Re: J.D. Falk spineless insults (Re: HABEAS_ACCREDITED SPAMMER)

2009-12-04 Thread jdow

From: LuKreme krem...@kreme.com
Sent: Thursday, 2009/December/03 20:55



On Dec 3, 2009, at 13:43, rich...@buzzhost.co.uk rich...@buzzhost.co.uk
 wrote:

On Thu, 2009-12-03 at 11:23 -0700, J.D. Falk wrote:

On Dec 2, 2009, at 12:59 AM, rich...@buzzhost.co.uk wrote:


Look, get a room. Or at least take this twisted courtship dance  offlist 
and spare us, please.


With all the animosity on this issue I decided to give the HABEAS
rules a score, a negligible score to be sure, just to see what the
state of HABEAS is for me today.

In the last four days - nothing either spam or ham.

Those seeing HABEAS hits: are the hits ancient haiku hits or are they
the modern DNS test version? I imagine the haiku is still used by
some spammers. The DNS tests should legitimately show a rather small
percentage of spam. It appears (weasel word notice) ReturnPath puts
its members through a wringer to get the approval levels.

And how was the email determined to be unsolicited? (I believe in one
case it was a never used spam trap address.)

Let's lay some facts out on the table rather than heap a load of
anecdotal poo on JD over various HABEAS hits.

And JD, I don't see on your site what it costs people to get listed
on your DNS approval lists other than some tests and documentation. Is
it possible spammers simply submit some buttered up documentation, get
approved, and accept getting it knocked back off your lists rapidly as
a business time expense?

Less shouting and more data and facts seems to be called for on both
sides. And for the nonce I'll grant both sides the legitimacy of their
frustrations on this HABEAS thing.

I note that JD is quite willing to discuss (and seemed to recommend)
a lowered default score. That seems quite reasonable.

{^_^}(Another JD, Jolly Dirty Old Woman type.) 



Re: Clear Database Question

2009-12-04 Thread Matus UHLAR - fantomas
On 03.12.09 20:58, Jason Carson wrote:
 Is it necessary to clear the database...
 
 sa-learn --clear
 
 ...before I run the following to train SpamAssassin's bayesian classifier...
 
 sa-learn --spam /home/jason/.maildir/.Spam/cur/

no, and don't do that unless you believe your database is really broken.

Also remember to train enough ham - the bayes DB will help you DIFFERENTIATE spam
and ham, therefore it needs to know what the ham looks like.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.


Re: SpamAssassin cpan install @INC lib issue on CentOS 5.4

2009-12-04 Thread Edward Prendergast

Kris Deugau wrote:

(Please keep the discussion on-list.)


Sorry about that - just hit 'reply' without checking where the message 
was actually going.




Edward Prendergast wrote:

Kris Deugau wrote:

Edward Prendergast wrote:

@@INSTALLSITELIB@@ /opt/perl5/lib/5.10.1/x86_64-linux

  ^^
This looks a little fishy...


I agree, I'm not sure where it's coming from.


FWIW, nothing like that showed up in my brief test - missing 
substitutions like that are usually a sign of a build gone wrong from 
early on.


That's a good question, but my qualms are mainly down to wanting to 
perhaps use local::lib and have up to date CPAN modules as it seems 
to take a long time for these to filter down via redhat.


Mmm.  I use the RPMForge repo for more up-to-date Perl modules, but 
I've yet to run into any problems using the nominally outdated ones 
filtering down from RedHat/CentOS.  Net::DNS is the only module I can 
think of where there are/were known issues (at least with respect to 
SA's usage) in the stock version.


My motivations aren't purely SpamAssassin related - there are other 
programs that want current Perl modules (MailScanner) and I wanted to 
get SpamAssassin along side these.





This is based around what I've seen from local::lib:

http://search.cpan.org/~apeiron/local-lib-1.004009/lib/local/lib.pm#SYNOPSIS 



Ah, hm.  I think you should be fine just setting your path to call 
your custom Perl ahead of the system Perl;  that looks to be targeted 
at cherrypicking module updates alongside the packaged system Perl.


Right you are! When I change my .bashrc to this:

#export MODULEBUILDRC=/opt/perl5/.modulebuildrc
#export PERL_MM_OPT=INSTALL_BASE=/opt/perl5
#export PERL5LIB=/opt/perl5/lib/perl5:/opt/perl5/lib/perl5/x86_64-linux:/opt/perl5/lib/5.10.1:/opt/perl5/lib/site_perl/5.10.1

export PATH=/opt/perl5/bin:$PATH

SpamAssassin now installs OK.



 Essentially when I use perl from the command
line (and install other modules from CPAN) everything seems to be OK, 
issues only appear to be arising with Mail::SpamAssassin.


Yeah, that's the weird bit.  You might try installing SA from the 
tarball instead of CPAN - I had some odd errors come up when I tried 
via CPAN, but I have a feeling some of that had to do with doing the 
whole test as non-root.


Still unsure where that @@INSTALLSITELIB@@ stuff was coming from but it 
certainly looks like the issue is now resolved. Many thanks for all your 
help.


-Edward






Re: SpamAssassin cpan install @INC lib issue on CentOS 5.4

2009-12-04 Thread Matus UHLAR - fantomas
 Kris Deugau wrote:
 (Please keep the discussion on-list.)

On 04.12.09 09:31, Edward Prendergast wrote:
 Sorry about that - just hit 'reply' without checking where the message  
 was actually going.

you seem to use Thunderbird - there is a reply-to-list extension available
for Thunderbird that should solve this kind of problem.

 Yeah, that's the weird bit.  You might try installing SA from the  
 tarball instead of CPAN - I had some odd errors come up when I tried  
 via CPAN, but I have a feeling some of that had to do with doing the  
 whole test as non-root.

 Still unsure where that @@INSTALLSITELIB@@ stuff was coming from but it  
 certainly looks like the issue is now resolved. Many thanks for all your  
 help.

afaik these kinds of words appear in raw files before installing them on your
system. the @@INSTALLSITELIB@@ should be replaced by the path on your system
where you are going to install the package. It appears that you haven't
installed it the correct way (read the docs)
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
We are but packets in the Internet of life (userfriendly.org)


Re: HABEAS_ACCREDITED WHY BY DEFAULT?

2009-12-04 Thread rich...@buzzhost.co.uk
On Fri, 2009-12-04 at 00:18 -0800, jdow wrote:
 From: LuKreme krem...@kreme.com
 Sent: Thursday, 2009/December/03 20:55
 
 
  On Dec 3, 2009, at 13:43, rich...@buzzhost.co.uk rich...@buzzhost.co.uk
   wrote:
  On Thu, 2009-12-03 at 11:23 -0700, J.D. Falk wrote:
  On Dec 2, 2009, at 12:59 AM, rich...@buzzhost.co.uk wrote:
 
  Look, get a room. Or at least take this twisted courtship dance  offlist 
  and spare us, please.
 
 With all the animosity on this issue I decided to give the HABEAS
 rules a score, a negligible score to be sure, just to see what the
 state of HABEAS is for me today.
 
 In the last four days - nothing either spam or ham.
 
 Those seeing HABEAS hits: are the hits ancient haiku hits or are they
 the modern DNS test version? I imagine the haiku is still used by
 some spammers. The DNS tests should legitimately show a rather small
 percentage of spam. It appears (weasel word notice) ReturnPath puts
 its members through a wringer to get the approval levels.
 
 And how was the email determined to be unsolicited? (I believe in one
 case it was a never used spam trap address.)
 
 Let's lay some facts out on the table rather than heap a load of
 anecdotal poo on JD over various HABEAS hits.
 
 And JD, I don't see on your site what it costs people to get listed
 on your DNS approval lists other than some tests and documentation. Is
 it possible spammers simply submit some buttered up documentation, get
 approved, and accept getting it knocked back off your lists rapidly as
 a business time expense?
 
 Less shouting and more data and facts seems to be called for on both
 sides. And for the nonce I'll grant both sides the legitimacy of their
 frustrations on this HABEAS thing.
 
 I note that JD is quite willing to discuss (and seemed to recommend)
 a lowered default score. That seems quite reasonable.
 
 {^_^}(Another JD, Jolly Dirty Old Woman type.) 
 
PREAMBLE:
It's simple for me - I'm not out to win friends or influence anyone and
I find those that grease the wheels for the wholesale distribution of
spam (be it they hold the view it is legitimate or not) in exchange for
money - whilst claiming to be anti-spam - sick individuals that deserve
a good kicking at the very least. That's just my personal view.

RETURN PATH OFFER A PAID FACILITY TO ASSIST IN THE DELIVERY OF UBE.
That's what they do - no matter how nicey nicey Mr Falk may appear to
be. It's his job.

SPAMASSASSIN is about assassinating spam - not facilitating it. Negative
scores applied to a bulk mailing service without the users consent (the
default for Spamassassin is to allow this rule at a minus score) has me
wondering just who's in bed with who? There may be a reasonable argument
that Spamassassin, as configured by default, gives unfair commercial
advantage to HABEAS registered spammers and I'm more curious to find out
WHY than anything else. It would be acceptable for me if it shipped with
a zero score by default with notes in the readme for giving it a minus
score at the users discretion. 

Although this is only a few points in the wrong direction, the
implications this has for the integrity of Spamassassin as an anti-spam
system is in question. Are Return Path making regular donations to
Apache and wanting something in return? What possible plausible reason
is there for a bulk mailing whitelist to appear with a favourable score
in a program heavily used to block spam?

Being well known companies that a person may have once done a very small
amount of business with does not mean that their UBE habits are
acceptable in any way.

FACT
For me, until I changed it to a positive +10 score for HABEAS, the only
time I saw the name was in unwanted UBE - to me, that is SPAM. Making a
fuss on this list (and nowhere else) suddenly had IP's disappear off the
HABEAS list. {dark forces at work indeed}. The kind of people this has
appeared in are not the expected MAINSLEAZE, but shabby bottom feeders.
The kind that think registering with PaytoSpam services (be that a
listing in emailreg.org or Habeas Accreditation) will make them in some
way legitimate in their actions.

FINAL
This is not a social club, it's a question and issues list for
Spamassassin. My question and issue is why, by default, does
Spamassassin use the HABEAS white list, and why is it out of the box set
with a score to favour delivery of their junk? It's a fair question. The
answer 'just change the score' is not the correct answer. The correct
answer will be precisely why this state of affairs exists.




Re: HABEAS_ACCREDITED WHY BY DEFAULT?

2009-12-04 Thread Yet Another Ninja

On 12/4/2009 10:57 AM, rich...@buzzhost.co.uk wrote:
  FINAL

This is not a social club, it's a question and issues list for
Spamassassin. My question and issue is why, by default, does
Spamassassin use the HABEAS white list, and why is it out of the box set
with a score to favour delivery of their junk? It's a fair question. The
answer 'just change the score' is not the correct answer. 


the answer is totally correct. SA is a framework, which luckily allows 
YOU do whatever you want with it, so please do, whatever YOU want (that 
does not include beating a dead horse on the list) and move on.



The correct answer will be precisely why this state of affairs exists.


- because developers think/have thought it's a good idea.

- because nobody other than you makes such a noise about it. And YOU who 
are so against, have you submitted a bug to have whatever reconsidered?


EOT







Re: HABEAS_ACCREDITED WHY BY DEFAULT?

2009-12-04 Thread jdow

From: rich...@buzzhost.co.uk
Sent: Friday, 2009/December/04 01:57



On Fri, 2009-12-04 at 00:18 -0800, jdow wrote:

From: LuKreme krem...@kreme.com
Sent: Thursday, 2009/December/03 20:55


 On Dec 3, 2009, at 13:43, rich...@buzzhost.co.uk 
 rich...@buzzhost.co.uk

  wrote:
 On Thu, 2009-12-03 at 11:23 -0700, J.D. Falk wrote:
 On Dec 2, 2009, at 12:59 AM, rich...@buzzhost.co.uk wrote:

 Look, get a room. Or at least take this twisted courtship dance 
 offlist

 and spare us, please.

With all the animosity on this issue I decided to give the HABEAS
rules a score, a negligible score to be sure, just to see what the
state of HABEAS is for me today.

In the last four days - nothing either spam or ham.

Those seeing HABEAS hits: are the hits ancient haiku hits or are they
the modern DNS test version? I imagine the haiku is still used by
some spammers. The DNS tests should legitimately show a rather small
percentage of spam. It appears (weasel word notice) ReturnPath puts
its members through a wringer to get the approval levels.

And how was the email determined to be unsolicited? (I believe in one
case it was a never used spam trap address.)

Let's lay some facts out on the table rather than heap a load of
anecdotal poo on JD over various HABEAS hits.

And JD, I don't see on your site what it costs people to get listed
on your DNS approval lists other than some tests and documentation. Is
it possible spammers simply submit some buttered up documentation, get
approved, and accept getting it knocked back off your lists rapidly as
a business time expense?

Less shouting and more data and facts seems to be called for on both
sides. And for the nonce I'll grant both sides the legitimacy of their
frustrations on this HABEAS thing.

I note that JD is quite willing to discuss (and seemed to recommend)
a lowered default score. That seems quite reasonable.

{^_^}(Another JD, Jolly Dirty Old Woman type.)


PREAMBLE:
It's simple for me - I'm not out to win friends or influence anyone and
I find those that grease the wheels for the wholesale distribution of
spam (be it they hold the view it is legitimate or not) in exchange for
money - whilst claiming to be anti-spam - sick individuals that deserve
a good kicking at the very least. That's just my personal view.

RETURN PATH OFFER A PAID FACILITY TO ASSIST IN THE DELIVERY OF UBE.
That's what they do - no matter how nicey nicey Mr Falk may appear to
be. It's his job.

SPAMASSASSIN is about assassinating spam - not facilitating it. Negative
scores applied to a bulk mailing service without the users consent (the
default for Spamassassin is to allow this rule at a minus score) has me
wondering just who's in bed with who? There may be a reasonable argument
that Spamassassin, as configured by default, gives unfair commercial
advantage to HABEAS registered spammers and I'm more curious to find out
WHY than anything else. It would be acceptable for me if it shipped with
a zero score by default with notes in the readme for giving it a minus
score at the users discretion.

Although this is only a few points in the wrong direction, the
implications this has for the integrity of Spamassassin as an anti-spam
system is in question. Are Return Path making regular donations to
Apache and wanting something in return? What possible plausible reason
is there for a bulk mailing whitelist to appear with a favourable score
in a program heavily used to block spam?

Being well known companies that a person may have once done a very small
amount of business with does not mean that their UBE habits are
acceptable in any way.

FACT
For me, until I changed it to a positive +10 score for HABEAS, the only
time I saw the name was in unwanted UBE - to me, that is SPAM. Making a
fuss on this list (and nowhere else) suddenly had IP's disappear off the
HABEAS list. {dark forces at work indeed}. The kind of people this has
appeared in are not the expected MAINSLEAZE, but shabby bottom feeders.
The kind that think registering with PaytoSpam services (be that a
listing in emailreg.org or Habeas Accreditation) will make them in some
way legitimate in their actions.

FINAL
This is not a social club, it's a question and issues list for
Spamassassin. My question and issue is why, by default, does
Spamassassin use the HABEAS white list, and why is it out of the box set
with a score to favour delivery of their junk? It's a fair question. The
answer 'just change the score' is not the correct answer. The correct
answer will be precisely why this state of affairs exists.


Color me smartassed but I want numbers not accusations. Can the
rhetoric and in bland neutral terms describe what you see in terms of
numbers, possible business relations, however loose, and so forth.

I do note I also want a précis of what ReturnPath insists upon for
opting into receiving business emails. If it is double opt-in that is
good. If it's I sent one inquiry, received an answer, and presumed
that was the end of the affair but 

Re: HABEAS_ACCREDITED WHY BY DEFAULT?

2009-12-04 Thread jdow

From: Yet Another Ninja sa-l...@alexb.ch
Sent: Friday, 2009/December/04 02:28



On 12/4/2009 10:57 AM, rich...@buzzhost.co.uk wrote:
  FINAL

This is not a social club, it's a question and issues list for
Spamassassin. My question and issue is why, by default, does
Spamassassin use the HABEAS white list, and why is it out of the box set
with a score to favour delivery of their junk? It's a fair question. The
answer 'just change the score' is not the correct answer. 


the answer is totally correct. SA is a framework, which luckily allows 
YOU do whatever you want with it, so please do, whatever YOU want (that 
does not include beating a dead horse on the list) and move on.



The correct answer will be precisely why this state of affairs exists.


- because developers think/have thought its a good idea.

- because nobody other than you makes such a noise about it. And YOU who 
are so against, have you submitted a bug to have whatever reconsidered.


EOT


Heh, at this site procaine sits in front of SA. It has a few email
addresses, a very few, redirected to their own folders that I check
any time I want some amusement of that kind. I want to find out just
how much Richard qualifies for this dubious honor.

{^_-}


Re: HABEAS_ACCREDITED WHY BY DEFAULT?

2009-12-04 Thread jdow

Outlook Express spell checker, that is Procmail not your stupid
substitution however apt it might be.

{+_+}
- Original Message - 
From: jdow j...@earthlink.net

Sent: Friday, 2009/December/04 04:16



Heh, at this site procaine sits in front of SA. It has a few email




Re: Clear Database Question

2009-12-04 Thread Matt Kettler
Jason Carson wrote:
 Hello everyone,

 Is it necessary to clear the database...

 sa-learn --clear

 ...before I run the following to train SpamAssassin's bayesian classifier...

 sa-learn --spam /home/jason/.maildir/.Spam/cur/

   
No. That would be ill advised.

Running --clear deletes your entire bayes database, which can take a
long time to recover from. I would only advise using it if you've
decided all your previous training is worthless, or your database
becomes corrupted.

Also be sure to consider that once you clear the database SA will
deactivate bayes until 200 spam and 200 nonspam messages get trained.

SpamAssassin will automatically make room when it needs to by pushing
out the least popular tokens through the expire process (which you can
manually trigger via the sa-learn --force-expire command, but it
normally checks during message processing twice a day)
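
Before reaching for --clear, it is worth reading the counters the replies above refer to. The following is an added example, not part of the original posts: it parses the text printed by `sa-learn --dump magic` and reports whether the 200 spam / 200 ham minimum has been met. The sample dump and its column layout are constructed assumptions.

```python
import re

# Thresholds from the reply above: after a --clear, Bayes stays inactive until
# 200 spam and 200 non-spam messages have been learned.
MIN_SPAM = 200
MIN_HAM = 200

# Constructed sample of `sa-learn --dump magic` output (not from a real system).
# Assumed column layout: probability, spam count, value, atime, description.
SAMPLE_DUMP = """\
0.000          0          3          0  non-token data: bayes db version
0.000          0        412          0  non-token data: nspam
0.000          0         57          0  non-token data: nham
0.000          0      48211          0  non-token data: ntokens
0.000          0 1259712000          0  non-token data: oldest atime
0.000          0 1259917000          0  non-token data: newest atime
0.000          0 1259903000          0  non-token data: last expiry atime
"""

MAGIC_LINE = re.compile(
    r"^\s*\S+\s+\d+\s+(\d+)\s+\d+\s+non-token data:\s*(.+?)\s*$"
)


def parse_magic(dump_text):
    """Map each 'non-token data' label (nspam, nham, ...) to its integer value."""
    counters = {}
    for line in dump_text.splitlines():
        match = MAGIC_LINE.match(line)
        if match:
            counters[match.group(2)] = int(match.group(1))
    return counters


def bayes_status(dump_text, min_spam=MIN_SPAM, min_ham=MIN_HAM):
    """Report learned counts and how many more messages each class needs."""
    counters = parse_magic(dump_text)
    # A freshly cleared or missing database prints no counters: treat as zero.
    nspam = counters.get("nspam", 0)
    nham = counters.get("nham", 0)
    need_spam = max(0, min_spam - nspam)
    need_ham = max(0, min_ham - nham)
    return {
        "nspam": nspam,
        "nham": nham,
        "need_spam": need_spam,
        "need_ham": need_ham,
        "active": need_spam == 0 and need_ham == 0,
    }


def advice(status):
    """Turn the status into the one-line answer an admin is after."""
    if status["active"]:
        return ("Bayes active: %d spam / %d ham learned; keep training, "
                "no --clear needed" % (status["nspam"], status["nham"]))
    return ("Bayes inactive: train %d more spam and %d more ham"
            % (status["need_spam"], status["need_ham"]))


if __name__ == "__main__":
    # On a live system, feed in the real output instead, for example:
    #   sa-learn --dump magic | python3 this_script.py   (reading sys.stdin)
    print(advice(bayes_status(SAMPLE_DUMP)))
```

In the constructed sample the spam side is well past the minimum while the ham side is not, which is the situation the advice to train enough ham is about.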







Re: HABEAS_ACCREDITED WHY BY DEFAULT?

2009-12-04 Thread rich...@buzzhost.co.uk
On Fri, 2009-12-04 at 04:16 -0800, jdow wrote:
 From: Yet Another Ninja sa-l...@alexb.ch
 Sent: Friday, 2009/December/04 02:28
 
 
  On 12/4/2009 10:57 AM, rich...@buzzhost.co.uk wrote:
FINAL
  This is not a social club, it's a question and issues list for
  Spamassassin. My question and issue is why, by default, does
  Spamassassin use the HABEAS white list, and why is it out of the box set
  with a score to favour delivery of their junk? It's a fair question. The
  answer 'just change the score' is not the correct answer. 
  
  the answer is totally correct. SA is a framework, which luckily allows 
  YOU do whatever you want with it, so please do, whatever YOU want (that 
  does not include beating a dead horse on the list) and move on.
  
  The correct answer will be precisely why this state of affairs exists.
  
  - because developers think/have thought its a good idea.
  
  - because nobody other than you makes such a noise about it. And YOU who 
  are so against, have you submitted a bug to have whatever reconsidered.
  
  EOT
 
 Heh, at this site procaine sits in front of SA. It has a few email
 addresses, a very few, redirected to their own folders that I check
 any time I want some amusement of that kind. I want to find out just
 how much Richard qualifies for this dubious honor.
 
 {^_-}

Qualifies what, that I get UBE that is Habeas Accredited? Should I start
with the 40 from 'DateTheuk' in the last 8 days? 

That's 40 too many - would you like to talk in hundreds and thousands to
justify removal or changing of a default white list score?





Re: HABEAS_ACCREDITED WHY BY DEFAULT?

2009-12-04 Thread rich...@buzzhost.co.uk
On Fri, 2009-12-04 at 11:28 +0100, Yet Another Ninja wrote:

  The correct answer will be precisely why this state of affairs exists.
 
 - because developers think/have thought its a good idea.
 
 - because nobody other than you makes such a noise about it. And YOU who 
  are so against, have you submitted a bug to have whatever reconsidered.
I don't recall that I was making much noise about it, I said my piece
and others wish to carry it on - but I'm more than happy to do that.




Re: J.D. Falk spineless insults (Re: HABEAS_ACCREDITED SPAMMER)

2009-12-04 Thread LuKreme
On 3-Dec-2009, at 23:06, R-Elists wrote:
 certainly we understand your point here, yet what about accountability for
 Return Path Inc (and other RPI companies) related rules in the default
 Spamassassin configs?


My position on HABEAS is well-known by anyone who cares (I score it +0.5 and 
+2.0); that's not what I'm talking about: it's the constant whinging by richard 
and falk at each other. Obviously they WANT to be communicating since otherwise 
they could easily ignore/killfile each other. I'm just tired of them doing it 
on this mailing list.

-- 
'They come back to the mountains to die,' said the King.
'They live in Ankh-Morpork.' --The Fifth Elephant



Re: HABEAS_ACCREDITED SPAMMER

2009-12-04 Thread LuKreme
On 4-Dec-2009, at 01:18, jdow wrote:
 With all the animosity on this issue I decided to give the HABEAS
 rules a score, a negligible score to be sure, just to see what the
 state of HABEAS is for me today.
 
 In the last four days - nothing either spam or ham.

I tend to see little clusters of HABEAS scores, but they are rare. I might see 
only 10-20 a month.


 Those seeing HABEAS hits: are the hits ancient haiku hits or are they
 the modern DNS test version?

I haven't seen the haiku in ages. But then again, I am very aggressive about 
dropping mail early via helo checks and zen, etc.

 And how was the email determined to be unsolicited? (I believe in one
 case it was a never used spam trap address.)


In my case I see them on THIS email address in non-list mail (I don't check 
list mail with SpamAssassin) and since this email address is exclusively 100% 
used for mailing lists… I also see it on a very old email address that hasn't 
been used for real mail in close to 10 years and simply sits there collecting 
spam for me.


-- 
'What shall we do?' said Twoflower.
'Panic?' said Rincewind hopefully. --The Light Fantastic



Re: J.D. Falk spineless insults (Re: HABEAS_ACCREDITED SPAMMER)

2009-12-04 Thread rich...@buzzhost.co.uk
On Fri, 2009-12-04 at 06:55 -0700, LuKreme wrote:
 On 3-Dec-2009, at 23:06, R-Elists wrote:
  certainly we understand your point here, yet what about accountability for
  Return Path Inc (and other RPI companies) related rules in the default
  Spamassassin configs?
 
 
 My position on HABEAS is well-know by anyone who cares (I score it +0.5 and 
 +2.0); that's not what I'm talking about: it's the constant whinging by 
 richard and falk at each other. Obviously they WANT to be communicating since 
 otherwise they could easily ignore/killfile each other. I'm just tired of 
 them doing it on this mailinglist.
 
Your idea of 'constant' amuses me and is stretching the truth
exponentially.

I'm curious why a commercial whitelist from a bulk mailing company has
such a positive inroad in Spamassassin. It's a fair question. I'm not
interested in your personal views of me, my question or my posting. You
have a killfile? You able to ignore on subject? Skills you may find
useful to learn yes? 



Re: HABEAS_ACCREDITED SPAMMER

2009-12-04 Thread Bowie Bailey
LuKreme wrote:
 On 4-Dec-2009, at 01:18, jdow wrote:
   
 With all the animosity on this issue I decided to give the HABEAS
 rules a score, a negligible score to be sure, just to see what the
 state of HABEAS is for me today.

 In the last four days - nothing either spam or ham.
 

 I tend to see little clusters of HABEAS scores, but they are rare. I might 
 see only 10-20 a month.

After following this thread for a while, I decided to take a look at my
server.  So here's one more data point:

In the last month, I have seen 718 messages that hit one of the HABEAS
rules.  Of those, none of them had an overall score higher than 4, and
there were only 12 that would have been scored as spam without the rule.

Since I don't have access to look at the actual messages and I don't
know what lists my customers may be signed up for, I can't say anything
for sure, but it looks like it's working fine here based on the numbers.

-- 
Bowie
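
The three figures in the message above (how many messages hit a HABEAS rule, the highest score among them, and how many would have crossed the spam threshold without the rule) can be tallied from X-Spam-Status headers. This is an added example, not code from the original post: the sample headers are constructed, and the per-rule scores are placeholders to be replaced with the values from the local rule set.

```python
import re

# Placeholder scores for rules with the HABEAS_ prefix. These numbers are
# assumptions for the example; use the scores from the local configuration.
HABEAS_SCORES = {
    "HABEAS_ACCREDITED_COI": -8.0,
    "HABEAS_ACCREDITED_SOI": -4.3,
    "HABEAS_CHECKED": -0.2,
}

# Constructed X-Spam-Status headers (one of them folded across two lines).
SAMPLE_HEADERS = [
    "X-Spam-Status: No, score=-6.1 required=5.0 "
    "tests=BAYES_00,HABEAS_ACCREDITED_COI,HTML_MESSAGE autolearn=ham",
    "X-Spam-Status: No, score=1.2 required=5.0 "
    "tests=BAYES_99,HABEAS_ACCREDITED_SOI,\n\tHTML_IMAGE_RATIO_02,"
    "MIME_HTML_ONLY autolearn=no",
    "X-Spam-Status: Yes, score=7.4 required=5.0 "
    "tests=BAYES_99,URIBL_BLACK autolearn=no",
    "X-Spam-Status: No, score=3.9 required=5.0 "
    "tests=BAYES_50,HABEAS_CHECKED autolearn=no",
    "X-Spam-Status: No, score=-2.0 required=5.0 "
    "tests=AWL,HABEAS_ACCREDITED_COI autolearn=no",
]

STATUS_RE = re.compile(r"score=(-?[\d.]+)\s+required=(-?[\d.]+)\s+tests=(\S*)")


def parse_status(header):
    """Return (score, required, [rule names]) or None if the header is unusable."""
    flat = re.sub(r"\r?\n[ \t]+", " ", header)   # unfold continuation lines
    flat = re.sub(r",\s+", ",", flat)            # rejoin a folded tests= list
    match = STATUS_RE.search(flat)
    if not match:
        return None
    tests = [name for name in match.group(3).split(",") if name]
    return float(match.group(1)), float(match.group(2)), tests


def tally_habeas(headers, rule_scores=HABEAS_SCORES):
    """Count HABEAS hits and the messages kept under the threshold by them."""
    hits = 0
    max_score = None
    spam_without_rule = 0
    unknown = set()
    for header in headers:
        parsed = parse_status(header)
        if parsed is None:
            continue
        score, required, tests = parsed
        habeas = [name for name in tests if name.startswith("HABEAS_")]
        if not habeas:
            continue
        hits += 1
        max_score = score if max_score is None else max(max_score, score)
        # Rules with no known score are reported, not silently treated as 0.
        unknown.update(name for name in habeas if name not in rule_scores)
        contribution = sum(rule_scores.get(name, 0.0) for name in habeas)
        without_rule = round(score - contribution, 3)
        if score < required <= without_rule:
            spam_without_rule += 1
    return {
        "hits": hits,
        "max_score": max_score,
        "spam_without_rule": spam_without_rule,
        "unknown_rules": sorted(unknown),
    }


if __name__ == "__main__":
    print(tally_habeas(SAMPLE_HEADERS))
```

A count like this says nothing about whether the rescued messages were solicited; that still needs someone to look at the messages themselves.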


Re: J.D. Falk spineless insults (Re: HABEAS_ACCREDITED SPAMMER)

2009-12-04 Thread Justin Mason
On Fri, Dec 4, 2009 at 14:04, rich...@buzzhost.co.uk rich...@buzzhost.co.uk
 wrote:

 On Fri, 2009-12-04 at 06:55 -0700, LuKreme wrote:
  On 3-Dec-2009, at 23:06, R-Elists wrote:
   certainly we understand your point here, yet what about accountability
 for
   Return Path Inc (and other RPI companies) related rules in the default
   Spamassassin configs?
 
 
  My position on HABEAS is well-know by anyone who cares (I score it +0.5
 and +2.0); that's not what I'm talking about: it's the constant whinging by
 richard and falk at each other. Obviously they WANT to be communicating
 since otherwise they could easily ignore/killfile each other. I'm just tired
 of them doing it on this mailinglist.
 
 Your idea of 'constant' amuses me and is stretching the truth
 exponentially.

 I'm curious why a commercial whitelist from a bulk mailing company has
 such a positive inroad in Spamassassin. It's a fair question. I'm not
 interested in your personal views of me, my question or my posting. You
 have a killfile? You able to ignore on subject? Skills you may find
 useful to learn yes?


Richard, quit it.

It's unreasonable to assume that all of the subscribers to this list should
have to listen to, or need to set up a killfile just to avoid, your ranting.


-- 
--j.


Re: HABEAS_ACCREDITED WHY BY DEFAULT?

2009-12-04 Thread Charles Gregory

On Fri, 4 Dec 2009, Yet Another Ninja wrote:
. 'just change the score' is not the correct answer. 

the answer is totally correct.


No, it is not. No more than it is correct for a spammer to offer me a 
(working) 'unsubscribe' link. I don't want to discover I've been letting 
spam in the door and get complaints from users because of one (or more!)

'default' settings that are permitting spam.

The 'correct' answer that is being sought is to judge the entire 
underlying 'policy' mechanism for spamassassin which results in the 
*category* of choices about negative scores of which the habeas rule is 
only ONE possible example!



 The correct answer will be precisely why this state of affairs exists.

- because developers think/have thought its a good idea.


SLAP! Don't restate the question like it's an answer. He asked for 
reasoning behind the choice, not whether the developers *liked* their 
choice. Of course they liked it. WHY did they like it?



- because nobody other than you makes such a noise about it.


There's a good point. Why *does* this person see so much spam with the 
habeas rule in it? Which leads to the obvious corollary, it seems likely 
that the habeas rule got a negative score because it only appears in ham 
in the SA 'master' test corpus. Why is THAT? What skews the messages 
contents so badly? What is different between the two? Anyone thought to 
sit down and question it?


I'm not even blindly accepting his assertions. I used to devalue habeas 
back when it was the 'haiku' variety, but I haven't had a problem lately, 
even without a special score. So why is there a problem for him?


- Charles


Re: HABEAS_ACCREDITED WHY BY DEFAULT?

2009-12-04 Thread Charles Gregory

On Fri, 4 Dec 2009, rich...@buzzhost.co.uk wrote:

Qualifies what, that I get UBE that is Habeas Accredited? Should I start
with the 40 from 'DateTheuk' in the last 8 days?


Okay, let's be methodical. Let us indeed start with those.

Did anyone else get them?
If, so, how did they score?
If not, then why did only Richard get them?

Keep in mind that a 'problem' may be buried by conditions where most of 
the spam still gets flagged, then blocked because of other positive 
scoring tests, so we don't *see* the habeas test firing.
I don't record hits on rules in mail that is flagged ham, but notice that 
I do see the habeas rule in a couple of cases where I have deliberately 
blacklisted a mail server like 'mailengine'.


- Charles


Re: J.D. Falk Richard dispute (was J.D. Falk...)

2009-12-04 Thread Rob McEwen
I'm just changing the subject line because I find the previous subject
line to be extremely offensive and out of line.
-
As long as we have some spam filters which block some legitimate
confirmed opt-in senders (and/or legit organizations sending to their
unquestionable members), then that makes Return Path's business model
legitimate and helpful.

If anyone believes that Return Path's execution of this business model
ends up giving some spammers a pass, then they should shame Return
Path by pointing out the most egregious examples that come along. But it
is understandable that a few undesirable situations are going to happen
every once in a while, no matter how good and ethical a job is done by
Return Path. So an egregious example that comes up every once in a while
is understandable. (just like it is understandable for a legit hoster to
unknowingly and occasionally sign up a spammer who deceived the
hoster--happens all the time!)

As long as Return Path reacts appropriately to such spammers, and as
long as they are not a constant revolving door for many spammers (or
anything close to that), then I don't see any problems here. I do
understand the argument that their business model might provide
incentives for them to be unethical in the short run just to drum up
extra sales, but this is balanced by the longer-term damage this does to
their reputation.

Amazingly, I deal with black- or dark gray-hat ESPs blacklistings on
invaluement.com where the ESP is run by 20-something-year-old punk kids
who don't understand the long-term negative repercussions of their
business practices and seem to think that they can spam with impunity as
long as they are CAN-SPAM compliant.

But, in contrast, Return Path is run by rational and mature adults who
get it, imo. For the reasons stated, I reject the ridiculous argument
that their business plan makes them unethical. But I do believe that it
is helpful if/when the anti-spam community points out their most
questionable clients, if/when deemed appropriate. That will only help
inspire them to further tighten their standards and keep them
accountable. (actually, I do NOT personally see any current deficiencies
with them--but I'm just saying that this is a productive way of dealing
with any problems anyone has with Return Path that will have tangible
good results for the industry as a whole.)

So, instead of insults, if anyone has a gripe with them, please just
point out SPECIFIC examples. Over time, if you find many egregious ones,
that will speak for itself. Otherwise, I'd prefer to not be bothered
with this.

-- 
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032




Smart Smoker spam sailing past SA scores

2009-12-04 Thread Thomas Harold
SA had a lot of trouble identifying this as spam.  The IP 
(174.139.37.196) is not yet listed in a lot of the DNSBLs.  So it only 
scored around a 1.0 on the spam meter.


http://pastebin.com/m1d0a75b7

It uses a block of foreign language spam at the end to get past some SA 
checks.  Such as HTML_IMAGE_RATIO.  The text/plain section is completely 
empty (and doesn't match the text/html section).


Suggestion for use by ANY whitelist service....

2009-12-04 Thread Charles Gregory


All this debate about 'legitimate' mail services like 'returnpath'
being abused by 'sneaky' spammers. How is that possible? There should be 
easy ways to prevent it. Here's a few ideas:


As soon as any whitelist service like 'returnpath' accepts 
a client, they perform the following:


1) Review the client's address list - look for honeypot addresses.
   If any are found, clearly the client has not vetted their list.

2) Perform their OWN 'opt-in' mailout to that list.
 Hello, we at (company eg. Returnpath) have contracted to operate a
  mailing list on behalf of (client name). They have provided your
  address as one that has *requested* advertising mailouts from their
  company. We respectfully request that you verify this
  subscription/request by replying to this e-mail. IF you do nothing,
  this will be your last mailing from this company.

I'm sure we would all live with the occasional true 'opt-in' request, if 
we knew that the end result would be that it would stifle spam by giving 
the legitimate mailers, the ones whose mail we *want* anyway, a better 
chance to reach us.


- Charles


Re: HABEAS_ACCREDITED WHY BY DEFAULT?

2009-12-04 Thread rich...@buzzhost.co.uk
On Fri, 2009-12-04 at 10:50 -0500, Charles Gregory wrote:
 On Fri, 4 Dec 2009, rich...@buzzhost.co.uk wrote:
  Qualifies what, that I get UBE that is Habeas Accredited? Should I start
  with the 40 from 'DateTheuk' in the last 8 days?
 
 Okay, let's be methodical. Let us indeed start with those.
 
 Did anyone else get them?
 If so, how did they score?
 If not, then why did only Richard get them?
 
 Keep in mind that a 'problem' may be buried by conditions where most of 
 the spam still gets flagged, then blocked because of other positive 
 scoring tests, so we don't *see* the habeas test firing.
 I don't record hits on rules in mail that is flagged ham, but notice that 
 I do see the habeas rule in a couple of cases where I have deliberately 
 blacklisted a mail server like 'mailengine'.
 
 - Charles
Point 1 - The Subject that was changed on the other post. JD Falk made
the original change to abuse me. Go back to the archive and take a look.
I just inverted it. 

Point 2 -
I've stated my opinions on organisations that are involved in bulk
mailing, but that's all it is. An opinion. They are like axxholes,
everyone has one. 

Point 3 - My Habeas issue is not about quantity. Most of the previous
Habeas spam I did not log, and I regret that. I've set things up
differently so I log each and every one from now on. So other than my
worthless word I can only cite the current ongoing issue with DateTheUk.
A company that fished a watermarked address from a Facebook 'Farmville'
group and then spammed it.

This was raised as the IP appeared in HABEAS and for a few hours it
'vanished' from the list. It's back there now, but DateTheUk is now
pumping out via an ip six decimal places up on the last octet.

80.75.69.195  WHITELISTED:sa-accredit.habeas.com

The customer concerned then hopped their output to: 80.75.69.201
80.75.69.201  WHITELISTED:sa-accredit.habeas.com

The customer also hits on: list.dnswl.org, so they are clearly aware of
the need to grease the wheels. Spamassassin was passing the stuff at -9.

It's not about the listing of a Rogue Customer, it's why they are not
delisted for doing it - this would give some kind of confidence back.

My personal view is no blind eye should be turned to any spammer,
especially one coming from a so called reputable source.

Point 4 -
All that is largely irrelevant to this list, but my point of interest is
why a commercial white list appears in Spamassassin with the default
scores set the way they are? It's perfectly reasonable to ask. It could
be expanded to ask if there are any plans to include whitelists from
other vendors in the default, such as Apache donator Barracuda? Perhaps
emailreg.org with a -4 score in the next SA release?

Much as the personality battles and offlist threats and abuse amuse
me, my question is perfectly reasonable, has its foundation in fact and
is on topic.






Re: Suggestion for use by ANY whitelist service....

2009-12-04 Thread rich...@buzzhost.co.uk
On Fri, 2009-12-04 at 11:08 -0500, Charles Gregory wrote:
 All this debate about 'legitimate' mail services like 'returnpath'
 being abused by 'sneaky' spammers. How is that possible? There should be 
 easy ways to prevent it. Here's a few ideas:
 
 As soon as any whitelist service like 'returnpath' accepts 
 a client, they perform the following:
 
 1) Review the client's address list - look for honeypot addresses.
 If any are found, clearly the client has not vetted their list.
 
 2) Perform their OWN 'opt-in' mailout to that list.
   Hello, we at (company eg. Returnpath) have contracted to operate a
mailing list on behalf of (client name). They have provided your
address as one that has *requested* advertising mailouts from their
company. We respectfully request that you verify this
subscription/request by replying to this e-mail. IF you do nothing,
this will be your last mailing from this company.
 
 I'm sure we would all live with the occasional true 'opt-in' request, if 
 we knew that the end result would be that it would stifle spam by giving 
 the legitimate mailers, the ones whose mail we *want* anyway, a better 
 chance to reach us.
 
 - Charles
Sensible. I would suggest that 2) forms a footer that the sender cannot
remove and that the ESP was fully responsible for deleting unsubscribes
or anything giving a 5xx error.

That to one side, the default for a spam filter should not be to give
any weight to a white list unless the user modifies the config
themselves specifically. It can be seen to be suspicious and offering a
pecuniary advantage to those involved and using it.





Re: HABEAS_ACCREDITED WHY BY DEFAULT?

2009-12-04 Thread Kris Deugau

jdow wrote:

Color me smartassed but I want numbers not accusations. Can the
rhetoric and in bland neutral terms describe what you see in terms of
numbers, possible business relations, however loose, and so forth.


Here's some numbers to play with:

~500K messages delivered daily (as in, passed on from Postfix to the 
program that actually writes the message to the customer's mailbox tree 
somewhere)


~16K of ~48K accounts have spam filtering enabled

Since Jan 1 2009, hits on HABEAS* rules have resulted in an average of:

       rulename        |       spamperday       |       hamperday
-----------------------+------------------------+-----------------------
 HABEAS_ACCREDITED_COI | 0.04154302670623145401 |  161.4124629080118694
 HABEAS_ACCREDITED_SOI | 6.4124629080118694     | 3887.0326409495548961

(I run a daily script to stuff yesterday's SA log data into a database; 
 so far I haven't gotten around to doing anything with the data.)


I can't attest to the accuracy of any of the hits because this is an ISP 
mail system.  But even considering only a third of the accounts have 
filtering enabled, that's still somewhere in the neighbourhood of 1% of 
all mail hitting HABEAS_ACCREDITED_*.


Checking the spam reporting account shows no actual spams reported with 
HABEAS hits, and one legitimate book fair travel ad from a publishing 
company hitting _SOI;  about 8500 messages have been reported and 
confirmed.  A further ~350 have been reported, but considered legit.


Admittedly, I have to consider a broader range of mail to be 
legitimate... but I really haven't had to strain very hard in making 
that distinction in hand-confirming messages reported as spam.


Checking my own personal account on my own server shows a newsletter for 
a rewards program with my bank, occasional messages from eBay, and a 
message from Adobe.  All legitimate.  I don't keep spam around all that 
long, but what's still sticking around doesn't show any HABEAS* hits.


-kgd


Re: Suggestion for use by ANY whitelist service....

2009-12-04 Thread John Hardin

On Fri, 4 Dec 2009, Charles Gregory wrote:

As soon as any whitelist service like 'returnpath' accepts a client, they 
perform the following:


1) Review the client's address list - look for honeypot addresses.
   If any are found, clearly the client has not vetted their list.

2) Perform their OWN 'opt-in' mailout to that list.
 Hello, we at (company eg. Returnpath) have contracted to operate a
  mailing list on behalf of (client name). They have provided your
  address as one that has *requested* advertising mailouts from their
  company. We respectfully request that you verify this
  subscription/request by replying to this e-mail. IF you do nothing,
  this will be your last mailing from this company.


Both would have to be done any time a new address was added to the mailing 
list. And there would have to be some watchdog ensuring the MSP doesn't 
relax the policy over time.


It's a great idea. The problem is, how do you get mail service providers 
to do this? What causes them loss of revenue if they _don't_ do it?


About the only leverage I can see is if the large ISPs and freemail 
providers (hotmail, comcast, MSN, etc.) start to outright block MSPs that 
don't auditably follow these guidelines. And I don't see that happening.



I'm sure we would all live with the occasional true 'opt-in' request,


Absolutely, particularly if it's the proper "ignore means permission 
denied" model.


if we knew that the end result would be that it would stifle spam by 
giving the legitimate mailers, the ones whose mail we *want* anyway, a 
better chance to reach us.


I don't think it would have that effect. Being able to force such a policy 
onto MSPs won't affect spambot networks.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  We have to realize that people who run the government can and do
  change. Our society and laws must assume that bad people -
  criminals even - will run the government, at least part of the
  time.   -- John Gilmore
---
 11 days until Bill of Rights day


Re: Suggestion for use by ANY whitelist service....

2009-12-04 Thread Bowie Bailey
rich...@buzzhost.co.uk wrote:
 That to one side, the default for a spam filter should not be to give
 any weight to a white list unless the user modifies the config
 themselves specifically. It can be seen to be suspicious and offering a
 pecuniary advantage to those involved and using it.
   

I disagree.  I think a spam filter should do its best to give a
reasonable weight to both whitelists and blacklists.  Obviously, a
default SA install needs a bit of tweaking to get the best accuracy, but
the default install should be as good as possible and that includes
finding the best rules, blacklists, and whitelists to include in the
default ruleset as well as generating reasonable scores for all of them.

Any bad rules (regex rules, blacklists, or whitelists) should show up
quickly enough as just about everyone would start seeing problems with
them.  In this case, there are a few people complaining about the Habeas
rules, but just as many people who do not see any problems.

-- 
Bowie


Re: Suggestion for use by ANY whitelist service....

2009-12-04 Thread rich...@buzzhost.co.uk
On Fri, 2009-12-04 at 12:01 -0500, Bowie Bailey wrote:
 rich...@buzzhost.co.uk wrote:
  That to one side, the default for a spam filter should not be to give
  any weight to a white list unless the user modifies the config
  themselves specifically. It can be seen to be suspicious and offering a
  pecuniary advantage to those involved and using it.

 
 I disagree.  I think a spam filter should do its best to give a
 reasonable weight to both whitelists and blacklists.

In which case how about including several other whitelists and not just
giving advantage to one?



Re: Suggestion for use by ANY whitelist service....

2009-12-04 Thread Greg Troxel

John Hardin jhar...@impsec.org writes:

 On Fri, 4 Dec 2009, Charles Gregory wrote:

 2) Perform their OWN 'opt-in' mailout to that list.
  Hello, we at (company eg. Returnpath) have contracted to operate a
   mailing list on behalf of (client name). They have provided your
   address as one that has *requested* advertising mailouts from their
   company. We respectfully request that you verify this
   subscription/request by replying to this e-mail. IF you do nothing,
   this will be your last mailing from this company.

 Both would have to be done any time a new address was added to the
 mailing list. And there would have to be some watchdog ensuring the
 MSP doesn't relax the policy over time.

 It's a great idea. The problem is, how do you get mail service
 providers to do this? What causes them loss of revenue if they _don't_
 do it?

Perhaps SA could decline to offer negative points for other than actual
COI?

My own experience with HABEAS_ACCREDITED_SOI has been that it's caused
spam to show up in my inbox instead of filtered like it should have
been.  Complaining in public seems to be the only thing that works.  I
somewhat understand the difficulties of running an accreditation
service, but I think the expectation of the SA community should be that
problems (accredited senders spamming) should be extremely rare.  It's
clearly not extremely rare.

A problem with the spam%/ham% checking methodology is that it makes the
accreditation look reasonable for corpuses that have lots of requested
commercial mail.  That's certainly fine for those people, but the
outcomes seem very different for those that don't ask for such mail -
they're left with only the spam.

Whitelists that don't accept payment for listing should get treated as
SA has done - estimate a proper score.  Those that do accept payment are
a more complicated case - I think it's reasonable to demand that
infractions are highly rare and that non-public complaints are responded
to promptly and appropriately.  Probably SOI should be entirely
dropped.




Re: Suggestion for use by ANY whitelist service....

2009-12-04 Thread Jason Bertoch

Bowie Bailey wrote:

In this case, there are a few people complaining about the Habeas
rules, but just as many people who do not see any problems.
  
Silence does not necessarily mean assent.  I disabled the Habeas rules 
long ago and therefore have no useful data to add to the thread.  If 
speaking up helps to rid myself of the free ride whitelists receive in 
the default install, then count my vote towards a more sane whitelist score.


Re: HABEAS_ACCREDITED WHY BY DEFAULT?

2009-12-04 Thread Per Jessen
rich...@buzzhost.co.uk wrote:

 This was raised as the IP appeared in HABEAS and for a few hours it
 'vanished' from the list. It's back there now, but DateTheUk is now
 pumping out via an ip six decimal places up on the last octet.
 
 80.75.69.195  WHITELISTED:sa-accredit.habeas.com
 
 The customer concerned then hopped their output to:80.75.69.201
 80.75.69.201  WHITELISTED:sa-accredit.habeas.com

FYI, 80.75.69.192 - 80.75.69.255 belongs to Easydate Ltd in Edinburgh. 


/Per Jessen, Zürich



Re: Suggestion for use by ANY whitelist service....

2009-12-04 Thread Bowie Bailey
Jason Bertoch wrote:
 Bowie Bailey wrote:
 In this case, there are a few people complaining about the Habeas
 rules, but just as many people who do not see any problems.
   
 Silence does not necessarily mean assent.  I disabled the Habeas rules
 long ago and therefore have no useful data to add to the thread.  If
 speaking up helps to rid myself of the free ride whitelists receive in
 the default install, then count my vote towards a more sane whitelist
 score.

No, but people with problems are more likely to speak out than people
whose systems are working well.  Besides, once everyone starts talking
about something like this, more people will start checking into it on
their own servers (as I did).  If this were a major problem, I would
expect that as this thread continues, more and more people would look at
their servers and see a problem.  Since I currently see about a 50/50
split (non-scientific guess) between people who have problems with
Habeas and people who don't, and there are a fairly small number of
people on either side of the issue, I would conclude that this is not a
major problem, but rather a problem that affects a subset of users
(possibly determined by their location and userbase).

-- 
Bowie


Re: HABEAS_ACCREDITED WHY BY DEFAULT?

2009-12-04 Thread rich...@buzzhost.co.uk
On Fri, 2009-12-04 at 18:11 +0100, Per Jessen wrote:
 rich...@buzzhost.co.uk wrote:
 
  This was raised as the IP appeared in HABEAS and for a few hours it
  'vanished' from the list. It's back there now, but DateTheUk is now
  pumping out via an ip six decimal places up on the last octet.
  
  80.75.69.195  WHITELISTED:sa-accredit.habeas.com
  
  The customer concerned then hopped their output to:80.75.69.201
  80.75.69.201  WHITELISTED:sa-accredit.habeas.com
 
 FYI, 80.75.69.192 - 80.75.69.255 belongs to Easydate Ltd in Edinburgh. 
 
 
 /Per Jessen, Zürich
 
Correct, and the hits in habeas are shown. The issue with RP is a side
distraction to this.



Is there a list of all white lists being used by default rules?

2009-12-04 Thread Robert Lopez
I have been reading other threads about white list problems.

In the past week this college has been phished very successfully two times.
Each time the rules I added to increase the score of college specific
phishing email were counter balanced.
On Saturday night it was the white-list score from RCVD_IN_DNSWL_MED
(-4.00) for a compromised government account.
On Monday morning it was the white-list score from
HABEAS_ACCREDITED_SOI (-4.30) for a compromised commercial account.

In each of these cases, it was the first time I realized the rule used
had an associated list being used of which I was previously unaware.

How do I determine how many other such lists are being used without my
knowledge?

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
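One way to answer the question above, as an added example that is not part of the original post or of SpamAssassin itself: scan rule text for DNS-list rules whose effective score is negative and report the zone behind each. The sample rules are constructed for illustration (the rule names, scores and zones named in this thread are reused; the set names, subtest values and the `EXAMPLE` rules are assumptions).

```python
import re

# Constructed sample in SpamAssassin .cf syntax; not copied from any release.
SAMPLE_CF = r"""
# base lookups (constructed): one DNS query per set, shared by sub-rules
header __RCVD_IN_DNSWL        eval:check_rbl('dnswl-firsttrusted', 'list.dnswl.org.')
header RCVD_IN_DNSWL_MED      eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.2')
header __EXAMPLE_HABEAS_BASE  eval:check_rbl('habeas-firsttrusted', 'sa-accredit.habeas.com.')
header HABEAS_ACCREDITED_SOI  eval:check_rbl_sub('habeas-firsttrusted', '127.0.0.20')
header RCVD_IN_EXAMPLE_BL     eval:check_rbl('examplebl', 'bl.example.net.')
score RCVD_IN_DNSWL_MED     0 -4.0 0 -4.0
score HABEAS_ACCREDITED_SOI 0 -4.3 0 -4.3   # value quoted in the thread
score RCVD_IN_EXAMPLE_BL    0 2.5 0 2.5
score LOCAL_PHISH 5.0
"""

# header NAME eval:check_rbl*('set', 'zone-or-subtest')
HEADER_RE = re.compile(
    r"^\s*header\s+(\S+)\s+eval:(check_rbl(?:_sub|_txt)?)"
    r"\(\s*'([^']*)'\s*,\s*'([^']*)'")
# score NAME v1 [v2 v3 v4], optionally followed by a comment
SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(.+?)\s*(?:#.*)?$")


def negative_dns_rules(cf_text):
    """Return {rule: (dns_zone, lowest_score)} for DNS-list rules that
    subtract points in at least one scoreset."""
    zone_of_set = {}   # lookup set name -> DNS zone queried
    set_of_rule = {}   # rule name -> lookup set it depends on
    scores = {}        # rule name -> list of scores (last line wins)

    for line in cf_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            rule, func, rbl_set, arg = m.groups()
            set_of_rule[rule] = rbl_set
            # check_rbl / check_rbl_txt name the zone; check_rbl_sub only
            # names a sub-test against a set defined elsewhere.
            if func != "check_rbl_sub":
                zone_of_set[rbl_set] = arg.rstrip(".")
            continue
        m = SCORE_RE.match(line)
        if m:
            try:
                # A later score line (e.g. a local override) replaces
                # an earlier one for the same rule.
                scores[m.group(1)] = [float(v) for v in m.group(2).split()]
            except ValueError:
                pass  # not a plain numeric score line; ignore

    findings = {}
    for rule, values in scores.items():
        if rule in set_of_rule and min(values) < 0:
            zone = zone_of_set.get(set_of_rule[rule], "unknown")
            findings[rule] = (zone, min(values))
    return findings


if __name__ == "__main__":
    for rule, (zone, score) in sorted(negative_dns_rules(SAMPLE_CF).items()):
        print(f"{rule:<24} {score:>6}  via {zone}")
```

To audit a real install, pass the function the concatenated text of the distributed rule files followed by the local configuration, so that local `score` overrides are applied last.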


Re: HABEAS_ACCREDITED WHY BY DEFAULT?

2009-12-04 Thread Charles Gregory

On Fri, 4 Dec 2009, rich...@buzzhost.co.uk wrote:

Okay, let's be methodical. Let us indeed start with those.
Did anyone else get them?


No answer.


If so, how did they score?


No answer.


If not, then why did only Richard get them?


No answer.


Point 1 - The Subject that was changed on the other post. JD Falk made
the original change to abuse me. Go back to the archive and take a look.
I just inverted it.


I don't care. You can each call the other all the names you want.
But if there is a legitimate issue, it will be answered by addressing the 
questions I posed.



Point 2 -
I've stated my opinions on organisations that are involved in bulk
mailing, but that's all it is. An opinion. They are like axxholes,
everyone has one.


I don't care. Spamassassin does not have an 'opinion'. It has a
methodology. If that methodology requires review/correction, your opinion 
provides no quantitative feedback.



Point 3 - My Habeas issue is not about quantity.


If you read my post you would have grasped the simple idea that if ANY 
spam comes to your attention, it is very likely the tip of an unseen 
iceberg of missed spam. So we treat it seriously and investigate. I didn't 
ask how *much* anyone got. I asked whether there was something peculiar to 
your situation that prevented other people from seeing this problem.

see *nay


. I can only cite the current ongoing issue with DateTheUk.
A company that fished a watermarked address from a Facebook 'Farmville'
group and then spammed it.


Good enough to work with. You've posted your data, now my next question 
is whether anyone else sees the same mail. Just because I don't see it 
over here in Canada doesn't mean you are the only one. But it may very 
well highlight a 'regional bias' in the main spamassassin test corpora.



80.75.69.195  WHITELISTED:sa-accredit.habeas.com
80.75.69.201  WHITELISTED:sa-accredit.habeas.com


Which now leads back to questions about whether we're seeing *hacked* 
servers that just *happen* to be habeas accredited?



The customer also hits on: list.dnswl.org, so they are clearly aware of
the need to grease the wheels. Spamassassin was passing the stuff at -9.


(nod) I've seen similar scores on (obvious) spam from 'mailengine'.


It's not about the listing of a Rogue Customer, it's why they are not
delisted for doing it - this would give some kind of confidence back.


It may not be the 'customer' at all. Never attribute to malice that which 
can be ascribed to ignorance.



My personal view is no blind eye should be turned to any spammer,
especially one coming from a so called reputable source.


So let's get back to defining the source. We've got a habeas 
representative on here? Let's trace this 'datetheuk' stuff and see if it 
really is their legitimate business.


By the by, I think I posted on this list a while ago on a similar 
question, as to whether we could really trust *any* whitelists, as they 
simply made for a *deliberate* target of botnet owners. No one made a fuss 
about it before, but what about now? Maybe, once again, the flaw is in 
having a whitelisting system that relies upon third party servers with 
unknown security.



Point 4 -
All that is largely irrelevant to this list, but my point of interest is
why a commercial white list appears in Spamassassin with the default
scores set the way they are? It's perfectly reasonable to ask.


Well, the obvious 'starting answer' (just to cut the pedants short) is 
that a whitelist *should* generally betoken increased trust in a source, 
and that it is 'permitted' to look a 'little' spammy because their 
business is advertising, but not 'spam'. So with that category of mail in 
the 'ham' corpora, spamassassin score generation allows a generous 
negative score. The flaw, here, may be regional bias. Perhaps Spamassassin 
should get a bit more sophisticated and attempt to generate corpora for 
different regions?



It could be expanded to ask if there are any plans to include whitelists 
from other vendors in the default, such as Apache donator Barracuda? 
Perhaps emailreg.org with a -4 score in the next SA release?


That is the most meaningful question. What is the policy for inclusion, 
and how reliable is it? The key to understanding is to verify whether the 
'spam' you see is *actually* from the 'customer' who obtained the habeas 
accredit and then probe how we would deal with a 'yes' or a 'no'.



Much as the personality battles and offlist threats and abuse amuse
me, my question is perfectly reasonable, has its foundation in fact and
is on topic.


Which is pretty much what I said. I just clarified the question because 
pedants were answering because the developers like it.


But it might help to skip the personality/ad hominem crap. Prove that the 
mail you receive is the rightful mail of the legitimate IP address owner, 
and then ask the habeas people how they 'earned' that accredit


- C


Re: [sa] Re: Suggestion for use by ANY whitelist service....

2009-12-04 Thread Charles Gregory

On Fri, 4 Dec 2009, rich...@buzzhost.co.uk wrote:

. the default for a spam filter should not be to give
any weight to a white list unless the user modifies the config
themselves specifically. It can be seen to be suspicious and offering a
pecuniary advantage to those involved and using it.


If it turns out that the whitelists FAIL to deliver a sufficiently 
reliable 'standard' of only sending e-mails to confirmed double-opt-in 
recipients, then yes, SA should not 'favor' them. But if they offer a 
reliable way to judge mail as 'valid' (by which I mean that the recipient 
in their own sole judgement says "I wanted that") then I see no problem 
with scoring. But based on current examples (datetheuk) I have serious 
reservations that the practical reality meets this standard.


- Charles


Re: [sa] Re: Suggestion for use by ANY whitelist service....

2009-12-04 Thread Charles Gregory

On Fri, 4 Dec 2009, John Hardin wrote:
Both would have to be done any time a new address was added to the 
mailing list. And there would have to be some watchdog ensuring the MSP 
doesn't relax the policy over time.


Uh-huh. For a -4 in my mail filter? They oughta! :)

It's a great idea. The problem is, how do you get mail service providers to 
do this? What causes them loss of revenue if they _don't_ do it?


The fact that recipients change their SA score from negative to positive
(or better still, as argued here, the negative *default* is removed from 
the distribution, so that millions of mail servers immediately 'downgrade' 
the mail's acceptability).



 I'm sure we would all live with the occasional true 'opt-in' request,
Absolutely, particularly if it's the proper ignore means permission denied 
model.


That's my definition of 'true opt-in'. Yes.
Also goes without saying that the opt-in request be *terse* and not be 
used as a 'carrier' for 'one quick sneaky ad'. Plain text. No logos.


I don't think it would have that effect. Being able to force such a policy 
onto MSPs won't affect spambot networks.


Which leads around to the other issue that seems to be building, which is 
whether spambot networks deliberately target whitelisted IP ranges to 
improve their chances of getting delivery. :(


- C


Re: Suggestion for use by ANY whitelist service....

2009-12-04 Thread Charles Gregory

On Fri, 4 Dec 2009, rich...@buzzhost.co.uk wrote:

I disagree.  I think a spam filter should do its best to give a
reasonable weight to both whitelists and blacklists.

In which case how about including several other whitelists and not just
giving advantage to one?


SA also scores negatively for various IADB rules (whoever they are) as 
well as 'DNSWL'. Not a lot, but really, how many organizations ever had a 
running start at being that reliable? But perhaps they should be reviewed 
and removed if they've been hacked too often


- C


Re: HABEAS_ACCREDITED WHY BY DEFAULT?

2009-12-04 Thread Per Jessen
Charles Gregory wrote:

 I don't care. Spamassassin does not have an 'opinion'. It has a
 methodology. 

Umm, it also has a set of rules which essentially make up the
SA opinion. 


/Per Jessen, Zürich



Re: Suggestion for use by ANY whitelist service....

2009-12-04 Thread Charles Gregory

On Fri, 4 Dec 2009, Greg Troxel wrote:

A problem with the spam%/ham% checking methodology is that it makes the
accreditation look reasonable for corpuses that have lots of requested
commercial mail.  That's certainly fine for those people, but the
outcomes seem very different for those that don't ask for such mail -
they're left with only the spam.


Agreed. Though reasonably speaking, the overall volume of 'accredited' 
spam should be the same as an overall percentage. So it should still raise 
a 'red flag' when it gets too large, regardless of how much ham benefits 
from the rule.


- C


Re: HABEAS_ACCREDITED WHY BY DEFAULT?

2009-12-04 Thread Chr. von Stuckrad
On Fri, 04 Dec 2009, rich...@buzzhost.co.uk wrote:

 Point 4 -
 All that is largely irrelevant to this list, but my point of interest is
 why a commercial white list appears in Spamassassin with the default
 scores set the way they are? It's perfectly reasonable to ask. It could
 be expanded to ask if there are any plans to include whitelists from
 other vendors in the default, such as Apache donator Barracuda? Perhaps
 emailreg.org with a -4 score in the next SA release?

So if, after a while of wading through the debate, I understand this
right, it boils down to 'are spammers buying out spamassassin
rule-makers' or 'do we have to assume that spamassassin development
was taken over by spammers' or some such theory?

Wouldn't it be far easier to believe, that in long gone times when
'habeas' seemed to prove nonspam (I seem to remember it worked a
while) somebody put that rule in.  And a while later lots of people
simply set their habeas rules to zero after noticing spam-with-habeas.
(the oldest mails with 'Subject:.*habeas' I can find in my archive
were about habeas haikus and these were beginning to be faked 2003/4).

Then I personally simply forgot the whole thing ... til yesterday :-)
AND if the spam-with-habeas is seldom seen it might simply vanish
in the noise or hide below the other rules until somebody(!) notices.

For me all this means - simply forget (zero out) the rules - and if
need be file a bug/request/whatever to get them removed - but not that
I'd assume that spamassassin was subverted to allow spammers? But even
if it were so, it could not go on very long - somebody would(did?) wonder ...

After all this debate about a negatively scored rule I'd disable it
anyway, because the spammers on the list will target it specifically
now, knowing it works well for them.

Stucki

-- 
Christoph von Stuckrad  * * |nickname |Mail stu...@mi.fu-berlin.de \
Freie Universitaet Berlin   |/_*|'stucki' |Tel(Mo.,Mi.):+49 30 838-75 459|
Mathematik  Informatik EDV |\ *|if online|  (Di,Do,Fr):+49 30 77 39 6600|
Takustr. 9 / 14195 Berlin   * * |on IRCnet|Fax(home):   +49 30 77 39 6601/


actual facts (was Re: HABEAS_ACCREDITED SPAMMER)

2009-12-04 Thread J.D. Falk
On Dec 4, 2009, at 1:18 AM, jdow wrote:

 And JD, I don't see on your site what it costs people to get listed
 on your DNS approval lists other than some tests and documentation. Is
 it possible spammers simply submit some buttered up documentation, get
 approved, and accept getting it knocked back off your lists rapidly as
 a business time expense?

No, there's a lengthy application process and a lot of monitoring involved.  
I'd be happy to ask someone from the Certification team to join the list and 
explain further as soon as I can be certain they won't be harassed and insulted 
here.  In the meantime I'll answer as well as I can, considering that I work on 
entirely different products at Return Path.

 I note that JD is quite willing to discuss (and seemed to recommend)
 a lowered default score. That seems quite reasonable.

The current defaults for both the HABEAS and BSP rules were set long before 
Return Path operated either service, so we have no clue where they came from 
either.


On Dec 4, 2009, at 9:08 AM, Charles Gregory wrote:

 As soon as any whitelist service like 'returnpath' accepts a client, they 
 perform the following:
 
 1) Review the client's address list - look for honeypot addresses.
   If any are found, clearly the client has not vetted their list.

Our staff doesn't review their list, but we do operate a great many honeypots 
of our own -- and we receive feeds of honeypot messages from ISPs and other 
data partners.  So, spammers can't hide that way.

We also get feeds of complaints, where users click this is spam in a partner 
ISP's webmail interface.  Spammers can't hide that way, either.

(You can see the results of much of this data at senderscore.org.)

I saw some other interesting ideas in the conversation, but they all assume the 
accreditor is able to change messages or otherwise interrupt the sender's 
mailstream.  We don't have that ability, and don't want to.  They have to 
police themselves, or else they get kicked off the list.  Simple, neh?


On Dec 4, 2009, at 10:06 AM, Greg Troxel wrote:

 Probably SOI should be entirely dropped.

There's only one Safe list (which SA still calls Habeas.)  In other words: no 
difference between the SOI and COI lists.  Or at least, that's how it's 
supposed to be -- so Kris's results were somewhat surprising.


On Dec 4, 2009, at 11:08 AM, Charles Gregory wrote:

 By the by, I think I posted on this list a while ago on a similar question, 
 as to whether we could really trust *any* whitelists, as they simply made for 
 a *deliberate* target of botnet owners. No one made a fuss about it before, 
 but what about now? Maybe, once again, the flaw is in having a whitelisting 
 system that relies upon third party servers with unknown security.

We're EXTREMELY concerned about this as well, and we've got a 24x7 operations 
staff keeping an eye on things.  That's one of the reasons we charge money for 
the service: it lets us buy hardware and software and hire staff to keep it 
running smoothly, and securely.

--
J.D. Falk jdf...@returnpath.net
Return Path Inc


Re: Suggestion for use by ANY whitelist service....

2009-12-04 Thread Ted Mittelstaedt

Charles Gregory wrote:


All this debate about 'legitimate' mail services like 'returnpath'
being abused by 'sneaky' spammers. How is that possible? There should be 
easy ways to prevent it. Here's a few ideas:


As soon as any whitelist service like 'returnpath' accepts a client, 
they perform the following:


1) Review the client's address list - look for honeypot addresses.
   If any are found, clearly the client has not vetted their list.

2) Perform their OWN 'opt-in' mailout to that list.
 Hello, we at (company eg. Returnpath) have contracted to operate a
  mailing list on behalf of (client name). They have provided your
  address as one that has *requested* advertising mailouts from their
  company. We respectfully request that you verify this
  subscription/request by replying to this e-mail. IF you do nothing,
  this will be your last mailing from this company.



That wouldn't ever happen because the whole point of the CAN-SPAM
act is to allow the spammers to send out the first mail.  Direct 
e-mail mailers just set up fake company after fake company, so they can
repeatedly spam the first time over and over again.

I'm sure we would all live with the occasional true 'opt-in' request, if 
we knew that the end result would be that it would stifle spam by giving 
the legitimate mailers, the ones whose mail we *want* anyway,


Who exactly are those mailers?  Just curious since I've never in my
life seen an unsolicited commercial e-mail from a list that I never 
opted in on in the first place, that I wanted


Ted


Re: HABEAS_ACCREDITED WHY BY DEFAULT?

2009-12-04 Thread Per Jessen
Chr. von Stuckrad wrote:

 After all this debate about a negatively scored rule I'd disable it
 anyway, because the spammers on the list will target it specifically
 now, knowing it works well for them.

The other side of the argument is - why does any legitimate company need
to employ a service such as Habeas/Returnpath/whatever? 
If their customer emails are getting caught as spam, surely they or SA
is doing something wrong to begin with.  There is not much spam that is
getting caught purely based on content, most is getting caught on
origin and its reputation. 


/Per Jessen, Zürich



Re: [sa] Re: Suggestion for use by ANY whitelist service....

2009-12-04 Thread John Hardin

On Fri, 4 Dec 2009, Charles Gregory wrote:


On Fri, 4 Dec 2009, John Hardin wrote:

 Both would have to be done any time a new address was added to the mailing
 list. And there would have to be some watchdog ensuring the MSP doesn't
 relax the policy over time.


Uh-huh. For a -4 in my mail filter? They oughta! :)


 It's a great idea. The problem is, how do you get mail service providers
 to do this? What causes them loss of revenue if they _don't_ do it?


The fact that recipients change their SA score from negative to positive 
(or better still, as argued here, the negative *default* is removed from 
the distribution, so that millions of mail servers immediately 
'downgrade' the mail's acceptability).


I had thought about that, but I suppose I didn't give the SA community 
enough weight. Are there enough users of SA (including the customers of 
those who repackage it commercially) who _maintain their systems_ (i.e. 
keep up-to-date with new versions and run sa_update regularly) such that 
the SA devs adjusting the scores centrally for whitelists would have an 
aggregate effect across all those users similar to the Big Players doing 
what I suggested?


If the majority of SA users install it and forget about it for five years 
(including not running sa-update) then SA probably can't effectively be a 
cattle prod with which to encourage proper behavior by MSPs.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You do not examine legislation in the light of the benefits it
  will convey if properly administered, but in the light of the
  wrongs it would do and the harms it would cause if improperly
  administered.  -- Lyndon B. Johnson
---
 11 days until Bill of Rights day


Re: actual facts (was Re: HABEAS_ACCREDITED SPAMMER)

2009-12-04 Thread John Hardin

On Fri, 4 Dec 2009, J.D. Falk wrote:

The current defaults for both the HABEAS and BSP rules were set long 
before Return Path operated either service, so we have no clue where 
they came from either.


J.D., may I suggest you open a SA Bugzilla ticket suggesting that the 
scores be reviewed in light of this large change in how HABEAS operates?


3.3.0 is in beta right now, it's still not too late to adjust the default 
scores for these rules for this major release.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You do not examine legislation in the light of the benefits it
  will convey if properly administered, but in the light of the
  wrongs it would do and the harms it would cause if improperly
  administered.  -- Lyndon B. Johnson
---
 11 days until Bill of Rights day


Re: HABEAS_ACCREDITED SPAMMER

2009-12-04 Thread Robert Lopez
On Fri, Dec 4, 2009 at 7:33 AM, Bowie Bailey bowie_bai...@buc.com wrote:
 LuKreme wrote:
 On 4-Dec-2009, at 01:18, jdow wrote:

 With all the animosity on this issue I decided to give the HABEAS
 rules a score, a negligible score to be sure, just to see what the
 state of HABEAS is for me today.

 In the last four days - nothing either spam or ham.


 I tend to see little clusters of HABEAS scores, but they are rare. I might 
 see only 10-20 a month.

 After following this thread for a while, I decided to take a look at my
 server.  So here's one more data point:

 In the last month, I have seen 718 messages that hit one of the HABEAS
 rules.  Of those, none of them had an overall score higher than 4, and
 there were only 12 that would have been scored as spam without the rule.

 Since I don't have access to look at the actual messages and I don't
 know what lists my customers may be signed up for, I can't say anything
 for sure, but it looks like it's working fine here based on the numbers.

 --
 Bowie


Here is one more data point:
Since October 18th I have seen HABEAS rules listed in Spamassassin
score lines 496122 times.
One such phishing email this week was successfully delivered to 387 in-boxes.
Were it not for the HABEAS_ACCREDITED_SOI -4.30 other rules would have
led to successfully stopping the message.

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


Re: [sa] actual facts (was Re: HABEAS_ACCREDITED SPAMMER)

2009-12-04 Thread Charles Gregory

On Fri, 4 Dec 2009, J.D. Falk wrote:
They have to police themselves, or else they get kicked off the list. 
Simple, neh?


Neh. Definitely NEH. That is the logic of spambots. They get on there, 
abuse the heck out of it until someone files a complaint and then they get 
cut off, but not before millions of spams have gone out the door with your 
'blessing'. The notion of waiting for complaints opens the doors to
failure of systems through overburdening (gee, we got so many complaints 
we couldn't get to them all in a timely manner).


For example, you've heard a complaint about 'thedateuk' being tossed 
around this list. Seems to me that if your above statement represented an 
effective policy, the comment from the original complainant should be
I saw a flood of spam from these IP's and then it just stopped a few 
hours later. But that's not what I'm reading.


And I don't want excuses. No claims that a certain reporting mechanism 
should have been used. There are enough people receiving spam that if 
any mechanism were reputable and worthwhile, *someone* would have used it 
and the spam would have stopped. At the very least, judging by the 
comments here, no attempt was made to 'group' the offending IP's and the 
offender just switched to another IP in their block?


Any way you look at it, there is a reliability issue here.

- Charles


Re: [sa] Re: Suggestion for use by ANY whitelist service....

2009-12-04 Thread Charles Gregory

On Fri, 4 Dec 2009, Ted Mittelstaedt wrote:

That wouldn't ever happen because the whole point of the CAN-SPAM
act is to allow the spammers to send out the first mail.  Direct e-mail 
mailers just set up fake company after fake company, so they can
repeatedly spam the first time over and over again.


Well, if a company wants to sell a 'reputation', then it has to have more 
behind it than letting in 'first time' companies. Any registration process 
should involve a clear investigation of whether a business is merely a 
'front' for a spammer. Shouldn't be too hard to spot.


Who exactly are those mailers?  Just curious since I've never in my life 
seen an unsolicited commercial e-mail from a list that I never opted in 
on in the first place, that I wanted


What are you asking? Obviously 'unsolicited' is NOT 'wanted', so therefore 
by using the word 'wanted' I am by definition meaning *solicited*. That 
means someone ASKED for the mail. REQUESTED it via an opt-in mechanism, 
with confirmation. Companies that apply for habeas accreditation send
material that has similar *content* to spam (buzzwords like percentages 
off and the like) that might make a spam filter *mistake* their ad for 
an unsolicited spam, but which should NOT be blocked because the 
recipients HAVE requested and WANT the mail. It is SOLICITED.


And yes, people *do* request notices of weekly specials at their computer 
store, and ads for the next event at the coliseum. There is a lot of 
legitimate e-mail advertising. None of it is (should be) 'unsolicited'.


- Charles


Re: [sa] Re: HABEAS_ACCREDITED WHY BY DEFAULT?

2009-12-04 Thread Charles Gregory

On Fri, 4 Dec 2009, Per Jessen wrote:

The other side of the argument is - why does any legitimate company need
to employ a service such as Habeas/Returnpath/whatever?


Any legitimate drug company that wants to send price lists to its 
legitimate distributors or end customers, upon request, even if not a 
mailing list mail, but specific, one-by-one request/response mails, would 
have trouble with spam filters that check for drug names and percentages 
and hot words like 'sale'. The preponderance of drug spams makes it very 
difficult for these companies. Help from a whitelist is a welcome thing.

But it becomes useless if the spammers suborn the process.

- Charles


Re: [sa] Re: HABEAS_ACCREDITED WHY BY DEFAULT?

2009-12-04 Thread rich...@buzzhost.co.uk
I've just had another one to a honeypot - care of myspace. My dog does
not have a myspace account. Again, this is a harvested email address.

204.16.33.75  WHITELISTED:sa-accredit.habeas.com

Whilst I appreciate that nobody would turn their noses up at taking $$$
from someone like myspace, there are some serious concerns about their
data here.

I'll check with my dog to make sure he has not subscribed whilst I
turned my back .

Received: from vmta12.myspace.com (vmta12.myspace.com [204.16.33.75]) by
 . with ESMTP id  for
 .; Fri,  4 Dec 2009 19:48:32 + (GMT)




Re: actual facts (was Re: HABEAS_ACCREDITED SPAMMER)

2009-12-04 Thread Kris Deugau

J.D. Falk wrote:

There's only one Safe list (which SA still calls Habeas.)  In other words: no 
difference between the SOI and COI lists.  Or at least, that's how it's 
supposed to be -- so Kris's results were somewhat surprising.


*shrug*  I haven't seen enough evidence in the mail flow here to bother 
messing with the stock scores in the installations here, but there *are* 
three different rules in the stock SA set (up to date via sa-update):


# Habeas Accredited Senders
#   Last octet of the returned A record indicates the Habeas-assigned
#   Permission Level of the Sender.
#   10 to 39    Personal, transactional, and Confirmed Opt In
#   40 to 59    Secure referrals and Single Opt In
#   60 to 99    Checked but not accredited by Habeas.
#
# sa-accredit.habeas.com is for SpamAssassin use.
#
header HABEAS_ACCREDITED_COI    eval:check_rbl('habeas-firsttrusted', 'sa-accredit.habeas.com.', '127\.\d+\.\d+\.[123]\d')
describe HABEAS_ACCREDITED_COI  Habeas Accredited Confirmed Opt-In or Better
tflags HABEAS_ACCREDITED_COI    net nice

header HABEAS_ACCREDITED_SOI    eval:check_rbl_sub('habeas-firsttrusted', '127\.\d+\.\d+\.[45]\d')
describe HABEAS_ACCREDITED_SOI  Habeas Accredited Opt-In or Better
tflags HABEAS_ACCREDITED_SOI    net nice

header HABEAS_CHECKED           eval:check_rbl_sub('habeas-firsttrusted', '127\.\d+\.\d+\.[6789]\d')
describe HABEAS_CHECKED         Habeas Checked
tflags HABEAS_CHECKED           net nice

score HABEAS_ACCREDITED_COI 0 -8.0 0 -8.0
score HABEAS_ACCREDITED_SOI 0 -4.3 0 -4.3
score HABEAS_CHECKED 0 -0.2 0 -0.2

-kgd
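
The check Bowie Bailey and Robert Lopez describe in this thread (which delivered messages would have been scored as spam without a HABEAS rule) can be run over logged X-Spam-Status headers. The following is an added example, not code from the thread or from SpamAssassin; it assumes the stock scores quoted above are in effect, and the function names and sample headers are constructed.

```python
import re

# Stock scores quoted in the thread for the three Habeas rules. Assumption:
# no local "score" overrides are in effect on the server being audited.
HABEAS_SCORES = {
    "HABEAS_ACCREDITED_COI": -8.0,
    "HABEAS_ACCREDITED_SOI": -4.3,
    "HABEAS_CHECKED": -0.2,
}

# Sub-test patterns copied from the rules quoted in the thread. Matching the
# whole answer (fullmatch) is a choice made for this example.
ANSWER_PATTERNS = [
    ("HABEAS_ACCREDITED_COI", re.compile(r"127\.\d+\.\d+\.[123]\d")),
    ("HABEAS_ACCREDITED_SOI", re.compile(r"127\.\d+\.\d+\.[45]\d")),
    ("HABEAS_CHECKED", re.compile(r"127\.\d+\.\d+\.[6789]\d")),
]

STATUS_RE = re.compile(
    r"X-Spam-Status:\s*(?:Yes|No),\s*score=(?P<score>-?\d+(?:\.\d+)?)\s+"
    r"required=(?P<required>-?\d+(?:\.\d+)?)\s+"
    r"tests=(?P<tests>[A-Za-z0-9_,\s]*?)(?=\s+\w+=|\s*$)"
)


def rule_for_answer(a_record):
    """Return the Habeas rule a DNS answer would fire, or None."""
    for rule, pattern in ANSWER_PATTERNS:
        if pattern.fullmatch(a_record):
            return rule
    return None


def audit(headers):
    """Re-score every message that hit a Habeas rule as if the rule were absent."""
    findings = []
    for raw in headers:
        # Undo RFC 5322 header folding before parsing.
        unfolded = re.sub(r"\r?\n[ \t]+", " ", raw.strip())
        m = STATUS_RE.search(unfolded)
        if not m:
            continue
        tests = [t for t in re.sub(r"\s+", "", m["tests"]).split(",") if t]
        hits = [t for t in tests if t in HABEAS_SCORES]
        if not hits:
            continue
        score, required = float(m["score"]), float(m["required"])
        without = round(score - sum(HABEAS_SCORES[t] for t in hits), 2)
        findings.append({
            "rules": hits,
            "score": score,
            "score_without": without,
            # Delivered as ham, but at or over the threshold without the rule.
            "masked": score < required <= without,
        })
    return findings


def summarize(findings):
    """Return (messages hitting a Habeas rule, messages the rule kept out of spam)."""
    return len(findings), sum(1 for f in findings if f["masked"])


# Constructed sample headers (not taken from the thread).
SAMPLE_HEADERS = [
    "X-Spam-Status: No, score=2.9 required=5.0 tests=BAYES_99,HABEAS_ACCREDITED_SOI,\n"
    "\tHTML_MESSAGE,URIBL_BLACK autolearn=no",
    "X-Spam-Status: No, score=-4.1 required=5.0 tests=HABEAS_ACCREDITED_SOI,HTML_MESSAGE",
    "X-Spam-Status: Yes, score=6.3 required=5.0 tests=BAYES_99,HABEAS_CHECKED,URIBL_BLACK",
    "X-Spam-Status: No, score=1.0 required=5.0 tests=BAYES_50,HTML_MESSAGE autolearn=no",
    "X-Spam-Status: No, score=-3.5 required=5.0 tests=HABEAS_ACCREDITED_COI,RAZOR2_CHECK",
]

if __name__ == "__main__":
    results = audit(SAMPLE_HEADERS)
    total, masked = summarize(results)
    print(f"{total} messages hit a Habeas rule; {masked} delivered only because of it")
    for f in results:
        if f["masked"]:
            print(f["rules"], f["score"], "->", f["score_without"])
```

The masked count is the figure to compare against the total hit count when deciding whether to keep, lower or zero the rule scores locally.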


Re: Smart Smoker spam sailing past SA scores

2009-12-04 Thread Jari Fredriksson


On 4.12.2009 18:00, Thomas Harold wrote:
 SA had a lot of trouble identifying this as spam.  The IP
 (174.139.37.196) is not yet listed in a lot of the DNSBLs.  So it only
 scored around a 1.0 on the spam meter.
 
 http://pastebin.com/m1d0a75b7
 
 It uses a block of foreign language spam at the end to get past some SA
 checks.  Such as HTML_IMAGE_RATIO.  The text/plain section is complete
 empty (and doesn't match the text/html section).
 

Content analysis details:   (14.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 RCVD_IN_BRBL_LASTEXT   RBL: Received via a relay in Barracuda BRBL
                            [174.139.37.196 listed in bb.barracudacentral.org]
 1.7 RCVD_IN_HOSTKARMA_BL   RBL: HostKarma: relay in black list
                            [174.139.37.196 listed in hostkarma.junkemailfilter.com]
 0.8 RCVD_IN_SEMBLACK       RBL: Received from an IP listed by SEM-BLACK
                            [174.139.37.196 listed in bl.spameatingmonkey.net]
 2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: globalsaveonlinepath.net]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.0 SPF_PASS               SPF: sender matches SPF record
 4.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=174.139.37.196,rdns=host196.easysavingsusa.com,maildomain=globalsaveonlinepath.net,baddns]
 2.8 UNWANTED_LANGUAGE_BODY BODY: Message written in an undesired language
 0.0 HTML_MESSAGE           BODY: HTML included in message
-2.5 BAYES_20               BODY: Bayesian spam probability is 5 to 20%
                            [score: 0.0515]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 0.6 SARE_HTML_HTML_TBL     FULL: Message body has very strange HTML sequence
 0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 2.0 KHOP_DNSBL_BUMP        Hits a trusted non-overlapping DNSBL



-- 
http://www.iki.fi/jarif/

Many pages make a thick book.





Re: actual facts (was Re: HABEAS_ACCREDITED SPAMMER)

2009-12-04 Thread J.D. Falk
On Dec 4, 2009, at 12:24 PM, John Hardin wrote:

 On Fri, 4 Dec 2009, J.D. Falk wrote:
 
 The current defaults for both the HABEAS and BSP rules were set long before 
 Return Path operated either service, so we have no clue where they came from 
 either.
 
 J.D., may I suggest you open a SA Bugzilla ticket suggesting that the scores 
 be reviewed in light of this large change in how HABEAS operates?

Glad to.

--
J.D. Falk jdf...@returnpath.net
Return Path Inc






Re: actual facts (was Re: HABEAS_ACCREDITED SPAMMER)

2009-12-04 Thread Michael Parker

FYI, the original bug is here: 
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=3998

All the bitching about it, took me about 30 seconds to find it.

Michael



Re: [sa] Re: Suggestion for use by ANY whitelist service....

2009-12-04 Thread Ted Mittelstaedt

Charles Gregory wrote:

On Fri, 4 Dec 2009, Ted Mittelstaedt wrote:

That wouldn't ever happen because the whole point of the CAN-SPAM
act is to allow the spammers to send out the first mail.  Direct 
e-mail mailers just set up fake company after fake company, so they can
repeatedly spam the first time over and over again.


Well, if a company wants to sell a 'reputation', then it has to have 
more behind it than letting in 'first time' companies. Any registration 
process should involve a clear investigation of whether a business is 
merely a 'front' for a spammer. Shouldn't be too hard to spot.


Who exactly are those mailers?  Just curious since I've never in my 
life seen an unsolicited commercial e-mail from a list that I never 
opted in on in the first place, that I wanted


What are you asking? Obviously 'unsolicited' is NOT 'wanted', so 
therefore by using the word 'wanted' I am by definition meaning 
*solicited*. That means someone ASKED for the mail. REQUESTED it via an
opt-in mechanism, with confirmation.


I will then have to REPEAT that this will NEVER fly.  The devil is in
the details, here.

If you look at return path they aren't talking about opt-in mailing
lists because that's NOT what they are whitelisting.  They are 
whitelisting permission-based e-mail.


What this means is for example I go to Redbox to rent a DVD, which
requires me to put in my e-mail address, and the
rental process has some boilerplate in it that in the small print
says I will get e-mails from redbox.

It does NOT mean that I deliberately e-mailed redbox to get on their
list, then responded in the affirmative to a confirmation mail.  THAT
is a true opt-in.  Companies that do their mailing list that way, and 
there's many that do, don't need what a whitelist service provides 
because since the user was looking for a confirmation, they are going to 
know that when it doesn't come that it got in their spam folder, so they 
are going to look in there, pull it out, and whitelist the sender in 
their private whitelists.


The companies that need a whitelist service are the ones like Redbox who 
are gathering e-mail addresses as part of some other function then using
them to market.  They need Habeas and friends because since the user who 
supplied them with their e-mail address didn't bother to read the fine
print the company's first mail is going to be unexpected, as a result
it will normally go into the user's spam folder and never be seen and
the user will never pull it out and put it in their own personal whitelist.

Companies that apply for habeas accreditation send
material that has similar *content* to spam (buzzwords like percentages 
off and the like) that might make a spam filter *mistake* their ad for 
an unsolicited spam, but which should NOT be blocked because the 
recipients HAVE requested and WANT the mail. It is SOLICITED.




No, the recipients HAVE NOT explicitly requested an opt-in, they have
merely NOT explicitly requested to opt-out when they provided their
e-mail address for some other reason.

And yes, people *do* request notices of weekly specials at their 
computer store, and ads for the next event at the coliseum. There is a 
lot of legitimate e-mail advertising. None of it is (should be) 
'unsolicited'.




Wrong.

People fall into a bell-curve on this issue.

There's a small number of consumers who go out of their way to sign
up for all of the e-mail lists run by all the companies they buy from.

There's a small number who go out of their way to unsubscribe from
all the e-mail lists run by all the companies they buy from.

But the majority don't care one way or another.  They won't go out
of their way to sign up for notices from the vendors they buy from,
but if that vendor signs them up, they won't go out of their way
to unsubscribe.

What's happened in the commercial spamming business is that the
spammers have figured this out, and managed to convince the legitimate
companies out there that if their customer doesn't object if they
start sending advertising e-mails to them, that the customer has given 
permission to be spammed.  So those companies create flimsy pretexts to 
obtain e-mail addresses from customers that are supposedly for other 
reasons than spamming them, and then they put in the fine print during 
that obtaining process a check box to uncheck being on the spam list,
and the customers in the middle of the bell curve don't go out of
their way to uncheck it and then Habeas considers this as having
obtained permission to spam for that customer.  That's why Habeas
customers need a whitelist in the first place - because they are 
adopting a point of view of what spam is that is contrary to what
most users hold.

Ted


Re: J.D. Falk spineless insults (Re: HABEAS_ACCREDITED SPAMMER)

2009-12-04 Thread jdow

From: rich...@buzzhost.co.uk
Sent: Friday, 2009/December/04 06:04



On Fri, 2009-12-04 at 06:55 -0700, LuKreme wrote:

On 3-Dec-2009, at 23:06, R-Elists wrote:
 certainly we understand your point here, yet what about accountability 
 for

 Return Path Inc (and other RPI companies) related rules in the default
 Spamassassin configs?


My position on HABEAS is well-known by anyone who cares (I score it +0.5 
and +2.0); that's not what I'm talking about: it's the constant whinging 
by richard and falk at each other. Obviously they WANT to be 
communicating since otherwise they could easily ignore/killfile each 
other. I'm just tired of them doing it on this mailing list.



Your idea of 'constant' amuses me and is stretching the truth
exponentially.

I'm curious why a commercial whitelist from a bulk mailing company has
such a positive inroad in Spamassassin. It's a fair question. I'm not
interested in your personal views of me, my question or my posting. You
have a killfile? You able to ignore on subject? Skills you may find
useful to learn yes?


Have you two gentlemen reported these spammers to ReturnPath, Lukreme's
long unused address might be a good source for scrubbing the ReturnPath
lists. (So far I've not seen one either way here.) I presume you two
gentlemen are telling me that you never see HABEAS on ham, right?

{^_^} 



Re: HABEAS_ACCREDITED WHY BY DEFAULT?

2009-12-04 Thread jdow

From: Per Jessen p...@computer.org
Sent: Friday, 2009/December/04 09:11


rich...@buzzhost.co.uk wrote:


This was raised as the IP appeared in HABEAS and for a few hours it
'vanished' from the list. It's back there now, but DateTheUk is now
pumping out via an ip six decimal places up on the last octet.

80.75.69.195  WHITELISTED:sa-accredit.habeas.com

The customer concerned then hopped their output to:80.75.69.201
80.75.69.201  WHITELISTED:sa-accredit.habeas.com


FYI, 80.75.69.192 - 80.75.69.255 belongs to Easydate Ltd in Edinburgh. 


 jdow: And somehow I suspect Richard didn't bother to report. It
is more fun to bitch instead. So far the only real metrics I've seen 
indicates it works. That's data from three people, one off this list.


{^_^}


Re: HABEAS_ACCREDITED WHY BY DEFAULT?

2009-12-04 Thread jdow

From: Per Jessen p...@computer.org
Sent: Friday, 2009/December/04 11:19


Chr. von Stuckrad wrote:


After all this debate about a negatively scored rule I'd disable it
anyway, because the spammers on the list will target it specifically
now, knowing it works well for them.


The other side of the argument is - why does any legitimate company need
to employ a service such as Habeas/Returnpath/whatever? 
If their customer emails are getting caught as spam, surely they or SA
is doing something wrong to begin with.  There is not much spam that is
getting caught purely based on content, most is getting caught on
origin and its reputation. 


jdow: I have several email sources with which I have a relationship
as in signed up for that are not important enough to me to outright
whitelist. I have fun watching them dance around the deadly 5.0 score.
OK OK it is fun for the feeble minded or somebody needing a dose of
graveyard humor, I suppose. But it illustrates the problem an ISP spam
filter might have.

JD's description indicates RP makes an honest attempt to scrub their
lists when problems appear. And, if they do not hear of a problem their
list does not get scrubbed. And if a user plays the 'report as spam'
trick to unsubscribe to a list (something a legitimate friend of mine
experiences too often) that can result in problems for everybody, JD,
his customers, and the cut-off recipients. RP has taken on a job that
is not trivial.

{^_^}


Re: HABEAS_ACCREDITED SPAMMER

2009-12-04 Thread jdow

From: Robert Lopez rlopez...@gmail.com
Sent: Friday, 2009/December/04 11:24


On Fri, Dec 4, 2009 at 7:33 AM, Bowie Bailey bowie_bai...@buc.com wrote:

LuKreme wrote:

On 4-Dec-2009, at 01:18, jdow wrote:


With all the animosity on this issue I decided to give the HABEAS
rules a score, a negligible score to be sure, just to see what the
state of HABEAS is for me today.

In the last four days - nothing either spam or ham.



I tend to see little clusters of HABEAS scores, but they are rare. I 
might see only 10-20 a month.


After following this thread for a while, I decided to take a look at my
server. So here's one more data point:

In the last month, I have seen 718 messages that hit one of the HABEAS
rules. Of those, none of them had an overall score higher than 4, and
there were only 12 that would have been scored as spam without the rule.

Since I don't have access to look at the actual messages and I don't
know what lists my customers may be signed up for, I can't say anything
for sure, but it looks like it's working fine here based on the numbers.

--
Bowie



Here is one more data point:
Since October 18th I have seen HABEAS rules listed in Spamassassin
score lines 496122 times.
One such phishing email this week was successfully delivered to 387 in-boxes.
Were it not for the HABEAS_ACCREDITED_SOI -4.30 other rules would have
led to successfully stopping the message.

 jdow: OK a 0.07% failure rate is remarkably good, In My Pathetic
Opinion. It ought to earn a fairly respectable negative score on that
basis. How far off was your -4.30 score on that spam/phish? Was that
the ONLY one that got through?

{^_^}