
Can I block invalid bounce or NDR messages on my Barracuda Spam Firewall? How?

  • Type: Knowledgebase
  • Date changed: 4 years ago

Solution #00003619

Scope:
All Barracuda Spam Firewalls, firmware versions 3.5.12 and above.

Answer:
Starting with firmware version 3.5.12, the Barracuda Spam Firewall is able to tag outgoing messages so that if they are blocked by a recipient, the corresponding bounce messages will be distinguishable from invalid bounce messages. The Barracuda Spam Firewall will then be able to allow the legitimate bounce messages and block the backscatter (for more information on backscatter, see Solution #00001720). This feature is called Invalid Bounce Suppression, and can be configured at the bottom of the Block/Accept > Sender Authentication page. Invalid Bounce Suppression is designed to reduce the number of bounce messages delivered to forged return addresses. Any bounce notice that does not include this tag will be blocked and recorded in the Basic > Message Log with a reason of Invalid Bounce.


In order to use Invalid Bounce Suppression, your Barracuda Spam Firewalls must filter all of your incoming and outgoing email. You can accomplish this in one of three ways:

  • If you have just one inbound Barracuda Spam Firewall, configure Outbound Relay (for setup instructions, see Solution #00002087). Once this is enabled, the Barracuda Spam Firewall should see all mail traffic in both directions. This will allow it to tag outgoing emails and evaluate incoming bounce messages appropriately when Invalid Bounce Suppression has been enabled. Please note that this has the potential to significantly increase the load on your Barracuda Spam Firewall, and if the Barracuda Spam Firewall is already near its limit (depending on traffic volume and model number), directing new traffic through it may degrade performance. If you would like to upgrade your Barracuda Spam Firewall to take advantage of Invalid Bounce Suppression, please contact your Barracuda sales representative.
  • Use both inbound and outbound Barracuda Spam Firewalls. If at least one dedicated outbound Barracuda Spam Firewall is filtering all outgoing mail, it can be configured to work with inbound Barracuda Spam Firewalls so bounce messages for outgoing messages will be recognized as legitimate by the incoming Barracuda Spam Firewalls.
  • Configure Invalid Bounce Suppression for each of multiple clustered Barracuda Spam Firewalls. If you are using only clustered inbound Barracuda Spam Firewalls, you will need to configure Outbound Relay for at least one of them. If you are using a group of clustered inbound Barracuda Spam Firewalls with one or more outbound Barracuda Spam Firewalls, the Invalid Bounce Suppression settings must be the same for all of them.
After ensuring that your Barracuda Spam Firewall(s) will filter all of your mail traffic in both directions, follow these instructions for each Barracuda Spam Firewall to configure Invalid Bounce Suppression:
  • Navigate to the Block/Accept > Sender Authentication page of the Barracuda Spam Firewall's web interface.
  • Under the Invalid Bounce Suppression heading, set the Suppress Invalid Bounces option to Yes.
  • Enter a Bounce Suppression Shared Secret. A non-null password is required for Invalid Bounce Suppression to be active. Changing this password will cause bounce messages that were tagged with the old password to be rejected. Because of this, once it is set, changing this password is not recommended. This string should be alphanumeric, and if you are using multiple Barracuda Spam Firewalls, it must be exactly the same for each Barracuda Spam Firewall. In a clustered environment, the Bounce Suppression Shared Secret will be synchronized across all Barracuda Spam Firewalls in the cluster.
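
The tagging and checking described above, sketched as an added example (not Barracuda's code). The page does not document the real tag format, so the `ibs=` tag layout, the HMAC construction and the function names here are assumptions; the sketch shows why every appliance needs the identical shared secret and why changing it rejects bounces for mail tagged earlier.

```python
import hashlib
import hmac

TAG_PREFIX = "ibs"  # hypothetical tag label, not Barracuda's real format


def _mac(secret: str, address: str) -> str:
    """Truncated HMAC-SHA256 over the lower-cased original sender address."""
    digest = hmac.new(secret.encode(), address.lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def tag_sender(secret: str, mail_from: str) -> str:
    """Outbound path: rewrite the envelope sender so it carries a keyed tag."""
    if not secret:
        raise ValueError("a non-empty shared secret is required")
    return f"{TAG_PREFIX}={_mac(secret, mail_from)}={mail_from}"


def classify_inbound(secret: str, mail_from: str, rcpt_to: str) -> str:
    """Inbound path: only bounces are checked; other mail passes through."""
    if mail_from != "":  # SMTP bounces/NDRs use the null sender, MAIL FROM:<>
        return "not-a-bounce"
    parts = rcpt_to.split("=", 2)
    if len(parts) != 3 or parts[0] != TAG_PREFIX:
        return "invalid-bounce"  # untagged: the original never left through us
    _, tag, original = parts
    if hmac.compare_digest(tag, _mac(secret, original)):
        return "valid-bounce"
    return "invalid-bounce"  # forged tag, or tagged under a different secret


if __name__ == "__main__":
    secret = "Example5ecret"  # constructed sample value
    tagged = tag_sender(secret, "alice@example.com")
    cases = [
        (tagged, secret),               # same secret on outbound and inbound
        ("alice@example.com", secret),  # backscatter to a forged sender
        (tagged, "Rotated5ecret"),      # secret changed after the mail was sent
    ]
    for rcpt, key in cases:
        print(rcpt, "->", classify_inbound(key, "", rcpt))
```
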
Additional Notes:
Barracuda Spam Firewall model 100s can be configured to use Outbound Relay (and Invalid Bounce Suppression), but in accordance with the limits of the model 100, only those users present under the Users tab will have their outgoing messages tagged (and thus be protected from invalid bounce messages). Barracuda Spam Firewall 100s cannot be used as dedicated outbound Barracuda Spam Firewalls.

Link to This Page:
https://campus.barracuda.com/solution/50160000000HN7VAAW