[Owasp-leaders] Barracuda

Dirk Wetter dirk at owasp.org
Thu Feb 14 10:57:42 UTC 2019

Hi Matt and all,

On 13.02.19 22:03, Matt Tesauro wrote:

>   * Considering the recent vocal complaints about how unreliable email sent to the lists is,
>     it's surprising to see the same people argue for keeping this 'unreliable' service up and running.
>   * Barracuda's licensing (the anti-SPAM gateway upstream of Mailman) has expired and Barracuda
>     has not renewed the donation of those services.  I'm honestly surprised every time I can
>     still log into their web control panel - apparently they've not turned off our account
>     (yet) but could at any time.  Rough numbers show 2/3rds of inbound email to Mailman is
>     SPAM.  I'd love to hand that problem off to Google or Discourse rather than spend staff
>     time (and money) as we do currently.  There's also no way I'd suggest either running email
>     without SPAM filtering or having staff spend time running it themselves.

This is a completely different topic. But again: we have Google as our host for all other
incoming mail. There should be no added benefit (experiment, see below) to piping lists.owasp.org
through an appliance, as Google does an excellent job on SPAM protection already. So your
statement as you outlined it, at least the "without SPAM filtering" part, is utter bs, sorry. You would
need to compare the numbers to another inbound service.

If I understand your logic correctly, then in turn the protection e.g. on my personal owasp mail
address and my private gmail addresses should be poor. Which I personally definitely can't confirm.

What concerns me with the Barracuda are the frequent false negatives. Often mails don't get
through. And it's definitely not only me.

If we want to use Barracuda despite their expired donation, here are more thoughts.

Even if there's a false negative, the sender doesn't get a bounce with a reason. That's not strictly
RFC-compliant (https://tools.ietf.org/html/rfc5321, Section 3.6.3):

   If an SMTP server has accepted the task of relaying the mail and
   later finds that the destination is incorrect or that the mail cannot
   be delivered for some other reason, then it MUST construct an
   "undeliverable mail" notification message and send it to the
   originator of the undeliverable mail

This has become less common as spammers use forged Return-Paths (there's no
authentication in SMTP) and some folks don't want to bounce to forged paths.

The least I'd expect here, though, is to consider not silently dropping any message from
owasp.org mail addresses. And why not at least whitelist all OWASP mail addresses at the
Barracuda? There are SPF records anyway which prevent forged mails from domains other than
the ones mentioned.

Also, I'd love to see how much the Barracuda, in addition to the general Google MX protection,
really pays off for us. Why don't we do an experiment for a limited time, e.g. add a higher-priority
MX record (lower number) for lists.owasp.org pointing to our Google MX? Or the same priority, then you
have a 1:1 comparison.

Cheers, Dirk

OWASP Volunteer
Send me encrypted mails (Key ID 0xD0A74569)
