Barracuda greylisting emails where sending domain uses Cloudflare

I have Barracuda ESS with roughly 40 customers on it. Every domain uses Cloudflare for its authoritative DNS.

When I send an email even though I am using Office365 and my outbound email goes through Barracuda itself, my client who also is on Barracuda ESS, has the email delayed and with O365 that can take hours.

When it stops the email it says: Messaged was deffered due to suspicious (nameserver for domain.com: aria.ns.cloudflare.com).

Barracuda has confirmed they do this behavior and I am making them turn it off, but as an FYI, even if you do nothing else, just having the domain using Cloudflare (paid or free) causes Barracuda to greylist that email.

What I don’t understand is why isn’t anyone else posting about this? This has to affect more people.

Does Cloudflare even know about this? Would they like to weigh in?
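To measure how many sending domains are hit by the deferral described in the post above, here is an added example (not part of the thread and not Barracuda's code). It tallies deferrals by the nameserver's provider zone; the tab-separated log layout, the `deferrals_by_provider` and `ns_provider` names, and all sample rows are assumptions, and only the reason wording comes from the post.

```python
import re
from collections import Counter

# Reason text as quoted in the post (poster's spelling kept); only the part
# inside the parentheses is matched. The log layout itself is an assumption.
REASON_RE = re.compile(
    r"suspicious \(nameserver for (?P<domain>[^:\s]+): (?P<ns>[^)\s]+)\)",
    re.IGNORECASE,
)
REASON = "Messaged was deffered due to suspicious (nameserver for {}: {})"

# Constructed sample export: timestamp, sender, recipient, action, reason.
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ("2020-05-04T09:12:01Z", "a@domain.com", "b@client.example", "Deferred",
     REASON.format("domain.com", "aria.ns.cloudflare.com")),
    ("2020-05-04T09:40:17Z", "a@domain.com", "c@client.example", "Deferred",
     REASON.format("domain.com", "aria.ns.cloudflare.com")),
    ("2020-05-04T10:02:44Z", "x@other.example", "b@client.example", "Deferred",
     REASON.format("other.example", "Bob.NS.Cloudflare.com.")),
    ("2020-05-04T10:05:09Z", "y@third.example", "b@client.example", "Allowed", ""),
    ("2020-05-04T10:07:30Z", "z@fourth.example", "b@client.example", "Deferred",
     "recipient server busy"),
])


def ns_provider(ns_host):
    """Reduce a nameserver host to its last two labels (no public-suffix list)."""
    labels = ns_host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def deferrals_by_provider(log_text):
    """Map NS provider zone -> Counter of sending domains deferred because of it."""
    summary = {}
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5 or fields[3] != "Deferred":
            continue
        match = REASON_RE.search(fields[4])
        if not match:
            continue  # deferred for an unrelated reason
        provider = ns_provider(match.group("ns"))
        summary.setdefault(provider, Counter())[match.group("domain").lower()] += 1
    return summary


if __name__ == "__main__":
    for provider, domains in deferrals_by_provider(SAMPLE_LOG).items():
        print(provider, dict(domains))
```
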

To a certain extent, probably yes. But what should they do?

Cloudflare does not handle emails at all. If a third party decides to blacklist, block, suspend based on criteria completely unrelated to emails (nameservers and webservers) there is only so much that can be done. This third party will have to re-evaluate their approach and change their criteria.

I understand they don’t handle emails. I’m not saying that. They do DNS. The issue is, CF is the largest DNS provider or at least the top 3. They handle primarily businesses, and they are quite darn expensive to boot.

Barracuda is the top 5 of antispam providers, that is causing detriment to CF customers because Barracuda doesn’t like CF.

What should they do? Well they are a big corporation that has millions of dollars. Do what every other big corporation does, sue people. Or at least have their attorneys send over a very strongly worded cease and desist letter. Maybe open dialog and ask nicely, “hey Mr. Barracuda can you not block us?, what can we do to stop that?” I’m assuming barracuda will reply and provide a list of issues that could possibly cause more spam to come from fly by night domains that serve no purpose except spew billions of spam messages per hour.

Normal stuff. If someone was blocking my customers for something I did, that’s what I would do and while my business may make a few million I don’t have millions to spend on attorneys.

If Barracuda wants to block emails from Shopify, Zendesk, Montecito Bank & Trust, Quizlet, and 13% of the Fortune 1,000, then so be it. Their customer base will have to deal with this or change systems.

Still, the issue is not the website that is proxied by Cloudflare but the emails and Cloudflare is not involved in that channel at all.

If you are concerned by that you would need to talk to either Barracuda and/or the recipients of your emails so that they stop using Barracuda.

Barracuda simply uses the wrong criteria and there is not much you can do except convince them to fix their assumptions or stop using them.

Even the mostest flightest by the nightest spam domains won’t send spam via Cloudflare. A webserver cannot send spam because of its very nature. The issue is not the site or whatever is hosted by the webhost or proxied by Cloudflare, the issue is the mail server which accepts and forwards these messages.

I think there is a major misunderstanding: I run an MSP and I’m an engineer. I know how the internet works.

I provide Cloudflare to my clients because netsol and godaddy have ■■■■ DNS. I also have DNSMadeEasy for people where I need DNS load balancing because $60/yr is cheaper than $20/month.

I also provide Barracuda ESS to provide email security because best practices.

Just changing Barracuda could cost thousands in work hours. It would actually be easier and quicker to change their DNS provider. For anyone that invests in CF or “cares” about CF that should be a “oh, that is not super good” moment.

What Barracuda is alleging, is that these “fly-by-night” domains are using Cloudflare’s DNS and that alone is a marker to greylist the email because those domains won’t waste the time to resend a message. Just most mail servers don’t retry messages in minutes, it is usually hours.

Clearly you don’t use Barracuda or even know who else uses Barracuda’s engines. It’s not just Barracuda, it’s every system that uses Barracuda’s threat engines. How soon does this move to their firewalls and emerging threat lists?

Barracuda is kind of a big deal and when they wage war on someone you would expect that someone to, oh I don’t know, do something?

I am not saying Barracuda isn’t being a bunch of morons. The private equity firm that also owns Barracuda is looking to buy F5 and others. Like how a Maserati can have Fiat parts, that PEF will use IP from one for use in the others. Things have a way to spread.

I understand your concern, but it does not change the fact that Barracuda simply uses wrong criteria. Can we at least agree on that?

I also understand that Barracuda might be established to a certain extent (and yes, I am not overly familiar with their services) but the only thing Cloudflare could do is give in to their ransom attempts and deactivate every domain Barracuda does not deem worthy to be online. That won’t be a reasonable approach either, don’t you agree?

The bottom line is, it is IP addresses which are involved in spam, not domains and particularly not webservers or any web proxies.

So again, what should Cloudflare do?

And yes, I did read your suggestion to “sue” but I do not think that would be all that easy. Plus, Cloudflare probably has better use for such resources than to enter the legal arena over such an issue. If not, they’d have probably already done so.

Overall I do not think posting here on the forum will achieve much. You can certainly contact their support team or via their Facebook and Twitter accounts, but I wouldn’t count on that being more effective than posting here. Maybe contacting Matthew Prince directly on Twitter would get you somewhere, but that is all just speculation of course :)

We have no disagreement in part on that first point. In threat analytics there is a benefit to looking into unrelated criteria. Like when the CIA is tracking a bad guy, they may look into his/her favorite beverage or snack food and then look into where that company is shipping said product where they may have no real market presence. However, you use that only as a single piece in a larger equation. Barracuda is using that as the only part of an equation that takes a direct action based on it. That part is wrong. Just because my analytics says that xx% of spam emails are using domains with CF as the DNS provider, doesn’t mean one should use that as the only criteria. But should it be ignored? No, not quite.

Now, what can CF do? They have actually quite a few things. One would be to open a dialog with Barracuda and come to a resolution. For example if Barracuda starts reporting mass abusive domains to CF, then CF could disable DNS for those accounts until the owner responds. Also, CF could make it harder for people to have bots make massive amounts of accounts for free DNS.

Then of course there are the less peaceful ways and that is just throwing attorneys at Barracuda until they stop. If they do so physically with a catapult, they should also totally put that on YouTube.

But then there is the other side of that coin. If CF has an issue, and I would call that an issue with some sort of loophole or backdoor that allows evil spammers to create hundreds of fake accounts to register DNS for domains whose sole purpose is to send spam or do bad things with then maybe some people wouldn’t want their domain associated with that.

Not saying that is true. But at least CF looking into it, possibly have a blog post. They can reach out to Barracuda and try to resolve the issue. Post it all publicly.

Maybe, just maybe Barracuda has a legit reason. Maybe they sent abuse requests for maybe a small number of accounts that have hundreds or thousands of spam domains. Disabling those accounts could literally have a measurable effect on spam.

It does not appear as if this was a priority for the time being. No offence, just being honest :)

I certainly hope they would not. There is a way to report abusive domains and Barracuda can follow that. I could imagine there are even ways to automatically submit such reports, however nothing should be disabled just because a third party makes a claim.

And again, we are talking here about spam which is unrelated to domains and proxies. Just to be clear on that.

Agreed, but I am sure there are such tools in place already. Again, sending emails is something which is going entirely past Cloudflare.

Overall I would really suggest to take the steps I mentioned in my previous message. Posting on the forum won’t get you very far I am afraid.

I don’t use social media and CF’s support is well “highly specialized” and not very capable of issues that can’t be resolved with the CF knowledge-base. But it is good to know that CF literally doesn’t participate in their own community.

Snarky remarks are not really helpful either ;)
Cloudflare does participate in the forums, but not the people who will call the lawyers at two in the morning.

You don’t need to become a Twitter aficionado in order to create an account and message Matthew Prince. Though, again, I’d be careful with the expectations I’d place in such a message.

I understand your concerns and I partially agree, but I am still not sure Cloudflare is the right place for this complaint to begin with.

Not looking for pitchforks or fanged lawyers. Was just seeing if a.) anyone else had this issue and b.) if CF watches this if they have any clue why. and c.) if they are aware, are they doing anything to mitigate it.

But CF is the right place for at least part of it. You even admitted you don’t know much about Barracuda. If you did truly understand the gravity of the situation you would really understand what I am explaining and then making CF aware would result in a big action.

Remember when Google started blocking Symantec SSL certs? Guess who no longer does SSL certs? Okay, sure, Barracuda isn’t Google. But Barracuda is leaps and bounds higher up the food chain than Joe’s Sandwich Shack. I would say the company that owns Barracuda is 1/3rd of Google. But 1/3rd the weight of a big rig will still crush a human.

The lawyer thing was merely because that is how big companies operate. I’ve dealt with a lot of companies. The second millions becomes billions, they use lawyers to wipe after using the restroom. It doesn’t matter how tight the skinny jeans, liberal the world views and thicker the millennial or Gen Z beard of the CEO. You need to break a few eggs to make an omelette, just saying. Even vegans, need to pulverize soy beans in vats of caustic chemicals to make a tofu omelette.

That and a person with a day old twitter account with zero other posts does a “hashtag” or whatever will make as much difference as a 6cm snowball chucked into the sun.

So basically, I make a support ticket and you get the obligatory “Hi because of the virus, it will take weeks or months to get even a response, don’t hold your breath.” And if I hear anything back it will usually be that I don’t spend enough money with them to get support ticket responses and go away or give them more money.

I guess then that means I just do not use CF for DNS. Sure I don’t mean excrement to anyone at CF. Me stopping using CF makes literally zero difference. But what about the next person, and the one after that. And the one after that? I like CF. I want to keep using them. DNS hosts that don’t stink are few and far between. Remember Bind 9 and 2048 DKIM keys? A good DNS is a bad thing to waste.

I find your remark, concerning my “confession” of being only superficially familiar with them, interesting as that seems to be a classic case of using one’s words against him ;). I cannot and do not want to comment all that much on the company, but their annual revenue appears to be under $100 million. In comparison, Namecheap clocks in at more than 1.5 times that much and while they certainly are a popular registrar, they are not the deciding factor. So forgive me if I downgrade the alleged importance of Barracuda just a bit ;)

Anyhow, as I said earlier I partially understand your concerns but the community here won’t be able to do much. You said it yourself, you are not looking for pitchforks, so you won’t expect “us” to show up like that, will you?

I understand your frustration of being almost blocked because you use certain nameservers, but that still is a subject you should primarily take to Barracuda. Many spam lists still block based on A records (which is ridiculous on its own) but if we now even add NS records to the mix, we really have to ask where the boundaries are. What’s next? Blocking the power company because they provide electricity to datacentres? Block registries because domains are registered with them?

And no, I am not kidding, the latter actually happened in 2007 when Spamhaus arbitrarily blocked a registry because they refused to deactivate domains upon their request.

I wasn’t using your words against you. I like namecheap but 1.5x is only like $150MM. That’s not even a spare jet. Namecheap has a decent DNS, for a registrar.

I get the whole fight against spam. I know what spamhaus did, on many, many occasions. I remember when a certain blacklist blocked all of Comcast. But there comes a point where companies need to work together. Spamhaus blocked a registrar because they didn’t want to deactivate domains. This isn’t criminal courts. You can’t call the US Attorney and have them convene a grand jury trial to see if the domain holder is guilty. You can’t even sue in civil court because spamhaus or barracuda wouldn’t be the grieved party. It would get dismissed.

That is why you have cooperation. Just because CF has an abuse policy doesn’t mean it is any good. CF is all about “privacy” and that may translate to a more pro-defendant stance that may be just too much pro-defendant.

Let’s put it this way, if you are sending viruses from your internet, sending spam through your domain or downloading adult movies from a torrent site you are either Guilty, Complacent or being taken advantage of. Either way, you are responsible. Sure, have mercy if you have a malware infection, but at least require the removal of the tumor. I’m sure if CF did that, Barracuda would back off.