Ok, I am little irritated as I write this. Over the last two days I have received the following rejection message from email that was sent out by one of my colleages, and delivered through one of my two Exim MTAs:
xxxxx@xxxx.xx.xx
SMTP error from remote mail server after RCPT TO:<xxxxx@xxxx.xx.xx>:
host xxxx.xxxxxxxxxxxx.xxx [xxx.xxx.xxx.xxx]: 554 Service unavailable; Client host [xxx.xxx.xxxxxxx.xxx] blocked using Barracuda Reputation; http://bbl.barracudacentral.com/q.cgi?ip=207.XXX.XXX.XXX
This surprised me, as the server in question is not an open relay, and we do all the obvious stuff, we publish SPF, SENDERID and we sign all our outbound messages with domain keys.
More ever, we do have a mailing list (with which we go to considerable lenths to ensure that is complies with the CAN-SPAM act), but that list we send to using Campaign Monitor (who by the way have an awesome product), so these MTAs are used purely to send mail that may be generated by our Exchange server and acknowledgments from our website when folks buy something from our shopping cart or make an online donation to support one of our programs.
Anyway, following the link to barracudacentral.com, and clearing their captcha protected lookup page — to ensure that I am indeed a human — I am presented with the information that this IP has a reputation of “poor” on the Barracuda Reputation System, and that I can request removal. It also goes on to say that Barracuda personally verifies all IP addresses that are marked as “poor” in the Barracuda Reputation System.
Sounds good so far right? I mean having to manually verify that you are indeed not a spammer, whilst not something I personally think is a really smart idea, is certainly not a new idea, and I guess it does work?
Just below that they however have this little brilliant little capitalistic masterpiece:
Many Barracuda Spam & Virus Firewalls are configured, as a policy, to automatically deliver email that comes from sources that are properly registered at EmailReg.org.
Sounds good, however EmailReg.ORG wants an “administration fee” for you to register your IPs with them. Now I am smelling a rat. So, who owns EmailReg.ORG.
[clementsm@ux1 ~]$ whois emailreg.org
…
Registrant ID:77b4c5687ae40560
Registrant Name:Whois Agent
Registrant Organization:Whois Privacy Protection Service, Inc.
Registrant Street1:PMB 368, 14150 NE 20th St - F1
Registrant Street2:
Registrant Street3:
Registrant City:Bellevue
Registrant State/Province:WA
Registrant Postal Code:98007
Registrant Country:US
Registrant Phone:+1.4252740657
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:tsbnwxhk@whoisprivacyprotect.com
…
Somebody has gone to considerable lenths to protect their identity, particularly when you are claiming to be a Good Guy, maintaining this universal list of Bad Guys, yet you yourself are hiding behind a veil of anonymity?
Lets turn to Google. Well, low and behold, seems from a multitude of reports that Barracuda are actually the guys behind EmailReg.ORG, so now I must ask “why do they try to hide their ownership of EmailReg.ORG”. Could it be the same reason why we humans usually try to hide or mislead others — because we know it is not above board?
What a brilliant way of drumming up some extra cash for your security organizaton. Have people register themselves on your service, and a couple of hours later, every one of your firewall devices magically starts to allow those IPs through…
{ 2 comments… read them below or add one }
I have seen a few of these in the past few days:
host scanner.tabletoptelephone.com [63.235.184.34]:
554 Service unavailable; Client host [mymailserver] blocked using Barracuda Reputation; http://bbl.barracudacentral.com/q.cgi?ip=myipaddress
So who are these email hosts who are using this company? I’m glad I found your post. I thought, “Well if $20 will help get my newsletter out to more of the subscribers, it’s worth it.” But, you’re right, this is extortion. I’m also very careful to comply with CAN-SPAM and don’t send newsletters to anyone who hasn’t signed up, that’s not to say people don’t get lazy and mark us as spam rather than clicking the “unsubscribe” link when they are no longer interested in getting the newsletter.
Just got a dose of this treatment this morning for one of my clients. Clearly, if you have a spam-bot behind your firewall (as they claim) transmitting SPAM, you deserve to be blacklisted. However, in this scenario, you might have a spam-bot, but you registered your domain and paid $20, so it’s going to be OK. This logically makes zero sense. A scam for sure.