We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.

Email Whitelisting and Best Practices

  • Last updated on

Whitelisting Campaign Emails

When you run a Barracuda PhishLine email campaign, emails are sent to your domain. These emails might be classified as suspicious by email security systems. Unless your intent is to test your email security system, you must allow or whitelist the Barracuda PhishLine campaign email domains to ensure they are not blocked and instead reach their intended recipients.

Work with your email security system vendor or administrator to allow the Barracuda PhishLine campaign email domains or the IP addresses for the Barracuda PhishLine mail servers. If you decide to whitelist by domain, include the email server domain you select when you configure the domain.

Emails coming from standard Barracuda PhishLine servers to your organization will originate from one or more of these IP addresses. Allow these IP addresses for the Barracuda PhishLine email servers on your email security system or service:

  • 64.132.201.82
  • 64.132.201.93
  • 74.203.211.2
  • 74.203.211.13
  • 207.67.44.178
  • 207.67.44.189

All SMTP servers sending emails for the Barracuda PhishLine-supplied domains identify themselves as mail.spearphish.com via their SMTP banner. The email envelope MAIL FROM command and the message RETURN-PATH header will be set to reply_xxxxxxxxxx@spearphish.com, where xxxxxxxxx is replaced with a random identifier.

IMPORTANT: Barracuda PhishLine will make updates, on or around 3/15/2019, to address changes in the Google and Outlook mail clients that now expose this information. The MAIL FROM command and the RETURN-PATH header will be set to an email address with the same domain as specified in the email template. The SMTP banner may also be subject to the similar changes as the MAIL FROM command and RETURN-PATH header. If you are using the MAIL FROM command or RETURN-PATH header to whitelist email messages from the Barracuda PhishLine system, you will need to whitelist based on the from email address or the from email domain. 

 

The SMTP domains are configured with both the Sender ID Framework (SPF) and the DomainKeys Identified Mail (DKIM) DNS TXT record types. The Barracuda PhishLine inbound SMTP servers identified by DNS MX records are used for receiving replies, delivery notifications, and out-of-office messages from your email system to Barracuda PhishLine:

  • 10 mail.spearphish.com (IP will be set to be identical to one of the IPs used below for mail1, mail2, or mail3)
  • 20 mail1.spearphish.com 64.132.201.93
  • 30 mail2.spearphish.com 74.203.211.13
  • 40 mail3.spearphish.com 207.67.44.189

Note: You can also configure the system to use third-party SMTP email servers for some campaigns. This is a non-standard option that requires additional whitelisting details.

Preventing Emails from Going to Junk Email

Office 365

To prevent emails from going to the junk email in Office 365:

  1. In Office 365, open the Exchange Online Admin Center. Navigate to Protection > Spam Filter.
  2. Create a new spam filter. Name it something like Allow <campaign_name> domain email.
  3. In the Allow Lists area, locate the Allowed Sender area. Enter the From email address(es) that you use in each of your campaigns (e.g., noreply@endtrust.net).
  4. In the Applied to area, add your domain information.
  5. Save this filter and make it a higher priority than the default spam filter provided with Office 365.

Note that you must perform these steps again for future campaigns that use different emails and domains.

Office 2010/2013

There are two ways to prevent emails from going to the junk email in Office 2010 or Office 2013.

Method 1: Safe Sender

Create a Safe Sender list and deploy it using Group Policy. Refer to this document for details: https://support.microsoft.com/en-us/help/2252421/how-to-deploy-junk-email-settings-such-as-the-safe-senders-list-by-usi

Method 2: Completely Disable the Junk Email Folder

Use a Group Policy to set the following registry settings to completely disable the Junk email folder in each user's Outlook client:

  • HKEY_CURRENT_USER\Software\Policies\Microsoft\office\14.0\outlook
  • DWORD: Disable Antispam
  • Value of 1 disables the junk filter

The Outlook Email client determines which content goes into the Junk email folder, and it is not controlled by Exchange.

Note that the Group Policy setting does not apply if your users use web mail to check their email. Refer to the next section, Disabling the Junk Email Folder in Office 365, for more information.

Disabling the Junk Email Folder in Office 365

You can disable the Junk email folder for all mailboxes by using PowerShell.

This technique is provided as an alternative method for handling junk and spam emails.  Your organization must determine if it is appropriate to remove Junk folders for all inboxes.

To disable the Junk email folder:

  1. Connect to your Office 365 instance with PowerShell.
  2. Run this command to get the current setting for all users:
    Get-Mailbox | get-mailboxjunkemailconfiguration
    When you initially run this script, the Enabled attribute (the status of Office 365's built-in junk email processing) is reported as True for all users.
  3. Run this command to disable junk processing on each mailbox:
    get-mailbox|set-mailboxjunkemailconfiguration -enabled $false
    This command sets the Office Junk Mail folder to False for all of the user mailboxes, including shared and service mailboxes. 

Office 365 Partner Connector Setup

To prevent IP addresses from being graylisted during campaigns, all clients using Office 365 must create a partner connector that includes IP addresses from Barracuda PhishLine’s whitelisting document.

For your Office 365 partner connector:

  1. Select Use the sender’s IP address and enter the following IPs:
    • 64.132.201.82
    • 64.132.201.93
    • 74.203.211.2
    • 74.203.211.13
    • 207.67.44.178
    • 207.67.44.189
  2. Ensure that Reject email messages if they aren’t sent over TLS is selected.
  3. Save the partner connector.

Additional Best Practices

The following sections describe additional methods of optimizing your setup of Barracuda PhishLine, but they are not required.

Landing Page Server Whitelisting

When users click a link within a campaign message, they are directed to an HTTP or HTTPS Landing Page server. The IP addresses of the Landing Page servers include:

  • 64.132.201.82
  • 64.132.201.92
  • 74.203.211.2
  • 74.203.211.12
  • 207.67.44.178
  • 207.67.44.188

You can also whitelist based on the domain name used for each campaign.

Administrative Web Application Whitelisting

Administrative functions are available using encrypted SSL/TLS at https://phishline.com hosted at one of the following IP addresses:

  • 64.132.201.82
  • 74.203.211.2
  • 207.67.44.178

We strongly recommend you use PhishLine’s multifactor authentication option for all administrative users.

Educational Content and Survey / Content Delivery Network Whitelisting

The Barracuda PhishLine servers are located in the Midwest region of the United States. With our worldwide customers, there is always a concern about reducing latency and bandwidth delays when showing educational videos. To solve that, PhishLine can distribute the read-only multimedia content using a reputable Content Delivery Network (CDN). While your users engage with educational content or surveys using HTTP or HTTPS, the servers can instruct your browser to download read-only multimedia content from the nearest CDN server. This allows the high-bandwidth components to be sent worldwide from local servers without transmitting, processing, or storing application data on those servers. You can choose to deliver educational content and surveys using HTTP or HTTPS (recommended). The HTTP option is generally only used to allow local caching of content to reduce bandwidth requirements.
To whitelist educational content and surveys, use the following:

  • https://phishline.com for TLS-encrypted sessions
  • http://phishline.com – for port 80 unencrypted sessions
  • http://*.phishline.com
  • https://*.phishline.com
  • https://fonts.googleapis.com
  • https://fonts.gstatic.com
  • Note: The CDN option is only used to distribute the Image Gallery components including MP4, WEBM, JPG, GIF, and similar file types. Barracuda PhishLine recommends you whitelist requests and responses for static multimedia content only. The web application and data collection are exclusively performed on the Barracuda PhishLine servers even with the CDN option.
Landing Page “Enable Local IP Detection”

There are two methods to enable detection of the local/non‐natted IP address of a browser.

Enable Local IP Detection

To enable JavaScript/Java Local IP Detection Logic, navigate to Campaigns > Landing Pages > Landing Page Manager, and select the Enable Local IP Detection check box. Note that this setting is disabled by default to minimize the chances that users would receive JavaScript, Java, or other errors/warnings on landing pages.  

When you enable local IP detection, each web page might attempt to create a WebRTC connection using stun:stun.services.mozilla.com. Be advised that Barracuda PhishLine does not control this server. Upon request, Barracuda can provide firewalled access to our hosted stun/RFC 3489 service. If you choose to block access to any/all stun services, the other techniques will be attempted, such as using a custom Java applet. This technique can help augment the data collected for Portable Media Campaigns, where no user information can be associated with the Smart Attachment.

X_FORWARDED_FOR Headers 

If you do not want to Enable Local IP Detection on a landing page, you can use industry-standard X_FORWARDED_FOR headers. Configure your proxy/NAT firewall to provide these headers. Depending on your network and risk environment, you might be able to configure it to selectively send those headers to the Barracuda PhishLine web servers rather than sharing with all sites.

Mail Transport Routing

Barracuda PhishLine strongly recommends a direct mail connection to your email server. This eliminates issues with antivirus/antispam filtering services. These filtering services can cause false clicks or block mock phishing emails entirely if they are not configured properly to whitelist the emails coming from the Barracuda PhishLine email servers. Using a mail transport to directly route emails from the PhishLine email servers to your mail server eliminates these issues. To implement mail transport routing, Barracuda needs direct access to TCP port 25 on your email server's external IP. This usually requires a new firewall rule on your company firewall that allows this direct connection. The only other requirement is to provide Barracuda PhishLine with your mail server’s public host name or public IP address.

Email Address Whitelisting

You might also combine the above whitelisting techniques with email account-specific rules based on the addresses used to send out each campaign. For example, you might choose to add noreply@neverclick.net to your safe senders list using Group Policy to facilitate delivery of campaign emails directly to user inboxes. Be sure to combine this type of whitelisting with IP/DKIM/SPF whitelisting. You do not want to whitelist a domain or account only to open the door to real attackers. It is also a best practice to disable all whitelist settings upon campaign completion.

Barracuda Customers

Access the following Barracuda links for whitelisting information for Barracuda Essentials - Email Security Service:

Gmail Customers

Refer to this support link.

As a G Suite administrator, you can help ensure that messages received from specific sending IP addresses do not get marked as spam. Do this by adding the addresses to an email whitelist in your Google Admin console. When you create an email whitelist for your G Suite account, it affects your entire domain. You cannot create email whitelists that apply to specific organizational units. See other settings you might use instead.

Other Usage Considerations
  • Malicious Code: Barracuda PhishLine will never intentionally send you malware. Therefore, there is no reason to ever whitelist antivirus or other malicious code filters. It is an important layer of protection you should keep in place.
  • Timing: If you are using domain-based or email-account‐based whitelisting, you will likely want to limit those to the duration of your campaign. Otherwise, you could enable real attackers to misuse your whitelist in the future.
  • Domain Name: Each campaign lists the domain names that will be used to deliver your campaign content. Some customers prefer to whitelist by domain instead of IP. Be sure to take measures to prevent real attackers from exploiting those whitelisted domain names for real attacks.
  • Email Accounts: Each campaign lists all of the email accounts that will be used to deliver your campaign content.
  • Web Pages: Each campaign lists the web page servers. If you choose to use the Content Delivery Network acceleration for Multimedia Content, you must add media.phishline.com as a domain name.
  • Message Content: Many filters examine actual message content. Within the message template editor, Barracuda PhishLine also provides a spam filtering score based on a popular antispam solution. To ensure delivery of messages, each campaign allows you to send test emails, so you can test the delivery of the messages and replies, while also confirming that the landing page links work.
Additional Help

If you have any questions about whitelisting, contact Barracuda Technical Support.

You can also whitelist Barracuda PhishLine for all of the following Barracuda email security systems and services:

 

Last updated on