Re: J.D. Falk spineless insults (Re: HABEAS_ACCREDITED SPAMMER)
From: LuKreme krem...@kreme.com Sent: Thursday, 2009/December/03 20:55 On Dec 3, 2009, at 13:43, rich...@buzzhost.co.uk rich...@buzzhost.co.uk wrote: On Thu, 2009-12-03 at 11:23 -0700, J.D. Falk wrote: On Dec 2, 2009, at 12:59 AM, rich...@buzzhost.co.uk wrote: Look, get a room. Or at least take this twisted courtship dance offlist and spare us, please. With all the animosity on this issue I decided to give the HABEAS rules a score, a negligible score to be sure, just to see what the state of HABEAS is for me today. In the last four days - nothing either spam or ham. Those seeing HABEAS hits: are the hits ancient haiku hits or are they the modern DNS test version? I imagine the haiku is still used by some spammers. The DNS tests should legitimately show a rather small percentage of spam. It appears (weasel word notice) ReturnPath puts its members through a wringer to get the approval levels. And how was the email determined to be unsolicited? (I believe in one case it was a never used spam trap address.) Let's lay some facts out on the table rather than heap a load of anecdotal poo on JD over various HABEAS hits. And JD, I don't see on your site what it costs people to get listed on your DNS approval lists other than some tests and documentation. Is it possible spammers simply submit some buttered up documentation, get approved, and accept getting it knocked back off your lists rapidly as a business time expense? Less shouting and more data and facts seems to be called for on both sides. And for the nonce I'll grant both sides the legitimacy of their frustrations on this HABEAS thing. I note that JD is quite willing to discuss (and seemed to recommend) a lowered default score. That seems quite reasonable. {^_^}(Another JD, Jolly Dirty Old Woman type.)
Re: Clear Database Question
On 03.12.09 20:58, Jason Carson wrote:

Is it necessary to clear the database...

sa-learn --clear

...before I run the following to train SpamAssassin's bayesian classifier...

sa-learn --spam /home/jason/.maildir/.Spam/cur/

no, and don't do that unless you believe your database is really broken.

Also remember to train enough ham - bayes DB will help you DIFFERENTIATE spam and ham, therefore it needs to know what the ham looks like.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
Re: SpamAssassin cpan install @INC lib issue on CentOS 5.4
Kris Deugau wrote:

(Please keep the discussion on-list.)

Sorry about that - just hit 'reply' without checking where the message was actually going.

Edward Prendergast wrote: Kris Deugau wrote: Edward Prendergast wrote:

@@INSTALLSITELIB@@ /opt/perl5/lib/5.10.1/x86_64-linux
^^

This looks a little fishy...

I agree, I'm not sure where it's coming from.

FWIW, nothing like that showed up in my brief test - missing substitutions like that are usually a sign of a build gone wrong from early on.

That's a good question, but my qualms are mainly down to wanting to perhaps use local::lib and have up to date CPAN modules as it seems to take a long time for these to filter down via redhat.

Mmm. I use the RPMForge repo for more up-to-date Perl modules, but I've yet to run into any problems using the nominally outdated ones filtering down from RedHat/CentOS. Net::DNS is the only module I can think of where there are/were known issues (at least with respect to SA's usage) in the stock version.

My motivations aren't purely SpamAssassin related - there are other programs that want current Perl modules (MailScanner) and I wanted to get SpamAssassin along side these. This is based around what I've seen from local::lib: http://search.cpan.org/~apeiron/local-lib-1.004009/lib/local/lib.pm#SYNOPSIS

Ah, hm. I think you should be fine just setting your path to call your custom Perl ahead of the system Perl; that looks to be targeted at cherrypicking module updates alongside the packaged system Perl.

Right you are! When I change my .bashrc to this:

#export MODULEBUILDRC=/opt/perl5/.modulebuildrc
#export PERL_MM_OPT=INSTALL_BASE=/opt/perl5
#export PERL5LIB=/opt/perl5/lib/perl5:/opt/perl5/lib/perl5/x86_64-linux:/opt/perl5/lib/5.10.1:/opt/perl5/lib/site_perl/5.10.1
export PATH=/opt/perl5/bin:$PATH

SpamAssassin now installs OK.

Essentially when I use perl from the command line (and install other modules from CPAN) everything seems to be OK, issues only appear to be arising with Mail::SpamAssassin.
Yeah, that's the weird bit. You might try installing SA from the tarball instead of CPAN - I had some odd errors come up when I tried via CPAN, but I have a feeling some of that had to do with doing the whole test as non-root.

Still unsure where that @@INSTALLSITELIB@@ stuff was coming from but it certainly looks like the issue is now resolved. Many thanks for all your help. -Edward
Re: SpamAssassin cpan install @INC lib issue on CentOS 5.4
Kris Deugau wrote:

(Please keep the discussion on-list.)

On 04.12.09 09:31, Edward Prendergast wrote:

Sorry about that - just hit 'reply' without checking where the message was actually going.

you seem to use ThunderBird - there is a reply-to-list extension available for thunderbird that should solve this kind of problem.

Yeah, that's the weird bit. You might try installing SA from the tarball instead of CPAN - I had some odd errors come up when I tried via CPAN, but I have a feeling some of that had to do with doing the whole test as non-root.

Still unsure where that @@INSTALLSITELIB@@ stuff was coming from but it certainly looks like the issue is now resolved. Many thanks for all your help.

afaik these kinds of words appear in raw files before installing them on your system. the @@INSTALLSITELIB@@ should be replaced by the path on your system, where you are going to install the package. It appears that you haven't installed it using the correct way (read the docs)

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
We are but packets in the Internet of life (userfriendly.org)
Re: HABEAS_ACCREDITED WHY BY DEFAULT?
On Fri, 2009-12-04 at 00:18 -0800, jdow wrote: From: LuKreme krem...@kreme.com Sent: Thursday, 2009/December/03 20:55 On Dec 3, 2009, at 13:43, rich...@buzzhost.co.uk rich...@buzzhost.co.uk wrote: On Thu, 2009-12-03 at 11:23 -0700, J.D. Falk wrote: On Dec 2, 2009, at 12:59 AM, rich...@buzzhost.co.uk wrote: Look, get a room. Or at least take this twisted courtship dance offlist and spare us, please. With all the animosity on this issue I decided to give the HABEAS rules a score, a negligible score to be sure, just to see what the state of HABEAS is for me today. In the last four days - nothing either spam or ham. Those seeing HABEAS hits: are the hits ancient haiku hits or are they the modern DNS test version? I imagine the haiku is still used by some spammers. The DNS tests should legitimately show a rather small percentage of spam. It appears (weasel word notice) ReturnPath puts its members through a wringer to get the approval levels. And how was the email determined to be unsolicited? (I believe in one case it was a never used spam trap address.) Let's lay some facts out on the table rather than heap a load of anecdotal poo on JD over various HABEAS hits. And JD, I don't see on your site what it costs people to get listed on your DNS approval lists other than some tests and documentation. Is it possible spammers simply submit some buttered up documentation, get approved, and accept getting it knocked back off your lists rapidly as a business time expense? Less shouting and more data and facts seems to be called for on both sides. And for the nonce I'll grant both sides the legitimacy of their frustrations on this HABEAS thing. I note that JD is quite willing to discuss (and seemed to recommend) a lowered default score. That seems quite reasonable. {^_^}(Another JD, Jolly Dirty Old Woman type.) 
PREAMBLE: It's simple for me - I'm not out to win friends or influence anyone and I find those that grease the wheels for the wholesale distribution of spam (be it they hold the view it is legitimate or not) in exchange for money - whilst claiming to be anti-spam - sick individuals that deserve a good kicking at the very least. That's just my personal view. RETURN PATH OFFER A PAID FACILITY TO ASSIST IN THE DELIVERY OF UBE. That's what they do - no matter how nicey nicey Mr Falk may appears to be. It's his job. SPAMASSASSIN is about assassinating spam - not facilitating it. Negative scores applied to a bulk mailing service without the users consent (the default for Spamassassin is to allow this rule at a minus score) has me wondering just who's in bed with who? There may be a reasonable argument that Spamassassin, as configured by default, gives unfair commercial advantage to HABEAS registered spammers and I'm more curious to find out WHY than anything else. It would be acceptable for me if it shipped with a zero score by default with notes in the readme for giving it a minus score at the users discretion. Although this is only a few points in the wrong direction, the implications this has for the integrity of Spamassassin as an anti-spam system is in question. Are Return Path making regular donations to Apache and wanting something in return? What possible plausible reason is there for a bulk mailing whitelist to appear with a favourable score in a program heavily used to block spam? Being well known companies that a person may have once done a very small amount of business with does not mean that their UBE habits are acceptable in any way. FACT For me, until I changed it to a positive +10 score for HABEAS, the only time I saw the name was in unwanted UBE - to me, that is SPAM. Making a fuss on this list (and nowhere else) suddenly had IP's disappear off the HABEAS list. {dark forces at work indeed}. 
The kind of people this has appeared in are not the expected MAINSLEAZE, but shabby bottom feeders. The kind that think registering with PaytoSpam services (be that a listing in emailreg.org or Habeas Accreditation) will make them in some way legitimate in their actions. FINAL This is not a social club, it's a question and issues list for Spamassassin. My question and issue is why, by default, does Spamassassin use the HABEAS white list, and why is it out of the box set with a score to favour delivery of their junk? It's a fair question. The answer 'just change the score' is not the correct answer. The correct answer will be precisely why this state of affairs exists.
Re: HABEAS_ACCREDITED WHY BY DEFAULT?
On 12/4/2009 10:57 AM, rich...@buzzhost.co.uk wrote: FINAL This is not a social club, it's a question and issues list for Spamassassin. My question and issue is why, by default, does Spamassassin use the HABEAS white list, and why is it out of the box set with a score to favour delivery of their junk? It's a fair question. The answer 'just change the score' is not the correct answer. the answer is totally correct. SA is a framework, which luckily allows YOU do whatever you want with it, so please do, whatever YOU want (that does not include beating a dead horse on the list) and move on. The correct answer will be precisely why this state of affairs exists. - because developers think/have thought its a good idea. - because nobody other than you makes such a noise about it. And YOU who are so against, have you submitted a bug to have whatever reconsidered. EOT
Re: HABEAS_ACCREDITED WHY BY DEFAULT?
From: rich...@buzzhost.co.uk Sent: Friday, 2009/December/04 01:57 On Fri, 2009-12-04 at 00:18 -0800, jdow wrote: From: LuKreme krem...@kreme.com Sent: Thursday, 2009/December/03 20:55 On Dec 3, 2009, at 13:43, rich...@buzzhost.co.uk rich...@buzzhost.co.uk wrote: On Thu, 2009-12-03 at 11:23 -0700, J.D. Falk wrote: On Dec 2, 2009, at 12:59 AM, rich...@buzzhost.co.uk wrote: Look, get a room. Or at least take this twisted courtship dance offlist and spare us, please. With all the animosity on this issue I decided to give the HABEAS rules a score, a negligible score to be sure, just to see what the state of HABEAS is for me today. In the last four days - nothing either spam or ham. Those seeing HABEAS hits: are the hits ancient haiku hits or are they the modern DNS test version? I imagine the haiku is still used by some spammers. The DNS tests should legitimately show a rather small percentage of spam. It appears (weasel word notice) ReturnPath puts its members through a wringer to get the approval levels. And how was the email determined to be unsolicited? (I believe in one case it was a never used spam trap address.) Let's lay some facts out on the table rather than heap a load of anecdotal poo on JD over various HABEAS hits. And JD, I don't see on your site what it costs people to get listed on your DNS approval lists other than some tests and documentation. Is it possible spammers simply submit some buttered up documentation, get approved, and accept getting it knocked back off your lists rapidly as a business time expense? Less shouting and more data and facts seems to be called for on both sides. And for the nonce I'll grant both sides the legitimacy of their frustrations on this HABEAS thing. I note that JD is quite willing to discuss (and seemed to recommend) a lowered default score. That seems quite reasonable. {^_^}(Another JD, Jolly Dirty Old Woman type.) 
PREAMBLE: It's simple for me - I'm not out to win friends or influence anyone and I find those that grease the wheels for the wholesale distribution of spam (be it they hold the view it is legitimate or not) in exchange for money - whilst claiming to be anti-spam - sick individuals that deserve a good kicking at the very least. That's just my personal view. RETURN PATH OFFER A PAID FACILITY TO ASSIST IN THE DELIVERY OF UBE. That's what they do - no matter how nicey nicey Mr Falk may appears to be. It's his job. SPAMASSASSIN is about assassinating spam - not facilitating it. Negative scores applied to a bulk mailing service without the users consent (the default for Spamassassin is to allow this rule at a minus score) has me wondering just who's in bed with who? There may be a reasonable argument that Spamassassin, as configured by default, gives unfair commercial advantage to HABEAS registered spammers and I'm more curious to find out WHY than anything else. It would be acceptable for me if it shipped with a zero score by default with notes in the readme for giving it a minus score at the users discretion. Although this is only a few points in the wrong direction, the implications this has for the integrity of Spamassassin as an anti-spam system is in question. Are Return Path making regular donations to Apache and wanting something in return? What possible plausible reason is there for a bulk mailing whitelist to appear with a favourable score in a program heavily used to block spam? Being well known companies that a person may have once done a very small amount of business with does not mean that their UBE habits are acceptable in any way. FACT For me, until I changed it to a positive +10 score for HABEAS, the only time I saw the name was in unwanted UBE - to me, that is SPAM. Making a fuss on this list (and nowhere else) suddenly had IP's disappear off the HABEAS list. {dark forces at work indeed}. 
The kind of people this has appeared in are not the expected MAINSLEAZE, but shabby bottom feeders. The kind that think registering with PaytoSpam services (be that a listing in emailreg.org or Habeas Accreditation) will make them in some way legitimate in their actions. FINAL This is not a social club, it's a question and issues list for Spamassassin. My question and issue is why, by default, does Spamassassin use the HABEAS white list, and why is it out of the box set with a score to favour delivery of their junk? It's a fair question. The answer 'just change the score' is not the correct answer. The correct answer will be precisely why this state of affairs exists. Color me smartassed but I want numbers not accusations. Can the rhetoric and in bland neutral terms describe what you see in terms of numbers, possible business relations, however loose, and so forth. I do note I also want a précis's of what ReturnPath insists upon for opting into receiving business emails. If it is double opt-in that is good. If it's I sent one inquiry, received an answer, and presumed that was the end of the affair but
Re: HABEAS_ACCREDITED WHY BY DEFAULT?
From: Yet Another Ninja sa-l...@alexb.ch Sent: Friday, 2009/December/04 02:28 On 12/4/2009 10:57 AM, rich...@buzzhost.co.uk wrote: FINAL This is not a social club, it's a question and issues list for Spamassassin. My question and issue is why, by default, does Spamassassin use the HABEAS white list, and why is it out of the box set with a score to favour delivery of their junk? It's a fair question. The answer 'just change the score' is not the correct answer. the answer is totally correct. SA is a framework, which luckily allows YOU do whatever you want with it, so please do, whatever YOU want (that does not include beating a dead horse on the list) and move on. The correct answer will be precisely why this state of affairs exists. - because developers think/have thought its a good idea. - because nobody other than you makes such a noise about it. And YOU who are so against, have you submitted a bug to have whatever reconsidered. EOT Heh, at this site procaine sits in front of SA. It has a few email addresses, a very few, redirected to their own folders that I check any time I want some amusement of that kind. I want to find out just how much Richard qualifies for this dubious honor. {^_-}
Re: HABEAS_ACCREDITED WHY BY DEFAULT?
Outlook Express spell checker, that is Procmail not your stupid substitution however apt it might be. {+_+} - Original Message - From: jdow j...@earthlink.net Sent: Friday, 2009/December/04 04:16 Heh, at this site procaine sits in front of SA. It has a few email
Re: Clear Database Question
Jason Carson wrote:

Hello everyone, Is it necessary to clear the database...

sa-learn --clear

...before I run the following to train SpamAssassin's bayesian classifier...

sa-learn --spam /home/jason/.maildir/.Spam/cur/

No. That would be ill advised. Running --clear deletes your entire bayes database, which can take a long time to recover from. I would only advise using it if you've decided all your previous training is worthless, or your database becomes corrupted.

Also be sure to consider that once you clear the database SA will deactivate bayes until 200 spam and 200 nonspam messages get trained.

SpamAssassin will automatically make room when it needs to by pushing out the least popular tokens through the expire process (which you can manually trigger via the sa-learn --force-expire command, but it normally checks during message processing twice a day)
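An added example, not part of the reply above or of SpamAssassin itself: a shell helper that reads `sa-learn --dump magic` output and reports whether the 200 spam / 200 nonspam minimum mentioned above is met, plus a routine that trains without clearing. The sample dump values and the folder arguments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Decide from `sa-learn --dump magic`
# output whether the Bayes database has enough training to be used, so that
# clearing it is only considered when the counts really justify it.

# Minimums quoted in the reply above (200 spam and 200 nonspam).
MIN_SPAM=200
MIN_HAM=200

# Constructed sample of `sa-learn --dump magic` output (values are made up).
SAMPLE_DUMP='0.000          0          3          0  non-token data: bayes db version
0.000          0        412          0  non-token data: nspam
0.000          0        137          0  non-token data: nham
0.000          0      58211          0  non-token data: ntokens'

# Print "<nspam> <nham>" parsed from dump-magic text on stdin.
# The message counts are in the third column of the nspam/nham lines.
bayes_counts() {
    awk '
        / non-token data: nspam$/ { spam = $3 }
        / non-token data: nham$/  { ham  = $3 }
        END { printf "%d %d\n", spam, ham }
    '
}

# Print "active ..." when both minimums are met, otherwise how many
# messages of each class still have to be learned.
bayes_status() {
    counts=$(bayes_counts)
    nspam=${counts% *}
    nham=${counts#* }
    need_spam=$(( $MIN_SPAM > $nspam ? $MIN_SPAM - $nspam : 0 ))
    need_ham=$(( $MIN_HAM > $nham ? $MIN_HAM - $nham : 0 ))
    if [ "$need_spam" -eq 0 ] && [ "$need_ham" -eq 0 ]; then
        echo "active nspam=$nspam nham=$nham"
    else
        echo "inactive need_spam=$need_spam need_ham=$need_ham"
    fi
}

# Train without clearing: snapshot the database first, then learn BOTH
# classes, then report the resulting state.
# $1 = spam folder, $2 = ham folder, $3 = backup file (caller's own paths).
train_keep_db() {
    sa-learn --backup > "$3" || return 1
    sa-learn --spam "$1" || return 1
    sa-learn --ham "$2" || return 1
    sa-learn --dump magic | bayes_status
}
```

On a live system the check is `sa-learn --dump magic | bayes_status`; a snapshot written by `train_keep_db` can be loaded back with `sa-learn --restore`.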
Re: HABEAS_ACCREDITED WHY BY DEFAULT?
On Fri, 2009-12-04 at 04:16 -0800, jdow wrote: From: Yet Another Ninja sa-l...@alexb.ch Sent: Friday, 2009/December/04 02:28 On 12/4/2009 10:57 AM, rich...@buzzhost.co.uk wrote:

FINAL This is not a social club, it's a question and issues list for Spamassassin. My question and issue is why, by default, does Spamassassin use the HABEAS white list, and why is it out of the box set with a score to favour delivery of their junk? It's a fair question. The answer 'just change the score' is not the correct answer.

the answer is totally correct. SA is a framework, which luckily allows YOU do whatever you want with it, so please do, whatever YOU want (that does not include beating a dead horse on the list) and move on.

The correct answer will be precisely why this state of affairs exists.

- because developers think/have thought it's a good idea.
- because nobody other than you makes such a noise about it.

And YOU who are so against, have you submitted a bug to have whatever reconsidered. EOT

Heh, at this site procaine sits in front of SA. It has a few email addresses, a very few, redirected to their own folders that I check any time I want some amusement of that kind. I want to find out just how much Richard qualifies for this dubious honor. {^_-}

Qualifies what, that I get UBE that is Habeas Accredited? Should I start with the 40 from 'DateTheuk' in the last 8 days? That's 40 too many - would you like to talk in hundreds and thousands to justify removal or changing of a default white list score?
Re: HABEAS_ACCREDITED WHY BY DEFAULT?
On Fri, 2009-12-04 at 11:28 +0100, Yet Another Ninja wrote:

The correct answer will be precisely why this state of affairs exists.

- because developers think/have thought it's a good idea.
- because nobody other than you makes such a noise about it.

And YOU who are so against, have you submitted a bug to have whatever reconsidered.

I don't recall that I was making much noise about it, I said my piece and others wish to carry it on - but I'm more than happy to do that.
Re: J.D. Falk spineless insults (Re: HABEAS_ACCREDITED SPAMMER)
On 3-Dec-2009, at 23:06, R-Elists wrote:

certainly we understand your point here, yet what about accountability for Return Path Inc (and other RPI companies) related rules in the default Spamassassin configs?

My position on HABEAS is well-known by anyone who cares (I score it +0.5 and +2.0); that's not what I'm talking about: it's the constant whinging by richard and falk at each other. Obviously they WANT to be communicating since otherwise they could easily ignore/killfile each other. I'm just tired of them doing it on this mailing list.

-- 'They come back to the mountains to die,' said the King. 'They live in Ankh-Morpork.' --The Fifth Elephant
Re: HABEAS_ACCREDITED SPAMMER
On 4-Dec-2009, at 01:18, jdow wrote:

With all the animosity on this issue I decided to give the HABEAS rules a score, a negligible score to be sure, just to see what the state of HABEAS is for me today. In the last four days - nothing either spam or ham.

I tend to see little clusters of HABEAS scores, but they are rare. I might see only 10-20 a month.

Those seeing HABEAS hits: are the hits ancient haiku hits or are they the modern DNS test version?

I haven't seen the haiku in ages. But then again, I am very aggressive about dropping mail early via helo checks and zen, etc.

And how was the email determined to be unsolicited? (I believe in one case it was a never used spam trap address.)

In my case I see them on THIS email address in non-list mail (I don't check list mail with SpamAssassin) and since this email address is exclusively 100% used for mailing lists… I also see it on a very old email address that hasn't been used for real mail in close to 10 years and simply sits there collecting spam for me.

-- 'What shall we do?' said Twoflower. 'Panic?' said Rincewind hopefully. --The Light Fantastic
Re: J.D. Falk spineless insults (Re: HABEAS_ACCREDITED SPAMMER)
On Fri, 2009-12-04 at 06:55 -0700, LuKreme wrote: On 3-Dec-2009, at 23:06, R-Elists wrote: certainly we understand your point here, yet what about accountability for Return Path Inc (and other RPI companies) related rules in the default Spamassassin configs? My position on HABEAS is well-know by anyone who cares (I score it +0.5 and +2.0); that's not what I'm talking about: it's the constant whinging by richard and falk at each other. Obviously they WANT to be communicating since otherwise they could easily ignore/killfile each other. I'm just tired of them doing it on this mailinglist. Your idea of 'constant' amuses me and is stretching the truth exponentially. I'm curious why a commercial whitelist from a bulk mailing company has such a positive inroad in Spamassassin. It's a fair question. I'm not interested in your personal views of me, my question or my posting. You have a killfile? You able to ignore on subject? Skills you may find useful to learn yes?
Re: HABEAS_ACCREDITED SPAMMER
LuKreme wrote: On 4-Dec-2009, at 01:18, jdow wrote: With all the animosity on this issue I decided to give the HABEAS rules a score, a negligible score to be sure, just to see what the state of HABEAS is for me today. In the last four days - nothing either spam or ham. I tend to see little clusters of HABEAS scores, but they are rare. I might see only 10-20 a month. After following this thread for a while, I decided to take a look at my server. So here's one more data point: In the last month, I have seen 718 messages that hit one of the HABEAS rules. Of those, none of them had an overall score higher than 4, and there were only 12 that would have been scored as spam without the rule. Since I don't have access to look at the actual messages and I don't know what lists my customers may be signed up for, I can't say anything for sure, but it looks like it's working fine here based on the numbers. -- Bowie
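The three figures reported above (messages hitting a HABEAS rule, the highest score among them, and how many would have been scored as spam without the rule) can be computed from stored mail, as in this added example that is not from the thread. It assumes one unfolded X-Spam-Status header per line, and the per-rule scores in HABEAS_SCORES are assumed values to be replaced with the site's own; the sample headers are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Measure what the HABEAS rules are
# doing on a server from X-Spam-Status headers fed on stdin.

# Assumed per-rule scores, "NAME=score" separated by spaces. Replace these
# with the scores actually configured on the system being measured.
HABEAS_SCORES="HABEAS_ACCREDITED_SOI=-4.3 HABEAS_ACCREDITED_COI=-8.0"

# Constructed sample input (one unfolded header per line).
SAMPLE_HEADERS='X-Spam-Status: No, score=-3.1 required=5.0 tests=BAYES_00,HABEAS_ACCREDITED_SOI,HTML_MESSAGE autolearn=ham
X-Spam-Status: No, score=1.4 required=5.0 tests=HABEAS_ACCREDITED_SOI,HTML_IMAGE_RATIO_02,URIBL_BLACK autolearn=no
X-Spam-Status: No, score=-7.9 required=5.0 tests=HABEAS_ACCREDITED_COI,HTML_MESSAGE autolearn=ham
X-Spam-Status: Yes, score=12.2 required=5.0 tests=BAYES_99,URIBL_BLACK autolearn=spam
X-Spam-Status: No, score=0.2 required=5.0 tests=BAYES_50,HTML_MESSAGE autolearn=no'

# Prints: hits=<n> max_score=<s> rescued=<n>
#   hits      messages on which any HABEAS_* rule fired
#   max_score highest final score among those messages
#   rescued   messages below the threshold only because of the HABEAS
#             score, i.e. score minus the HABEAS contribution >= required
habeas_report() {
    awk -v scores="$HABEAS_SCORES" '
        BEGIN {
            n = split(scores, pair, " ")
            for (i = 1; i <= n; i++) {
                split(pair[i], kv, "=")
                weight[kv[1]] = kv[2]
            }
            hits = 0; rescued = 0; max = ""
        }
        /^X-Spam-Status:/ {
            score = ""; req = ""; tests = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^score=/)    score = substr($i, 7)
                if ($i ~ /^required=/) req   = substr($i, 10)
                if ($i ~ /^tests=/)    tests = substr($i, 7)
            }
            if (score == "" || req == "") next   # malformed header, skip

            m = split(tests, t, ",")
            hit = 0; contrib = 0
            for (i = 1; i <= m; i++) {
                if (t[i] ~ /^HABEAS_/) {
                    hit = 1
                    contrib += weight[t[i]]      # unknown names add 0
                }
            }
            if (!hit) next

            hits++
            if (max == "" || score + 0 > max + 0) max = score
            if (score + 0 < req + 0 && score - contrib >= req + 0) rescued++
        }
        END {
            printf "hits=%d max_score=%s rescued=%d\n",
                   hits, (max == "" ? "n/a" : max), rescued
        }
    '
}
```

A high `rescued` count relative to `hits` is the signal worth investigating message by message; a low one matches the "working fine here" reading given above.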
Re: J.D. Falk spineless insults (Re: HABEAS_ACCREDITED SPAMMER)
On Fri, Dec 4, 2009 at 14:04, rich...@buzzhost.co.uk rich...@buzzhost.co.uk wrote: On Fri, 2009-12-04 at 06:55 -0700, LuKreme wrote: On 3-Dec-2009, at 23:06, R-Elists wrote: certainly we understand your point here, yet what about accountability for Return Path Inc (and other RPI companies) related rules in the default Spamassassin configs? My position on HABEAS is well-know by anyone who cares (I score it +0.5 and +2.0); that's not what I'm talking about: it's the constant whinging by richard and falk at each other. Obviously they WANT to be communicating since otherwise they could easily ignore/killfile each other. I'm just tired of them doing it on this mailinglist. Your idea of 'constant' amuses me and is stretching the truth exponentially. I'm curious why a commercial whitelist from a bulk mailing company has such a positive inroad in Spamassassin. It's a fair question. I'm not interested in your personal views of me, my question or my posting. You have a killfile? You able to ignore on subject? Skills you may find useful to learn yes? Richard, quit it. It's unreasonable to assume that all of the subscribers to this list should have to listen to, or need to set up a killfile just to avoid, your ranting. -- --j.
Re: HABEAS_ACCREDITED WHY BY DEFAULT?
On Fri, 4 Dec 2009, Yet Another Ninja wrote:

. 'just change the score' is not the correct answer.

the answer is totally correct.

No, it is not. No more than it is correct for a spammer to offer me a (working) 'unsubscribe' link. I don't want to discover I've been letting spam in the door and get complaints from users because of one (or more!) 'default' settings that are permitting spam. The 'correct' answer that is being sought is to judge the entire underlying 'policy' mechanism for spamassassin which results in the *category* of choices about negative scores of which the habeas rule is only ONE possible example!

The correct answer will be precisely why this state of affairs exists.

- because developers think/have thought it's a good idea.

SLAP! Don't restate the question like it's an answer. He asked for reasoning behind the choice, not whether the developers *liked* their choice. Of course they liked it. WHY did they like it?

- because nobody other than you makes such a noise about it.

There's a good point. Why *does* this person see so much spam with the habeas rule in it? Which leads to the obvious corollary, it seems likely that the habeas rule got a negative score because it only appears in ham in the SA 'master' test corpus. Why is THAT? What skews the messages contents so badly? What is different between the two? Anyone thought to sit down and question it? I'm not even blindly accepting his assertions. I used to devalue habeas back when it was the 'haiku' variety, but I haven't had a problem lately, even without a special score. So why is there a problem for him?

- Charles
Re: HABEAS_ACCREDITED WHY BY DEFAULT?
On Fri, 4 Dec 2009, rich...@buzzhost.co.uk wrote: Qualifies what, that I get UBE that is Habeas Accredited? Should I start with the 40 from 'DateTheuk' in the last 8 days? Okay, let's be methodical. Let us indeed start with those. Did anyone else get them? If, so, how did they score? If not, then why did only Richard get them? Keep in mind that a 'problem' may be buried by conditions where most of the spam still gets flagged, then blocked because of other positive scoring tests, so we don't *see* the habeas test firing I don't record hits on rules in mail that is flagged ham, but notice that I do see the habeas rule in a couple of cases where I have deliberately blacklisted a mail server like 'mailengine'. - Charles
Re: J.D. Falk Richard dispute (was J.D. Falk...)
I'm just changing the subject line because I find the previous subject line to be extremely offensive and out of line. - As long as we have some spam filters which block some legitimate confirmed opt-in senders (and/or legit organizations sending to their unquestionable members), then that makes Return Path's business model legitimate and helpful. If anyone believes that Return Path's execution of this business model ends up giving some spammers a pass, then they should shame Return Path by pointing out the most egregious examples that come along. But it is understandable that a few undesirable situations are going to happen every once in a while, no matter how good and ethical a job is done by Return Path. So an egregious example that comes up every once in a while is understandable. (just like it is understandable for a legit hoster to unknowingly and occasionally sign up a spammer who deceived the hoster--happens all the time!) As long as Return Path reacts appropriately to such spammers, and as long as they are not a constant revolving door for many spammers (or anything close to that), then I don't see any problems here. I do understand the argument that their business model might provide incentives for them to be unethical in the short run just to drum up extra sales, but this is balanced by the longer-term damage this does to their reputation. Amazingly, I deal with black- or dark gray-hat ESPs blacklistings on invaluement.com where the ESP is run by 20-something-year-old punk kids who don't understand the long-term negative repercussions of their business practices and seem to think that they can spam with impunity as long as they are CAN-SPAM compliant. But, in contrast, Return Path is run by rational and mature adults who get it, imo. For the reasons stated, I reject the ridiculous argument that their business plan makes them unethical.
But I do believe that it is helpful if/when the anti-spam community points out their most questionable clients, if/when deemed appropriate. That will only help inspire them to further tighten their standards and keep them accountable. (actually, I do NOT personally see any current deficiencies with them--but I'm just saying that this is a productive way of dealing with any problems anyone has with Return Path that will have tangible good results for the industry as a whole.) So, instead of insults, if anyone has a gripe with them, please just point out SPECIFIC examples. Over time, if you find many egregious ones, that will speak for itself. Otherwise, I'd prefer to not be bothered with this.

-- Rob McEwen http://dnsbl.invaluement.com/ r...@invaluement.com +1 (478) 475-9032
Smart Smoker spam sailing past SA scores
SA had a lot of trouble identifying this as spam. The IP (174.139.37.196) is not yet listed in a lot of the DNSBLs, so it only scored around a 1.0 on the spam meter. http://pastebin.com/m1d0a75b7 It uses a block of foreign language spam at the end to get past some SA checks, such as HTML_IMAGE_RATIO. The text/plain section is completely empty (and doesn't match the text/html section).
Suggestion for use by ANY whitelist service....
All this debate about 'legitimate' mail services like 'returnpath' being abused by 'sneaky' spammers. How is that possible? There should be easy ways to prevent it. Here's a few ideas: As soon as any whitelist service like 'returnpath' accepts a client, they perform the following:
1) Review the client's address list - look for honeypot addresses. If any are found, clearly the client has not vetted their list.
2) Perform their OWN 'opt-in' mailout to that list.
Hello, we at (company eg. Returnpath) have contracted to operate a mailing list on behalf of (client name). They have provided your address as one that has *requested* advertising mailouts from their company. We respectfully request that you verify this subscription/request by replying to this e-mail. IF you do nothing, this will be your last mailing from this company.
I'm sure we would all live with the occasional true 'opt-in' request, if we knew that the end result would be that it would stifle spam by giving the legitimate mailers, the ones whose mail we *want* anyway, a better chance to reach us. - Charles
Re: HABEAS_ACCREDITED WHY BY DEFAULT?
On Fri, 2009-12-04 at 10:50 -0500, Charles Gregory wrote: On Fri, 4 Dec 2009, rich...@buzzhost.co.uk wrote: Qualifies what, that I get UBE that is Habeas Accredited? Should I start with the 40 from 'DateTheuk' in the last 8 days? Okay, let's be methodical. Let us indeed start with those. Did anyone else get them? If, so, how did they score? If not, then why did only Richard get them? Keep in mind that a 'problem' may be buried by conditions where most of the spam still gets flagged, then blocked because of other positive scoring tests, so we don't *see* the habeas test firing I don't record hits on rules in mail that is flagged ham, but notice that I do see the habeas rule in a couple of cases where I have deliberately blacklisted a mail server like 'mailengine'. - Charles Point 1 - The Subject that was changed on the other post. JD Falk made the original change to abuse me. Go back to the archive and take a look. I just inverted it. Point 2 - I've stated my opinions on organisations that are involved in bulk mailing, but that's all it is. An opinion. They are like axxholes, everyone has one. Point 3 - My Habeas issue is not about quantity. Most of the previous Habeas spam I did not log, and I regret that.I've set things up differently so I log each and everyone from now on. So other than my worthless word I can only cite the current ongoing issue with DateTheUk. A company that fished a watermarked address from a Facebook 'Farmville' group and then spammed it. This was raised as the IP appeared in HABEAS and for a few hours it 'vanished' from the list. It's back there now, but DateTheUk is now pumping out via an ip six decimal places up on the last octet. 80.75.69.195WHITELISTED:sa-accredit.habeas.com The customer concerned then hopped their output to:80.75.69.201 80.75.69.201WHITELISTED:sa-accredit.habeas.com The customer also hits on: list.dnswl.org, so they are clearly aware of the need to grease the wheels. Spamassassin was passing the stuff at -9. 
It's not about the listing of a Rogue Customer, it's why they are not delisted for doing it - this would give some kind of confidence back. My personal view is no blind eye should be turned to any spammer, especially one coming from a so called reputable source. Point 4 - All that is largely irrelevant to this list, but my point of interest is why a commercial white list appears in Spamassassin with the default scores set the way they are? It's perfectly reasonable to ask. It could be expanded to ask if there are any plans to include whitelists from other vendors in the default, such as Apache donator Barracuda? Perhaps emailreg.org with a -4 score in the next SA release? Much that the personality battles and offlist threats and abuse amuse me, my question is perfectly reasonable, has its foundation in fact and is on topic.
Re: Suggestion for use by ANY whitelist service....
On Fri, 2009-12-04 at 11:08 -0500, Charles Gregory wrote: All this debate about 'legitimate' mail services like 'returnpath' being abused by 'sneaky' spammers. How is that possible? There should be easy ways to prevent it. Here's a few ideas: As soon as any whitelist service like 'returnpath' accepts a client, they perform the following: 1) Review the client's address list - look for honeypot addresses. If any are found, clearly the client has not vetted their list. 2) Perform their OWN 'opt-in' mailout to that list. Hello, we at (company eg. Retunrpath) have contracted to operate a mailng list on behalf of (client name). They have provided your address as one that has *requested* advertising mailouts from their company. We respectfully request that you verify this subscription/request by replying to this e-mail. IF you do nothing, this will be your last mailing from this company. I'm sure we would all live with the occasional true 'opt-in' request, if we knew that the end result would be that it would stifle spam by giving the legitimate mailers, the ones whose mail we *want* anyway, a better chance to reach us. - Charles Sensible. I would suggest that 2) forms a footer that the sender cannot remove and that the ESP was fully responsible for deleting unsubscribes or anything giving a 5xx error. That to one side, the default for a spam filter should not be to give any weight to a white list unless the user modifies the config themselves specifically. It can be seen to be suspicious and offering a pecuniary advantage to those involved and using it.
Re: HABEAS_ACCREDITED WHY BY DEFAULT?
jdow wrote: Color me smartassed but I want numbers not accusations. Can the rhetoric and in bland neutral terms describe what you see in terms of numbers, possible business relations, however loose, and so forth.

Here's some numbers to play with:

~500K messages delivered daily (as in, passed on from Postfix to the program that actually writes the message to the customer's mailbox tree somewhere)
~16K of ~48K accounts have spam filtering enabled

Since Jan 1 2009, hits on HABEAS* rules have resulted in an average of:

 rulename              | spamperday             | hamperday
-----------------------+------------------------+-----------------------
 HABEAS_ACCREDITED_COI | 0.04154302670623145401 | 161.4124629080118694
 HABEAS_ACCREDITED_SOI | 6.4124629080118694     | 3887.0326409495548961

(I run a daily script to stuff yesterday's SA log data into a database; so far I haven't gotten around to doing anything with the data.)

I can't attest to the accuracy of any of the hits because this is an ISP mail system. But even considering only a third of the accounts have filtering enabled, that's still somewhere in the neighbourhood of 1% of all mail hitting HABEAS_ACCREDITED_*. Checking the spam reporting account shows no actual spams reported with HABEAS hits, and one legitimate book fair travel ad from a publishing company hitting _SOI; about 8500 messages have been reported and confirmed. A further ~350 have been reported, but considered legit. Admittedly, I have to consider a broader range of mail to be legitimate... but I really haven't had to strain very hard in making that distinction in hand-confirming messages reported as spam. Checking my own personal account on my own server shows a newsletter for a rewards program with my bank, occasional messages from eBay, and a message from Adobe. All legitimate. I don't keep spam around all that long, but what's still sticking around doesn't show any HABEAS* hits. -kgd
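A per-rule tally of the kind reported in the message above, written here as an added example (it is not the poster's script). It also counts ham verdicts that would have crossed the threshold without the whitelist score. Assumptions: the sample lines are constructed in the shape of spamd's "result:" log entries, LOCAL_PHISH_HELPDESK is a hypothetical local rule, and the two rule scores are the defaults quoted elsewhere in this thread.

```python
import re
from collections import Counter

# Constructed sample: spamd "result:" lines (Y = spam, . = ham).
SAMPLE_LOG = """\
Dec  3 09:14:02 mx1 spamd[4121]: spamd: result: . -4 - HABEAS_ACCREDITED_SOI,HTML_MESSAGE scantime=0.9,size=18211,user=u1,uid=1001,required_score=5.0,rhost=localhost,autolearn=no
Dec  3 09:15:00 mx1 spamd[4121]: spamd: connection from localhost [127.0.0.1] at port 51234
Dec  3 09:20:45 mx1 spamd[4121]: spamd: result: . 2 - HABEAS_ACCREDITED_SOI,MIME_HTML_ONLY,URIBL_BLACK scantime=1.1,size=9120,user=u2,uid=1002,required_score=5.0,rhost=localhost,autolearn=no
Dec  3 11:02:10 mx1 spamd[4121]: spamd: result: Y 9 - BAYES_99,URIBL_BLACK scantime=0.7,size=3301,user=u3,uid=1003,required_score=5.0,rhost=localhost,autolearn=no
Dec  4 08:01:33 mx1 spamd[4188]: spamd: result: Y 6 - BAYES_99,HABEAS_ACCREDITED_SOI,URIBL_BLACK scantime=1.4,size=7710,user=u1,uid=1001,required_score=5.0,rhost=localhost,autolearn=no
Dec  4 08:30:09 mx1 spamd[4188]: spamd: result: . -4 - BAYES_00,RCVD_IN_DNSWL_MED scantime=0.5,size=2244,user=u4,uid=1004,required_score=5.0,rhost=localhost,autolearn=no
Dec  4 10:45:51 mx1 spamd[4188]: spamd: result: . 3 - LOCAL_PHISH_HELPDESK,RCVD_IN_DNSWL_MED scantime=0.6,size=4102,user=u5,uid=1005,required_score=5.0,rhost=localhost,autolearn=no
"""

# Default scores as quoted in this thread.
WHITELIST_SCORES = {"HABEAS_ACCREDITED_SOI": -4.3, "RCVD_IN_DNSWL_MED": -4.0}

RESULT_RE = re.compile(
    r"^(\w{3}\s+\d+) .*spamd: result: ([Y.])\s+(-?\d+) - (\S*) "
    r".*required_score=([\d.]+)"
)


def tally(log_text, rule_scores):
    """Per-rule spam/ham averages per day, plus 'rescued' ham.

    'rescued' counts ham verdicts that hit the rule and whose logged score,
    with the rule's negative score removed, reaches required_score. spamd
    logs the score rounded to an integer, so this is an approximation.
    """
    days = set()
    stats = {rule: Counter() for rule in rule_scores}
    for line in log_text.splitlines():
        m = RESULT_RE.match(line)
        if not m:
            continue  # not a scan result line
        day, verdict, score, tests, required = m.groups()
        days.add(day)
        hits = set(tests.split(","))
        for rule, rule_score in rule_scores.items():
            if rule not in hits:
                continue
            if verdict == "Y":
                stats[rule]["spam"] += 1
            else:
                stats[rule]["ham"] += 1
                if int(score) - rule_score >= float(required):
                    stats[rule]["rescued"] += 1
    n_days = max(len(days), 1)
    return {
        rule: {
            "spam_per_day": c["spam"] / n_days,
            "ham_per_day": c["ham"] / n_days,
            "rescued": c["rescued"],
        }
        for rule, c in stats.items()
    }


if __name__ == "__main__":
    for rule, row in tally(SAMPLE_LOG, WHITELIST_SCORES).items():
        print(rule, row)
```

The "rescued" messages are the ones worth reading by hand: they are the only hits where the whitelist score decided the verdict.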
Re: Suggestion for use by ANY whitelist service....
On Fri, 4 Dec 2009, Charles Gregory wrote: As soon as any whitelist service like 'returnpath' accepts a client, they perform the following: 1) Review the client's address list - look for honeypot addresses. If any are found, clearly the client has not vetted their list. 2) Perform their OWN 'opt-in' mailout to that list. Hello, we at (company eg. Retunrpath) have contracted to operate a mailng list on behalf of (client name). They have provided your address as one that has *requested* advertising mailouts from their company. We respectfully request that you verify this subscription/request by replying to this e-mail. IF you do nothing, this will be your last mailing from this company. Both would have to be done any time a new address was added to the mailing list. And there would have to be some watchdog ensuring the MSP doesn't relax the policy over time. It's a great idea. The problem is, how do you get mail service providers to do this? What causes them loss of revenue if they _don't_ do it? About the only leverage I can see is if the large ISPs and freemail providers (hotmail, comcast, MSN, etc.) start to outright block MSPs that don't auditably follow these guidelines. And I don't see that happening. I'm sure we would all live with the occasional true 'opt-in' request, Absolutely, particulary if it's the proper ignore means permission denied model. if we knew that the end result would be that it would stifle spam by giving the legitimate mailers, the ones whose mail we *want* anyway, a better chance to reach us. I don't think it would have that effect. Being able to force such a policy onto MSPs won't affect spambot networks. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- We have to realize that people who run the government can and do change. 
Our society and laws must assume that bad people - criminals even - will run the government, at least part of the time. -- John Gilmore --- 11 days until Bill of Rights day
Re: Suggestion for use by ANY whitelist service....
rich...@buzzhost.co.uk wrote: That to one side, the default for a spam filter should not be to give any weight to a white list unless the user modifies the config themselves specifically. It can be seen to be suspicious and offering a pecuniary advantage to those involved and using it. I disagree. I think a spam filter should do its best to give a reasonable weight to both whitelists and blacklists. Obviously, a default SA install needs a bit of tweaking to get the best accuracy, but the default install should be as good as possible and that includes finding the best rules, blacklists, and whitelists to include in the default ruleset as well as generating reasonable scores for all of them. Any bad rules (regex rules, blacklists, or whitelists) should show up quickly enough as just about everyone would start seeing problems with them. In this case, there are a few people complaining about the Habeas rules, but just as many people who do not see any problems. -- Bowie
Re: Suggestion for use by ANY whitelist service....
On Fri, 2009-12-04 at 12:01 -0500, Bowie Bailey wrote: rich...@buzzhost.co.uk wrote: That to one side, the default for a spam filter should not be to give any weight to a white list unless the user modifies the config themselves specifically. It can be seen to be suspicious and offering a pecuniary advantage to those involved and using it. I disagree. I think a spam filter should do it's best to give a reasonable weight to both whitelists and blacklists. In which case how about including several other whitelists and not just giving advantage to one?
Re: Suggestion for use by ANY whitelist service....
John Hardin jhar...@impsec.org writes: On Fri, 4 Dec 2009, Charles Gregory wrote: 2) Perform their OWN 'opt-in' mailout to that list. Hello, we at (company eg. Retunrpath) have contracted to operate a mailng list on behalf of (client name). They have provided your address as one that has *requested* advertising mailouts from their company. We respectfully request that you verify this subscription/request by replying to this e-mail. IF you do nothing, this will be your last mailing from this company. Both would have to be done any time a new address was added to the mailing list. And there would have to be some watchdog ensuring the MSP doesn't relax the policy over time. It's a great idea. The problem is, how do you get mail service providers to do this? What causes them loss of revenue if they _don't_ do it? Perhaps SA could decline to offer negative points for other than actual COI? My own experience with HABEAS_ACCREDITED_SOI has been that it's caused spam to show up in my inbox instead of filtered like it should have been. Complaining in public seems to be the only thing that works. I somewhat understand the difficulties of running an accreditation service, but I think the expectation of the SA community should be that problems (accredited senders spamming) should be extremely rare. It's clearly not extremely rare. A problem with the spam%/ham% checking methodology is that it makes the accreditation look reasonable for corpuses that have lots of requested commercial mail. That's certainly fine for those people, but the outcomes seem very different for those that don't ask for such mail - they're left with only the spam. Whitelists that don't accept payment for listing should get treated as SA has done - estimate a proper score. Those that do accept payment are a more complicated case - I think it's reasonable to demand that infractions are highly rare and that non-public complaints are responded to promptly and appropriately. 
Probably SOI should be entirely dropped. pgpGSHpRWD8Hw.pgp Description: PGP signature
Re: Suggestion for use by ANY whitelist service....
Bowie Bailey wrote: In this case, there are a few people complaining about the Habeas rules, but just as many people who do not see any problems. Silence does not necessarily mean assent. I disabled the Habeas rules long ago and therefore have no useful data to add to the thread. If speaking up helps to rid myself of the free ride whitelists receive in the default install, then count my vote towards a more sane whitelist score.
Re: HABEAS_ACCREDITED WHY BY DEFAULT?
rich...@buzzhost.co.uk wrote: This was raised as the IP appeared in HABEAS and for a few hours it 'vanished' from the list. It's back there now, but DateTheUk is now pumping out via an ip six decimal places up on the last octet. 80.75.69.195 WHITELISTED:sa-accredit.habeas.com The customer concerned then hopped their output to:80.75.69.201 80.75.69.201 WHITELISTED:sa-accredit.habeas.com FYI, 80.75.69.192 - 80.75.69.255 belongs to Easydate Ltd in Edinburgh. /Per Jessen, Zürich
Re: Suggestion for use by ANY whitelist service....
Jason Bertoch wrote: Bowie Bailey wrote: In this case, there are a few people complaining about the Habeas rules, but just as many people who do not see any problems. Silence does not necessarily mean assent. I disabled the Habeas rules long ago and therefore have no useful data to add to the thread. If speaking up helps to rid myself of the free ride whitelists receive in the default install, then count my vote towards a more sane whitelist score. No, but people with problems are more likely to speak out than people whose systems are working well. Besides, once everyone starts talking about something like this, more people will start checking into it on their own servers (as I did). If this were a major problem, I would expect that as this thread continues, more and more people would look at their servers and see a problem. Since I currently see about a 50/50 split (non-scientific guess) between people who have problems with Habeas and people who don't, and there are a fairly small number of people on either side of the issue, I would conclude that this is not a major problem, but rather a problem that affects a subset of users (possibly determined by their location and userbase). -- Bowie
Re: HABEAS_ACCREDITED WHY BY DEFAULT?
On Fri, 2009-12-04 at 18:11 +0100, Per Jessen wrote: rich...@buzzhost.co.uk wrote: This was raised as the IP appeared in HABEAS and for a few hours it 'vanished' from the list. It's back there now, but DateTheUk is now pumping out via an ip six decimal places up on the last octet. 80.75.69.195 WHITELISTED:sa-accredit.habeas.com The customer concerned then hopped their output to:80.75.69.201 80.75.69.201 WHITELISTED:sa-accredit.habeas.com FYI, 80.75.69.192 - 80.75.69.255 belongs to Easydate Ltd in Edinburgh. /Per Jessen, Zürich Correct, and the hits in habeas are shown. The issue with RP is a side distraction to this.
Is there a list of all white lists being used by default rules?
I have been reading other threads about white list problems. In the past week this college has been phished very successfully two times. Each time the rules I added to increase the score of college specific phishing email were counter balanced. On Saturday night it was the white-list score from RCVD_IN_DNSWL_MED (-4.00) for a compromised government account. On Monday morning it was the white-list score from HABEAS_ACCREDITED_SOI (-4.30) for a compromised commercial account. In each of these cases, it was the first time I realized the rule used had an associated list being used of which I was previously unaware. How do I determine how many other such lists are being used without my knowledge? -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106
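One way to answer the question above is to read the rule files themselves and list every rule that can score negative, together with the DNS zone it queries. This is an added example, not SpamAssassin's own tooling. Assumptions: the sample is constructed in .cf syntax, the lookup set names, subtest values, bl.example.invalid and the LOCAL_* rules are hypothetical, and only the two negative scores and the two whitelist zones come from this thread.

```python
import re
from pathlib import Path

# Constructed sample in SpamAssassin .cf syntax (not copied from a release).
SAMPLE_CF = r"""
header __RCVD_IN_DNSWL       eval:check_rbl('dnswl-firsttrusted', 'list.dnswl.org.')
header RCVD_IN_DNSWL_MED     eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.2')
tflags RCVD_IN_DNSWL_MED     nice net
score  RCVD_IN_DNSWL_MED     0 -4.00 0 -4.00

header __HABEAS              eval:check_rbl('habeas-firsttrusted', 'sa-accredit.habeas.com.')
header HABEAS_ACCREDITED_SOI eval:check_rbl_sub('habeas-firsttrusted', '127.0.0.2')
tflags HABEAS_ACCREDITED_SOI nice net
score  HABEAS_ACCREDITED_SOI 0 -4.30 0 -4.30

header RCVD_IN_EXAMPLE_BL    eval:check_rbl('examplebl-lastexternal', 'bl.example.invalid.')
score  RCVD_IN_EXAMPLE_BL    0 2.5 0 2.5

header LOCAL_TRUSTED_PARTNER From =~ /\@partner\.example$/i
score  LOCAL_TRUSTED_PARTNER -2.0   # local rule, no DNS lookup
body   LOCAL_PHISH_HELPDESK  /verify your college account/i
score  LOCAL_PHISH_HELPDESK  5.0
"""

# header RULE eval:check_rbl('set', 'zone.') or check_rbl_sub('set', 'subtest')
RBL_RE = re.compile(
    r"^\s*header\s+(\S+)\s+eval:check_rbl(_sub|_txt)?"
    r"\(\s*'([^']+)'\s*,\s*'([^']*)'"
)
# score RULE v1 [v2 v3 v4]; one value applies to all four score sets
SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+([^#]+)")


def audit(cf_text):
    """Return (rule, lowest_score, dns_zone_or_None) for every rule that can
    score negative, most negative first. Later score lines override earlier
    ones, so pass files in load order. Conditional blocks (if/ifplugin) are
    not evaluated, so a listed rule may be inactive on a given install."""
    zone_of_set = {}  # lookup set name -> DNS zone
    set_of_rule = {}  # rule name -> lookup set name
    scores = {}       # rule name -> score values
    for line in cf_text.splitlines():
        m = RBL_RE.match(line)
        if m:
            rule, kind, set_name, arg = m.groups()
            set_of_rule[rule] = set_name
            if kind != "_sub":  # check_rbl / check_rbl_txt carry the zone
                zone_of_set[set_name] = arg.rstrip(".")
            continue
        m = SCORE_RE.match(line)
        if m:
            try:
                scores[m.group(1)] = [float(v) for v in m.group(2).split()]
            except ValueError:
                pass  # relative "(n)" scores are not handled here
    findings = []
    for rule, values in scores.items():
        if values and min(values) < 0:
            zone = zone_of_set.get(set_of_rule.get(rule))
            findings.append((rule, min(values), zone))
    return sorted(findings, key=lambda f: (f[1], f[0]))


def neutralise(findings):
    """local.cf lines that zero every DNS-backed negative rule found."""
    return [f"score {rule} 0" for rule, _, zone in findings if zone]


def audit_files(paths):
    """Same audit over real rule files; their location depends on the install."""
    return audit("\n".join(Path(p).read_text(errors="replace") for p in paths))


if __name__ == "__main__":
    found = audit(SAMPLE_CF)
    for rule, score, zone in found:
        print(f"{score:6.2f}  {rule:24s} {zone or '(no DNS list)'}")
    print("\n".join(neutralise(found)))
```

Review the output of `neutralise` before copying it into local.cf, since zeroing a rule removes its effect on wanted mail as well.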
Re: HABEAS_ACCREDITED WHY BY DEFAULT?
On Fri, 4 Dec 2009, rich...@buzzhost.co.uk wrote: Okay, let's be methodical. Let us indeed start with those. Did anyone else get them? No answer. If, so, how did they score? No answer. If not, then why did only Richard get them? No answer. Point 1 - The Subject that was changed on the other post. JD Falk made the original change to abuse me. Go back to the archive and take a look. I just inverted it. I don't care. You can each call the other all the names you want. But if there is a legitimate issue, it will be answered by addressing the questions I posed. Point 2 - I've stated my opinions on organisations that are involved in bulk mailing, but that's all it is. An opinion. They are like axxholes, everyone has one. I don't care. Spamassassin does not have an 'opinion'. It has a methodology. If that methodology requires review/correction, your opinion provides no quantitative feedback. Point 3 - My Habeas issue is not about quantity. If you read my post you would have grasped the simple idea that if ANY spam comes to your attention, it is very likely the tip of an unseen iceberg of missed spam. So we treat it seriously and investigate. I didn't ask how *much* anyone got. I asked whether there was something peculiar to your situation that prevented other people from seeing this problem. see *nay . I can only cite the current ongoing issue with DateTheUk. A company that fished a watermarked address from a Facebook 'Farmville' group and then spammed it. Good enough to work with. You've posted your data, now my next question is whether anyone else sees the same mail. Just because I don't see it over here in Canada doesn't mean you are the only one. But it may very well highlight a 'regional bias' in the main spamassassin test corpora. 80.75.69.195WHITELISTED:sa-accredit.habeas.com 80.75.69.201WHITELISTED:sa-accredit.habeas.com Which now leads back to questions about whether we're seeing *hacked* servers that just *happen* to be habeas accredited? 
The customer also hits on: list.dnswl.org, so they are clearly aware of the need to grease the wheels. Spamassassin was passing the stuff at -9. (nod) I've seen similar scores on (obvious) spam from 'mailengine'. It's not about the listing of a Rogue Customer, it's why they are not delisted for doing it - this would give some kind of confidence back. It may not be the 'customer' at all. Never attribute to malice that which can be ascribed to ignorance. My personal view is no blind eye should be turned to any spammer, especially one coming from a so called reputable source. So let's get back to defining the source. We've got a habeas representative on here? Let's trace this 'datetheuk' stuff and see if it really is their legitimate business. By the by, I think I posted on this list a while ago on a similar question, as to whether we could really trust *any* whitelists, as they simply made for a *deliberate* target of botnet owners. No one made a fuss about it before, but what about now? Maybe, once again, the flaw is in having a whitelisting system that relies upon third party servers with unknown security. Point 4 - All that is largely irrelevant to this list, but my point of interest is why a commercial white list appears in Spamassassin with the default scores set the way they are? It's perfectly reasonable to ask. Well, the obvious 'starting answer' (just to cut the pedants short) is that a whitelist *should* generally betoken increased trust in a source, and that it is 'permitted' to look a 'little' spammy because their business is advertising, but not 'spam'. So with that category of mail in the 'ham' corpora, spamassassin score generation allows a generous negative score. The flaw, here, may be regional bias. Perhaps Spamassassin should get a bit more sophisticated and attempt to generate corpora for different regions? It could be expanded to ask if there are any plans to include whitelists from other vendors in the default, such as Apache donator Barracuda?
Perhaps emailreg.org with a -4 score in the next SA release? That is the most meaningful question. What is the policy for inclusion, and how reliable is it? The key to understanding is to verify whether the 'spam' you see is *actually* from the 'customer' who obtained the habeas accredit and then probe how we would deal with a 'yes' or a 'no'. Much that the personality battles and offlist threats and abuse amuse me, my question is perfectly reasonable, has it's foundation in fact and is on topic. Which is pretty much what I said. I just clarified the question because pedants were answering because the developers like it. But it might help to skip the personality/ad hominem crap. Prove that the mail you receive is the rightful mail of the legitimate IP address owner, and then ask the habeas people how they 'earned' that accredit - C
Re: [sa] Re: Suggestion for use by ANY whitelist service....
On Fri, 4 Dec 2009, rich...@buzzhost.co.uk wrote: . the default for a spam filter should not be to give any weight to a white list unless the user modifies the config themselves specifically. It can be seen to be suspicious and offering a pecuniary advantage to those involved and using it. If it turns out that the whitelists FAIL to deliver a sufficiently reliable 'standard' of only sending e-mails to confirmed double-opt-in recipients, then yes, SA should not 'favor' them. But if they offer a reliable way to judge mail as 'valid' (by which I mean that the recipient in their own sole judgement says I wanted that) then I see no problem with scoring. But based on current examples (datetheuk) I have serious reservations that the practical reality meets this standard - Charles
Re: [sa] Re: Suggestion for use by ANY whitelist service....
On Fri, 4 Dec 2009, John Hardin wrote: Both would have to be done any time a new address was added to the mailing list. And there would have to be some watchdog ensuring the MSP doesn't relax the policy over time. Uh-huh. For a -4 in my mail filter? They oughta! :) It's a great idea. The problem is, how do you get mail service providers to do this? What causes them loss of revenue if they _don't_ do it? The fact that recipients change their SA score from negative to positive (or better still, as argued here, the negative *default* is removed from the distribution, so that millions of mail servers immediately 'downgrade' the mail's acceptability). I'm sure we would all live with the occasional true 'opt-in' request, Absolutely, particulary if it's the proper ignore means permission denied model. That's my definition of 'true opt-in'. Yes. Also goes without saying that the opt-in request be *terse* and not be used as a 'carrier' for 'one quick sneaky ad'. Plain text. No logos. I don't think it would have that effect. Being able to force such a policy onto MSPs won't affect spambot networks. Which leads around to the other issue that seems to be building, which is whether spambot networks deliberately target whitelisted IP ranges to improve their chances of getting delivery. :( - C
Re: Suggestion for use by ANY whitelist service....
On Fri, 4 Dec 2009, rich...@buzzhost.co.uk wrote: I disagree. I think a spam filter should do it's best to give a reasonable weight to both whitelists and blacklists. In which case how about including several other whitelists and not just giving advantage to one? SA also scores negatively for various IADB rules (whoever they are) as well as 'DNSWL'. Not a lot, but really, how many organizations ever had a running start at being that reliable? But perhaps they should be reviewed and removed if they've been hacked too often - C
Re: HABEAS_ACCREDITED WHY BY DEFAULT?
Charles Gregory wrote: I don't care. Spamassassin does not have an 'opinion'. It has a methodology. Umm, it also has a set of rules which essentially make up the SA opinion. /Per Jessen, Zürich
Re: Suggestion for use by ANY whitelist service....
On Fri, 4 Dec 2009, Greg Troxel wrote: A problem with the spam%/ham% checking methodology is that it makes the accreditation look reasonable for corpuses that have lots of requested commercial mail. That's certainly fine for those people, but the outcomes seem very different for those that don't ask for such mail - they're left with only the spam. Agreed. Though reasonably speaking, the overall volume of 'accredited' spam should be the same as an overall percentage. So it should still raise a 'red flag' when it gets too large, regardless of how much ham benefits from the rule. - C
Re: HABEAS_ACCREDITED WHY BY DEFAULT?
On Fri, 04 Dec 2009, rich...@buzzhost.co.uk wrote: Point 4 - All that is largely irrelevant to this list, but my point of interest is why a commercial white list appears in Spamassassin with the default scores set the way they are? It's perfectly reasonable to ask. It could be expanded to ask if there are any plans to include whitelists from other vendors in the default, such as Apache donator Barracuda? Perhaps emailreg.org with a -4 score in the next SA release? So if, after a while of wading through the debate, I understand this right, it boils down to 'are spammers buying out spamassassin rule-makers' or 'do we have to assume that spamassassin development was taken over by spammers' or some such theory? Wouldn't it be far easier to believe, that in long gone times when 'habeas' seemed to proof nonspam (I seem to remember it worked a while) somebody put that rule in. And a while later lots of people simply set their habeas rules to zero after noticing spam-with-habeas. (the oldest mails with 'Subject:.*habeas' I can find in my archive were about habeas haikus and these were beginning to be faked 2003/4). Then I personally simply forgot the whole thing ... til yesterday :-) AND if the spam-with-habeas is seldom seen it might simply vanish in the noise or hide below the other rules until somebody(!) notices. For me all this means - simply forget (zero out) the rules - and if need be file a bug/request/whatever to get them removed - but not that I'd assume that spamassassin was subverted to allow spammers? But even if it were so, it could not go on very long - somebody would(did?) wonder ... After all this debate about a negatively scored rule I'd disable it anyway, because the spammers on the list will target it specifically now, knowing it works well for them. 
Stucki -- Christoph von Stuckrad * * |nickname |Mail stu...@mi.fu-berlin.de \ Freie Universitaet Berlin |/_*|'stucki' |Tel(Mo.,Mi.):+49 30 838-75 459| Mathematik Informatik EDV |\ *|if online| (Di,Do,Fr):+49 30 77 39 6600| Takustr. 9 / 14195 Berlin * * |on IRCnet|Fax(home): +49 30 77 39 6601/
actual facts (was Re: HABEAS_ACCREDITED SPAMMER)
On Dec 4, 2009, at 1:18 AM, jdow wrote: And JD, I don't see on your site what it costs people to get listed on your DNS approval lists other than some tests and documentation. Is it possible spammers simply submit some buttered up documentation, get approved, and accept getting it knocked back off your lists rapidly as a business time expense? No, there's a lengthy application process and a lot of monitoring involved. I'd be happy to ask someone from the Certification team to join the list and explain further as soon as I can be certain they won't be harassed and insulted here. In the meantime I'll answer as well as I can, considering that I work on entirely different products at Return Path. I note that JD is quite willing to discuss (and seemed to recommend) a lowered default score. That seems quite reasonable. The current defaults for both the HABEAS and BSP rules were set long before Return Path operated either service, so we have no clue where they came from either. On Dec 4, 2009, at 9:08 AM, Charles Gregory wrote: As soon as any whitelist service like 'returnpath' accepts a client, they perform the following: 1) Review the client's address list - look for honeypot addresses. If any are found, clearly the client has not vetted their list. Our staff doesn't review their list, but we do operate a great many honeypots of our own -- and we receive feeds of honeypot messages from ISPs and other data partners. So, spammers can't hide that way. We also get feeds of complaints, where users click this is spam in a partner ISP's webmail interface. Spammers can't hide that way, either. (You can see the results of much of this data at senderscore.org.) I saw some other interesting ideas in the conversation, but they all assume the accreditor is able to change messages or otherwise interrupt the sender's mailstream. We don't have that ability, and don't want to. They have to police themselves, or else they get kicked off the list. Simple, neh? 
On Dec 4, 2009, at 10:06 AM, Greg Troxel wrote: Probably SOI should be entirely dropped. There's only one Safe list (which SA still calls Habeas.) In other words: no difference between the SOI and COI lists. Or at least, that's how it's supposed to be -- so Kris's results were somewhat surprising. On Dec 4, 2009, at 11:08 AM, Charles Gregory wrote: By the by, I think I posted on this list a while ago on a similar question, as to whether we could really trust *any* whitelists, as they simply made for a *deliberate* target of botnet owners. No one made a fuss about it before, but what about now? Maybe, once again, the flaw is in having a whitelisting system that relies upon third party servers with unknown security. We're EXTREMELY concerned about this as well, and we've got a 24x7 operations staff keeping an eye on things. That's one of the reasons we charge money for the service: it lets us buy hardware and software and hire staff to keep it running smoothly, and securely. -- J.D. Falk jdf...@returnpath.net Return Path Inc
Re: Suggestion for use by ANY whitelist service....
Charles Gregory wrote: All this debate about 'legitimate' mail services like 'returnpath' being abused by 'sneaky' spammers. How is that possible? There should be easy ways to prevent it. Here's a few ideas: As soon as any whitelist service like 'returnpath' accepts a client, they perform the following: 1) Review the client's address list - look for honeypot addresses. If any are found, clearly the client has not vetted their list. 2) Perform their OWN 'opt-in' mailout to that list. Hello, we at (company eg. Retunrpath) have contracted to operate a mailng list on behalf of (client name). They have provided your address as one that has *requested* advertising mailouts from their company. We respectfully request that you verify this subscription/request by replying to this e-mail. IF you do nothing, this will be your last mailing from this company. That wouldn't ever happen because the whole point of the CAN-SPAM act is to allow the spammers to send out the first mail. Direct e-mail mailers just setup fake company after fake company, so they can repeatedly spam the first time over and over again. I'm sure we would all live with the occasional true 'opt-in' request, if we knew that the end result would be that it would stifle spam by giving the legitimate mailers, the ones whose mail we *want* anyway, Who exactly are those mailers? Just curious since I've never in my life seen an unsolicited commercial e-mail from a list that I never opted in on in the first place, that I wanted Ted
Re: HABEAS_ACCREDITED WHY BY DEFAULT?
Chr. von Stuckrad wrote: After all this debate about a negatively scored rule I'd disable it anyway, because the spammers on the list will target it specifically now, knowing it works well for them. The other side of the argument is - why does any legitimate company need to employ a service such as Habeas/Returnpath/whatever? If their customer emails are getting caught as spam, surely they or SA is doing something wrong to begin with. There is not much spam that is getting caught purely based on content, most is getting caught on origin and its reputation. /Per Jessen, Zürich
Re: [sa] Re: Suggestion for use by ANY whitelist service....
On Fri, 4 Dec 2009, Charles Gregory wrote: On Fri, 4 Dec 2009, John Hardin wrote: Both would have to be done any time a new address was added to the mailing list. And there would have to be some watchdog ensuring the MSP doesn't relax the policy over time. Uh-huh. For a -4 in my mail filter? They oughta! :) It's a great idea. The problem is, how do you get mail service providers to do this? What causes them loss of revenue if they _don't_ do it? The fact that recipients change their SA score from negative to positive (or better still, as argued here, the negative *default* is removed from the distribution, so that millions of mail servers immediately 'downgrade' the mail's acceptability). I had thought about that, but I suppose I didn't give the SA community enough weight. Are there enough users of SA (including the customers of those who repackage it commercially) who _maintain their systems_ (i.e. keep up-to-date with new versions and run sa_update regularly) such that the SA devs adjusting the scores centrally for whitelists would have an aggregate effect across all those users similar to the Big Players doing what I suggested? If the majority of SA users install it and forget about it for five years (including not running sa-update) then SA probably can't effectively be a cattle prod with which to encourage proper behavior by MSPs. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- You do not examine legislation in the light of the benefits it will convey if properly administered, but in the light of the wrongs it would do and the harms it would cause if improperly administered. -- Lyndon B. Johnson --- 11 days until Bill of Rights day
Re: actual facts (was Re: HABEAS_ACCREDITED SPAMMER)
On Fri, 4 Dec 2009, J.D. Falk wrote: The current defaults for both the HABEAS and BSP rules were set long before Return Path operated either service, so we have no clue where they came from either. J.D., may I suggest you open a SA Bugzilla ticket suggesting that the scores be reviewed in light of this large change in how HABEAS operates? 3.3.0 is in beta right now, it's still not too late to adjust the default scores for these rules for this major release. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- You do not examine legislation in the light of the benefits it will convey if properly administered, but in the light of the wrongs it would do and the harms it would cause if improperly administered. -- Lyndon B. Johnson --- 11 days until Bill of Rights day
Re: HABEAS_ACCREDITED SPAMMER
On Fri, Dec 4, 2009 at 7:33 AM, Bowie Bailey bowie_bai...@buc.com wrote: LuKreme wrote: On 4-Dec-2009, at 01:18, jdow wrote: With all the animosity on this issue I decided to give the HABEAS rules a score, a negligible score to be sure, just to see what the state of HABEAS is for me today. In the last four days - nothing either spam or ham. I tend to see little clusters of HABEAS scores, but they are rare. I might see only 10-20 a month. After following this thread for a while, I decided to take a look at my server. So here's one more data point: In the last month, I have seen 718 messages that hit one of the HABEAS rules. Of those, none of them had an overall score higher than 4, and there were only 12 that would have been scored as spam without the rule. Since I don't have access to look at the actual messages and I don't know what lists my customers may be signed up for, I can't say anything for sure, but it looks like it's working fine here based on the numbers. -- Bowie Here is one more data point: Since October 18th I have seen HABEAS rules listed in Spamassassin score lines 496122 times. One such phishing email this week was successfully delivered to 387 in-boxes. Were it not for the HABEAS_ACCREDITED_SOI -4.30 other rules would have led to successfully stopping the message. -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106
Re: [sa] actual facts (was Re: HABEAS_ACCREDITED SPAMMER)
On Fri, 4 Dec 2009, J.D. Falk wrote: They have to police themselves, or else they get kicked off the list. Simple, neh? Neh. Definitely NEH. That is the logic of spambots. They get on there, abuse the heck out of it until someone files a complaint and then they get cut off, but not before millions of spams have gone out the door with your 'blessing'. The notion of waiting for complaints opens the doors to failure of systems through overburdening (gee, we got so many complaints we couldn't get to them all in a timely manner). For example, you've heard a complaint about 'thedateuk' being tossed around this list. Seems to me that if your above statement represented an effective policy, the comment from the original complainant should be I saw a flood of spam from these IP's and then it just stopped a few hours later. But that's not what I'm reading. And I don't want excuses. No claims that a certain reporting mechanism should have been used. There are enough people receiving spam that if any mechanism were reputable and worthwhile, *someone* would have used it and the spam would have stopped. At the very least, judging by the comments here, no attempt was made to 'group' the offending IP's and the offender just switched to another IP in their block? Any way you look at it, there is a reliability issue here - Charles
Re: [sa] Re: Suggestion for use by ANY whitelist service....
On Fri, 4 Dec 2009, Ted Mittelstaedt wrote: That wouldn't ever happen because the whole point of the CAN-SPAM act is to allow the spammers to send out the first mail. Direct e-mail mailers just setup fake company after fake company, so they can repeatedly spam the first time over and over again. Well, if a company wants to sell a 'reputation', then it has to have more behind it than letting in 'first time' companies. Any registration process should involve a clear investigation of whether a business is merely a 'front' for a spammer. Shouldn't be too hard to spot. Who exactly are those mailers? Just curious since I've never in my life seen an unsolicited commercial e-mail from a list that I never opted in on in the first place, that I wanted What are you asking? Obviously 'unsolicited' is NOT 'wanted', so therefore by using the word 'wanted' I am by definition meaning *solicited*. That means someone ASKED for the mail. REQUESTED it via an opt-in mechanism, with confirmation. Companies that apply for habeas accreditation send material that has similar *content* to spam (buzzwords like percentages off and the like) that might make a spam filter *mistake* their ad for an unsolicited spam, but which should NOT be blocked because the recipients HAVE requested and WANT the mail. It is SOLICITED. And yes, people *do* request notices of weekly specials at their computer store, and ads for the next event at the coliseum. There is a lot of legitimate e-mail advertising. None of it is (should be) 'unsolicited'. - Charles
Re: [sa] Re: HABEAS_ACCREDITED WHY BY DEFAULT?
On Fri, 4 Dec 2009, Per Jessen wrote: The other side of the argument is - why does any legitimate company need to employ a service such as Habeas/Returnpath/whatever? Any legitimate drug company that wants to send price lists to its legitimate distributors or end customers, upon request, even if not a mailing list mail, but specific, one-by-one request/response mails, would have trouble with spam filters that check for drug names and percentages and hot words like 'sale'. The preponderance of drug spams makes it very difficult for these companies. Help from a whitelist is a welcome thing. But it becomes useless if the spammers suborn the process. - Charles
Re: [sa] Re: HABEAS_ACCREDITED WHY BY DEFAULT?
I've just had another one to a honeypot - care of myspace. My dog does not have a myspace account. Again, this is a harvested email address.

204.16.33.75 WHITELISTED:sa-accredit.habeas.com

Whilst I appreciate that nobody would turn their noses up at taking $$$ from someone like myspace, there are some serious concerns about their data here. I'll check with my dog to make sure he has not subscribed whilst I turned my back.

Received: from vmta12.myspace.com (vmta12.myspace.com [204.16.33.75]) by . with ESMTP id for .; Fri, 4 Dec 2009 19:48:32 + (GMT)
Re: actual facts (was Re: HABEAS_ACCREDITED SPAMMER)
J.D. Falk wrote: There's only one Safe list (which SA still calls Habeas.) In other words: no difference between the SOI and COI lists. Or at least, that's how it's supposed to be -- so Kris's results were somewhat surprising.

*shrug* I haven't seen enough evidence in the mail flow here to bother messing with the stock scores in the installations here, but there *are* three different rules in the stock SA set (up to date via sa-update):

# Habeas Accredited Senders
# Last octet of the returned A record indicates the Habeas-assigned
# Permission Level of the Sender.
# 10 to 39 Personal, transactional, and Confirmed Opt In
# 40 to 59 Secure referrals and Single Opt In
# 60 to 99 Checked but not accredited by Habeas.
#
# sa-accredit.habeas.com is for SpamAssassin use.
#
header HABEAS_ACCREDITED_COI eval:check_rbl('habeas-firsttrusted', 'sa-accredit.habeas.com.', '127\.\d+\.\d+\.[123]\d')
describe HABEAS_ACCREDITED_COI Habeas Accredited Confirmed Opt-In or Better
tflags HABEAS_ACCREDITED_COI net nice

header HABEAS_ACCREDITED_SOI eval:check_rbl_sub('habeas-firsttrusted', '127\.\d+\.\d+\.[45]\d')
describe HABEAS_ACCREDITED_SOI Habeas Accredited Opt-In or Better
tflags HABEAS_ACCREDITED_SOI net nice

header HABEAS_CHECKED eval:check_rbl_sub('habeas-firsttrusted', '127\.\d+\.\d+\.[6789]\d')
describe HABEAS_CHECKED Habeas Checked
tflags HABEAS_CHECKED net nice

score HABEAS_ACCREDITED_COI 0 -8.0 0 -8.0
score HABEAS_ACCREDITED_SOI 0 -4.3 0 -4.3
score HABEAS_CHECKED 0 -0.2 0 -0.2

-kgd
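The check Bowie Bailey and Robert Lopez describe earlier in the thread (how many messages hit a HABEAS rule, and how many of those would have been tagged as spam without it), together with the last-octet mapping from the rules quoted above, as an added example that is not part of the original posts or of SpamAssassin. It assumes unfolded X-Spam-Status headers and the stock network score-set values shown above; the sample headers are constructed, and anchoring the octet patterns with ^ and $ is a choice made here.

```python
import re

# Scores from the network-enabled score sets in the rules quoted above.
HABEAS_SCORES = {
    "HABEAS_ACCREDITED_COI": -8.0,
    "HABEAS_ACCREDITED_SOI": -4.3,
    "HABEAS_CHECKED": -0.2,
}

# Answer patterns copied from the three rule definitions (anchors added here).
OCTET_RULES = [
    (re.compile(r"^127\.\d+\.\d+\.[123]\d$"), "HABEAS_ACCREDITED_COI"),
    (re.compile(r"^127\.\d+\.\d+\.[45]\d$"), "HABEAS_ACCREDITED_SOI"),
    (re.compile(r"^127\.\d+\.\d+\.[6789]\d$"), "HABEAS_CHECKED"),
]

STATUS_RE = re.compile(
    r"score=(?P<score>-?\d+(?:\.\d+)?)\s+"
    r"required=(?P<req>-?\d+(?:\.\d+)?)\s+"
    r"tests=(?P<tests>\S*)"
)

# Constructed sample headers, one per message.
SAMPLE_STATUS_LINES = [
    "X-Spam-Status: No, score=2.1 required=5.0 "
    "tests=BAYES_50,HABEAS_ACCREDITED_SOI,HTML_MESSAGE,URIBL_BLACK autolearn=no",
    "X-Spam-Status: No, score=-7.9 required=5.0 "
    "tests=HABEAS_ACCREDITED_COI,HTML_MESSAGE autolearn=no",
    "X-Spam-Status: Yes, score=6.2 required=5.0 "
    "tests=BAYES_99,URIBL_BLACK autolearn=no",
    "X-Spam-Status: Yes, score=5.3 required=5.0 "
    "tests=BAYES_99,HABEAS_CHECKED,URIBL_BLACK autolearn=no",
]


def rule_for_answer(a_record):
    """Return the rule a DNS answer from the list would trigger, or None."""
    for pattern, rule in OCTET_RULES:
        if pattern.match(a_record):
            return rule
    return None


def audit(status_lines, scores=HABEAS_SCORES):
    """Count HABEAS hits and list messages that pass only because of them."""
    hits = 0
    flipped = []
    for line in status_lines:
        match = STATUS_RE.search(line)
        if not match:
            continue  # not a status header, or folded across lines
        tests = [t for t in match.group("tests").split(",") if t]
        habeas = [t for t in tests if t in scores]
        if not habeas:
            continue
        hits += 1
        score = float(match.group("score"))
        required = float(match.group("req"))
        # Score the message would have had with the whitelist credit removed.
        without = round(score - sum(scores[t] for t in habeas), 3)
        if score < required <= without:
            flipped.append((without, habeas, line))
    return {"hits": hits, "flipped": flipped}


if __name__ == "__main__":
    report = audit(SAMPLE_STATUS_LINES)
    print("HABEAS hits:", report["hits"])
    for without, rules, line in report["flipped"]:
        print("delivered only because of", ",".join(rules), "->", without)
```

If the local scores for these rules have been changed from the stock values, pass the site's own values as `scores` so the recomputed totals match what the filter actually applied.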
Re: Smart Smoker spam sailing past SA scores
On 4.12.2009 18:00, Thomas Harold wrote: SA had a lot of trouble identifying this as spam. The IP (174.139.37.196) is not yet listed in a lot of the DNSBLs. So it only scored around a 1.0 on the spam meter. http://pastebin.com/m1d0a75b7 It uses a block of foreign language spam at the end to get past some SA checks. Such as HTML_IMAGE_RATIO. The text/plain section is completely empty (and doesn't match the text/html section).

Content analysis details: (14.9 points, 5.0 required)

 pts rule name                 description
---- ------------------------- --------------------------------------------------
 1.0 RCVD_IN_BRBL_LASTEXT      RBL: Received via a relay in Barracuda BRBL
                               [174.139.37.196 listed in bb.barracudacentral.org]
 1.7 RCVD_IN_HOSTKARMA_BL      RBL: HostKarma: relay in black list
                               [174.139.37.196 listed in hostkarma.junkemailfilter.com]
 0.8 RCVD_IN_SEMBLACK          RBL: Received from an IP listed by SEM-BLACK
                               [174.139.37.196 listed in bl.spameatingmonkey.net]
 2.0 URIBL_BLACK               Contains an URL listed in the URIBL blacklist
                               [URIs: globalsaveonlinepath.net]
-0.0 SPF_HELO_PASS             SPF: HELO matches SPF record
-0.0 SPF_PASS                  SPF: sender matches SPF record
 4.0 BOTNET                    Relay might be a spambot or virusbot
                               [botnet0.8,ip=174.139.37.196,rdns=host196.easysavingsusa.com,maildomain=globalsaveonlinepath.net,baddns]
 2.8 UNWANTED_LANGUAGE_BODY    BODY: Message written in an undesired language
 0.0 HTML_MESSAGE              BODY: HTML included in message
-2.5 BAYES_20                  BODY: Bayesian spam probability is 5 to 20%
                               [score: 0.0515]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
                               [cf: 100]
 0.5 RAZOR2_CHECK              Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100    Razor2 gives confidence level above 50%
                               [cf: 100]
 0.6 SARE_HTML_HTML_TBL        FULL: Message body has very strange HTML sequence
 0.1 RDNS_NONE                 Delivered to trusted network by a host with no rDNS
 2.0 KHOP_DNSBL_BUMP           Hits a trusted non-overlapping DNSBL

-- http://www.iki.fi/jarif/ Many pages make a thick book.
Re: actual facts (was Re: HABEAS_ACCREDITED SPAMMER)
On Dec 4, 2009, at 12:24 PM, John Hardin wrote: On Fri, 4 Dec 2009, J.D. Falk wrote: The current defaults for both the HABEAS and BSP rules were set long before Return Path operated either service, so we have no clue where they came from either. J.D., may I suggest you open a SA Bugzilla ticket suggesting that the scores be reviewed in light of this large change in how HABEAS operates? Glad to. -- J.D. Falk jdf...@returnpath.net Return Path Inc
Re: actual facts (was Re: HABEAS_ACCREDITED SPAMMER)
FYI, the original bug is here: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=3998 All the bitching about it, took me about 30 seconds to find it. Michael
Re: [sa] Re: Suggestion for use by ANY whitelist service....
Charles Gregory wrote: On Fri, 4 Dec 2009, Ted Mittelstaedt wrote: That wouldn't ever happen because the whole point of the CAN-SPAM act is to allow the spammers to send out the first mail. Direct e-mail mailers just setup fake company after fake company, so they can repeatedly spam the first time over and over again. Well, if a company wants to sell a 'reputation', then it has to have more behind it than letting in 'first time' companies. Any registration process should involve a clear investigation of whether a business is merely a 'front' for a spammer. Shouldn't be too hard to spot. Who exactly are those mailers? Just curious since I've never in my life seen an unsolicited commercial e-mail from a list that I never opted in on in the first place, that I wanted What are you asking? Obviously 'unsolicited' is NOT 'wanted', so therefore by using the word 'wanted' I am by definition meaning *solicited*. That means someone ASKED for the mail. REQUESTED it via an opt-in mechanism, with confirmation. I will then have to REPEAT that this will NEVER fly. The devil is in the details, here. If you look at return path they aren't talking about opt-in mailing lists because that's NOT what they are whitelisting. They are whitelisting permission-based e-mail. What this means is for example I go to Redbox to rent a DVD, which requires me to put in my e-mail address, and the rental process has some boilerplate in it that in the small print says I will get e-mails from redbox. It does NOT mean that I deliberately e-mailed redbox to get on their list, then responded in the affirmative to a confirmation mail. 
THAT is a true opt-in. Companies that do their mailing list that way, and there's many that do, don't need what a whitelist service provides because since the user was looking for a confirmation, they are going to know that when it doesn't come that it got in their spam folder, so they are going to look in there, pull it out, and whitelist the sender in their private whitelists. The companies that need a whitelist service are the ones like Redbox who are gathering e-mail addresses as part of some other function then using them to market. They need Habeas and friends because since the user who supplied them with their e-mail address didn't bother to read the fine print the company's first mail is going to be unexpected, as a result it will normally go into the user's spam folder and never be seen and the user will never pull it out and put it in their own personal whitelist. Companies that apply for habeas accreditation send material that has similar *content* to spam (buzzwords like percentages off and the like) that might make a spam filter *mistake* their ad for an unsolicited spam, but which should NOT be blocked because the recipients HAVE requested and WANT the mail. It is SOLICITED. No, the recipients HAVE NOT explicitly requested an opt-in, they have merely NOT explicitly requested to opt-out when they provided their e-mail address for some other reason. And yes, people *do* request notices of weekly specials at their computer store, and ads for the next event at the coliseum. There is a lot of legitimate e-mail advertising. None of it is (should be) 'unsolicited'. Wrong. People fall into a bell-curve on this issue. There's a small number of consumers who go out of their way to sign up for all of the e-mail lists run by all the companies they buy from. There's a small number who go out of their way to unsubscribe from all the e-mail lists run by all the companies they buy from. But the majority don't care one way or another. 
They won't go out of their way to sign up for notices from the vendors they buy from, but if that vendor signs them up, they won't go out of their way to unsubscribe. What's happened in the commercial spamming business is that the spammers have figured this out, and managed to convince the legitimate companies out there that if their customer doesn't object if they start sending advertising e-mails to them, that the customer has given permission to be spammed. So those companies create flimsy pretexts to obtain e-mail addresses from customers that are supposedly for other reasons than spamming them, and then they put in the fine print during that obtaining process a check box to uncheck being on the spam list, and the customers in the middle of the bell curve don't go out of their way to uncheck it and then Habeas considers this as having obtained permission to spam for that customer. That's why Habeas customers need a whitelist in the first place - because they are adopting a point of view of what spam is that is contrary to what most users hold. Ted
Re: J.D. Falk spineless insults (Re: HABEAS_ACCREDITED SPAMMER)
From: rich...@buzzhost.co.uk Sent: Friday, 2009/December/04 06:04 On Fri, 2009-12-04 at 06:55 -0700, LuKreme wrote: On 3-Dec-2009, at 23:06, R-Elists wrote: certainly we understand your point here, yet what about accountability for Return Path Inc (and other RPI companies) related rules in the default Spamassassin configs? My position on HABEAS is well-known by anyone who cares (I score it +0.5 and +2.0); that's not what I'm talking about: it's the constant whinging by richard and falk at each other. Obviously they WANT to be communicating since otherwise they could easily ignore/killfile each other. I'm just tired of them doing it on this mailinglist. Your idea of 'constant' amuses me and is stretching the truth exponentially. I'm curious why a commercial whitelist from a bulk mailing company has such a positive inroad in Spamassassin. It's a fair question. I'm not interested in your personal views of me, my question or my posting. You have a killfile? You able to ignore on subject? Skills you may find useful to learn yes? Have you two gentlemen reported these spammers to ReturnPath, Lukreme's long unused address might be a good source for scrubbing the ReturnPath lists. (So far I've not seen one either way here.) I presume you two gentlemen are telling me that you never see HABEAS on ham, right? {^_^}
Re: HABEAS_ACCREDITED WHY BY DEFAULT?
From: Per Jessen p...@computer.org Sent: Friday, 2009/December/04 09:11 rich...@buzzhost.co.uk wrote: This was raised as the IP appeared in HABEAS and for a few hours it 'vanished' from the list. It's back there now, but DateTheUk is now pumping out via an ip six decimal places up on the last octet. 80.75.69.195 WHITELISTED:sa-accredit.habeas.com The customer concerned then hopped their output to:80.75.69.201 80.75.69.201 WHITELISTED:sa-accredit.habeas.com FYI, 80.75.69.192 - 80.75.69.255 belongs to Easydate Ltd in Edinburgh. jdow: And somehow I suspect Richard didn't bother to report. It is more fun to bitch instead. So far the only real metrics I've seen indicates it works. That's data from three people, one off this list. {^_^}
Re: HABEAS_ACCREDITED WHY BY DEFAULT?
From: Per Jessen p...@computer.org Sent: Friday, 2009/December/04 11:19 Chr. von Stuckrad wrote: After all this debate about a negatively scored rule I'd disable it anyway, because the spammers on the list will target it specifically now, knowing it works well for them. The other side of the argument is - why does any legitimate company need to employ a service such as Habeas/Returnpath/whatever? If their customer emails are getting caught as spam, surely they or SA is doing something wrong to begin with. There is not much spam that is getting caught purely based on content, most is getting caught on origin and its reputation. jdow: I have several email sources with which I have a relationship as in signed up for that are not important enough to me to outright whitelist. I have fun watching them dance around the deadly 5.0 score. OK OK it is fun for the feeble minded or somebody needing a dose of graveyard humor, I suppose. But it illustrates the problem an ISP spam filter might have. JD's description indicates RP makes an honest attempt to scrub their lists when problems appear. And, if they do not hear of a problem their list does not get scrubbed. And if a user plays the 'report as spam' trick to unsubscribe to a list (something a legitimate friend of mine experiences too often) that can result in problems for everybody, JD, his customers, and the cut-off recipients. RP has taken on a job that is not trivial. {^_^}
Re: HABEAS_ACCREDITED SPAMMER
From: Robert Lopez rlopez...@gmail.com Sent: Friday, 2009/December/04 11:24 On Fri, Dec 4, 2009 at 7:33 AM, Bowie Bailey bowie_bai...@buc.com wrote: LuKreme wrote: On 4-Dec-2009, at 01:18, jdow wrote: With all the animosity on this issue I decided to give the HABEAS rules a score, a negligible score to be sure, just to see what the state of HABEAS is for me today. In the last four days - nothing either spam or ham. I tend to see little clusters of HABEAS scores, but they are rare. I might see only 10-20 a month. After following this thread for a while, I decided to take a look at my server. So here's one more data point: In the last month, I have seen 718 messages that hit one of the HABEAS rules. Of those, none of them had an overall score higher than 4, and there were only 12 that would have been scored as spam without the rule. Since I don't have access to look at the actual messages and I don't know what lists my customers may be signed up for, I can't say anything for sure, but it looks like it's working fine here based on the numbers. -- Bowie Here is one more data point: Since October 18th I have seen HABEAS rules listed in Spamassassin score lines 496122 times. One such phishing email this week was successfully delivered to 387 in-boxes. Were it not for the HABEAS_ACCREDITED_SOI -4.30 other rules would have led to successfully stopping the message. jdow: OK a 0.07% failure rate is remarkably good, In My Pathetic Opinion. It ought to earn a fairly respectable negative score on that basis. How far off was your -4.30 score on that spam/phish? Was that the ONLY one that got through? {^_^}