Barracuda are morons

[fanf]

Try learning about SpamAssassin's notfirsthop DNS blacklist option, and why it might be a sensible idea, you utter cretins.

 This message was created automatically by mail delivery software.

 A message that you sent could not be delivered to one or more of its
 recipients. This is a permanent error. The following address(es) failed:

 zzzzzzzz@pts.edu
   SMTP error from remote mail server after end of data:
   host smtp.pts.edu [72.22.0.101]:
   554 Service unavailable; Client host [ppsw-5.csi.cam.ac.uk]
       blocked using Barracuda Reputation;
       http://bbl.barracudacentral.com/q.cgi?ip=86.165.170.59

 ------ This is a copy of the message, including all the headers. ------

 Return-path: <zzz99@cam.ac.uk>
 X-Cam-SpamDetails: Not scanned
 X-Cam-AntiVirus: No virus found
 X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
 Received: from [86.165.170.59] (port=51166 helo=[192.168.1.2])
           by ppsw-5.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.155]:587)
           with esmtpsa (PLAIN:zzz99) (TLSv1:AES128-SHA:128)
           id 1JHf30-0003CD-Il (Exim 4.67)
           (return-path <zzz99@cam.ac.uk>); Wed, 23 Jan 2008 12:49:42 +0000
 Mime-Version: 1.0 (Apple Message framework v752.3)
 Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
 ...

Comments

[hobnobs.livejournal.com]

Couldn't happen to nicer people... Anyone who installs a backdoor on the SMTP port of an email appliance unit deserves all they get.

[ronebofh.livejournal.com]

Whoa. Has this been discussed somewhere on the Web that i can read?

[hobnobs.livejournal.com]

I've not seen any back-and-forth discussions, but one write-up can be found at http://packetstormsecurity.org/papers/evaluation/Barracuda_Evil.txt .
I can personally confirm that the iptables entries are in there. (or "were" in my case, as they are no longer there now.)

It's not a universal backdoor, as it's limited to access from Barracuda Central, but as the person who defines and maintains our network security policies on the firewall, and also sets policy for email services, I find that kind of thing abhorrent.

(The link also shows a way to login via the Barracuda console, however I think Barracuda may have updated the main image at some point to not allow it to work. However, the "Failsafe" lilo entry still allowed it last time I needed to use it, so if you want to try it use that instead.)