The Barracuda Email Security Gateway Rate Control feature protects the system from spammers or spam-programs (also known as "spam-bots") that send large amounts of email to the server in a small amount of time. Rate Control is configured on the BLOCK/ACCEPT > Rate Control page.
As part of the Connection Management Layer, the Rate Control mechanism counts the number of connections to the Barracuda Email Security Gateway in a half hour period and compares that number to the Rate Control threshold, which is the maximum number of connections allowed from any one IP address in this half-hour time frame. If the number of connections from a single IP address exceeds the Rate Control threshold within the half hour period, the Barracuda Email Security Gateway defers any further connection attempts from that particular IP address until the next half hour time frame, and logs each attempt as deferred in the Message Log with a Reason of Rate Control.
In this case, for each message deferred, the sender will receive a 4xx level error message instructing the mail server to retry after a predefined time interval. Well-behaving mail servers act upon the defer message and will try sending the message again later, while email from large volume spammers will not retry sending the email again.
When Rate Control Takes Effect
When Rate Control is first enabled on the Barracuda Email Security Gateway, or after a change is made to the Rate Control threshold, five (5) unique IP addresses must connect before Rate Control is invoked. This is to take into account that you may have another appliance receiving email (i.e., a front-end Mail Transfer Agent (MTA) or a known forwarder) before the Barracuda Email Security Gateway. Once 5 or more IP addresses have made connections to the Barracuda Email Security Gateway, it indicates that mail is also coming in from other outside sources and rate control should be applied.
Exemptions from Rate Control
You can exempt trusted IP addresses from Rate Control by:
- Adding a trusted IP address to the Rate Control Exemption/IP range list, – OR –
- Adding the IP address to the Allow List on the BLOCK/ACCEPT > IP Filters page under Allowed IP/Range.
Also, any IP address that you enter as a known forwarder on the BASIC > IP Configuration page will be exempted from Rate Control.
When configuring Rate Control, keep in mind the following
- A rate of 50 is conservative
- Some customers can lower this safely
- Caution – False positives can be hard to diagnose
- Common setting is for 20-30 emails/ half hour
- High volume recipients may need to either set the Rate Control Threshold above 50 and/or list IP addresses from which they expect to receive a high volume of email in the Rate Control Exemption/IP Range list.