Wednesday, August 4, 2010

Lotus Protector compared to Barracuda - DNSBL differences

Barracuda uses its own DNS block list (DNSBL), the BRBL (Barracuda Reputation Block List). The BRBL is a great resource for filtering unwanted spam. The great thing about Barracuda's RBL is that they offer it free of charge, within reason.


Disclaimer: You need to look up Barracuda Central's policy before considering the use of their RBL.


To get to the website, click on http://www.barracudacentral.org/

So in theory you can set up Lotus Protector to use Barracuda's RBL. I have done exactly that. Lotus Protector provides some cool advantages over Barracuda though. The biggest advantage is how and when the DNSBL is used.

A little background on how Barracuda executes DNSBL: When you are using the BRBL in Barracuda, each connecting host is checked. If that host is contained in the BRBL, the host is dropped; not even a HELO or EHLO command is received. For this reason, when you look at the message log you only see the connecting IP/domain server and that the connection was denied. You will never know what that message might have said. I understand the reasoning behind this, which is to reduce the amount of bandwidth and traffic.

Lotus Protector has the same option. You click on SMTP -> Configuration, Receiving SMTP, DNSBL Settings and you can 'enable' DNSBL and customize the error message and error code that is sent to the connecting server when the connection is dropped.



This next paragraph does not apply to the above method of filtering with respect to threshold and matching. Note the disclaimer in the screen shot next to the enable check box. It states:
(uses DNSBL servers defined in Policy / Spam Settings, threshold and match scores are ignored!)
I am guessing that when a DNSBL server returns a known spam address, it is dropped but I can't verify that.

Once DNSBL is enabled, go to Mail Security -> Policy, Spam Settings. You will see a threshold number and a list of DNSBL servers. Each DNSBL server has a number associated with it called 'Match Score'. This basically means that if the DNSBL server returns an address, meaning the IP has a spam reputation, that score is compared to the threshold. If the score is greater than the threshold, the email is not accepted. If you have more than one server listed and enabled and the connecting host IP is listed in more than one DNSBL, the match scores are added and then compared to the threshold.



Where Lotus Protector is different from Barracuda is that you can turn this DNSBL option off and configure an analysis module to check the connecting IP in the policy rule! This allows me to send a piece of email that is blocked by DNSBL to a person's spam quarantine, or apply any other rule I decide on! If you are trying to reduce the amount of bandwidth, though, this policy rule might not be the best option for you. It is great for testing purposes, and for that occasional person who sends an email to upper management using their local Outlook client, or the person who has an open relay but also has legitimate email. Here are the screen shots of the DNSBL policy rule:


This screen shot shows the Analysis Module that checks for DNSBL


This screen shows the rule in place. The action is set to block since we do not want the email to continue being checked by the rest of the rules. The response is to store the email in the Quarantine where the individual user can look at it (NOTE: make sure virus scanning is the first rule, you do not want to quarantine an email with a virus!). Last, this rule is run before the 'tag spam' rule, thereby reducing the amount of overhead.

On a side note, when configuring the Barracuda RBL in protector, the address is
b.barracudacentral.org
not
2.0.0.127.b.barracudacentral.org.
There is a link to 'how to use' the BRBL and it doesn't display b.barracudacentral.org as the DNSBL server name. For a noob like me it threw me off because the example used was 2.0.0.127.b.barracudacentral.org (http://www.barracudacentral.org/rbl/how-to-use). Also, before you enable this you must register your Lotus Protector IP address to gain access.
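The sketch below is an added example, not Lotus Protector's or Barracuda's own code. It shows why the how-to page displays 2.0.0.127.b.barracudacentral.org while the server name to configure is b.barracudacentral.org, and how match scores are summed against the threshold as described above. The second zone (dnsbl.example.net), the scores, the threshold of 80, the listed names and `fake_lookup` are all constructed for illustration.

```python
import ipaddress

def dnsbl_query_name(ip, zone):
    """Name a mail filter resolves: reversed IPv4 octets + '.' + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises on bad input
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")

def dnsbl_score(ip, servers, lookup):
    """Sum the match score of every configured list that has an entry for ip."""
    total, hits = 0, []
    for zone, match_score in servers:
        # An A record in the answer means "listed"; NXDOMAIN means "not listed".
        if lookup(dnsbl_query_name(ip, zone)):
            total += match_score
            hits.append(zone)
    return total, hits

def verdict(ip, servers, threshold, lookup):
    """Reject when the summed score is greater than the threshold (per the post)."""
    total, hits = dnsbl_score(ip, servers, lookup)
    return ("reject" if total > threshold else "accept"), total, hits

# Constructed configuration: (zone, match score). Only the first zone is from the post.
SERVERS = [("b.barracudacentral.org", 60), ("dnsbl.example.net", 50)]
THRESHOLD = 80

# Constructed "listed" names standing in for DNS answers, so this runs offline.
LISTED = {
    "2.0.0.127.b.barracudacentral.org",     # 127.0.0.2, the conventional DNSBL test entry
    "10.113.0.203.b.barracudacentral.org",  # 203.0.113.10 (documentation range)
    "10.113.0.203.dnsbl.example.net",
    "7.100.51.198.dnsbl.example.net",       # 198.51.100.7 (documentation range)
}

def fake_lookup(name):
    """Hypothetical resolver stub; a real one would do an A-record query."""
    return name in LISTED

if __name__ == "__main__":
    print(dnsbl_query_name("127.0.0.2", "b.barracudacentral.org"))
    for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.1"):
        print(ip, verdict(ip, SERVERS, THRESHOLD, fake_lookup))
```

A host on one list alone (score 50 or 60) stays under the threshold here; only a host on both lists (110) is rejected, which is the behaviour the connection-level DNSBL option skips when it ignores threshold and match scores.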

5 comments:

  1. Hello Chris
    Be careful with the order of this (DNSBL) rule, because if the incoming e-Mail which is blocked and stored into the quarantine folder also contains a virus, the e-Mail can be retrieved by every person by delivering the mail within the Quarantine Report.
    I think it is better that there is no Store-Rule into folders which can be accessed by your users with a higher priority than the Antivirus rule.

    -jk

  2. This comment has been removed by the author.

  3. jk, great point about the order in which the rules need to be configured. The screen shots on this post are from a trial download and is not being used. At work I have the virus rule first, then user's block list, then porn URL, phishing, DNSBL, Tag Spam. I will update the screen shots and put a disclaimer to have virus checking above all rules.

  4. Hi Chris,

    This is a great blog entry. It is good to know that we can use the Barracuda DNSBL for Protector which will further help with reducing spam. The screen shots and explanation are easy to follow as well. I have only one comment about the screen shot for the Rules section. The DNSBL Rule you are showing is missing the Analysis Module entry in the Rule. If you omit this entry and save the Rule then all email will be blocked coming in because there is no Analysis Module for Protector to check against. It would be helpful to your readers to show that "Spam DNSBL" is the Analysis Module to be used here so that users are not confused.

  5. Really trustworthy blog entry I have ever found. It's also informative information.
