Unixronin

Tuesday, February 26th, 2008 08:52 am

My current ISP uses a product called Proofpoint to filter spam.  And it is without a doubt the most useless spam-filtering product EVER.

How doth it suck?  Let me begin to count the ways...

  • Let's start with the fact that its false positive rate, in my experience so far, has exceeded its hit rate.  (Granted, on the email addresses subject to its whims, I get very little spam.)
  • Only two actions are possible on a message quarantined as spam:  release it for delivery as non-spam, or safelist it for delivery for all time as non-spam.  Even if you're 100% certain it's spam, you can't delete it from quarantine — all you can do is wait until the system deletes it automatically (after 30 days, I think).
  • There is no way to inspect a message in quarantine.  So if you aren't sure whether a message it has quarantined is spam or not, you have three choices:  Release it and pray it's not a virus, safelist it and pray it's not a virus, or leave it in the quarantine and hope it really is spam.
  • It frequently seems to munge the originating domain of quarantined messages, further confusing the issue.
  • You can't even set it to tell you in real time when it's quarantined something.  It automatically generates a report every night (by default, only if it blocked something during the previous 24 hours).  If you want to go and check during the day, you have to go and manually tell it to generate a new report.  And that report will list EVERYTHING ... so, if you get a lot of spam, expect to do a lot of wading through reports looking to see what's new, because at any given time there's going to be 30 days' worth of spam in your quarantine.  What, you say "But 30 days of spam is several thousand messages"?  Sucks to be you, if you have to deal with Proofpoint.
  • Speaking of settings, there is a management interface, but navigation through it is bloody horrible.  There isn't even any way to look at your quarantine online and see what's in there.  You can manage your settings, to a limited extent, but there's zero online help, and the management interface is unintuitive and leaves you guessing as to what the controls do.
  • Even as useless as it is, you can't even turn it off.

Proofpoint, at least as deployed by Metrocast, isn't an anti-spam solution.  It's just this sort of ... trollish, passive-aggressive THING ... that sits astride your connection and periodically quarantines inbound mail for no visible or apparent reason whatsoever, won't tell you until the next day, refuses to explain why or even let you check its decision, and offers no way to confirm its actions other than to huffily say "Well, alright then, here, have it, payload and all, but don't say I didn't warn you.  Here I am, brain the size of a planet..."

Tuesday, February 26th, 2008 01:59 pm (UTC)
That seems to be the standard level of service. We have Postini, which is similarly dreadful, having every single one of those same problems, except if you go through the web interface you can eventually inspect messages before delivering them.
Tuesday, February 26th, 2008 02:21 pm (UTC)
so how many extra routes is your mail taking now? and strictly speaking, from a slight privacy point of view, is this a 3rd party service or something your ISP controls? i might be slightly irate if all my mail was filtered through a service that might "value add" my information.

me? i'd switch ISPs if i had the option, and encryption is looking better every day.

Tuesday, February 26th, 2008 02:33 pm (UTC)
It's something Metrocast has on all metrocast.net mailboxes, no opt-out available. (I've already asked; even they can't turn it off on my three metrocast.net mailboxes.) And it only affects mail to the metrocast.net mailboxes, caerllewys.net mail never goes through it at all. Fortunately, I get very little spam on those accounts.

Switching ISPs isn't an option; Metrocast is the only non-dialup ISP in Gilford/Laconia/Belknap. The day FiOS becomes available here, we'll drop Metrocast like a wet dishrag. 20M symmetric for $60? Oh YEAH. I'm in there like swimwear.
Tuesday, February 26th, 2008 03:10 pm (UTC)
(please excuse if this is a really nonintelligent question)

Why does your ISP have to be your mail host? I understand that it would be annoying to pay somewhere else for that service, but yearly rates aren't that bad (I'm thinking of Brother Blaze at www.geekniche.com here). I "POP" to a couple other places in addition to my ISP to retrieve mail, and it isn't excessively onerous.
Tuesday, February 26th, 2008 03:39 pm (UTC)
They don't. And my "canonical" email address is on my own domain (caerllewys.net). It's convenient to point, for example, my LJ mail at an address I read through Thunderbird ... but there's no reason that couldn't be a local account. I've tended to use externally-hosted accounts for most utility and online-shopping type things just out of past paranoia about having important mail coming to a domain that may get blackholed because it's in a netblock owned by an ISP that serves residential customers.

When we've been established here for a while with no problems, I may migrate the three metrocast.net accounts back onsite.
Wednesday, February 27th, 2008 07:33 pm (UTC)
I never understood the proliferation of proprietary anti-spam tools.

SpamAssassin works -really- well when it's set up intelligently, has interfaces to allow individual users to override just about anything (which can be web-exposed), etc.

SpamAssassin + Client-side Bayesian (Thunderbird) has kept me damned near 100% spam-free for years, and I leave my email unobfuscated on the web in all kinds of places.

And it's free.

So why do companies roll out crap like this?
Wednesday, February 27th, 2008 08:06 pm (UTC)
On the seller's side, because if it's open-sourced and GPL, they can't charge typically outrageous enterprise-software rates for it. On the buyer's side, because if you're a drooling corporate executive with a business degree, surely nothing that's free can POSSIBLY be any good, and if it costs ten times as much, well that automatically means it must be ten times better.

Besides, Thunderbird doesn't come with a shiny glossy sales brochure, and the Mozilla Foundation doesn't take you to lunch.

(Non-technical managers should NOT BE FUCKING ALLOWED to make hardware and software decisions.)
Wednesday, February 27th, 2008 08:33 pm (UTC)
Outlook has Bayesian filtering too (most clients do now) but I take your point.

Still, I'm pretty sure a company sells commercialized, supported SpamAssassin. I just hate rampant NIHism.

Wednesday, February 27th, 2008 09:11 pm (UTC)
Yup. Barracuda. Ang is there, and Chris and Tobin are going there.
Wednesday, February 27th, 2008 10:41 pm (UTC)
Heh. I wonder if companies know that when they hire a bitminer, they're getting a package deal.
Wednesday, February 27th, 2008 10:49 pm (UTC)
"But wait! There's more!" :)
Thursday, February 28th, 2008 08:21 am (UTC)
Every single point you make is a configuration choice by Metrocast.

There is a web interface to the quarantine.
Digests can be generated multiple times a day.
The quarantine threshold can be tuned to lower false positives.

I'm a corporate customer of PP and we're very happy with it. Of course it's my job to keep an eye on it and keep it tuned to avoid the issues you point out.

Thursday, February 28th, 2008 11:25 am (UTC)
Digests can be automatically generated multiple times per day? Can it send notifications whenever something is quarantined?

If there's a Web interface to browse the quarantine, Metrocast has either disabled it, hidden it, or simply isn't telling anyone about how to get to it. It would be a stupid thing to do; but I suppose "a cable-TV-carrier-turned-ISP being stupid" is no news.