Wednesday, April 21, 2021

If You’re Going to Get SASE Then We Can’t Be Trusted

Don’t take it personally. I trust you with everything but the network, internet, computer, phone, web browser, anything you can put in a USB jack except epoxy (USB lava lamps excepted), or anything else required to do your job. Those of you in the know are asking why it took 40 words to say zero trust. Simple, it was all a setup for the lava lamps.

SASE wasn’t a typo; I didn’t mean sassy. SASE stands for secure access service edge. SASE is a security model designed to address cloud security. The zero trust model is just one component of SASE. As I explain SASE, I will devote a blog to each of the concepts that make up a SASE model. In my most recent blog at SecureIQLab I talk about zero trust. As I point out in the blog, zero trust means “trust but verify.”

Don’t trust that the blog actually exists; verify it for yourself!

Randy Abrams

The SPAMfighter Security Threat

While looking for a company or researcher who might want my spam samples to help train their AI systems, I stumbled across a product called SPAMfighter. I’m going to assume that the people behind SPAMfighter are not evil, just dangerously unqualified to touch anything related to security.

So, what’s wrong with SPAMfighter? SPAMfighter uses crowdsourcing and an untrained AI system to identify spam. Once a user flags an email as spam, all of the customers are protected... or are they? I mean, what could possibly go wrong? Here’s what.

If an email is incorrectly flagged as spam by a customer, there’s no undo. There is no mechanism to report false positives. The email address is forever blocked and the account owner doesn’t know that their email is being flagged as spam. Note, blocked is SPAMfighter’s terminology for sending email to the spam folder.

Let me describe a scenario. You and I have a falling out. I have email from you from the good old days when you still bought me beer. I dig up one of your emails, right-click and choose “Block.” Tada! Your email is blocked for all of SPAMfighter’s customers. The odds are that I’m the only person you know who uses SPAMfighter until after this blog is posted, so it’s not a big deal for you. But it can be seriously harmful to SPAMfighter’s user base. And that’s not one of the more interesting scenarios.

Let’s say I’m mad at my bank… yeah, you see where this is going. Don’t worry, evidently somebody else was mad at my bank… SPAMfighter blocked my bank’s email. Here’s just one of the problems that it creates. I, and many other people, get an email if there is an online credit card transaction. Obviously, time is of the essence if the charge was fraudulent, but most people won’t check their spam folder for quite a while unless they are expecting an email that hasn’t shown up.

It does get better. Let’s say I’m mad at a massage spa chain (I won’t say which one). I get an email from them and I select block to get them classified as spam. Since the spas are franchised, they each have their own unique domain name. Whew, at least the rest of the franchises won’t become acceptable collateral damage. Well, you’d think not, but as it happens the spa chain’s emails don’t come from the franchises or from headquarters. Here’s what would happen if I flagged their email. Like 12,000+ other businesses in over 50 countries, the spa uses an industry-specific service from Zenoti. The promotional emails are sent from a zenoti.com email address. Yep, one or two clicks, and 12,000+ other businesses are negatively impacted or potentially in harm’s way. This is truly as simple as attack tools get.

Shall we talk about the emails from .gov domains? Yep, .gov, bankofamerica.com, aarp.org, xfinity.com, linkedin.com, twitter.com, newyorker.com, nytimes.com, officedepot.com, costco.com, homedepot.com, wordpress.com, gmail.com, amazon.com, uhc.com (healthcare), trinet.com (healthcare), virusbulletin.com, aavar.org, lastpass.com, eset.com, eccouncil.org, google.com, and some closed security lists that I am not at liberty to divulge. Note that google.com is not the same as gmail.com. Google sends very important security-related emails from the google.com domain.

SPAMfighter claims to use AI in addition to their dangerously reckless crowdsourcing model. Some of the domains blocked were definitely from their “AI” implementation. False positives are very common when training AI systems, and sometimes whitelisting is in order to compensate for dangerous system deficiencies. Unfortunately, SPAMfighter appears to have no intent to remediate the serious security flaws in their system. I have offered on multiple occasions to create a large whitelist for them. There has never been a reply to my emails.
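To make the design failure concrete, here is an added toy model (my own example, not SPAMfighter’s or Zenoti’s code) that replays the scenarios above against two blocklist designs: the one the post describes, where a single customer’s “Block” click hides a sender address from every customer with no undo, and a hypothetical hardened design that keeps a lone report personal to the reporter, requires several independent reporters before a global block, honours an allowlist for shared sending infrastructure, and lets false-positive reports reverse a block. The sender addresses, reporter names, the threshold of 3 and the allowlist contents are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Email:
    """Minimal stand-in for a message; only the sender matters for this model."""
    sender: str
    subject: str = ""

    @property
    def sender_domain(self) -> str:
        return self.sender.rsplit("@", 1)[-1].lower()


class NaiveBlocklist:
    """Design the post describes: any one customer's report blocks the sender
    address for every customer, and there is no false-positive path."""

    def __init__(self) -> None:
        self.blocked: set[str] = set()

    def report_spam(self, reporter: str, email: Email) -> None:
        self.blocked.add(email.sender.lower())

    def is_blocked(self, email: Email, viewer: str) -> bool:
        # The viewer is irrelevant: one report affects everyone.
        return email.sender.lower() in self.blocked


class MitigatedBlocklist:
    """Hypothetical hardened design (an assumption, not any vendor's code):
    a single report affects only the reporter; a global block needs
    `threshold` distinct reporters net of false-positive reports; and
    allowlisted shared-infrastructure domains are never crowd-blocked."""

    def __init__(self, threshold: int = 3, allowlist: tuple[str, ...] = ()) -> None:
        self.threshold = threshold
        self.allowlist = {d.lower() for d in allowlist}
        self.spam_reports: dict[str, set[str]] = defaultdict(set)  # sender -> reporters
        self.fp_reports: dict[str, set[str]] = defaultdict(set)    # sender -> reporters

    def report_spam(self, reporter: str, email: Email) -> None:
        self.spam_reports[email.sender.lower()].add(reporter)

    def report_false_positive(self, reporter: str, email: Email) -> None:
        sender = email.sender.lower()
        self.fp_reports[sender].add(reporter)
        self.spam_reports[sender].discard(reporter)  # undo the reporter's own report

    def is_blocked(self, email: Email, viewer: str) -> bool:
        sender = email.sender.lower()
        if viewer in self.spam_reports[sender]:
            return True   # a personal block is always honoured for the reporter
        if email.sender_domain in self.allowlist:
            return False  # shared sending domain: the crowd cannot block it globally
        net = len(self.spam_reports[sender]) - len(self.fp_reports[sender])
        return net >= self.threshold


# Constructed sample senders: a shared platform address and an ordinary one.
SHARED_SENDER = Email("promo@zenoti.com", "Spring specials")
OTHER_SENDER = Email("deals@example.net", "Win a prize")


def run_scenarios() -> dict[str, bool]:
    """Replay the post's scenarios against both designs; returns outcome flags."""
    results: dict[str, bool] = {}

    naive = NaiveBlocklist()
    naive.report_spam("grudge_holder", SHARED_SENDER)
    # One click, and every other customer loses mail from the shared address.
    results["naive_collateral"] = naive.is_blocked(SHARED_SENDER, "other_customer")

    hardened = MitigatedBlocklist(threshold=3, allowlist=("zenoti.com", "google.com"))
    hardened.report_spam("grudge_holder", SHARED_SENDER)
    results["hardened_reporter_sees_block"] = hardened.is_blocked(SHARED_SENDER, "grudge_holder")
    results["hardened_collateral"] = hardened.is_blocked(SHARED_SENDER, "other_customer")

    # Even three independent reporters cannot globally block an allowlisted domain.
    for reporter in ("a", "b", "c"):
        hardened.report_spam(reporter, SHARED_SENDER)
    results["hardened_allowlisted_global"] = hardened.is_blocked(SHARED_SENDER, "other_customer")

    # A non-allowlisted sender is blocked globally once the threshold is reached...
    for reporter in ("a", "b", "c"):
        hardened.report_spam(reporter, OTHER_SENDER)
    results["hardened_threshold_global"] = hardened.is_blocked(OTHER_SENDER, "other_customer")
    # ...and one false-positive report pulls it back under the threshold.
    hardened.report_false_positive("a", OTHER_SENDER)
    results["hardened_after_fp"] = hardened.is_blocked(OTHER_SENDER, "other_customer")
    return results


if __name__ == "__main__":
    for name, blocked in run_scenarios().items():
        print(f"{name}: {'blocked' if blocked else 'delivered'}")
```

The threshold and allowlist are only the two cheapest mitigations; a real system would also key reputation on authenticated sender identity (DKIM/SPF-aligned domain) rather than the bare From address, and would rate-limit how many distinct senders one account may report, so that a single grudge or a single compromised account cannot do the damage the post describes.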

Typically, I would not ask security companies to take action against a vendor for designing a product that the Oxford Dictionary uses as the definition of “gross incompetence,” but in this case the product can cause serious financial harm, create a threat to their customers’ health, and block security-related information, and they have no interest in fixing their problems. This includes the inability to have mis-detections remedied and a lack of commitment to remedy their dangerous system.

It should be noted that Twitter has suspended the SPAMfighter account.

It is due to these reasons, and the fact that SPAMfighter, like SubSeven, is a powerful attack tool that is far too easily abused to bring harm to millions of users, that I call upon the antimalware industry to detect SPAMfighter and SPAMfighter Pro as potentially dangerous or potentially unwanted applications.

Incidentally, if any of you, or someone you know wants my growing spam collection to improve anti-spam applications and research, just let me know. I will not publish comments concerning suggested contacts without explicit permission.

Randy Abrams
Opinions are my own, facts are facts.