[unisog] Barracuda effectiveness (vs Puremessage)

Sheil,Sean M Sean at nwmissouri.edu
Mon Jul 16 20:03:41 GMT 2007

	I would have to agree with several items below.  LDAP timed out
and caused many messages to not get delivered.  Our ISP blocks
approximately 80% of the messages before it hits us.  The Barracuda
blocks about 65% of the remaining messages.  Our default level is set to
2.5/3/5 (tag/quar/block).

Mgr. Network/Server Services
Northwest Missouri State Univ.

-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of shawnl at up.net
Sent: Monday, July 16, 2007 2:48 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Barracuda effectiveness (vs Puremessage)

I'm an ISP lurker (used to be edu) and just had to respond to this....

We've had several barracuda devices in front of a high-volume mail
server for about the past 2 years  (~60 to 100k messages/hour).  I can
tell you how we've tuned our setup.  The barracuda is by no means
perfect, we've toasted 5 boxes so far, and have had several brain-dead
box issues (box forgets about all of its users and configs and has to
be re-setup), but once tuned it does a fair job.  The barracuda SE's
seem to be ok, but it really depends on who you get.  We've had numerous
people contradict each other and several cases of the SE deciding to do
X on the box without realizing the volume of mail it was processing (and
killing it).

+ make it your MX.  Putting a box in front of it acting as an MX negates
a lot of the built-in filters.
+ lower all settings.  Our default level is 2/4/7 (tag/quar/block) and
for some we lower that quite a bit.
+ Don't try to use ldap for user verification.  Really slowed things
down and killed our ldap servers.
+ erase "fake" accounts weekly (since we're not doing ldap verification)

+ setup our own black list. This was the biggest single thing we did to
improve the amount of spam being caught and box performance.  Unfortunately
there's a time commitment there to keep the list updated.

Things that don't seem to work...

+ marking things as spam or not spam.  Too many users, too much mail.
Several thousand entries in the Bayesian database with no real

Also remember that Barracuda Networks bases their spam figures on 99% of
the incoming spam being caught at the black-list level _before_ it's
scanned in any way.  If you're not getting a 99% catch rate, the
estimates of how many messages/hour the box can scan need to be

For comparison here's our stats so far today

Blocked		867,189
Blocked,Virus	388
Quarantined 	8,880
Allowed: Tagged	4,822
Allowed		38,357 
Total Received	919,636

(on a side note, we're looking at moving to a cluster of boxes running

If you want more info, feel free to contact me offline


Network Operations Staff
Baraga Telephone / up.net
(906) 353-6644

On Mon, Jul 16, 2007 at 11:25:41AM -0700, Kim Cary wrote:
> Hi all,
> We've been doing some tests and are quite disappointed with the 
> Barracuda's spam catch effectiveness. We find that at the recommended 
> settings about 20% of the things that would be caught by Puremessage 
> as spam, get missed by Barracuda.
> We have the Barracuda set to do the things their SE recommends. And 
> now they are recommending manual tuning involving keyword lists, extra
> blacklists (beyond their own and xbl/sbl from spamhaus), bayes, etc.
> We don't have 'tuning' with Puremessage. We have postgres maintenance 
> :-( but not tuning.
> Anyone have recommendations for a high-catch/no-tuning setup for their
> Barracuda, before we re-crate these appliances for return?
> Dr. Kim Cary, CISSP
> Information Security Officer
> M-F 7-4 ~
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog