Travel Technology - Barracuda spam scam

Gargoyle
Oct 28, 09, 9:24 am
I rec'd an inquiry from a potential client who visited my site, and I tried to reply; my reply was blocked by their barracuda spam filters. I followed the link to the barracuda site, entered my IP and requested removal.

That site then referred me to emailreg.org where I could enter my IP for whitelisting. Turns out they charge $20 per domain for whitelisting, and it gets sleazy when you dig under the surface. Barracuda owns emailreg.org. They first sell their appliances to customers, and then blacklist legit email addresses. To get removed you have to pay them. Any spammer can pay them $20 and then will be free to spam the barracuda customers, those same customers who are paying barracuda for protection. Meantime, they're blackmailing me, asking me to pay them for the right to reply to a legit e-mail.

A little googling found a lot of threads elsewhere on this crap, here's one example:
http://www.debian-administration.org/users/simonw/weblog/295

I hope there is a class action lawsuit underway somewhere, and in the meantime, I hope lots of barracuda customers are canceling their contracts.


Janus
Oct 28, 09, 11:56 am
The other big RBL that runs this blacklist "extortion" is SORBS. I do a good deal of work around email and spam filtering systems. My recommendation has always been: RBLs are great resources to fight spam, BUT one should never use an RBL that requires payment to be removed.

I would recommend that you talk to your client and recommend they stop using that RBL and switch to other ones that have far better removal policies (such as Spamhaus and SpamCop).

Also, it is worth noting that most of these "extortion" RBLs are not listing IPs randomly (as one would imagine a regular extortion ring would operate). Rather, they are generally based on receiving email that was flagged as spam from your IP or a nearby IP. So it is also worth verifying with your email administrator that your email server is not configured as an open relay and that none of the systems sharing that outbound IP are infected with spam-sending malware.

Gargoyle
Oct 28, 09, 12:17 pm
So it is also worth verifying with your email administrator that your email server is not configured as an open relay and that none of the systems sharing that outbound IP are infected with spam-sending malware.
I'm using an AT&T 3G connection (card is plugged into a router), the IP remains static as long as I don't remove the card or reboot. I was traveling last week and took the card with, so it's possible that the IP I'm assigned (which is the IP Barracuda is flagging) belonged to another AT&T customer two or three weeks ago. However, they don't configure their system for relaying, and I'd guess 99.8% of their customers are just using iPhones or other smart phones, not routers to PCs.


Janus
Oct 28, 09, 12:22 pm
I'm using an AT&T 3G connection (card is plugged into a router), the IP remains static as long as I don't remove the card or reboot. I was traveling last week and took the card with, so it's possible that the IP I'm assigned (which is the IP Barracuda is flagging) belonged to another AT&T customer two or three weeks ago. However, they don't configure their system for relaying, and I'd guess 99.8% of their customers are just using iPhones or other smart phones, not routers to PCs.
Most folks configure their email client to send via an SMTP server. Are you actually connecting directly from your computer to the client's email system, or relaying via your email hosting provider / employer?

Gargoyle
Oct 28, 09, 12:29 pm
Most folks configure their email client to send via an SMTP server. Are you actually connecting directly from your computer to the client's email system, or relaying via your email hosting provider / employer?
I've got my own domain hosted by someone who has been hosting it for 10 or 12 years, and who keeps his stuff whitelisted. I use Eudora/popmail with cwmx.com (AT&T/cingular) as the smtp server. The IP flagged in the barracuda response is what I get when I check with http://whatismyip.com/ so it's the AT&T 3G IP.

Janus
Oct 28, 09, 12:42 pm
I've got my own domain hosted by someone who has been hosting it for 10 or 12 years, and who keeps his stuff whitelisted. I use Eudora/popmail with cwmx.com (AT&T/cingular) as the smtp server. The IP flagged in the barracuda response is what I get when I check with http://whatismyip.com/ so it's the AT&T 3G IP.

Ah yes, Barracuda does that evil trick where it deep-scans the header for IPs to run RBL checks. Yeah... that setting is evil, and should be turned off. The setting is off by default, but some folks turn it on, only to realize their false positive rate skyrockets.

Otherwise, you can ask your SMTP host to strip out your client IP from the email header before relaying the message.

Janus
Oct 28, 09, 12:47 pm
Found a nice screenshot of the setting:

http://www.iti.net/spam/screenshots/screenshot09.jpg

It is the bottom option. Note how the GUI even recommends the setting be kept off...

Gargoyle
Oct 28, 09, 1:26 pm
I reset my router and got a new IP address, eliminating the one that barracuda didn't like and getting one that they like.

Ultimately, though, what it comes down to is: Barracuda is selling spam filtering to corporations and selling whitelisting to anyone who wants to pay. IMHO that makes them dirty.

It also proves that it is easy to bypass their filters.

Janus
Oct 28, 09, 1:35 pm
Ultimately, though, what it comes down to is: Barracuda is selling spam filtering to corporations and selling whitelisting to anyone who wants to pay. IMHO that makes them dirty.
Agreed. I have no issue with Barracuda operating its own RBL (it serves as a legit value-add to their product), but the problem is when they start charging money.

It also proves that it is easy to bypass their filters.
Well, that is more a function of the client's email admin being an idiot, rather than any l33t h@X0r!ing skills on your part...
But at least you were able to get your email sent :D

Gargoyle
Oct 28, 09, 1:39 pm
The ATT IP I'd been using for the past week (since returning from my trip) was listed at "poor" by barracuda. The new IP I got today with my reset is listed as "good".

Janus
Oct 28, 09, 1:43 pm
The ATT IP I'd been using for the past week (since returning from my trip) was listed at "poor" by barracuda. The new IP I got today with my reset is listed as "good".
Yeah, that is why your client really needs to turn off the "Blacklist using full headers" setting. It results in a lot of legit people being blocked, and the simple act of getting a new dynamic IP can allow/block traffic (i.e. if you reset your modem again and get a different IP, you might get an IP that the RBL now thinks is bad).

sbm12
Oct 28, 09, 8:52 pm
You're lucky that some IPs in the ATT DHCP pool are considered acceptable to them. Most of those services have issued blanket bans on large swaths of the internet - like /16 subnets used by various DSL and Cable Modem ISPs - as spam sources. The theory is that so few people run legit email systems from those sites that it isn't worth the headache that all the unpatched and unprotected systems on those nets will cause. So they are all blocked.

The easy solution is to always relay through your actual mail host. Yes, that adds an extra hop to the traffic but an ISP has a compelling reason to ensure that their service is not black-listed and the staff to pursue it. You have, well, you.

Janus
Oct 28, 09, 8:58 pm
The easy solution is to always relay through your actual mail host. Yes, that adds an extra hop to the traffic but an ISP has a compelling reason to ensure that their service is not black-listed and the staff to pursue it. You have, well, you.

The trick here is that even though/if the OP is routing through a non-blacklisted SMTP server, the Barracuda scans the email header looking for IPs. That way the Barracuda runs RBL checks on not only the SMTP server's IP, but the client as well.
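The "full headers" behaviour Janus describes (the filter running RBL checks on every IP in the Received chain, not only the connecting SMTP host), as an added Python example that is not from the thread or from Barracuda; the header sample, the bl.example.test zone and the lookup stub are constructed, and real lists are queried via DNS.

```python
import re
from typing import Callable, Dict, List
# Constructed sample headers: the sender submits from a dynamic 3G address to its
# own SMTP host, which relays to the recipient's filter (RFC 5737 test addresses).
SAMPLE_HEADERS = """\
Received: from mail.example-host.test (mail.example-host.test [203.0.113.10])
\tby filter.client.test with ESMTP id ABC123; Wed, 28 Oct 2009 12:42:00 -0500
Received: from laptop (dynamic-3g.example.test [198.51.100.77])
\tby mail.example-host.test with ESMTPA id XYZ789; Wed, 28 Oct 2009 12:41:30 -0500
From: sender@example-host.test
To: prospect@client.test
"""

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def unfold_received(raw: str) -> List[str]:
    """Each Received: header as one line, joining RFC 5322 folded continuations."""
    unfolded: List[str] = []
    for line in raw.splitlines():
        if line.startswith((" ", "\t")) and unfolded:
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    return [h for h in unfolded if h.lower().startswith("received:")]

def received_chain_ips(raw: str) -> List[str]:
    """Bracketed IPv4 of every hop, newest first; index 0 is the connecting relay."""
    matches = (BRACKETED_IPV4.search(h) for h in unfold_received(raw))
    return [m.group(1) for m in matches if m]

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Standard DNSBL lookup name: octets reversed, then the list zone appended."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def rbl_verdicts(raw: str, zone: str, full_headers: bool,
                 lookup: Callable[[str], bool]) -> Dict[str, bool]:
    """Hops a filter checks: only the connecting relay by default, or every
    Received hop (client IP included) when 'full headers' mode is on."""
    hops = received_chain_ips(raw)
    if not full_headers:
        hops = hops[:1]
    return {ip: lookup(dnsbl_query_name(ip, zone)) for ip in hops}

# Stand-in for the DNS query (a real list answers a listed name with an A record
# in 127.0.0.0/8). Constructed so that only the dynamic client address is listed.
LISTED = {"77.100.51.198.bl.example.test"}

def stub_lookup(name: str) -> bool:
    return name in LISTED
```

With full_headers=False only the relay (203.0.113.10) is looked up and the mail passes; with full_headers=True the older hop carrying the client's dynamic address is also looked up, which is the hop a relaying SMTP host would have to strip for the earlier suggestion to work.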

Gargoyle
Oct 28, 09, 10:39 pm
The easy solution is to always relay through your actual mail host. Yes, that adds an extra hop to the traffic but an ISP has a compelling reason to ensure that their service is not black-listed and the staff to pursue it. You have, well, you.

I can do that as a backup, although as Janus points out it's not a full solution. Reason I don't is, every time my IP changes (which is only once every two months when the router locks up and I reboot, and also when I travel domestically and pull the card to use in my laptop as I travel) I have to have my mail admin enter the new IP in the system. Fortunately he's on Skype 17 hours a day, and it only takes him 45 seconds to do it, but still it's inconvenient. (And, the one time I need it, he'll probably be away.)

Back to my original point, I still think it's blackmail on the part of Barracuda to charge $20/year to whitelist domains - they're telling people, if you want your mail to be delivered you have to pay us. (With the subtext that, "if you're a spammer but you pay us, we'll deliver your mail to our clients.")


