTS tab to choose from Inbound or Outbound email traffic. Reports cover global activity across all domains for which you have
mail filtered, with up to a maximum history of 30 days of data. Select the Start Date and End Date using the calendar controls. Note that you
cannot run a report that covers more than a 7 day period.
Reports can be anchored on:
Message filtering statistics, including number of messages rate controlled, encrypted, blocked due to policy, blocked due to spam, etc.
Select Inbound or Outbound in the Report Type control.
User activity – Top senders of messages, top recipients of messages, top spam senders, top virus senders, etc. Select a report title, start
and end dates, and indicate how many of the Top senders or recipients to show in the report.
Barracuda Email Security Service User Guide
The Barracuda Email Security Service is a cloud-based email security service that protects both inbound and outbound email against the latest
spam, viruses, worms, phishing, and denial of service attacks. The Barracuda Email Security Service web interface includes the Message Log
from which you can manage your quarantined messages. Additionally, you can set account preferences based on features enabled for your
account by the administrator.
Permissions may include:
Modify quarantine notification report settings. Set email receipt frequency with a list of messages in your quarantine account. Once
76
received, you can select whether to delete or deliver these messages to your email address.
Create exemption (accept mail from), block, or quarantine policies for email addresses, domains, and users.
Manage quarantine inbox delivery or delete quarantined messages.
Change password.
Link Accounts. Use the current account as an alias and add additional email addresses in the same domain for which quarantined email
is to be forwarded to this account.
Welcome Email
Once your system administrator creates your account, the Barracuda Email Security Service sends you a welcome email including a login link.
Note that the link expires after seven days.
Quarantined Mail
You are notified on a regular interval when you have quarantined messages. The quarantine notification interval (daily, weekly, etc.) is set either
by your administrator or, if you have permissions, you.
Figure 1. Quarantined Email Notification.
Manage Quarantined Mail
Use the Message Log to manage quarantined mail. The Message Log page displays all email messages that come through the Barracuda Email
Security Service to your account. You can filter the view by All, Allowed, Not Allowed, Blocked, Deferred, or Quarantined using the drop-down
menu.
Figure 2. Filter Messages in the Message Log.
77
Messages are blocked due to the following:
Spam and virus policies set by your administrator for the domain; and
Email address or domain block policies, as well as email from other users, set by your administrator for the domain.
Messages are deferred for various reasons. Click the Help
searching for and filtering messages.
icon on the Message Log page for more information as well as details on
From the Message Log page you can select one or more messages, and then click on an action, as illustrated in Figure 3. To select all
messages, select the check box at the top of the Message List.
Figure 3. Message Actions.
Once you select one or more messages, you can take the following actions:
Spam – Selected messages are sent to Barracuda Central for analysis.
Not Spam – Selected messages are sent to Barracuda Central for analysis.
Export – Selected messages are exported to a CSV file. When prompted, enter a file name and select whether to save to your local
desktop or network.
Deliver – Attempts to deliver the selected message(s) to your mailbox. If a message is successfully delivered, the Delivery Status chang
es to Delivered. The mail remains in the log until you select the message and click Delete. If the mail cannot be delivered, a notice
displays in your browser window and the Delivery Status does not change. If delivered messages are not delivered to the recipient's
mailbox, it may be due to a filter on the mail server or a service on your network catching the mail as spam. Check with your system
administrator for more information. Additionally, check your local trash/spam folder for the mail.
Delete – Selected messages are removed from the Message Log.
Whitelist – Always accept mail from the selected email addresses, domains, and/or users.
Recategorize – When one or more categorized emails are selected, allows you to change the category. For example, if the message is
categorized as Corporate but you believe it should be categorized as Marketing Materials, you can change the category via the Recate
gorize drop-down. This action submits this email message for recategorization to your selected category. If you select Other and enter a
custom category, the category updates for that particular email message. For more information, see Email Categorization below.
If the Reason for a message in your Message Log displays as Email Categorization, the email from this sender is categorized as not necessarily
spam, but something that you may have subscribed to at one time but no longer want to receive. For example, newsletters and memberships, or
78
marketing information. Email Categorization assigns some of these emails to specific categories, which the administrator can decide to allow,
block, or quarantine. Supported categories display in the Message Log Reason field as:
Email Categorization (corporate) – Emails sent by a user at an authenticated organization that involves general corporate
communications; this does not include marketing newsletters.
Email Categorization (transactional) – Emails related to order confirmations, bills, invoices, bank statements, delivery/shipping notices,
and service-related surveys.
Email Categorization (marketing) – Promotional emails from companies such as Constant Contact.
View Message
To view the message source, headers, and available options, double-click the message; the message content displays. You can take the
following options:
Click Source to view all headers
Click Deliver to deliver the email to your regular mailbox
Click Download to download the message to your local system or network
Click Whitelist to exempt the sender, that is, specify that all future mail from the sender is not quarantined and instead goes directly to
your regular mailbox
Alternatively, you can use the SETTINGS > Sender Policy page to exempt or block senders. See Set Exempt and Blocklist
Policies later in this article for additional information.
Click Block and select whether to block the message Domain or Email
Click Delete to remove the message
Click Download to download and open the email
Figure 4. Message Source with Headers.
Set Quarantine Notification Interval
79
You can direct the Barracuda Email Security Service to notify you by email when you have quarantined messages. On the SETTINGS >
Quarantine Notifications page, select Never, Daily, Weekly, or select Custom and set the time of day for quarantine notification email delivery
for any or all days of the week. Clear a day if you do not want to send quarantine notifications for that day. Click Save Changes to save your
settings.
Figure 5. Set Quarantine Notification Interval.
Set Exempt and Blocklist Policies
Use the Sender Policy page to specify whether to block, allow, or quarantine messages from a specific sender or domain. These are called
exempt/blocklist policies. To create a new policy:
1. Go to SETTINGS > Sender Policy, and enter the email address or domain:
2. From the Policy drop-down menu, select whether to Block, Exempt, or Quarantine the Sender.
3. Optionally, you can add a comment to indicate why you created the policy.
4. Click Add to save the policy.
Link Quarantine Accounts
You can add additional email addresses in the same domain for which quarantined email is to be forwarded to this account. From the SETTINGS
> Linked Accounts page, click Link an Account, fill in the email address to link, select whether to Link account without verification, and then
click Add.
Change Your Password
Use the SETTINGS > Change Password page to change your password. Click Save Changes to change your password.
80
How to Re-Enable a Suspended or Disabled Account
If your trial period expires before you purchase a subscription, or if you do not renew your subscription, a warning message displays at the top of
every page indicating that your account has expired and is either suspended or disabled, and an email notification is sent to you:
Dear Administrator,
Thank you for using the Barracuda Email Security Service. Your Barracuda Email Security Service trial will expire in 15 day(s)
and your account will be suspended in 75 day(s).
In order to continue your service, please visit: http://www.barracudanetworks.com/ns/purchase/.
For questions, please visit http://www.barracudanetworks.com/ns/support/ or call 408-342-5300.
Thank you,
Barracuda Email Security Service Team
Suspended – If your account is suspended, the service continues to scan viruses only; configured policies are no longer applied, spam is
not blocked, and spooling is disabled.
Disabled – If your account is disabled, all mail to your domains is rejected by the service.
Troubleshooting and Error Messages
Issue
Description
Message Log entries with subject:
Message has no content
Indicates an incomplete SMTP transaction due to a failed connection.
Disabled or suspended account
If your trial period expires before you purchase a subscription, or if
you do not renew your subscription, a warning message displays at
the top of every page indicating that your account has expired and is
either suspended or disabled.
The Barracuda Email Security Service logs all failed connections and
the log entry for the message shows the from/to data, but does not
have any header or body content. This mail includes messages that
are malformed or are addressed to invalid recipients.
See How to Re-Enable a Suspended or Disabled Account.
Mail incorrectly blocked for the reason: Score
Message Log displays Score as the reason a message is blocked.
If a message is incorrectly blocked, select the message and click NO
T SPAM. The message is then sent to Barracuda Networks where
scoring is reviewed and any necessary modifications are made.
Messages marked Delivered from Message Log are not delivered to
recipient account.
When you click Deliver for one or more selected messages in the
Message Log, if the message is successfully delivered, the Delivery
Status displays as Delivered. The mail remains in the log unless you
select the message again and click Delete. If the mail cannot be
delivered, a notice displays in your browser and the Delivery Status
does not change.
If delivered messages are not making it to the recipient's mailbox, it
may be due to a filter on your mail server or a service on your
network catching the mail as spam. Check your local trash/spam
folder for the missing mail.
How To Videos
Initial Configuration
81
Watch this video for a look at domain settings and MX record configuration:
Videos are not visible in the PDF export.
Dashboard
Watch this video for a look at the dashboard:
Configuring Inbound Email
Watch this video for an overview of configuring inbound email:
Configuring Outbound Email
Watch this video for an overview of configuring outbound email:
Outbound Quarantine, User Management, Reports, and Message Log
Watch this video for a look at the outbound quarantine, user management, reports, and message log features:
Online Service Terms
Cloud Service Terms
"Cloud Service" means a Barracuda-hosted service to which Customer subscribes or uses at any time.
Cloud Service Term Updates & International Availability
At all times, use of the Cloud Services is subject to the then-current Cloud Service Terms. Barracuda may make changes to each Cloud Service
from time to time. Barracuda may terminate a Cloud Service in any country where Barracuda is subject to a government regulation, obligation or
other requirement that is not generally applicable to businesses operating there. Availability, functionality, and language versions for each Cloud
Service may vary by country.
Data Retention
At all times during the term of Customer’s subscription, and subject to data retention configurations, Customer will have the ability to access and
extract Customer Data stored in each Cloud Service. "Customer Data" means all data, including all text, sound, video, or image files, and
software, that are provided to Barracuda by, or on behalf of, Customer through use of the Cloud Service.
Except for free trials, Barracuda will retain Customer Data stored in the Cloud Service in a limited function account for 30 days after expiration or
termination of Customer’s subscription so that Customer may extract the data. After the 30-day retention period ends, Barracuda will disable
Customer’s account and may delete the Customer Data at its discretion.
The Cloud Service may not support retention or extraction of software provided by Customer. Barracuda has no liability for the deletion of
Customer Data as described in this section.
Use of Software with the Cloud Service
Cloud Services contain software. Use of the software by customer is subject to the following terms:
Barracuda Software License Terms
Customer may install and use the software only for use with the Cloud Service. The Cloud Service may limit the number of copies of the
software Customer may use or the number of devices on which Customer may use it. Customer’s right to use the software begins when the
Cloud Service is activated and ends when Customer’s right to use the Cloud Service ends. Customer must uninstall the software when
82
Customer’s right to use it ends. Barracuda may disable it at that time.
Validation, Automatic Updates, and Collection for Software
Barracuda may automatically check the version of any of its software. Devices on which the software is installed may periodically provide
information to enable Barracuda to verify that the software is properly licensed. This information includes the software version, the end
user’s user account, product ID information, a machine ID, and the internet protocol address of the device. If the software is not properly
licensed, its functionality will be affected. Customer may only obtain updates or upgrades for the software from Barracuda or authorized
sources. By using the software, Customer consents to the transmission of the information described in this section. Barracuda may, at its
discretion, recommend or download to Customer’s devices updates or supplements to this software, with or without notice. Some Cloud
Services may require, or may be enhanced by, the installation of local software (e.g., agents, device management applications) ("Apps").
The Apps may collect data about the use and performance of the Apps, which may be transmitted to Barracuda and used for the purposes
described in this Cloud Service Terms .
Third-party Software Components
The software may contain third party software components. Unless otherwise disclosed in that software, Barracuda, not the third party,
licenses these components to Customer under Barracuda’s license terms and notices.
Non-Barracuda Products
"Non-Barracuda Product" means any third-party-branded software, data, service, website or product.
Barracuda may make Non-Barracuda Products available to Customer through Customer’s use of the Cloud Services. If Customer installs or uses
any Non-Barracuda Product with a Cloud Service, Customer’s use is subject to third party license terms only and customer may not do so in any
way that would subject Barracuda’s intellectual property or technology to obligations. For Customer’s convenience, Barracuda may include
charges for the Non-Barracuda Product as part of Customer’s bill for Cloud Services. Barracuda, however, assumes no responsibility or liability
whatsoever for the Non-Barracuda Product. Customer is solely responsible for any Non-Barracuda Product that it installs or uses with a Cloud
Service.
Acceptable Use Policy
Neither Customer, nor those that access a Cloud Service through Customer, may use a Cloud Service:
in a way prohibited by law, regulation, governmental order or decree;
to violate the rights of others;
to try to gain unauthorized access to or disrupt any service, device, data, account or network;
to spam or distribute malware;
in a way that could harm the Cloud Service or impair anyone else’s use of it; or
in any application or situation where failure of the Cloud Service could lead to the death or serious bodily injury of any person, or to
severe physical or environmental damage.
Violation of the terms in this section may result in suspension or cancellation of the Cloud Service. Barracuda may provide reasonable notice
before suspending a Cloud Service.
Technical Limitations
Customer must comply with, and may not work around, any technical limitations in a Cloud Service that only allow Customer to use it in certain
ways. Customer may not download or otherwise remove copies of software or source code from a Cloud Service except as explicitly authorized.
Compliance with Laws
Barracuda will comply with all laws and regulations applicable to its provision of the Cloud Services, including security breach notification law.
However, Barracuda is not responsible for compliance with any laws or regulations applicable to Customer or Customer’s industry. Barracuda
does not determine whether Customer Data includes information subject to any specific law or regulation.
Customer must comply with all laws and regulations applicable to its use of Cloud Services, including laws related to privacy, data protection and
confidentiality of communications. Customer is responsible for implementing and maintaining privacy protections and security measures for
components that Customer provides or controls, and for determining whether the Cloud Services are appropriate for storage and processing of
information subject to any specific law or regulation. Customer is responsible for responding to any request from a third party regarding
Customer’s use of a Cloud Service, such as a request to take down content under the U.S. Digital Millennium Copyright Act or other applicable
laws.
Import/Export Services
Customer’s use of any tools provided in the cloud services which allows for the import or export of data is conditioned upon its compliance with all
instructions provided by Barracuda regarding the preparation, treatment and shipment of physical media containing its data ("storage media").
83
Customer is solely responsible for ensuring the storage media and data are provided in compliance with all laws and regulations. Barracuda has
no duty with respect to the storage media and no liability for lost, damaged or destroyed storage media.
Electronic Notices
Barracuda may provide Customer with information and notices about Cloud Services electronically, including via email, through the portal for the
Cloud Service, or through a web site that Barracuda identifies. Notice is given as of the date it is made available by Barracuda.
Privacy and Security Terms
General Privacy and Security Terms
Scope
The terms in this section apply to all Barracuda Cloud Services.
Use of Customer Data
Customer Data will be used only to provide Customer the Cloud Services including purposes compatible with providing those services. Barracuda
will not use Customer Data or derive information from it for any advertising or similar commercial purposes.
In addition to providing the service and day-to-day operations, Barracuda may use your data for the following:
Troubleshooting aimed at preventing, detecting, and repairing problems affecting the operation of services.
Ongoing improvement of features, such as those that improve the reliability of our services, or involve the detection of, and protection
against, threats to the services or customer data (such as malware or spam).
Providing personalized customer experiences.
Contacting you about new products and services.
As between the parties, Customer retains all right, title and interest in and to Customer Data. Barracuda acquires no rights in Customer Data,
other than the rights Customer grants to Barracuda for the uses set forth above. This paragraph does not affect Barracuda’s rights in software or
services Barracuda licenses to Customer.
Disclosure of Customer Data
Barracuda will not voluntarily disclose Customer Data outside of Barracuda or its controlled subsidiaries and affiliates except (1) as Customer
directs, (2) as described in the Cloud Service Terms , or (3) as required by law.
Barracuda does not disclose Customer Data to law enforcement or third parties and when required to disclose Customer Data to law enforcement
or a third party, Barracuda will do so only to the extent necessary.
In support of the above, Barracuda may provide Customer’s basic contact information to the third party.
Educational Institutions
If Customer is an educational agency or institution to which regulations under the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g
(FERPA) apply, Customer understands that Barracuda may possess limited or no contact information for Customer’s students and students’
parents. Consequently, Customer will be responsible for obtaining any parental consent for any end user’s use of the Cloud Service that may be
required by applicable law and to convey notification on behalf of Barracuda to students (or, with respect to a student under 18 years of age and
not in attendance at a postsecondary institution, to the student’s parent) of any judicial order or lawfully-issued subpoena requiring the disclosure
of Customer Data in Barracuda’s possession as may be required under applicable law.
HIPAA Business Associate
Barracuda complies with any portions of HIPAA or the HITECH Act that are directly applicable to Barracuda. In particular, the Barracuda Cloud
safeguards data in such a way as to satisfy HIPAA’s Security Rule. Customers wishing to establish a Business Associate relationship with
Barracuda per 45 CFR 164.502(e) and 164.504(e) should request a Business Associate Agreement from Barracuda. The Business Associate
Agreement defines commitments that Barracuda will make to maintain HIPAA and HITECH compliance as required.
Security
Barracuda is committed to helping protect the security of Customer’s information. Barracuda has implemented and will maintain and follow
appropriate technical and organizational measures intended to protect Customer Data against accidental, unauthorized or unlawful access,
disclosure, alteration, loss, or destruction.
Security Incident Notification
84
If Barracuda becomes aware of any unlawful access to any Customer Data stored on Barracuda’s equipment or in Barracuda’s facilities resulting
in loss, disclosure, or alteration of Customer Data (each a "Security Incident"), Barracuda will promptly (1) notify Customer of the Security
Incident; (2) investigate the Security Incident; and (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the
Security Incident.
Notification(s) of Security Incidents will be delivered to one or more of Customer’s administrators by any means Barracuda selects, including via
email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information on each applicable Cloud
Services portal. Barracuda’s obligation to report or respond to a Security Incident under this section is not an acknowledgement by Barracuda of
any fault or liability with respect to the Security Incident.
Customer must notify Barracuda promptly about any possible misuse of its accounts or authentication credentials or any security incident related
to a Cloud Service.
Location of Data Processing
Except as described elsewhere in the Cloud Service Terms, Customer Data that Barracuda processes on Customer’s behalf may be transferred
to, and stored and processed in, the United States or any other country in which Barracuda or its affiliates or subcontractors maintain facilities.
Customer appoints Barracuda to perform any such transfer of Customer Data to any such country and to store and process Customer Data in
order to provide the Cloud Services.
Preview Releases
Barracuda may offer preview, beta or other pre-release features, data center locations, and services ("Previews") for optional evaluation.
Previews may employ lesser or different privacy and security measures than those typically present in the Cloud Services.
Use of Subcontractors
Barracuda may hire subcontractors to provide services on its behalf. Any such subcontractors will be permitted to obtain Customer Data only to
deliver the services Barracuda has retained them to provide and will be prohibited from using Customer Data for any other purpose. Barracuda
remains responsible for its subcontractors’ compliance with Barracuda’s obligations in the Cloud Service Terms. Customer consents to
Barracuda’s transfer of Customer Data to subcontractors.
How to Contact Barracuda
If Customer believes that Barracuda is not adhering to its privacy or security commitments, Customer may contact customer support or use
Barracuda’s Privacy web form, located at https://www.barracuda.com/company/contact
Data Processing
Location of Customer Data at Rest
Barracuda will store Customer Data at rest within secure data centers in the United States, Canada, Europe and APAC.
Barracuda does not control or limit the regions from which Customer or Customer’s end users may access or move Customer Data.
Privacy
Customer Data Deletion or Return. We aim to maintain our services in a manner that protects information from accidental or malicious
destruction. We are not obligated to immediately delete residual copies from our active servers and may not remove information from our
backup systems.
Barracuda Personnel. Barracuda personnel are granted access to confidential information only when necessary under management
oversight. Barracuda personnel will use customer data only for purposes compatible with providing you the services, which can include
customer support and troubleshooting the service and are obligated to maintain the security and confidentiality of any Customer Data.
This obligation continues even after their engagements end.
Subcontractor Transfer. Barracuda may hire subcontractors to provide certain limited or ancillary services on its behalf. Any
subcontractors to whom Barracuda transfers Customer Data, even those used for storage purposes, will have entered into confidential
written agreements with Barracuda. Customer has previously consented to Barracuda’s transfer of Customer Data to subcontractors as
described in the Cloud Service Terms.
Security
General Practices. Barracuda has implemented and follows for the Cloud Services the following security measures.
Domain
Practices
85
Organization of Information Security
Security Ownership. Barracuda has appointed one or more
managers responsible for coordinating and monitoring the security
rules and procedures.
Security Roles and Responsibilities. Barracuda personnel with
access to Customer Data are subject to confidentiality obligations.
Asset Management
Barracuda treats all Customer Data as confidential to allow for
access to it to be appropriately restricted.
Barracuda imposes restrictions on printing Customer Data
Human Resources Security
Barracuda informs its personnel about relevant security procedures
and their respective roles. Barracuda also informs its personnel of
possible consequences of breaching the security rules and
procedures.
Physical and Environmental Security
Physical Access to Facilities. Barracuda limits access to facilities
where information systems that process Customer Data are located
to identified authorized individuals.
Protection from Disruptions. Barracuda uses a variety of industry
standard systems to protect against loss of data due to power supply
failure or line interference.
Component Disposal. Barracuda uses industry standard processes
to delete Customer.
Communications and Operations Management
Operational Policy. Barracuda maintains security documents
describing its security measures and the relevant procedures and
responsibilities of its personnel who have access to Customer Data.
Data Recovery Procedures
Barracuda has specific procedures in place governing access to
copies of Customer Data.
Barracuda reviews data recovery procedures at least every
twelve months.
Barracuda logs data restoration efforts, including the person
responsible, the description of the restored data and where
applicable, the person responsible and which data (if any) had to
be input manually in the data recovery process.
Malicious Software. Barracuda has anti-malware controls to help
avoid malicious software gaining unauthorized access to Customer
Data, including malicious software originating from public networks.
Data Beyond Boundaries
- Barracuda encrypts, or enables Customer to encrypt, Customer
Data that is transmitted over public networks.
Event Logging. Barracuda logs, or enables Customer to log, access
and use of information systems containing Customer Data,
registering the access ID, time, authorization granted or denied, and
relevant activity.
86
Access Control
Access Policy. Barracuda maintains a record of security privileges of
individuals having access to Customer Data.
Access Authorization
Barracuda maintains and updates a record of personnel
authorized to access Barracuda systems that contain Customer
Data.
Barracuda deactivates authentication credentials that have not
been used for a period of time.
Barracuda identifies those personnel who may grant, alter or
cancel authorized access to data and resources.
Barracuda ensures that where more than one individual has
access to systems containing Customer Data, the individuals
have separate identifiers/log-ins.
Least Privilege
Barracuda restricts access to Customer Data to only those
individuals who require such access to perform their job function.
Integrity and Confidentiality
Barracuda instructs Barracuda personnel to disable
administrative sessions when leaving premises Barracuda
controls or when computers are otherwise left unattended.
Barracuda stores passwords in a way that makes them
unintelligible while they are in force.
Authentication
Barracuda uses industry standard practices to identify and
authenticate users who attempt to access information systems.
Where authentication mechanisms are based on passwords,
Barracuda requires that the passwords are renewed regularly.
Where authentication mechanisms are based on passwords,
Barracuda sets rules requiring password complexity.
Barracuda ensures that de-activated or expired identifiers are not
granted to other individuals.
Barracuda monitors, or enables Customer to monitor, repeated
attempts to gain access to the information system using an
invalid password.
Barracuda maintains industry standard procedures to deactivate
passwords that have been corrupted or inadvertently disclosed.
Barracuda uses industry standard password protection practices,
including practices designed to maintain the confidentiality and
integrity of passwords when they are assigned and distributed,
and during storage.
Business Continuity Management
Barracuda’s redundant storage and its procedures for recovering
data are designed to attempt to reconstruct Customer Data in its
original or last-replicated state from before the time it was lost or
destroyed.
Cloud Services Information Security Policy
The following services are certified as follows
Cloud Service
Audit Type
CudaSign
SSAE 16 SOC 2 Type II
87
Backup
Intronis
Subject to non-disclosure obligations, Barracuda will make product specific security overviews available to Customer.
Customer is solely responsible for reviewing each Security Overview and making an independent determination as to whether it meets
Customer’s requirements.
Barracuda Review of Cloud Services
Barracuda will review the security of the computers, computing environment and physical data centers that it uses in processing Customer Data
(including personal data), as follows:
Where a standard or framework provides for audits or reviews, a review of such control standard or framework will be initiated at least
annually for each Cloud Service.
Each review will be performed according to the standards and rules of the regulatory or accreditation body for each applicable control
standard or framework.
Barracuda will promptly remediate issues raised in any Barracuda review.
88

1. Overview - Barracuda Campus

Transcription

Similar documents

barracuda yacht design northwind 100` sy

barracuda message archiver

brochure

iPhone Instructions - New Albany Schools website

FS 1000 Owners Manual

ordering instructions mail order

Service Request - MEDI

The Premier Tribute to The Rock Band Heart!

Hoover`s Ride, Ball Stud Hemi

has royalty free clip art images to use for business cards or brochures.