Thursday, December 27, 2007

Barracuda Networks and their customers could to do more to stop the backscatter



Here's my latest tally of backscatter received from Barracuda firewalls since 2007-09-16:
1940 messages
According to the press releases, Barracuda says 95% of email being sent is spam. According to most people's experiences, 100% of spams have forged "from" addresses. The success of their firewall product, and the continual increase in spam are probably the reasons for an increase in email backscatter. Sadly, too many Barracuda Spam Firewall customers still enable auto-replies for spams that get blocked.

When I get such backscatter, it's easy to fight back with an auto-reply of my own (thanks to Thunderbird's filters). Several Barracuda Spam Firewall customers have replied to me when I (automatically) contacted them about their firewalls creating backscatter.

Here are a few of those relatively rare, yet encouraging replies. I have left out the names of the individuals involved for privacy reasons:
date: Dec 21, 2007 6:02 AM
subject: RE: Please configure your spam firewall to stop bouncing spams to me

First of all, sorry for the inconvenience and we thank you your advice.

We have changed the wrong configuration parameter.

Please, let us know if you receive still bouncing spams in the next days.

Date: Dec 3, 2007 8:17 AM
Subject: RE: Please configure your spam firewall to stop bouncing spams to me (was: **Message you sent blocked by our bulk email filter**)

Sir –

Thank you for the information. I would have never known about this problem without your email. I have made the recommend changes on my Barracuda filter.

date: Nov 28, 2007 12:11 AM
subject: RE: Please configure your spam firewall

The suggested changes have been made. Thanks for the heads up.

date: Oct 31, 2007 1:48 PM
subject: RE: Please configure your spam firewall to stop bouncing spams to me (was: **Message you sent blocked by our bulk email filter**)

Sorry for the inconvenience, I disabled the feature

Thanks, there is enough crap going around, no use having it bounce around on top of that

date: Oct 29, 2007 7:22 PM
subject: RE: Please configure your spam firewall to stop bouncing spams to me (was: **Message you sent blocked by our bulk email filter**)

Please accept our apologies for any trouble caused by backscatter originating from our Barracuda. We have disabled the notifications that were causing the messages to be sent.

Thanks!
Next is an example of a depressing response, which shows an administrator who is clueless about the damage she is causing the rest of the users on the internet. Her suggestion is that I just block her bounces...
date Dec 7, 2007 7:31 AM
subject RE: Please configure your spam firewall to stop bouncing spams to me (was: **Message you sent blocked by our bulk email filter**)

Thanks for your email. We understand your frustration with receiving notifications of spoofed emails forged with your address. However, the notifications serve a purpose to alert you that: 1) someone is using your address to send spam; 2) alert you that you might be infected and are sending potentially infected emails.

If you feel that you are receiving too many false positives from our Barracuda, please feel free to add our domain to your blocking list.
Don't you like how she turned it around as doing us all a service! My response to this nonsense got escalated to the VP of IT in her company, who wrote me a message that was very defensive, to which I replied below:
Hello,

On Dec 7, 2007 9:20 AM, (Anonymized) wrote:
The next time you want to criticize someone, slap some credentials behind your name.
Who says credentials are necessary to say that your Barracuda is spamming me?!

I'm complaining about the spam your Barracuda is sending to me because you've enabled the feature that most people recognize as abusive. Just Google it! I won't be the only person who is upset about this. If you want credentials to back up what I'm saying, you're just being ignorant and not listening. Again, if you don't trust me, try Google:

http://www.google.ca/search?hl=en&q=barracuda+backscatter&btnG=Google+Search&meta=

I have sent many, many, many complaints to Barracuda owners about this problem. When I get a response, it's one of the following:

1) Thank you for pointing this out to us, we are correcting the problem.
2) Backscatter isn't my fault. Too bad for you.
3) postmaster does not exist.

Since you're a VP, I trust you know which one is the more professional and customer-oriented. Yes, I'm holding you to your credentials!
I assure you we have better things to do with our time than pick on someone like yourself, and send them bogus emails telling them that they might be infected. Gmail supports an outlook interface which is a commonly targeted service for spammers, have you considered the fact that someone, yes someone malicious may have in fact cracked your password and might be using your account.
This is a possible explanation, but there are no facts to support my Gmail has been hacked.

I have already more than 30,000 backscatter emails, and I found out how it works. I am not the only one who's a victim of this kind of spamming problem. If you check your Barracuda logs, I'm willing to bet you'll find it's bouncing spams to other people.
Funny, this "VP" never wrote back. Perhaps he's still trying to figure out how to turn off the auto-reply feature of their Barracuda Spam Firewall - maybe he's asking his underlings what a log file is?...

Finally, here's the most common response I get when I reply to Barracuda backscatter (the domain example.com is used below, but it will be something else depending on the Barracuda box that sends it out):
This is an automatically generated Delivery Status Notification

Delivery to the following recipient failed permanently:

postmaster@example.com

Technical details of permanent failure:
PERM_FAILURE: SMTP Error (state 13): 550 <postmaster@example.com>: Recipient address rejected: No such user (postmaster@example.com)
This shows that Barracuda Networks are not doing a great job at having customers set up their boxes properly. Pert near all of these domains end up getting a listing for being RFC-ignorant with respect to postmaster. I don't have a count yet, but it's got to be over 100 domains that I've reported there, "thanks" to the Barracuda backscatter from their poorly configured appliances.

p.s. A more rare event is that sometimes a Barracuda Spam Firewall actually blocks my automated response to its backscatter, claiming my request for them to stop bouncing spams to me is itself a spam! Although telling me that my request was blocked isn't backscatter, it will get them listed as being RFC-ignorant. They're blocking requests to the postmaster address.

1 comment:

Sebby said...

Agreed, being a several-hundred-a-day backscatter victim is worse than death. Apparently, I'm a Russian lady looking for love (probably not so very far from the truth except that I'm not Russian and not a lady, so if it weren't for the backscatter, CR notices, vacation notices and everything else, maybe I should be thanking the spammer ;-) ). My address seems to be continuously picked on for this purpose. So far nobody has actually responded, which hopefully says something bad about the campaign.

I'd look into BATV and see if you can use it. I can't because I don't yet want to upgrade my Sendmail. Still, it depresses me how some people just don't get SMTP enough to do something about unwanted crap pre-accept phase.

Just one thing, though - isn't autoresponding to postmaster itself kind of a bit evil? I mean, you do check you're sending valid mail to valid recipients before you do it, don't you? Presumably, it's a template you get your MUA to submit for you. I'd not go setting up completely automated systems - you might one day classify a legitimate bounce as spam, and that'd be bad, to be pissing off a real postmaster. And besides, remember, it's falsely being accused we're complaining about, not getting DSNs in the first place. DSNs are great in and of themselves and tell us stuff we want to know (and, in fact, I even ask for success DSNs when the remote MTA will do them in many instances where I want interactive confirmation that now it's there problem for my mail to be delivered).

While I think on here ... There are only two further problems needing a solution: smarthosts and backup MXs. I'm a backup, my reasonable compromise solution is a script which probes forward MXs. If they're up, I'll tempfail mail; if they're down, I'll take it in for later. I can't and don't maintain user lists at the primary because that'd be inconvenient, so I only generate backscatter when the primaries are actually down which they are very occasionally. Smarthosts are a different problem: there is a conflict between port 25 blocking and a picky smarthost. A smarthost should only accept mail from senders inside the domain, yet a portblock on tCP 25 makes the ISP mail service essentially unusable for anything serious. This means, I think, that the only solution is to portblock by default and enforce strict per-user sender lists, but then to allow port 25 on a customer request basis. Then they can run their own MTA if they wish, assuming anybody will listen to what they have to say, what with being a second-class citizen because they're on a dynamic IP and all. I even get backscatter from Hotmail because they'll actually let you forge as long as you're authenticated to them! And then there's orange.fr - they don't even try to validate - they tank absolutely everything, without fail.

Anyway, great post, and thanks for that. I shall point it out to others who need any coroboration.

Cheers,

Sabahattin

SP@MTR@P - NO REAL MAIL HERE, PLEASE: feedme@yamta.org

My homepage for real address