Spamassassin

Monday, January 12. 2004

Posted by Rasmus in Software at 03:47 | Comments (4) | Trackback (1)

...is normally a very good toy. I use it extensively with Razor2 and Bayes hooked into it, it catches nearly everything. Today, however, I was suddenly inundated with Viagra spam. Odd, since any such spam usually sets off all sorts of SA alarms. And sure enough, the alarms were there:

X-Spam-Status: No, hits=0.9 required=5.0 tests=BAYES_99,BIZ_TLD,CLICK_BELOW, HABEAS_SWE,HTML_50_60,HTML_LINK_CLICK_HERE,HTML_MESSAGE, MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI

So what gives? I have my BAYES_99 rule cranked way up to 5.4, so that alone should have put it over the 5.0 spam requirement, never mind all the other ones it triggered. The answer is of course that there is a large negative rule in there. In this case it was this HABEAS_SWE thing. The default SpamAssAss scores file has:

score HABEAS_SWE -8.0 score HABEAS_VIOLATOR 16.0

And it turns out that Habeas is some sort of "good spam" company that you can pay to get yourself whitelisted if you really need to spam people. I can see how that could be useful if you have a newsletter or something that people subscribe to and then it can't get through because of filters, but then these Habeas people damn well better be on the ball and triple-check the intentions of everyone and also run a tight ship security-wise. Given the fact that I received at least 20 Viagra spams before I killed that -8 rule, they obviously weren't quite on the ball and I don't particularly appreciate that this rule was in the default SA config to begin with. I haven't tracked down exactly who put that rule in and what sort of compensation changed hands. If someone knows, I'd like to know. I would suggest that you find your local.cf file. Mine is in /etc/spamassassin/local.cf and add:

score HABEAS_SWE 0.0

Making it neutral.

Last modified on 2004-07-30 18:27

View as PDF: This entry | This month | Full blog

Trackbacks

Trackback specific URI for this entry

And where would we be if they did?
What if AOL Yahoo and Microsoft allowed us to add to the web-based mail headers? Don't think so.The folks at Habeus who are supposed to be ?? good spam ?? want those three, that

Weblog: FLAG BLOG
Tracked: Jan 12, 16:40

Comments

Display comments as (Linear | Threaded)

Most likely this person is not whitelisted by Habeas. In theory (and to my knowledge, in practice as well), they have a good track record of affiliating themselves with reputable folks. Or at least more reputable than the trash you said you were getting.

You should send the message w/headers to Habeas. They have successfully prosecuted people in the past for misuing their marks. Habeas is generally considered to be one of the good guys in the War on Spam.

#1 George Schlossnagle on 2004-01-12 07:04 (Reply)

It was a faked Habeas signature. This has been discussed on the SA lists recently. I'm tempted to also remove or neutralize that rule in my SA setup too.

#2 Jeremy Zawodny (Homepage) on 2004-01-12 07:15 (Reply)

The whole point of the Habeas signatures is that they can't be faked. They are copyrighted works, so inclusion is copyright infirngement, and the abuser can (and has been) sued.

Not that neutralizing the rule isn't a good idea, just onfo on how Habeas is designed to work.

#3 George Schlossnagle on 2004-01-12 07:29 (Reply)

I don't think that most spammers really care. I suspect the rate of successful lawsuits is pretty low--but I haven't really looked.

#4 Jeremy Zawodny (Homepage) on 2004-01-12 07:36 (Reply)

If the threat of a lawsuit is the only deterrant here, then I am even more amazed that this rule is in the default SA config. Assuming first that we can even identify a spammer, how many spammers operating out of Russia or China do you think we would be able to prosecute?

#5 Rasmus Lerdorf (Homepage) on 2004-01-12 14:35 (Reply)

Yep, I'm sure the threat of a copyright lawsuit hardly gives spammers a second thought. It'd likely require considerable effort to even track down their identities, then there's the time and expense of a lawsuit.

#6 Fred on 2004-01-13 19:37 (Reply)

FWIW, when i reported a few of them on their web site, their auto-response says they're under a particular attacker from a spammer they're still trying to track down shrug Here's the paste I did into irc earlier:

09:43 [ Flav] Habeas has recently come under attack from an as yet unidentified
09:43 [ Flav] spammer. The spammer is illegally utilizing the Habeas Warrant Mark in
09:43 [ Flav] emails which are promoting several pharmacy websites. The attack began
09:43 [ Flav] on Sunday January 11, 2004 at about 11am PT.

#7 James Manning (Homepage) on 2004-01-14 06:50 (Reply)

The same thing happened to me. I set HABEAS_SWE to zero as well.

I have never received real email with the habeas headers, and lots of spam with them.

I think if Habeas wants to have a successful business, they should change to operating a paid whitelist that could be queried by DNS, or some kind of RSA signature that can't be faked.

As it stands, it is so trivial to fake the headers that the system is useless.

#8 Jason Wong on 2004-01-17 23:35 (Reply)

somebody is using Habeas's copyrighted material to send spam vis-a-vie The register http://www.theregister.co.uk/content/55/34969.html

It seems that what ever method we use to iidentify spam can be worked around. It would seem that some of us are in fact the enemy who spams. Is there some way to identify who has faciliated spammers ability avoid detection?

#9 Kermit Tensmeyer on 2004-01-19 11:44 (Reply)

Yup - had a flood of those Habeas emails as well about a week or two ago. I also ramped the Habeas score in SA up to 0.0 and that killed this stone dead. I know of nobody who actually uses Habeas to email me, so i'm not bothered by it.

#10 Justin (Homepage) on 2004-01-30 15:18 (Reply)

I got exactly the same problem, only spam with habeas are received, it is really mandatory to remove the negative score, or maybe to make it positif instead...

#11 frp on 2004-03-09 10:39 (Reply)

Habeas Responds to Spammer Violation of Habeas Warrant Mark.

PALO ALTO, CA - January 12, 2004 - Habeas, the leading provider of emailer reputation services, has recently come under attack from an as yet unidentified spammer. The spammer is illegally utilizing the Habeas Warrant Mark in emails which are promoting websites such as pharmawharehouse.biz, pharmacourt.biz and valuepointmeds.biz which are sites promoting or selling prescription drugs. The attack began on Sunday January 11, 2004 at about 11am PT.

More details: http://www.habeas.com/companyPressPR.html#violation

#12 Mikhail Entaltsev on 2004-03-10 01:01 (Reply)

I had never received an email with the word 'habeas' in it until Monday 8th March, but since then I've received 8 of them.

It turned out that I didn't have Net::DNS installed, and so SpamAssassin was unable to check with Habeas whether the warrant mark was invalid. I've since installed Net::DNS (just run "perl -MCPAN -e shell" and type "install Net::DNS" at the cpan> prompt) and re-checked the spam it previously missed, and now 2 of the 8 spams are caught. It has made SpamAssassin a lot slower, as it now connects to a bunch of sites.

#13 Chris on 2004-03-10 20:51 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	E-Mail addresses will not be displayed and will only be used for E-Mail notifications To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above: Enclosing asterisks marks text as bold (word), underscore are made via _word_.
	Remember Information? Subscribe to this entry
Submitted comments will be subject to moderation before being displayed.