Barracuda Spam Firewall Review
A cure that is worse than the problem
The Barracuda Spam
Firewall is an extra piece of hardware, not just a program
you run on an existing computer.
The Barracuda unit comes in several different models,
most of which are provided in a 1U rack mount server form.
Most of us do not operate our
own email servers, and so are limited in what we can do to
control and reduce the flood of spam into our email in-box.
But if you do have your own
email server, there are additional ways you can attack spam
'further up the food chain' so as to more effectively reduce its
impact on your day to day email experience.
The Barracuda Spam Firewall is
one such example of a product that can filter out spam
before it even reaches your email server. In theory this
should save you time, hassle, and bandwidth. But in practice
our testing showed the unit to be limited in function, clumsy to
manage, and terribly terribly slow to administer.
Not recommended.
The Theory of Why a Barracuda
Spam Firewall Should be Good
(See also our earlier article
on preventing and managing spam.)
The underlying idea of the
Barracuda Spam Firewall is excellent. It uses a series of
methods to identify spam email, and then either discards it
entirely or puts it in a special area for you to review and
decide if it is real or not. Best of all, it does this
before the email reaches your main email server, and way before
it floods into your email in-box.
It has some reasonably
sophisticated ways of testing if an email is spam or not.
It looks at both who is sending the email, and what IP address the
mail server is located at. Some senders and some mail
servers are known to be prime sources for spam, and so email
from these sources tends to be immediately discarded.
It looks at what is in the
email message headers to look for telltale signs of spam.
Spammers will sometimes try and trick email servers by mis-forming
some elements of the email header, and whereas some email
servers can indeed be fooled, the very action of changing the
email headers provides a clear example of probable spam for a
very spam-aware device like the Barracuda unit.
It looks at the content of
the email. If there are lots of probable spam terms like 'Cialis' and
'Viagra', then that ups the
probability the email is spam as well, and with enough of
these telltale signs, the Barracuda box will again decide, on balance of
probabilities, that the email is spam and take appropriate
action.
It also compares the email
to whitelists and blacklists you've created yourself - senders
and mailservers who you always want to get email from, no matter
what the content, and senders/mailservers who you never want to
get email from.
It also adds virus
protection, making sure the email doesn't have any known virus
attachments.
In total, Barracuda claims
to offer 12 different steps or 'layers' of spam protection in
its Spam Firewalls. You can see their graphic illustration
of this Twelve Step Method
here; and while one could challenge whether some of these
steps are worthy of being counted separately or not, the
indisputable fact is that Barracuda offers very thorough anti-spam
testing and detection.
It also regularly and
automatically updates its definitions of what spam and viruses
are so as to be on top of the latest spam techniques and
viruses.
Do You Need a Spam Firewall?
I noticed an interesting
thing after deploying the Barracuda box. The good news was
it started proudly telling me about the thousands of spams it
was intercepting each day. The puzzling news was that my
volume of incoming spam seemed only mildly reduced, and I hadn't
realized I'd earlier been getting as many thousands of daily
spams as it was now reporting as having intercepted.
The answer to this puzzle is
that most half-way decent mail servers already do at least some
email filtering. Indeed, as part of your evaluation of the
need for a separate 'box' standalone solution, you should first
make sure that your current email server is fully optimized to
manage spam as best it can.
And also refer to our (not
yet released) article on other ways of controlling spam.
Maybe you don't need a
separate spam firewall at all.
A Hardware Solution rather than
Software Solution
The Barracuda Spam Firewall
is a hardware based solution that is built on its own free
standing hardware platform.
It isn't just an extra program that you can run on one of your
existing servers.
This is a good and a bad
thing, but in our opinion, the bad outweighs the good.
The good aspects of this
relate to allowing the Spam Firewall to be a slot-in turnkey
solution that is fast and easy to install, with little to go
wrong. Because it is provided to you pre-installed on its
own dedicated server, its hardware environment is very quality
controlled, which should allow for very reliable uptime and
operation.
The bad aspects of this
relate to the appreciable extra cost you'll incur. Instead
of paying just for a piece of software that will run 'for free'
on an existing server, you have to pay for the
hardware as well as the software, and its transportation.
And that is just the upfront
cost. Once you've received and installed it, you now have
another piece of hardware to manage and maintain (and eventually
repair and replace). Plus, if you're remotely siting your
equipment at a co-location facility, you're going to have to pay
for more rack space, more power, and more of whatever other
things the co-location service charges for as well.
The smaller model boxes take
1U of space and 1 Amp of power. The larger ones take 2U of
space and up to 5.4 Amps of power. So you'll probably be
paying $75 or more a month for a smaller box to be colocated,
and substantially more as the model increases in size and power
requirements. $75 a month might sound trivial, but that
comes to $900 every year, compared to probably no extra hardware
cost at all if the program was available to be installed on any
existing server.
Having to accept Barracuda's
hardware choice also means that you're at their mercy for the
price of the hardware they supply you, and its
power/appropriateness for the tasking allocated it. This
was to become the prime problem in my installation, and
Barracuda basically took almost six weeks of delay,
non-response, excuse and prevarication to decide to refuse to
help resolve the problems they acknowledged were due to
inadequate underpowered hardware (or, if you prefer the flip
side of this, inelegant inefficient software that is
ridiculously demanding of hardware resource - my words, of
course, not theirs!).
I had offered to pay
Barracuda a reduced amount to upgrade to a more responsive
hardware box, but they refused anything other than to charge
full price.
They also said they were
looking into addressing the hardware problem, and when I asked
how quickly that would be done, the answer was:
"It is on the road map for future 100's but I couldn't say when
this decision would be made. Most likely early 09."
Hardly a responsive attitude
to a known problem that, at least in this case, cost them a
sale, and which could be solved in a few minutes by simply
upgrading the hardware the software runs on.
It seems their box is
powered by some type of Linux/Unix OS.
It is interesting to see
Barracuda pursuing this hardware model - these days most of the
development is in the concept of distributed service models
rather than local hardware models, and for something as
'virtual' as email processing, this is clearly something that
lends itself to remote distributed management. But, with
the prices they charge up front for their hardware solutions, I
guess they are reluctant to 'leave this money on the table'.
Which Model is Right for You
Barracuda offer their
product in seven different configurations. Depending on
the configuration you choose, there's a related impact on the
upfront purchase price and the annual maintenance fee for the
regular updating of their virus and spam definition databases.
You can see the current configuration options on Barracuda's
site at the bottom of this
datasheet. The pricing implications of your choice -
both in terms of upfront purchase and then annual maintenance
fee - can be seen
here.
You should choose the most
appropriate unit based on several measures :
Number of Email Users
This can be a much
larger number than you think. For
example, with my own mail server that largely serves just me
alone, I have about 20 different email addresses. In
addition to my main email address, I have older now 'retired'
email addresses that stay semi-active for a while, I have
various system default email boxes (such as postmaster, abuse,
webmaster, etc), and different addresses to presort and help
manage incoming mail.
So don't just count users on
your system, count all the email boxes; this number might be
considerably larger than you think.
Number of Domains
This too can be larger than
you might at first think. Again, in my case, I've got one
main domain - TheTravelInsider.info. But I've also got
some domain aliases such as TheTravelInsider.com, and then I've
various other domains that have come my way for one reason or
another (eg DavidMRowell.com).
So again, make sure to track
down all the domain aliases that might be being incorporated
into your current mail server.
Extra Features Needed
Barracuda provide another
enticement to encourage you to choose a more expensive solution
- they successively add extra features to their larger model
units.
The Models 100 & 200 are
functionally identical other than the limit on the number of
users and domains served.
The Model 300 starts to add
extra features which most companies will find almost essential (ie
per user settings rather than system wide settings).
The Model 400 adds some
extra management tools, and the three top of the line units
(Models 600, 800 & 900) are all identical in terms of
capabilities, varying only in the hardware configurations.
I was comfortable with the
limited capabilities of the Model 100 so that is the unit I
tested.
CPU Power and Configuration
This is a somewhat hidden
but vital consideration, and underscored the colossal
disappointment of the Barracuda server I trialed and then
subsequently was forced to return.
Barracuda's specification sheet shows some aspects of the
different hardware configuration for each model, but is silent
on a surprisingly vital issue - the CPU used, its processing
power/speed, and the amount of memory it has to work with.
I had assumed (shame on me!)
that these units would have adequately powered CPUs to drive
them at a good speed. After all, in a dedicated unit that
is lightly loaded, doing nothing other than filtering email, how
much CPU power would be needed? Not much, I thought.
How wrong could I have been?
With my Model 100 taking up to 30 seconds to respond to
requests, and with Support staff at Barracuda uniformly
acknowledging that this was not a configuration issue or an
over-tasked system, but rather nothing more or less than an underpowered processor, the hardware is
sadly inadequate for the task intended. More on that below.
There seemed to be an
admission by Barracuda that both the Models 100 & 200 have
similar CPU power, and a suggestion that the Model 300 has a
more powerful processor. They also have a public
demonstration server that is a Model 600, and assuming this is
not a 'tricked out' unit with extra processing power, it
presumably gives you a realistic feeling of how responsive you
could expect the Model 600 to be in your environment. I'd
first thought that a heavier loaded Model 600, doing more things
and handling more emails, would work slower than a lightly
loaded less featured Model 100, but that proved to not be valid
in actual testing.
Easy to Install (but....)
Adding a Barracuda Spam
Firewall to your mail server is very simple. Put the
server unit into your rack, give it an IP address, and turn it
on.
A Word about Hosting
If you're looking at hosting anything - a Barracuda Spam
Firewall, an email server, a web server, or whatever - it makes
no difference where in the world it is located, other than that
the unit be located close to the 'center' of your part of the
internet.
Hosting services vary widely in cost and in value, and the
service they provide is also a very mixed bag.
After extensive research, I've settled on one company that is
head and shoulders above all its competitors.
Adhost, in Seattle, have an extraordinarily positive customer
service attitude, and combine instantaneous 24/7 support with
excellent competent staff and very fair rates. They're directly
connected to several major internet backbones, and have a
wonderfully anally retentive approach to security and data
protection that extends even to the point of having a specially
strengthened roof for helicopters to land on with fuel loads
for their standby diesel generators (in case some street
obstruction/disaster prevented getting fuel trucked in, and
always assuming their main power feed was lost)!
Highly recommended. No matter where in the country, or even in
the world, you are, you should try them next time you're needing
co-location services for your internet servers.
With all their wonderful help, there's never a need for you to
physically be at their premises yourself.
You need to make some simple
changes to the MX records in your DNS configuration, run through a quick and simple configuration utility on the
Barracuda box itself, then you're pretty much done.
The MX change is to switch
the MX record for your domain to point to the Barracuda box so
that all mail gets sent there first, and then to create a second
lower priority MX record for your main mail server, to which the
Barracuda box can then forward the spam-filtered remaining
emails, and which will also give you 'fail-over' capabilities so
if the Barracuda unit goes offline for any reason, mail has an
alternate path to get to you.
Two comments about this part
of the process. First, make sure, if you are having either
or both of these two boxes (Barracuda and Mail server) at a
co-located server farm, that you don't get charged double
bandwidth. You should have the bandwidth into the Barracuda
box measured, and the bandwidth out of the Mail server box
measured, but the data flows between the Barracuda and Mail
server boxes should be internal within the LAN and not charged
for by your ISP/Host provider. I had mine mis-configured to
start with and suddenly discovered a huge jump in GB usage.
Fortunately my host company (Adhost
- highly recommended, see box on right, above) quickly resolved both the issue and the
charging.
Second, I had some clever spammers sending direct to
the mail server's IP address and MX record (ie instead of sending
mail to [email protected] they would send it to
[email protected]) and thereby bypass
the Barracuda filtering step entirely. The solution there
is to give your old mail server name to the new Barracuda box,
and to create a new mail server name for your main mail server.
For example, if your
earlier, pre-Barracuda setup had a single MX entry, priority of
20, pointing to mail.yourcompany.com, with an IP address of
125.126.127.128, you should either point this entry to the new
IP address of your Barracuda box, and/or give the Barracuda box
this IP. You then would create a different record, say
mailtwo.yourcompany.com, which points to your main server
(original), with
a priority of, say, 30. That way any mail directed to
[email protected] will now go to the Barracuda box
rather than short-circuit it.
To make the install and
changeover work smoothly, it is a good idea to massively reduce
the TTL setting on the DNS entries a week or more prior to
installing the Barracuda server, so that when you make the
changes they will quickly flow out and into the general
internet. Once you have the new system all working and
you've decided to keep rather than return the Barracuda box,
don't forget to push up the TTL settings back to the 1 week
maximum.
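An added example (not part of the original article and not Barracuda's code): a small Python audit of the MX layout described above, run against two constructed zone snippets. The firewall address 192.0.2.10, the host name spamfw.yourcompany.com and all function names are assumptions; it lists each published MX and whether mail sent to it passes through the filter, which shows that the renamed fail-over record is still a direct path to the mail server.

```python
from dataclasses import dataclass

FILTER_IPS = {"192.0.2.10"}  # assumed address of the spam firewall (documentation range)

# Constructed zone snippets in BIND style: owner, TTL, class, type, data.
# INTERIM: firewall added under a new name, old name still an MX for the mail server.
ZONE_INTERIM = """
yourcompany.com.         300 IN MX 10 spamfw.yourcompany.com.
yourcompany.com.         300 IN MX 20 mail.yourcompany.com.
spamfw.yourcompany.com.  300 IN A  192.0.2.10
mail.yourcompany.com.    300 IN A  125.126.127.128
"""
# RENAMED: the layout from the text, old name moved to the firewall,
# mail server published under a new name at a lower priority.
ZONE_RENAMED = """
yourcompany.com.          300 IN MX 20 mail.yourcompany.com.
yourcompany.com.          300 IN MX 30 mailtwo.yourcompany.com.
mail.yourcompany.com.     300 IN A  192.0.2.10
mailtwo.yourcompany.com.  300 IN A  125.126.127.128
"""


@dataclass
class MxPath:
    priority: int
    host: str
    ips: list
    filtered: bool  # True only when every address of the host is the firewall


def parse_zone(text):
    """Return (mx, a): mx is a list of (priority, host), a maps host -> [ip]."""
    mx, a = [], {}
    for line in text.splitlines():
        fields = line.split(";")[0].split()  # drop comments, split on whitespace
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        owner, rtype = fields[0].lower().rstrip("."), fields[3].upper()
        if rtype == "MX" and len(fields) >= 6:
            mx.append((int(fields[4]), fields[5].lower().rstrip(".")))
        elif rtype == "A":
            a.setdefault(owner, []).append(fields[4])
    return mx, a


def audit_mx(text, filter_ips):
    """List every published MX path, most preferred (lowest number) first."""
    mx, a = parse_zone(text)
    paths = []
    for priority, host in sorted(mx):
        ips = a.get(host, [])  # a host with no A record here counts as unfiltered
        filtered = bool(ips) and all(ip in filter_ips for ip in ips)
        paths.append(MxPath(priority, host, ips, filtered))
    return paths


def unfiltered_hosts(text, filter_ips):
    """MX host names that accept mail without passing through the filter."""
    return [p.host for p in audit_mx(text, filter_ips) if not p.filtered]


def name_is_filtered(text, host, filter_ips):
    """Does a well-known host name (e.g. the pre-change MX) land on the filter?"""
    _, a = parse_zone(text)
    ips = a.get(host.lower().rstrip("."), [])
    return bool(ips) and all(ip in filter_ips for ip in ips)


if __name__ == "__main__":
    for label, zone in (("interim", ZONE_INTERIM), ("renamed", ZONE_RENAMED)):
        print(label)
        for p in audit_mx(zone, FILTER_IPS):
            state = "filtered" if p.filtered else "DIRECT"
            print(f"  MX {p.priority:>3} {p.host:<26} {state}")
        old = name_is_filtered(zone, "mail.yourcompany.com", FILTER_IPS)
        print("  old name filtered:", old)
```

A host reported as DIRECT is reachable by any sender that chooses that MX, so the fail-over record trades filtering for availability.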
At this point, you're
probably feeling somewhat pleased with yourself and your new
Barracuda Spam Firewall. But now comes the sting in the
tail of the Barracuda - its ongoing administration.
Does the Barracuda Catch Spam?
Yes, the Barracuda does a
good job of catching spam, with perhaps 95% or so of spam being
trapped by the Barracuda unit. But note my earlier comment
- much of this spam should be caught by any half-way decent
email server anyway, so in terms of how much more spam it
catches, and how much better a job it does than your already in
place solutions, that becomes more difficult to evaluate.
Unfortunately, like most
other spam filtering systems, it also scores 'false positives' -
it will on occasion trap bona fide emails and label them as
spam.
A particularly annoying
example of false positiving was its tendency to label my own
weekly newsletters as spam. How stupid is that? And
while I could whitelist myself, I also see other companies'
Barracuda spam firewalls bouncing back my newsletter to me each
week too. Poorly adjusted spam filters are a modern age
curse, and Barracuda's inability to correctly perceive my 100%
bona fide newsletter has to be a downcheck against it.
These issues are what
require you to regularly 'check under the hood' of the Barracuda
software and manage what it believes to be spam and not spam.
Administering the Barracuda
Spam Firewall
The good news is that much
of what the Barracuda does is automatic and 'behind the scenes',
and you can leave it to its own devices most of the time.
But you can't totally ignore
it. You really should check through its email message log
and confirm that emails which are being intercepted as spam
really truly are spam. Some of these you'll need to mark
as not being spam, and similarly, to get the best results,
you'll want to mark spams that slipped through the system as
being spam not bona fide. You'll be wanting to add senders
to your white list and generally tweak the system on a continual
but minor basis.
Administration is done
through a web interface. The interface is moderately well
designed and acceptably intuitive, and with good help material
available too.
One weakness is that some
things require item by item entry (eg whitelisting) rather than
allowing multiple entries to be added simultaneously.
Normally this would be a minor annoyance, but in the Barracuda's
case, it becomes a major problem, due to the massive weakness of
the entire system.
It is slow. No, not
just slow. It is * S * L * O * W * . It
is so slow that I found myself spending more time managing spam
through the Barracuda firewall than doing it 'the old fashioned
way' through Outlook. And there's absolutely no sense in
that whatsoever. Why pay thousands of dollars for
something that makes your life more complicated and less
efficient?
Here is a table showing some
of the typical actions you'd want to be doing with the
Barracuda, and how long it takes to wait for the system to
complete its response on each occasion, with timings for both my
trial system and their own demo system.
Note that these unacceptably
long delays can not be explained by poor internet connectivity
at my end. I have tested in two different locations - one
with a fast fiber connection, the other with a fast DSL
connection, and have confirmed the multi-Megabit bandwidth by
using DSL Speed Tests on the line before and after the testing.
These delays are 99% due to the slow platforms on which the
Barracuda is based, and you are as likely to experience them as
I was.
Times in seconds, timed until screen completely loaded.
Multiple test results shown to indicate spread of results.

| Action | Model 100 (my live server) | Model 600 (Barracuda demo server) |
|---|---|---|
| Average messages/hour | 125 | 1,000 |
| Average messages/day | 2,600 | 20,000 |
| CPU utilization | 2% - 22% | 1% - 5% |
| Message latency (time from receiving an incoming email until passing it on to the main server) | 39 - 80 | <1 - 33 |
| Log on | 18, 20, 25 | 5, 5 |
| Change from Status to Message Log tab on main menu | 39, 11, 24 | 25, 25 |
| Move to next page of message log | 17, 12, 12 | 25, 25, 25 |
| Refresh Status Screen | 25, 31, 38 | 35, 7, 9 |
| Add a person to whitelist | 8, 12, 30 | n/a |
| Flag a message as not spam | 25, 30 | 24, 24 |

Basically, most of the time, whenever you click to send an
entry/command to the server, you're going to be waiting up to 30
seconds for the response on a lightly loaded Model 100, and
maybe 20 seconds on a very lightly loaded Model 600.
These are appalling response
times, and are completely unacceptable. Studies show that
people consider generally acceptable responses to be in the 2 -
5 second time range; with anything much longer than that the
whole feeling of interactivity is lost, and your concentration
breaks during the long interval between sending off an entry and
receiving its response.
What is particularly
perturbing is that the high powered Model 600, which sells for
$8,999 (wow!), and which usually showed a CPU utilization of only 1%, was
only slightly faster than the entry level Model 100 (which sells
for $700) and in one very frequent activity (moving through the
message log) it was often twice as slow! Would you be happy spending $9000 for a unit
that gave this sort of performance? And, just in case the
$8,999 cost of the Model 600 didn't surprise you, there is also
an annual update fee of $2,399 - and, no you don't get the
first year of updates free as part of the purchase price.
So you're actually writing out a check for $11,398 (or even more
if you want their hardware replacement program for another
$1,999 too) for this underperforming box.
While the latency delays in
processing emails are not so important - it seldom matters
whether an email is received a minute or so faster or slower
than 'normal' - the administration delays for the poor person
tasked with managing the server are terrible and costly (at,
say, a $75/hr total cost of employment, it is costing 50c or
more in dead waiting time each time an entry is sent to the
server), and will massively detract from the job satisfaction
experienced by that person.
What is Barracuda thinking
when it tries to foist such terrible performance off on its
users?
Price - Upfront and Ongoing
The units range in price,
with there being three cost components to each of the different
models - an initial purchase price, an annual updating fee, and
a hardware replacement fee.
The initial purchase price
does not include any 'free' period of updates, so the check you
cut to Barracuda will necessarily include both the hardware and
also at least one year of updates.
The hardware replacement fee
is optional, and while there's a great convenience in this
service, there's definitely a matching cost premium to pay for
it.
And don't forget to add - if
applicable - the extra costs of having this unit sited at your
co-lo facility. Even a very reasonable $75/month fee
represents another $900 a year in overall operating cost.
Pricing can be seen on
this page of the Barracuda site.
Summary
The Barracuda Spam Firewall
was probably an excellent product, some years ago. But the
state of the art has moved forward, and there are now better
solutions and at lower prices, and indeed the chances are your
current mail server may already have many of the Barracuda box's
capabilities built in to it.
The biggest weakness of the
Barracuda units is their inexplicably slow response times while
you're administering them. This makes what should be a
short and 'happy making' experience into a long slow and very
unhappy making experience.
The Barracuda units are
expensive, both in absolute terms and in relation to other
solutions available.
If you're wavering and
curious about these units, they do offer a 30 day free trial
where you either keep the unit after 30 days and pay for it, or
return it.
Not recommended.
Originally published
16 May 2008, last update
21 Jul 2020
You may freely reproduce or distribute this article for noncommercial purposes as long as you give credit to me as original writer.