Proofpoint: How to make email miserable to use

Apologies to the non-technical readers. Some parts of this rant are a bit technical. But most of it should make sense to most readers.

This past fall, Grinnell College decided to install the Proofpoint spam protection service on our email system. Now, I certainly understand the need for spam protection. There is way too much spam. But the goal of a spam protection service should be to make your life easier, not harder. And Proofpoint clearly makes my life harder. Why? Let’s look at some reasons.

First, and most importantly, Proofpoint protects URLs. That is, it takes any URL that appears in an email message you receive and makes it direct to one of their servers, where they check to see whether or not it’s valid and then redirects to the appropriate location. For example, suppose Amazon sends me a message like the following.

Dear Amazon.com Customer,

See this week's new music!

http://www.amazon.com/gp/browse.html/ref=pe_supersubjectlink/?ie=UTF8&node=307026011

Instead of that message, I get something more like the following.

Dear https://urldefense.proofpoint.com/v2/url?u=http-3A__Amazon.com&d=DQIFAg&c=HUrdOLg_tCr0UMeDjWLBOM9lLDRpsndbROGxEKQRFzk&r=6rcUljFJZnpk5uomPd3v3WCzboqh0RuwO-BZyxMfi0U&m=fo458hhJrF87dIYyHwDAWZkegyOy6sGJVAGrntX1mP0&s=2r8EJkvOhZj1zr2Emwwgjav6t4vvg-O42jL_dHQUDkk&e= Customer,

See this week's new music!

https://urldefense.proofpoint.com/v2/url?u=http-3A__www.amazon.com_gp_browse.html_ref-3Dpe-5Fsupersubjectlink_-3Fie-3DUTF8-26node-3D307026011&d=DQICaQ&c=HUrdOLg_tCr0UMeDjWLBOM9lLDRpsndbROGxEKQRFzk&r=6rcUljFJZnpk5uomPd3v3WCzboqh0RuwO-BZyxMfi0U&m=WQlZQItScdT7feAdRWA96BPThpNgqjCFcXEDdMoYBTk&s=vYDegbEPK2TILjuGa8Nb7qxaFDk7cwzl1lOkD52e_KA&e=

That’s right. Not only did it change the URL in the message to something that I can’t read, it also changed Amazon.com to something I can’t read. Who cares if people can read their email? At least it’s safe.

Proofpoint is also aggressive about changing things that might by site names to protected URLs. For example, if someone writes to me about Web services and says

Have you tried haml.rb on a Node.js server?

The message I get says

Have you tried https://urldefense.proofpoint.com/v2/url?u=http-3A__haml.rb&d=DQICAg&c=HUrdOLg_tCr0UMeDjWLBOM9lLDRpsndbROGxEKQRFzk&r=6rcUljFJZnpk5uomPd3v3WCzboqh0RuwO-BZyxMfi0U&m=DmoxnEjN2hRl9XiigsgXIg_9HROvObWYCLCX-aYhZCo&s=a-NQAgTh9ladcMIlklxm1FnXIFambZJaXoF_x4z6s2E&e= on a https://urldefense.proofpoint.com/v2/url?u=http-3A__Node.js&d=DQICAg&c=HUrdOLg_tCr0UMeDjWLBOM9lLDRpsndbROGxEKQRFzk&r=6rcUljFJZnpk5uomPd3v3WCzboqh0RuwO-BZyxMfi0U&m=DmoxnEjN2hRl9XiigsgXIg_9HROvObWYCLCX-aYhZCo&s=3gVxYxxmljpf7wphNFOjxu0Ll06JH1yLOEZ6BAm2VtA&e= server?

I dare you to read that!

They also seem to think that any four numbers with dots between them should be protected. Suppose a German phisher writes me the following message.

Our client has left you 500.000.000.000 Euros!

Instead, I get this much safer request.

Our client has left you https://urldefense.proofpoint.com/v2/url?u=http-3A__500.000.000.000&d=DQICAg&c=HUrdOLg_tCr0UMeDjWLBOM9lLDRpsndbROGxEKQRFzk&r=6rcUljFJZnpk5uomPd3v3WCzboqh0RuwO-BZyxMfi0U&m=vppZ9BGkRx0OQXQ5bvasdGB8rHyHdO-cRar5WvbqGdQ&s=WL0NaP3yYZv23KsMRUmmF0izq90Glwd5GxpeY6E6JVI&e= Euros!

Of course, when I click on the link, it leads nowhere (because 500.000.000.000 is not a valid address).

It wouldn’t be so bad if they provided a way to retrieve the original message. But that’s not part of their strategy. I’ve hacked something together (ah, the joys of knowing programming, particularly regular expressions), but as far as I can tell, they protect the terms amazon.com and http://amazon.com identically. That means that there is no way to go back to the original message. (They also add some extra spaces and other things.)

It also means that I can’t readily forward email to colleagues outside of Grinnell. What computer scientist would trust someone who provides links that clearly go to the wrong site? (So yes, almost every time that I need to forward a message, I have to run it through my script or manually change the links. Our ITS department seems to think this is acceptable.)

I also think that URL rewriting leads to bad habits. Sensible people read URLs. Proofpoint defended URLs are unreadable, so it’s impossible to read them, and you just click them and hope for the best.

And, as Grinnell talks about accessibility, it’s clear that these defended URLs are not accessible. Just think about the joy of having to listen to one of those URLs!

The obtrusive and incompetent URL rewriting alone is enough to make me despise Proofpoint, but it gets worse!

They clearly monitor the links we click. Our ITS department tells us to trust them that they don’t use the information except for appropriate purposes, but they clearly keep the information for awhile, because it sometimes takes a few hours for them to determine that a link you click is dangerous. Are we sure that they don’t do anything else with our data? I’m told, Trust us. It’s difficult.

They break some of the links. I haven’t been able to come up with a particular characteristic for those links, but every once in a while I get something that should have been a valid link and is instead invalid.

Proofpoint also delays messages as it thinks about URLs. I’ve clicked reset my password links on credit cards and it’s taken so long for the message to get to me that the company times out the password reset opportunity.

And they store some of our email on their servers. These are messages that are quarantined; not quite spam, but things that they don’t think we’d like to read. I think keeping email on a non-Grinnell server is a FERPA violation. (I’m told that our lawyers don’t think so. But we had to make Microsoft an officer of the college in order to let them store our messages on their servers without violating FERPA.)

To make matters worse, the software was broken for the first six months or so that we had it, so things ended up in the quarantine, but Proofpoint did not notify you that they had quarantined anything. Who knows how much mail got lost? I know that I missed a few student questions that came from their Gmail accounts.

And, as you’d expect, Proofpoint customer service is a black hole. The known issues go in. Nothing changes. When I ask about updates, I’m told that they know about the problems I reported, and that they have provided us with no estimate as to when those problems will be fixed.

It’s lovely to see how software makes our lives better.

I do understand that too many people on campus fall victim to phishing links and that we need to increase protection. However, we should be choosing software that is sensible and that provides mechanisms for people to read their email in its original form.

My favorite email to get urldefended is the regular Risks in Computing Systems digest, which is filled with URLs and whose subject matter includes the danger of using systems that can track your actions.

While using Proofpoint frustrates me, at least I don’t have a broken $20,000 computer that ITS refuses to ship back to the manufacturer while it’s still under warranty [1].

[1] Followup from a few months after I wrote the essay. Yes, ITS shipped it back. But I still think it took the faculty member six months to convince them to do so, and we even had SNAFUs when the computer came back to campus.

Version 1.0.1 of 2016-10-02.