Barracuda Spam Firewall Review
A cure that is worse than the problem
The Barracuda Spam
Firewall is an extra piece of hardware, not just a program
you run on an existing computer.
The Barracuda unit comes in several different models,
most of which are provided in a 1U rack mount server form.
Most of us do not operate our
own email servers, and so are limited in what we can do to
control and reduce the flood of spam into our email in-box.
But if you do have your own
email server, there are additional ways you can attack spam
'further up the food chain' so as to more effectively reduce its
impact on your day to day email experience.
The Barracuda Spam Firewall is
one such example of a product that can filter out spam
before it even reaches your email server. In theory this
should save you time, hassle, and bandwidth. But in practice
our testing showed the unit to be limited in function, clumsy to
manage, and terribly terribly slow to administer.
The Theory of Why a Barracuda
Spam Firewall Should be Good
(See also our earlier article
on preventing and managing spam.)
The underlying idea of the
Barracuda Spam Firewall is excellent. It uses a series of
methods to identify spam email, and then either discards it
entirely or puts it in a special area for you to review and
decide if it is real or not. Best of all, it does this
before the email reaches your main email server, and way before
it floods into your email in box.
It has some reasonably
sophisticated ways of testing if an email is spam or not.
It looks at both who is sending the email, and what IP address the
mail server is located at. Some senders and some mail
servers are known to be prime sources for spam, and so email
from these sources tends to be immediately discarded.
It looks at what is in the
email message headers to look for telltale signs of spam.
Spammers will sometimes try and trick email servers by mis-forming
some elements of the email header, and whereas some email
servers can indeed be fooled, the very action of changing the
email headers provides a clear example of probable spam for a
very spam-aware device like the Barracuda unit.
It looks at the content of
the email. If there are lots of probable spam terms like 'Cialis' and
'Viagra', then that ups the
probability the email is spam as well, and with enough of
these telltale signs, the Barracuda box will again decide, on balance of
probabilities, that the email is spam and take appropriate
It also compares the email
to whitelists and blacklists you've created yourself - senders
and mailservers who you always want to get email from, no matter
what the content, and senders/mailservers who you never want to
get email from.
It also adds virus
protection, making sure the email doesn't have any known virus
In total, Barracuda claims
to offer 12 different steps or 'layers' of spam protection in
its Spam Firewalls. You can see their graphic illustration
of this Twelve Step Method
here; and while one could challenge whether some of these
steps are worthy of being counted separately or not, the
indisputable fact is that Barracuda offers very thorough anti-spam
testing and detection.
It also regularly and
automatically updates its definitions of what spam and viruses
are so as to be on top of the latest spam techniques and
Do You Need a Spam Firewall?
I noticed an interesting
thing after deploying the Barracuda box. The good news was
it started proudly telling me about the thousands of spams it
was intercepting each day. The puzzling news was that my
volume of incoming spam seemed only mildly reduced, and I hadn't
realized I'd earlier been getting as many thousands of daily
spams as it was now reporting as having intercepted.
The answer to this puzzle is
that most half-way decent mail servers already do at least some
email filtering. Indeed, as part of your evaluation of the
need for a separate 'box' standalone solution, you should first
make sure that your current email server is fully optimized to
manage spam as best it can.
And also refer to our (not
yet released) article on other ways of controlling spam.
Maybe you don't need a
separate spam firewall at all.
A Hardware Solution rather than
The Barracuda Spam Firewall
is a hardware based solution that is built on its own free
standing hardware platform.
It isn't just an extra program that you can run on one of your
This is a good and a bad
thing, but in our opinion, the bad outweighs the good.
The good aspects of this
relate to allowing the Spam Firewall to be a slot-in turnkey
solution that is fast and easy to install, with little to go
wrong. Because it is provided to you pre-installed on its
own dedicated server, its hardware environment is very quality
controlled, which should allow for very reliable uptime and
The bad aspects of this
relate to the appreciable extra cost you'll incur. Instead
of paying just for a piece of software that will run 'for free'
on an existing server, you have to pay for the
hardware as well as the software, and its transportation.
And that is just the upfront
cost. Once you've received and installed it, you now have
another piece of hardware to manage and maintain (and eventually
repair and replace). Plus, if you're remotely siting your
equipment at a co-location facility, you're going to have to pay
for more rack space, more power, and more of whatever other
things the co-location service charges for as well.
The smaller model boxes take
1U of space and 1 Amp of power. The larger ones take 2U of
space and up to 5.4 Amps of power. So you'll probably be
paying $75 or more a month for a smaller box to be colocated,
and substantially more as the model increases in size and power
requirements. $75 a month might sound trivial, but that
comes to $900 every year, compared to probably no extra hardware
cost at all if the program was available to be installed on any
Having to accept Barracuda's
hardware choice also means that you're at their mercy for the
price of the hardware they supply you, and its
power/appropriateness for the tasking allocated it. This
was to become the prime problem in my installation, and
Barracuda basically took almost six weeks of delay,
non-response, excuse and prevarication to decide to refuse to
help resolve the problems they acknowledged were due to
inadequate underpowered hardware (or, if you prefer the flip
side of this, inelegant inefficient software that is
ridiculously demanding of hardware resource - my words, of
course, not theirs!).
I had offered to pay
Barracuda a reduced amount to upgrade to a more responsive
hardware box, but they refused anything other than to charge
They also said they were
looking into addressing the hardware problem, and when I asked
how quickly that would be done, the answer was
is on the road map for future 100’s but I couldn’t say when
this decision would be made. Most likely early 09.
Hardly a responsive attitude
to a known problem that, at least in this case, cost them a
sale, and which could be solved in a few minutes by simply
upgrading the hardware the software runs on.
It seems their box is
powered by some type of Linux/Unix OS.
It is interesting to see
Barracuda pursuing this hardware model - these days most of the
development is in the concept of distributed service models
rather than local hardware models, and for something as
'virtual' as email processing, this is clearly something that
lends itself to remote distributed management. But, with
the prices they charge up front for their hardware solutions, I
guess they are reluctant to 'leave this money on the table'.
Which Model is Right for You
Barracuda offer their
product in seven different configurations. Depending on
the configuration you choose, there's a related impact on the
upfront purchase price and the annual maintenance fee for the
regular updating of their virus and spam definition databases.
You can see the current configuration options on Barracuda's
site at the bottom of this
datasheet. The pricing implications of your choice -
both in terms of upfront purchase and then annual maintenance
fee - can be seen
You should choose the most
appropriate unit based on several measures :
Number of Email Users
This can be a much
larger number than you think. For
example, with my own mail server that largely serves just me
alone, I have about 20 different email addresses. In
addition to my main email address, I have older now 'retired'
email addresses that stay semi-active for a while, I have
various system default email boxes (such as postmaster, abuse,
webmaster, etc), and different addresses to presort and help
manage incoming mail.
So don't just count users on
your system, count all the email boxes; this number might be
considerably larger than you think.
Number of Domains
This too can be larger than
you might at first think. Again, in my case, I've got one
main domain - TheTravelInsider.info. But I've also got
some domain aliases such as TheTravelInsider.com, and then I've
various other domains that have come my way for one reason or
another (eg DavidMRowell.com).
So again, make sure to track
down all the domain aliases that might be being incorporated
into your current mail server.
Extra Features Needed
Barracuda provide another
enticement to encourage you to choose a more expensive solution
- they successively add extra features to their larger model
The Models 100 & 200 are
functionally identical other than the limit on the number of
users and domains served.
The Model 300 starts to add
extra features which most companies will find almost essential (ie
per user settings rather than system wide settings).
The Model 400 adds some
extra management tools, and the three top of the line units
(Models 600, 800 & 900) are all identical in terms of
capabilities, varying only in the hardware configurations.
I was comfortable with the
limited capabilities of the Model 100 so that is the unit I
CPU Power and Configuration
This is a somewhat hidden
but vital consideration, and underscored the colossal
disappointment of the Barracuda server I trialed and then
subsequently was forced to return.
Barracuda's specification sheet shows some aspects of the
different hardware configuration for each model, but is silent
on a surprisingly vital issue - the CPU used, its processing
power/speed, and the amount of memory it has to work with.
I had assumed (shame on me!)
that these units would have adequately powered CPUs to drive
them at a good speed. After all, in a dedicated unit that
is lightly loaded, doing nothing other than filtering email, how
much CPU power would be needed? Not much, I thought.
How wrong could I have been?
With my Model 100 taking up to 30 seconds to respond to
requests, and with Support staff at Barracuda uniformly
acknowledging that this was not a configuration issue or an
over-tasked system, but rather nothing more or less than an underpowered processor, the hardware is
sadly inadequate for the task intended. More on that below.
There seemed to be an
admission by Barracuda that both the Models 100 & 200 have
similar CPU power, and a suggestion that the Model 300 has a
more powerful processor. They also have a public
demonstration server that is a Model 600, and assuming this is
not a 'tricked out' unit with extra processing power, it
presumably gives you a realistic feeling of how responsive you
could expect the Model 600 to be in your environment. I'd
first thought that a heavier loaded Model 600, doing more things
and handling more emails, would work slower than a lightly
loaded less featured Model 100, but that proved to not be valid
in actual testing.
Easy to Install (but....)
Adding a Barracuda Spam
Firewall to your mail server is very simple. Put the
server unit into your rack, give it an IP address, and turn it
you're looking at hosting anything - a
Barracuda Spam Firewall, an email
server, a web server, or whatever - it
makes no difference where in the world
it is located, other than that the unit
be located close to the 'center' of your
part of the internet.
Hosting services vary widely in cost and
in value, and the service they provide
is also a very mixed bag.
After extensive research, I've settled
on one company that is head and
shoulders above all its competitors.
Adhost, in Seattle, have an
extraordinarily positive customer
service attitude, and combine
instantaneous 24/7 support with
excellent competent staff and very fair
rates. They're directly connected
to several major internet backbones, and
have a wonderfully anally retentive
approach to security and data protection
that extends even to the point of having
a specially strengthened roof for
helicopters to land on with fuel loads
for their standby diesel generators (in
case some street obstruction/disaster
prevented getting fuel trucked in, and
always assuming their main power feed
Highly recommended. No matter
where in the country, or even in the
world, you are, you should try them next
time you're needing co-location services
for your internet servers.
all their wonderful help, there's never
a need for you to physically be at their
You need to make some simple
changes to the MX records in your DNS configuration, run through a quick and simple configuration utility on the
Barracuda box itself, then you're pretty much done.
The MX change is to switch
the MX record for your domain to point to the Barracuda box so
that all mail gets sent there first, and then to create a second
lower priority MX record for your main mail server, to which the
Barracuda box can then forward the spam-filtered remaining
emails, and which will also give you 'fail-over' capabilities so
if the Barracuda unit goes offline for any reason, mail has an
alternate path to get to you.
Two comments about this part
of the process. First, make sure, if you are having either
or both of these two boxes (Barracuda and Mail server) at a
co-located server farm, that you don't get charged double
bandwidth. You should have the bandwidth into the Barracuda
box measured, and the bandwidth out of the Mail server box
measured, but the data flows between the Barracuda and Mail
server boxes should be internal within the LAN and not charged
for by your ISP/Host provider. I had mine mis-configured to
start with and suddenly discovered a huge jump in GB usage.
Fortunately my host company (Adhost
- highly recommended, see box on right, above) quickly resolved both the issue and the
Second, I had some clever spammers sending direct to
the mail server's IP address and MX record(ie instead of sending
mail to email@example.com they would send it to
firstname.lastname@example.org) and thereby bypass
the Barracuda filtering step entirely. The solution there
is to give your old mail server name to the new Barracuda box,
and to create a new mail server name for your main mail server.
For example, if your
earlier, pre-Barracuda setup had a single MX entry, priority of
20, pointing to mail.yourcompany.com, with an IP address of
22.214.171.124, you should either point this entry to the new
IP address of your Barracuda box, and/or give the Barracuda box
this IP. You then would create a different record, say
mailtwo.yourcompany.com, which points to your main server
a priority of, say, 30. That way any mail directed to
email@example.com will now go to the Barracuda box
rather than shortcircuit it.
To make the install and
changeover work smoothly, it is a good idea to massively reduce
the TTL setting on the DNS entries a week or more prior to
installing the Barracuda server, so that when you make the
changes they will quickly flow out and into the general
internet. Once you have the new system all working and
you've decided to keep rather than return the Barracuda box,
don't forget to push up the TTL settings back to the 1 week
At this point, you're
probably feeling somewhat pleased with yourself and your new
Barracuda Spam Firewall. But now comes the sting in the
tail of the Barracuda - its ongoing administration.
Does the Barracuda Catch Spam?
Yes, the Barracuda does a
good job of catching spam, with perhaps 95% or so of spam being
trapped by the Barracuda unit. But note my earlier comment
- much of this spam should be caught by any half-way decent
email server anyway, so in terms of how much more spam it
catches, and how much better a job it does than your already in
place solutions, that becomes more difficult to evaluate.
Unfortunately, like most
other spam filtering systems, it also scores 'false positives' -
it will on occasion trap bona fide emails and label them as
A particularly annoying
example of false positiving was its tendency to label my own
weekly newsletters as spam. How stupid is that? And
while I could whitelist myself, I also see other company's
Barracuda spam firewalls bouncing back my newsletter to me each
week too. Poorly adjusted spam filters are a modern age
curse, and Barracuda's inability to correctly perceive my 100%
bona fide newsletter has to be a downcheck against it.
These issues are what
require you to regularly 'check under the hood' of the Barracuda
software and manage what it believes to be spam and not spam.
Administering the Barracuda
The good news is that much
of what the Barracuda does is automatic and 'behind the scenes',
and you can leave it to its own devices most of the time.
But you can't totally ignore
it. You really should check through its email message log
and confirm that emails which are being intercepted as spam
really truly are spam. Some of these you'll need to mark
as not being spam, and similarly, to get the best results,
you'll want to mark spams that slipped through the system as
being spam not bona fide. You'll be wanting to add senders
to your white list and generally tweak the system on a continual
but minor basis.
Administration is done
through a web interface. The interface is moderately well
designed and acceptably intuitive, and with good help material
One weakness is that some
things require item by item entry (eg whitelisting) rather than
allowing multiple entries to be added simultaneously.
Normally this would be a minor annoyance, but in the Barracuda's
case, it becomes a major problem, due to the massive weakness of
the entire system.
It is slow. No, not
just slow. It is * S * L * O * W * . It
is so slow that I found myself spending more time managing spam
through the Barracuda firewall than doing it 'the old fashioned
way' through Outlook. And there's absolutely no sense in
that whatsoever. Why pay thousands of dollars for
something that makes your life more complicated and less
Here is a table showing some
of the typical actions you'd want to be doing with the
Barracuda, and how long it takes to wait for the system to
complete its response on each occasion, with timings for both my
trial system and their own demo system.
Note that these unacceptably
long delays can not be explained by poor internet connectivity
at my end. I have tested in two different locations - one
with a fast fiber connection, the other with a fast DSL
connection, and have confirmed the multi-Megabit bandwidth by
using DSL Speed Tests on the line before and after the testing.
These delays are 99% due to the slow platforms on which the
Barracuda is based, and you are as likely to experience them as
in seconds, timed until screen completely
Multiple test results shown to indicate
spread of results
Barracuda demo server
2% - 22%
1% - 5%
Latency (time from receiving an incoming
email until passing it on to the main
39 - 80
<1 - 33
from Status to Message Log tab on main menu
next page of message log
35, 7, 9
person to whitelist
message as not spam
Basically, most of the time, whenever you click to send an
entry/command to the server, you're going to be waiting up to 30
seconds for the response on a lightly loaded Model 100, and
maybe 20 seconds on a very lightly loaded Model 600.
These are appalling response
times, and are completely unacceptable. Studies show that
people consider generally acceptable responses to be in the 2 -
5 second time range, anything much longer than that and the
whole feeling of interactivity is lost, and your concentration
breaks during the long interval between sending off an entry and
receiving its response.
What is particularly
perturbing is that the high powered Model 600, which sells for
$8,999 (wow!), and which usually showed a CPU utilization of only 1%, was
only slightly faster than the entry level Model 100 (which sells
for $700) and in one very frequent activity (moving through the
message log) it was often twice as slow! Would you be happy spending $9000 for a unit
that gave this sort of performance? And, just in case the
$8,999 cost of the Model 600 didn't surprise you, there is also
an annual update fee of $2,3999 - and, no you don't get the
first year of updates free as part of the purchase price.
So you're actually writing out a check for $11,398 (or even more
if you want their hardware replacement program for another
$1,999 too) for this underperforming box.
While the latency delays in
processing emails are not so important - it seldom matters
whether an email is received a minute or so faster or slower
than 'normal' - the administration delays for the poor person
tasked with managing the server are terrible and costly (at,
say, a $75/hr total cost of employment, it is costing 50c or
more in dead waiting time each time an entry is sent to the
server), and will massively detract from the job satisfaction
experienced by that person.
What is Barracuda thinking
when it tries to foist such terrible performance off on its
Price - Upfront and Ongoing
The units range in price,
with there being three cost components to each of the different
models - an initial purchase price, an annual updating fee, and
a hardware replacement fee.
The initial purchase price
does not include any 'free' period of updates, so the check you
cut to Barracuda will necessary include both the hardware and
also at least one year of updates.
The hardware replacement fee
is optional, and while there's a great convenience in this
service, there's definitely a matching cost premium to pay for
And don't forget to add - if
applicable - the extra costs of having this unit sited at your
co-lo facility. Even a very reasonable $75/month fee
represents another $900 a year in overall operating cost.
Pricing can be seen on
this page of the Barracuda site.
The Barracuda Spam Firewall
was probably an excellent product, some years ago. But the
state of the art has moved forward, and there are now better
solutions and at lower prices, and indeed the chances are your
current mail server may already have many of the Barracuda box's
capabilities built in to it.
The biggest weakness of the
Barracuda units are their inexplicably slow response times while
you're administering them. This makes what should be a
short and 'happy making' experience into a long slow and very
unhappy making experience.
The Barracuda units are
expensive, both in absolute terms and in relation to other
If you're wavering and
curious about these units, they do offer a 30 day free trial
where you either keep the unit after 30 days and pay for it, or
Related Articles, etc
If so, please donate to keep the website free and fund the addition of more articles like this. Any help is most appreciated - simply click below to securely send a contribution through a credit card and Paypal.
16 May 2008, last update
21 Jul 2020
You may freely reproduce or distribute this article for noncommercial purposes as long as you give credit to me as original writer.