[unisog] Barracuda effectiveness (vs Puremessage)

shawnl at up.net
Mon Jul 16 19:47:33 GMT 2007

I'm an ISP lurker (used to be edu) and just had to respond to this....

We've had several barracuda devices in front of a high-volume mail
server for about the past 2 years  (~60 to 100k messages/hour).  I can
tell you how we've tuned our setup.  The barracuda is by no means
perfect, we've toasted 5 boxes so far, and have had several brain-dead
box issues (box forgets about all of its users and configs and has to
be re-setup), but once tuned it does a fair job.  The barracuda SEs
seem to be ok, but it really depends on who you get.  We've had
numerous people contradict each other and several cases of the SE
deciding to do X on the box without realizing the volume of mail it was
processing (and killing it).

+ make it your MX.  Putting a box in front of it acting as an MX negates
a lot of the built-in filters.
+ lower all settings.  Our default level is 2/4/7 (tag/quar/block) and for
some we lower that quite a bit.
+ Don't try to use ldap for user verification.  Really slowed things down
and killed our ldap servers.
+ erase "fake" accounts weekly (since we're not doing ldap verification)
+ set up our own black list. This was the biggest single thing we did to improve
the amount of spam being caught and box performance.  Unfortunately there's a
time commitment there to keep the list updated.

Things that don't seem to work...

+ marking things as spam or not spam.  Too many users, too much mail.
Several thousand entries in the Bayesian database with no real

Also remember that Barracuda Networks bases their spam figures on 99% of the 
incoming spam being caught at the black-list level _before_ it's scanned 
in any way.  If you're not getting a 99% catch rate, the estimates of how 
many messages/hour the box can scan need to be adjusted.

For comparison here's our stats so far today

Blocked		867,189
Blocked,Virus	388
Quarantined 	8,880
Allowed: Tagged	4,822
Allowed		38,357 
Total Received	919,636

(on a side note, we're looking at moving to a cluster of boxes running

If you want more info, feel free to contact me offline


Network Operations Staff
Baraga Telephone / up.net
(906) 353-6644

On Mon, Jul 16, 2007 at 11:25:41AM -0700, Kim Cary wrote:
> Hi all,
> We've been doing some tests and are quite disappointed with the  
> Barracuda's spam catch effectiveness. We find that at the recommended  
> settings about 20% of the things that would be caught by Puremessage  
> as spam, get missed by Barracuda.
> We have the Barracuda set to do the things their SE recommends. And  
> now they are recommending manual tuning involving keyword lists,  
> extra blacklists (beyond their own and xbl/sbl from spamhaus), bayes,  
> etc.
> We don't have 'tuning' with Puremessage. We have postgres  
> maintenance :-( but not tuning.
> Anyone have recommendations for a high-catch/no-tuning setup for  
> their Barracuda, before we re-crate these appliances for return?
> Dr. Kim Cary, CISSP
> Information Security Officer
> M-F 7-4 ~ 