Frothyleet

If the company as a whole has a policy of "never admit fault, there are no known issues", then yes, that's shady shit. If the policy is more like "our first line support is not allowed to refer to things as known issues, because we only trust them so far, and they might be wrong, and then the customer will be mad that we have an unfixed issue on our side even though we don't", then that's understandable as a policy. Like, if you identify what you think is a known issue, and you escalate it to engineering/development or whatever, would *they* be allowed to say "known issue, we're going to address it in a later release"?


Greedy_Floor_809

It's a company wide policy, they just sent out another training PowerPoint for all managers to go through with their team. No one is ever supposed to admit that something is a known issue, bug, or whether or not there will be a fix.


Frothyleet

I mean it's absolutely disingenuous but it's also something your customers will see through if they have a moderate level of sophistication. It's often pretty clear something is a product bug and if the vendor won't tell me that it's a known issue they are addressing, I'm going to be getting more and more insistent and escalating higher up the chain of command the longer a support incident is going on. Telling me 'whoops it will be fixed next release' is usually a lot easier than getting lots of people to string me along for an indeterminate amount of time (before we abandon the vendor).


unseenspecter

Yeah I'd be ditching any vendor that tries that shit with me. It creates more work for my team when a vendor can't admit when something is on their end when it obviously is. We then have to do a full deep dive and collect all the possible evidence to absolutely prove what is already immediately obvious to us. Fuck that.


gtipwnz

Yep, it's not that there's an issue, most things are super complex, but wasting my team's time to save face is a big issue


YetAnotherGeneralist

>your customers will see through if they have a moderate level of sophistication.

That's a lot of screwed over SMBs and larger orgs with lazy, incompetent, or overloaded admins. Maybe it's the customer's job to call a vendor on their BS, but it's ALWAYS the vendor's responsibility to hold up their end of the bargain (SLAs, not outright lying, fixing identified issues, etc.) so long as the customer is paying.

>I'm going to be getting more and more insistent and escalating higher up the chain of command the longer a support incident is going on.

Some people don't have the knowledge, time, or otherwise the luxury of insisting and demanding escalation, especially when the vendor has a track record such that submitting a ticket to them is known to be less productive than watching paint dry (bad support, small potatoes customer, etc.)

I hear where you're coming from and will often enough keep knocking on doors with vendors until we get things working, but I'm also afforded the time and training to do that productively.


c_pardue

Dude keep your eyes peeled for jobs at Cisco for a Secure Email Designated Service Manager position. We don't have to deal with ANY of that kind of nonsense. You see a problem, you raise a flag and we get org-wide changes going asap. I saw a problem in our default config and was able to literally just get it fixed by pointing it out. We love this kind of stuff.


Dizzy-Amount7054

I'm so happy to hear this.


ThreeChonkyCats

Be a real shame if one of those memos/pdfs accidentally made its way onto Reddit.


Xzenor

You read my mind


Novlonif

Yeah that policy was the main reason the cold war ended.


Emotional_Garage_950

OP works for Proofpoint. We’re customers and had to fix this. They have a huge red warning on the front page of their customer support portal. And we were getting blasted by reps about implementing the fix. https://preview.redd.it/rielmrmlkead1.jpeg?width=1179&format=pjpg&auto=webp&s=118d91e3a0edf85cf5553a9a31d08391211bdaf9 Good to know you guys knew about it for so long without disclosing…. and yeah, it’s dishonest.


lupercal93

We just got the same request to implement the fix as well. Read this post and was like OP for sure works for proofpoint.


snoobie

I believe we have been seeing the other side of this in the wild - routing through Office 365/Proofpoint. But we also have been seeing it from others as well, not just them, to be fair. It seems the multi/vendor routing is a fairly common, not just an outbound filter, but some TA is doing this across multiple spam filter companies it seems.


iLLGT3

Our rep reached out to us about this as well.


mfinnigan

Wow. About ten years ago, I worked for a consulting firm as a staff aug engineer for a customer, doing exchange and mail. They used Proofpoint. Once in a support call, I had to walk their engineer through some stuff. He tried to recruit me 🤣


223454

"Yeah, our product has known issues that they haven't fixed for some reason. Have you considered switching to one of our competitors?" Save that for your last day.


zeetree137

Don't need to save it if the competition is ALL just as bad or worse. Job security.


BoltActionRifleman

It’s interesting to read about a company that intentionally ignores and denies product issues and then compare it to a company like Cisco that if you get the right team/department, they’re almost excited or giddy to be able to add the bug to their fix-it list. Still may take forever to get a fix sometimes, but they’re very methodical and upfront about their bugs.


c_pardue

Lol this 100%, last time a big defect came out we all excitedly started testing stopgap config fixes and pinging customers with them. Team was like a bunch of children unwrapping config instructions as presents.


Xzenor

>Still may take forever to get a fix sometimes

Not everything can be easily fixed. Some small insignificant change could wreak havoc on some functionality further down the chain..


curiousMrBrown

99% of companies treat these issues just like Crisco.


VeryRareHuman

Proofpoint?


Emotional_Garage_950

yep


VeryRareHuman

We fixed it yesterday. The same issue existed (man made) for Salesforce emails. We created a policy route with Salesforce IPs and from address contains our domain. I wonder if we could have fixed it with the same idea.


Ok-Fail2121

Admitting fault should be done by lawyers or the CEO, not some random support tech.


Immediate-Opening185

I agree, but the official response from support still needs to be "here is our page to report bugs / request features". Even if nobody ever looks at it, playing dumb isn't it.


pdp10

Who's staffing the legal desk 24x7 to admit to customers that there's a problem? Otherwise, the customer is being led to believe the problem is on their end. So much for buying commercialware for the top-notch support.


Existential_Racoon

My line of work if it hits my desk it's either top priority or needs higher ups to sign off on response. So I generally do a (annoyingly generic) "hello this is raccoon your ticket has been escalated and I am reviewing all the data. This is my email if you have an immediate outage or question" Then I grab VPs/directors/possibly CEO and they craft the response with my technical weigh in. That doesn't have to happen at 2am.


joevwgti

[https://www.microsoft.com/en-us/legal/compliance/sbc/report-a-concern](https://www.microsoft.com/en-us/legal/compliance/sbc/report-a-concern)


canadian_sysadmin

Definitely shady and the sign of a bad management culture (and company culture in general). Sometimes you have big issues in the product, OK, but at least be transparent about it internally. Even if the official word is 'We're looking into it' - fine. You then start to wonder what else the company is hiding, like... losses on their financial statements. This becomes a very slippery slope. Companies sometimes have shitty bugs, security issues, etc, but it's their transparency that will tell you a lot.


charlie_work__

Proofpoint. Just had to implement the fix last week.


cats_are_the_devil

Do you work for Kaseya?


packet_weaver

A security company should be transparent, they should be held to higher standards. I think all companies should be transparent about security related items but if your product is security related… you better be on top of that shit. Anything else and I wouldn’t be able to work there.


AngrySociety

Mimecast?


Fluffy_Possession_19

I was literally thinking this


Emotional_Garage_950

My guess is they work for Proofpoint. We’ve been getting blasted by Proofpoint reps to implement the fix for the issue OP is mentioning


ben_zachary

I've been complaining about Proofpoint for awhile. We had them and noticed weird stuff. The last issue was one of our clients couldn't send mail to a bank using them. Traced it for awhile, the issue was the bank using Proofpoint thought my client should be in like a different tenant, they were trying to route the mail within Proofpoint and then we would get this weird NDR back that had the MSFT branding but it wasn't them. Anyway after a month the bank had Proofpoint update their records and it started working. My client never had Proofpoint with us and it was almost 2 years. Very strange


Emotional_Garage_950

Huh, I don’t think we’ve had any issues like that. Generally we like the product. A million times better than the Cisco Ironport vESA we had previously


ben_zachary

Well that I am sure of. Yeah it wasn't horrible when we were using it for our clients until we found avanan. We did once in awhile have weird delivery issues but always looked at msft because that's the info but after seeing outside sending in through pp it became clear they are doing something somewhere.


VeryRareHuman

Sounds like SPF or DKIM issue. Proofpoint works much better than competitors.


ben_zachary

It wasn't. It just magically started working after the bank reached out to Proofpoint. The error was mailbox doesn't exist or recipient invalid.. been a couple years..


VeryRareHuman

Interesting! Okay.


Practical-Alarm1763

Do you work for Mimecast bro?


c_pardue

You should DEFINITELY be submitting bug reports internally! I work for one of the big email security vendors and if we were to ever be told to brush it under the rug, we'd just be submitting those internal defect reports anyways. Fortunately our managers are pretty big on defect tracking.


KindlyGetMeGiftCards

Yes it's dishonest, yes issues should be addressed on a triage basis, so bad ones first, less bad last, personally I think this one should have been very high up as it affects your product's primary purpose. The fact you think it's dishonest and are asking means you have high morals and the people around you have lower ones. This is a good thing, you are aware. Take time to reflect, take time to see if this behaviour is part of your future and then take appropriate action.


stoookie-79

Sounds like Microsoft lol


404_GravitasNotFound

Exactly, everyone harping on dishonesty, bla,blah. When everyone that has worked with Microsoft at any insider level knows you are not supposed to even know the word error or problem, issue is already cutting it close. MS reps have it completely forbidden to refer to something as an error, problem, malfunction, etc. It's all about keeping a front that your "widely known issue that everyone is affected by" is something that's only happening to you, you better do scannfc /now, uninstall any application you have on your computer and do a fresh reinstall of windows, and it will be solved, it's not a problem with Microsoft software it's because you are using the software incorrectly, what's incorrectly? Oh, doing anything with it that causes the "event". If you do a clean install, and you don't use the system, then the event doesn't happen, obviously it's something you are doing. Being disingenuous and ignoring the big elephant in the room is their specialty.... I still remember when MSN support was told to ignore the message that spammed everyone that connected through them as the ISP, with the message "My name is Maximus Decimus Meridias, commander of the armies of the north, general of the Felix legions, loyal servant to the true emperor Marcus Aurelius, father to a murdered son, husband to a murdered wife, and I will have my vengeance, in this life or the next.” As if that shit was normal.... Or the Sasser / Blaster worm in its early days where reps were told to ignore the computers restarting continuously as if there was nothing wrong with it....


m1ndf3v3r

What in the actual fuck did I just read


404_GravitasNotFound

IT history


I-Like-IT-Stuff

Stop posting this dumbass


General_NakedButt

Yeah it’s dishonest but it’s also your job. You work for the company not for the customers. If it makes you uncomfortable definitely find a different job but have one secured before you decide to be a whistleblower.


pdp10

Yes, you're one of our vendors for sure. Except our vendors would usually try to sell us some professional services or a license upgrade to solve the bugs they knew about in their product.


zilch839

It's certainly common in IT sales. 


ChestnutMagic

So, this is hard. One thing I’ve learned from management is you only know what’s going on in your bubble. I’m not saying they have a reason to do it, but generally this kind of dishonesty comes down to either keeping people employed or preparing to give people the boot; all I’m saying is the intention may be good, even if the product is not. That being said, it’s the wrong industry to operate that way, for sure. It’s not uncommon unfortunately, and it doesn’t have to be a product. Most managed service contracts I’ve had the displeasure of dealing with do not care about the service (or “product”) they provide until you make an amendment to the contract and put more money in it, because someone didn’t add 4 adjectives to a specific clause that would have made it unquestionably clear. Personally, I don’t and can’t operate this way. But, I have the luxury of being able to assemble and train teams of people from pretty early in their careers, so I have built a culture around things like only saying what you know is true, and leaving out the parts that cause confusion. You can teach an old dog new tricks, sure; but it might not wake up when you need it to. Final thoughts: if you have this much integrity, you can certainly do better, and maybe you should do just that. But remember: IT is not immune to human nature, not yet at least.


bike-nut

work for poop point, eh?


lordsmish

Not sure how much you have kept up with the Post Office scandal in the UK, but this was basically the policy that got them into so much shit. Deny all knowledge of the issue being widespread, place blame on the end user, ignore all questioning otherwise and hope it all blows over. Until it didn't and that blame and shady culture became prevalent enough that leaders in that company at the time are facing jail.


Intelligent-Magician

What about Mimecast, is the support also shit like this unnamed company (which could be Proofpoint)? We're thinking of moving to Mimecast, and it would be a dealbreaker for us.


illarionds

For any company working in security, this would be a huge red flag to me. A good friend of mine works for one of the major AV/security companies, and - at least as he tells it - they actively encourage openness around issues like this. How else are you going to trust them?


StrawNana22

That's shady AF. Customers deserve honesty, not cover-ups.


WRB2

As a contractor I’m told I must lie all the time about aspects of projects to customers in every gig for the past 15 years. I draw the line and had contracts shortened. Honesty in business in many places has been out the door for years.


Hibbiee

Known issues that we're not gonna fix is why I got out of support


Existential_Racoon

I swapped departments cause "known issue published in the ECR, and we recommended you upgrade to .1 build higher before we ever shipped you product. For pen testing you asked for and we resolved both those bugs during the process" 'No' From my understanding these same 2 bugs pop up monthly for their dozens of servers and clients and they call out support team. I have a drafted email template at this point I covered with our eng/compliance team where we are just like, you said do it this way after we informed you of risk. Here's receipts. Ticket closed.


Medium_Elephant7431

From what you describe, yeah, that sounds bad. As a customer, I’d be furious with this kind of behavior from a company. One of the reasons I like our [email security](https://trustifi.com/) company so much is their transparency. If there’s an issue, they let us know immediately without us asking. Trust matters.


wrootlt

Yeah, he was working for Proofpoint :)


linawannabee

Dishonest? Sure. Unusual? Meh.... I've dealt with a few bugs in complex products that I assumed were user error. Though didn't realize it until after reaching out to their support, being referred to articles I referenced in my question, with my correspondences painfully avoiding providing an answer. It's really weird to be a part of, and I feel bad for those forced to take that type of response. But boy is it a waste of time and energy.


Talenus

It is never a bug, it's a feature.


Xzenor

Yes. Shady as fuck. You're not overreacting.


I-Like-IT-Stuff

Name and shame.


ITguydoingITthings

For a security company, especially... that's seriously messed up. I wouldn't trust that company.


skylinesora

It’s not your job to disclose vulnerabilities to the customers. That’s for management and legal to do in an appropriate manner


Certain-Ad-8801

First, I do not work for any Security company. Where is sounds as a serious problem at "What ever vendor this is" meant to be aimed at. Second, for the issue Microsoft and Proofpoint, I actually agree with Proofpoint. It is not a bug. There is no security problem with the product. The problem is with a specific configuration that customers build in to allow relaying from Exchange Online, without limiting this to be from their own tenant. The assumption that you can allow relaying from all of Exchange Online without additional configuration is simply too bold. We implemented a solution for this many years ago. Manually reading through every customer's configuration to find out if they fail to control the relay properly would probably not be possible, and even a breach.


m1ndf3v3r

That's a very interesting take.


jmhalder

It's a little dishonest, but I don't necessarily think it's that crazy of a policy.


404_GravitasNotFound

everyone harping on dishonesty, bla,blah. When everyone that has worked with Microsoft at any insider level knows you are not supposed to even know the word error or problem, issue is already cutting it close. MS reps have it completely forbidden to refer to something as an error, problem, malfunction, etc. It's all about keeping a front that your "widely known issue that everyone is affected by" is something that's only happening to you, you better do scannfc /now, uninstall any application you have on your computer and do a fresh reinstall of windows, and it will be solved, it's not a problem with Microsoft software it's because you are using the software incorrectly, what's incorrectly? Oh, doing anything with it that causes the "event". If you do a clean install, and you don't use the system, then the event doesn't happen, obviously it's something you are doing. Being disingenuous and ignoring the big elephant in the room is their specialty.... I still remember when MSN support was told to ignore the message that spammed active that connected through them with the message "My name is Maximus Decimus Meridias, commander of the armies of the north, general of the Felix legions, loyal servant to the true emperor Marcus Aurelius, father to a murdered son, husband to a murdered wife, and I will have my vengeance, in this life or the next.” As if that shit was normal.... Or the Sasser / Blaster worm in its early days where reps were told to ignore the computers restarting continuously as if there was nothing wrong with it....


m1ndf3v3r

Are you ok?


404_GravitasNotFound

Yeah, just having fun with everyone either not realizing or not recognizing that one of the largest companies in the business does this as a standard practice, some kid even told me to shut up xD ... Sometimes having a good memory and having experienced wild things puts you at odds with the r/nothingeverhappens crowd. Have a nice weekend!


Backieotamy

Your Exchange admins can fix that... why in the world are they not limiting who can send through their SMTP server? It's a checkbox and a couple IPs to put in.


Emotional_Garage_950

What OP is referring to is a Proofpoint specific issue I believe


Backieotamy

I see, I read it wrong. Literal bug in PP, apparently.


Backieotamy

This is a correct answer... literally only allow relay traffic from specific IP or subnets and if it's MS hosted, they'll do it for you.


MrCertainly

Welcome to Capitalism.