Security Notice

Response to CVE-2019-20634

Advisory ID: PFPT-SN-2020-0001


On 3/30/2020 NIST published CVE-2019-20634 stating that:
"By collecting scores from Proofpoint email headers, it is possible to build a copy-cat Machine Learning Classification model and extract insights from this model. The insights gathered allow an attacker to craft emails that receive preferable scores, with a goal of delivering malicious emails."

The following document describes Proofpoint’s response to this publication, including critical clarifications, impact to customers, and mitigations customers can implement.

The specific detection engine cited in the research (MLX) is a spam detection engine that is commonly used in conjunction with Proofpoint’s Stateful Composite Scoring Service (SCSS) as part of Proofpoint Email Protection. The newer SCSS engine updates its scoring model in real-time and uniquely per recipient, and thus is not susceptible to the batch reverse-engineering technique described in the research. Proofpoint Targeted Attack Protection (TAP) is not impacted, nor are any other Proofpoint products. It is also important to note that the MLX scoring engine and scores modeled by this research are only used for spam detection, and are not used for detection or blocking of viruses or malware. Additionally, the “mlxlogscore” score which was modeled is an interim score in the MLX engine and is not used directly in the product for spam blocking.

To obtain favorable spam scores this tactic assumes the following:

Assumption Key Details
No active updating of spam rules by Proofpoint Proofpoint updates spam rules every 5 minutes
Allow for bounce messages to be created by (non-Proofpoint) downstream systems for invalid message recipients Best practice configurations recommend to configure the Recipient Verification feature of the Proofpoint Email Protection product to prevent this from occurring.
Are using the MLX engine as the only form of spam detection Proofpoint takes an ensembled detection approach to protect customers. The vast majority of Proofpoint customers leverage the real-time SCSS engine in addition for spam detection.

Revised CVSS Score

Base Score: 3.7 (Low)
Temporal Score: 3.5 (Low)
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:T/RC:C

Affected versions / products

All Proofpoint Email Protection versions are impacted. Targeted Attack Protection (TAP) is not impacted.

Recommended mitigations

Ensure you have a recent health check to ensure optimal system performance. If you have concerns or questions on the following recommendations, please contact your Proofpoint representative to obtain a free health check of current configured products.

Recommended: Configure Recipient Verification

As noted above, properly configured Recipient Verification will ensure that messages to invalid recipients are not delivered to downstream mail servers and will not generate “bounce” messages with X-Proofpoint-Spam-Details headers. The following articles describe how to configure this feature, and Proofpoint Support and/or Professional Services can assist in configuration if desired.

Optional: Modify Spam Policies to not add X-Proofpoint-Spam-Details headers

Customers may also modify spam policies to not add the X-Proofpoint-Spam-Details header to any message. This header is predominantly used by customers for visibility into scoring results in downstream services, and removing it has no impact on product effectiveness or core functionality.