Hi SA Community - A lot of you have been asking us for an update on Habeas' response to the current spammer spoofing attack on Habeas Sender Warranted Email. Here's what's going on:
a. Legal action. A full legal and technical investigation of the matter has been underway since January 12, 2004 (the day after this all began) and legal action is expected to begin shortly. The support from the email community to date has been phenomenal and has been instrumental in our investigation. Any examples of the spam should be emailed, with full header and body, to [EMAIL PROTECTED]. Any additional information regarding this matter may be reported to Habeas at [EMAIL PROTECTED]. The legal model can be very effective against spammers, but it is a slow process.

b. Implementation of whitelist reference in SpamAssassin. SpamAssassin 3.0, scheduled for release in 6-8 weeks (I believe), will incorporate an improved Habeas ruleset that will automatically refer to the Habeas Whitelist (aka the HUL or Habeas Users List) in addition to the Warrant Mark. Use of this version of SpamAssassin should defeat these Habeas Warrant Mark spoofing attacks.

c. Enhancements to SpamAssassin 2.6x. Habeas is working with the SA community to implement a software patch that will augment the Habeas ruleset of SpamAssassin 2.6x with the SA 3.0 functionality for Habeas mentioned in b. above (i.e., checking the whitelist). Details on the ruleset will be released shortly, as soon as we complete testing. I should add that some interesting ideas for additional future ruleset enhancements have been floated to Habeas from the SA community; we are intrigued and will be taking a look into them. [ed. note -- see below for my suggestion in this regard]

We appreciate your support as we transition fully away from the header plus blacklist model to the header plus whitelist model in SA. We're already using header plus whitelist in our ISP relationships. Clearly the tactics of spammers/hackers (i.e., zombie PCs) have rendered the header plus blacklist combination ineffective. We appreciate the difficulties this has given all of you and we hope for your continued support as we transition (quickly!) to a more secure Habeas implementation in SA.

thanks -
Des Cahill
CEO
Habeas, Inc.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nels Lindquist
> Sent: Wednesday, March 17, 2004 4:46 PM
> To: [EMAIL PROTECTED]
> Subject: [Technical-discussion] Some suggestions on behalf of SpamAssassin users
>
> Hi there.
>
> There's been quite a bit of discussion about Habeas on the SA list of late due to the recent rash of spammers utilizing the Habeas SWE to cut through content filters.
>
> A lot of people are growing impatient and setting their HABEAS_SWE scores to zero, and some misguided folk are actually assigning it a positive score based on the belief that they receive no legitimate mail with the Habeas SWE! While I understand the legal process can take a while (grinding slow but exceedingly fine, etc.), it might be nice for you guys to provide a status update on your website (or even a post to the SA list!) a little more often so people at least understand that the process is ongoing.
>
> In the interim, though, I'd like to make a more technical suggestion. Since the Pharmacourt infringers have been using hijacked open relays (perhaps infected with some MyDoom or Beagle variant?), merely putting IP addresses into the HIL is something of an exercise in closing the barn door after the horse has gone (though certainly not a waste of time, since there are other horses).
>
> It's been my observation that the URLs referenced in the Pharmacourt spam are far less variable than the relays they use (makes sense -- domains do have to be registered and that costs money), and that lends itself to the creation of a custom SpamAssassin ruleset which is demonstrably quite effective. Working on the suggestions of SA list participants, I've been building the following based on URLs referenced within infringing e-mails I've received:
>
> uri PHARMACOURT_BIZ /\b(?:affiliatedrugs|affiliateddgrugs|charterdrugs|fifthdimensionrx|firstassist|majesticdrugs|moderndrugstore|pharmacourt|pharmawarehouse|valuepointmeds)\.biz\b/i
> describe PHARMACOURT_BIZ Includes a link to spammer www.pharmacourt.biz
> score PHARMACOURT_BIZ 3.0
>
> meta HABEAS_VIOLATOR_LOCAL (!HABEAS_VIOLATOR && HABEAS_SWE && PHARMACOURT_BIZ)
> describe HABEAS_VIOLATOR_LOCAL Spammer known to abuse Habeas mark
> score HABEAS_VIOLATOR_LOCAL 16.0
>
> Over the past few weeks, these local rules have been catching infringing e-mails about twice as often as HABEAS_VIOLATOR (which is triggered by an infringer on the HIL) and very few infringing messages have made it to my Inbox.
>
> So here's what I propose: Habeas should create (or contribute to) a custom SpamAssassin ruleset! (See http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm for examples of other rulesets in common usage.)
>
> Since Habeas receives lots of reports of infringing mail, you could pull out URLs used by the infringers and generate a more comprehensive ruleset along the lines of what I've outlined above.
>
> By updating such a ruleset as new URLs are discovered and making it available for download, SA users can be better protected from infringing spam while still retaining the benefit of properly scoring legitimate Habeas SWE users. Additionally, by posting notices of updates to the SA discussion list, Habeas would be seen to be actively participating in the community, which can't help but incur goodwill for the company. I wouldn't be surprised if more people were encouraged to report their infringing mail, too, if they perceive a direct benefit to themselves by doing so.
>
> So there you have it. Food for thought, anyway!
>
> Nels Lindquist <*>
> ----
> Quidquid latine dictum sit altum videtur.
> Whatever is said in Latin, sounds profound.
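To make the interaction between the stock Habeas rules and Nels Lindquist's local `uri`/`meta` pair concrete, here is a small stand-alone Python evaluator that applies the same four rules and the same meta logic to constructed sample messages. It is an added illustration, not code from Habeas, from SpamAssassin, or from either message author. Its simplifications are assumptions: HABEAS_SWE is approximated by the presence of an `X-Habeas-SWE-1` header (the real rule checks the full multi-header mark), the HIL DNSBL lookup behind HABEAS_VIOLATOR is replaced by a local set of relay IPs, the relay is taken from the topmost `Received:` header, and the scores for HABEAS_SWE and HABEAS_VIOLATOR plus the 5.0 threshold are placeholders chosen for the example rather than SpamAssassin's real defaults. The PHARMACOURT_BIZ pattern and the two scores 3.0 and 16.0 are copied from the post; the sample messages are constructed.

```python
import re
from email import message_from_string
from email.message import Message

# The uri pattern from Nels Lindquist's post, copied verbatim (including the
# "affiliateddgrugs" spelling as posted).
PHARMACOURT_BIZ_RE = re.compile(
    r"\b(?:affiliatedrugs|affiliateddgrugs|charterdrugs|fifthdimensionrx|"
    r"firstassist|majesticdrugs|moderndrugstore|pharmacourt|pharmawarehouse|"
    r"valuepointmeds)\.biz\b",
    re.IGNORECASE,
)

# Crude URI extractor standing in for SpamAssassin's body URI parsing (assumption).
URI_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.IGNORECASE)

# Relay IP: the bracketed address in the topmost Received: header (simplified).
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# PHARMACOURT_BIZ and HABEAS_VIOLATOR_LOCAL scores are the ones in the post.
# HABEAS_SWE and HABEAS_VIOLATOR values and the 5.0 threshold are placeholders
# chosen for this example, not SpamAssassin's actual defaults (assumption).
SCORES = {
    "HABEAS_SWE": -8.0,
    "HABEAS_VIOLATOR": 16.0,
    "PHARMACOURT_BIZ": 3.0,
    "HABEAS_VIOLATOR_LOCAL": 16.0,
}
REQUIRED_HITS = 5.0


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/* parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def relay_ip(msg: Message):
    """IP of the host that handed the message to our MX (topmost Received:)."""
    received = msg.get_all("Received") or []
    m = RECEIVED_IP_RE.search(received[0]) if received else None
    return m.group(1) if m else None


def evaluate(raw: str, hil: frozenset = frozenset()) -> dict:
    """Apply the four rules and the meta logic; `hil` stands in for the HIL lookup."""
    msg = message_from_string(raw)
    hits = {}
    # Simplification: treat the first SWE header as "Warrant Mark present".
    hits["HABEAS_SWE"] = msg.get("X-Habeas-SWE-1") is not None
    # Stock rule: mark present AND the sending relay is listed on the HIL.
    hits["HABEAS_VIOLATOR"] = hits["HABEAS_SWE"] and relay_ip(msg) in hil
    uris = URI_RE.findall(body_text(msg))
    hits["PHARMACOURT_BIZ"] = any(PHARMACOURT_BIZ_RE.search(u) for u in uris)
    # The post's meta rule: fire only when the HIL has not already caught it.
    hits["HABEAS_VIOLATOR_LOCAL"] = (
        not hits["HABEAS_VIOLATOR"] and hits["HABEAS_SWE"] and hits["PHARMACOURT_BIZ"]
    )
    score = sum(SCORES[name] for name, hit in hits.items() if hit)
    return {
        "hits": sorted(name for name, hit in hits.items() if hit),
        "score": score,
        "spam": score >= REQUIRED_HITS,
    }


# Constructed sample messages (not real captures).
LEGIT = """\
Received: from mail.example.net ([192.0.2.10]) by mx.example.org; Wed, 17 Mar 2004 16:00:00 -0700
From: news@example.net
To: user@example.org
Subject: Weekly update
X-Habeas-SWE-1: (placeholder: real mark text omitted)
Content-Type: text/plain

This week's issue: http://www.example.net/news/issue-12
"""

SPOOFED = """\
Received: from unknown ([198.51.100.77]) by mx.example.org; Wed, 17 Mar 2004 16:05:00 -0700
From: offers@example.com
To: user@example.org
Subject: Save on your prescriptions
X-Habeas-SWE-1: (placeholder: real mark text omitted)
Content-Type: text/plain

Order online today: http://www.pharmacourt.biz/order?ref=123
"""

if __name__ == "__main__":
    print("legit:", evaluate(LEGIT))
    print("spoofed, relay not on HIL:", evaluate(SPOOFED))
    print("spoofed, relay on HIL:", evaluate(SPOOFED, hil=frozenset({"198.51.100.77"})))
```

The point the meta rule makes is visible in the two spoofed runs: when the relay is not yet on the HIL, HABEAS_VIOLATOR stays quiet and HABEAS_VIOLATOR_LOCAL supplies the positive score that cancels the mark's negative one; when the relay is listed, the `!HABEAS_VIOLATOR` guard keeps the local rule from stacking a second penalty on top of the stock one. The legitimate mark-bearing message keeps its full negative score in both cases, which is the "still retaining the benefit of properly scoring legitimate Habeas SWE users" property the post asks for.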
