Email “Protection Racket”?

April 28, 2009

Hal Pomeranz, Deer Run Associates

Today I received a rather alarmed email from one of my customers who’s on the faculty at a large research university here in the US.  Apparently, email originating from the server I’m maintaining for this customer is being bounced by the mail servers at the educational institutions that are users of our software.

Examining the bounce messages, I find that they’re originating from anti-spam appliances sold by Barracuda Networks, Inc.  Each bounce message contains a URL pointing you to an explanatory web page, which indicates that the messages are being bounced because the outgoing email servers for the Engineering department at this large university have been listed in Barracuda’s “bad reputation” blacklist.  There is a laundry list of reasons cited as to why these mail servers may have been listed, but no clear indication of the actual offense that caused these specific servers to be listed.

However, there is this little highlighted tidbit on the web page:

One way to get your email through spam filters even if you are listed on the BRBL is to register your domain and IPs at EmailReg.org. Email administrators can configure their systems to use EmailReg.org to apply policy to inbound email. Emails from domain names and IP addresses that are properly registered on EmailReg.org can be automatically exempted from spam filtering defense layers on Barracuda Spam Firewalls, preventing your email from being accidentally blocked.

Surfing on over to EmailReg.org I discover that getting your server address “properly registered” requires a $20 “administrative charge”– apparently per server.  Furthermore, it seems that EmailReg.org is at least receiving hosting equipment from Barracuda Networks.  There is little other information to be found regarding who exactly is behind EmailReg.org.

But let me tell you what it smells like to me– it smells like a “protection racket” being run by Barracuda Networks.  They can add arbitrary senders to their “bad reputation” blacklist and then prominently advertise the services of EmailReg.org as a mechanism for being removed from the blacklist.  Judging by the number of bounce messages my client is receiving, being blacklisted by Barracuda devices cuts you off from sending email to a significant number of organizations.  Many companies, even legitimate senders, will likely pay the $20 just to avoid the hassle.  If, as I suspect, Barracuda Networks is receiving some commercial gain from EmailReg.org, then this is conduct of the lowest order.

I have filed a complaint with the US Federal Trade Commission, asking them to investigate this matter.  I urge everybody who has had similar experiences to file similar complaints with the appropriate organization for your jurisdiction.

About these ads

12 Responses to “Email “Protection Racket”?”

  1. Barracuda, if I remember right, also donated a huge sum of money to emailreg. They are virtual owners likely. Barracuda also puts rules in their products to block emails that mention competitors. I’ve documented one of my experiences on my blog that was verified by Sunbelt CEO Alex Eckleberry.

  2. Nathaniel Hall said

    Prior to knowing that Barracuda automatically used the EmailReg.org system (or that they had anything to do with EmailReg.org) I considered adding the whitelist to my Barracuda system. I then found out Barracuda automatically uses the whitelist and AFAIK there is no way to stop using the whitelist. I love Barracuda devices, but this does seem questionable.

  3. Al said

    As an ex-Barracuda user who works in the email industry, I believe it pretty unlikely that Barracuda puts rules in their products to block emails that mention competitors. Almost all of my emails would match some sort of rule like that, and I never ran into any such issue.

    Specific to the actual topic, I do personally believe that Barracuda is behind EmailReg based on the data I’ve seen. I do agree that it raises a potential conflict of interest.

  4. @Al Yes, it is far-fetched, which is why I don’t bring it up much, but here is the link with the screen shot my customer sent me:

    http://jonsnetwork.com/2007/10/barracuda-blocking-sunbelt-software/

    Barracuda said the reason to block was *intent* (sunbelt-software.com).

    Another one happened to me about a month ago. The customer had been getting emails from me regularly, but an email that said nothing but “here is the link to download sophos” with the link was blocked.

  5. Abe said

    The problem is a lot more insidious than you have thought. Barracuda is apparently using the PBL ranges (those addresses listed as belonging to the major ISPs such as Verizon, SWB, etc. see: http://www.spamhaus.org/pbl/index.lasso regarding PBLs) which causes small business owners who send mail from their home PCs but use their hosted domains (username@mysmallbusiness.com) to get bounced by mail servers that reference zen.spamhaus.org, pbl.spamhaus.org, b.barracuda.org or any organizations that use barracuda appliances. This is a totally innappropriate use of PBLs. For a hosting provider to get ‘de-listed’, the fee of $20 for listing with EmailReg.org is per domain NOT per mail server, per year! If you check the IP address of EmailReg.org (64.235.146.64) you’ll find that it is none other than Barracuda Networks themselves:
    OrgName: Barracuda Networks, Inc.
    OrgID: BARRA-7
    Address: 3175 S. Winchester Blvd
    City: Campbell
    StateProv: CA
    PostalCode: 95008
    Country: US
    NetRange: 64.235.144.0 – 64.235.159.255
    CIDR: 64.235.144.0/20
    OriginAS: AS15324
    NetName: BARRAUCDA
    NetHandle: NET-64-235-144-0-1
    Parent: NET-64-0-0-0-0

    This is a total racket being put in place in order to extract annual fees from LEGITIMATE hosting providers. I can only hope that a class action suit gets started over this whole deal and that racketeering charges are pending. All I can say at this point is to pass the word that PBLs are NOT spam blocklists but rather ISP lists of user allocated IPs and PBLs (and default Barracuda appliance rules) should NEVER be used to control spam.

  6. [...] This, unfortunately, is quickly becoming another form of censorship thereby preventing some from sharing legitimite communications, all in the guise of keeping Spam away. Of course, you can use EmailReg for a fee of $20 per domain name in order not to be blacklisted, however; this just means companies like Barracuda are charging ransom for legitimate communications. Consider this article which further analyzes the situation: The Email Protection Racket. [...]

  7. Hank said

    It’s funny to see that Barracuda is telling people that registering with emailreg.org will remove them from the BRBL. Apparently, emailreg.org tends to disagree with that notion:

    “There appears to be some confusion that EMAILREG.ORG is a way to get off of some of the Barracuda IP Block lists (BRBL). This is not the case. Emailreg.org is primarily a whitelist of IP’s with domains. It does not have any impact on Barracuda Networks block lists such as the BRBL. If you want to be delisted from a Barracuda Block List please contact Barracuda Networks at their technical site: http://www.barracudacentral.org

    Source: http://www.emailreg.org/index.cgi?p=news&id=4

  8. Debbie said

    This seems so fraudulent! We are a small hosting company and Barracuda has blacklisted one of our servers 3 times in the past month – every time we contacts them we ask for DETAILS – never get any – but of course we see the green add for emailreg.org every time as well. Like we are going to pay 20 per DOMAIN???? with no way of setting up a feedback loop on our customers? AOL at least lets service providers work with them!

  9. Beau said

    Hal,

    Has there been any follow-up or response to your complaint that was filed with the FTC? I am interested in hearing how this starts to play out. Thanks.

  10. I never received a follow-up, but I wasn’t really expecting one. The way the FTC typically works, if they receive enough complaints about a particular company then they will investigate. So if anybody else is concerned about this issue, I would urge them to file their own complaints with the FTC. Perhaps then something will be done.

  11. Carl Nelson said

    can you post the address for the FTC you used? This is getting out of control

  12. I used the FTC’s on-line form at https://www.ftccomplaintassistant.gov/

    The more people that complain, the larger the documented “pattern of behavior”. This makes it more likely the FTC will investigate.

Comments are closed.

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: