Jan 12
...is normally a very good toy. I use it extensively with Razor2 and Bayes hooked into it, it catches nearly everything. Today, however, I was suddenly inundated with Viagra spam. Odd, since any such spam usually sets off all sorts of SA alarms. And sure enough, the alarms were there:
X-Spam-Status: No, hits=0.9 required=5.0 tests=BAYES_99,BIZ_TLD,CLICK_BELOW, HABEAS_SWE,HTML_50_60,HTML_LINK_CLICK_HERE,HTML_MESSAGE, MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI
So what gives? I have my BAYES_99 rule cranked way up to 5.4, so that alone should have put it over the 5.0 spam requirement, never mind all the other ones it triggered. The answer is of course that there is a large negative rule in there. In this case it was this HABEAS_SWE thing. The default SpamAssAss scores file has:
score HABEAS_SWE -8.0
score HABEAS_VIOLATOR 16.0
And it turns out that Habeas is some sort of "good spam" company that you can pay to get yourself whitelisted if you really need to spam people. I can see how that could be useful if you have a newsletter or something that people subscribe to and then it can't get through because of filters, but then these Habeas people damn well better be on the ball and triple-check the intentions of everyone and also run a tight ship security-wise. Given the fact that I received at least 20 Viagra spams before I killed that -8 rule, they obviously weren't quite on the ball and I don't particularly appreciate that this rule was in the default SA config to begin with. I haven't tracked down exactly who put that rule in and what sort of compensation changed hands. If someone knows, I'd like to know. I would suggest that you find your local.cf file (mine is in /etc/spamassassin/local.cf) and add:
score HABEAS_SWE 0.0
Making it neutral.
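
The check described above, as an added example that is not part of the original post: it parses an X-Spam-Status header and reports any negative-scored rule that, on its own, kept a message under the spam threshold. The two scores are the ones quoted in the post; the function names are hypothetical, and the `score=` spelling and trailing `autolearn=` field of newer SpamAssassin headers are handled as an extension.

```python
import re

# Scores quoted in the post: the stock HABEAS_SWE value and the author's
# locally raised BAYES_99 value. Rules not listed are treated as unknown (0).
KNOWN_SCORES = {"HABEAS_SWE": -8.0, "BAYES_99": 5.4}

# The header exactly as quoted in the post.
SAMPLE = ("X-Spam-Status: No, hits=0.9 required=5.0 tests=BAYES_99,BIZ_TLD,"
          "CLICK_BELOW, HABEAS_SWE,HTML_50_60,HTML_LINK_CLICK_HERE,"
          "HTML_MESSAGE, MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI")

STATUS_RE = re.compile(
    r"X-Spam-Status:\s*(?P<verdict>Yes|No),\s*"
    r"(?:hits|score)=(?P<hits>-?\d+(?:\.\d+)?)\s+"
    r"required=(?P<required>-?\d+(?:\.\d+)?)\s+"
    r"tests=(?P<tests>.*?)(?=\s+\w+=|$)",   # stop at the next key=value field
    re.IGNORECASE | re.DOTALL)              # DOTALL: header may be folded


def parse_spam_status(header):
    """Split an X-Spam-Status header into verdict, totals and rule names."""
    m = STATUS_RE.search(header)
    if m is None:
        raise ValueError("no X-Spam-Status header found")
    tests = [t.strip() for t in m.group("tests").split(",") if t.strip()]
    return {"spam": m.group("verdict").lower() == "yes",
            "hits": float(m.group("hits")),
            "required": float(m.group("required")),
            "tests": tests}


def verdict_flipping_rules(header, scores=KNOWN_SCORES):
    """List (rule, score, hits_without_rule) for every negative rule whose
    removal alone would put a passed message at or over the threshold."""
    status = parse_spam_status(header)
    if status["spam"]:
        return []
    flips = []
    for rule in status["tests"]:
        score = scores.get(rule, 0.0)
        without = round(status["hits"] - score, 3)
        if score < 0 and without >= status["required"]:
            flips.append((rule, score, without))
    return flips


if __name__ == "__main__":
    for rule, score, without in verdict_flipping_rules(SAMPLE):
        print(f"{rule} ({score}) hid a message that scores {without} without it")
```

Run over a mail spool, the same function shows how many delivered messages owe their "No" verdict to a single whitelist-style rule.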

Posted by Rasmus


Last modified on 2004-07-30 18:27


1 Trackbacks

  1. FLAG BLOG

    And where would we be if they did?
    What if AOL Yahoo and Microsoft allowed us to add to the web-based mail headers? Don't think so. The folks at Habeas who are supposed to be "good spam" want those three, that

4 Comments

  1. George Schlossnagle says:

    Most likely this person is not whitelisted by Habeas. In theory (and to my knowledge, in practice as well), they have a good track record of affiliating themselves with reputable folks. Or at least more reputable than the trash you said you were getting.

    You should send the message w/headers to Habeas. They have successfully prosecuted people in the past for misusing their marks. Habeas is generally considered to be one of the good guys in the War on Spam.

  2. Jeremy Zawodny says:

    It was a faked Habeas signature. This has been discussed on the SA lists recently. I'm tempted to also remove or neutralize that rule in my SA setup too.

  3. George Schlossnagle says:

    The whole point of the Habeas signatures is that they can't be faked. They are copyrighted works, so inclusion is copyright infringement, and the abuser can (and has been) sued.

    Not that neutralizing the rule isn't a good idea, just info on how Habeas is designed to work.

  4. Jeremy Zawodny says:

    I don't think that most spammers really care. I suspect the rate of successful lawsuits is pretty low--but I haven't really looked.

  5. Rasmus Lerdorf says:

    If the threat of a lawsuit is the only deterrent here, then I am even more amazed that this rule is in the default SA config. Assuming first that we can even identify a spammer, how many spammers operating out of Russia or China do you think we would be able to prosecute?

  6. Fred says:

    Yep, I'm sure the threat of a copyright lawsuit hardly gives spammers a second thought. It'd likely require considerable effort to even track down their identities, then there's the time and expense of a lawsuit.

  7. James Manning says:

    FWIW, when I reported a few of them on their web site, their auto-response says they're under a particular attacker from a spammer they're still trying to track down *shrug* Here's the paste I did into IRC earlier:

    09:43 [ Flav] Habeas has recently come under attack from an as yet unidentified
    09:43 [ Flav] spammer. The spammer is illegally utilizing the Habeas Warrant Mark in
    09:43 [ Flav] emails which are promoting several pharmacy websites. The attack began
    09:43 [ Flav] on Sunday January 11, 2004 at about 11am PT.

  8. Jason Wong says:

    The same thing happened to me. I set HABEAS_SWE to zero as well.

    I have never received real email with the habeas headers, and lots of spam with them.

    I think if Habeas wants to have a successful business, they should change to operating a paid whitelist that could be queried by DNS, or some kind of RSA signature that can't be faked.

    As it stands, it is so trivial to fake the headers that the system is useless.

  9. Kermit Tensmeyer says:

    Somebody is using Habeas's copyrighted material to send spam vis-a-vis The Register http://www.theregister.co.uk/content/55/34969.html

    It seems that whatever method we use to identify spam can be worked around. It would seem that some of us are in fact the enemy who spams. Is there some way to identify who has facilitated spammers' ability to avoid detection?

  10. Justin says:

    Yup - had a flood of those Habeas emails as well about a week or two ago. I also ramped the Habeas score in SA up to 0.0 and that killed this stone dead. I know of nobody who actually uses Habeas to email me, so I'm not bothered by it.

  11. frp says:

    I got exactly the same problem, only spam with Habeas are received, it is really mandatory to remove the negative score, or maybe to make it positive instead...

  12. Mikhail Entaltsev says:

    Habeas Responds to Spammer Violation of Habeas Warrant Mark.

    PALO ALTO, CA - January 12, 2004 - Habeas, the leading provider of emailer reputation services, has recently come under attack from an as yet unidentified spammer. The spammer is illegally utilizing the Habeas Warrant Mark in emails which are promoting websites such as pharmawharehouse.biz, pharmacourt.biz and valuepointmeds.biz which are sites promoting or selling prescription drugs. The attack began on Sunday January 11, 2004 at about 11am PT.

    More details: http://www.habeas.com/companyPressPR.html#violation

  13. Chris says:

    I had never received an email with the word 'habeas' in it until Monday 8th March, but since then I've received 8 of them.

    It turned out that I didn't have Net::DNS installed, and so SpamAssassin was unable to check with Habeas whether the warrant mark was invalid. I've since installed Net::DNS (just run "perl -MCPAN -e shell" and type "install Net::DNS" at the cpan> prompt) and re-checked the spam it previously missed, and now 2 of the 8 spams are caught. It has made SpamAssassin a lot slower, as it now connects to a bunch of sites.
