1. Overview - Barracuda Campus
Transcription
1. Overview - Barracuda Campus
1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.1 Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.1 Step 1 - How the Service Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.2 Step 2 - Initial Service Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.2.1 How to Create User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.2.2 How to Validate Your Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.2.3 How to Set Up MX Records for Domain Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.3 Step 3 - Configure Outbound Mail Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.4 Step 4 - Tune and Monitor the Default Spam and Virus Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.5 How to Migrate Your MailFoundry Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.6 Understanding Inbound and Outbound Message Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.3 Advanced Inbound Email Filtering Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.3.1 IP Analysis - Inbound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.3.1.1 Barracuda Reputation and Email Categorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.3.2 Content Analysis - Inbound Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.3.2.1 Anti-Fraud and Anti-Phishing Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.3.2.1.1 Link Protection FAQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.3.2.2 Attachment Filtering - Inbound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.3.2.3 Image Analysis - Inbound Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.3.2.4 Intent Analysis - Inbound Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.3.3 Bulk Email Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.3.4 Rate Control Inbound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.3.5 Understanding Advanced Threat Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.3.5.1 Advanced Threat Detection Sample Email Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.4 The Message Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.4.1 Message Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.4.2 Advanced Threat Detection Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.4.2.1 Understanding Advanced Threat Detection Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.5 Configure Outbound Filtering Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.5.1 How to Use DLP and Encryption of Outbound Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.5.1.1 Medical Dictionary Source for DLP HIPAA Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.5.2 Content Analysis - Outbound Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.5.3 Abuse Monitoring and Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.5.4 Outbound Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.5.5 Outbound Filtering Policies Applied by the Barracuda Email Security Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.6 Advanced Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.6.1 Secured Message Transmission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.6.2 Sender Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.6.3 How to Configure Sender Policy Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.6.4 How to Configure Recipient Verification Using LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.6.5 How to Configure Hosted Email Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.6.5.1 How to Configure Google Apps for Inbound and Outbound Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.6.5.2 How to Configure Office 365 for Inbound and Outbound Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.7 Managing Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.8 Managing User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.8.1 Quarantine Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.9 Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.10 Barracuda Email Security Service User Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.11 How to Re-Enable a Suspended or Disabled Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.12 Troubleshooting and Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.13 How To Videos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.14 Online Service Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2 13 13 15 19 20 20 21 23 24 28 32 32 33 34 34 35 36 36 37 37 37 38 39 41 42 49 49 50 51 52 53 53 54 54 55 55 55 56 57 58 58 62 72 73 75 76 76 80 81 81 82 Overview The Barracuda Email Security Service is a comprehensive and affordable cloud-based email security service that protects both inbound and outbound email against the latest spam, viruses, worms, phishing, and denial of service attacks. Whether you manage your own mail server such as Microsoft Exchange or use a hosted service like Microsoft Office 365, Spam and viruses are blocked in the cloud prior to delivery to your network, saving network bandwidth and providing additional Denial of Service protection. Once configured, view inbound and outbound email statistics on the DASHBOARD page in the web interface. Where to Start Step 1 - How the Service Works Step 2 - Initial Service Setup Step 3 - Configure Outbound Mail Scanning Step 4 - Tune and Monitor the Default Spam and Virus Settings Partners/Resellers: You can manage multiple Barracuda Email Security Service accounts using the drop-down selection in the Barracuda Cloud Control web interface. See How to Manage Multiple Accounts. Key Features Protection against inbound malware, spam, and Denial of Service attacks. Anti-Fraud and Anti-Phishing Protection. Advanced Threat Detection (ATD) – Subscription-based service that analyzes inbound email attachments in a separate, secured cloud environment to detect new threats and determine whether to block such messages. Link Protection – Uses URL rewriting in email messages that contain links to protect from users clicking on suspicious links. Includes Typosquatting protection. See also: Anti-Fraud and Anti-Phishing Protection. Service is continuously updated with the latest threat definitions and software update. Policy configuration to automatically encrypt, quarantine, or block certain outbound emails based on content, sender, or recipient. Outbound filtering to keep sensitive data from leaving your organization while simultaneously ensuring that legitimate emails are delivered. Create and enforce content policies to prevent credit card numbers, social security numbers, HIPAA data, customer lists, and other private information from being sent by email. User Guide Barracuda Email Security Service User Guide – Easy-to-follow guide for users to manage their accounts Release Notes What's New in Version 2016.11 Web Interface View ATD Reports per attachment in the ATD Log Admins can now deliver messages blocked for ATD through the Message Log. When delivering messages, admin needs to view the reports on blocked attachments before delivery. This provides detailed information about why an attachment was blocked and when a threat was first detected. Mail Processing Managed users are now tracked independently for outbound rate limiting Link protect system improvements. Miscellaneous performance improvements. What's New in Version 2016.10 Web Interface Customers can exempt trusted sender or recipient of an email from ATD scan based on email address, domain, and / or IP address. Fixed issue in ATD Log where certain entries remained stuck in Scanning status. 2 Mail Processing Improved outbound virus protection. What's New With Version 2016.9 Miscellaneous improvements and bug fixes. What's New With Version 2016.8 Stability improvements. What's New With Version 2016.7 Web Interface Miscellaneous improvements and bug fixes. Mail Processing Outbound message encryption improvements. Barracuda Reputation Block List increased efficiency. Advanced Threat Detection is now more robust. What's New With Version 2016.6 Stability improvements. What's New With Version 2016.5 Quarantine notifications now include a direct link to the whitelist action. This enables users to whitelist a sender. Stability improvements. What's New With Version 2016.4 Web Interface Resellers can now manage multiple accounts using the pull-down selection in the Barracuda Cloud Control web interface. Miscellaneous improvements and bug fixes. Mail Processing Ability to scan first and then deliver messages with Advanced Threat Detection (ATD) subscription. Messages will be deferred until the scan has completed if the scan exceeds a certain timeframe. Improved processing efficiency. What's New With Version 2.8.9 Web Interface and Mail Processing Anti-Phishing Protection Link Protect– When enabled, automatically rewrites any URL in an email message to a safe Barracuda URL, and then delivers the message. If the user then clicks on that URL, the service evaluates it for validity and reputation. If the domain is determined to be valid, the user is then directed to that website. This feature protects users who click URLs in email messages from being directed to a spoofed website or otherwise revealing private information such as logins, passwords or other sensitive data. Note: Link Protect does not properly protect URLs in plain text messages which lack a character set identifier. See also Anti-Fraud and Anti-Phishing Protection. Typosquatting Protection – Automatically corrects spelling of domain names that hackers miss-spell by one letter to fool the user into thinking they are visiting a valid site by clicking the URL in an email. In reality, the domain name, misspelled, would direct the user to a phishing site. For example, bankofanerica.com would be re-spelled correctly by the service as bankofameri ca.com before the email is delivered to the user to protect them from being directed to a suspicious site. Anti-Fraud Intelligence and Intent Domain Policies settings have been moved to the INBOUND SETTINGS > Anti-Phishing page. Miscellaneous improvements and bug fixes. Documentation updates. 3 What's New With Version 2.8.8 Advanced Threat Detection (ATD) – The Barracuda Email Security Service now provides access to the subscription-based ATD service. This service analyzes inbound email attachments in a separate, secured cloud environment to detect new threats and determine whether to block such messages. See Understanding Advanced Threat Detection for details. Spam accuracy improvements. What's New With Version 2.8.7 Stability improvements. Web interface improvements. What's New With Version 2.8.6 Web interface improvements and fixes. What's New With Version 2.8.5 Stability improvements. Web interface improvements. Fixed in Version 2.8.5 Adding users with an underscore "_" in the email address and other special symbols works as expected. (BNESS-4016) What's New With Version 2.8.4 Stability improvements. What's New With Version 2.8.3 Improved Dashboard performance. (BNESS-3885) Improved handling of message rejection in Outbound Quarantine. (BNESS-3889) Fixed in Version 2.8.1 Messages are now deferred if either the virus scanner or Cloudscan are unavailable. (BNESS-3660) What's New With Version 2.8.0 Web Interface New Dashboard Page Layout and Features Threat Origins indicates the geographical region where blocked emails originate. Top Recipient Domains shows the volume of email received by, and average number of recipients for, each domain. Traffic Status lets the user know when the last messages were received and delivered. Subscription details shows when the subscription expires. Inbound Email Statistics shows various statistics about incoming emails. Outbound Email Statistics shows various statistics about outgoing emails. Inbound Top Recipients shows information about the most common recipients. Outbound Top Senders shows information about the the most common senders. Documentation Updated domain LDAP documentation. Mail Processing Mail sent to a child domain that is not managed by the Barracuda Email Security Service will be delivered to the parent domain if it is managed by the Barracuda Email Security Service. Spam Accuracy Added support for Microsoft Access files in attachment filters. Added support for archived Microsoft Office files to attachment filters. 4 Added support for archived PDF files to attachment filters. Envelope senders with spoofed postmaster address will now be blocked. Fixed in Version 2.8.0 Fix for rare occurrences of “duplicate serial” when transferring serials to new accounts. (BNESS-3676) Account expiration warning notices now include account information. (BNESS-3449) What's New With Version 2.7.2 Web Interface Scalability and performance improvements: Improved web server response time. (BNESS-3491) Spam Accuracy Scalability and performance improvements: Improved spam accuracy. (BNESS-3320) What's New With Version 2.7.1 Web Interface 'Empty message' text for tables with the ability to add inline will no longer be displayed. (BNESS-3440) Reports can now be exported to CSV format. (BNESS-2779) Messages delivered through the Message Log are now marked as UI Delivered. (BNESS-3479) Headers of messages contain a virus display. (BNES-2739) Spam Accuracy Ability to use Domain Key Identified Mail (DKIM) for inbound spam blocking. (BNESS-3419, BNESS-3420, BNESS-3426) Fixed in Version 2.7.1 Web Interface Removed Subject tag from Email Categorization setting table. (BNESS-3407) Minor behavioral changes to Message / Quarantine logs. (BNESS-3400, BNESS-3357, BNESS-3270) Spam Accuracy Improvements on inherited policy settings. (BNESS-3405) General Spam Accuracy improvements. (BNESS-3346) What's New With Version 2.7.0 Web Interface You can click the Add link to add records 'in line' from within tables throughout the web interface. (BNESS-3392) Tables can now be sorted by some or all data columns throughout the web interface. (BNESS-3397) New INBOUND SETTINGS > Sender Authentication page. On this page you can configure Sender Policy Framework (previously configured on the INBOUND SETTINGS > Anti-Spam/Antivirus page). Spam Accuracy Option to block on missing PTR Records, configured on the INBOUND SETTINGS > Sender Authentication page. (BNESS-3383) Fixed in Version 2.7.0 Message Log The Saved Searches window now shows all saved searches. (BNESS-2890) Web Interface Layout improvements for tables. (BNESS-3393, BNESS-3394) The primary tab will now remain highlighted after a refresh/reload. (BNESS-3164) 5 The USERS > Users List page now has a Next Page link at the bottom of the page. (BNESS-3349) What's New With Version 2.6.2 Web Interface Moved location of Save and Cancel buttons in web interface. (BNESS-3307) Replaced Help link with a 'question mark' icon ? next to the page title to click for a help pop-up window. Message Log Added support for "size_lt:" (message size less than <size in bytes>) search. (BNESS-1261) Fixed in Version 2.6.2 Improved accuracy of "size_gt:" (message size greater than) search. (BNESS-3277) Searching users in linked accounts in Users list works as expected. (BNESS-3329) Browser-specific improvements in rendering web interface. (BNESS-3278, BNESS-3279) Improved Spam Accuracy. (BNESS-3167) What's New With Version 2.6.1 Message Processing Improved efficiency of Multilevel-Intent. (BNESS-3081) Web Interface Updated the web interface styling for improved look and feel, consistency. Improved Self-Service setup wizard. (BNESS-3150) Improved LDAP efficiency for authentication. (BNESS-3149) Fixed in Version 2.6.1 Improved handling of users' policies (See USERS > Default Policy). (BNESS-2386) What's New With Version 2.6.0 Message Processing Rate Control for inbound mail. This feature protects your mail server from spammers or spam-programs (also known as "spam-bots") that send large amounts of email to the server in a small amount of time. See the INBOUND SETTINGS > Rate Control page to configure. Web Interface Updated the web interface styling for improved look and feel. There are no navigation changes. Added support for domain verification via CNAME records or via the technical contact from the WHOIS database. See the DOMAINS pag e or How to Validate Your Domain. Added support for domain verification via the technical contact from the WHOIS database in the Barracuda Email Security Service Setup wizard. Fixed in Version 2.6.0 On the OUTBOUND SETTINGS> Notifications page, the Quarantine Sender Notification default setting is No. (BNESS-3043) If the admin tries to reject a message in the OUTBOUND QUARANTINE, but has not already filled in the Reject Notification Address fi eld on the OUTBOUND SETTINGS> Notifications page, the error message now provides a link for the admin to click to enter that email address (BNESS-3043) What's New With Version 2.5.4 Quarantine Outbound quarantine support enables administrators to quarantine outbound messages based on policy - see the OUTBOUND SETTINGS > Content Policies page to configure. Quarantined messages are moved to an inbox, on the OUTBOUND QUARANTINE page, where the administrator can export, deliver, reject and delete messages in the list. Notification summary emails for quarantined messages can be sent to the administrator immediately, or on a daily or weekly basis. See the OUTBOUND SETTINGS > Notifications page to configure. 6 Quarantine notifications to senders of outbound quarantined messages can be enabled by the administrator to indicate that the message has not been delivered, and awaits evaluation by the administrator. An NDR (non-delivery report) will be sent to senders of quarantined outbound messages that are rejected by the administrator. See the O UTBOUND SETTINGS > Notifications page to configure. Web Interface With the Barracuda Express Setup, new Barracuda Email Security Service accounts have an updated setup wizard that includes Office 365 configuration. Fixed in Version in 2.5.4 Improved message processing. (BNESS-2785) What's New With Version 2.5.3 Mail Processing Added support for Perfect Forward Secrecy. (BNESS-2871) "Domain Not Found" response now includes IP address. (BNESS-2817) Improved recipient verification. (BNESS-2785) Spam Accuracy Improved outbound multi-level policy processing. (BNESS-2851) Apply email chain exemptions to bulk email. (BNESS-2869) Documentation Enhanced documentation regarding encryption for domain settings and for CloudScan settings. Fixed in Version 2.5.3 Mail Processing Ability to 'pass through' known cloud archivers for outbound traffic. (BNESS-2865) Improved check for adding outbound IP addresses. (BNESS-2765) Message Log The Whitelist ALL function works as expected on the Quarantined Delivered page. (BNESS-2807) Web Interface The Domain pull-down menu now only displays when necessary. (BNESS-2766) Improved domain-level access control. (BNESS-2810, BNESS-2527) Increased limits on access to messages that were sent to the Barracuda Message Center (Encryption Service). (BNESS-2792) General web interface improvements. (BNESS-2435) Fixed rare cases in which some messages were not always listed in the user Quarantine. (BNESS-2864) What's New With Version 2.5.2 Spam Accuracy New cloud-based spam scanning engine, CloudScan, which leverages many of the spam scanning and detection techniques currently available on the Barracuda Spam Firewall appliance, including spam scoring. Improved ability to handle long email discussions. (BNESS-2754) Improved response times to TLS setting changes. (BNESS-2683) Improved handling of URL redirects. (BNESS-2381) Improved handling of MX record lookups. (BNESS-2388) Additional SPF information added to message headers. (BNESS-2711) Message Log System-wide sender block policies as put into place by Barracuda are now identified as "System Sender Policies", to distinguish them from sender block policies as configured by administrators. (BNESS-2773) Ability to submit categorization requests for previously uncategorized messages. (BNESS-2737) 7 Multiple improvements to the Message Log, including to its display and filtering capabilities. (BNESS-847, BNESS-1033, BNESS-2193, BNESS-2340, BNESS-2577, BNESS-2641, BNESS-2692, BNESS-2721) Web Interface Ability to limit synchronization of primary and linked addresses to the current domain. Takes effect starting after the new option on the Directory Services section of the DOMAINS > Domain Manager > Settings page is selected. (BNESS-1798) Ability for administrators to initiate password resets for their users. (BNESS-935) Multiple improvements to the web interface, including to the handling of entries on the Filters page. (BNESS-990, BNESS-1919, BNESS-2104, BNESS-2394, BNESS-2704, BNESS-2718, BNESS-2720, BNESS-2724, BNESS-2726, BNESS-2733, BNESS-2742, BNESS-2770) Fixed in Version 2.5.2 Bulk deletion of users works as expected. (BNESS-2735) Repaired report generation. (BNESS-2675) What's New With Version 2.5.1 Mail Processing Received headers now include TLS information, when appropriate. More detail provided for outbound message log entries when inbound side (Barracuda Email Security Service customer) blocks messages based on a DNSBL/RBL. Web Interface Improved Barracuda Message Center user experience. New outbound attachment type / extension filter. New Whitelist option in users' quarantine confirmation screen. Fixed in Version 2.5.1 Mail Processing Improved handling of duplicate emails. (BNESS-2673) Improved handling of HTTP queries during intent checks. (BNESS-2681) Fixed bug in handling of bulkmail setting. (BNESS-2682) Spam Accuracy Allow content blocks to override defer actions found earlier in intent. (BNESS-2699) Improved spam-accuracy around content intent. (BNESS-2700) Continue to look for multilevel intent block action even if there is already a Defer action for the message. (BNESS-2701) User Management Correctly display default quarantine notification interval for users. (BNESS-1836) Ensure deleting linked users when deleting primary user email addresses. (BNESS-1858) Prevent creation of users that conflict with existing linked users. (BNESS-2657) Web Interface The Check Archives option works as expected for Inbound Attachment filter. (BNESS-1329) Avoid local cache for certain web interface checks of customer DNS. (BNESS-2484) Improved user/administrator session handling. (BNESS-2641, BNESS-2702) Correct wording in Email Categories web interface elements on the INBOUND SETTINGS > Anti-spam/Antivirus page. (BNESS-2690) Message Log Improved message rendering. (BNESS-2558, BNESS-2697) Improved message log search function. (BNESS-2577) Improved Saved Searches function. (BNESS-2644) Miscellaneous More robust DNS queries. (BNESS-2569) 8 What's New With Version 2.5 Mail Processing Email Categorization. This feature gives administrators an additional way to decide what to do with various types of emails from senders on the Barracuda Reputation Whitelist. These emails are separated into different categories such as Transactional Emails, Corporate Emails, and Marketing Materials, each of which can have a different delivery action associated with it from the INBOUND SETTINGS > Anti-spam/Antivirus page. See Barracuda Reputation and Email Categorization for more details. Sender Policy Framework (SPF) Exemptions. You can exempt trusted/known IP addresses from SPF checks by clicking Add Exemption and adding the IP address(es) and associated netmask(s) to the table. Mail from these IP addresses will still be scanned for spam. Optional user notification when that user's password is changed by an account or domain admin. Saved searches now indicate the search type (inbound, outbound) Fixed in Version 2.5 Mail Processing Ability to block a message from the Message Details view. (BNESS-611) Ability to exempt IP addresses from SPF checking. (BNESS-2442) LDAP test now takes user filter into consideration. (BNESS-2618) Improvements to the Request IP Exemption feature on the OUTBOUND SETTINGS > Abuse Monitor page. (BNESS-1317) Domain Management When a domain admin manages multiple domains, the Settings page shows correct information for each domain. (BNESS-2634) Domain admins that add a new domain are automatically granted management permissions for that domain. (BNESS-1188) Message Delivery Encrypted messages now display only the message headers when viewed from the Message Log and when downloaded. (BNESS-720) Redelivery for encrypted messages is now disabled. (BNESS-2076) Delivering from a user's quarantine delivers to only that recipient. (BNESS-2589) Avoid redelivery of empty messages. (BNESS-2431) Now blocking mail with no subject and no body. (BNESS-2626) Improved detection of HTTPS URLs in multi-level intent checking. (BNESS-2632) Messages blocked due to recipient verification are now logged with action 'Blocked' and reason 'Invalid Recipient'. (BNESS-2645) Miscellaneous Find (and use) primary account if user logs in with linked account (BNESS-2637) What's New With Version 2.4.2 Web Interface Improved validation of entered data, including for incorrectly-formatted domains and other entries made via bulk edit. (BNESS-943, BNESS-2188, BNESS-2500) The USERS> User List page now includes the total number of users, displayed in Results number above the users list. (BNESS-1028) Statistics for messages classified as Bulk Email are now included in the Emails Processed by Action section of the BASIC > Status pa ge. (BNESS-2509) The Domain level Status page now only displays the information relevant to that domain. (BNESS-1086) The User column on the INBOUND SETTINGS > Sender Policies page has been renamed to Sender. (BNESS-1424) Added Quarantine Status column to USERS > Users List page for account and domain admins, indicating whether or not each user in the list receives a quarantine digest (e.g. the Quarantine Notification Interval for the user is either Daily, Weekly, Custom or Never). (BNESS-1887) The Sender Policy time stamp now reflects the Last Modified Time of that entry. (BNESS-2161) The version number at the bottom of the status page now links to this Release Notes page. (BNESS-1869) Message Log Added a Reason column to the Message Log that indicates why a message had the listed action taken with it. (BNESS-2232) A link for each domain within the Top Domains by Volume (30 days) report on the BASIC > Status page now leads to a 30-day Message Log search. (BNESS-856) Expanded contents of Exported Logs. (BNESS-1266) Quarantined items now show as yellow in the Action column. (BNESS-1760) 9 Fixed in Version 2.4.2 Improvements to multilevel intent analysis (BNESS-2533, BNESS-2573) Improved LDAP synchronization of user lists (BNESS-2563) Improved delivery of New User Welcome Emails. Improved scanning of extracted content. (BNESS-2344) Restored ability for all users to specify their own Quarantine Notification interval. (BNESS-2574) Encryption honored on explicitly allowed messages. (BNESS-2462) Addressed rare situation where mail was sent to a domain's A record entry. (BNESS-2572) Corrected display of special characters like % and + in recipient addresses in the Message Log. (BNESS-2106) Security Resolved the following vulnerabilities: High severity: Unauthenticated; remotely exploitable; account takeover; brute force [BNSEC-3196 / BNESS-2541) Medium severity: Cross-site request forgery (CSRF) [BNSEC-2339 / BNESS-2480, BNESS-2542) What's New With Version 2.4.1 Mail Processing Trusted Forwarders. Ability to specify one or more IP addresses of machines that you have set up to forward email (i.e. Trusted Forwarders) to the Barracuda Email Security Service from outside sources. The Barracuda Email Security Service exempts any IP address in this list from Rate Control, SPF checks and IP Reputation. In the Received headers, the Barracuda Email Security Service will continue looking beyond a Trusted Forwarder IP address until it encounters the first non-trusted IP address. At this point, Rate Control, SPF checks and IP Reputation checks will be applied. Configure on the INBOUND SETTINGS > IP Address Policies page. Sender Policy Framework (SPF) blocking options. When enabling SPF, you must specify one of two options: BLOCK FAIL - The SPF FAIL (also referred to as Hard Fail) response indicates that the IP address of the message sender does not match the IP address or range of IP addresses specified in the sending domain name's SPF record, and that the real owner of the domain has specifically indicated that such messages should be rejected (blocked) as spoofed. BLOCK FAIL, SOFTFAIL - The SPF SOFTFAIL response indicates that the message sender's IP address does not match the IP address or range of IP addresses specified in the sending domain name's SPF record. A SOFTFAIL means that the domain owner did not specify how such messages should be handled. Selecting this option means that messages in either the SPF SOFTFAIL or FAIL state are blocked. Improved recipient verification process. Improved spam accuracy. Web Interface The Blocked action in the Emails processed by action section of the STATUS page now includes the Bulk reason. Message Log The Date field is now included in the Message Log export file. Improved message search performance for related domains. Miscellaneous Extended medical dictionary (HIPAA) for Predefined Filters (see the OUTBOUND SETTINGS > Content Policies page). Fixed in Version 2.4.1 When the sender and recipient domain are both protected by the Barracuda Email Security Service, a blocked message from/to the same domain shows the Reason for the block only in the inbound Message Log. (BNESS-2348) On the DOMAINS > Settings page, clicking the Synchronize Now button does not product an error message if the synchronization with the specified LDAP server is successful. (BNESS-1812) What's New With Version 2.4.0 Dynamic Bulk Email Detection. Enables taking action with messages that contain anything that looks like unsubscribe links or unsubscribe instructions in the message body. Configurable on the INBOUND SETTINGS > Anti-Spam/Antivirus page. Option to create exemptions for predefined filters. See the OUTBOUND SETTINGS > Content Policies page. Ability to scan more attachment types. 10 Message Log Added time/date as a filter in Message Log. (BNESS-2407, BNESS-2445) Adjusted Action Reasons for increased clarity and consistency, as displayed in Message View details in the Message Log. (BNESS-2185, BNESS-2297) Improved rendering of messages, including those with absent or malformed content. (BNESS-2414, BNESS-2446) Downloaded messages now include X-BESS-* headers. (BNESS-2420) Improved search performance in the Message Log. (BNESS-2449) Spam Accuracy Improved detection of suspect URLs in message body. (BNESS-2443) Improved interaction between Trusted Forwarder and Sender Policy Framework (SPF). (BNESS-2459) What's New With Version 2.3.5 Mail Processing All messages going through the Barracuda Email Security Service will now be subject to a size limit of 300MB. (BNESS-1082) Enhancements to spam detection, including improved URL scanning and handling of embedded URLs. Improved support for customer domains that rely on suspect nameservers. (BNESS-2419) Improved handling of emails sent to multiple recipients of different suspect domains. (BNESS-2426) Improved outbound TLS functionality. (BNESS-2428) Search Ability to search through MIME-encoded From, To, Subject header fields (only for messages received using version 2.3.5 and later). (BNESS-2370) Administration Confirmation now required when deleting users. (BNESS-2400) "451 possible mail loop" events are now logged. (BNESS-2311) Web Interface Improved performance when displaying information for accounts with a large number of emails. (BNESS-2415) Improved display of messages encoded in UTF-8. (BNESS-2418) Filtering for aliases (on the USERS > Users List page) is no longer case sensitive. (BNESS-2434) Fixed in Version 2.3.5 Handling of emails with lines greater than 990 characters. (BNESS-2187) Whitelist function in the Users' Message Log. (BNESS-2408) What's New With Version 2.3.4 Improved Spam Accuracy Enhanced the algorithms for detecting spams in attachments, multi-level intent, and URL detection. LDAP Support Enhancements New User Filter setting in the Directory Services section of DOMAINS > Domain Settings page. This allows the administrator to better manage which accounts should be synced with the LDAP server. Administration Ability to disable notifications when adding aliases (linked addresses) to user accounts. (BNESS-2308) Miscellaneous Support for using CNAMEs in PTR records. IP addresses that resolve to a CNAME record can now be used as an outbound IP address, avoiding lack of Reverse DNS errors. (BNESS-2294) Fixed in Version 2.3.4 Enhancements 11 Message Log Improved layout for usability. (BNESS-2306) Updated the Reason filters. (BNESS-1244) Various documentation updates. (BNESS-2323, BNESS-2322, BNESS-1005) Improved font size consistency in Quarantine Notifications. (BNESS-2325) Improved deferral deduplication with multi-recipient messages. (BNESS-2355) What's New With Version 2.3.3 Message Log Long domain or email address entries do not run into the Policy column. (BNESS-1009) The Message Log properly displays large HTML-rich messages. (BNESS-2279) The Saved Searches section has been moved to the right of Advanced Filters. (BNESS-2270) Improved search performance. (BNESS-946) Improved description of multilevel/intent action reasons URL blocking for Multi-Level Intent is correctly reported. (BNESS-2295) Quarantine Notifications Improved rendering of non-English text in Subject and From fields. Quarantine Notifications render character encodings as expected. (BNESS-1036), (BNESS-1767) Fixed in Version 2.3.3 Enhancements Length of domain names is now limited. (BNESS-1126) When a domain administrator adds a new domain, it is immediately visible in the domain administrator's view. (BNESS-1188) Fixes: Count for graph Emails processed in the last 30 days no longer repeat when the range is 0k - 3k. (BNESS-1026) Email notification to alias (Linked) address is no longer blocked when UnManaged Users are set to BLOCK. (BNESS-1098) One alias email address cannot be linked to multiple BESS users. (BNESS-2194) The Return to Previous Page link in the Printable View works as expected. (BNESS-2272) Destination server priority defaults to the current priority instead of 10. (BNESS-2293) Selecting (No Content) messages and clicking the SPAM button works as expected. (BNESS-2296) Clicking the SPAM button for a selected message does not show the message as Delivered in the Message Log. (BNESS-2305) Trying to deliver a blocked message changes the Delivery Status in the Message Log list and in the Message Details page as expected. (BNESS-2315) Immediate notification in web interface if an IP address the admin enters is on the BRBL. (BNESS-2206) Message Content Filter matching attachments works as expected for PDFs. (BNESS-2115) Predefined Filtering blocks PDF attachments containing a valid credit card number, as expected. (BNESS-2170) LDAP syncing of user names works as expected, preventing incorrect blocking of legitimate users when UnManaged Users is set to BLOCK. (BNESS-2286) When a message includes a domain which indicates suspicious intent, then Multi-Level Intent correctly defers the message instead of blocking it. (BNESS-2300) The IP address owner is correctly identified when applying outbound rate control. (BNESS-2317) What's New With Version 2.3.2 Enhancements to the Message Log functionality including: Sender's email address is now displayed in the From column instead of display name. (BNESS-2212) Resizable columns. (BNESS-1825) Message preview pane, which can be configured for location on the screen or can be turned off. Double clicking on a message now opens a new web page. Ability to edit Mail Server configuration. (BNESS-1856) Ability to define action (Defer, Block, Quarantine, or No Action) on Multi-Level Intent scanning from the INBOUND SETTINGS > Anti-Spam/Antivirus page. (BNESS-2247) Ability to print Message Log & Help screens. (BNESS-2251) Support for multiple Barracuda Cloud Control accounts. (BNESS-2264) 12 Fixed in Version 2.3.2 Ensure duplicate entries are not being created (BNESS-987) E Email addresses that have underscores work as expected. (BNESS-2216) Ensure rate control is applied even to trusted forwarders. (BNESS-2215) PTR records are cached correctly. (BNESS-2143) Getting Started In this Section Step 1 - How the Service Works Step 2 - Initial Service Setup Step 3 - Configure Outbound Mail Scanning Step 4 - Tune and Monitor the Default Spam and Virus Settings How to Migrate Your MailFoundry Account Understanding Inbound and Outbound Message Flow Related Articles How to Configure Google Apps for Inbound and Outbound Mail How to Configure Office 365 for Inbound and Outbound Mail Step 1 - How the Service Works The Barracuda Email Security Service is a pass-through service, accepting connections from a mail server, getting the initial "rcpt to" line and connecting to the destination mail server. The service then monitors the data stream for any spam or virus content and applies policies you configure in the web interface. Barracuda recommends understanding the concepts described in this article before customizing the Barracuda Email Security Service. Connection Management Layers Connection Management layers identify and block unwanted email messages before accepting the message body for further processing. For the average small or medium organization, you can block more than half of the total email volume using Connection Management techniques. Extremely large Internet Service Providers (ISPs) or even small web hosts, while under attack, may observe block rates at the Connection Management layers exceeding 99 percent of total email volume. Denial of Service Protection The Barracuda Email Security Service receives inbound email on behalf of the organization, insulating your organization's mail server from receiving direct Internet connections and associated threats. This layer does not apply to outbound mail. Rate Control Automated spam software can be used to send large amounts of email to a single mail server. To protect the email infrastructure from these flood-based attacks, the Barracuda Email Security Service counts the number of recipients from a sender to a domain during a 30 minute interval and defers the connections once a particular threshold is exceeded. Inbound Rate Control is a threshold for the number of recipients a domain is willing to receive from a sender (a single IP address) during a 30 minute interval. Inbound Rate Control is configurable while Outbound Rate Control is set automatically by the Barracuda Email Security Service. IP Analysis After applying rate controls based on IP address, the Barracuda Email Security Service performs analysis on the IP address of email based on the following: 13 Barracuda Reputation – Leverages data on network addresses and domain names collected from spam traps and throughout other systems on the Internet. The sending histories associated with the IP addresses of all sending mail servers are analyzed to determine the likelihood of legitimate messages arriving from those addresses. Incoming connection IP addresses are compared to the Barracuda Reputation list, if enabled, and connections from suspicious senders are dropped. External blocklists – Also known as real-time blocklists (RBLs) or DNS blocklists (DNSBLs). Several organizations maintain external blocklists of known spammers. Allowed and blocked IP address lists – Customer-defined policy for allowed and blocked IP addresses. By listing trusted mail servers by IP address, administrators can avoid spam scanning good email, reducing processing requirements and eliminating the chance of false positives. Likewise, administrators can define a list of bad email senders for blocking. In some cases, it may be necessary to use the IP blocklists to restrict specific mail servers as a matter of policy rather than as a matter of spam protection. Sender Authentication Declaring an invalid "from" address is a common practice used by spammers. The Barracuda Email Security Service Sender Authentication layer uses a number of techniques on inbound mail to both validate the sender of an email message and apply policy. Sender Policy Framework (SPF) tracks sender authentication by having domains publish reverse MX records to display which machines are designated as mail sending machines for that domain. The recipient can check those records to make sure mail is coming from a designated sending machine. Mail Scanning Layers Virus Scanning The most basic level of mail scanning is virus scanning. The Barracuda Email Security Service utilizes three layers of virus scanning and automatically decompresses archives for comprehensive protection. By utilizing virus definitions, Barracuda Email Security Service customers receive the best and most comprehensive virus and malware protection available. The three layers of virus scanning of inbound and outbound mail include: Powerful open source virus definitions from the open source community help monitor and block the latest virus threats. Proprietary virus definitions, gathered and maintained by Barracuda Central, our advanced 24/7 security operations center that works to continuously monitor and block the latest Internet threats. Barracuda Real-Time System (BRTS). This feature provides fingerprint analysis, virus protection and intent analysis. When enabled, any new virus or spam outbreak can be stopped in real-time for industry-leading response times to email-borne threats. BRTS allows customers to report virus and spam propagation activity at an early stage to Barracuda Central. Virus Scanning takes precedence over all other mail scanning techniques and is applied even when mail passes through the Connection Management layers. As such, even email coming from exempt IP addresses, sender domains, sender email addresses, or recipients are still scanned for viruses and quarantined if a virus is detected. Additionally, Barracuda offers the subscription-based Advanced Threat Detection (ATD) service, a cloud-based virus service that applies to inbound messages. ATD analyzes email attachments in a separate secured cloud environment to detect new threats and determine whether to block such messages. Barracuda Antivirus Supercomputing Grid An additional, patent-pending layer of virus protection offered by the Barracuda Email Security Service is the Barracuda Antivirus Supercomputing Grid, which can protect your network from polymorphic viruses. Not only does it detect new outbreaks similar to known viruses, it also identifies new threats for which signatures have never existed using "premonition" technology. Intent Analysis All spam messages have an "intent" – to get a user to reply to an email, to visit a website, or to call a phone number. Intent analysis involves researching email addresses, web links and phone numbers embedded in email messages to determine whether they are associated with legitimate entities. Frequently, Intent Analysis is the defense layer that catches phishing attacks. When enabled, the Barracuda Email Security Service applies various forms of Intent Analysis to both inbound and outbound mail, including real-time and multi-level intent (or 'content') analysis. Multi-level intent is the process of identifying URLs in an email message body that redirect to known spam or malware sites. Advanced Spam Detection You can configure spam detection for custom categories by setting a content type score. This score ranges from 0 (definitely not spam) to 10 (definitely spam). Based on this score, the Barracuda Email Security Service blocks messages that appear to be spam. These messages display in the user's Message Log with the category responsible for the block. Predictive Sender Profiling 14 When spammers try to hide their identities, the Barracuda Email Security Service can use Predictive Sender Profiling to identify behavior of all senders and reject connections and/or messages from spammers. This involves looking beyond the reputation of the apparent sender of a message, just like a bank needs to look beyond the reputation of a valid credit card holder of a card that is lost or stolen and used for fraud. Some examples of spammer behavior that attempts to hide behind a valid domain, and the Barracuda Email Security Service features that address them, include the following: Sending too many emails from a single network address – Automated spam software can be used to send large amounts of email from a single mail server. Through Rate Control the Barracuda Email Security Service limits the number of connections made from any IP address within a 30 minute time period. Violations are logged to identify spammers. Inbound Rate Control is configurable while Outbound rate control is set automatically by the Barracuda Email Security Service. Attempting to send to too many invalid recipients – Many spammers attack email infrastructures by harvesting email addresses. Recipient Verification on the Barracuda Email Security Service allows the system to automatically reject SMTP connection attempts from email senders that attempt to send to too many invalid recipients, a behavior indicative of directory harvest or dictionary attacks. Registering new domains for spam campaigns – Because registering new domain names is fast and inexpensive, many spammers switch domain names used in a campaign and send blast emails on the first day of domain registration. Realtime Intent Analysis on the Barracuda Email Security Service is typically used for new domain names and involves performing DNS lookups and comparing DNS configuration of new domains against the DNS configurations of known spammer domains. Using free Internet services to redirect to known spam domains – Use of free websites to redirect to known spammer websites is a growing practice used by spammers to hide or obfuscate their identity from mail scanning techniques such as Intent Analysis. With Multi-level Intent Analysis, the Barracuda Email Security Service inspects the results of web queries to URIs of well-known free websites for redirections to known spammer sites. Notifications The Barracuda Email Security Service sends out two kinds of notifications: Quarantine Digest – For email recipients listed in the Barracuda Email Security Service database, a notification email containing a summary of quarantined email is sent to their email address at an interval you specify for users. Attachment Blocking for Content – A notification is sent to the message sender when it is blocked due to attachment content filtering. Monitored Outbound Email Volume The Barracuda Email Security Service monitors the volume of outbound email from the system to the Internet. If the volume exceeds normal thresholds during any given 30 minute interval, the Rate Control function will take effect, causing all outbound mail to be deferred until the end of the 30 minute time frame. The outbound mail flow then continues unless the volume is exceeded again in the next 30 minute interval. If so, Rate Control is again triggered and outbound mail is deferred until the end of the time frame. The allowable volume of outbound mail for an IP address can potentially be increased if the user clicks Request Increased Limit on the OUTBOUND Settings > Abuse Monitor page. The request is reviewed by Barracuda Networks to determine whether to increase the limit on the rate of outbound mail. If this situation occurs frequently for a particular sending IP address, that IP address is listed in the OUTBOUND Settings > Abuse Monitor page in the IP Addresses With Recent Abuse table. Continue with Step 2 - Initial Service Setup. Step 2 - Initial Service Setup The Barracuda Email Security Service connects with your network from various IP addresses, including performing LDAP lookups. To ensure that the service can connect with your network, Allow traffic originating from the IP range 64.235.144.0/20 Block all port 25 traffic except for that originating from the IP range 64.235.144.0/20 Where relevant, verify your network subnet is granted access to your mail server ACL and LDAP server Before you can connect the Barracuda Email Security Service to Barracuda Cloud Control, you must first create an account: 1. 2. 3. 4. If you do not have a Barracuda Cloud Control account, go to https://login.barracudanetworks.com/ and click Create a user. Enter your name, email address, and company name, and specify whether this is a partner account. Click Create User. Follow the instructions emailed to the entered email account to log in and create your Barracuda Cloud Control account. After submitting your new account information, the Account page displays your account name, associated privileges, and username. If you have a Barracuda Cloud Control account: 1. Go to https://login.barracudanetworks.com/ and enter your Barracuda Cloud Control credentials. 2. 15 2. 3. 4. 5. Click Email Security in the left pane, click Start Email Security setup, and follow the onscreen steps to get started. Enter your credit card and billing information, and click Place Order. An email confirmation is sent to the address of record. Once the setup process is complete, click Launch Barracuda Cloud Control. You are redirected to Barracuda Cloud Control. Step 1. Ensure Connectivity and Redundancy Open your firewall ports to allow the IP address range 64.235.144.0/20 Where relevant, verify your network subnet is granted access in the ACL on your mail server (and LDAP server, for that matter) Block all port 25 traffic except for that originating from the Barracuda Email Security Service IP address range 64.235.144.0/20 Step 2. Launch the Barracuda Email Security Service Setup Wizard 1. In the login screen, enter your Barracuda Cloud Control credentials, and click Sign In. 2. The Barracuda Email Security Service Dashboard displays. Click the Wizard link at the top of the page to use the setup wizard. Alternatively, you can click the Domains tab to use the web interface to manually configure domains and settings. 3. In the Setup Wizard, click Get Started. The Specify Primary Email Domain page displays. Enter the primary email domain you want to filter, for example: cudaware.com 4. Click Next. The Specify Email Servers page displays. Enter the mail server hostname (FQDN) or IP address for the domain entered in the previous step, for example: cudaware-com.mail.protection.outlook.com If the Barracuda Email Security Service Setup wizard has already identified your mail server IP based on the MX record, the M ail Server field pre-populates. 5. Click Add. Enter an email address to test the server configuration, and click Test All Mail Servers. 6. Once the mail server is verified, the Verified ( ) icon displays in the status column and a confirmation message displays at the top of the page. 7. Click Next. The Configure Settings page displays. Select from the following options: a. Virus Protection – Set to On to direct the Barracuda Email Security Service to detect and block viruses on inbound email. b. Spam Protection – Set to On to direct the Barracuda Email Security Service to evaluate inbound mail for spam based on a score assigned to each processed message. When set to Off inbound mail is not scanned for spam. c. Spam Scoring – Set Spam Protection to On to enable Spam Scoring. Scoring ranges from 1 (definitely not spam) to 10 (definitely spam). Setting a score of '1' blocks most legitimate messages while setting a score of '10' allows more messages through the system. Based on this score the Barracuda Email Security Service blocks messages that appear to be spam and logs these messages in the user's Message Log with Score as the reason for the block. The following features, configured on the INBOUND SETTINGS > Anti-Spam/Antivirus page, are enabled when Spa m Protection is set to On: • Barracuda Reputation Block List (BRBL) – Database of IP addresses manually verified to be a noted source of spam. • Barracuda Real-Time System (BRTS) – Advanced service to detect zero-hour spam and virus outbreaks even where traditional heuristics and signatures to detect such messages do not yet exist. • Sender Policy Framework (SPF) – Block Fail is disabled. • Barracuda Anti-Fraud Intelligence – Barracuda Networks anti-phishing detection which uses a special Bayesian database for detecting Phishing scams. • Intent Analysis – Blocking based on intent analysis. • CloudScan Scoring – A cloud-based spam scanning engine which assigns a score to each message processed ranging from 0 (definitely not spam) to 10 (definitely spam). 8. Click Next. The Route Email Through Barracuda page displays. 9. To verify your domain, replace your current MX records with the Barracuda Email Security Service Primary and Backup MX records displayed on the page. During the evaluation period, to complete the verification process but allow your legitimate mail to continue using your current mail server, you can add the MX records with a low priority, for example, 99. Some mail may appear in the Message Log after making this MX record change as spammers routinely send mail to all MX 16 records for a domain. Once you have made the change to your MX records, return to the Route Email Through Barracuda page and click Verify MX Records. The Barracuda Email Security Service should see the changes made and verify your domain. If the domain does not verify correctly, verify that your MX changes are live. You can do this by using the following sites that return your MX information: http://mxtoolbox.com/ https://toolbox.googleapps.com/apps/dig/ (select the MX option) If your domain's MX records do not display in the Barracuda Email Security Service MX records, you must wait until they display before your domain can be verified. 10. If you only want to route your inbound mail through the Barracuda Email Security Service and not your outbound mail, select I do not want to route my e-mail through Barracuda at this time , and select the verification option: a. CNAME Records – To use the CNAME records method to verify the domain ownership: i. Log in to your DNS Server and, under this domain, create a subdomain whose name is created by concatenating 'barracuda' and the CNAME token shown in the Route Email Through Barracuda page. For example: barracuda30929916985.corpdomain.com ii. Point the CNAME record of that subdomain to ess.barracuda.com Allow the DNS propagation to take effect before proceeding. iii. Click Confirm Validation in the Route Email Through Barracuda page. b. Email to Postmaster – This method sends a verification email to the postmaster email address for your domain. The confirmation email includes a link that the recipient must click to verify the domain. Click Send Email. c. Email to Technical Contact – This method sends a verification email to the technical contact email address, if it exists, listed on your domain's WHOIS entry. This verification option is not available if the Barracuda Email Security Service cannot find your domain's WHOIS entry. Click Send Email. If there is not a technical contact, only the MX Records and Email to the Postmaster options display on this page. 11. Click Next. 12. The Confirmation page displays. Confirm domain ownership, and then click Done. Important If you have Sender Policy Framework (SPF) checking enabled on your mail server or network, it is critical when using the Barracuda Email Security Service that you either disable SPF checking in the service OR add the Barracuda Email Security Service IP range 64.235.144.0/20 to your SPF exemptions. If this is not done, your SPF checker will block mail from domains with an SPF record set to B lock. This is because the mail will be coming from a Barracuda Email Security Service IP address which is not in the sender's SPF record. For more information about SPF, see Sender Authentication. Step 3. Set Up User Accounts You can add users manually or use LDAP authentication to automatically synchronize the Barracuda Email Security Service with your LDAP server. To create a few test accounts during the evaluation period, use the Manually Add Users steps below. Decide how you want to use quarantine: Global quarantine – When selected, the administrator monitors the Message Log for quarantined mail and decides whether or not it is spam. Per-user quarantine – When selected, users have quarantine accounts and can decide whether or not mail is spam. Set up several users for the evaluation and test the results. This option requires more initial effort to set up user accounts, possibly with sync to your LDAP server, but less work for the administrator over time since users manage their quarantined mail. Quarantine Type Create User Accounts Manages Quarantine? User can Create Sender Exempt/Blocklist Global No Admin No Per-user Yes User Yes 1. If you select Global quarantine, there is no need to create user accounts. 2. If you select Per-user quarantine, then from the USERS > Add/Update Users page manually add a few test accounts, and set Enable 17 2. User Quarantine to Yes. The first time the Barracuda Email Security Service receives an email for that user and the message is quarantined, the user receives a quarantine notification email at the scheduled quarantine notification interval. Depending on how you configure the quarantine notification interval on the USERS > Quarantine Notification page, the user receives a quarantine digest at a specified time. LDAP Synchronization Click to set up LDAP authentication... Automatically create user accounts for all users in the domain based on your LDAP directory. Important The Barracuda Email Security Service connects with your network from various IP addresses, including performing LDAP lookups. To ensure that the service can connect with your network, allow traffic originating from this range of network addresses: 64.235.144.0/20 1. Click DOMAINS, and click Settings in the Actions column for the desired domain. 2. In the DOMAINS > Domain Settings page, scroll to the Directory Services section, and enter your LDAP settings: a. LDAP Host – LDAP lookup server. If this setting is a hostname, and is contained in multiple A records, or multiple space-separated hosts are provided, then fail-over capabilities will be available if the Barracuda Email Security Service is unable to connect to one of the machines listed here. b. Port – Port used to connect to the LDAP service on the specified LDAP server. Typically port 389 is used for regular LDAP and LDAP using the STARTTLS mode for privacy. Port 636 is assigned to the LDAP over SSL/TLS (LDAPS) service. c. Use SSL (LDAPS) – By default, LDAP traffic is transmitted unsecured. Set to Yes to use Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology to make LDAP traffic confidential and secure. d. Bind DN/Username – Username used to connect to the LDAP service on the specified LDAP server. If of the form accountn [email protected], the username is transformed into a proper LDAP bind DN when accessing the LDAP server, for example, CN=accountname,CN=users,DC=domain,DC=com. Sometimes the default transformation does not generate a proper bind DN. In such cases, you must enter a fully formed and valid bind DN. e. Bind Password – Password used to connect to the LDAP service on the specified LDAP server. f. Base DN – Base DN directory. This is the starting search point in the LDAP tree. The default value looks up the defaultNamingContext top-level attribute and uses it as the search base. For example, if your domain is test.com and your Base DN is dc=test,dc=com. g. Authentication Filter – Filter used to look up an email address and determine if it is valid for this domain. The filter consists of a series of attributes that might contain the email address. If the email address is found in any of those attributes, then the account is valid and is allowed by the Barracuda Email Security Service. h. User Filter – Filter used to limit the accounts that the Barracuda Email Security Service creates when an LDAP query is made. For example, limit the LDAP synchronization to users in sub-domains using the mail= parameter, or synchronize user-objects in a specific organizational unit (OU) using the ou= parameter. Each type of LDAP server has specific query syntax, so consult the documentation for your LDAP server. See the Microsoft TechNet article LDAP Query Basics for LDAP query syntax and examples. Example: The list of valid users in your directory server includes 'User1', 'User2', 'User3', 'BJones', 'RWong', and 'JDoe', and you create the User Filter (name=*User*). In this case, the service only creates accounts for 'User1', 'User2', and 'User3'. i. Custom User Filter – Set to Yes to limit newly synchronized email users and linked email users to this one domain. j. Mail Attributes – Attribute in your LDAP directory that contains the user's email address. k. Testing Email Address – Valid email address for use in testing LDAP settings. When left blank, LDAP settings are only tested for connection. l. Synchronize Automatically – Set to Yes to automatically synchronize your LDAP users to the Barracuda Email Security Service database on a regular basis for recipient verification. With Microsoft Exchange server, the synchronization is incremental. When set to No, you must click Synchronize Now at the top of the section to manually synchronize your LDAP users to the Barracuda Email Security Service database. m. Use LDAP for Authentication – Set to Yes to enable LDAP for user login authentication. Set to No if your LDAP server will be unavailable for a period of time. 3. In the Advanced Configurations section, set Sender Rewriting Scheme (SRS) to On to direct the Barracuda Email Security Service to rewrite the Envelope FROM address of inbound messages so that they appear to come from Barracuda Networks rather than the original sender. This is useful if you are using a hosted email service that cannot turn off Sender Policy Framework (SPF) checking. For more information, see Sender Policy Framework. 4. Click Save Changes. The first time the Barracuda Email Security Service receives a Not Allowed email for a valid user, the service does the following: 18 Uses the email address of the recipient as the username of the account and auto-generates a password. If Use LDAP for Authentication is set to No on the DOMAINS > Domain Settings page, the user receives an email with the login information so they can access their quarantine account, otherwise, the user can use single sign-on via LDAP lookup. Places the quarantined message in the account holder’s quarantine inbox. Sends a quarantine summary report to the account holder at the specified notification interval, as set on the USERS > Quarantine Notification page. If Allow users to specify interval is set to Yes on this page, then the quarantine summary report is sent to the user on the schedule specified on the SETTINGS > Quarantine Notification page once they log into their account. The default is Daily. Manually Add Users Click to manually add users... 1. Go to USERS > Add/Update Users. 2. In the User Accounts field, enter each user email address for the domain on a separate line, and then select from the following options: a. Enable User Quarantine – All emails for the user which meet the configured block policy go to the user's quarantine account. Depending on how you have configured the quarantine notification interval on the USERS > Quarantine Notification page, the user receives a quarantine digest at a specified time. From the USERS > Quarantine Notification page you can also allow the user to set their own quarantine notification interval. b. Notify New Users – When set to Yes, users receive a welcome email when the account is created. 3. Click Save Changes. The users are added to the USERS > Users List table where you can select from the following actions: a. Edit – Click to specify domains this user can manage. b. Reset – Click to send the user an email with instructions on how to reset their account password. c. Log in as this user – Click to view or change the user's settings (for example, quarantine notifications), view/manage the domains this user manages, and view/search/manage the user's Message Log. d. Delete – Click to remove the user account. The first time the Barracuda Email Security Service receives an Allowed email for a non-existent user at a domain configured for the service, if that same recipient receives a second email within six days, a new user account is created. This method of new account creation does not use LDAP lookup, and the user receives an email from the Barracuda Email Security Service with their login information so they can access their quarantine account. Continue with Step 3 - Configure Outbound Mail Scanning. How to Create User Accounts Local User Accounts From the USERS > User List page you can manually add, update, or delete local user accounts in the Barracuda Email Security Service if you are not using LDAP, or if you just want to create a few test accounts. The first time the Barracuda Email Security Service receives an email for that user and the message is quarantined, and if Enable User Quarantine is set to Yes on the USERS > Add/Update Users page, the user receives a quarantine notification email at the scheduled quarantine notification interval. Depending on how you configure the quarantine notification interval on the USERS > Quarantine Notification page, the user receives a quarantine digest at a specified time. From the USERS > Quarantine Notification page you can also allow the user to set their own q uarantine notification interval. If Notify New Users is set to Yes on the USERS > Add/Update Users page, the user receives a welcome email when the account is created. The welcome email is only sent to a user when an account is manually created. LDAP Accounts Automatically create user accounts for all users in the domain based on your LDAP directory. This allows the Barracuda Email Security Service to 19 validate the receiving email address of a message against your LDAP server before creating an account. See How to Configure Recipient Verification Using LDAP for details. Once configured, if Synchronize Automatically is set to Yes on the DOMAINS > Domain Settings page, th e user list is synchronized with your LDAP server on a regular basis. The first time the Barracuda Email Security Service receives a Not Allowed email for a valid user, the service does the following: 1. Uses the email address of the recipient as the username of the account and auto-generates a password. If Use LDAP for Authentication is set to No on the DOMAINS > Domain Settings page, the user receives an email with the login information so they can access their quarantine account. Otherwise the user must use single sign-on via LDAP lookup. 2. Places the quarantined message in the account holder’s quarantine inbox. 3. Sends a quarantine summary report to the account holder at the specified notification interval, as set on the USERS > Quarantine Notification page. If Allow users to specify interval is set to Yes on this page, then the quarantine summary report is sent to the user on the schedule specified on the SETTINGS > Quarantine Notification page once they log into their account. Default is Daily. The first time the Barracuda Email Security Service receives an Allowed email for a nonexistent user at a domain configured for the service, if that same recipient receives a second email 1-6 days later, a new user account is created. This method of new account creation does not use LDAP lookup, and the user receives an email from the Barracuda Email Security Service with their login information so they can access their quarantine account. How to Validate Your Domain Before you can route mail for your domain through the Barracuda Email Security Service, you must verify ownership of the domain. If you didn't already do this through the Setup wizard, see the DOMAINS page and click on Verify in the Status column next to your domain. Choose one of the following methods for ownership verification. MX Records See How to Set Up MX Records for Domain Verification. Additional Verification Options If you only want to route your inbound mail through the Barracuda Email Security Service and not your outbound mail, select I do not want to route my e-mail through Barracuda at this time, and then select the verification method: CNAME Validation Email to the Postmaster Email to Technical Contact CNAME Validation You must have access to your DNS server to use this verification method. 1. To use the CNAME records method to verify the domain ownership, log in to your DNS Server and, under this domain, create a subdomain whose name is created by concatenating 'barracuda' and the CNAME token shown in the Route Email Through Barracuda page. For example: barracuda30929916985.mydomain.com 2. Point the CNAME record of that subdomain to ess.barracuda.com Allow the DNS propagation to take effect before proceeding. 3. Click Confirm Validation in the Route Email Through Barracuda page. Email to the Postmaster This method sends a verification email to the postmaster email address for your domain. The confirmation email includes a link that the recipient must click to verify the domain. Email to Technical Contact This method sends a verification email to the technical contact email address, if it exists, listed on your domain's WHOIS entry. This verification option is not available if the Barracuda Email Security Service cannot find your domain's WHOIS entry. If there is not a technical contact, then only the MX Records and Email to the Postmaster options displays on this page. 20 How to Set Up MX Records for Domain Verification Begin by adding each domain for which you want the Barracuda Email Security Service to filter email on the DOMAINS page. Each of the domains must be verified by the Barracuda Email Security Service for proof of ownership. After adding a domain, the DOMAINS > Domain Verification page will prompt you to select one of three ways to verify the domain ownership. To use the MX Records method: 1. Click the (Verify) link for your newly added domain on the DOMAINS page. 2. Click the radio button for the MX records. 3. Replace your current MX records with the BESS MX records displayed on the verify page. NOTE: If you want to first test the Barracuda Email Security Service, or you just want to be careful moving your mail to the Barracuda service, then just ADD the MX records with a LOW priority (99 for example). This will allow you to complete the verification process, but your legitimate mail will still use your current mail server. For example: mydomain.com. 21600 IN MX 10 mailserver1.mydomain.com. mydomain.com. 21600 IN MX 15 mailserver2.mydomain.com. mydomain.com. 21600 IN MX 99 xxxxxxx.ess.barracudanetworks.com. mydomain.com. 21600 IN MX 99 xxxxxxx.ess.barracudanetworks.com. It is possible that you may see some mail in the Message Log after making this MX record change. This is because spammers routinely send mail to all MX records for a domain. Once you have made the change to your MX records, return to the verification page in the Barracuda Email Security Service and click Next. The Barracuda Email Security Service should see the changes made and verify your domain. If the domain does not verify correctly, please check that your MX changes are live. You can do this by using the following sites that return your MX information: http://mxtoolbox.com/ https://toolbox.googleapps.com/apps/dig/ (select the MX option) If your domain's MX records are not yet showing the Barracuda Email Security Service MX records, then you will need to wait until they do before your domain can be verified. To view the MX record configuration or mail statistics for a verified domain, click the Settings link in the table for your domain on the Domains Manager page. Step 3 - Configure Outbound Mail Scanning Important Before using the Barracuda Email Security Service outbound filter, go to http://barracudacentral.org/lookups and verify that your outbound IP address is not on the Barracuda Reputation list. If it is present on the list, contact Barracuda Technical Support and request removal before using the outbound service. You can configure the Barracuda Email Security Service to simultaneously scan both inbound and outbound mail. Use the steps in this article to enable outbound mail spam and virus scanning. Step 1. Add Valid Sender IP Address Ranges 1. Log in to the Barracuda Email Security Service, and go to OUTBOUND SETTINGS > Sender IP Address Ranges. 2. Enter the IP Address and Domain Name (logging domain) and optional Comment for IP address ranges allowed to send outgoing email from your domains, and click Add. Note that each mail server must contain a reverse DNS PTR record. Add all IP addresses from which outgoing mail is allowed to flow through the Barracuda Email Security Service. The Logging Domain is the domain name that appears in the Message Log as the sending domain for the associated IP address. 21 Important To assure Barracuda Networks is the authorized sending mail service for outbound mail recipients, review your domain's Sender Policy Framework (SPF) record. SPF is an open standard specifying a method to prevent sender address forgery. See Sender Authentication f or more information. If you have an SPF record set up for your domain, edit the existing record and add the following to the INCLUDE lin e for each domain sending outbound mail: include:spf.ess.barracudanetworks.com If you do not have an SPF record set up for your domain, use the following value to create a TXT record that creates a SOFTFAIL SPF for your domain: v=spf1 include:spf.ess.barracudanetworks.com ~all Step 2. Configure Your Mail Server or Smart Host Complete the following steps for each domain from which you are relaying outbound mail: 1. Log in to the Barracuda Email Security Service, and go to DOMAINS > Domain Manager. 2. Note the Outbound Hostname for the domain that is to relay outbound mail. 3. Specify this value in your mail mail server or smart host. Step 3. Verify Mail is Flowing 1. Log in to the Barracuda Email Security Service. 2. In the DASHBOARD page verify inbound and outbound messages are being logged for the selected domain. You can also click MESSAGE LOG to view inbound and outbound email traffic. Use the filters to refine your search. See The Message Log for more information on message filtering. Table 1. Outbound Mail Settings. Feature Description Related Articles Outbound Mail Scanning Outbound Quarantine All messages routed through the Barracuda Email Security Service are subject to a 300MB size limit. This includes all headers, body, and attached content. Outbound mail scanning includes: Spam Scanning with Block or Quarantine actions Virus Scanning IP Address Filtering Sender Domain, Username or Email Address Filtering Recipient Email Address Filtering Content Filtering (Subject, Header and Body) with Block, Allow, Encrypt, or Quarantine actions Attachment Filtering Intent Analysis The following tools are not applied to outbound mail: IP Reputation, a sender authentication mechanism Sender Policy Framework (SPF), a sender authentication mechanism DomainKeys (DKIM) inspection Exempt/blocklist 22 Outbound Mail Encryption To prevent data leakage and ensure compliance with financial, healthcare, and other federally regulated agency information policies, you can require all email sent from any or all configured domains to be encrypted by configuring outbound mail encryption policies on the OUTBOUND SETTINGS > Content Policies page at the domain level. How to Use DLP and Encryption of Outbound Mail Secured Message Transmission Inbound and outbound email transmission can also be required over a TLS channel. Outbound Message Footer You can configure Barracuda Email Security Service to append a custom text and/or html footer to each outbound message at the global level on the OUTBOUND SETTINGS > Tagline/Footer page. Continue with Step 4 - Tune and Monitor the Default Spam and Virus Settings. Step 4 - Tune and Monitor the Default Spam and Virus Settings Once email is flowing through the Barracuda Email Security Service, use the MESSAGE LOG page to see which messages are being blocked or quarantined and for what reasons based on the current Barracuda Email Security Service settings. Click on a message in the Message Log to view message details including the action and reason if the message was blocked or quarantined. See The Message Log for more information. Per-Domain Management Configure specific settings, including spam and virus settings, policies for inbound and outbound mail, and quarantine settings for each domain you add to the service by drilling down via the DOMAINS > Domain Manager page. Click the Manage link for the domain you want to configure using the same feature configuration pages available at the global level for the domain. For example, you can turn off virus scanning for a domain that is internal and already protected by an anti-virus solution or customize content and attachment filtering policies for each domain based on the type of email you expect to be flowing to and from the domains. Important When you click the Manage link on the DOMAINS > Domain Manager page, the settings you change apply to that domain specifically and override global settings for that domain. Click the Return to account management link above the feature configuration pages to return to the global domain management. Basic Spam and Virus Checking By default, virus scanning is enabled in the Barracuda Email Security Service and the system checks for definition updates on a regular basis (hourly by default). Virus scanning takes precedence over all other mail scanning techniques; email coming from exempt IP addresses, sender domains, sender email addresses, or recipients is scanned for viruses and blocked if a virus is detected. Advanced Threat Detection In addition to basic virus scanning, you can select to subscribe to the Barracuda Advanced Threat Detection (ATD) service. ATD is a cloud-based virus scanning service that applies to inbound messages, analyzing email attachments in a separate, secured cloud environment to detect new threats and determine whether to block such messages. See Advanced Threat Detection Configuration. Use the INBOUND SETTING > Anti-Spam/Antivirus page to enable or disable virus checking. If you enable Use Barracuda Real-Time System on the INBOUND SETTINGS > Anti-Spam/Antivirus page, the Barracuda Email Security Service checks unrecognized spam and virus fingerprints against the latest virus threats logged at Barracuda Central. Use the INBOUND SETTINGS > Anti-Spam/Antivirus page to enable or disable spam filtering mechanisms and set scoring for spam categories. See Advanced Inbound Email Filtering Policy to determine settings based on the needs of your organization. Once you change the settings, use the DASHBOARD and MESSAGE LOG pages to monitor and tune your configuration. 23 View Email Statistics The DASHBOARD page provides an email statistics overview for inbound and outbound mail traffic protected by the Barracuda Email Security Service including: A graph of the geographic origins of threats detected by the Barracuda Email Security Service Email statistics of the number of inbound and outbound messages blocked, allowed, and quarantined for the selected time period, either the Last 24 Hours or Last 30 Days Top domains for which mail has been processed by the system Top blocked domains, recipients, and senders for the selected time period Click the Help ( ) icon on the DASHBOARD page for more information. Each time you log into the Barracuda Email Security Service, the DASHBOARD page displays. If you have added domains which are not yet verified by the service, a warning message displays at the top of the page. Click on the link to complete the verification process for the domain. How to Migrate Your MailFoundry Account This article lists the steps needed to finish the migration of your mailfoundry email account to the Barracuda Email Security Service. The following steps have already been completed for your account migration: 1. Barracuda has migrated configuration information from your mailfoundry account. 2. Barracuda has created an administrator account for your organization in the Barracuda Email Security Service. You will have a chance to reset the password for this account. You should have received an email from Barracuda outlining the high level steps. Follow the steps below to finish migrating your account to the Barracuda Email Security Service. Step 1. Log in as Administrator This step ensures you have administrator level access to your account. 1. Click the link sent to you in an email from Barracuda. The subject of the email is Mailfoundry to Barracuda Email Security Service migration. The login page displays: 2. Click Request Password. A new password is sent to the email address on file. 3. When you receive the email, click on the link in the email to reset the password. 4. Enter a new secure password. Remember that this is the password for your administrator account. For security, do not share this password with anyone. 5. Once you are logged in with the new password, click Email Security in the left navigation bar. The Dashboard page displays and you are logged into the Barracuda Email Security Service as administrator: 24 Step 2. Verify Domains and Configuration 1. Click the Domains tab. The Domains Manager page displays: 2. Confirm each of your domains is listed here. 3. Double check that the IP address of the Mail Server for each host is correct. If it is not correct for any domain, click Settings for that domain to make modifications: 4. Verify the IP address for the mail server for the domain. Click Save Changes. Connectivity from Barracuda Email Security Service to the mail server is verified in a separate step. 5. For each of the domains, click Manage, one domain at a time. 6. For each domain, verify all settings on the INBOUND SETTINGS pages are correct for each sub-tab: Anti-Spam/Antivirus, Custom RBLs, Rate Control, IP Address Policies, Recipient Policies, Sender Policies, Sender Authentication, and Content Policies. These pages are used for creating policies for inbound mail. 25 Step 3. Ensure Connectivity 1. If you have trouble routing email traffic through the service, make sure that your firewall allows traffic originating from the Barracuda Email Security Service. To allow mail traffic from the service, open your firewall ports to allow the IP address range 64.235.144.0/20 such that your LDAP and Microsoft Exchange servers can communicate with the Barracuda Email Security Service. 2. Additionally, open these ports in your corporate firewall to allow communication between the Barracuda Email Security Service and remote servers: Port Direction Used for 25 In/Out SMTP 389 In/Out LDAP 636 In/Out LDAP 3. To ensure that the service can send traffic to the mail servers listed for each of your domains, go to the Domains Manager page: 4. Click Settings for the first domain in the list; the domain settings page for this domain displays: 5. 6. Click Test. The Mail Server Test page displays: 26 6. 7. Enter the username of a mailbox that you can readily test, and click Send. If the email is routed correctly, a Success message displays. If the Success message does not display and the recipient does not receive the test email, double check the steps above. If a problem persists, see the troubleshooting section below. 8. Verify that the Barracuda Email Security Service is able to reach your configured LDAP server. Go to DOMAINS > Domain Manager > Settings, configure your LDAP host and click Test Settings. If you have problems connecting, open your firewall ports as described below. Troubleshooting Verify that your firewall allows traffic originating from the Barracuda Email Security Service. To allow mail traffic from the service, open your firewall ports to allow the IP address range 64.235.144.0/20 such that your LDAP and Microsoft Exchange servers can communicate with the Barracuda Email Security Service. Additionally, open these ports in your corporate firewall to allow communication between the Barracuda Email Security Service and remote servers. Port Direction Used for 25 In/Out SMTP 389 In/Out LDAP 636 In/Out LDAP Step 4. Route Email through the Barracuda Email Security Service 1. Go to the Settings page for this domain: 2. Make note of the two MX records listed under the section MX Records Configuration. They are listed as Primary and Backup. 3. Log in to your ISP or hosting provider and change the MX records to the records listed above. 4. Depending on your ISP settings, this change can take a few minutes to a few hours to complete. Once complete, email begins flowing through the Barracuda Email Security Service. 5. Check the MESSAGE LOG page for incoming email. Your email is now being filtered by Barracuda Networks: 27 Once you are satisfied with the process of changing the MX records for one domain, you must repeat this process for each additional domain. Important If you have Sender Policy Framework (SPF) checking enabled on your mail server or network, it is critical when using the Barracuda Email Security Service that you either disable SPF checking in the service or add the Barracuda Email Security Service IP range 64.235.144.0/20 to your SPF exemptions. Otherwise, your SPF checker blocks mail from domains with an SPF record set to Block bec ause mail is coming from a Barracuda Email Security Service IP address not in the sender's SPF record. See Also Overview and inbound policy configuration: Overview Advanced Inbound Email Filtering Policy Outbound policy and encryption settings: How to Use DLP and Encryption of Outbound Mail Configure Outbound Filtering Policy Advanced topics: Advanced Configuration - Sender Authentication, SPF, Recipient Verification Managing User Accounts Reporting Understanding Inbound and Outbound Message Flow Inbound Mail Flow Click to view Inbound mail flow... 28 29 Outbound Mail Flow Click to view Outbound mail flow... 30 31 Advanced Inbound Email Filtering Policy The Barracuda Email Security Service includes a rich set of inbound and outbound email filtering policy options including anti-spam, antivirus, rate control, IP policies, sender reputation, and more. In addition, you can opt to subscribe to the Barracuda Advanced Threat Detection (ATD) service. ATD is a cloud-based virus scanning service that applies to inbound messages, analyzing email attachments in a separate, secure cloud environment to detect new threats and determine whether to block such messages. In this Section IP Analysis - Inbound Barracuda Reputation and Email Categorization Content Analysis - Inbound Mail Anti-Fraud and Anti-Phishing Protection Attachment Filtering - Inbound Image Analysis - Inbound Mail Intent Analysis - Inbound Mail Bulk Email Detection Rate Control Inbound Understanding Advanced Threat Detection Advanced Threat Detection Sample Email Notifications IP Analysis - Inbound Create Custom IP Policy 32 Once the true sender of an email message is identified, the reputation and intent of that sender should be determined before accepting the message as valid, or "not spam". The best way to address both issues is to know the IP addresses of trusted email senders and forwarders and define those as exempt from scanning by adding them to a list of known good senders. Add exempt/trusted sender IP addresses and block those you know are not trusted on the INBOUND SETTINGS > IP Address Policies page. Barracuda Networks does not recommend exempting domains because spammers may spoof domain names. When possible, it is recommended to exempt by IP address only. You can create a list of Trusted Forwarders by specifying one or more IP addresses of machines that you have set up to forward email to the Barracuda Email Security Service from outside sources. The Barracuda Email Security Service exempts any IP address in this list from Rate Control, SPF checks, and IP Reputation. In the Received headers, the Barracuda Email Security Service continues looking beyond a Trusted Forwarder IP address until it encounters the first non-trusted IP address. At this point, Rate Control, SPF checks, and IP Reputation checks are applied. Configure on the INBOUND SETTINGS > IP Address Policies page. Barracuda Reputation and Email Categorization Barracuda Reputation is a database maintained by Barracuda Central and includes a list of IP addresses of known good senders as well as known spammers, or IP addresses with a "poor" reputation. This data is collected from spam traps and other systems throughout the Internet. The sending history associated with the IP addresses of all sending mail servers is analyzed to determine the likelihood of legitimate messages arriving from those addresses. Updates to Barracuda Reputation are made continuously by Barracuda Central engineering. On the INBOUND SETTINGS > Anti-Spam/Antivirus page, it is strongly recommended that you select Use Barracuda Reputation BlockList (BRBL). Subscribe to External Blocklist Services Use the INBOUND SETTINGS > Custom RBLs page to use various blocklist services. Several organizations maintain external blocklists such as spamhaus.org. External blocklists, sometimes called DNSBLs or RBLs, are lists of IP addresses from which potential spam originates. In conjunction with Barracuda Reputation, the Barracuda Email Security Service uses these lists to verify the authenticity of the messages you receive. Be aware that blocklists can generate false-positives (legitimate messages that are blocked). Messages blocked due to external blocklists or the BRBL are the only blocked messages that are not sent to the user's Message Log. Email Categorization Email Categorization gives administrators more control over what they believe to be spam, even if those messages do not meet the technical definition of spam. Most users do not realize that newsletters and other subscription-based emails, while they are considered to be bulk email, are not technically unsolicited - which means that they cannot be blocked by default as spam. The senders of these emails may have a good reputation, but the user may no longer want to receive, for example, a mass mailing from a club or vendor membership. The Email Categorization feature assigns this type of email to categories that display on the INBOUND SETTINGS > Anti-Spam/Antivirus page, and the administrator can then create block, quarantine, or allow policies by category. When set to Off, no categorization scanning is performed. Supported categories: Corporate Emails – Emails sent from Microsoft Exchange Server that involve general corporate communications. This does not include marketing newsletters. The default action is Allow. Transactional Emails – Emails related to order confirmation, bills, bank statements, invoices, monthly bills, UPS shipping notices, surveys relating to services rendered, and/or where transactions took place. The default action is Allow. Barracuda recommends setting the Transactional email category to Allow so that critical emails are not blocked or quarantined. Marketing Materials – Promotional emails and newsletters from companies such as Constant Contact. The default action is Allow. Mailing Lists – Emails from mailing lists, newsgroups, and other subscription-based services such as Google and Yahoo! Groups. The default action is Allow. Social Media – Social media notifications from sites such as Facebook, LinkedIn, and Twitter. The default action is Allow. Email Categorization supports the following actions, in the following order of precedence: Allow – Deliver the message. Block – Do not deliver the message. 33 Quarantine – Put the message in quarantine if there are no other checks for other categories that can result in actions of higher precedence (Allow, Block). Off – No action is taken. All other spam scanning and policy processing is performed on the message. Messages that have been categorized appear in the Message Log with Email Categorization (category) as the Reason. The administrator can then select one or more categorized emails and click Recategorize to change the category, as shown in Figure 1. This information is submitted with the sender IP for Email Categorization. Optionally, you can assign a 'custom' category by selecting Other in the drop-down for a particular email. See the Message Log help page for details. Figure 1. Recategorizing the message from Corporate to Marketing Materials Content Analysis - Inbound Mail The Barracuda Email Security Service enables administrators to set custom content filters for inbound messages based on message content and attachment file name or MIME type. See the INBOUND SETTINGS > Content Policies page for settings. Custom Content Filters Message content filtering can be based on any combination of subject, headers, body, attachments, sender or recipient filters, and you can specify actions to take with messages based on pre-made patterns (regular expressions) in the subject line, headers, message body, sender or recipient lines. See Regular Expressions for text patterns you can use for advanced filtering. Note that HTML comments and tags imbedded between characters in the HTML source of a message are filtered out so that content filtering applies to the actual words as they appear when viewed in a web browser. For information about content filtering for outbound messages, see Content Analysis - Outbound Mail. Anti-Fraud and Anti-Phishing Protection Phishing scams are typically fraudulent email messages appearing to come from legitimate senders (e.g., a university, an Internet service provider, a healthcare or financial institution). These messages typically contain URLs that, if the user clicks them, directs them to a spoofed website or otherwise gets them to reveal private information such as logins, passwords or other sensitive data. This information is then used to commit identity and/or monetary theft. The following settings in the Barracuda Email Security Service can evaluate and rewrite fraudulent URLs so that if the user clicks them, they will be safely redirected to a valid domain or to a Barracuda domain warning of the fraud. Configure on the INBOUND SETTINGS > Anti-Phishing pa ge. Barracuda Anti-Fraud Intelligence - This Barracuda Networks anti-phishing detection feature uses a special Bayesian database for detecting Phishing scams. Link Protection - When set to Yes, the Barracuda Link Protection Service automatically rewrites any URL in an email message to a safe Barracuda URL, and then delivers the message. If the user then clicks on that URL, the service evaluates it for validity and reputation. If the domain is determined to be valid, the user is then directed to that website. If the URL is suspicious, the user is directed to the Barracuda Link Protection Service warning page, which displays Access Denied, a message about why the URL was blocked, and the actual link. 34 Figure 1. Warning popup from the Barracuda Link Protection Service In order to minimize false positives and page load delays, Barracuda continuously maintains a list of domains that are considered to be safe. Because of this, some links detected in email messages by this feature are "wrapped", while others are not. For example, Barracuda does not currently wrap "google.com", but will wrap "googlegroups.com" because it provides user-generated content. Typosquatting Protection - Typosquatting is a common trick used by hackers to fool users into thinking they're visiting a valid domain such as https://www.tripadivsor.com , but two letters ('v' and 'i') are switched in the domain name which leads the user to a different site that may be 'spoofing' the domain they wanted. The Typosquatting Protection feature checks for common typos in the domain name of the url and, if found, rewrites the url to the correct domain name so that the user visits the intended website. For example, if the URL https://www.tripadivsor.com appears in an email message, the service detects the switched letters and rewrites the URL to be https://ww w.tripadvisor.com, the valid domain. See Figure 1 above for the warning the user will see before being redirected to the correct website. Note: Link Protection must be set to Yes before enabling Typosquatting Protection. Link Protection is only applied to messages which have NOT been allowed, blocked or quarantined due to other policies such as IP address policies, sender policies or managed user policies. URLs which are exempt are not rewritten. Barracuda typosquatting works with tools such as Desvio to determine misspelled domain names. To protect your misspelled domains, contact providers such as Desvio to add your misspelled domain name variations to their list. See also Intent Analysis - Inbound Mail. Link Protection FAQ Q.With Link Protection enabled, are there messages for which URLs are not rewritten? URLs contained within messages encrypted by the Barracuda Encryption Service will not be rewritten. Q. How can you confirm if a URL has been rewritten? Hover over the URL in the message. It will look like the following if it has been rewritten by the Barracuda Link Protection Service: For example, the URL "http://www.codestore.net" would be rewritten to: https://linkprotect.cudasvc.com/url?a=http://www.codestore.net&c=E,1,5bEVim247z1fGhtUhmYwbNu1H8iIZr4N rgaCfUxKZdTyuUxW48gwPUfsoILDy-FCjYA5-2MCgtJlXy5N3PAFAD47XFHidB4K4cNJC7Z-FhFR1P96vPVq&typo=1 Q. What happens when a user clicks on a rewritten URL? If the URL is considered bad: The user is re-directed to the Barracuda Link Protection Service warning page, which displays Access Denied, a message about why the URL was rewritten, and the actual link. 35 If the URL is considered good: The user is re-directed to the website. Q. Will all URLs in a message be rewritten? URLs located in attachments are not rewritten. Link Protection is only applied to messages which have NOT been allowed, blocked or quarantined due to other policies such as IP address policies, sender policies or managed user policies. URLs which are exempt are not rewritten. Q. What if my brand has misspelled domain names? Will those URLs be rewritten? Barracuda typosquatting works with tools such as Desvio to determine misspelled domain names. To protect your misspelled domains, contact providers such as Desvio to add your misspelled domain name variations to their list. Q. Is there a noticeable delay when a user clicks on a rewritten URL? No. Rewritten URLs are checked real-time to ensure that the latest status determines it to be safe. Q. Is Link Protection available for customers with a trial subscription? Yes. Q. How long will rewritten URLs continue to work? Rewritten URLs will not expire. They will continue to function indefinitely. If the redirection service is not available (i.e., Barracuda cannot verify the URL's reputation), the user is directed to the original link. Q. Does Link Protection protect a URL that is safe at one-time but becomes compromised later? Yes. Each time a URL is clicked the status of that URL is verified before the redirect is allowed. Attachment Filtering - Inbound For outbound attachment filtering, see Attachment Content Filtering - Outbound . All messages, except those from exempt senders, go through attachment filtering. Use the INBOUND SETTINGS > Content Policies page to specify actions to take on inbound messages if they contain attachments with certain file name patterns or MIME types. You can select Archive Files Content with any filter to search the contents of attached archives. Use the Password Protected Archive Filtering feature as follows: When set to Scan, any email containing a password protected attachment is blocked. When set to Ignore, your attachment filter policies are applied to any email containing a password protected attachment. Messages that are blocked due to attachment filtering appear in the Message Log with the word Attachment for the Reason if you click Show Details for the message. For example, if you create a filter to block messages with attachments whose file names match a pattern of word*, the entry in the Message Log would contain: Action:Blocked Reason:Attachment (word_2010_xml.tgz) where word_2010_xml.tgz is the attachment file name that caused the message to be blocked. Image Analysis - Inbound Mail Image spam represents about one third of all traffic on the Internet. The Barracuda Email Security Service uses Image Analysis, which includes investigating image dimensions in JPG/JPEG images, to protect against new image variants. In the Message Log, Image Analysis may 36 sometimes result in one of the following: A message is deferred if determined to be suspicious, with a Reason of Suspicious A message is blocked with a Reason of Image Analysis Intent Analysis - Inbound Mail All spam messages have an "intent" - to get a user to reply to an email, to visit a web site or to call a phone number. Intent analysis involves researching email addresses, web links (URLs) and phone numbers embedded in email messages to determine whether they are associated with legitimate entities. Phishing emails are examples of Intent. Frequently, Intent Analysis is the defense layer that catches phishing attacks. The Barracuda Email Security Service applies the following forms of Intent Analysis to inbound mail, including real-time and multi-level intent analysis. Intent Analysis – Markers of intent, such as URLs, are extracted and compared against a database maintained by Barracuda Central. Real-Time Intent Analysis – For new domain names that may come into use, Real-Time Intent Analysis involves performing DNS lookups against known URL blocklists. Multilevel intent analysis – Use of free websites to redirect to known spammer websites is a growing practice used by spammers to hide or obfuscate their identity from mail scanning techniques such as Intent Analysis. Multilevel Intent Analysis involves inspecting the results of Web queries to URLs of well-known free websites for redirections to known spammer sites. Intent Analysis can be enabled or disabled on the INBOUND SETTINGS > Anti-Phishing page. Domains found in the body of email messages can also be blocked based on or exempt from Intent Analysis on that page. See also Anti-Fraud and Anti-Phishing Protection. Bulk Email Detection Many users subscribe to websites and lists and later forget that they subscribed, or subscribed unknowingly. Email messages containing anything that looks like an unsubscribe link or instruction may or may not be considered spam by the recipient. To provide users the opportunity to decide, you can quarantine bulk email messages that contain unsubscribe links or instructions, or you can choose to block them all, thereby reducing the load on your mail server. Configure Bulk Email Detection on the INBOUND SETTINGS > Anti-Spam/Antivirus page. To allow all such emails that are not otherwise tagged as spam, set this feature to Off. If this feature is set to Block or Quarantine, email messages/domains that are exempted by users or the administrator override this setting and are allowed. Rate Control Inbound The Barracuda Email Security Service Rate Control feature protects your organization from spammers or spam-programs (also known as "spam-bots") that send large amounts of email to the server in a small amount of time. Rate Control for inbound mail is configured on the INBOUN D SETTINGS > Rate Control page. Rate control for outbound mail is configured automatically by the Barracuda Email Security Service. The Rate Control mechanism counts the number recipients for a domain from a sender (a single IP address) over a half-hour timeframe and compares that number to the Maximum Recipients per Sender IP Address/ 30 minutes threshold you set on the page. If the number of inbound recipients for a domain from a sender (a single IP address) exceeds this threshold within a half hour period, the Barracuda Email Security Service defers any further connection attempts from that particular IP address until the next half hour time frame and logs each attempt as deferre d in the Message Log with a Reason of Rate Control. Exemptions from Rate Control You can exempt trusted IP addresses from Rate Control by adding a trusted IP address to the Rate Control Exemption list. Organizations that relay email through known servers or communicate frequently with known partners can and should add the IP addresses of those trusted relays and good mail servers to this list. 37 Understanding Advanced Threat Detection The Barracuda Email Security Service provides access to the subscription-based Advanced Threat Detection (ATD) service. This service analyzes inbound email attachments in a separate, secured cloud environment, detecting new threats and determining whether to block such messages. ATD offers protection against advanced malware, zero-day exploits, and targeted attacks not detected by the Barracuda Email Security Service virus scanning features. Enable ATD on the INBOUND SETTINGS > ATD page. When ATD determines an attachment contains a threat and blocks the message, review the ATD Report before determining whether to deliver the message. See Advanced Threat Detection Reports and Understanding Advanced Threat Detection Reports for more information. Advanced Threat Detection Options Configure policies on the INBOUND SETTINGS > Content Policies page, and specify how and when attachments are scanned on the INBOUN D Settings > ATD page: Deliver First, Then Scan – When selected, the ATD service attempts to scan the mail in real time. If the ATD scan completes in real time and a virus is detected, the message is blocked and is not delivered. If the ATD scan does not complete in real time, the message is delivered; if the ATD service determines the attachment to be suspicious or virus-infected upon completion, the recipient is notified, and if Notify Admin is set to Yes, an email alert is sent to the specified admin address. This option does not delay email processing, however, the email recipient can potentially open an infected attachment. Scan First, Then Deliver – When selected, the ATD service scans messages with attachments before delivery. If a virus is detected in an attachment, the message is blocked, otherwise, the message is delivered to the recipient. This option provides more security and prevents the email recipient from opening infected attachments. Note that messages with attachments may be temporarily deferred while queued for scanning. These messages appear in the Message log and Pe nding Scan displays in the Reason column. The mail server retries until the scan is complete and no virus is detected in the attachment, at which point the message is delivered. No – When selected, ATD is disabled. Advanced Threat Detection Exemptions When ATD is set to either Deliver First, then Scan or Scan First, then Deliver, you can exempt sender email addresses, sender domains, recipient email addresses, recipient domains, or sender IP addresses from ATD scanning in the ATD Exemptions section on the INBOUND SETTINGS > Advanced Threat Detection page. Attachments from exempted entries are not sent to the ATD cloud. Note that these exemptions apply to ATD scanning only and do not apply to Barracuda Email Security Service virus scanning. Scanned File Types Table 1 lists the file types scanned by the ATD service. Table 1. Scanned File Types. MIME Type File Extension application/pdf .pdf application/msword .doc application/vnd.ms-powerpoint .ppt application/vnd.ms-excel .xls 38 application/x-msaccess .mdb application/vnd.openxmlformats-officedocument.presentationml.pres entation .pptx application/x-dosexec .exe application/vnd.openxmlformats-officedocument.spreadsheetml.sheet .xlsx application/vnd.microsoft.portable-executable .exe application/x-executable .exe application/vnd.ms-cab-compressed .cab text/x-msdos-batch .bat application/rtf .rtf application/vnd.android.package-archive .apk application/zip .zip application/x-tar .tar application/java-archive .jar application/javascript .js application/vnd.openxmlformats-officedocument.wordprocessingml.d ocument .docx Administrator Notification When Deliver First, Then Scan is selected, select Yes for Notify Admin to notify the administrator when a virus is detected by the ATD service in a scanned attachment. The email notification includes the sender, recipient, attachment type, and detected virus. Enter the admin email address in the ATD Notification Email field address. Infected attachments are listed in the ATD Log. ATD Exemptions When ATD is set to either Deliver First, then Scan or Scan First, then Deliver, you can exempt sender email addresses, sender domains, recipient email addresses, recipient domains, or sender IP addresses from ATD scanning. Attachments from exempted entries are not sent to the ATD cloud. Note that these exemptions apply to ATD scanning only and do not apply to Barracuda Email Security Service virus scanning. Message Log Messages blocked or deferred by the ATD service are listed in the Message Log with the following codes listed in the Reason column: Advanced Threat Detection – Message is blocked by the ATD service due to an infected attachment. Pending Scan (Scan First, Then Deliver enabled) – Message is deferred while the attachment is scanned. The mail server retries until the scan is complete. Once complete, if no virus is detected, the message is delivered. ATD Service Unavailable – Message is deferred because the ATD service is temporarily unavailable. The message is retried and, when the scan is complete and if no virus is detected, the message is delivered. View ATD Statistics The DASHBOARD page displays statistics of scanned attachments determined to be infected by the ATD service. Advanced Threat Detection Sample Email Notifications When the Advanced Threat Detection (ATD) Service detects a virus or suspicious attachment in an email message, the recipient may receive an email notification per the conditions described below. Email notifications are dependent on the selections made on the INBOUND SETTINGS > ATD page: Enable Advanced Threat Detection – When set to Deliver First, then Scan on, the message, including attachments, is first delivered to the recipient and then scanned by the ATD service. 39 Enable Advanced Threat Detection – When set to Scan First, Then Deliver, an email notification may be sent to the email recipient depending on the following: If ATD detects a virus or suspicious attachment upon initial scan, the message is blocked and no email notification is sent to the recipient. However, if the message is deferred for additional scanning, an email notification is automatically sent to the email recipient warning them of the threat. Notify Admin – When set to Yes, an email notification is automatically sent to the email entered in the ATD Notification Email field when ATD detects a virus or suspicious attachment. Example 1. Recipient Email Notification. In this example, ATD detected a virus, and notifies [email protected] that a virus was detected in an attachment from sender@org anization1.com: Example 2. Admin Email Notification. In this example, Advanced Threat Detection is set to Deliver First, then Scan, and Notify Admin is set to Yes. ATD detected a virus after delivering the email. The admin at [email protected] is sent an email notification that a virus was detected in an attachment from [email protected] sent to [email protected]: 40 The Message Log The Message Log is a window into how the current spam, virus, and policy settings are filtering email coming through the Barracuda Email Security Service. Use the information in the log to help tune your inbound and outbound policy settings. Sorting messages using the Advanced Search feature to quickly view email by allowed, deferred, quarantined, encrypted (outbound), or blocked messages by domain, sender, recipient, time range (last 2- 30 days), envelope to, envelope from, reason, action taken (see Message Actions), date or subject. The Message Log reflects all email traffic through the Barracuda Email Security Service at the global level. If you click on a verified domain on the DOMAINS > Domain Manager page, a tab for the Message Log for that domain displays. All messages going through the Barracuda Email Security Service are subject to a size limit of 300MB. This includes headers, body, and any attached content. Filter the Message Log When viewing the global Message Log, you can choose to view only Inbound or only Outbound mail using the Message Log Filter. You can filter on All, Allowed, Not Allowed, Blocked, Deferred, or Quarantined messages. For details on each of these actions, see Message Actions. Note that if you have configured more than 10 domains, you cannot search on All Domains at one time; rather, you must select one domain at a time to search. For more information on filtering at the global level, click the Help button on the MESSAGE LOG page. 41 The User Message Log is less comprehensive than the global, administrator's Message Log. For example, users cannot see outbound mail in their Message Log. For more information about viewing and filtering messages, click Help on the MESSAGE LOG page at the global level or after logging into a User account. Spam or Not Spam Occasionally the Barracuda Email Security Service may incorrectly identify a piece of mail as Spam (false positive) or Not Spam relative to the policies you have set. You can tune the Advanced Spam Detection Scoring levels on the INBOUND SETTINGS > Anti-spam Antivirus page by selecting Custom and adjusting the score for each category based on what type of mail you consider to be spam. Use the Spam and Not Spam options on the Message Log page (both at the global level and the user account level) to mark a message as such. Those messages are then sent to Barracuda Central for analysis. Deliver Messages to Recipient You can click Deliver for one or more selected messages in the Message Log if you decide the message is valid. If the message is successfully delivered, the Delivery Status changes to Delivered. If the mail cannot be delivered, this is reflected as a notice in your browser window and the Delivery Status does not change. If the Reason field for a blocked message displays as Advanced Threat Detection, you cannot immediately deliver the message. See Advanced Threat Detection Reports for details. If delivered messages are not making it to the recipient's mailbox, it may be due to a filter on your mail server or a service on your network catching the mail as spam. Check your local trash/spam folder to locate the mail. User's Message Log Individual users have an additional option to remove selected messages from their personal message log. The user can select one or more messages, and click Delete. Message Details Click on a message in the table, and click Show Details in the message header to view additional information including IP address, recipients, action, reason, and delivery status. The administrator (or user, when viewing their own account) can then elect to View the entire message and take actions on the message. With the Barracuda Email Security Service version 2.3.1 and higher, if your Message Log shows an email message with a subject of Me ssage has no content, this is due to a failed connection. The Barracuda Email Security Service now logs all failed connections. The record for a failed connection shows the from/to data, but the log entry does not have any header or body content. As a consequence, mail that is malformed or is addressed to an invalid recipient displays in the logs with the Message has no content in the Subject line. Message Actions The following table describes the actions the Barracuda Email Security Service takes with messages on the MESSAGE LOG > Message Log pa ge. Table 1. Message Actions. Action Description Notes Account Suspended If your Barracuda Email Security Service subscription expired more than 60 days ago, your account is marked as Suspended, and email are no longer scanned for spam. Email is still scanned for viruses. 42 Advanced Threat Detection Message blocked by the Advanced Threat Detection (ATD) cloud-based virus scanning service. ATD is an advanced virus scanning service which, when enabled on the INBOUND SETTINGS > ATD page, provides additional scanning for the attachment file types you specify. See also: Understanding Advanced Threat Detection Reports Advanced Threat Detection Reports Anti-Fraud Barracuda Anti-Fraud Intelligence detected a potential phishing scheme, which could be used to gather confidential information about an organization or its individual users. Antivirus The message had a virus attached. ATD Service Unavailable Message was deferred by the ATD service because the ATD scanning service was temporarily unavailable. Attachment Content Content in a message attachment matched a Message Content Filter rule specified on the INBOUND SETTINGS > Content Policies page. Attachment Filter Content in a message attachment matched an attachment filter defined on either the INB OUND SETTINGS > Content Policies or the OUTBOUND SETTINGS > Content Policies page. AV Service Unavailable The Scan Email for Viruses setting on the I NBOUND SETTINGS > Anti-Spam/Antivirus page is set to Yes, but the virus scanning service was temporarily unavailable when the message came through. The message is deferred and retried when the virus scanning service is available. BRTS Barracuda Real-Time System (BRTS) detected a zero-hour spam or virus. This advanced service detects spam or virus outbreaks even where traditional heuristics and signatures to detect such messages do not yet exist. Barracuda Reputation Message was sent from a particular IP address on the Barracuda Reputation Block List (BRBL). A list maintained by Barracuda Central that includes IP addresses of known spammers. Body Content Message body content matched a Message Content Filter rule specified on the INBOUN D SETTINGS > Content Policies page. Bulk Email The Bulk Email Detection setting on the IN BOUND SETTINGS > Anti-Spam/Antivirus page is set to Yes, and the message qualifies as Bulk. 43 The message is retried and, when the scan is complete, delivered. Cloudscan Service Unavailable The Enable Cloudscan setting on the INBO UND SETTINGS > Anti-Spam/Antivirus pa ge is set to Yes, but the Cloudscan spam scoring service was temporarily unavailable when the message came through. The message is deferred and is retried when the Cloudscan service is available. Content Protected The message has a password-protected archive attachment. See settings for Attachment Filter on the IN BOUND SETTINGS > Content Policies and OUTBOUND SETTINGS > Content Policies pages. Content URL The message contained one or more URLs listed in the Intent Domains section on the I NBOUND SETTINGS > Content Policies pa ge. DKIM The DomainKeys Identified Mail (DKIM) se tting on the INBOUND SETTINGS > Sender Authorization page is set to Quarantine or Block and the message is from a domain that fails DKIM verification. Email Categorization Per settings on the INBOUND SETTINGS > Anti-spam/Antivirus page, email from this sender is categorized as not necessarily spam, but rather something that the user may have subscribed to at one time and may no longer wish to receive. For example, newsletters and memberships, or marketing information. Categories supported appear in the Message Log Reason as: Email Categorization (corporate) Emails sent by a user at an authenticated organization from an MS Exchange Server that involves general corporate communications. Does not include marketing newsletters Email Categorization (transactional) Emails related to order confirmations, bills, invoices, bank statements, delivery/shipping notices, and service-related surveys Email Categorization (marketing) Promotional emails from companies such as Constant Contact. Email Categorization (mailing lists) Emails from mailing lists, newsgroups, and other subscription-based services such as Google and Yahoo! Groups. Email Categorization (social media) Notifications and other emails from social media sites such as Facebook and LinkedIn. From Address A sender or content rule for From Address was encountered. Header Content Content in the message header matched a Message Content Filter rule specified on the INBOUND SETTINGS > Content Policies p age. 44 Email Categorization assigns some of these emails to specific categories which the admin can set to allow, block, or quarantine on the I NBOUND SETTINGS > Anti-spam/Antivirus page. IP Address Policies The sending IP address is listed as Blocked or Exempt on the INBOUND Settings > IP Address Policies page. Image Analysis Image Analysis identified this message as a bulk/spam message. Intent Analysis Intention Analysis identified this message as a bulk/spam message. Invalid Recipient The To address does not exist on the mail server. Malformed The message did not conform to the SMTP protocol; for example, the Sender, From, Da te, or other required fields may be empty. Message Too Large The message exceeded the maximum message size allowed by the destination mail server, which rejected the message. No PTR Record Action was taken because: (1) The Block on No PTR Records setting on the INBOUND SETTINGS > Sender Authentication page was set to Yes, and Because of (1), the Barracuda Email Security Service queried DNS for the SPF record of the sending domain, and no PTR record was found. Pending Scan When ATD is enabled with the Scan First, Then Deliver option, the message is deferred because attachment scanning is pending. Possible Mail Loop IP address for the destination mail server is not correctly configured in the Barracuda Email Security Service, and may instead contain the IP address for the Barracuda Email Security Service, causing a mail loop. Predefined Attachment Content An attachment contained content that matched a Predefined filter based on data leakage patterns (specific to United States). See the OUTBOUND SETTINGS > Content Policies page. Predefined Body Content The message body contained content that matched a predefined filter based on data leakage patterns (specific to United States). See the OUTBOUND SETTINGS > Content Policies page. Predefined Filter Exceptions The message body contained content that matched a predefined filter exception to HIPAA or Privacy content filters. See the OUTBOUND SETTINGS > Content Policies page. Predefined From Address The message From address contained content that matched a predefined filter based on data leakage patterns (specific to United States). See the OUTBOUND SETTINGS > Content Policies page. Predefined Header Content The message header contained content that matched a predefined filter based on data leakage patterns (specific to United States). See the OUTBOUND SETTINGS > Content Policies page. 45 The Barracuda Email Security Service allows messages of up to 300 MB. The mail server retries later to check if the scan is complete and, if it is, delivers the message. Predefined Subject Content The message subject contained content that matched a predefined filter based on data leakage patterns (specific to United States). See the OUTBOUND SETTINGS > Content Policies page. Predefined To/CC Address The message To/CC address contained content that matched a predefined filter based on data leakage patterns (specific to United States). See the OUTBOUND SETTINGS > Content Policies page. Rate Control Sender IP address exceeded maximum number of allowed connections in a half-hour period. The message is deferred unless the client continues to make connections. Realtime Blocklist IP Reputation Analysis determined that the sending IP address is listed on a real-time blocklist (RBL) or DNS blocklist (DNSBL). Recipient Action was taken because of a rule for the T o address. Score The message score exceeded the Cloudsca n Scoring setting on the INBOUND SETTINGS > Anti-Spam/Antivirus page. Sender Policies Action was taken because settings configured on the INBOUND SETTINGS > Sender Policies page. Sender Policy Framework The Sender IP address is not listed as an allowed sender for the specified domain using the SPF protocol. Subject Content Content in the subject line matched a Message Content Filter rule specified on the INBOUND SETTINGS > Content Policies p age. Suspicious Message deferred or blocked due to multi-level intent checks or Barracuda Anti-Fraud Intelligence checks, as configured on the INBOUND SETTINGS > Anti-spam/Antivirus page. System Sender Policies The sender has been blocked per policy set by Barracuda Networks; this action prevents the Barracuda Email Security Service IP address from being blacklisted. Contact your email administrator if you have questions. 46 A subject line of Message Has No Content i ndicates an incomplete SMTP transaction due to a failed connection. The log entry shows the from/to data, but has no header or body content. This mail includes messages that are malformed or are addressed to invalid recipients. Applies to outbound mail. TLS Required If the message is: Inbound On the DOMAINS > Settings page, the SMTP over TLS option is set to Yes, meaning that inbound messages must be sent over a TLS connection. If, however, the mail server does not support TLS connections, the inbound message is blocked with a reason of TL S Required. Outbound On the OUTBOUND SETTINGS > DLP/Encryption page, the recipient domain is listed, requiring all outbound messages to that domain to be transmitted across a TLS connection. If a TLS connection cannot be established, then the mail is not delivered and is blocked, with a reason of TLS required. To/CC Address Action was taken because of a recipient or content rule for To/CC Address. UI Delivered For emails blocked or quarantined in the Message Log, the admin can manually deliver those messages. Once the message is delivered, the reason code for that message displays as Allowed with a reason of UI Delivered. When searching for messages in the Message Log, you can use the filters listed in Table 2. Table 2. Search Filters. Filter Description Inbound Mail Allowed Search for delivered messages. Not Allowed Search for undelivered messages. To further refine your search, select Blocked, Deferred, or Quarantined. Blocked Search for blocked messages. Messages are blocked due to a policy specified on the INBOUND SETTINGS and OUTBOUND SETTINGS pages. 47 Search for deferred messages. Indicates that the Barracuda Email Security Service returned a 4xx response to the sending mail server. There are several reasons for deferring messages: Deferred The destination mail server was offline. For inbound email, if Spooling is enabled, then the messages would be spooled and n ot deferred, until the server is reachable. See Email Spooling bel ow for more information. The recipient was not valid. The destination mail server returned a 4xx response (try later). Rate control. See Rate Control Inbound for how rate control is applied to inbound email. The administrator can decide to defer messages per policy regarding Content Intent on the INBOUND SETTINGS > Anti-Spam/Antivirus page. When a message is deferred due to intent, if the sender retries the message, it is allowed and delivered to the recipient. Search for quarantined messages. Messages are quarantined due to policies specified on the INBOUND SETTINGS and OUTBOUND SETTINGS pages. Quarantined Outbound Mail Allowed Search for delivered messages. Not Allowed Search for undelivered messages. To further refine your search, select Blocked, Deferred, or Quarantined. Blocked Search for blocked messages. Messages are blocked due to policies specified on the INBOUND SETTINGS and OUTBOUND SETTINGS pages. Deferred Search for deferred messages. Indicates that the Barracuda Email Security Service returned a 4xx response to the sending mail server. There are several reasons for deferring messages: The destination mail server was offline. The recipient was not valid. The destination mail server returned a 4xx response (try later). Rate control. See Rate Control Inbound for how rate control is applied to outbound email. The administrator can decide to defer messages per policy regarding Content Intent on the INBOUND SETTINGS > Anti-Spam/Antivirus page. When a message is deferred due to intent, if the sender retries the message, it is allowed and delivered to the recipient. Quarantined Search for quarantined messages. Messages are quarantined due to policies specified on the INBOUND SETTINGS and OUTBOUND SETTINGS pages. Encrypted Search for encrypted messages. The Barracuda Email Encryption Service encrypts messages due to policy as specified in the INBOUN D SETTINGS and OUTBOUND SETTINGS pages. The Barracuda Email Security Service sends the message recipient(s) a notification email directing them to visit the Barracuda Message Center to retrieve the encrypted message. Rejected Search for rejected messages. Email Spooling 48 You can enable Spooling if you want the Barracuda Email Security Service to retain all of your email for up to 96 hours if your mail server goes down. Select On to enable or Off to disable. If Spooling is Off and the service cannot connect to your mail server, the mail is deferred and the Del ivery Status in the Message Log displays as Not Delivered. The sending mail server, depending on its configuration, has the option of retrying the message or notifying the sender that the mail was deferred or failed. – Advanced Threat Detection Reports The Advanced Threat Detection (ATD) service analyzes inbound email attachments in a separate, secured cloud environment, detecting new threats and determining whether to block such messages. When ATD determines an attachment contains a threat and blocks the message, Barracuda highly recommends that you review each infected ATD Report before determining whether to deliver the message. For more information, see Understanding Advanced Threat Detection Reports. Determine Whether to Deliver Message 1. 2. 3. 4. 5. 6. 7. 8. 9. Log in to Barracuda Email Security Service as the administrator, and go to MESSAGE LOG > Message Log. Set message filters and search criteria as needed, and click Search. Messages blocked by ATD display as Not Delivered. Click on the message, and in the reading pane, click ATD Reports. The Email Delivery Warning dialog box displays a list of attachments, one or more of which is suspected of being Infected. If you want to deliver the email and the associated attachments, first review the report for each attachment. Click View Report for the suspicious attachment, and review the report details. Repeat step 6 for each attachment. Once you review all attachments, and if you determine you want to deliver the email and the associated attachments, review and accept the disclaimer, and click Deliver in the Email Delivery Warning dialog box. If the message is delivered successfully, the Delivery Status changes to Delivered. If the mail cannot be delivered, this is reflected as a notice in your browser window and the Delivery Status does not change. Understanding Advanced Threat Detection Reports The Advanced Threat Detection (ATD) service scans files for malware, zero-day exploits, and targeted attacks not detected by the Barracuda Email Security Service virus scanning features or intrusion prevention system. ATD analyzes files in a separate, secured cloud environment, and once scanning is complete, determines the risk level for each scan (determination), and then assigns a verdict. ATD Classifications Malicious – File classified as high risk. File is highly likely to be malware. Suspicious – File classified as medium risk. File may pose a potential risk. Clean – File classified as low risk. No malicious indicators were detected. 49 Exercise caution even with files marked CLEAN as malware authors are continually finding new ways to evade detection. Terminology Determination versus Verdict – When a scan is complete and the risk potential is classified, that scan displays a Determination. For example, if the file is determined to have medium risk, the determination is Suspicious, After all scans are complete, a Verdict displays based on the determination of all scans. Reclassified – If a scan determination is Malicious or Suspicious, but the file is reviewed by the Barracuda Analyst Team and determined to be Clean, the Verdict displays as Clean and Reclassified by Analyst displays. ATD Report Sections The ATD report is divided into the following sections: Scan Description This section provides a short description of the ATD report and how the scan verdict is reached. Overall Determination This section displays the scan verdict and reason for this file. The verdict is based on the outcome, or determination, of each scan. File Metadata This section lists file-specific details including file extension, file size, meta-data, and when the file was first submitted. Threat Analysis This section lists the outcome of each scan: Enhanced Antivirus detection scans the file through a comprehensive system of traditional antivirus signatures. Behavioral Heuristics analyzes through a heuristics engine utilizing behavioral indicators. Sandboxing executes the file in an isolated environment where its behavior is analyzed and assigned a risk level. Configure Outbound Filtering Policy By scanning all outbound messages, you can ensure that all email leaving your organization is legitimate, virus free and does not leak private or sensitive information from inside the organization. In this section: How to Use DLP and Encryption of Outbound Mail Content Analysis - Outbound Mail Abuse Monitoring and Notifications Outbound Quarantine Outbound Filtering Policies Applied by the Barracuda Email Security Service Outbound Filtering Policy Settings Outbound filtering options are configured on the OUTBOUND SETTINGS pages of the Barracuda Email Security Service and are different from those for inbound filtering, including: Optional encryption for secure message transmission. Data Leak Prevention (DLP) filtering using pre-defined patterns such as credit card number, social security number, driver's license or HIPAA medical terms, to block, quarantine or encrypt outbound messages. Exceptions to DLP block/quarantine policy can be created for emails containing phone numbers and/or street addresses. See the OUTBOUND SETTINGS > Content Policies page for details. Outbound Quarantine and quarantine notifications, enabling administrators to deliver, reject, delete or export outbound messages from senders within the organization. 50 See also Outbound Filtering Policies Applied by the Barracuda Email Security Service. How to Use DLP and Encryption of Outbound Mail For health care providers, governmental agencies and other entities who need to protect private, sensitive and valuable information communicated via email, the Barracuda Email Security Service provides Data Leak Prevention (DLP) features using email encryption. DLP enables your organization to satisfy email compliance filtering for corporate policies and government regulations such as HIPAA and Sarbanes-Oxley (SOX). Advanced content scanning is applied for keywords inside commonly used text attachments, as well as email encryption. You can configure email encryption policies per domain. Using Encryption for Outbound Mail Encryption is performed by the Barracuda Email Encryption Service, which also provides a web interface, the Barracuda Message Center, for recipients to retrieve encrypted messages. Figure 1: Mail Flow for Encrypted messages sent through the Barracuda Email Security Service. Encryption Privacy When the Barracuda Email Encryption Service encrypts the contents of a message, the message body will not be displayed in the Mes sage Log. Only the sender of the encrypted message(s) and the recipient can view the body of an encrypted message. For more information about privacy, please see the Barracuda Networks Privacy Policy. How to Secure Transmission of Sensitive Messages TLS provides secure transmission of email content, both inbound and outbound, over an encrypted channel using the Secure Sockets Layer (SSL) - also known as TLS. For DLP, you should require mail to be sent outbound from the Barracuda Email Security Service over a TLS connection. To do so, enable Force TLS for each domain on the OUTBOUND SETTINGS > DLP/Encryption page. Mail sent to these domains must be transmitted across a TLS connection. If a TLS connection can not be established, then the mail will not be delivered. See also Secured Message Transmission. How to Create Policies For When to Encrypt Messages Use the OUTBOUND SETTINGS > Content Policies page to create policies for encryption of outbound message in one or both sections: Message Content Filters: You can select the Encrypt action for outbound email based on characteristics of the message's subject, header or body. You can specify simple words or phrases, or use Regular Expressions. Note: Content filtering is case sensitive. Predefined Filters: You can select the Encrypt action for outbound email messages that contain matches to pre-made patterns in the subject line, message body or attachment. Use the following pre-defined data leakage patterns (specific to U.S. - see Note below) to meet HIPAA and other email security regulations: Credit Cards - Messages sent through the Barracuda Email Security Service containing recognizable Master Card, Visa, American Express, Diners Club or Discover card numbers will be subject to the action you choose. Social Security - Messages sent with valid social security numbers will be subject to the action you choose. U.S. Social Security Numbers (SSN) must be entered in the format nnn-nn-nnnn. Privacy - Messages will be subject to the action you choose if they contain two or more of the following data types, using common U.S. data patterns only: credit cards (including Japanese Credit Bureau), expiration date, date of birth, Social Security number, driver's license number, street address, or phone number. Phone numbers must be entered in the format nnn-nnn-nnnn or (nnn)nnn-nnnn or nnn.nnn.nnnn . HIPAA - Messages will be subject to the action you choose if they contain TWO of the types of items as described in 51 Privacy above and ONE medical term, or ONE Privacy item, ONE Address and ONE medical term. A street address can take the place of Privacy patterns. So, for example, a U.S. Social Security Number (SSN), an address, and one medical term is enough to trigger the HIPAA filter. The format of this data varies depending on the country, and these filters are more commonly used in the U.S.; they do not apply to other locales. Because of the millions of ways that any of the above information can be formatted, a determined person will likely be able to find a way to defeat the patterns used. These filter options are no match for educating employees about what is and is not permissible to transmit via unencrypted email. See the OUTBOUND SETTINGS > Content Policies page of the Barracuda Email Security Service web interface for more details in the online H elp. How to Send and Receive Encrypted Messages The Barracuda Message Center is a web-based email client for receiving and managing encrypted email sent by the Barracuda Email Security Service. The email client looks and behaves much like any web-based email program (see Figure 2). For a user's guide, please see Barracuda Message Center User's Guide. The workflow for sending and receiving encrypted messages is as follows: 1. Outbound messages that meet the filtering criteria and policies configured as described above are encrypted and appear in the Message Log, but the message body does not appear in the log for security purposes. 2. The Barracuda Message Center sends a notification to the recipient of the email message that includes a link the recipient can click to view and retrieve the message from the Barracuda Message Center. 3. The first time the recipient clicks this link, the Barracuda Message Center will prompt for creation of a password. Thereafter the recipient can re-use that password to pick up subsequent encrypted messages. 4. The recipient logs into the Barracuda Message Center and is presented with a list of email messages, much like any web-based email program. All encrypted messages received will appear in this list for a finite retention period or until deleted by the recipient. Figure 2: Barracuda Message Center web interface When the recipient replies to the encrypted email message, the response will also be encrypted and the sender will receive a notification that includes a link to view and retrieve the message from the Barracuda Message Center. Medical Dictionary Source for DLP HIPAA Compliance The DLP/HIPAA compliance engine is powered by the UMLS Metathesaurus, version 2013AA, created by the U.S. National Library of Medicine, National Institutes of Health. Within the UMLS Metathesaurus, it uses medical vocabulary from: COSTAR, by Massachusetts General Hospital, Harvard Medical School DXplain, by Massachusetts General Hospital, Harvard Medical School FMA*, by Structural Informatics Group, University of Washington HCPCS, by Centers for Medicare and Medicaid Services ICD-9-CM, by U.S. Department of Health and Human Services MTHICD0, by U.S. National Library of Medicine, National Institutes of Health NCI Thesaurus, by National Cancer Institute, National Institutes of Health 52 VANDF, by U.S. Department of Veteran's Affairs The compliance engine uses only portions of each of the above vocabularies. It also uses vocabulary which is not a part of the UMLS Metathesaurus, developed by the Barracuda Networks research team. Some material in the UMLS Metathesaurus is from copyrighted sources of the respective copyright holders. Users of the UMLS Metathesaurus are solely responsible for compliance with any copyright, patent or trademark restrictions and are referred to the copyright, patent or trademark notices appearing in the original sources, all of which are hereby incorporated by reference. *FMA is the intellectual property of the University of Washington and was developed at the University of Washington by the Structural Informatics Group. Content Analysis - Outbound Mail See Regular Expressions for advanced filtering text patterns. HTML comments and tags in message HTML source are filtered out so that content filtering applies to the actual words as they appear when viewed in a web browser. See Outbound Quarantine for more information on messages can then be viewed, delivered, rejected, deleted, or exported from the OU TBOUND QUARANTINE page. Custom Content Filters Custom content filtering can be based on any combination of subject, headers, body, attachments, sender, or recipient and can be applied to outbound mail just as it can be to inbound mail. See the OUTBOUND SETTINGS > Content Policies page for settings. Filter actions for outbound mail include Block, Allow, Quarantine, and Encrypt. Messages that meet the Quarantine criteria are sent to the outbound quarantine for the administrator to evaluate. Messages can then be viewed, delivered, rejected, deleted, or exported from the OUTBOUND QUARANTINE page. Attachment Content Filtering All outbound messages, including those from exempt senders, go through attachment filtering. You can allow, block, quarantine, or encrypt outbound messages that contain attachments which include text matching the patterns you enter here. Attachment Content Filtering is limited to text files. See the OUTBOUND SETTINGS > Content Policies page for settings. Image Analysis Image Analysis techniques protect against new image variants. Image Analysis is automatically configured in the Barracuda Email Security Service. Abuse Monitoring and Notifications Outbound email traffic is automatically monitored for Rate Control by the Barracuda Email Security Service. If the volume of outbound mail messages from the service exceeds normal levels during a 30 minute time frame, the Rate Control feature will take effect and outbound mail will be deferred until the end of the 30 minute time frame. IP addresses of senders of outbound mail who consistently trigger Rate Control will be logged on the OUTBOUND SETTINGS > Abuse Monitor page in the IP Addresses With Recent Abuse table (see below). What Triggers Abuse Notifications An abuse notification email may be sent to the administrator of your Barracuda Email Security Service for various reasons. These include but are not limited to: Sending mail to more recipients per 30 minute period then allowed by the Barracuda Email Security Service. Sending out mail to more invalid recipients than allowed by the Barracuda Email Security Service. Sending out mail that has been classified by the Barracuda Email Security Service as spam or as containing a virus. If your network sends out a large email blast, this may trigger an abuse notice from the Barracuda Email Security Service. This notice informs you that you are sending out mail to more recipients per 30 minute period then the Barracuda Email Security Service allows. This is not a block of your mail, but rather delays the delivery of the messages. The mail will eventually go out, but at a much slower rate over a longer period of time. 53 To prevent generation of an abuse notice, it is recommended that you spread out the delivery of email blasts over a longer period of time or to smaller groups of recipients, and to make sure that the addresses you are sending to are legitimate. The limits set by the Barracuda Email Security Service on the number of recipients that can be sent mail per 30 minutes protects against an outbound spam attack from a customer's network. IP Addresses With Recent Abuse The owner of an IP address that appears in this table on the OUTBOUND SETTINGS > Abuse Monitor page for consistently exceeding Rate Controls may use the Request Increased Limit button to request Barracuda Networks to allow a higher volume of outbound mail so that Rate Control does not take effect. Suspended IP Addresses IP addresses that send very high volumes of email, consistently triggering Rate Controls, may be suspended from sending outbound mail through the Barracuda Email Security Service. Please contact Barracuda Networks Technical Support if your IP address appears in this list. Outbound Quarantine How Outbound Quarantine Works You can configure policies on the OUTBOUND SETTINGS pages to quarantine outgoing messages that meet certain criteria. The OUTBOUND QUARANTINE page enables the administrator to view all quarantined outbound messages from senders within the organization, and to take action - delete, reject, deliver or export those messages. The administrator receives a notification email about quarantined messages as described below. For rejected messages, the sender will receive a non-delivery report (NDR) indicating that their message will not be sent to the recipient. Outbound Quarantine Notifications The following notifications and NDRs (non-delivery reports) can be configured for administrators and senders of quarantined mail from the OUTB OUND SETTING S > Notifications page. Admin Quarantine Notification The domain administrator receives a quarantine summary report at a specified interval, listing outbound quarantined messages since the last report. Settings include: Frequency (Immediately, Daily, Weekly or Never) Start time Email address. Sender Quarantine Notification When a message ends up in the outbound quarantine, the sender receives an NDR (non-delivery report) email if the administrator enables Quarantine Sender Notification on the OUTBOUND SETTINGS > Notifications page. The email template is configurable. Sender Notification of Rejected Mail If the administrator rejects an email in the outbound quarantine, then an NDR is sent to the sender of the email. The email template is configurable. Outbound Filtering Policies Applied by the Barracuda Email Security Service The following policies are applied to all outbound mail by the Barracuda Email Security Service by default: Scanning for viruses and intent. Scanning and scoring for spam content. If a virus or spam is discovered in an outbound message, the message will not be delivered; however, mail caught for spam can be manually delivered by the administrator. 54 Important It is not possible to bypass the virus or spam filtering of outbound mail. For information about configuring other outbound policy settings, including DLP and encryption, see Configure Outbound Filtering Policy. Or see the pages on the OUTBOUND SETTINGS tab in the Barracuda Email Security Service web interface. Advanced Configuration In this Section Secured Message Transmission Sender Authentication How to Configure Sender Policy Framework How to Configure Recipient Verification Using LDAP How to Configure Hosted Email Services Secured Message Transmission To prevent data leakage and ensure compliance with financial, health care and other federally-regulated agency information policies, the Barracuda Email Security Service provides several types of encryption for inbound and outbound message traffic. Sending Messages Over an Encrypted Channel TLS provides secure transmission of email content, both inbound and outbound, over an encrypted channel using the Secure Sockets Layer (SSL) - also known as TLS. To require mail to be sent outbound from the Barracuda Email Security Service over a TLS connection, you can enable Force TLS for each domain on the OUTBOUND SETTINGS > DLP/Encryption page. Mail sent to these domains must be transmitted across a TLS connection. If a TLS connection can not be established, then the mail will not be delivered. To require mail coming inbound to the Barracuda Email Security Service to use a TLS connection, use the SMTP Over TLS setting on the DOMAI NS > Settings page for each domain. If you enable SMTP over TLS, then if TLS is available on your organization's mail server, inbound mail is sent over a TLS channel. If not, mail is sent in cleartext. Encryption of Outbound Mail For guaranteed message encryption and ensured delivery of outbound messages, use the Barracuda Message Center to encrypt the contents of certain outbound messages. You can create policies for when to encrypt outbound messages on the OUTBOUND SETTINGS > Content Policies page for a domain. For details about using encryption with the Barracuda Message Center, see How to Use Encryption of Outbound Mail . For end-users, see the Barracuda Message Center User's Guide. Sender Authentication Sender Authentication mechanisms enable the Barracuda Email Security Service to protect your network and users from spammers who might "spoof" a domain or otherwise hide the identity of the true sender. This article describes the techniques used to verify the "from" address of a message. Sender Policy Framework Important! If you have Sender Policy Framework (SPF) checking enabled on your mail server or network, it is critical when using the Barracuda Email Security Service that you either disable SPF checking in the service OR add the Barracuda Email Security Service IP range (64.235.144.0/20) to your SPF exemptions. If this is not done, your SPF checker will block mail from domains with an SPF record set to Block. This is because the mail will be coming from a Barracuda Email Security Service IP address which is not in the sender's SPF record. 55 Sender Policy Framework (SPF) is an open standard specifying a method to prevent sender address forgery. The current version of SPF protects the envelope sender address, which is used for the delivery of messages. SPF works by having domains publish reverse MX records to display which machines are designated as mail sending machines for that domain. When receiving a message from a domain, the recipient can check those records to make sure mail is coming from a designated sending machine. If the message fails the SPF check, it is assumed to be spam. For more information on SPF, visit http://www.openspf.org. Messages that fail SPF check can be blocked and will be logged as such. Enable or disable the Sender Policy Framework feature for checking inbound mail from the INBOUND SETTINGS > Sender Authentication page. To configure, see How to Configure Sender Policy Framework. Note that if you enable SPF, you might also want to enable the Sender Rewriting Scheme (SRS). This option is configurable from the Advanced Configuration section of the DOMAINS > Domain Settings page and, if enabled, the Barracuda Email Security Service will make the IP address of your sending mail server visible to the agent doing Sender Policy Framework (SPF) verification on the recipient's end. Blocking No PTR Records While the A record for a domain points to an IP address, the PTR record resolves the IP address to a domain/hostname; PTR records are used for reverse DNS lookup. Enabling this feature means that the Barracuda Email Security Service will query DNS for the SPF record of the sending domain and, if there is no entry for the sending IP address, i.e. no PTR record, the message will be blocked. Configure on the INBOUND SETTINGS > Sender Authentication page. Custom Policies and Sender Spoof Protection For inbound email, organizations can define their own allowed sender domains, users or email addresses for sender authentication using the INB OUND SETTINGS > Sender Policies page. However, the safest way to indicate valid senders on the Barracuda Email Security Service is to exempt the IP addresses of trusted email servers from being scanned on the INBOUND SETTINGS > IP Address Policies page, then blocklist (block) their domain names on the INBOUND SETTINGS > Sender Policies page to prevent domain name spoofing. See Content Analysis Outbound Mail, to configure sender policies for outbound email. How to Configure Sender Policy Framework Use the steps in this article to configure Sender Policy Framework (SPF) checking for the Barracuda Email Security Service. Important If you have SPF checking enabled on your mail server or network, it is critical when using the Barracuda Email Security Service that you either disable SPF checking in the service or add the Barracuda Email Security Service IP range 64.235.144.0/20 to your SPF exemptions. Otherwise, your SPF checker blocks mail from domains with an SPF record set to Block because the mail is coming from a Barracuda Email Security Service IP address not in the sender's SPF record. For more information, see the Sender Policy Framework Project Overview. Configure SPF for Inbound Mail 1. Log in to your Barracuda Cloud Control account using your Essentials for Office 365 credentials, and click Email Security in the left pane. 2. Go to the INBOUND SETTINGS > Sender Authentication page, and in the Use Sender Policy Framework section, select the desired option: BLOCK FAIL – When selected, indicates the IP address of the message sender does not match the IP address or range of IP addresses specified in the sending domain name's SPF record, and that the real owner of the domain has specifically indicated that such messages should be rejected (blocked) as spoofed. BLOCK Fail, SOFTFAIL – When selected, indicates the message sender's IP address does not match the IP address or range of IP addresses specified in the sending domain name's SPF record and the domain owner did not specify how such messages are to be handled. Messages in either the SPF SOFTFAIL or FAIL state are blocked. You can optionally enable Sender Rewriting Scheme (SRS) for a specific domain on the DOMAINS > Domain Manager > Settings page. When enabled, the sending mail server IP address is visible to the SPF verification agent on the recipient's end. The recipient's SPF agent checks the reverse MX records for your domain and verifies your IP address as an authorized sender to ensure message delivery to the recipient. 3. Click Save Changes. 56 Exempt Trusted IP Addresses from SPF Checks You can exempt mail relay servers and other machines from SPF checks that are set up specifically to forward mail to the Barracuda Email Security Service from outside sources. Mail from these IP addresses is still scanned for spam. 1. Log in to your Barracuda Cloud Control account using your Essentials for Office 365 credentials, and click Email Security in the left pane. 2. Go to the INBOUND SETTINGS > Sender Authentication page, and in the Use Sender Policy Framework section, enter the IP Address and Netmask and optional Comment. 3. Click Add in the Actions column, and click Save Changes. Configure SPF for Outbound Mail To assure outbound mail from your Barracuda Email Security Service that Barracuda Networks is the authorized sending mail service, add the following to the INCLUDE line of the SPF record for each domain sending outbound mail: include:spf.ess.barracudanetworks.com How to Configure Recipient Verification Using LDAP Sender authentication and recipient verification are a critical part of maintaining security of email flowing into and out of your organization. By identifying known trusted senders and recipients of email, you can block a large percentage of spam, viruses and malware from your network. Once you have entered information about your LDAP server per instructions below, click the Test Settings button on the DOMAINS > Domain Settings page to ensure that the Barracuda Email Security Service can communicate with the server. LDAP server types supported include Active Directory, Novell eDirectory, Domino Directory and OpenLDAP. LDAP Lookup You can 'synchronize' the Barracuda Email Security Service with your existing LDAP server to automatically create accounts for all users in the domain. For more information about user accounts, see Managing User Accounts. LDAP lookup configuration and LDAP authentication of user logins is done by domain from the DOMAINS > Domain Settings page. From the D OMAINS > Domain Manager page, click Settings in the Actions column to the right of the domain name. Once you configure your LDAP settings on the DOMAINS > Domain Settings page as described below, click Synchronize Now to create user accounts for all users in your LDAP server. Important The Barracuda Email Security Service connects with your network from various IP addresses including performing LDAP lookups. To ensure the service can connect with your network, allow traffic originating from the following range of network addresses: 64.235.144.0/20 The following variables must be configured: LDAP Host, Port – The server utilized for LDAP lookups. If this setting is a hostname, and is contained in multiple A records, then fail-over capabilities are available if the Barracuda Email Security Service is unable to connect to one of the machines listed here. Port – Port used to connect to the LDAP service on the specified LDAP Server. Typically port 389 is used for regular LDAP and LDAP using the STARTTLS mode for privacy. Port 636 is assigned to the LDAPS service (LDAP over SSL/TLS). Use SSL (LDAPS) – By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology by selecting Yes for this option. Bind DN (Username) – Username used to connect to the LDAP service on the specified LDAP Server. If of the form accountname@dom ain.com, the username is transformed into a proper LDAP bind DN like CN=accountname,CN=users,DC=domain,DC=com when accessing the LDAP server. Sometimes the default transformation does not generate a proper bind DN. In such cases, a fully formed and valid bind DN must be entered. Bind Password – Password used to connect to the LDAP service on the specified LDAP Server. Base DN – Base DN for your directory. This is the starting search point in the LDAP tree. The default value will look up the 'defaultNamingContext' top-level attribute and use it as the search base. For example, if your domain is test.com, your Base DN might be dc=test,dc=com. Authentication Filter – Filter used to look up an email address and determine if it is valid for this domain. The filter consists of a series of 57 attributes that might contain the email address. If the email address is found in any of those attributes, then the account is valid and is allowed by the Barracuda Email Security Service. User Filter – Filter used to limit the accounts that the Barracuda Email Security Service will create when an LDAP query is made. For example, you could limit the LDAP synchronization to just users in certain sub-domains using the mail= parameter, or only synchronize user-objects in a certain organizational unit (OU) using the ou= parameter. Each type of LDAP server has specific query syntax, so consult the documentation for your LDAP server. For Microsoft Exchange syntax and examples, see the TechNet article LDAP Query Basics. Example: Your list of valid users on your directory server includes 'User1', 'User2', 'User3', 'BJones', 'RWong', and 'JDoe', and you create the User Filter (name=*User*). In this case, the service only creates accounts for 'User1', 'User2', and 'User3'. Mail Attributes – Attribute in your LDAP directory that contains the user's email address. Testing Email Address – Enter a valid email address for use in testing LDAP settings. If this field is left blank, LDAP settings are only tested for connection. Synchronize Automatically – Set to Yes if you are using LDAP and want the Barracuda Email Security Service to automatically synchronize your LDAP users to its database on a regular basis for recipient verification. With Microsoft Exchange server, the synchronization is incremental. Select No if you want to synchronize manually in case your LDAP server is not always available. To synchronize manually, click Synchronize Now. Use LDAP for Authentication – Set to Yes to enable LDAP for user login authentication. You can disable this setting if your LDAP server will be unavailable for a period of time. How to Configure Hosted Email Services In This Section How to Configure Google Apps for Inbound and Outbound Mail How to Configure Office 365 for Inbound and Outbound Mail How to Configure Google Apps for Inbound and Outbound Mail This article addresses configuring Google Apps Business and Education editions with the Barracuda Email Security Service as your inbound and/or outbound mail gateway. You can specify the Barracuda Email Security Service as an inbound mail gateway through which all incoming mail for your domain passes before reaching your Google Apps account. The Barracuda Email Security Service filters out spam and viruses, and then passes the mail on to the Google Apps mail servers. Use the Inbound Configuration instructions below to configure. You can likewise specify the Barracuda Email Security Service as the outbound mail gateway through which all mail is sent from your domain via your Google Apps account to the recipient. As the outbound gateway, the Barracuda Email Security Service processes the mail by filtering out spam and viruses before final delivery. By using the configuration described in Outbound Configuration below, you instruct the Google Apps mail servers to pass all outgoing mail from your domain to the Barracuda Email Security Service (the gateway server). Google Apps IP addresses and user interfaces can change; refer to the Google Apps Administrator Help Center for updates and configuration details. Step 1. Allow Only Barracuda Access to Google Apps 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. Sign in to the Google Admin console. From the dashboard, go to Apps > Google Apps > Gmail > Advanced settings. Open Content compliance. Type the following as the rule name: Barracuda ESS Under Email messages to affect, select Inbound. From the menu, select If ALL of the following match the message. In the Expressions section, click Add. From the menu, click Metadata match. From the Attribute menu, click Source IP. From the Match type menu, click is not within the following range. In the field under the menu, type: 64.235.144.0/20 12. Click Save. 13. Select Reject Message for the expression match. 14. Optional. Enter a rejection notice. 58 14. 15. Click Add Setting, and click Save in the bottom right of the window. Step 2. Launch the Barracuda Email Security Service Setup Wizard Alternatively, you can manually set up the Barracuda Email Security Service using the web interface. Click here to expand... Configure Domain 1. Log in to Barracuda Email Security Service, and go to the DOMAINS page. 2. Under Domain Name, enter the primary email domain to be filtered 3. 59 3. Enter the primary Google Apps destination mail server: ASPMX.L.GOOGLE.COM 4. Click Add. 5. Click Add Mail Server to continue adding the remaining Google Apps destination servers and their respective priority: Priority Google Apps Destination mail Server 5 ALT1.ASPMX.L.GOOGLE.COM 5 ALT2.ASPMX.L.GOOGLE.COM 10 ASPMX2.GOOGLEMAIL.COM 10 ASPMX3.GOOGLEMAIL.COM 1 ASPMX.L.GOOGLE.COM 6. Click Save Changes. 1. Log in to Barracuda Email Security Service, and click the link to launch the Email Security Service Setup wizard. 2. Click Get Started; the Specify Primary Email Domain page displays. Enter the primary email domain to be filtered. You can add additional domains later. 3. Click Next. The Specify Email Servers page displays. Enter the hostname/IP address of the mail server for the entered domain. Emails will be sent to this server after being scanned by the Barracuda Email Security Service. If the servers do not pre-populate, enter the primary Google Apps destination mail servers as follows: Priority Google Apps Destination mail Server 5 ALT1.ASPMX.L.GOOGLE.COM 5 ALT2.ASPMX.L.GOOGLE.COM 10 ASPMX2.GOOGLEMAIL.COM 10 ASPMX3.GOOGLEMAIL.COM 1 ASPMX.L.GOOGLE.COM After completing the setup, you must manually edit the priorities for each server from the Domain Settings page. 4. Enter an email address to test the server configuration, and click Test All Mail Servers . 5. Once the mail server is verified, the Verified ( ) icon displays in the Status column and a confirmation message displays at the top of the page. 6. Click Next. The Configure Settings page displays. Select from the following options: a. Virus Protection – Set to On to direct the Barracuda Email Security Service to detect and block viruses on inbound email. b. Spam Protection – Set to On to direct the Barracuda Email Security Service to evaluate inbound mail for spam based on a score assigned to each processed message. When set to Off inbound mail is not scanned for spam. c. Spam Scoring – Set Spam Protection to On to enable Spam Scoring. Scoring ranges from 1 (definitely not spam) to 10 (definitely spam). Setting a score of '1' will likely block legitimate messages while setting a score of '10' will allow more messages through the system. Based on this score the Barracuda Email Security Service blocks messages that appear to be spam and logs these messages in the user's Message Log with Score as the reason for the block. The following features, configured on the INBOUND SETTINGS > Anti-Spam/Antivirus page, are enabled when Spa m Protection is set to On: • Barracuda Reputation Block List (BRBL) – Database of IP addresses manually verified to be a noted source of spam. • Barracuda Real-Time System (BRTS) – Advanced service to detect zero-hour spam and virus outbreaks even where traditional heuristics and signatures to detect such messages do not yet exist. Each quarantined message has a reason of BRTS in the Message Log. • Sender Policy Framework (SPF) – Block Fail is disabled. 60 • Barracuda Anti-Fraud Intelligence – Barracuda Networks anti-phishing detection which uses a special Bayesian database for detecting Phishing scams. • Intent Analysis – Blocking based on intent analysis. • CloudScan Scoring – A cloud-based spam scanning engine which assigns a score to each message processed ranging from 0 (definitely not spam) to 10 (definitely spam). 7. Click Next. The Route Email Through Barracuda page displays. 8. To verify your domain, replace your current MX records with the Barracuda Email Security Service Primary and Backup MX records displayed on the page. During the evaluation period, to complete the verification process but allow your legitimate mail to continue using your current mail server, you can add the MX records with a low priority, for example, 99. Some mail may appear in the Message Log after making this MX record change as spammers routinely send mail to all MX records for a domain. Once you have made the change to your MX records, return to the Route Email Through Barracuda page and click Verify MX Records. The Barracuda Email Security Service should see the changes made and verify your domain. If the domain does not verify correctly, verify that your MX changes are live. You can do this by using the following sites that return your MX information: http://mxtoolbox.com/ https://toolbox.googleapps.com/apps/dig/ (select the MX option) If your domain's MX records do not display in the Barracuda Email Security Service MX records, you must wait until they display before your domain can be verified. 9. If you do not want to route your email through Barracuda Email Security, select I do not want to route my e-mail through Barracuda at this time, and select the verification option: Click here to expand... a. CNAME Records – To use the CNAME records method to verify the domain ownership: i. Log in to your DNS Server and, under this domain, create a subdomain whose name is created by concatenating 'barracuda' and the CNAME token shown in the Route Email Through Barracuda page. For example: barracuda30929916985.corpdomain.com ii. Point the CNAME record of that subdomain to ess.barracuda.com Allow the DNS propagation to take effect before proceeding. iii. Click Confirm Validation in the Route Email Through Barracuda page. b. Email to the postmaster – This method sends a verification email to the postmaster email address for your domain. The confirmation email includes a link that the recipient must click to verify the domain. c. Email to Technical Contact – This method sends a verification email to the technical contact email address, if it exists, listed on your domain's WHOIS entry. This verification option is not available if the Barracuda Email Security Service cannot find your domain's WHOIS entry. If there is not a technical contact, then only the MX Records and Email to the Postmaster options displays on this page. 10. Click Next. 11. The Confirmation page displays. Confirm domain ownership, and then click Done. 12. Go to the DOMAINS page and verify your settings. Step 3. (Optional) Configure Outbound Mail Flow To ensure outbound mail delivery, contact Barracuda Technical Support to have Hosted Outbound Relay enabled on your account. Failure to do so will result in undeliverable messages. 1. In the Routing section, locate Outbound gateway. 2. Enter the Outbound Hostname provided to you in the settings for your domain within the Email Security interface: 61 3. Click Save in the bottom right corner. Step 4. Configure Sender Policy Framework for Outbound Mail To assure Barracuda Networks is the authorized sending mail service for outbound mail recipients, review your domain's SPF record. See Sender Authentication for more information. If you have an SPF record set up for your domain, edit the existing record and add the following to the INCLUDE line for each domain sending outbound mail: include:spf.ess.barracudanetworks.com If you do not have an SPF record set up for your domain, use the following value to create a TXT record that creates a SOFTFAIL SPF for your domain: v=spf1 include:spf.ess.barracudanetworks.com ~all ESS, host name, hosted GApps How to Configure Office 365 for Inbound and Outbound Mail You can configure Microsoft Office 365 with the Barracuda Email Security Service as your inbound and/or outbound mail gateway. Use this article to prepare your Barracuda Email Security Service deployment to connect with Office 365. For information on basic configuration of outbound mail scanning with the Barracuda Email Security Service, refer to Step 3 Configure Outbound Mail Scanning. Important Office 365 IP addresses and user interfaces can change, so please refer to Microsoft documentation for details on configuration. This article is current with Microsoft procedures as of May, 2016. Before getting started, contact Barracuda Technical Support and request that Outbound Groups be enabled on your Barracuda Email Security Service account. You can specify the Barracuda Email Security Service as an inbound mail gateway through which all incoming mail for your domain is filtered before reaching your Office 365 account. The Barracuda Email Security Service filters out spam and viruses, then passes the mail on to the Office 365 mail servers. Use the Configure Inbound Mail Flow instructions below to configure. You can also specify the Barracuda Email Security Service as the outbound mail gateway through which all mail is sent from your domain via your Office 365 account to the recipient. As the outbound gateway, the Barracuda Email Security Service processes the mail by filtering out spam and viruses before final delivery. By configuring Office 365 as described in Configure Outbound Mail Flow below, you instruct the Office 365 mail servers to pass all outgoing mail from your domain to the Barracuda Email Security Service (the gateway server). 1. In the login screen, enter your Barracuda Cloud Control credentials, and click Sign In. 2. The Barracuda Email Security Service Dashboard displays. Click the Wizard link at the top of the page to use the setup wizard. Alternatively, you can click the Domains tab to use the web interface to manually configure domains and settings. 3. In the Setup Wizard, click Get Started. The Specify Primary Email Domain page displays. Enter the primary email domain you want to filter, for example: cudaware.com 4. Click Next. The Specify Email Servers page displays. Enter the mail server hostname (FQDN) or IP address for the domain entered in the previous step, for example: cudaware-com.mail.protection.outlook.com If the Barracuda Email Security Service Setup wizard has already identified your mail server IP based on the MX record, the M ail Server field pre-populates. 5. 62 5. Click Add. Enter an email address to test the server configuration, and click Test All Mail Servers. 6. Once the mail server is verified, the Verified ( ) icon displays in the status column and a confirmation message displays at the top of the page. 7. Click Next. The Configure Settings page displays. Select from the following options: a. Virus Protection – Set to On to direct the Barracuda Email Security Service to detect and block viruses on inbound email. b. Spam Protection – Set to On to direct the Barracuda Email Security Service to evaluate inbound mail for spam based on a score assigned to each processed message. When set to Off inbound mail is not scanned for spam. c. Spam Scoring – Set Spam Protection to On to enable Spam Scoring. Scoring ranges from 1 (definitely not spam) to 10 (definitely spam). Setting a score of '1' blocks most legitimate messages while setting a score of '10' allows more messages through the system. Based on this score the Barracuda Email Security Service blocks messages that appear to be spam and logs these messages in the user's Message Log with Score as the reason for the block. The following features, configured on the INBOUND SETTINGS > Anti-Spam/Antivirus page, are enabled when Spa m Protection is set to On: • Barracuda Reputation Block List (BRBL) – Database of IP addresses manually verified to be a noted source of spam. • Barracuda Real-Time System (BRTS) – Advanced service to detect zero-hour spam and virus outbreaks even where traditional heuristics and signatures to detect such messages do not yet exist. • Sender Policy Framework (SPF) – Block Fail is disabled. • Barracuda Anti-Fraud Intelligence – Barracuda Networks anti-phishing detection which uses a special Bayesian database for detecting Phishing scams. • Intent Analysis – Blocking based on intent analysis. • CloudScan Scoring – A cloud-based spam scanning engine which assigns a score to each message processed ranging from 0 (definitely not spam) to 10 (definitely spam). 8. Click Next. The Route Email Through Barracuda page displays. 9. To verify your domain, replace your current MX records with the Barracuda Email Security Service Primary and Backup MX records displayed on the page. During the evaluation period, to complete the verification process but allow your legitimate mail to continue using your current mail server, you can add the MX records with a low priority, for example, 99. Some mail may appear in the Message Log after making this MX record change as spammers routinely send mail to all MX records for a domain. Once you have made the change to your MX records, return to the Route Email Through Barracuda page and click Verify MX Records. The Barracuda Email Security Service should see the changes made and verify your domain. If the domain does not verify correctly, verify that your MX changes are live. You can do this by using the following sites that return your MX information: http://mxtoolbox.com/ https://toolbox.googleapps.com/apps/dig/ (select the MX option) If your domain's MX records do not display in the Barracuda Email Security Service MX records, you must wait until they display before your domain can be verified. 10. If you only want to route your inbound mail through the Barracuda Email Security Service and not your outbound mail, select I do not want to route my e-mail through Barracuda at this time , and select the verification option: a. CNAME Records – To use the CNAME records method to verify the domain ownership: i. Log in to your DNS Server and, under this domain, create a subdomain whose name is created by concatenating 'barracuda' and the CNAME token shown in the Route Email Through Barracuda page. For example: barracuda30929916985.corpdomain.com ii. Point the CNAME record of that subdomain to ess.barracuda.com Allow the DNS propagation to take effect before proceeding. iii. Click Confirm Validation in the Route Email Through Barracuda page. b. Email to Postmaster – This method sends a verification email to the postmaster email address for your domain. The confirmation email includes a link that the recipient must click to verify the domain. Click Send Email. c. Email to Technical Contact – This method sends a verification email to the technical contact email address, if it exists, listed on your domain's WHOIS entry. This verification option is not available if the Barracuda Email Security Service cannot find your 63 c. domain's WHOIS entry. Click Send Email. If there is not a technical contact, only the MX Records and Email to the Postmaster options display on this page. 11. Click Next. 12. The Confirmation page displays. Confirm domain ownership, and then click Done. Step 4. Add Additional Email Domains (Optional) Use the steps in this section only if you wish to manually add additional email domains, otherwise, go to Step 5. Create Transport Rule. Obtain the hostname: 1. 2. 3. 4. Log in to the Office 365 admin center. In the left pane, click Settings >Domains. In the Domains table, click on your domain. Take note of the hostname. This is the address of your destination mail server, for example, cudaware-com.mail.protection.outlook.com Enter the hostname: Barracuda recommends using a hostname rather than an IP address so that you can move the destination mail server and update DNS records without making changes to the Barracuda Email Security Service configuration. This address indicates where the Barracuda Email Security Service should direct inbound mail from the Internet to your Office 365 Exchange server. For example, your domain displays to the Internet as: bess-domain.mail.protection.outlook.com 1. Log in to the Barracuda Email Security Service as administrator, and click DOMAINS. 2. Enter the domain name and destination mail server hostname obtained from your Office 365 account: 3. Click Add; the Domain Settings page displays. Step 5. Create Transport Rule 1. If you have not already done so, contact Barracuda Technical Support and request that Outbound Groups be enabled on your Barracuda Email Security Service account. 2. Log in to the Office 365 admin center, and go to Admin centers > Exchange. 3. In the left pane, click mail flow, and click rules. 4. Click the + symbol, and click Bypass spam filtering: 64 5. In the new rule page, enter a Name to represent the rule. 6. From the Apply this rule drop-down menu, select The sender > IP address is in any of these ranges or exactly matches: 65 7. In the specify IP address ranges page, type 64.235.144.0/20 as the IP address/range for the Sender (Barracuda Email Security Service), and click the + symbol: 8. Click OK, and click Save to create the transport rule. Step 6. Configure Outbound Mail 1. Log in to the Barracuda Email Security Service, and click DOMAINS; make note of the Outbound Hostname: 66 1. 2. 3. 4. 5. Log in to the Office 365 admin center, and go to Admin centers > Exchange. In the left pane, click mail flow, and click connectors. Click the + symbol, and use the wizard to create a new connector. From the From drop-down menu, select Office 365, and from the To drop-down menu, select Partner organization: 6. Enter a Name and (optional) Description to identify the connector: 67 7. Click Next. Select Only when email messages are sent to these domains, click the + symbol, and enter an asterisk ( * ) in the add domain field: 68 8. Click OK, and click Next. Select Route email through these smart hosts, and click the + symbol. 9. Go to the Barracuda Email Security Service, and click the DOMAINS tab. Copy your outbound hostname from the MX records, and enter it in the add smart host page: 69 10. Click Save, and click Next. Use the default setting, Always use Transport Layer Security (TLS) to secure the connection (recommended) > Issues by Trusted certificate authority (CA): 70 11. Click Next. In the confirmation page, verify your settings and click Next. Office 365 runs a test to verify your settings: 71 12. When the verification page displays, enter a test email address, and click Validate. Once the verification is complete, your mail flow settings are added. Barracuda Email Security Service will now accept outbound traffic from Outlook 365. For additional configuration options and features, log in to the web interface and click Help. O365 Managing Domains Your Barracuda Email Security Service only accepts emails addressed to domains that it is configured to recognize. After adding and verifying all domains you want the service to manage (see the Configure Your Mail Servers and Domains section of Step 2 - Initial Service Setup), you can select to manage each domain individually so that you can configure different policies and settings. Configure Policy for Individual Domains To configure a policy for an individual domains, in the Domains Manager, click Manage in the Actions column to view the Message Log, view Statistics, and manage all per-domain settings for the selected domain. Domain Level Settings Domains you add and verify are initially configured with the specified default global settings. Once you are managing an individual domain, the 72 same Message Log, Inbound Settings, and other tabs display, but the DOMAINS tab is not visible. At the top of the DASHBOARD page, the following message displays: You are now managing settings for <domain name>. Return to account management. Click Return to account management to manage global settings for all domains, or to manage settings and policies for another domain. Important When managing a particular domain, the settings you change apply to that domain specifically and override global settings for that domain. If the administrator deletes a domain, a dialog box prompts for confirmation of deletion. For details about domain settings, see the DOMAINS > Domain Manager > Settings page and click the Help button. Designate Domain Administrators You can assign certain users to manage one or more domains in the Barracuda Email Security Service. These users can add mail servers, edit domain settings, view the DASHBOARD page, and manage all policies for those domains. To designate a domain administrator: 1. 2. 3. 4. Go to the USERS > User List page. Select a user, and click Edit in the Actions column. In the Managed Domains list, select one or more domains that this user can manage. Click Save. This user is now a Domain Administrator for the selected domains, and can now manage inbound and outbound email policies for these domains in the Barracuda Email Security Service. Managing User Accounts User-level documentation: Barracuda Email Security Service User Guide From the USERS > Users List page an administrator can: Search for users Sort the user list Reset a user password (if the user was added manually) Add new users (based on how user accounts were initially set up) Set an account as a domain owner Log in as a user Edit user settings Delete users User Roles User roles determine Barracuda Email Security Service access privileges: Administrator – An administrator can view and modify all aspects of all domains, and configure global and domain-level settings. Domain administrator – A domain administrator can configure domain-level settings and view all domain settings and users for the assigned domains. User – A user can configure user-level settings on their own account. Search for Users Enter all or part of a username or email address, and click Search to display all matching results. Sort Users 73 Click the column titles to sort by user account, user type, or notification status. Manually Add Users You can manually add and update users one at a time or in bulk as a list in the USERS > Users List page. Once a user is added manually, the U ser Type field displays as Manual. When you click Add/Update Users, the USERS > Add/Update Users page displays where you can: User Accounts – Enter each user email address for the domain on a separate line Enable User Quarantine – When set to Yes, all email for all users in the User Accounts field which meet the configured block policy go to the user's quarantine account. When a user receives their first quarantined email in their quarantine inbox (Message Log), a second email is generated as the first quarantine notification, and goes to the user's email account. This email is only generated if there is a notification interval set and that recipient has received at least one message marked with the Action of Quarantine. Notify New Users – When set to Yes, each user in the User Accounts field receives a welcome email when the account is created. Once you add users, click Save Changes to add the users and return to the USERS > Users List page. Add LDAP Users If the user accounts are set up through LDAP authentication, you can automatically add users through LDAP synchronization: Synchronize Now – To manually synchronize LDAP users on a domain, set Synchronize Automatically to No on the DOMAINS > Domain Settings page, and click Synchronize Now whenever you want to sync users. If you have numerous LDAP users (over 300 hundred), and you click Synchronize Now in the DOMAINS > Domain Settings page, your LDAP server may time-out before LDAP synchronization is complete. To resolve this issue, go to the DOMAINS > Domain Settings page, and set Synchronize Automatically to Yes. Synchronize Automatically – To automatically synchronize LDAP users on a domain, set Synchronize Automatically to Yes on the D OMAINS > Domain Settings page. Barracuda Email Security Service automatically synchronizes your LDA users to its database incrementally for recipient verification. Set an Account as Domain Administrator You can set an account as a domain owner, and select verified domains you want the user to manage to set up delegated administration: 1. Go to the USERS > Users List page, and click Edit in the Actions column to the right of an Enabled user. 2. In the Edit User page, click All to select all available domains, or select domains individually: 3. Click Save. Log in as a User An administrator can click Log in as this user to: View or change user settings View and manage the domains the user manages View, search, and manage the user's Message Log 74 Edit Users You can edit the following user settings: Click Edit to add or remove domain administration privileges; Click Reset to reset the selected user's password; when clicked, an email is sent to the user with a link to reset their password. Delete Users You can select to delete a single user or click Bulk Delete to delete all users. Default User Settings Set the default scan/block/allow policies for both managed users and unmanaged users on the USERS > Default Policy page: Managed Users – Users display on the USERS > Users List page and are configured either manually or by synchronizing with your LDAP server. Unmanaged Users – Senders and recipients of email for the configured domains not in the USERS > Users List. By default, all email is scanned as opposed to blocked or allowed unless changed in the Default Policy page. Select the Default Time Zone for all users from the drop-down menu. User Actions Users can view their quarantine inbox (Message Log) and set some account preferences, depending on what is enabled on their account. Available permissions include: Quarantine Notification reports – Modify individual settings for quarantine notification reports. Manage quarantine inbox – Deliver or delete quarantined messages. Password – Change their password. Link Accounts – Select to use the current account as an alias. From the SETTINGS > Linked Accounts page, the user can add additional email addresses they have in the same domain for which quarantined email is to be forwarded to this account. Exempt – Create exempt and blocklists for email addresses, users, and domains in the SETTINGS > Sender Policy page. Office 365 Managed Accounts Delegated Administration O365 Quarantine Notifications The Barracuda Email Security Service can send notifications (quarantine digest) at predefined intervals. The administrator can set the notification interval for all users on the USERS > Quarantine Notification page, or set Allow users to specify interval to Yes so that users can set their own notification interval on the SETTINGS > Quarantine Notification page when logged into their user account. The Default interval for user quarantine notifications is Daily. You can select to set notifications to Weekly or None, or select Custom to select the days and time of the week to send notifications. The Quarantine Digest The quarantine digest (summary) is sent when new quarantined mail is saved in the user's account (inbox) since the last notification cycle. Each day the quarantine notification service runs for all users. If there is no new quarantined mail for a user since the last notification interval, no quarantine digest is generated and sent to that user for that same 24 hour period. 75 The links in the quarantine notification email allow the user to access their Barracuda Email Security Service user account without entering their username and password. The link is valid for seven days. After that, the user must manually log in to https://ess.barracudanetworks.com. The links in the Action column allow the user to: Deliver – Click to deliver the message to regular inbox. Whitelist – Click to whitelist the sender. All future messages from the sender are allowed and go directly to the user's regular inbox. Figure 1. Sample Quarantined Notification Email. Reporting Use the REPORTS tab to choose from Inbound or Outbound email traffic. Reports cover global activity across all domains for which you have mail filtered, with up to a maximum history of 30 days of data. Select the Start Date and End Date using the calendar controls. Note that you cannot run a report that covers more than a 7 day period. Reports can be anchored on: Message filtering statistics, including number of messages rate controlled, encrypted, blocked due to policy, blocked due to spam, etc. Select Inbound or Outbound in the Report Type control. User activity – Top senders of messages, top recipients of messages, top spam senders, top virus senders, etc. Select a report title, start and end dates, and indicate how many of the Top senders or recipients to show in the report. Barracuda Email Security Service User Guide The Barracuda Email Security Service is a cloud-based email security service that protects both inbound and outbound email against the latest spam, viruses, worms, phishing, and denial of service attacks. The Barracuda Email Security Service web interface includes the Message Log from which you can manage your quarantined messages. Additionally, you can set account preferences based on features enabled for your account by the administrator. Permissions may include: Modify quarantine notification report settings. Set email receipt frequency with a list of messages in your quarantine account. Once 76 received, you can select whether to delete or deliver these messages to your email address. Create exemption (accept mail from), block, or quarantine policies for email addresses, domains, and users. Manage quarantine inbox delivery or delete quarantined messages. Change password. Link Accounts. Use the current account as an alias and add additional email addresses in the same domain for which quarantined email is to be forwarded to this account. Welcome Email Once your system administrator creates your account, the Barracuda Email Security Service sends you a welcome email including a login link. Note that the link expires after seven days. Quarantined Mail You are notified on a regular interval when you have quarantined messages. The quarantine notification interval (daily, weekly, etc.) is set either by your administrator or, if you have permissions, you. Figure 1. Quarantined Email Notification. Manage Quarantined Mail Use the Message Log to manage quarantined mail. The Message Log page displays all email messages that come through the Barracuda Email Security Service to your account. You can filter the view by All, Allowed, Not Allowed, Blocked, Deferred, or Quarantined using the drop-down menu. Figure 2. Filter Messages in the Message Log. 77 Messages are blocked due to the following: Spam and virus policies set by your administrator for the domain; and Email address or domain block policies, as well as email from other users, set by your administrator for the domain. Messages are deferred for various reasons. Click the Help searching for and filtering messages. icon on the Message Log page for more information as well as details on From the Message Log page you can select one or more messages, and then click on an action, as illustrated in Figure 3. To select all messages, select the check box at the top of the Message List. Figure 3. Message Actions. Once you select one or more messages, you can take the following actions: Spam – Selected messages are sent to Barracuda Central for analysis. Not Spam – Selected messages are sent to Barracuda Central for analysis. Export – Selected messages are exported to a CSV file. When prompted, enter a file name and select whether to save to your local desktop or network. Deliver – Attempts to deliver the selected message(s) to your mailbox. If a message is successfully delivered, the Delivery Status chang es to Delivered. The mail remains in the log until you select the message and click Delete. If the mail cannot be delivered, a notice displays in your browser window and the Delivery Status does not change. If delivered messages are not delivered to the recipient's mailbox, it may be due to a filter on the mail server or a service on your network catching the mail as spam. Check with your system administrator for more information. Additionally, check your local trash/spam folder for the mail. Delete – Selected messages are removed from the Message Log. Whitelist – Always accept mail from the selected email addresses, domains, and/or users. Recategorize – When one or more categorized emails are selected, allows you to change the category. For example, if the message is categorized as Corporate but you believe it should be categorized as Marketing Materials, you can change the category via the Recate gorize drop-down. This action submits this email message for recategorization to your selected category. If you select Other and enter a custom category, the category updates for that particular email message. For more information, see Email Categorization below. Email Categorization If the Reason for a message in your Message Log displays as Email Categorization, the email from this sender is categorized as not necessarily spam, but something that you may have subscribed to at one time but no longer want to receive. For example, newsletters and memberships, or 78 marketing information. Email Categorization assigns some of these emails to specific categories, which the administrator can decide to allow, block, or quarantine. Supported categories display in the Message Log Reason field as: Email Categorization (corporate) – Emails sent by a user at an authenticated organization that involves general corporate communications; this does not include marketing newsletters. Email Categorization (transactional) – Emails related to order confirmations, bills, invoices, bank statements, delivery/shipping notices, and service-related surveys. Email Categorization (marketing) – Promotional emails from companies such as Constant Contact. View Message To view the message source, headers, and available options, double-click the message; the message content displays. You can take the following options: Click Source to view all headers Click Deliver to deliver the email to your regular mailbox Click Download to download the message to your local system or network Click Whitelist to exempt the sender, that is, specify that all future mail from the sender is not quarantined and instead goes directly to your regular mailbox Alternatively, you can use the SETTINGS > Sender Policy page to exempt or block senders. See Set Exempt and Blocklist Policies later in this article for additional information. Click Block and select whether to block the message Domain or Email Click Delete to remove the message Click Download to download and open the email Figure 4. Message Source with Headers. Set Quarantine Notification Interval 79 You can direct the Barracuda Email Security Service to notify you by email when you have quarantined messages. On the SETTINGS > Quarantine Notifications page, select Never, Daily, Weekly, or select Custom and set the time of day for quarantine notification email delivery for any or all days of the week. Clear a day if you do not want to send quarantine notifications for that day. Click Save Changes to save your settings. Figure 5. Set Quarantine Notification Interval. Set Exempt and Blocklist Policies Use the Sender Policy page to specify whether to block, allow, or quarantine messages from a specific sender or domain. These are called exempt/blocklist policies. To create a new policy: 1. Go to SETTINGS > Sender Policy, and enter the email address or domain: 2. From the Policy drop-down menu, select whether to Block, Exempt, or Quarantine the Sender. 3. Optionally, you can add a comment to indicate why you created the policy. 4. Click Add to save the policy. Link Quarantine Accounts You can add additional email addresses in the same domain for which quarantined email is to be forwarded to this account. From the SETTINGS > Linked Accounts page, click Link an Account, fill in the email address to link, select whether to Link account without verification, and then click Add. Change Your Password Use the SETTINGS > Change Password page to change your password. Click Save Changes to change your password. 80 How to Re-Enable a Suspended or Disabled Account If your trial period expires before you purchase a subscription, or if you do not renew your subscription, a warning message displays at the top of every page indicating that your account has expired and is either suspended or disabled, and an email notification is sent to you: Dear Administrator, Thank you for using the Barracuda Email Security Service. Your Barracuda Email Security Service trial will expire in 15 day(s) and your account will be suspended in 75 day(s). In order to continue your service, please visit: http://www.barracudanetworks.com/ns/purchase/. For questions, please visit http://www.barracudanetworks.com/ns/support/ or call 408-342-5300. Thank you, Barracuda Email Security Service Team Suspended – If your account is suspended, the service continues to scan viruses only; configured policies are no longer applied, spam is not blocked, and spooling is disabled. Disabled – If your account is disabled, all mail to your domains is rejected by the service. Troubleshooting and Error Messages Issue Description Message Log entries with subject: Message has no content Indicates an incomplete SMTP transaction due to a failed connection. Disabled or suspended account If your trial period expires before you purchase a subscription, or if you do not renew your subscription, a warning message displays at the top of every page indicating that your account has expired and is either suspended or disabled. The Barracuda Email Security Service logs all failed connections and the log entry for the message shows the from/to data, but does not have any header or body content. This mail includes messages that are malformed or are addressed to invalid recipients. See How to Re-Enable a Suspended or Disabled Account. Mail incorrectly blocked for the reason: Score Message Log displays Score as the reason a message is blocked. If a message is incorrectly blocked, select the message and click NO T SPAM. The message is then sent to Barracuda Networks where scoring is reviewed and any necessary modifications are made. Messages marked Delivered from Message Log are not delivered to recipient account. When you click Deliver for one or more selected messages in the Message Log, if the message is successfully delivered, the Delivery Status displays as Delivered. The mail remains in the log unless you select the message again and click Delete. If the mail cannot be delivered, a notice displays in your browser and the Delivery Status does not change. If delivered messages are not making it to the recipient's mailbox, it may be due to a filter on your mail server or a service on your network catching the mail as spam. Check your local trash/spam folder for the missing mail. How To Videos Initial Configuration 81 Watch this video for a look at domain settings and MX record configuration: Videos are not visible in the PDF export. Dashboard Watch this video for a look at the dashboard: Videos are not visible in the PDF export. Configuring Inbound Email Watch this video for an overview of configuring inbound email: Videos are not visible in the PDF export. Configuring Outbound Email Watch this video for an overview of configuring outbound email: Videos are not visible in the PDF export. Outbound Quarantine, User Management, Reports, and Message Log Watch this video for a look at the outbound quarantine, user management, reports, and message log features: Videos are not visible in the PDF export. Online Service Terms Cloud Service Terms "Cloud Service" means a Barracuda-hosted service to which Customer subscribes or uses at any time. Cloud Service Term Updates & International Availability At all times, use of the Cloud Services is subject to the then-current Cloud Service Terms. Barracuda may make changes to each Cloud Service from time to time. Barracuda may terminate a Cloud Service in any country where Barracuda is subject to a government regulation, obligation or other requirement that is not generally applicable to businesses operating there. Availability, functionality, and language versions for each Cloud Service may vary by country. Data Retention At all times during the term of Customer’s subscription, and subject to data retention configurations, Customer will have the ability to access and extract Customer Data stored in each Cloud Service. "Customer Data" means all data, including all text, sound, video, or image files, and software, that are provided to Barracuda by, or on behalf of, Customer through use of the Cloud Service. Except for free trials, Barracuda will retain Customer Data stored in the Cloud Service in a limited function account for 30 days after expiration or termination of Customer’s subscription so that Customer may extract the data. After the 30-day retention period ends, Barracuda will disable Customer’s account and may delete the Customer Data at its discretion. The Cloud Service may not support retention or extraction of software provided by Customer. Barracuda has no liability for the deletion of Customer Data as described in this section. Use of Software with the Cloud Service Cloud Services contain software. Use of the software by customer is subject to the following terms: Barracuda Software License Terms Customer may install and use the software only for use with the Cloud Service. The Cloud Service may limit the number of copies of the software Customer may use or the number of devices on which Customer may use it. Customer’s right to use the software begins when the Cloud Service is activated and ends when Customer’s right to use the Cloud Service ends. Customer must uninstall the software when 82 Customer’s right to use it ends. Barracuda may disable it at that time. Validation, Automatic Updates, and Collection for Software Barracuda may automatically check the version of any of its software. Devices on which the software is installed may periodically provide information to enable Barracuda to verify that the software is properly licensed. This information includes the software version, the end user’s user account, product ID information, a machine ID, and the internet protocol address of the device. If the software is not properly licensed, its functionality will be affected. Customer may only obtain updates or upgrades for the software from Barracuda or authorized sources. By using the software, Customer consents to the transmission of the information described in this section. Barracuda may, at its discretion, recommend or download to Customer’s devices updates or supplements to this software, with or without notice. Some Cloud Services may require, or may be enhanced by, the installation of local software (e.g., agents, device management applications) ("Apps"). The Apps may collect data about the use and performance of the Apps, which may be transmitted to Barracuda and used for the purposes described in this Cloud Service Terms . Third-party Software Components The software may contain third party software components. Unless otherwise disclosed in that software, Barracuda, not the third party, licenses these components to Customer under Barracuda’s license terms and notices. Non-Barracuda Products "Non-Barracuda Product" means any third-party-branded software, data, service, website or product. Barracuda may make Non-Barracuda Products available to Customer through Customer’s use of the Cloud Services. If Customer installs or uses any Non-Barracuda Product with a Cloud Service, Customer’s use is subject to third party license terms only and customer may not do so in any way that would subject Barracuda’s intellectual property or technology to obligations. For Customer’s convenience, Barracuda may include charges for the Non-Barracuda Product as part of Customer’s bill for Cloud Services. Barracuda, however, assumes no responsibility or liability whatsoever for the Non-Barracuda Product. Customer is solely responsible for any Non-Barracuda Product that it installs or uses with a Cloud Service. Acceptable Use Policy Neither Customer, nor those that access a Cloud Service through Customer, may use a Cloud Service: in a way prohibited by law, regulation, governmental order or decree; to violate the rights of others; to try to gain unauthorized access to or disrupt any service, device, data, account or network; to spam or distribute malware; in a way that could harm the Cloud Service or impair anyone else’s use of it; or in any application or situation where failure of the Cloud Service could lead to the death or serious bodily injury of any person, or to severe physical or environmental damage. Violation of the terms in this section may result in suspension or cancellation of the Cloud Service. Barracuda may provide reasonable notice before suspending a Cloud Service. Technical Limitations Customer must comply with, and may not work around, any technical limitations in a Cloud Service that only allow Customer to use it in certain ways. Customer may not download or otherwise remove copies of software or source code from a Cloud Service except as explicitly authorized. Compliance with Laws Barracuda will comply with all laws and regulations applicable to its provision of the Cloud Services, including security breach notification law. However, Barracuda is not responsible for compliance with any laws or regulations applicable to Customer or Customer’s industry. Barracuda does not determine whether Customer Data includes information subject to any specific law or regulation. Customer must comply with all laws and regulations applicable to its use of Cloud Services, including laws related to privacy, data protection and confidentiality of communications. Customer is responsible for implementing and maintaining privacy protections and security measures for components that Customer provides or controls, and for determining whether the Cloud Services are appropriate for storage and processing of information subject to any specific law or regulation. Customer is responsible for responding to any request from a third party regarding Customer’s use of a Cloud Service, such as a request to take down content under the U.S. Digital Millennium Copyright Act or other applicable laws. Import/Export Services Customer’s use of any tools provided in the cloud services which allows for the import or export of data is conditioned upon its compliance with all instructions provided by Barracuda regarding the preparation, treatment and shipment of physical media containing its data ("storage media"). 83 Customer is solely responsible for ensuring the storage media and data are provided in compliance with all laws and regulations. Barracuda has no duty with respect to the storage media and no liability for lost, damaged or destroyed storage media. Electronic Notices Barracuda may provide Customer with information and notices about Cloud Services electronically, including via email, through the portal for the Cloud Service, or through a web site that Barracuda identifies. Notice is given as of the date it is made available by Barracuda. Privacy and Security Terms General Privacy and Security Terms Scope The terms in this section apply to all Barracuda Cloud Services. Use of Customer Data Customer Data will be used only to provide Customer the Cloud Services including purposes compatible with providing those services. Barracuda will not use Customer Data or derive information from it for any advertising or similar commercial purposes. In addition to providing the service and day-to-day operations, Barracuda may use your data for the following: Troubleshooting aimed at preventing, detecting, and repairing problems affecting the operation of services. Ongoing improvement of features, such as those that improve the reliability of our services, or involve the detection of, and protection against, threats to the services or customer data (such as malware or spam). Providing personalized customer experiences. Contacting you about new products and services. As between the parties, Customer retains all right, title and interest in and to Customer Data. Barracuda acquires no rights in Customer Data, other than the rights Customer grants to Barracuda for the uses set forth above. This paragraph does not affect Barracuda’s rights in software or services Barracuda licenses to Customer. Disclosure of Customer Data Barracuda will not voluntarily disclose Customer Data outside of Barracuda or its controlled subsidiaries and affiliates except (1) as Customer directs, (2) as described in the Cloud Service Terms , or (3) as required by law. Barracuda does not disclose Customer Data to law enforcement or third parties and when required to disclose Customer Data to law enforcement or a third party, Barracuda will do so only to the extent necessary. In support of the above, Barracuda may provide Customer’s basic contact information to the third party. Educational Institutions If Customer is an educational agency or institution to which regulations under the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (FERPA) apply, Customer understands that Barracuda may possess limited or no contact information for Customer’s students and students’ parents. Consequently, Customer will be responsible for obtaining any parental consent for any end user’s use of the Cloud Service that may be required by applicable law and to convey notification on behalf of Barracuda to students (or, with respect to a student under 18 years of age and not in attendance at a postsecondary institution, to the student’s parent) of any judicial order or lawfully-issued subpoena requiring the disclosure of Customer Data in Barracuda’s possession as may be required under applicable law. HIPAA Business Associate Barracuda complies with any portions of HIPAA or the HITECH Act that are directly applicable to Barracuda. In particular, the Barracuda Cloud safeguards data in such a way as to satisfy HIPAA’s Security Rule. Customers wishing to establish a Business Associate relationship with Barracuda per 45 CFR 164.502(e) and 164.504(e) should request a Business Associate Agreement from Barracuda. The Business Associate Agreement defines commitments that Barracuda will make to maintain HIPAA and HITECH compliance as required. Security Barracuda is committed to helping protect the security of Customer’s information. Barracuda has implemented and will maintain and follow appropriate technical and organizational measures intended to protect Customer Data against accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction. Security Incident Notification 84 If Barracuda becomes aware of any unlawful access to any Customer Data stored on Barracuda’s equipment or in Barracuda’s facilities resulting in loss, disclosure, or alteration of Customer Data (each a "Security Incident"), Barracuda will promptly (1) notify Customer of the Security Incident; (2) investigate the Security Incident; and (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident. Notification(s) of Security Incidents will be delivered to one or more of Customer’s administrators by any means Barracuda selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information on each applicable Cloud Services portal. Barracuda’s obligation to report or respond to a Security Incident under this section is not an acknowledgement by Barracuda of any fault or liability with respect to the Security Incident. Customer must notify Barracuda promptly about any possible misuse of its accounts or authentication credentials or any security incident related to a Cloud Service. Location of Data Processing Except as described elsewhere in the Cloud Service Terms, Customer Data that Barracuda processes on Customer’s behalf may be transferred to, and stored and processed in, the United States or any other country in which Barracuda or its affiliates or subcontractors maintain facilities. Customer appoints Barracuda to perform any such transfer of Customer Data to any such country and to store and process Customer Data in order to provide the Cloud Services. Preview Releases Barracuda may offer preview, beta or other pre-release features, data center locations, and services ("Previews") for optional evaluation. Previews may employ lesser or different privacy and security measures than those typically present in the Cloud Services. Use of Subcontractors Barracuda may hire subcontractors to provide services on its behalf. Any such subcontractors will be permitted to obtain Customer Data only to deliver the services Barracuda has retained them to provide and will be prohibited from using Customer Data for any other purpose. Barracuda remains responsible for its subcontractors’ compliance with Barracuda’s obligations in the Cloud Service Terms. Customer consents to Barracuda’s transfer of Customer Data to subcontractors. How to Contact Barracuda If Customer believes that Barracuda is not adhering to its privacy or security commitments, Customer may contact customer support or use Barracuda’s Privacy web form, located at https://www.barracuda.com/company/contact Data Processing Location of Customer Data at Rest Barracuda will store Customer Data at rest within secure data centers in the United States, Canada, Europe and APAC. Barracuda does not control or limit the regions from which Customer or Customer’s end users may access or move Customer Data. Privacy Customer Data Deletion or Return. We aim to maintain our services in a manner that protects information from accidental or malicious destruction. We are not obligated to immediately delete residual copies from our active servers and may not remove information from our backup systems. Barracuda Personnel. Barracuda personnel are granted access to confidential information only when necessary under management oversight. Barracuda personnel will use customer data only for purposes compatible with providing you the services, which can include customer support and troubleshooting the service and are obligated to maintain the security and confidentiality of any Customer Data. This obligation continues even after their engagements end. Subcontractor Transfer. Barracuda may hire subcontractors to provide certain limited or ancillary services on its behalf. Any subcontractors to whom Barracuda transfers Customer Data, even those used for storage purposes, will have entered into confidential written agreements with Barracuda. Customer has previously consented to Barracuda’s transfer of Customer Data to subcontractors as described in the Cloud Service Terms. Security General Practices. Barracuda has implemented and follows for the Cloud Services the following security measures. Domain Practices 85 Organization of Information Security Security Ownership. Barracuda has appointed one or more managers responsible for coordinating and monitoring the security rules and procedures. Security Roles and Responsibilities. Barracuda personnel with access to Customer Data are subject to confidentiality obligations. Asset Management Barracuda treats all Customer Data as confidential to allow for access to it to be appropriately restricted. Barracuda imposes restrictions on printing Customer Data Human Resources Security Barracuda informs its personnel about relevant security procedures and their respective roles. Barracuda also informs its personnel of possible consequences of breaching the security rules and procedures. Physical and Environmental Security Physical Access to Facilities. Barracuda limits access to facilities where information systems that process Customer Data are located to identified authorized individuals. Protection from Disruptions. Barracuda uses a variety of industry standard systems to protect against loss of data due to power supply failure or line interference. Component Disposal. Barracuda uses industry standard processes to delete Customer. Communications and Operations Management Operational Policy. Barracuda maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Customer Data. Data Recovery Procedures Barracuda has specific procedures in place governing access to copies of Customer Data. Barracuda reviews data recovery procedures at least every twelve months. Barracuda logs data restoration efforts, including the person responsible, the description of the restored data and where applicable, the person responsible and which data (if any) had to be input manually in the data recovery process. Malicious Software. Barracuda has anti-malware controls to help avoid malicious software gaining unauthorized access to Customer Data, including malicious software originating from public networks. Data Beyond Boundaries - Barracuda encrypts, or enables Customer to encrypt, Customer Data that is transmitted over public networks. Event Logging. Barracuda logs, or enables Customer to log, access and use of information systems containing Customer Data, registering the access ID, time, authorization granted or denied, and relevant activity. 86 Access Control Access Policy. Barracuda maintains a record of security privileges of individuals having access to Customer Data. Access Authorization Barracuda maintains and updates a record of personnel authorized to access Barracuda systems that contain Customer Data. Barracuda deactivates authentication credentials that have not been used for a period of time. Barracuda identifies those personnel who may grant, alter or cancel authorized access to data and resources. Barracuda ensures that where more than one individual has access to systems containing Customer Data, the individuals have separate identifiers/log-ins. Least Privilege Barracuda restricts access to Customer Data to only those individuals who require such access to perform their job function. Integrity and Confidentiality Barracuda instructs Barracuda personnel to disable administrative sessions when leaving premises Barracuda controls or when computers are otherwise left unattended. Barracuda stores passwords in a way that makes them unintelligible while they are in force. Authentication Barracuda uses industry standard practices to identify and authenticate users who attempt to access information systems. Where authentication mechanisms are based on passwords, Barracuda requires that the passwords are renewed regularly. Where authentication mechanisms are based on passwords, Barracuda sets rules requiring password complexity. Barracuda ensures that de-activated or expired identifiers are not granted to other individuals. Barracuda monitors, or enables Customer to monitor, repeated attempts to gain access to the information system using an invalid password. Barracuda maintains industry standard procedures to deactivate passwords that have been corrupted or inadvertently disclosed. Barracuda uses industry standard password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage. Business Continuity Management Barracuda’s redundant storage and its procedures for recovering data are designed to attempt to reconstruct Customer Data in its original or last-replicated state from before the time it was lost or destroyed. Cloud Services Information Security Policy The following services are certified as follows Cloud Service Audit Type CudaSign SSAE 16 SOC 2 Type II 87 Backup SSAE 16 SOC 2 Type II Intronis SSAE 16 SOC 1 Type II Subject to non-disclosure obligations, Barracuda will make product specific security overviews available to Customer. Customer is solely responsible for reviewing each Security Overview and making an independent determination as to whether it meets Customer’s requirements. Barracuda Review of Cloud Services Barracuda will review the security of the computers, computing environment and physical data centers that it uses in processing Customer Data (including personal data), as follows: Where a standard or framework provides for audits or reviews, a review of such control standard or framework will be initiated at least annually for each Cloud Service. Each review will be performed according to the standards and rules of the regulatory or accreditation body for each applicable control standard or framework. Barracuda will promptly remediate issues raised in any Barracuda review. 88