I noticed that too, then I looked at the headers: X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to <http://www.habeas.com/report/>
I went to their site and it seems they partner with a lot of people that do spam blocking (including spam assassin) and if these headers are in the email then the email gets through. If you look around the habeas site you'll see that the first three lines of those headers are a copyrighted poem and a registered trademark. So, if a spammer, like the one sending that viagra spam, uses the headers to get around spam filters they get sued for copyright and trademark infringement. Since I saw no use for anything Habeas would send me, I just made a rule to block stuff with those headers in it as well :) > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Brian > Sent: Wednesday, January 14, 2004 6:42 AM > To: Greater NH Linux User Group > Subject: SPAM and procmail > > > For anyone interested... It seems that a lot of spam is starting to slip > through Spam Assassin again. The majority of the messages seem to > either have "obvious" subject lines, or have ----ALT-- in the message > body to try to hide dummy words to throw off the weighting. I came up > with these two procmail recipes the other day that have done a good job > of catching what SA doesn't. The first looks for various forms of drug > keywords in the subject line, and the second just dumps any message with > the ALT stuff in the body to an altinmessage mailbox (I have yet to see > a valid use of the ALT stuff in the message body (for that matter I've > yet to see a valid use of HTML in an email message, but that is another > story)). > > Anyway, I thought I would share in case anyone else found these useful, > or wanted to build off of them. > > :0: > * > ^Subject:.*([EMAIL PROTECTED]@])|([Ss5].?[oO0]. > [EMAIL PROTECTED])|([EMAIL PROTECTED]@].?[xX]) > meds > > :0B: > * ^----ALT--* > altinmessage > > > Another common technique that is foiling SA is hiding bogus tags in > words (ie "vi</house>agra"). They always seem to be closing tags in the > messages I've looked at. If I get the time, I want to pre-parse all > email before it gets sent to SA and remove all non-real HTML tags, which > should allow SA to better read and score the message. This is more of a > job for piping the message to an external script/program (much like > filtering it through SA). > > And for those that are wondering, yes this *can* get a little processor > intensive on a busy mailserver with a lot of users, but for the price of > hardware these days, it's been affordable to provide effective spam > scanning. > -- > Brian <[EMAIL PROTECTED]> > > _______________________________________________ > gnhlug-discuss mailing list > [EMAIL PROTECTED] > http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss > > _______________________________________________ gnhlug-discuss mailing list [EMAIL PROTECTED] http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
