On June 6, 2009, a client sent a mailing. After it was sent, their (static, only-used-by-them) IP was listed by a particular list that is generated by the creator of a large, well-known anti-spam appliance and seems to be used by default in that appliance.
I didn’t notice the issue until I started checking all of our IP space against this list some time around the 17th of this month. A delisting request was duly entered with the maintainer. It was processed the same day and I got a reply:
Thank you for contacting Barracuda Networks regarding the block of IP address: [redacted]
The Barracuda Spam Firewall has rules that apply to email sent from an IP address known to Barracuda Central with a “poor” rating. The Barracuda Spam Firewall has an option to decline email from these IPs. This is an option that the Administrator of the Barracuda Spam Firewall may enable. If the Administrator chooses to enable this option it may block email from your IP address.
This IP has been seen by Barracuda Central to transmit spam email in the past 30 days.
We have removed your “poor” rating The IP will be automatically rechecked several times each day and may be adjusted again if issues are observed.
Please allow between 12 and 24 hours for changes to propagate around the world to all Barracuda Spam Firewalls — at which time you will be able to send email from the IP address. This is the last email you should receive about this issue.
Thank you for your time and understanding.
Good enough. Within 24 hours, I wasn’t seeing the IP listed anymore.
That is, until today. Now the client is listed again, so a new request goes in. And a new response comes back:
Thank you for contacting Barracuda Networks regarding IP address: [redacted]
The Barracuda Spam Firewall has rules that apply to email sent from an IP address known to Barracuda Central with a “poor” rating. The Barracuda Spam Firewall has an option to decline email from these IPs. This is an option that the Administrator of the Barracuda Spam Firewall may enable. If the Administrator chooses to enable this option it may block email from your IP address.
This IP has been seen by Barracuda Central to transmit spam email in the past 30 days.
We have removed your “poor” rating The IP will be automatically rechecked several times each day and may be adjusted again if issues are observed.
Please allow between 12 and 24 hours for changes to propagate around the world to all Barracuda Spam Firewalls — at which time you will be able to send email from the IP address. This is the last email you should receive about this issue.
Thank you for your time and understanding.
Now, ordinarily you look at this and you say “well, they didn’t like your mail stream and so you got relisted.” And, ordinarily you might be right.
However, this client is the only one using this IP, and they haven’t sent any more mail since 6/5. That means that the IP was listed, seemingly, on the strength of no evidence.
A couple of possibilities have been suggested as to why the IP might have been relisted, but neither really says anything good about Barracuda.
The first is that Barracuda didn’t like the IP’s rDNS entry. But, that would mean that they are out scanning hosts randomly for rDNS. Since no mail has gone out since 6/5, there would have been no reason for Barracuda to check rDNS since the delisting request was granted on 6/17.
The other is that they based the relisting on older evidence. Certainly the “within the last 30 days” bit of their mail comes into play here and there doesn’t appear to be any mail other than the 6/5 mailing that fits the bill. But, even if there were, this would indicate sloppiness on the part of the DNSBL operations staff. They had an opportunity with the 6/17 delisting request to address any concerns about older mailings, but decided not to. Instead, they wait a week and relist it anyway?
Not good.
So, to summarize:
| June 5 | Objectionable (and last) Mailing Sent |
| June 17 | Delist request |
| June 17 | Correspondence Indicating Delisting with continued monitoring |
| June 25 | IP Shows Up Again on the BBL |
| 0 | Number of pieces sent since June 5 |
Not only do I believe they used old information to list the IP and that they do random rDNS checks, I also believe their staff maliciously sign up to lists just to report senders as spammers.
And what's up with having to pay them to keep your domain from being on their blacklist??
[...] documents a problem he encountered with the Barracuda blocklist and relisting happening after a delisting even when [...]
It might be worth checking any of the domains that get included in the content of the email (and the header) to see if thiers a particular domain that barracuda does not like. It might be one that your esp uses across many clients.
That has been done, as I work for the ESP. The tracking domain is not on the list.
I've gone through a similar cycle of de-listings with a client. Ironically, the Barracuda product was used by their own ISP where the client had a few e-mail addresses hosted (companydepartname@ispname.com), and the site listed with a "poor rating" was their main domain (department@companyname.com), which had the effect that they couldn't send emails within their own department. After the second re-listing to the poor ratings list (which is odd, this is a Mac shop with professionally hosted e-mail and web services), I instead approached the ISP and had them white list us (which wasn't that easy). Of course, they communicate with other domains that also use Barracuda products, but at least now they could communicate internally. Sucks for the client who had to use my resources doing network administrative detective work instead of checking backups and taking care of the LAN. What a pain.
We've detected millions of messages being returned from Barracuda appliances on clients with SPF and proper rDNS/best practices. They need to disable this feature, as our networks didn't send the original message. These messages always caught because they return the spammy text/URL with it. It's pointless and wastes everyone's resources. As for listing we've seen wrongfully listed IP's, happens in every reputation database, however paying to stay OFF a list or to be removed is racketeering/extortion in my opinion, and I hope someone sues to set a precedent over it.
[...] IP relisted despite no more mail being sent. It seems like I blogged about Barracuda a lot. Truth be told, I probably had more problems out of Barracuda in 2009 than I did anyone else. This post was about them relisting an IP address even though they could not have had any fresh complaints since there had been no mail going out over it in more than 30 days. [...]