Posted to users@spamassassin.apache.org by "J.D. Falk" <jd...@cybernothing.org> on 2009/12/03 19:23:47 UTC

Richard's baseless insults (Re: HABEAS_ACCREDITED SPAMMER)

On Dec 2, 2009, at 12:59 AM, richard@buzzhost.co.uk wrote:

> As for
> insulting you - grow up. You work in the business of sending unwanted
> junk email.

You haven't done any research at all, have you?

http://www.cauce.org/about/bod.html
http://www.circleid.com/members/3217/

I expect an apology.

--
J.D. Falk <jd...@returnpath.net>
Return Path Inc





Re: [sa] Re: Suggestion for use by ANY whitelist service....

Posted by John Hardin <jh...@impsec.org>.
On Fri, 4 Dec 2009, Charles Gregory wrote:

> On Fri, 4 Dec 2009, John Hardin wrote:
>>  Both would have to be done any time a new address was added to the mailing
>>  list. And there would have to be some watchdog ensuring the MSP doesn't
>>  relax the policy over time.
>
> Uh-huh. For a -4 in my mail filter? They oughta! :)
>
>>  It's a great idea. The problem is, how do you get mail service providers
>>  to do this? What causes them loss of revenue if they _don't_ do it?
>
> The fact that recipients change their SA score from negative to positive 
> (or better still, as argued here, the negative *default* is removed from 
> the distribution, so that millions of mail servers immediately 
> 'downgrade' the mail's acceptability).

I had thought about that, but I suppose I didn't give the SA community 
enough weight. Are there enough users of SA (including the customers of 
those who repackage it commercially) who _maintain their systems_ (i.e. 
keep up-to-date with new versions and run sa_update regularly) such that 
the SA devs adjusting the scores centrally for whitelists would have an 
aggregate effect across all those users similar to the Big Players doing 
what I suggested?

If the majority of SA users install it and forget about it for five years 
(including not running sa-update) then SA probably can't effectively be a 
cattle prod with which to encourage proper behavior by MSPs.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   You do not examine legislation in the light of the benefits it
   will convey if properly administered, but in the light of the
   wrongs it would do and the harms it would cause if improperly
   administered.                                  -- Lyndon B. Johnson
-----------------------------------------------------------------------
  11 days until Bill of Rights day

Re: [sa] Re: Suggestion for use by ANY whitelist service....

Posted by Charles Gregory <cg...@hwcn.org>.
On Fri, 4 Dec 2009, John Hardin wrote:
> Both would have to be done any time a new address was added to the 
> mailing list. And there would have to be some watchdog ensuring the MSP 
> doesn't relax the policy over time.

Uh-huh. For a -4 in my mail filter? They oughta! :)

> It's a great idea. The problem is, how do you get mail service providers to 
> do this? What causes them loss of revenue if they _don't_ do it?

The fact that recipients change their SA score from negative to positive
(or better still, as argued here, the negative *default* is removed from 
the distribution, so that millions of mail servers immediately 'downgrade' 
the mail's acceptability).

>>  I'm sure we would all live with the occasional true 'opt-in' request,
> Absolutely, particularly if it's the proper "ignore means permission denied" 
> model.

That's my definition of 'true opt-in'. Yes.
Also goes without saying that the opt-in request be *terse* and not be 
used as a 'carrier' for 'one quick sneaky ad'. Plain text. No logos.

> I don't think it would have that effect. Being able to force such a policy 
> onto MSPs won't affect spambot networks.

Which leads around to the other issue that seems to be building, which is 
whether spambot networks deliberately target whitelisted IP ranges to 
improve their chances of getting delivery..... :(

- C

Re: Suggestion for use by ANY whitelist service....

Posted by Charles Gregory <cg...@hwcn.org>.
On Fri, 4 Dec 2009, Greg Troxel wrote:
> A problem with the spam%/ham% checking methodology is that it makes the
> accreditation look reasonable for corpuses that have lots of requested
> commercial mail.  That's certainly fine for those people, but the
> outcomes seem very different for those that don't ask for such mail -
> they're left with only the spam.

Agreed. Though reasonably speaking, the overall volume of 'accredited' 
spam should be the same as an overall percentage. So it should still raise 
a 'red flag' when it gets too large, regardless of how much ham benefits 
from the rule.

- C

Re: Suggestion for use by ANY whitelist service....

Posted by Greg Troxel <gd...@ir.bbn.com>.
John Hardin <jh...@impsec.org> writes:

> On Fri, 4 Dec 2009, Charles Gregory wrote:
>
>> 2) Perform their OWN 'opt-in' mailout to that list.
>>      "Hello, we at (company eg. Returnpath) have contracted to operate a
>>       mailing list on behalf of (client name). They have provided your
>>       address as one that has *requested* advertising mailouts from their
>>       company. We respectfully request that you verify this
>>       subscription/request by replying to this e-mail. IF you do nothing,
>>       this will be your last mailing from this company."
>
> Both would have to be done any time a new address was added to the
> mailing list. And there would have to be some watchdog ensuring the
> MSP doesn't relax the policy over time.
>
> It's a great idea. The problem is, how do you get mail service
> providers to do this? What causes them loss of revenue if they _don't_
> do it?

Perhaps SA could decline to offer negative points for other than actual
COI?

My own experience with HABEAS_ACCREDITED_SOI has been that it's caused
spam to show up in my inbox instead of filtered like it should have
been.  Complaining in public seems to be the only thing that works.  I
somewhat understand the difficulties of running an accreditation
service, but I think the expectation of the SA community should be that
problems (accredited senders spamming) should be extremely rare.  It's
clearly not extremely rare.

A problem with the spam%/ham% checking methodology is that it makes the
accreditation look reasonable for corpuses that have lots of requested
commercial mail.  That's certainly fine for those people, but the
outcomes seem very different for those that don't ask for such mail -
they're left with only the spam.

Whitelists that don't accept payment for listing should get treated as
SA has done - estimate a proper score.  Those that do accept payment are
a more complicated case - I think it's reasonable to demand that
infractions are highly rare and that non-public complaints are responded
to promptly and appropriately.  Probably "SOI" should be entirely
dropped.

Re: Suggestion for use by ANY whitelist service....

Posted by John Hardin <jh...@impsec.org>.
On Fri, 4 Dec 2009, Charles Gregory wrote:

> As soon as any whitelist service like 'returnpath' accepts a client, they 
> perform the following:
>
> 1) Review the client's address list - look for honeypot addresses.
>    If any are found, clearly the client has not vetted their list.
>
> 2) Perform their OWN 'opt-in' mailout to that list.
>      "Hello, we at (company eg. Returnpath) have contracted to operate a
>       mailing list on behalf of (client name). They have provided your
>       address as one that has *requested* advertising mailouts from their
>       company. We respectfully request that you verify this
>       subscription/request by replying to this e-mail. IF you do nothing,
>       this will be your last mailing from this company."

Both would have to be done any time a new address was added to the mailing 
list. And there would have to be some watchdog ensuring the MSP doesn't 
relax the policy over time.

It's a great idea. The problem is, how do you get mail service providers 
to do this? What causes them loss of revenue if they _don't_ do it?

About the only leverage I can see is if the large ISPs and freemail 
providers (hotmail, comcast, MSN, etc.) start to outright block MSPs that 
don't auditably follow these guidelines. And I don't see that happening.

> I'm sure we would all live with the occasional true 'opt-in' request,

Absolutely, particularly if it's the proper "ignore means permission 
denied" model.

> if we knew that the end result would be that it would stifle spam by 
> giving the legitimate mailers, the ones whose mail we *want* anyway, a 
> better chance to reach us.

I don't think it would have that effect. Being able to force such a policy 
onto MSPs won't affect spambot networks.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   We have to realize that people who run the government can and do
   change. Our society and laws must assume that bad people -
   criminals even - will run the government, at least part of the
   time.                                               -- John Gilmore
-----------------------------------------------------------------------
  11 days until Bill of Rights day

Re: Suggestion for use by ANY whitelist service....

Posted by Per Jessen <pe...@computer.org>.
LuKreme wrote:

> On 5-Dec-2009, at 13:58, Per Jessen wrote:
>> No legislation is any good without enforcement.  Provided you have
>> both and the enforcement is "heavy handed", spam is not a problem.
> 
> Show where spam is not a problem? Spammers are immune to the law
> because they are largely untrackable. 

I didn't say nor mean to imply that a single country's legislation would
be sufficient.  When there are many countries that send virtually no
spam, it's because they have legislation, enforcement and a suitable
infrastructure to prevent it.  Implement the same legislation+
enforcement+infrastructure everywhere else and spam is gone.  
Of course there are millions of reasons why it will never happen, for
instance countries who explicitly allow spamming. 


/Per Jessen, Zürich


Re: Suggestion for use by ANY whitelist service....

Posted by LuKreme <kr...@kreme.com>.
On 5-Dec-2009, at 13:58, Per Jessen wrote:
> No legislation is any good without enforcement.  Provided you have both
> and the enforcement is "heavy handed", spam is not a problem.

Show where spam is not a problem? Spammers are immune to the law because they are largely untrackable. Who sent the spam? Some unwitting Windows loser with a zombied PC, in all likelihood. Until you start jailing people for running insecure Windows machines, spam will continue to be a problem with no legislative solution.


> What we have just been discussing are two countries that have no real
> legislation against spam, but in fact explicitly allow it in certain
> cases.

And whether the US or UK 'allow' spam in some circumstances is still completely irrelevant. *I* will reject it, regardless of if spammerscum.co.uk is 'allowed' to send it. The legality or illegality of the specific message is in no way relevant.


-- 
I AM NOT A LICENSED HAIRSTYLIST
	Bart chalkboard Ep. AABF04


Re: Suggestion for use by ANY whitelist service....

Posted by Per Jessen <pe...@computer.org>.
LuKreme wrote:

> On 5-Dec-2009, at 07:57, Per Jessen wrote:
>> It seems to me the UK pretty much has its own CAN-SPAM bill - I can't
>> remember where I saw it, but it is apparently completely legal to
>> send unsolicited marketing email to businesses.
> 
> Completely irrelevant. 

Not in a context of CAN-SPAM, no. 

> the legality or illegality of a specific spam message is not relevant
> to anyone unless that person is tasked with enforcing some anti-spam
> law. 

Correct, but that is a different context.

> The simple fact is, the vast majority of spam is completely
> unconcerned with laws, is by design untrackable, and all the
> legislation in the world will do *nothing* to curtail it.

No legislation is any good without enforcement.  Provided you have both
and the enforcement is "heavy handed", spam is not a problem.  What we
have just been discussing are two countries that have no real
legislation against spam, but in fact explicitly allow it in certain
cases.


/Per Jessen, Zürich


Re: Suggestion for use by ANY whitelist service....

Posted by LuKreme <kr...@kreme.com>.
On 5-Dec-2009, at 07:57, Per Jessen wrote:
> It seems to me the UK pretty much has its own CAN-SPAM bill - I can't
> remember where I saw it, but it is apparently completely legal to send
> unsolicited marketing email to businesses.  

Completely irrelevant. The legality or illegality of a specific spam message is not relevant to anyone unless that person is tasked with enforcing some anti-spam law.

The simple fact is, the vast majority of spam is completely unconcerned with laws, is by design untrackable, and all the legislation in the world will do *nothing* to curtail it.

This is why it is incumbent on us, as sysadmins, to deal with the problem as best we can. Until there is some law saying I cannot block spam, I will block as much as I can. If I am ever forbidden from blocking it, I will simply shut down SMTP services completely.

80-95% of the connection attempts to port 25 are either rejected out of hand, or are spam that is tagged by SA. Some days the percentage creeps very close to 100%. The total percentage over the last 90 days is 83%.


-- 
Space Directive 723: Terraformers are expressly forbidden 
	from recreating Swindon.


Re: Suggestion for use by ANY whitelist service....

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Sat, 2009-12-05 at 15:57 +0100, Per Jessen wrote:
> richard@buzzhost.co.uk wrote:
> 
> > In the UK I'm more interested in the offences sending UBE/UCE commits
> > under the Protection from Harassment Act, Section 42 of the
> > Telecommunications Act and possible offences under the Data Protection
> > and Computer Misuse Acts.
> 
> It seems to me the UK pretty much has its own CAN-SPAM bill - I can't
> remember where I saw it, but it is apparently completely legal to send
> unsolicited marketing email to businesses.  
> 
> 
> /Per Jessen, Zürich
> 
Business yes, but private individuals, no - that *is* illegal. Policing
it when the UCE is from outside of the UK is a question mark - but I
don't think someone like Constant Contact or Return Path would like to
get tangled up in it, if only to spare their reputation.

I'm not picking on them btw, just using them as an out-of-the-uk-bulker
example. There are bad apples in the UK that run the gauntlet on a daily
basis, namely IHM, B2B (The multi-named, ever changing chameleons of UK
spam), Pure360 and our old mates - dotmailer (big on abuse rhetoric, not
so big on action...) enough.. you'll get me ranting again....


Re: Suggestion for use by ANY whitelist service....

Posted by Per Jessen <pe...@computer.org>.
richard@buzzhost.co.uk wrote:

> In the UK I'm more interested in the offences sending UBE/UCE commits
> under the Protection from Harassment Act, Section 42 of the
> Telecommunications Act and possible offences under the Data Protection
> and Computer Misuse Acts.

It seems to me the UK pretty much has its own CAN-SPAM bill - I can't
remember where I saw it, but it is apparently completely legal to send
unsolicited marketing email to businesses.  


/Per Jessen, Zürich


Re: Suggestion for use by ANY whitelist service....

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
> On Dec 4, 2009, at 12:19, Ted Mittelstaedt <te...@ipinc.net> wrote:
> 
> > That wouldn't ever happen because the whole point of the CAN-SPAM
> > act is to allow the spammers to send out the "first" mail. 

The CAN-SPAM spiel is an American phenomenon that holds questionable
relevance to the rest of the world (somewhat more significant than one
Country).

In the UK I'm more interested in the offences sending UBE/UCE commits
under the Protection from Harassment Act, Section 42 of the
Telecommunications Act and possible offences under the Data Protection
and Computer Misuse Acts.

CAN-SPAM or no CAN-SPAM, any 'legitimate' ESP assisting in such acts is
equally guilty in UK law under the joint enterprise rules, although
other than some minor success getting a couple of fixed penalty notices
issued to UK companies sending UCE, I've yet to see a significant legal
test.



Re: Suggestion for use by ANY whitelist service....

Posted by LuKreme <kr...@kreme.com>.
On Dec 4, 2009, at 12:19, Ted Mittelstaedt <te...@ipinc.net> wrote:

> That wouldn't ever happen because the whole point of the CAN-SPAM
> act is to allow the spammers to send out the "first" mail.  Direct
> e-mail mailers just set up fake company after fake company, so they can
> repeatedly spam the "first time" over and over again.

No one gives a crap about CAN-SPAM and no one needs to accept spam  
just because it's 'first time' spam.


Re: [sa] Re: Suggestion for use by ANY whitelist service....

Posted by John Hardin <jh...@impsec.org>.
On Wed, 9 Dec 2009, Charles Gregory wrote:

> On Wed, 9 Dec 2009, John Hardin wrote:
>> >   NOW you're getting somewhere. I saw that info on their site. The IP 
>> >   returned has the last octet set according to the tier. So maybe the 
>> >   issue here, which we should push into the SA developers' hands is 
>> >   that the current Habeas rules only look for a binary result, 
>> >   whereas maybe the Habeas rule code should be updated to score 
>> >   differently for the different tiers of Habeas accreditation?
>>
>>  Underway.
>>  https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6247
>
> I don't see references to the multiple IP address 'tiers'. Did I miss it?

Oh, sorry. The Habeas rules are being replaced by Return Path rules, which 
have two tiers: Certified and Safe. That's what I interpreted you to mean.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Rights can only ever be individual, which means that you cannot
   gain a right by joining a mob, no matter how shiny the issued
   badges are, or how many of your neighbors are part of it.  -- Marko
-----------------------------------------------------------------------
  6 days until Bill of Rights day

Re: [sa] Re: Suggestion for use by ANY whitelist service....

Posted by Charles Gregory <cg...@hwcn.org>.
On Wed, 9 Dec 2009, John Hardin wrote:
>>  NOW you're getting somewhere. I saw that info on their site. The IP
>>  returned has the last octet set according to the tier. So maybe the issue
>>  here, which we should push into the SA developers' hands is that the
>>  current Habeas rules only look for a binary result, whereas maybe the
>>  Habeas rule code should be updated to score differently for the different
>>  tiers of Habeas accreditation?
>
> Underway.
> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6247

I don't see references to the multiple IP address 'tiers'. Did I miss it?

- C

Re: [sa] Re: Suggestion for use by ANY whitelist service....

Posted by John Hardin <jh...@impsec.org>.
On Wed, 9 Dec 2009, Charles Gregory wrote:

> On Tue, 8 Dec 2009, Ted Mittelstaedt wrote:
>
>>  It is my understanding after reviewing the Habeas material that Habeas
>>  has defined multiple "tiers" of "permission-based"
>>  "bulk-email-advertising" so that "bulk-email-advertising" senders are
>>  classified now according to the "level" of "opt-in" they do.  The
>>  Redbox-style "bulk-email-advertisers" are the lowest tier, the people
>>  actually running mailing lists that customers have to make significant
>>  effort to get on to, are the highest tier.
>
> NOW you're getting somewhere. I saw that info on their site. The IP 
> returned has the last octet set according to the tier. So maybe the 
> issue here, which we should push into the SA developers' hands is that 
> the current Habeas rules only look for a binary result, whereas maybe 
> the Habeas rule code should be updated to score differently for the 
> different tiers of Habeas accreditation?

Underway.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6247

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Rights can only ever be individual, which means that you cannot
   gain a right by joining a mob, no matter how shiny the issued
   badges are, or how many of your neighbors are part of it.  -- Marko
-----------------------------------------------------------------------
  6 days until Bill of Rights day

Re: [sa] Re: Suggestion for use by ANY whitelist service....

Posted by Charles Gregory <cg...@hwcn.org>.
On Tue, 8 Dec 2009, Ted Mittelstaedt wrote:
>> >  So, technically if I hire someone to kill you, I'm technically not
>> >  guilty of murder since I didn't pull the trigger?  Technically speaking.
>>  Technically speaking, your analogy is bad, but I'll work with it.
> I see no point in beating that analogy to the extent that you have...

Because it does NOT say THIS:

> ...the point I made is that it's pretty apparent that purveyors of this 
> "grand new frontier" are lying when they make the claim that just 
> because they manage with clever fine print language to put the onus back 
> on the customer to "remember to opt-out later", that this somehow means 
> the customer put forth effort to subscribe to their 
> bulk-email-advertising.

This is all good. Your analogy of 'murder' is not.

>> >  Well, since it's a MINORITY of my users that WANT the spam....
>>  We've all agreed that spam, by definition is UNWANTED (advertising) mail,
>>  therefore your above statement is an oxymoron. There is NO SUCH THING as
>>  'wanted spam'.
>
> The real issue is what constitutes WANTED mail.  I'll
> agree that spam that is wanted is "bulk-email-advertising" if you
> will agree that "bulk-email-advertising" that is NOT wanted is spam,
> OK?

Well, that just restates what I said a different way. Fine by me.

> It is my understanding after reviewing the Habeas material that Habeas 
> has defined multiple "tiers" of "permission-based" 
> "bulk-email-advertising" so that "bulk-email-advertising" senders are 
> classified now according to the "level" of "opt-in" they do.  The 
> Redbox-style "bulk-email-advertisers" are the lowest tier, the people 
> actually running mailing lists that customers have to make significant 
> effort to get on to, are the highest tier.

NOW you're getting somewhere. I saw that info on their site. The IP 
returned has the last octet set according to the tier. So maybe the issue 
here, which we should push into the SA developers' hands is that the 
current Habeas rules only look for a binary result, whereas maybe the 
Habeas rule code should be updated to score differently for the different 
tiers of Habeas accreditation?

Okay, so people with 'problems' with Habeas, PLEASE CHECK:
Can you determine whether the problematic spammers being given Habeas 
bonuses are in a specific 'tier' of Habeas results?

>>  Any website hiding 'we can send you more email' in their
>>  boilerplate/policy rather than as a clear "check here to receive future
>>  mail" should not be whitelisted. Any website that 'checks the box for you'
>>  should NEVER get accreditation.  Indeed, if anyone ever
>>  starts to identify those kinds of sites, I'd blacklist them, just for that
>>  sleazy practice..... :)
> Then you probably want to block the lowest level of Habeas-accredited 
> "bulk-email-advertisers" since that appears to be what they are.

(nod) See above. We need code in SA to differentiate.

> To most users there is no difference
> between spam and "bulk-email-advertisements"

No, but there *is* a difference between the bulk mail produced by the 
(nominally) 'wanted' legitimate sender, and spam sent by a hacker who has 
turned an accredited server into a zombie.

> They DON'T WANT the "bulk-email-advertisements" even if they have 
> allegedly "given permission" by supplying an e-mail address to do 
> something like rent a DVD and overlooked unchecking the box in the fine 
> print allowing the company to send "bulk-email-advertisements" to them.

So they don't want what they 'said' they wanted. Heart of every con game 
on the planet. Don't approve, but as the courts well know, as long as they 
don't outright *lie*, and that checkbox is *there*, then it is 'legal'.
Sleazy, underhanded, but legal.... :(

> It is only a minority that will go out of their way to sign up for 
> "bulk-email-advertisements" therefore, that minority should carry the 
> burden of personally whitelisting these "bulk-email-advertisements" on a 
> shared mailserver.

A point of view that is not entirely unreasonable. :)

> Habeas's existence helps to make it more difficult for the
> MAJORITY of people to have these "bulk-email-advertisements" filtered
> from their mail stream, because now that the system admin is giving a
> free pass to all the alleged "bulk-email-advertisers" the majority
> now has the burden placed on it to unsubscribe from these mailing
> lists.

Again, a good point. As I said in previous mails. Habeas should do the job 
of 'weeding out' the 'sleazy' marketers with questionable or hidden 
'opt-in' practices. Indeed, I wonder why they do business with them at 
all. They should toe the hard line and tell the marketer to clean up their 
site and their lists, or as I suggested at the far beginning of this 
thread, make it the first step of any new accreditation to perform ANOTHER 
opt-in sequence with the client.

> ...This is the case unless Habeas changed their business practices to 
> ONLY accredit "bulk-email-advertisers" who ran explicit opt-in
> (ie: the highest tier)  But if Habeas did, they would not be using
> the term "permission-based" e-mail in their business marketing,
> they would be using "opt-in" which is the industry-recognized term.

Something that should not be lost among the hyperbole. And SA should make 
sure to distinguish the two groups in its scoring....

> You seem to think that mail to a honeypot is the only form of abuse.

No, but it is glaring and obvious. And carries the distinct advantage of 
defeating ANY claims by a spammer that their stuff was solicited. It 
should be a red flag to Habeas to immediately remove accreditation, at 
least temporarily until the issue is resolved.

> I say that anytime a user gets a "bulk-email-advertisement"
> that they don't want, EVEN if they "gave permission" by NOT unchecking
> a "can we send you "bulk-email-advertisements" box, that instantly
> becomes spam - and thus it is ALSO ABUSE.

I agree it's abuse, but I would only call it 'spam' if the 'opt-in' form 
was obviously designed to obscure or simply omit the fact that future 
mailings might not directly relate to the original purpose for which the 
address was given. Ie. No check box. No notice of intent. But if the 
checkbox is there, in plain sight, and uses simple language, then at the 
least I would not score it positively. Might not want to score it 
negatively (hence this whole debate) but it is not outright 'spam' because 
the user *is* exercising control.

> And, I would also state that any time a user gets one of these
> "bulk-email-advertisements" that they did not EXPLICITLY sign up
> for, EVEN IF they don't object to it after getting it, that it is
> ALSO abuse.

Whether a user bothers to 'object' is irrelevant. If they look at the mail 
and say "I didn't sign up for this, WTF?" then there is a *problem* and 
one that should be accounted for in Habeas procedures/policy....

(and weighted accordingly in SA rules)

> who DID you refer to?  Your statement can be read either way and means
> differently depending on how it's read.

If that's the way you were reading it, then the point was really being 
lost anyways, because for me 'them' was the bulk mailers AND Habeas, each 
in their own respective roles within the issue...

> No, what Habeas wants is to get SA to put the support into SA for their
> rankings, so that the typical "install-and-ignore" system admin will
> be automatically using the Habeas system once they install SA, whether
> they agree with it or not.

And I agree with this. Any system that proves reliable and helps 
distinguish bulk mail from spam is a good thing. The problem under 
discussion is not whether SA should 'include' Habeas for doing their 
stated job, but whether SA should devalue Habeas because they are NOT 
doing their stated job. Or, as suggested above, weigh only the most secure 
and reliable 'tiers' of Habeas with negative bonuses.

> In my opinion the issue isn't whether Habeas is doing what they're
> doing the "right" or the "wrong" way.  There is NO "right" way to
> support bulk-e-mail non-opt-in mailers, period.

There's the hyperbole again. You are welcome to your opinion that a poorly 
presented already-checked box on a form amounts to 'sneaking' permission 
to send spam, but it is *still* opt-in. So again, you shoot a reasonable 
argument in the foot by calling it 'non-opt-in'.....

> Until the bulk-email-advertisers PAY $0.25 or $0.15 or $0.44 or whatever 
> the paper-bulk-mailers pay for EACH one of their 
> "bulk-email-advertisements" they send out, they are nothing more than 
> flies on the back of the dog, stealing resources from everyone else.

Strictly speaking, legitimate bulk mailers DO pay for their servers and 
their internet connectivity. Indeed, there is considerable argument to be 
made for the idea that a lot of their money goes towards making YOUR 
internet as cheap as it is. The 'fleas on the back of the dog' are the 
bulk mailers who are genuine criminals, hijacking computers to send their 
spew.

> When my employer has to drop thousands of dollars into mailserver 
> hardware to buy a bigger and faster server so as to handle the increased 
> workload that these bulk-email-advertisers are laying on, a workload 
> that 98% of my paying customers don't give a rat's ass if it comes into 
> their mailbox or not, my employer has less money to pay ME, thus, in my 
> view, those bulk-email-advertisers are stealing money out of MY pocket.

If your customers WANT that e-mail, and choose YOU (your company) as the 
means to get it, then they are PAYING you to be stupid sheep receiving 
bulk e-mail and you profit from it. Not the way *I* make *my* money here, 
but if you are counting the 'dollar impact' of bulk mail, keep in mind 
that if it's not 'spam', someone WANTS it, and they are paying YOU for the 
privilege of getting it. :)

> When those people see fit to explain how they are HELPING the Internet,
> then I'll listen.  So far, all I hear is crickets chirping.

Well, I'm not 'those people', but it is a truism on the net that many of 
the biggest developments in technology have been driven by the demands of 
the *porn* industry. LOL

The web, after all is said and done, is a commercial enterprise. People 
make money using it. It just sucks when criminals try to make money by 
using *my* resources. I'm with you on the bitter anger raised by having 
spam (not wanted) clog my servers. But this really is a case of not 
throwing the baby out with the bathwater....

- C
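
The tier-aware scoring suggested in the message above, sketched as an added SpamAssassin rules fragment (not part of the original thread and not the rules shipped with SpamAssassin). The zone `accredit.example.`, the last-octet ranges, the `EXAMPLE_WL_*` rule names and the scores are constructed placeholders, not Habeas or Return Path values.

```conf
# Added example. The zone, octet ranges, rule names and scores below are
# constructed placeholders; substitute the values the list operator publishes.

# Before: one binary rule. Any A record returned by the zone earns the full
# bonus, so the weakest accreditation tier is trusted as much as the strongest.
#   header   EXAMPLE_WL_ANY   eval:check_rbl('examplewl-firsttrusted', 'accredit.example.')
#   tflags   EXAMPLE_WL_ANY   net nice
#   score    EXAMPLE_WL_ANY   -4.0

# After: a single DNS lookup, with sub-rules keyed on the last octet of the answer.
# The "-firsttrusted" set suffix limits the check to the IP that connected to the
# first trusted relay, so earlier Received headers, which a sender can forge,
# are not consulted.
header   __EXAMPLE_WL        eval:check_rbl('examplewl-firsttrusted', 'accredit.example.')
tflags   __EXAMPLE_WL        net nice

# Constructed tier: confirmed opt-in (last octet 10-19) keeps the negative score.
header   EXAMPLE_WL_COI      eval:check_rbl_sub('examplewl-firsttrusted', '^127\.0\.0\.1\d$')
describe EXAMPLE_WL_COI      Sender accredited, confirmed opt-in tier
tflags   EXAMPLE_WL_COI      net nice
score    EXAMPLE_WL_COI      -4.0

# Constructed tier: single opt-in (last octet 20-29) is recorded but near-neutral.
header   EXAMPLE_WL_SOI      eval:check_rbl_sub('examplewl-firsttrusted', '^127\.0\.0\.2\d$')
describe EXAMPLE_WL_SOI      Sender accredited, single opt-in tier
tflags   EXAMPLE_WL_SOI      net nice
score    EXAMPLE_WL_SOI      -0.001

# Constructed tier: lowest tier (last octet 30-39) is recorded but near-neutral,
# which makes it visible in reports when checking which tier let spam through.
header   EXAMPLE_WL_LOW      eval:check_rbl_sub('examplewl-firsttrusted', '^127\.0\.0\.3\d$')
describe EXAMPLE_WL_LOW      Sender accredited, lowest tier
tflags   EXAMPLE_WL_LOW      net nice
score    EXAMPLE_WL_LOW      -0.001
```

With per-tier rule names in the message report, the question asked above (which tier the problematic senders fall in) can be answered by counting rule hits in a spam corpus.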

Re: [sa] Re: Suggestion for use by ANY whitelist service....

Posted by Charles Gregory <cg...@hwcn.org>.
On Tue, 8 Dec 2009, Yet Another Ninja wrote:
> Save your bullets.
> Habeas is history... it's been swallowed and the "new" mothership will be in 
> SA 3.3.0

Cryptic, but raising hopes. Could you please explain this remark?

- C

Re: Suggestion for use by ANY whitelist service....

Posted by Jason Bertoch <ja...@i6ix.com>.
Yet Another Ninja wrote:
> Save your bullets.
> Habeas is history... it's been swallowed and the "new" mothership will 
> be in SA 3.3.0
>
> meanwhile you'll probably want to disable the relevant rules.
How about the DNSWL rules?  Are they toast as well, or might they have 
more sane default scores?


Re: Suggestion for use by ANY whitelist service....

Posted by Yet Another Ninja <sa...@alexb.ch>.
On 12/8/2009 9:38 PM, Ted Mittelstaedt wrote:
> Habeas's existence helps to make it more difficult for the
> MAJORITY of people to have these "bulk-email-advertisements" filtered
> from their mail stream, because now that the system admin is giving a
> free pass to all the alleged "bulk-email-advertisers" the majority
> now has the burden placed on it to unsubscribe from these mailing
> lists.  

Save your bullets.
Habeas is history... it's been swallowed and the "new" mothership will 
be in SA 3.3.0

meanwhile you'll probably want to disable the relevant rules.

Re: Suggestion for use by ANY whitelist service....

Posted by Ted Mittelstaedt <te...@ipinc.net>.
Charles Gregory wrote:
> On Mon, 7 Dec 2009, Ted Mittelstaedt wrote:
>>>  Yes, this is the grand new frontier of e-mail marketing. 
>>> Technically, you
>>>  *are* opting-in. It meets satisfactory criteria because you are 
>>> using some
>>>  other form of identification to substantiate that you are *really* you
>>>  (you are buying stuff). But it puts the burden back on the customer to
>>>  remember to later 'opt out' after the genuine purpose for having that
>>>  e-mail has been completed. Very sneaky.
>>
>> So, technically if I hire someone to kill you, I'm technically not
>> guilty of murder since I didn't pull the trigger?  Technically speaking.
> 
> Technically speaking, your analogy is bad, but I'll work with it.

I see no point in beating that analogy to the extent that you have, the
point I made is that it's pretty apparent that purveyors of this "grand 
new frontier" are lying when they make the claim that just because they 
manage with clever fine print language to put the onus back on the 
customer to "remember to opt-out later", that this somehow means the 
customer put forth effort to subscribe to their bulk-email-advertising.

>>>  But now, because 'technically' you have people 'opting-in' you once 
>>> again
>>>  face the problem that *some* people actually *want* the after-sale
>>>  advertising e-mails, and some don't and consider it spam. What default
>>>  score do you set in a situation like that? How much strength does a
>>>  whitelist get?
>>>
>> Well, since it's a MINORITY of my users that WANT the spam....
> 
> We've all agreed that spam, by definition is UNWANTED (advertising) 
> mail, therefore your above statement is an oxymoron. There is NO SUCH 
> THING as 'wanted spam'. This looks like a pathetic word game to get 
> around the fact that some people actually want the mail that YOU don't. 
> So it's "spam" to YOU, but that does not make it "spam" for them, and 
> their right to have their WANTED (AKA NON-SPAM-TO-THEM) mail is just as 
> important, or more so, as your right to blindly stop every ad you can.
> 

The real issue is what constitutes WANTED mail.  I'll
agree that spam that is wanted is "bulk-email-advertising" if you
will agree that "bulk-email-advertising" that is NOT wanted is spam,
OK?

> 
> Yes, that burden exists. Is it fair? Not really. That's why companies 
> like Habeas need to raise their standards to ensure that proper 'double' 
> opt-in is used for all lists.

It is my understanding after reviewing the Habeas material that Habeas
has defined multiple "tiers" of "permission-based" 
"bulk-email-advertising" so that "bulk-email-advertising" senders are
classified now according to the "level" of "opt-in" they do.  The
Redbox-style "bulk-email-advertisers" are the lowest tier, the
people actually running mailing lists that customers have to make
significant effort to get on to, are the highest tier.

> Any website hiding 'we can send you more 
> email' in their boilerplate/policy rather than as a clear "check here to 
> receive future mail" should not be whitelisted. Any website that 'checks 
> the box for you' should NEVER get accreditation.  Indeed, if anyone ever
> starts to identify those kinds of sites, I'd blacklist them, just for 
> that sleazy practice..... :)
> 

Then you probably want to block the lowest level of Habeas-accredited 
"bulk-email-advertisers" since that appears to be what they are.

>>>  BUT WE'RE NOT TALKING ABOUT THIS. The examples cited in recent posts 
>>> have
>>>  been genuine unsolicited mails. Mail to honeypot addresses, etc. 
>>> There is
>>>  an abuse issue, and it is not related to the otherwise worthwhile point
>>>  made above.
> 
> Didn't bother to address this point, did you?
> 

To most users there is no difference
between spam and "bulk-email-advertisements".  They DON'T WANT the
"bulk-email-advertisements" even if they have allegedly "given 
permission" by supplying an e-mail address to do something like rent
a DVD and overlooked unchecking the box in the fine print allowing
the company to send "bulk-email-advertisements" to them.  It is only
a minority that will go out of their way to sign up for 
"bulk-email-advertisements" therefore, that minority should carry
the burden of personally whitelisting these "bulk-email-advertisements"
on a shared mailserver.

Habeas's existence helps to make it more difficult for the
MAJORITY of people to have these "bulk-email-advertisements" filtered
from their mail stream, because now that the system admin is giving a
free pass to all the alleged "bulk-email-advertisers" the majority
now has the burden placed on it to unsubscribe from these mailing
lists.  This is the case unless Habeas changed their business practices 
to ONLY accredit "bulk-email-advertisers" who ran explicit opt-in
(ie: the highest tier)  But if Habeas did, they would not be using
the term "permission-based" e-mail in their business marketing,
they would be using "opt-in" which is the industry-recognized term.

You seem to think that mail to a honeypot is the only form of abuse.
I say that anytime a user gets a "bulk-email-advertisement"
that they don't want, EVEN if they "gave permission" by NOT unchecking
a "can we send you "bulk-email-advertisements" box, that instantly
becomes spam - and thus it is ALSO ABUSE.

And, I would also state that any time a user gets one of these
"bulk-email-advertisements" that they did not EXPLICITLY sign up
for, EVEN IF they don't object to it after getting it, that it is
ALSO abuse.

>>> >  That's why Habeas customers need a whitelist in the first place - 
>>> >  because they are adopting a point of view of what spam is that is 
>>> >  contrary to what most users hold.
>>>  This is self-defeating hyperbole. My first instinct is to argue with 
>>> this
>>>  brash mis-statement of their
>> Who is "their"
> 
> That's your response? You use brash hyperbole to totally skew the motives 
> of Habeas and the people who might use it, and you think to question who 
> I refer to rather than face the bald lie in your hyperbole?
> 

who DID you refer to?  Your statement can be read either way and means
differently depending on how it's read.

>> The real truth of it is Habeas is operating in that grey area of trying
>> to please 2 opposing camps. On the one side they have the e-mail admins
>> that aren't going to use them unless they can convince those admins to 
>> sign on, and unless they can, they won't have anything to sell the 
>> mass-marketers. On the other side they have the mass-marketers who 
>> have an incentive to use guile, and "sneakiness" as you said, to 
>> create large mailing lists of users who may or may not want to be on 
>> those lists, and a huge incentive to push Habeas to ignore complaints 
>> about their mailings.
> 
> Which is all VERY GOOD, and leads back to the single fundamental 
> difference we can make here. Regardless of our *opinions*, if the 
> NUMBERS show that Habeas is letting through spam, then SA is going to 
> adjust its scores accordingly (though I sometimes wish they would react 
> more quickly with interim updates to scores/tests at least every few 
> months). So Habeas ultimately WANTS to keep *us* happy. You and me.
> 

No, what Habeas wants is to get SA to put the support into SA for their
rankings, so that the typical "install-and-ignore" system admin will
be automatically using the Habeas system once they install SA, whether
they agree with it or not.

>> My problem with Habeas, and the reason that I'll never use them on any 
>> mailserver I administer, is that they aren't trying to work with both 
>> those camps to bring them together.  If they were, then a Habeas 
>> representative would be responding to the Habeas detractors posting on
>> the SA mailing list, not you.
> 
> Actually, there is a guy from Habeas on here. But is he really going to 
> talk rationally with someone who accuses him of being in the spammer's 
> pocket and/or redefining the word spam? No.

And why not?  It's those people that he needs to convince that he's
doing a public service, not the ones who already agree with him.  DUH!

> Though honestly, given the 
> nature of this list, I find it a *very* weak response to simply say 
> "file a report" and then not respond when people say that is difficult 
> or doesn't get results.
> 
> Is the 'date the UK' spam STILL coming through for those who complained 
> about it? If so, why hasn't Habeas acted on it yet?
> 
>> They have had the option to do this already for years, now, and have 
>> elected to use implied threats to the world's ISP's, rather than 
>> regularly participating on this list.
> 
> Implied threats? More hyperbole? Got an example?
> 
>> Charles, perhaps in real life you ARE a Habeas employee, which is why 
>> you are so pro-Habeas.
> 
> Actually, I'm pro-make-Habeas-listen-and-respect. Your hyperbole makes 
> us all sound like a bunch of irrational whiners who are 'anti-Habeas' 
> which simply results in a deaf ear where we could really use it the most.
> 
>> I respect a company that is out there doing something that I disagree 
>> with, and is willing to come and debate with me why they have chosen 
>> to do it...
> 
> Then stop with the hyperbole. Stop calling wanted mail 'spam', and 
> instead open a respectful discussion to have someone at Habeas 
> *question* whether the standards of 'wanted' mail are too loose.

Why?  Habeas has not proven to me yet that what they are doing is
anything more than helping increase "bulk-email-advertising" which
ultimately just gives more coverage to the real spammers who aren't
participating in Habeas in the first place.

In my opinion the issue isn't whether Habeas is doing what they're
doing the "right" or the "wrong" way.  There is NO "right" way to
support bulk-e-mail non-opt-in mailers, period.  Until the 
bulk-email-advertisers PAY $0.25 or $0.15 or $0.44 or whatever the 
paper-bulk-mailers pay for EACH one of their "bulk-email-advertisements" 
they send out, they are nothing more than flies on the back of the dog, 
stealing resources from everyone else.

When my employer has to drop thousands of dollars into mailserver
hardware to buy a bigger and faster server so as to handle the
increased workload that these bulk-email-advertisers are laying on,
a workload that 98% of my paying customers don't give a rat's ass
if it comes into their mailbox or not, my employer has less money to pay 
ME, thus, in my view, those bulk-email-advertisers are stealing money 
out of MY pocket.

> Calling 
> it 'spam' just makes you look like someone who should be ignored. And 
> then they paint us all with that same 'birds of a feather' brush, just 
> the same way you wanted to paint me as a Habeas employee. Really, do you 
> think they read that and want to take you at all seriously? You sound 
> like a conspiracy nut.
> 
> Which is as close to ad-hominem arguing as I ever want to get, but the 
> point is to start being a bit more mature, and not shoot the REST of us 
> here in the metaphoric 'foot' while we're trying to build a respectful 
> relationship with people who just *might* tighten up their rules if we 
> tell them about problems nicely.
>

When those people see fit to explain how they are HELPING the Internet,
then I'll listen.  So far, all I hear is crickets chirping.

Ted

Re: Suggestion for use by ANY whitelist service....

Posted by Charles Gregory <cg...@hwcn.org>.
On Mon, 7 Dec 2009, Ted Mittelstaedt wrote:
>>  Yes, this is the grand new frontier of e-mail marketing. Technically, you
>>  *are* opting-in. It meets satisfactory criteria because you are using some
>>  other form of identification to substantiate that you are *really* you
>>  (you are buying stuff). But it puts the burden back on the customer to
>>  remember to later 'opt out' after the genuine purpose for having that
>>  e-mail has been completed. Very sneaky.
>
> So, technically if I hire someone to kill you, I'm technically not
> guilty of murder since I didn't pull the trigger?  Technically speaking.

Technically speaking, your analogy is bad, but I'll work with it. To make 
it work, the two aspects that matter are:

1) You (murderer) used a sneaky method to get me to sign up for a service 
to be beaten up (I'm a masochist, okay?), but failed to notice the option 
that says "in addition to the requested beating the customer is also 
asking to be murdered". So technically it's not murder. At best it's 
assisted suicide.

2) When you hire someone to murder me, you show them that you got 
'permission' on your website form, so the guy you hire doesn't think he's 
being asked to murder anyone, but merely provide a *requested* service.

The arguments and issues with respect to that third party is to exercise 
due diligence in determining whether I *really* MEANT to request my 
murder. :)

>>  But now, because 'technically' you have people 'opting-in' you once again
>>  face the problem that *some* people actually *want* the after-sale
>>  advertising e-mails, and some don't and consider it spam. What default
>>  score do you set in a situation like that? How much strength does a
>>  whitelist get?
>> 
> Well, since it's a MINORITY of my users that WANT the spam....

We've all agreed that spam, by definition is UNWANTED (advertising) mail, 
therefore your above statement is an oxymoron. There is NO SUCH THING as 
'wanted spam'. This looks like a pathetic word game to get around the fact 
that some people actually want the mail that YOU don't. So it's "spam" to 
YOU, but that does not make it "spam" for them, and their right to have 
their WANTED (AKA NON-SPAM-TO-THEM) mail is just as important, or more so, 
as your right to blindly stop every ad you can.

Stop mussing up the arguments with idiotic straw man arguments. Or it will 
quickly become a one-sided argument.

> Because the fact is if I use Habeas then the majority who DON'T want the
> marketing stuff, (or don't care either way) even though they "technically" 
> signed up for it, now have the burden of unsubscribing or blacklisting.

Yes, that burden exists. Is it fair? Not really. That's why companies like 
Habeas need to raise their standards to ensure that proper 'double' opt-in 
is used for all lists. Any website hiding 'we can send you more email' in 
their boilerplate/policy rather than as a clear "check here to receive 
future mail" should not be whitelisted. Any website that 'checks the box 
for you' should NEVER get accreditation. Indeed, if anyone ever starts to 
identify those kinds of sites, I'd blacklist them, just for that sleazy 
practice..... :)

>>  BUT WE'RE NOT TALKING ABOUT THIS. The examples cited in recent posts have
>>  been genuine unsolicited mails. Mail to honeypot addresses, etc. There is
>>  an abuse issue, and it is not related to the otherwise worthwhile point
>>  made above.

Didn't bother to address this point, did you?

>> >  That's why Habeas customers need a whitelist in the first place - 
>> >  because they are adopting a point of view of what spam is that is 
>> >  contrary to what most users hold.
>>  This is self-defeating hyperbole. My first instinct is to argue with this
>>  brash mis-statement of their
> Who is "their"

That's your response? You use brash hyperbole to totally skew the motives 
of Habeas and the people who might use it, and you think to question who I 
refer to rather than face the bald lie in your hyperbole?

> The real truth of it is Habeas is operating in that grey area of trying
> to please 2 opposing camps. On the one side they have the e-mail admins
> that aren't going to use them unless they can convince those admins to sign 
> on, and unless they can, they won't have anything to sell the mass-marketers. 
> On the other side they have the mass-marketers who have an incentive to use 
> guile, and "sneakiness" as you said, to create large mailing lists of 
> users who may or may not want to be on those lists, and a huge 
> incentive to push Habeas to ignore complaints about their mailings.

Which is all VERY GOOD, and leads back to the single fundamental 
difference we can make here. Regardless of our *opinions*, if the NUMBERS 
show that Habeas is letting through spam, then SA is going to adjust its 
scores accordingly (though I sometimes wish they would react more quickly 
with interim updates to scores/tests at least every few months). So Habeas 
ultimately WANTS to keep *us* happy. You and me.

> My problem with Habeas, and the reason that I'll never use them on any 
> mailserver I administer, is that they aren't trying to work with both those 
> camps to bring them together.  If they were, then a Habeas representative 
> would be responding to the Habeas detractors posting on
> the SA mailing list, not you.

Actually, there is a guy from Habeas on here. But is he really going to 
talk rationally with someone who accuses him of being in the spammer's 
pocket and/or redefining the word spam? No. Though honestly, given the 
nature of this list, I find it a *very* weak response to simply say "file 
a report" and then not respond when people say that is difficult or 
doesn't get results.

Is the 'date the UK' spam STILL coming through for those who complained 
about it? If so, why hasn't Habeas acted on it yet?

> They have had the option to do this already for years, now, and have 
> elected to use implied threats to the world's ISP's, rather than 
> regularly participating on this list.

Implied threats? More hyperbole? Got an example?

> Charles, perhaps in real life you ARE a Habeas employee, which is why 
> you are so pro-Habeas.

Actually, I'm pro-make-Habeas-listen-and-respect. Your hyperbole makes us 
all sound like a bunch of irrational whiners who are 'anti-Habeas' which 
simply results in a deaf ear where we could really use it the most.

> I respect a company that is out there doing something that I disagree 
> with, and is willing to come and debate with me why they have chosen to 
> do it...

Then stop with the hyperbole. Stop calling wanted mail 'spam', and instead 
open a respectful discussion to have someone at Habeas *question* whether 
the standards of 'wanted' mail are too loose. Calling it 'spam' just makes 
you look like someone who should be ignored. And then they paint us all 
with that same 'birds of a feather' brush, just the same way you wanted to 
paint me as a Habeas employee. Really, do you think they read that and 
want to take you at all seriously? You sound like a conspiracy nut.

Which is as close to ad-hominem arguing as I ever want to get, but the 
point is to start being a bit more mature, and not shoot the REST of us 
here in the metaphoric 'foot' while we're trying to build a respectful 
relationship with people who just *might* tighten up their rules if we 
tell them about problems nicely.

- C

Re: Suggestion for use by ANY whitelist service....

Posted by Jonas Eckerman <jo...@frukt.org>.
Assuming "they" below refers to Habeas. Please ignore this mail if it 
refers to Return Path.

Ted Mittelstaedt wrote:

> They have had the option to do this already for years, now, and have 
> elected to use implied threats to the world's ISP's, rather than 
> regularly participating on this list.

To my knowledge Return Path hasn't owned Habeas for "years" yet (I think 
they bought it a little more than a year ago or so).

If your view of Return Path is the same as your view of Habeas your 
statement makes sense, but otherwise I think you ought to let your view 
of Return Path color your opinions of Habeas.

This might still be a good time (though a little late) to get Habeas' 
current owners to make the necessary changes to the Habeas part of their 
company for the Habeas brand to get a somewhat better reputation among 
anti-spam folk. After all, the reputation of Habeas can now tarnish the 
reputation of their main brand as well.

Regards
/Jonas
-- 
Jonas Eckerman
Fruktträdet & Förbundet Sveriges Dövblinda
http://www.fsdb.org/
http://www.frukt.org/
http://whatever.frukt.org/

Re: Suggestion for use by ANY whitelist service....

Posted by Ted Mittelstaedt <te...@ipinc.net>.
Charles Gregory wrote:
> On Fri, 4 Dec 2009, Ted Mittelstaedt wrote:
>>>  What are you asking? Obviously 'unsolicited' is NOT 'wanted', so 
>>> therefore
>>>  by using the word 'wanted' I am by definition meaning *solicited*. That
>>>  means someone ASKED for the mail. REQUESTED it via an
>>>  opt-in mechanism, with confirmation.
>> I will then have to REPEAT that this will NEVER fly.
> 
> If you mean the marketers will fight to get around it, well, of course, 
> that is their goal in life: Trying to look legitimate while skirting the 
> thin edge of spamming....
> 
>> If you look at return path they are ....
>> whitelisting "permission-based" e-mail.
> ...(snipped good 'redbox' example)
> 
> Yes, this is the grand new frontier of e-mail marketing. Technically, 
> you *are* opting-in. It meets satisfactory criteria because you are 
> using some other form of identification to substantiate that you are 
> *really* you (you are buying stuff). But it puts the burden back on the 
> customer to remember to later 'opt out' after the genuine purpose for 
> having that e-mail has been completed. Very sneaky.
> 

So, technically if I hire someone to kill you, I'm technically not
guilty of murder since I didn't pull the trigger?  Technically speaking.

> But now, because 'technically' you have people 'opting-in' you once 
> again face the problem that *some* people actually *want* the after-sale 
> advertising e-mails, and some don't and consider it spam. What default 
> score do you set in a situation like that? How much strength does a 
> whitelist get?
> 

Well, since it's a MINORITY of my users that WANT the spam it seems to 
me that the burden of whitelisting should be put on them.  That seems to
be the fair thing.

Because the fact is if I use Habeas then the majority who DON'T want the
marketing stuff, (or don't care either way) even though they "technically" 
signed up for it, now have the burden of unsubscribing or blacklisting.

>> No, the recipients HAVE NOT explicitly requested an opt-in, they have
>> merely NOT explicitly requested to opt-out when they provided their
>> e-mail address for some other reason.
> 
> Now I don't *know* Habeas policy, but I would suspect that they would 
> require any company of this type to have a click-box that, if left 
> unchecked, results in no further mail than that necessary to complete 
> the transaction. If they don't then the value of the whitelist is 
> degraded, and so it should not be favored by mail filters like SA.
> 
> BUT WE'RE NOT TALKING ABOUT THIS. The examples cited in recent posts 
> have been genuine unsolicited mails. Mail to honeypot addresses, etc. 
> There is an abuse issue, and it is not related to the otherwise 
> worthwhile point made above.
> 
>>>  And yes, people *do* request notices of weekly specials at their 
>>> computer
>>>  store, and ads for the next event at the coliseum. There is a lot of
>>>  legitimate e-mail advertising. None of it is (should be) 'unsolicited'.
> 
>> Wrong.
>> People fall into a bell-curve on this issue.
> 
> Thank you for clarifying that yes, my point is that SOME people (not 
> 'all') sign up for these e-mails. Doesn't make me 'wrong'. Just means 
> you read into my words an 'all' that I did not explicitly use.
> 
>> That's why Habeas customers need a whitelist in the first place - 
>> because they are adopting a point of view of what spam is that is 
>> contrary to what most users hold.
> 
> This is self-defeating hyperbole. My first instinct is to argue with 
> this brash mis-statement of their

Who is "their"

> intent and practices. So please avoid 
> this
> kind of hyped garbage and stick to the simple facts you presented in the 
> rest of your post which say it like it really is.
> 
> Habeas *says* they review each client carefully. So the question is 
> whether they are doing a good enough job. People who wish to entertain 
> accusations that they are deliberately doing a poor one for profit *may* 
> have a point, but I consider it unlikely, as Habeas has a strong 
> profit-driven motive to NOT be viewed as unreliable in the community.
>

The real truth of it is Habeas is operating in that grey area of trying
to please 2 opposing camps.  On the one side they have the e-mail admins
that aren't going to use them unless they can convince those admins to 
sign on, and unless they can, they won't have anything to sell the 
mass-marketers.  On the other side they have the mass-marketers who have 
an incentive to use guile, and "sneakiness"
as you said, to create large mailing lists of users who may or may not 
want to be on those lists, and a huge incentive to push Habeas to ignore 
complaints about their mailings.

My problem with Habeas, and the reason that I'll never use them on any 
mailserver I administer, is that they aren't trying to work with both 
those camps to bring them together.  If they were, then a Habeas 
representative would be responding to the Habeas detractors posting on
the SA mailing list, not you.

Instead, Habeas is trying to strong-arm both those groups.  To the 
mass-mailers they are saying "all the mailserver admins out there are 
using us, so unless you use us, everyone will delete your mass-mail" 
To the admins, they are saying that "all the legitimate mass-mailers are 
using us, so your users are going to complain about FP's unless you use 
us".  To people like me and Richard, who bring up perfectly legitimate 
examples like the redbox example, and who understand what they are all 
about, they IGNORE us, because they figure that there's plenty of 
stupider mailserver admins out there that are easier to cow, and once 
they get the rest of them cowed into using their stuff, then people like 
me won't have any choice but to use them.

> If we stop with the crazy 'who is in whose pocket' kind of junk, and dig 
> into what is really happening, this company may take us seriously and 
> consider it in its own best interests to investigate the way spam (true 
> unsolicited, NEVER approved) *is* being accredited by their whitelists 
> and delivered to addresses that can be demonstrated to be 100% certain 
> to have never requested it.
>

They have had the option to do this already for years, now, and have 
elected to use implied threats to the world's ISP's, rather than 
regularly participating on this list.

I'll tell you what would make me change my mind and use Habeas.  It 
would be if a Habeas employee regularly monitored this list, and posted 
corrections to some of the more outrageous mis-statements as to how they 
operate.  It would be if Habeas contributed code and rulesets to the SA
project itself.  That is what Cisco corporation does with the cisco-nsp 
mailing list.  Cisco PARTICIPATES, albeit in a non-official manner, they
have one employee who tries to help answer questions and identifies 
himself as a Cisco employee, and Cisco has released thousands of lines 
of open source code to the community, and many good utilities.  For
example I've used the Cisco TFTP server under Windows many times to TFTP 
update devices that aren't even Cisco devices.

Charles, perhaps in real life you ARE a Habeas employee, which is why 
you are so pro-Habeas.  But, the fact is that Habeas doesn't have any 
credibility in my book as long as their employees only go where they 
have cheering choirs.

I respect a company that is out there doing something that I disagree 
with, and is willing to come and debate with me why they have chosen to 
do it, and who has solid legitimate reasons for doing what they are 
doing.  For example, PGE runs the Boardman coal plant that has the 
highest mercury emissions in the country.  I don't like it, since I 
think that coal is not a long term solution to electrical generation. 
But, I respect PGE because even though I'd like to see them shut 
Boardman down, PGE is also going great guns to get adequate wind 
capacity generation online, has some more hundreds of millions of 
dollars budgeted for even more pollution controls on Boardman in the 
future, and if they shut Boardman down right now and bought power 
elsewhere, it would just be generated by coal elsewhere so there would 
be no net decrease in coal electrical generation.  These are solid 
reasons and PGE has and continues to make attempts to reach out to the 
various environmental camps that oppose Boardman.

Habeas, by contrast, isn't helping me when they are working to 
essentially help legitimize spamming, and they are too much a coward 
(apparently) to come here and justify why they are doing it.  You don't 
seem to understand that it's not our business to come crawling to 
Habeas, begging them to take us seriously.  We have a public forum, they 
can participate if they want.  They have chosen not to, and instead 
chosen to try to force mailserver admins to use them on their terms.

Well, you can do what you want, but I am one mailserver admin who has 
chosen to NOT use them.

Ted

Re: Suggestion for use by ANY whitelist service....

Posted by Charles Gregory <cg...@hwcn.org>.
On Fri, 4 Dec 2009, Ted Mittelstaedt wrote:
>>  What are you asking? Obviously 'unsolicited' is NOT 'wanted', so therefore
>>  by using the word 'wanted' I am by definition meaning *solicited*. That
>>  means someone ASKED for the mail. REQUESTED it via an
>>  opt-in mechanism, with confirmation.
> I will then have to REPEAT that this will NEVER fly.

If you mean the marketers will fight to get around it, well, of course, 
that is their goal in life: Trying to look legitimate while skirting the 
thin edge of spamming....

> If you look at return path they are ....
> whitelisting "permission-based" e-mail.
...(snipped good 'redbox' example)

Yes, this is the grand new frontier of e-mail marketing. Technically, you 
*are* opting-in. It meets satisfactory criteria because you are using some 
other form of identification to substantiate that you are *really* you 
(you are buying stuff). But it puts the burden back on the customer to 
remember to later 'opt out' after the genuine purpose for having that 
e-mail has been completed. Very sneaky.

But now, because 'technically' you have people 'opting-in' you once again 
face the problem that *some* people actually *want* the after-sale 
advertising e-mails, and some don't and consider it spam. What default 
score do you set in a situation like that? How much strength does a 
whitelist get?

> No, the recipients HAVE NOT explicitly requested an opt-in, they have
> merely NOT explicitly requested to opt-out when they provided their
> e-mail address for some other reason.

Now I don't *know* Habeas policy, but I would suspect that they would 
require any company of this type to have a click-box that, if left 
unchecked, results in no further mail than that necessary to complete the 
transaction. If they don't then the value of the whitelist is degraded, 
and so it should not be favored by mail filters like SA.

BUT WE'RE NOT TALKING ABOUT THIS. The examples cited in recent posts have 
been genuine unsolicited mails. Mail to honeypot addresses, etc. There is 
an abuse issue, and it is not related to the otherwise worthwhile point 
made above.

>>  And yes, people *do* request notices of weekly specials at their computer
>>  store, and ads for the next event at the coliseum. There is a lot of
>>  legitimate e-mail advertising. None of it is (should be) 'unsolicited'.

> Wrong.
> People fall into a bell-curve on this issue.

Thank you for clarifying that yes, my point is that SOME people (not 
'all') sign up for these e-mails. Doesn't make me 'wrong'. Just means you 
read into my words an 'all' that I did not explicitly use.

> That's why Habeas customers need a whitelist in the first place - 
> because they are adopting a point of view of what spam is that is 
> contrary to what most users hold.

This is self-defeating hyperbole. My first instinct is to argue with this 
brash mis-statement of their intent and practices. So please avoid this
kind of hyped garbage and stick to the simple facts you presented in the 
rest of your post which say it like it really is.

Habeas *says* they review each client carefully. So the question is 
whether they are doing a good enough job. People who wish to entertain 
accusations that they are deliberately doing a poor one for profit *may* 
have a point, but I consider it unlikely, as Habeas has a strong 
profit-driven motive to NOT be viewed as unreliable in the community.

If we stop with the crazy 'who is in whose pocket' kind of junk, and dig 
into what is really happening, this company may take us seriously and 
consider it in its own best interests to investigate the way spam (true 
unsolicited, NEVER approved) *is* being accredited by their whitelists and 
delivered to addresses that can be demonstrated to be 100% certain to have 
never requested it.

- Charles

Re: [sa] Re: Suggestion for use by ANY whitelist service....

Posted by Ted Mittelstaedt <te...@ipinc.net>.
Charles Gregory wrote:
> On Fri, 4 Dec 2009, Ted Mittelstaedt wrote:
>> That wouldn't ever happen because the whole point of the CAN-SPAM
>> act is to allow the spammers to send out the "first" mail.  Direct 
> e-mail mailers just set up fake company after fake company, so they can
>> repeatedly spam the "first time" over and over again.
> 
> Well, if a company wants to sell a 'reputation', then it has to have 
> more behind it than letting in 'first time' companies. Any registration 
> process should involve a clear investigation of whether a business is 
> merely a 'front' for a spammer. Shouldn't be too hard to spot.
> 
>> Who exactly are those mailers?  Just curious since I've never in my 
>> life seen an unsolicited commercial e-mail from a list that I never 
>> opted in on in the first place, that I "wanted"
> 
> What are you asking? Obviously 'unsolicited' is NOT 'wanted', so 
> therefore by using the word 'wanted' I am by definition meaning 
> *solicited*. That means someone ASKED for the mail. REQUESTED it via an
> opt-in mechanism, with confirmation.

I will then have to REPEAT that this will NEVER fly.  The devil is in
the details, here.

If you look at return path they aren't talking about opt-in mailing
lists because that's NOT what they are whitelisting.  They are 
whitelisting "permission-based" e-mail.

What this means is for example I go to Redbox to rent a DVD, which
requires me to put in my e-mail address, and the
rental process has some boilerplate in it that in the small print
says I will get e-mails from redbox.

It does NOT mean that I deliberately e-mailed redbox to get on their
list, then responded in the affirmative to a confirmation mail.  THAT
is a true "opt-in".  Companies that do their mailing list that way, and 
there's many that do, don't need what a whitelist service provides 
because since the user was looking for a confirmation, they are going to 
know that when it doesn't come that it got in their spam folder, so they 
are going to look in there, pull it out, and whitelist the sender in 
their private whitelists.

The companies that need a whitelist service are the ones like Redbox who 
are gathering e-mail addresses as part of some other function then using
them to market.  They need Habeas and friends because since the user who 
supplied them with their e-mail address didn't bother to read the fine
print the company's "first" mail is going to be unexpected, as a result
it will normally go into the user's spam folder and never be seen and
the user will never pull it out and put it in their own personal whitelist.

> Companies that apply for habeas 
> accreditation send
> material that has similar *content* to spam (buzzwords like percentages 
> off and the like) that might make a spam filter *mistake* their ad for 
> an unsolicited spam, but which should NOT be blocked because the 
> recipients HAVE requested and WANT the mail. It is SOLICITED.
>

No, the recipients HAVE NOT explicitly requested an opt-in, they have
merely NOT explicitly requested to opt-out when they provided their
e-mail address for some other reason.

> And yes, people *do* request notices of weekly specials at their 
> computer store, and ads for the next event at the coliseum. There is a 
> lot of legitimate e-mail advertising. None of it is (should be) 
> 'unsolicited'.
> 

Wrong.

People fall into a bell-curve on this issue.

There's a small number of consumers who go out of their way to sign
up for all of the e-mail lists run by all the companies they buy from.

There's a small number who go out of their way to unsubscribe from
all the e-mail lists run by all the companies they buy from.

But the majority don't care one way or another.  They won't go out
of their way to sign up for notices from the vendors they buy from,
but if that vendor signs them up, they won't go out of their way
to unsubscribe.

What's happened in the "commercial spamming" business is that the
spammers have figured this out, and managed to convince the legitimate
companies out there that if their customer doesn't object if they
start sending advertising e-mails to them, that the customer has "given 
permission to be spammed".  So those companies create flimsy pretexts to 
obtain e-mail addresses from customers that are supposedly for other 
reasons than spamming them, and then they put in the fine print during 
that obtaining process a check box to uncheck being on the spam list,
and the customers in the middle of the bell curve don't go out of
their way to uncheck it and then Habeas considers this as "having
obtained permission to spam" for that customer.  That's why Habeas
customers need a whitelist in the first place - because they are 
adopting a point of view of what spam is that is contrary to what
most users hold.

Ted

Re: [sa] Re: Suggestion for use by ANY whitelist service....

Posted by Charles Gregory <cg...@hwcn.org>.
On Fri, 4 Dec 2009, Ted Mittelstaedt wrote:
> That wouldn't ever happen because the whole point of the CAN-SPAM
> act is to allow the spammers to send out the "first" mail.  Direct e-mail 
> mailers just set up fake company after fake company, so they can
> repeatedly spam the "first time" over and over again.

Well, if a company wants to sell a 'reputation', then it has to have more 
behind it than letting in 'first time' companies. Any registration process 
should involve a clear investigation of whether a business is merely a 
'front' for a spammer. Shouldn't be too hard to spot.

> Who exactly are those mailers?  Just curious since I've never in my life 
> seen an unsolicited commercial e-mail from a list that I never opted in 
> on in the first place, that I "wanted"

What are you asking? Obviously 'unsolicited' is NOT 'wanted', so therefore 
by using the word 'wanted' I am by definition meaning *solicited*. That 
means someone ASKED for the mail. REQUESTED it via an opt-in mechanism, 
with confirmation. Companies that apply for habeas accreditation send
material that has similar *content* to spam (buzzwords like percentages 
off and the like) that might make a spam filter *mistake* their ad for 
an unsolicited spam, but which should NOT be blocked because the 
recipients HAVE requested and WANT the mail. It is SOLICITED.

And yes, people *do* request notices of weekly specials at their computer 
store, and ads for the next event at the coliseum. There is a lot of 
legitimate e-mail advertising. None of it is (should be) 'unsolicited'.

- Charles

Re: Suggestion for use by ANY whitelist service....

Posted by Ted Mittelstaedt <te...@ipinc.net>.
Charles Gregory wrote:
> 
> All this debate about 'legitimate' mail services like 'returnpath'
> being abused by 'sneaky' spammers. How is that possible? There should be 
> easy ways to prevent it. Here's a few ideas:
> 
> As soon as any whitelist service like 'returnpath' accepts a client, 
> they perform the following:
> 
> 1) Review the client's address list - look for honeypot addresses.
>    If any are found, clearly the client has not vetted their list.
> 
> 2) Perform their OWN 'opt-in' mailout to that list.
>      "Hello, we at (company eg. Returnpath) have contracted to operate a
>       mailing list on behalf of (client name). They have provided your
>       address as one that has *requested* advertising mailouts from their
>       company. We respectfully request that you verify this
>       subscription/request by replying to this e-mail. IF you do nothing,
>       this will be your last mailing from this company."
> 

That wouldn't ever happen because the whole point of the CAN-SPAM
act is to allow the spammers to send out the "first" mail.  Direct 
e-mail mailers just set up fake company after fake company, so they can
repeatedly spam the "first time" over and over again.

> I'm sure we would all live with the occasional true 'opt-in' request, if 
> we knew that the end result would be that it would stifle spam by giving 
> the legitimate mailers, the ones whose mail we *want* anyway,

Who exactly are those mailers?  Just curious since I've never in my
life seen an unsolicited commercial e-mail from a list that I never 
opted in on in the first place, that I "wanted"

Ted

Re: Suggestion for use by ANY whitelist service....

Posted by Charles Gregory <cg...@hwcn.org>.
On Sat, 5 Dec 2009, R-Elists wrote:
> Nyet, nyet, nyet... we would *not* all live with the occasional "opt-in"
> request from Return Path.
>
> frankly, nothing against them, yet if an organization really needs Return
> Path to get their email through to mailboxes without rejection, then doesn't
> the originator of the email have problems?

Yes. The problem is called a FALSE POSITIVE. Legitimate mail, perhaps not 
even primarily advertising but only discussions, misflagged as spam.

Example: The originator of the e-mail is the genuine seller of a drug, 
and operates a closed mailing list for physicians to discuss that drug, 
but the drug is scored overly high in combination with other buzzwords 
such as body parts (relevant to the drug). For a small list, individual 
correspondence can promote personal whitelists, but for a large forum, 
with thousands of users, it becomes a hassle.

> ...your usage of the "true" qualifier was interesting though...  ;-)

(nod) I have heard more claims of 'opt-in' regarding addresses in my 
control that never ever subscribe, nor even send mail, that there is most 
certainly a broad category of 'untrue' opt-ins.... :)

- C

Re: Suggestion for use by ANY whitelist service....

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Sun, 2009-12-06 at 12:02 -0700, LuKreme wrote:
> On 6-Dec-2009, at 02:24, richard@buzzhost.co.uk wrote:
> > A truly clean company that always uses opt-in and never spams has
> > nothing to fear from any anti-spam measure.
> 
> Oh, that is CERTAINLY not true. It's not even true of just SpamAssassin, but it is completely disingenuous to claim that for ANY anti-spam measure. Completely clean messages that are not spam get mis-tagged ALL THE TIME. I dig mails out of my spam folder that I want at least on a weekly basis.
> 
> Just this week I had someone I know quite well send me an evite invitation to a meeting next week. It was tagged with Bayes_99, probably due to all the fake 'marketing seminar' invitations that go out.
> 
> Ironically enough, this one would have still squeaked under the wire had I not tagged it +2.0 for HABEAS_ACCREDITED_SOI, but that's another thread :)
> 
> Another was an email from a friend of mine that for some odd reason tripped bayes_99 and a relay check and a couple of others. So there's two this week.
> 
> OTOH, there's 410 more spam messages in that folder from this week that all appear to be correctly tagged.
> 
That would point more to the quality of the Bayesian db's IMHO, but it was careless to say 'any'. The point to get across is reputable businesses
should not need the services of an ESP who attempts to subvert anti-spam systems. Optimising email for delivery is quite one thing, getting into bed with
anti-spam vendors and coders to seriously weight the deck in the favour of the bulker is not acceptable.

ESP's are to be distrusted. They are mostly the devil's advocate and I don't think that is unfair. When you have people like eBay spending money with you,
you are not going to say 'sorry, we are dropping you because you occasionally spam millions of your users'. Feedback reminders spring to mind. A link tells
you that you can update the preference to stop them, but follow the link and the option is nowhere to be found - but you get to see the latest ads going there.


Re: Suggestion for use by ANY whitelist service....

Posted by LuKreme <kr...@kreme.com>.
On 6-Dec-2009, at 02:24, richard@buzzhost.co.uk wrote:
> A truly clean company that always uses opt-in and never spams has
> nothing to fear from any anti-spam measure.

Oh, that is CERTAINLY not true. It's not even true of just SpamAssassin, but it is completely disingenuous to claim that for ANY anti-spam measure. Completely clean messages that are not spam get mis-tagged ALL THE TIME. I dig mails out of my spam folder that I want at least on a weekly basis.

Just this week I had someone I know quite well send me an evite invitation to a meeting next week. It was tagged with Bayes_99, probably due to all the fake 'marketing seminar' invitations that go out.

Ironically enough, this one would have still squeaked under the wire had I not tagged it +2.0 for HABEAS_ACCREDITED_SOI, but that's another thread :)

Another was an email from a friend of mine that for some odd reason tripped bayes_99 and a relay check and a couple of others. So there's two this week.

OTOH, there's 410 more spam messages in that folder from this week that all appear to be correctly tagged.

-- 
The way I see it, the longer I put it off, the better it'll end up
	being. Heck, school doesn't start for another 43 minutes.


RE: Suggestion for use by ANY whitelist service....

Posted by Charles Gregory <cg...@hwcn.org>.
On Tue, 8 Dec 2009, Mike Cardwell wrote:
> On 08/12/2009 16:35, Charles Gregory wrote:
>> ..... My SMTP gateway (Mail Avenger) works best if mail is scanned for 
>> *all* recipients, and so it is not possible to use individual per-user 
>> Bayes. ....
> In cases where there is only a single recipient, I run SpamAssassin at
> SMTP time as the destination user.

Unfortunately, "Mail Avenger" does not have a mechanism to make decisions 
like that. I simply tell it which script to run against the body/data.
If that script has user-specific code, the SMTP engine forces all
recipients after the first to tempfail before it ever sees the body.
Not the best design, but at least for me it is a simple script-controlled
way of putting SA on the SMTP transaction. :)

This also prevents determination of almost-full mailbox conditions, so 
that I sometimes have to generate bounces... :(

I've written to the Mail Avenger author, hoping he'll add a 'feature' to 
distinguish when there is only one recipient and allow scripts to do more 
under that condition.... no response yet.... :)

- C

Re: [sa] RE: Suggestion for use by ANY whitelist service....

Posted by Mike Cardwell <sp...@lists.grepular.com>.
On 08/12/2009 16:35, Charles Gregory wrote:

> Sadly, with such a diverse user base, I cannot use a single Bayes DB
> that would work well for all our users. My SMTP gateway (Mail Avenger)
> works best if mail is scanned for *all* recipients, and so it is not
> possible to use individual per-user Bayes. This is not an SA problem,
> but just the nature of the SMTP gateway. It has to decide to accept or
> reject the DATA transaction for ALL recipients. Once mail proves to be
> lower scoring than the 10 threshold, individual user whitelists and
> blacklists come into play, and other special per-user tests, but that
> merely results in mail being diverted to their 'spamtrap' folder. I do
> not 'bounce' mail once the SMTP gate is closed. :)

In cases where there is only a single recipient, I run SpamAssassin at
SMTP time as the destination user. In cases where there are multiple
recipients, it runs as the "nobody" user. This allows me to have per
user preferences and bayes applied to the vast majority of incoming
mail, during SMTP; only a tiny proportion of incoming mail here is
multi-recipient... YMMV

-- 
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/
Technical Blog: https://secure.grepular.com/blog/

Re: [sa] RE: Suggestion for use by ANY whitelist service....

Posted by Charles Gregory <cg...@hwcn.org>.
On Mon, 7 Dec 2009, R-Elists wrote:
>> Nonsense. I had to score this list -2000 just to keep it from
>> scoring so darn high that it was hitting the 'automatic'
>> rejection at the SMTP gate before any of my whitelists could
>> function.
> Charles,
> you would be better off properly whitelisting the SA mailing list...
> depending on your situation, possibly to and from...

That -2000 score IS the 'whitelisting'. As mentioned in OP, my SMTP 
gateway is set to detect mail scoring very high (over 10) and issue an 
SMTP REJECT response, so that I don't have to deal with the bounce, or an 
overly cluttered spam file. The very rare false positive results in the 
sender seeing their rejection, so they see what to fix in their mail.
Works well except for cases like the SA list where I trip over my own 
poison pill rules.... LOL

> also possibly telling bayes to ignore those emails to and from as 
> well...

Sadly, with such a diverse user base, I cannot use a single Bayes DB that 
would work well for all our users. My SMTP gateway (Mail Avenger) works 
best if mail is scanned for *all* recipients, and so it is not possible to 
use individual per-user Bayes. This is not an SA problem, but just the 
nature of the SMTP gateway. It has to decide to accept or reject the DATA 
transaction for ALL recipients. Once mail proves to be lower scoring than 
the 10 threshold, individual user whitelists and blacklists come into 
play, and other special per-user tests, but that merely results in mail 
being diverted to their 'spamtrap' folder. I do not 'bounce' mail once the 
SMTP gate is closed. :)

- Charles
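
The SMTP-time policy described in the two messages above (one accept/reject reply to DATA for all recipients at a score of 10, a per-user scan profile only when a single recipient is addressed, per-user whitelists applied only after acceptance), sketched as an added example that is not code from either poster, from Mail Avenger or from SpamAssassin. The scorer callback, the account names, the tagging threshold of 5 and all sample scores are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

REJECT_THRESHOLD = 10.0  # gateway rejects at DATA above this score (figure from the thread)
TAG_THRESHOLD = 5.0      # assumed tagging level (SpamAssassin's default required_score)
SHARED_USER = "nobody"   # shared profile used for multi-recipient mail


@dataclass
class UserPrefs:
    whitelist_from: Set[str] = field(default_factory=set)
    blacklist_from: Set[str] = field(default_factory=set)


@dataclass
class Verdict:
    smtp_reply: str           # the single reply to DATA, shared by every recipient
    scan_user: str            # profile the message was scored under
    score: float
    delivery: Dict[str, str]  # recipient -> "inbox" or "spamtrap"; empty if rejected


def account_of(address: str) -> str:
    # Assumption: the local part of the address is the local account name.
    return address.split("@", 1)[0].lower()


def choose_scan_user(recipients: List[str]) -> str:
    """Use a per-user profile only when exactly one local account is addressed."""
    accounts = {account_of(r) for r in recipients}
    return accounts.pop() if len(accounts) == 1 else SHARED_USER


def smtp_gate(sender: str, recipients: List[str], message: str,
              score_fn: Callable[[str, str], float],
              prefs: Dict[str, UserPrefs]) -> Verdict:
    """Score once, answer DATA once, then apply per-user lists to accepted mail."""
    user = choose_scan_user(recipients)
    score = score_fn(message, user)  # stands in for a scanner call such as `spamc -u <user>`
    if score > REJECT_THRESHOLD:
        # Rejected inside the SMTP transaction: the sending MTA reports the
        # failure, so the gateway never has to generate a bounce. Per-user
        # whitelists are never consulted on this path.
        return Verdict(f"554 5.7.1 rejected, spam score {score:.1f}", user, score, {})
    delivery = {}
    for rcpt in recipients:
        p = prefs.get(account_of(rcpt), UserPrefs())
        if sender in p.blacklist_from:
            folder = "spamtrap"
        elif sender in p.whitelist_from:
            folder = "inbox"
        else:
            folder = "spamtrap" if score >= TAG_THRESHOLD else "inbox"
        delivery[rcpt] = folder  # accepted mail is diverted, never bounced
    return Verdict("250 2.0.0 accepted", user, score, delivery)


# Constructed sample data: a rule score per message plus a Bayes adjustment per profile.
RULE_SCORE = {"pharma-list-digest": 8.0, "newsletter": 4.0}
BAYES_ADJUST = {"alice": -5.0, "nobody": 3.5}  # alice has trained the list as ham
SAMPLE_PREFS = {
    "alice": UserPrefs(whitelist_from={"list@pharma.example"}),
    "bob": UserPrefs(whitelist_from={"news@shop.example"}),
}


def sample_scorer(message: str, user: str) -> float:
    return RULE_SCORE[message] + BAYES_ADJUST.get(user, 0.0)


if __name__ == "__main__":
    both = ["alice@example.org", "bob@example.org"]
    for sender, rcpts, msg in [
        ("list@pharma.example", ["alice@example.org"], "pharma-list-digest"),
        ("list@pharma.example", both, "pharma-list-digest"),
        ("news@shop.example", both, "newsletter"),
    ]:
        print(smtp_gate(sender, rcpts, msg, sample_scorer, SAMPLE_PREFS))
```

The second sample case shows the ordering problem from the thread: alice has whitelisted the list, but the copy addressed to two recipients is scored under the shared profile and rejected before her whitelist is read.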

RE: Suggestion for use by ANY whitelist service....

Posted by R-Elists <li...@abbacomm.net>.
> 
> Nonsense. I had to score this list -2000 just to keep it from 
> scoring so darn high that it was hitting the 'automatic' 
> rejection at the SMTP gate before any of my whitelists could 
> function. Sometimes legit mail scores high. A 'truly clean 
> company' should be permitted to enjoy a 'whitelist' 
> bonus just in case its material *looks* like spam.
> 
> But of course, the whole issue is defining 'truly clean', 
> especially when even the cleanest company can get hacked....
> 
> - C
> 

Charles,

you would be better off properly whitelisting the SA mailing list...
depending on your situation, possibly to and from...

also possibly telling bayes to ignore those emails to and from as well...

 - rh


Re: Suggestion for use by ANY whitelist service....

Posted by Charles Gregory <cg...@hwcn.org>.
On Sun, 6 Dec 2009, richard@buzzhost.co.uk wrote:
> A truly clean company that always uses opt-in and never spams has
> nothing to fear from any anti-spam measure.

Nonsense. I had to score this list -2000 just to keep it from scoring so 
darn high that it was hitting the 'automatic' rejection at the SMTP gate 
before any of my whitelists could function. Sometimes legit mail scores 
high. A 'truly clean company' should be permitted to enjoy a 'whitelist' 
bonus just in case its material *looks* like spam.

But of course, the whole issue is defining 'truly clean', especially when 
even the cleanest company can get hacked....

- C

RE: Suggestion for use by ANY whitelist service....

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Sat, 2009-12-05 at 22:12 -0800, R-Elists wrote:

> 
> frankly, nothing against them, yet if an organization really needs Return
> Path to get their email through to mailboxes without rejection, then doesn't
> the originator of the email have problems?

Of course they do! That's why ESP's exist - because bulk mailers get
blocked and they turn to those that court the anti-spam markets. To get
a handle on it, you only have to bad mouth any of them here, on a spam
list or NANAE and watch them pop up in defence to smooth it all over.

A truly clean company that always uses opt-in and never spams has
nothing to fear from any anti-spam measure.



RE: Suggestion for use by ANY whitelist service....

Posted by R-Elists <li...@abbacomm.net>.
 

> 
> I'm sure we would all live with the occasional true 'opt-in' 
> request, if we knew that the end result would be that it 
> would stifle spam by giving the legitimate mailers, the ones 
> whose mail we *want* anyway, a better chance to reach us.
> 
> - Charles
> 

Charles,

Nyet, nyet, nyet... we would *not* all live with the occasional "opt-in"
request from Return Path.

frankly, nothing against them, yet if an organization really needs Return
Path to get their email through to mailboxes without rejection, then doesn't
the originator of the email have problems?

...your usage of the "true" qualifier was interesting though...  ;-)

 - rh



Re: Suggestion for use by ANY whitelist service....

Posted by Charles Gregory <cg...@hwcn.org>.
On Fri, 4 Dec 2009, richard@buzzhost.co.uk wrote:
>> I disagree.  I think a spam filter should do its best to give a
>> reasonable weight to both whitelists and blacklists.
> In which case how about including several other whitelists and not just
> giving advantage to one?

SA also scores negatively for various IADB rules (whoever they are) as 
well as 'DNSWL'. Not a lot, but really, how many organizations ever had a 
running start at being that reliable? But perhaps they should be reviewed 
and removed if they've been hacked too often....

- C

Re: Suggestion for use by ANY whitelist service....

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Fri, 2009-12-04 at 12:01 -0500, Bowie Bailey wrote:
> richard@buzzhost.co.uk wrote:
> > That to one side, the default for a spam filter should not be to give
> > any weight to a white list unless the user modifies the config
> > themselves specifically. It can be seen to be suspicious and offering a
> > pecuniary advantage to those involved and using it.
> >   
> 
> I disagree.  I think a spam filter should do its best to give a
> reasonable weight to both whitelists and blacklists.

In which case how about including several other whitelists and not just
giving advantage to one?


Re: Suggestion for use by ANY whitelist service....

Posted by Bowie Bailey <Bo...@BUC.com>.
Jason Bertoch wrote:
> Bowie Bailey wrote:
>> In this case, there are a few people complaining about the Habeas
>> rules, but just as many people who do not see any problems.
>>   
> Silence does not necessarily mean assent.  I disabled the Habeas rules
> long ago and therefore have no useful data to add to the thread.  If
> speaking up helps to rid myself of the free ride whitelists receive in
> the default install, then count my vote towards a more sane whitelist
> score.

No, but people with problems are more likely to speak out than people
whose systems are working well.  Besides, once everyone starts talking
about something like this, more people will start checking into it on
their own servers (as I did).  If this were a major problem, I would
expect that as this thread continues, more and more people would look at
their servers and see a problem.  Since I currently see about a 50/50
split (non-scientific guess) between people who have problems with
Habeas and people who don't, and there are a fairly small number of
people on either side of the issue, I would conclude that this is not a
major problem, but rather a problem that affects a subset of users
(possibly determined by their location and userbase).

-- 
Bowie

Re: Suggestion for use by ANY whitelist service....

Posted by Jason Bertoch <ja...@i6ix.com>.
Bowie Bailey wrote:
> In this case, there are a few people complaining about the Habeas
> rules, but just as many people who do not see any problems.
>   
Silence does not necessarily mean assent.  I disabled the Habeas rules 
long ago and therefore have no useful data to add to the thread.  If 
speaking up helps to rid myself of the free ride whitelists receive in 
the default install, then count my vote towards a more sane whitelist score.

Re: Suggestion for use by ANY whitelist service....

Posted by Bowie Bailey <Bo...@BUC.com>.
richard@buzzhost.co.uk wrote:
> That to one side, the default for a spam filter should not be to give
> any weight to a white list unless the user modifies the config
> themselves specifically. It can be seen to be suspicious and offering a
> pecuniary advantage to those involved and using it.
>   

I disagree.  I think a spam filter should do its best to give a
reasonable weight to both whitelists and blacklists.  Obviously, a
default SA install needs a bit of tweaking to get the best accuracy, but
the default install should be as good as possible and that includes
finding the best rules, blacklists, and whitelists to include in the
default ruleset as well as generating reasonable scores for all of them.

Any bad rules (regex rules, blacklists, or whitelists) should show up
quickly enough as just about everyone would start seeing problems with
them.  In this case, there are a few people complaining about the Habeas
rules, but just as many people who do not see any problems.

-- 
Bowie

RE: [sa] Re: Suggestion for use by ANY whitelist service....

Posted by R-Elists <li...@abbacomm.net>.
forgive me for asking this in the middle of this thread yet in all
seriousness...

Q) what is the inverse of Spamassassin ?

i am quite certain that those in the know have spent a lot of time thinking
about HAM signatures.

maybe that isn't quite the right way to say the question...

so, what do you call it?

Ham Catcher?

Ham Identifier?

Pork Platter?

Pork Roaster?

Mail Helper?

it certainly isn't a "whitelist" thing correct??

 - rh


Re: [sa] Re: Suggestion for use by ANY whitelist service....

Posted by Charles Gregory <cg...@hwcn.org>.
On Fri, 4 Dec 2009, richard@buzzhost.co.uk wrote:
> ..... the default for a spam filter should not be to give
> any weight to a white list unless the user modifies the config
> themselves specifically. It can be seen to be suspicious and offering a
> pecuniary advantage to those involved and using it.

If it turns out that the whitelists FAIL to deliver a sufficiently 
reliable 'standard' of only sending e-mails to confirmed double-opt-in 
recipients, then yes, SA should not 'favor' them. But if they offer a 
reliable way to judge mail as 'valid' (by which I mean that the recipient 
in their own sole judgement says "I wanted that") then I see no problem 
with scoring. But based on current examples (datetheuk) I have serious 
reservations that the practical reality meets this standard....

- Charles

Re: Suggestion for use by ANY whitelist service....

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Fri, 2009-12-04 at 11:08 -0500, Charles Gregory wrote:
> All this debate about 'legitimate' mail services like 'returnpath'
> being abused by 'sneaky' spammers. How is that possible? There should be 
> easy ways to prevent it. Here's a few ideas:
> 
> As soon as any whitelist service like 'returnpath' accepts 
> a client, they perform the following:
> 
> 1) Review the client's address list - look for honeypot addresses.
>     If any are found, clearly the client has not vetted their list.
> 
> 2) Perform their OWN 'opt-in' mailout to that list.
>       "Hello, we at (company eg. Returnpath) have contracted to operate a
>        mailing list on behalf of (client name). They have provided your
>        address as one that has *requested* advertising mailouts from their
>        company. We respectfully request that you verify this
>        subscription/request by replying to this e-mail. IF you do nothing,
>        this will be your last mailing from this company."
> 
> I'm sure we would all live with the occasional true 'opt-in' request, if 
> we knew that the end result would be that it would stifle spam by giving 
> the legitimate mailers, the ones whose mail we *want* anyway, a better 
> chance to reach us.
> 
> - Charles
Sensible. I would suggest that 2) forms a footer that the sender cannot
remove and that the ESP was fully responsible for deleting unsubscribes
or anything giving a 5xx error.

That to one side, the default for a spam filter should not be to give
any weight to a white list unless the user modifies the config
themselves specifically. It can be seen to be suspicious and offering a
pecuniary advantage to those involved and using it.




Suggestion for use by ANY whitelist service....

Posted by Charles Gregory <cg...@hwcn.org>.
All this debate about 'legitimate' mail services like 'returnpath'
being abused by 'sneaky' spammers. How is that possible? There should be 
easy ways to prevent it. Here's a few ideas:

As soon as any whitelist service like 'returnpath' accepts 
a client, they perform the following:

1) Review the client's address list - look for honeypot addresses.
    If any are found, clearly the client has not vetted their list.

2) Perform their OWN 'opt-in' mailout to that list.
      "Hello, we at (company eg. Returnpath) have contracted to operate a
       mailing list on behalf of (client name). They have provided your
       address as one that has *requested* advertising mailouts from their
       company. We respectfully request that you verify this
       subscription/request by replying to this e-mail. IF you do nothing,
       this will be your last mailing from this company."

I'm sure we would all live with the occasional true 'opt-in' request, if 
we knew that the end result would be that it would stifle spam by giving 
the legitimate mailers, the ones whose mail we *want* anyway, a better 
chance to reach us.

- Charles
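
The two onboarding steps proposed above, together with the reply's suggestion that the service itself remove unsubscribes and addresses returning a 5xx error, sketched as an added example that is not code from any poster or from any whitelist service. The class and function names, the trap list format and every address are hypothetical and constructed for illustration.

```python
from enum import Enum
from typing import Iterable, List, Set


class State(Enum):
    PENDING = "pending"      # listed by the client, not yet confirmed by the recipient
    CONFIRMED = "confirmed"  # recipient replied to the one confirmation request
    REMOVED = "removed"      # unsubscribed or hard-bounced; never mailed again


class UnvettedList(Exception):
    """Raised when a client list contains honeypot addresses (step 1)."""

    def __init__(self, hits: List[str]):
        super().__init__(f"{len(hits)} honeypot address(es) on client list")
        self.hits = hits


def normalize(address: str) -> str:
    return address.strip().lower()


def honeypot_hits(client_list: Iterable[str], trap_addresses: Set[str],
                  trap_domains: Set[str]) -> List[str]:
    """Step 1: addresses on the list that match a known trap address or trap domain."""
    hits = set()
    for raw in client_list:
        addr = normalize(raw)
        if addr in trap_addresses or addr.rpartition("@")[2] in trap_domains:
            hits.add(addr)
    return sorted(hits)


class OnboardedList:
    def __init__(self, client_list: Iterable[str], trap_addresses: Set[str],
                 trap_domains: Set[str]):
        client_list = list(client_list)
        hits = honeypot_hits(client_list, trap_addresses, trap_domains)
        if hits:
            raise UnvettedList(hits)  # the client has not vetted its own list
        self.state = {normalize(a): State.PENDING for a in client_list}
        self._confirmation_sent = False

    def send_confirmations(self) -> List[str]:
        """Step 2: one confirmation request per address, sent by the service, only once."""
        if self._confirmation_sent:
            return []
        self._confirmation_sent = True
        return sorted(self.state)

    def confirm(self, address: str) -> bool:
        """A reply confirms only an address that is on the list and still pending."""
        addr = normalize(address)
        if self.state.get(addr) is not State.PENDING:
            return False
        self.state[addr] = State.CONFIRMED
        return True

    def unsubscribe(self, address: str) -> None:
        addr = normalize(address)
        if addr in self.state:
            self.state[addr] = State.REMOVED

    def record_smtp_reply(self, address: str, code: int) -> None:
        """Any 5xx reply removes the address; 4xx is temporary and changes nothing."""
        if 500 <= code <= 599:
            self.unsubscribe(address)

    def mailable(self) -> List[str]:
        """Only confirmed addresses receive client mail; silence means no more mail."""
        return sorted(a for a, s in self.state.items() if s is State.CONFIRMED)


if __name__ == "__main__":
    traps, trap_domains = {"trap@honeypot.example"}, {"sinkhole.example"}  # constructed
    lst = OnboardedList(["a@example.org", "b@example.org", "c@example.org"],
                        traps, trap_domains)
    lst.send_confirmations()
    lst.confirm("a@example.org")
    lst.confirm("b@example.org")
    lst.record_smtp_reply("b@example.org", 550)
    print(lst.mailable())
```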

Re: J.D. Falk & Richard dispute (was J.D. Falk...)

Posted by Rob McEwen <ro...@invaluement.com>.
I'm just changing the subject line because I find the previous subject
line to be extremely offensive and out of line.
-----------------------------
As long as we have some spam filters which block some legitimate
confirmed opt-in senders (and/or legit organizations sending to their
unquestionable members), then that makes Return Path's business model
legitimate and helpful.

If anyone believes that Return Path's execution of this business model
ends up giving some spammers a "pass", then they should "shame" Return
Path by pointing out the most egregious examples that come along. But it
is understandable that a few undesirable situations are going to happen
every once in a while, no matter how good and ethical a job is done by
Return Path. So an egregious example that comes up every once in a while
is understandable. (just like it is understandable for a legit hoster to
unknowingly and occasionally sign up a spammer who deceived the
hoster--happens all the time!)

As long as Return Path reacts appropriately to such spammers, and as
long as they are not a constant revolving door for many spammers (or
anything close to that), then I don't see any problems here. I do
understand the argument that their business model might provide
incentives for them to be unethical in the short run just to drum up
extra sales, but this is balanced by the longer-term damage this does to
their reputation.

Amazingly, I deal with black- or "dark gray"-hat ESPs blacklistings on
invaluement.com where the ESP is run by 20-something-year-old punk kids
who don't understand the long-term negative repercussions of their
business practices and seem to think that they can spam with impunity as
long as they are CAN-SPAM compliant.

But, in contrast, Return Path is run by rational and mature adults who
"get it", imo. For the reasons stated, I reject the ridiculous argument
that their business plan makes them unethical. But I do believe that it
is helpful if/when the anti-spam community points out their most
questionable clients, if/when deemed appropriate. That will only help
inspire them to further tighten their standards and keep them
accountable. (actually, I do NOT personally see any current deficiencies
with them--but I'm just saying that this is a productive way of dealing
with any problems anyone has with Return Path that will have tangible
good results for the industry as a whole.)

So, instead of insults, if anyone has a gripe with them, please just
point out SPECIFIC examples. Over time, if you find many egregious ones,
that will speak for itself. Otherwise, I'd prefer to not be bothered
with this.

-- 
Rob McEwen
http://dnsbl.invaluement.com/
rob@invaluement.com
+1 (478) 475-9032



Re: J.D. Falk spineless insults (Re: HABEAS_ACCREDITED SPAMMER)

Posted by Justin Mason <jm...@jmason.org>.
On Fri, Dec 4, 2009 at 14:04, richard@buzzhost.co.uk <richard@buzzhost.co.uk> wrote:

> On Fri, 2009-12-04 at 06:55 -0700, LuKreme wrote:
> > On 3-Dec-2009, at 23:06, R-Elists wrote:
> > > certainly we understand your point here, yet what about accountability for
> > > Return Path Inc (and other RPI companies) related rules in the default
> > > Spamassassin configs?
> >
> >
> > My position on HABEAS is well-known by anyone who cares (I score it +0.5
> > and +2.0); that's not what I'm talking about: it's the constant whinging by
> > richard and falk at each other. Obviously they WANT to be communicating
> > since otherwise they could easily ignore/killfile each other. I'm just tired
> > of them doing it on this mailing list.
> >
> Your idea of 'constant' amuses me and is stretching the truth
> exponentially.
>
> I'm curious why a commercial whitelist from a bulk mailing company has
> such a positive inroad in Spamassassin. It's a fair question. I'm not
> interested in your personal views of me, my question or my posting. You
> have a killfile? You able to ignore on subject? Skills you may find
> useful to learn yes?
>

Richard, quit it.

It's unreasonable to assume that all of the subscribers to this list should
have to listen to, or need to set up a killfile just to avoid, your ranting.


-- 
--j.

Re: HABEAS_ACCREDITED SPAMMER

Posted by jdow <jd...@earthlink.net>.
From: "Robert Lopez" <rl...@gmail.com>
Sent: Friday, 2009/December/04 11:24


On Fri, Dec 4, 2009 at 7:33 AM, Bowie Bailey <Bo...@buc.com> wrote:
> LuKreme wrote:
>> On 4-Dec-2009, at 01:18, jdow wrote:
>>
>>> With all the animosity on this issue I decided to give the HABEAS
>>> rules a score, a negligible score to be sure, just to see what the
>>> state of HABEAS is for me today.
>>>
>>> In the last four days - nothing either spam or ham.
>>>
>>
>> I tend to see little clusters of HABEAS scores, but they are rare. I 
>> might see only 10-20 a month.
>
> After following this thread for a while, I decided to take a look at my
> server. So here's one more data point:
>
> In the last month, I have seen 718 messages that hit one of the HABEAS
> rules. Of those, none of them had an overall score higher than 4, and
> there were only 12 that would have been scored as spam without the rule.
>
> Since I don't have access to look at the actual messages and I don't
> know what lists my customers may be signed up for, I can't say anything
> for sure, but it looks like it's working fine here based on the numbers.
>
> --
> Bowie
>

Here is one more data point:
Since October 18th I have seen HABEAS rules listed in Spamassassin
score lines 496122 times.
One such phishing email this week was successfully delivered to 387 
in-boxes.
Were it not for the HABEAS_ACCREDITED_SOI -4.30 other rules would have
led to successfully stopping the message.

<< jdow: OK a 0.07% failure rate is remarkably good, In My Pathetic
Opinion. It ought to earn a fairly respectable negative score on that
basis. How far off was your -4.30 score on that spam/phish? Was that
the ONLY one that got through?

{^_^} 


Re: HABEAS_ACCREDITED SPAMMER

Posted by Robert Lopez <rl...@gmail.com>.
On Fri, Dec 4, 2009 at 7:33 AM, Bowie Bailey <Bo...@buc.com> wrote:
> LuKreme wrote:
>> On 4-Dec-2009, at 01:18, jdow wrote:
>>
>>> With all the animosity on this issue I decided to give the HABEAS
>>> rules a score, a negligible score to be sure, just to see what the
>>> state of HABEAS is for me today.
>>>
>>> In the last four days - nothing either spam or ham.
>>>
>>
>> I tend to see little clusters of HABEAS scores, but they are rare. I might see only 10-20 a month.
>
> After following this thread for a while, I decided to take a look at my
> server.  So here's one more data point:
>
> In the last month, I have seen 718 messages that hit one of the HABEAS
> rules.  Of those, none of them had an overall score higher than 4, and
> there were only 12 that would have been scored as spam without the rule.
>
> Since I don't have access to look at the actual messages and I don't
> know what lists my customers may be signed up for, I can't say anything
> for sure, but it looks like it's working fine here based on the numbers.
>
> --
> Bowie
>

Here is one more data point:
Since October 18th I have seen HABEAS rules listed in Spamassassin
score lines 496122 times.
One such phishing email this week was successfully delivered to 387 in-boxes.
Were it not for the HABEAS_ACCREDITED_SOI -4.30 other rules would have
led to successfully stopping the message.

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

Re: J.D. Falk spineless insults (Re: HABEAS_ACCREDITED SPAMMER)

Posted by jdow <jd...@earthlink.net>.
From: <ri...@buzzhost.co.uk>
Sent: Friday, 2009/December/04 06:04


> On Fri, 2009-12-04 at 06:55 -0700, LuKreme wrote:
>> On 3-Dec-2009, at 23:06, R-Elists wrote:
>> > certainly we understand your point here, yet what about accountability 
>> > for
>> > Return Path Inc (and other RPI companies) related rules in the default
>> > Spamassassin configs?
>>
>>
>> My position on HABEAS is well-known by anyone who cares (I score it +0.5
>> and +2.0); that's not what I'm talking about: it's the constant whinging
>> by richard and falk at each other. Obviously they WANT to be
>> communicating since otherwise they could easily ignore/killfile each
>> other. I'm just tired of them doing it on this mailing list.
>>
> Your idea of 'constant' amuses me and is stretching the truth
> exponentially.
>
> I'm curious why a commercial whitelist from a bulk mailing company has
> such a positive inroad in Spamassassin. It's a fair question. I'm not
> interested in your personal views of me, my question or my posting. You
> have a killfile? You able to ignore on subject? Skills you may find
> useful to learn yes?

Have you two gentlemen reported these spammers to ReturnPath? Lukreme's
long unused address might be a good source for scrubbing the ReturnPath
lists. (So far I've not seen one either way here.) I presume you two
gentlemen are telling me that you never see HABEAS on ham, right?

{^_^} 


Re: J.D. Falk spineless insults (Re: HABEAS_ACCREDITED SPAMMER)

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Fri, 2009-12-04 at 06:55 -0700, LuKreme wrote:
> On 3-Dec-2009, at 23:06, R-Elists wrote:
> > certainly we understand your point here, yet what about accountability for
> > Return Path Inc (and other RPI companies) related rules in the default
> > Spamassassin configs?
> 
> 
> My position on HABEAS is well-known by anyone who cares (I score it +0.5 and +2.0); that's not what I'm talking about: it's the constant whinging by richard and falk at each other. Obviously they WANT to be communicating since otherwise they could easily ignore/killfile each other. I'm just tired of them doing it on this mailing list.
> 
Your idea of 'constant' amuses me and is stretching the truth
exponentially.

I'm curious why a commercial whitelist from a bulk mailing company has
such a positive inroad in Spamassassin. It's a fair question. I'm not
interested in your personal views of me, my question or my posting. You
have a killfile? You able to ignore on subject? Skills you may find
useful to learn yes? 


Re: J.D. Falk spineless insults (Re: HABEAS_ACCREDITED SPAMMER)

Posted by LuKreme <kr...@kreme.com>.
On 3-Dec-2009, at 23:06, R-Elists wrote:
> certainly we understand your point here, yet what about accountability for
> Return Path Inc (and other RPI companies) related rules in the default
> Spamassassin configs?


My position on HABEAS is well-known by anyone who cares (I score it +0.5 and +2.0); that's not what I'm talking about: it's the constant whinging by richard and falk at each other. Obviously they WANT to be communicating since otherwise they could easily ignore/killfile each other. I'm just tired of them doing it on this mailing list.

-- 
'They come back to the mountains to die,' said the King.
'They live in Ankh-Morpork.' --The Fifth Elephant


Re: HABEAS_ACCREDITED SPAMMER

Posted by Bowie Bailey <Bo...@BUC.com>.
LuKreme wrote:
> On 4-Dec-2009, at 01:18, jdow wrote:
>   
>> With all the animosity on this issue I decided to give the HABEAS
>> rules a score, a negligible score to be sure, just to see what the
>> state of HABEAS is for me today.
>>
>> In the last four days - nothing either spam or ham.
>>     
>
> I tend to see little clusters of HABEAS scores, but they are rare. I might see only 10-20 a month.

After following this thread for a while, I decided to take a look at my
server.  So here's one more data point:

In the last month, I have seen 718 messages that hit one of the HABEAS
rules.  Of those, none of them had an overall score higher than 4, and
there were only 12 that would have been scored as spam without the rule.

Since I don't have access to look at the actual messages and I don't
know what lists my customers may be signed up for, I can't say anything
for sure, but it looks like it's working fine here based on the numbers.

-- 
Bowie
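
An added example, not part of Bowie Bailey's post or of SpamAssassin itself: one way to reproduce the measurement described above (how many HABEAS-hit messages would have been tagged as spam without the rule) from logged X-Spam-Status header values. It assumes the `score=... required=... tests=...` header layout; the -4.30 score is the one quoted in this thread, and the sample header values are constructed.

```python
import re
from dataclasses import dataclass, field

# Score quoted in this thread. Extend the map with the scores your own
# configuration assigns to any other whitelist rules you want to audit
# (assumption: you read them from your local rule files).
WHITELIST_SCORES = {"HABEAS_ACCREDITED_SOI": -4.30}

# Assumed layout: "No, score=1.2 required=5.0 tests=RULE_A,RULE_B autolearn=..."
STATUS_RE = re.compile(
    r"^(?P<verdict>Yes|No),\s*score=(?P<score>-?\d+(?:\.\d+)?)"
    r"\s+required=(?P<required>-?\d+(?:\.\d+)?)\s+tests=(?P<tests>\S*)"
)


@dataclass
class Audit:
    parsed: int = 0
    unparsed: int = 0
    hits: int = 0                                # messages where a whitelist rule fired
    rescued: list = field(default_factory=list)  # (logged score, score without whitelist)

    @property
    def rescue_rate(self):
        """Share of whitelist hits that only stayed under the threshold because of it."""
        return len(self.rescued) / self.hits if self.hits else 0.0


def audit(status_values, scores=WHITELIST_SCORES):
    """Count whitelist hits and the messages that would have been tagged without them."""
    result = Audit()
    for raw in status_values:
        # Long headers are folded onto continuation lines; undo the folding,
        # then close up the whitespace that folding leaves after commas.
        unfolded = re.sub(r"\r?\n[ \t]+", " ", raw.strip())
        unfolded = re.sub(r",\s+", ",", unfolded)
        m = STATUS_RE.match(unfolded)
        if not m:
            result.unparsed += 1
            continue
        result.parsed += 1
        fired = [t for t in m["tests"].split(",") if t in scores]
        if not fired:
            continue
        result.hits += 1
        score, required = float(m["score"]), float(m["required"])
        # Remove the (negative) whitelist contribution to get the score the
        # remaining rules would have produced on their own.
        without = round(score - sum(scores[t] for t in fired), 2)
        if score < required <= without:
            result.rescued.append((score, without))
    return result


# Constructed sample header values (not taken from any real mail log).
SAMPLE = [
    "No, score=-2.1 required=5.0 tests=BAYES_00,HABEAS_ACCREDITED_SOI,HTML_MESSAGE autolearn=ham",
    "No, score=3.9 required=5.0 tests=BAYES_99,HABEAS_ACCREDITED_SOI,URIBL_BLACK autolearn=no",
    "Yes, score=7.4 required=5.0 tests=BAYES_99,RAZOR2_CHECK autolearn=no",
    "No, score=0.8 required=5.0 tests=HABEAS_ACCREDITED_SOI,\n\tMIME_HTML_ONLY autolearn=no",
    "No, score=-4.3 required=5.0 tests=HABEAS_ACCREDITED_SOI autolearn=no",
    "not a status header",
]

if __name__ == "__main__":
    r = audit(SAMPLE)
    print(f"{r.hits} whitelist hits, {len(r.rescued)} below threshold only because of the rule")
    for score, without in r.rescued:
        print(f"  logged {score:+.1f}, without whitelist {without:+.1f}")
```

The messages listed in `rescued` are the ones worth reading by hand: the count alone cannot say whether they were wanted mail saved from a false positive or spam let through.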

Re: HABEAS_ACCREDITED SPAMMER

Posted by LuKreme <kr...@kreme.com>.
On 4-Dec-2009, at 01:18, jdow wrote:
> With all the animosity on this issue I decided to give the HABEAS
> rules a score, a negligible score to be sure, just to see what the
> state of HABEAS is for me today.
> 
> In the last four days - nothing either spam or ham.

I tend to see little clusters of HABEAS scores, but they are rare. I might see only 10-20 a month.


> Those seeing HABEAS hits: are the hits ancient haiku hits or are they
> the modern DNS test version?

I haven't seen the haiku in ages. But then again, I am very aggressive about dropping mail early via helo checks and zen, etc.

> And how was the email determined to be unsolicited? (I believe in one
> case it was a "never used spam trap address.")


In my case I see them on THIS email address in non-list mail (I don't check list mail with SpamAssassin) and since this email address is exclusively 100% used for mailing lists… I also see it on a very old email address that hasn't been used for real mail in close to 10 years and simply sits there collecting spam for me.


-- 
'What shall we do?' said Twoflower.
'Panic?' said Rincewind hopefully. --The Light Fantastic


Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by Charles Gregory <cg...@hwcn.org>.
On Fri, 4 Dec 2009, Yet Another Ninja wrote:
>> ..... 'just change the score' is not the correct answer. 
> the answer is totally correct.

No, it is not. No more than it is correct for a spammer to offer me a 
(working) 'unsubscribe' link. I don't want to discover I've been letting 
spam in the door and get complaints from users because of one (or more!)
'default' settings that are permitting spam.

The 'correct' answer that is being sought is to judge the entire 
underlying 'policy' mechanism for spamassassin which results in the 
*category* of choices about negative scores of which the habeas rule is 
only ONE possible example!

>>  The correct answer will be precisely why this state of affairs exists.
> - because developers think/have thought it's a good idea.

SLAP! Don't restate the question like it's an answer. He asked for 
reasoning behind the choice, not whether the developers *liked* their 
choice. Of course they liked it. WHY did they like it?

> - because nobody other than you makes such a noise about it.

There's a good point. Why *does* this person see so much spam with the 
habeas rule in it? Which leads to the obvious corollary, it seems likely 
that the habeas rule got a negative score because it only appears in ham 
in the SA 'master' test corpus. Why is THAT? What skews the messages 
contents so badly? What is different between the two? Anyone thought to 
sit down and question it?

I'm not even blindly accepting his assertions. I used to devalue habeas 
back when it was the 'haiku' variety, but I haven't had a problem lately, 
even without a special score. So why is there a problem for him?

- Charles

Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Fri, 2009-12-04 at 11:28 +0100, Yet Another Ninja wrote:

> > The correct answer will be precisely why this state of affairs exists.
> 
> - because developers think/have thought it's a good idea.
> 
> - because nobody other than you makes such a noise about it. And YOU who 
>  are so against, have you submitted a bug to have whatever reconsidered.
I don't recall that I was making much noise about it, I said my piece
and others wish to carry it on - but I'm more than happy to do that.



Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by Per Jessen <pe...@computer.org>.
jdow wrote:

> From: "Per Jessen" <pe...@computer.org>
> Sent: Friday, 2009/December/04 09:11
> 
> 
> richard@buzzhost.co.uk wrote:
> 
>> This was raised as the IP appeared in HABEAS and for a few hours it
>> 'vanished' from the list. It's back there now, but DateTheUk is now
>> pumping out via an ip six decimal places up on the last octet.
>> 
>> 80.75.69.195  WHITELISTED:            sa-accredit.habeas.com
>> 
>> The customer concerned then hopped their output to:80.75.69.201
>> 80.75.69.201  WHITELISTED:            sa-accredit.habeas.com
> 
> FYI, 80.75.69.192 - 80.75.69.255 belongs to Easydate Ltd in Edinburgh.
> 
> << jdow: And somehow I suspect Richard didn't bother to report. It
> is more fun to bitch instead. 

Personally I don't bother with reporting either - it's not my job.  I
filter out spam, and when I receive spam from an accredited source, the
accreditors' reputation is lowered (on my system).  That's the risk of
that business.  


/Per Jessen, Zürich


Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by jdow <jd...@earthlink.net>.
From: "Per Jessen" <pe...@computer.org>
Sent: Friday, 2009/December/04 09:11


richard@buzzhost.co.uk wrote:

> This was raised as the IP appeared in HABEAS and for a few hours it
> 'vanished' from the list. It's back there now, but DateTheUk is now
> pumping out via an ip six decimal places up on the last octet.
> 
> 80.75.69.195  WHITELISTED:            sa-accredit.habeas.com
> 
> The customer concerned then hopped their output to:80.75.69.201
> 80.75.69.201  WHITELISTED:            sa-accredit.habeas.com

FYI, 80.75.69.192 - 80.75.69.255 belongs to Easydate Ltd in Edinburgh. 

<< jdow: And somehow I suspect Richard didn't bother to report. It
is more fun to bitch instead. So far the only real metrics I've seen 
indicates it works. That's data from three people, one off this list.

{^_^}

Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Fri, 2009-12-04 at 18:11 +0100, Per Jessen wrote:
> richard@buzzhost.co.uk wrote:
> 
> > This was raised as the IP appeared in HABEAS and for a few hours it
> > 'vanished' from the list. It's back there now, but DateTheUk is now
> > pumping out via an ip six decimal places up on the last octet.
> > 
> > 80.75.69.195  WHITELISTED:            sa-accredit.habeas.com
> > 
> > The customer concerned then hopped their output to:80.75.69.201
> > 80.75.69.201  WHITELISTED:            sa-accredit.habeas.com
> 
> FYI, 80.75.69.192 - 80.75.69.255 belongs to Easydate Ltd in Edinburgh. 
> 
> 
> /Per Jessen, Zürich
> 
Correct, and the hits in habeas are shown. The issue with RP is a side
distraction to this.


Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by Per Jessen <pe...@computer.org>.
richard@buzzhost.co.uk wrote:

> This was raised as the IP appeared in HABEAS and for a few hours it
> 'vanished' from the list. It's back there now, but DateTheUk is now
> pumping out via an ip six decimal places up on the last octet.
> 
> 80.75.69.195  WHITELISTED:            sa-accredit.habeas.com
> 
> The customer concerned then hopped their output to:80.75.69.201
> 80.75.69.201  WHITELISTED:            sa-accredit.habeas.com

FYI, 80.75.69.192 - 80.75.69.255 belongs to Easydate Ltd in Edinburgh. 


/Per Jessen, Zürich


Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by Per Jessen <pe...@computer.org>.
Charles Gregory wrote:

> I don't care. Spamassassin does not have an 'opinion'. It has a
> methodology. 

Umm, it also has a set of rules which essentially make up the
SA "opinion". 


/Per Jessen, Zürich


Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by Charles Gregory <cg...@hwcn.org>.
On Fri, 4 Dec 2009, richard@buzzhost.co.uk wrote:
>> Okay, let's be methodical. Let us indeed start with those.
>> Did anyone else get them?

No answer.

>> If, so, how did they score?

No answer.

>> If not, then why did only Richard get them?

No answer.

> Point 1 - The Subject that was changed on the other post. JD Falk made
> the original change to abuse me. Go back to the archive and take a look.
> I just inverted it.

I don't care. You can each call the other all the names you want.
But if there is a legitimate issue, it will be answered by addressing the 
questions I posed.

> Point 2 -
> I've stated my opinions on organisations that are involved in bulk
> mailing, but that's all it is. An opinion. They are like axxholes,
> everyone has one.

I don't care. Spamassassin does not have an 'opinion'. It has a
methodology. If that methodology requires review/correction, your opinion 
provides no quantitative feedback.

> Point 3 - My Habeas issue is not about quantity.

If you read my post you would have grasped the simple idea that if ANY 
spam comes to your attention, it is very likely the tip of an unseen 
iceberg of missed spam. So we treat it seriously and investigate. I didn't 
ask how *much* anyone got. I asked whether there was something peculiar to 
your situation that prevented other people from seeing this problem.

> ..... I can only cite the current ongoing issue with DateTheUk.
> A company that fished a watermarked address from a Facebook 'Farmville'
> group and then spammed it.

Good enough to work with. You've posted your data, now my next question 
is whether anyone else sees the same mail. Just because I don't see it 
over here in Canada doesn't mean you are the only one. But it may very 
well highlight a 'regional bias' in the main spamassassin test corpora.

> 80.75.69.195	WHITELISTED:		sa-accredit.habeas.com
> 80.75.69.201	WHITELISTED:		sa-accredit.habeas.com

Which now leads back to questions about whether we're seeing *hacked* 
servers that just *happen* to be habeas accredited?

> The customer also hits on: list.dnswl.org, so they are clearly aware of
> the need to grease the wheels. Spamassassin was passing the stuff at -9.

(nod) I've seen similar scores on (obvious) spam from 'mailengine'.

> It's not about the listing of a Rogue Customer, it's why they are not
> delisted for doing it - this would give some kind of confidence back.

It may not be the 'customer' at all. Never attribute to malice that which 
can be ascribed to ignorance.

> My personal view is no blind eye should be turned to any spammer,
> especially one coming from a so called reputable source.

So let's get back to defining the source. We've got a habeas 
representative on here? Let's trace this 'DateTheUk' stuff and see if it 
really is their legitimate business.

By the by, I think I posted on this list a while ago on a similar 
question, as to whether we could really trust *any* whitelists, as they 
simply made for a *deliberate* target of botnet owners. No one made a fuss 
about it before, but what about now? Maybe, once again, the flaw is in 
having a whitelisting system that relies upon third party servers with 
unknown security.

> Point 4 -
> All that is largely irrelevant to this list, but my point of interest is
> why a commercial white list appears in Spamassassin with the default
> scores set the way they are? It's perfectly reasonable to ask.

Well, the obvious 'starting answer' (just to cut the pedants short) is 
that a whitelist *should* generally betoken increased trust in a source, 
and that it is 'permitted' to look a 'little' spammy because their 
business is advertising, but not 'spam'. So with that category of mail in 
the 'ham' corpora, spamassassin score generation allows a generous 
negative score. The flaw, here, may be regional bias. Perhaps Spamassassin 
should get a bit more sophisticated and attempt to generate corpora for 
different regions?


> It could be expanded to ask if there are any plans to include whitelists 
> from other vendors in the default, such as Apache donator Barracuda? 
> Perhaps emailreg.org with a -4 score in the next SA release?

That is the most meaningful question. What is the policy for inclusion, 
and how reliable is it? The key to understanding is to verify whether the 
'spam' you see is *actually* from the 'customer' who obtained the habeas 
accredit and then probe how we would deal with a 'yes' or a 'no'.

> Much that the personality battles and offlist threats and abuse amuse
> me, my question is perfectly reasonable, has its foundation in fact and
> is on topic.

Which is pretty much what I said. I just clarified the question because 
pedants were answering "because the developers like it".....

But it might help to skip the personality/ad hominem crap. Prove that the 
mail you receive is the rightful mail of the legitimate IP address owner, 
and then ask the habeas people how they 'earned' that accredit....

- C

Re: [sa] Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
I've just had another one to a honeypot - care of myspace. My dog does
not have a myspace account. Again, this is a harvested email address.

204.16.33.75	WHITELISTED:		sa-accredit.habeas.com

Whilst I appreciate that nobody would turn their noses up at taking $$$
from someone like myspace, there are some serious concerns about their
data here.

I'll check with my dog to make sure he has not subscribed whilst I
turned my back .........

Received: from vmta12.myspace.com (vmta12.myspace.com [204.16.33.75]) by
 ..... with ESMTP id  for
 <.....>; Fri,  4 Dec 2009 19:48:32 +0000 (GMT)



Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by Per Jessen <pe...@computer.org>.
Charles Gregory wrote:

> There's a need. A real genuine need for services like Habeas.  

It almost certainly depends on your environment - like my numbers
showed, over four months, I only had 45 emails that would have gone
down the drain without Habeas.  In comparison to what was processed
that is an incredibly low number.


/Per Jessen, Zürich


Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by jdow <jd...@earthlink.net>.
What I call spam you may call ham. What I call ham you might call spam.

One ring to control them all er one list to filter them all inherently
cannot work, especially when people change their minds and decide to
"unsubscribe with extreme prejudice."

{^_^}
----- Original Message ----- 
From: "LuKreme" <kr...@kreme.com>
To: <us...@spamassassin.apache.org>
Sent: Monday, 2009/December/07 09:22
Subject: Re: HABEAS_ACCREDITED WHY BY DEFAULT?


On 7-Dec-2009, at 09:03, Charles Gregory wrote:
> There's a need. A real genuine need for services like Habeas. But they 
> need to be *very* well managed and policed. And it seems, from some 
> complaints, that this is not happening....


How a service like HABEAS needs to work is that 1) It keeps a massive 
database of email addresses that are known to either be bad, or to be users 
who have specifically submitted their addresses as not accepting any 
unsolicited unconfirmed emails, ever.  A spammer — er, marketer, submits 
their mailing list and it is 'cleaned' of all those addresses, then 
submitted back to the spammer.

The spammer, in order to register with the service has to pay some amount of 
money (probably a range of $0-$1,000,000 depending on the size of their list 
and profit/non-profit status of the sender) that is held in a third party 
trust. This is money that is deposited in addition to whatever charges there 
are to clean the list. If the spammer sends any messages to an address that 
was scrubbed, then the trust money is donated to some charity and the 
spammers account with the service is revoked and their ENTIRE IP CLASS is 
submitted to RBLs. In addition, bounce processing for the spam—er, marketing 
email is handled by the service. Addresses that bounce are added to the 
database of bad addresses. Spam complaints are added to the database of 
opt-out addresses.

THAT service I would allow negative points to in my SA. I can't imagine any 
other commercial whitelist that I would allow negative points for.

-- 
"Whose motorcycle is this?" "It's chopper, baby." "Whose chopper
is this?" "It's Zed's." "Who's Zed?" "Zed' dead, baby. Zed's
dead."


Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by LuKreme <kr...@kreme.com>.
On 7-Dec-2009, at 09:03, Charles Gregory wrote:
> There's a need. A real genuine need for services like Habeas. But they need to be *very* well managed and policed. And it seems, from some complaints, that this is not happening....


How a service like HABEAS needs to work is that 1) It keeps a massive database of email addresses that are known to either be bad, or to be users who have specifically submitted their addresses as not accepting any unsolicited unconfirmed emails, ever.  A spammer — er, marketer, submits their mailing list and it is 'cleaned' of all those addresses, then submitted back to the spammer.

The spammer, in order to register with the service has to pay some amount of money (probably a range of $0-$1,000,000 depending on the size of their list and profit/non-profit status of the sender) that is held in a third party trust. This is money that is deposited in addition to whatever charges there are to clean the list. If the spammer sends any messages to an address that was scrubbed, then the trust money is donated to some charity and the spammers account with the service is revoked and their ENTIRE IP CLASS is submitted to RBLs. In addition, bounce processing for the spam—er, marketing email is handled by the service. Addresses that bounce are added to the database of bad addresses. Spam complaints are added to the database of opt-out addresses.

THAT service I would allow negative points to in my SA. I can't imagine any other commercial whitelist that I would allow negative points for.

-- 
"Whose motorcycle is this?" "It's chopper, baby." "Whose chopper
	is this?" "It's Zed's." "Who's Zed?" "Zed' dead, baby. Zed's
	dead."


Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On Sat, 5 Dec 2009, Per Jessen wrote:
>> Won't customers dealing with such a company have whitelisted them
>> long ago?
>
> For every 'mark' that is out there, stupidly entering their e-mail and  
> then getting a bunch of ads for which they didn't realize they had given  
> permission, there are people that are equally technologically illiterate  
> that don't *think* that they need to do *anything* 'special' to make the  
> mail from their favorite drug company arrive in their mailbox. They see  
> very little spam (thanks to MY efforts - preen, preen) and so they don't  
> think of a spam 'problem' and that the mail they just requested might not 
> make it through.

On 07.12.09 11:03, Charles Gregory wrote:
> So I end up with a customer on the phone complaining. So if that drug  
> company could get themselves on a 'standard' whitelist which I already  
> trust and use, then I don't have to do anything special, and neither does 
> my customer.

I find it a bit funny that you blame HABEAS whitelist, while you recommend
"ordinary" whitelist where both have some rules for listing, and I think
HABEAS has even more strict rules.

I am not telling that you are correct or not, it's just my observation.
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows found: (R)emove, (E)rase, (D)elete

Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by Charles Gregory <cg...@hwcn.org>.
On Sat, 5 Dec 2009, Per Jessen wrote:
> Won't customers dealing with such a company have whitelisted them
> long ago?

For every 'mark' that is out there, stupidly entering their e-mail and 
then getting a bunch of ads for which they didn't realize they had given 
permission, there are people that are equally technologically illiterate 
that don't *think* that they need to do *anything* 'special' to make the 
mail from their favorite drug company arrive in their mailbox. They see 
very little spam (thanks to MY efforts - preen, preen) and so they don't 
think of a spam 'problem' and that the mail they just requested might not 
make it through.

So I end up with a customer on the phone complaining. So if that drug 
company could get themselves on a 'standard' whitelist which I already 
trust and use, then I don't have to do anything special, and neither does 
my customer.

Some companies are smart enough to add a note to their website that says 
"be sure to add us to your whitelist", but that doesn't help the thousands
of people who read it and say "too complicated for me I hope it works" and 
call me if it doesn't.... :)

There's a need. A real genuine need for services like Habeas. But they 
need to be *very* well managed and policed. And it seems, from some 
complaints, that this is not happening....

- Charles

Re: [sa] Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by jdow <jd...@earthlink.net>.
From: "Per Jessen" <pe...@computer.org>
Sent: Saturday, 2009/December/05 02:20


Charles Gregory wrote:

> On Fri, 4 Dec 2009, Per Jessen wrote:
>> The other side of the argument is - why does any legitimate company
>> need to employ a service such as Habeas/Returnpath/whatever?
> 
> Any legitimate drug company that wants to send price lists to its
> legitimate distributors or end customers, upon request, even if not a
> mailing list mail, but specific, one-by-one request/response mails,
> would have trouble with spam filters that check for drug names and
> percentages and hot words like 'sale'. 

Won't customers dealing with such a company will have whitelisted them
long ago? 


<<jdow: You could take it to the bank that most won't figure out how,
no matter how simple you make it for them. And they WILL complain.


{^_^}
        No matter how idiot proof you make your product you will find that
        God rewards you by presenting you with a better idiot.

Re: [sa] Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by Per Jessen <pe...@computer.org>.
McDonald, Dan wrote:

> On Dec 5, 2009, at 4:20 AM, "Per Jessen" <pe...@computer.org> wrote:
> 
>> Charles Gregory wrote:
>>
>>> On Fri, 4 Dec 2009, Per Jessen wrote:
>>>> The other side of the argument is - why does any legitimate company
>>>> need to employ a service such as Habeas/Returnpath/whatever?
>>>
>>> Any legitimate drug company that wants to send price lists to its
>>> legitimate distributors or end customers, upon request, even if not
>>> a mailing list mail, but specific, one-by-one request/response
>>> mails, would have trouble with spam filters that check for drug
>>> names and percentages and hot words like 'sale'.
>>
>> Won't customers dealing with such a company will have whitelisted
>> them long ago?
> 
> No. I only locally whitelist when there is a reported problem, and
> only as a last resort.

Same here, but that means any regular business partner in the pharma
business will have been whitelisted long ago.  All it takes is one FP. 


/Per Jessen, Zürich


Re: [sa] Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by "McDonald, Dan" <Da...@austinenergy.com>.
On Dec 5, 2009, at 4:20 AM, "Per Jessen" <pe...@computer.org> wrote:

> Charles Gregory wrote:
>
>> On Fri, 4 Dec 2009, Per Jessen wrote:
>>> The other side of the argument is - why does any legitimate company
>>> need to employ a service such as Habeas/Returnpath/whatever?
>>
>> Any legitimate drug company that wants to send price lists to its
>> legitimate distributors or end customers, upon request, even if not a
>> mailing list mail, but specific, one-by-one request/response mails,
>> would have trouble with spam filters that check for drug names and
>> percentages and hot words like 'sale'.
>
> Won't customers dealing with such a company will have whitelisted them
> long ago?

No. I only locally whitelist when there is a reported problem, and  
only as a last resort. There is no way for me to know all of the  
"trusted partners" that we might do business with. A common whitelist  
of legitimate companies is a welcome thing for me.

The other way I use it, when I get complaints about receiving "spam",  
is to determine if it is safe to unsubscribe. My users know that bad  
spammers use unsubscribes as reconnaissance to add valid addresses to  
their lists. So, when they forgot that they signed up for something, I  
will often unsubscribe them from a company that is listed in returnpath.


>
> /Per Jessen, Zürich
>

Re: [sa] Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by Per Jessen <pe...@computer.org>.
Charles Gregory wrote:

> On Fri, 4 Dec 2009, Per Jessen wrote:
>> The other side of the argument is - why does any legitimate company
>> need to employ a service such as Habeas/Returnpath/whatever?
> 
> Any legitimate drug company that wants to send price lists to its
> legitimate distributors or end customers, upon request, even if not a
> mailing list mail, but specific, one-by-one request/response mails,
> would have trouble with spam filters that check for drug names and
> percentages and hot words like 'sale'. 

Won't customers dealing with such a company have whitelisted them
long ago? 


/Per Jessen, Zürich


Re: [sa] Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by Charles Gregory <cg...@hwcn.org>.
On Fri, 4 Dec 2009, Per Jessen wrote:
> The other side of the argument is - why does any legitimate company need
> to employ a service such as Habeas/Returnpath/whatever?

Any legitimate drug company that wants to send price lists to its 
legitimate distributors or end customers, upon request, even if not a 
mailing list mail, but specific, one-by-one request/response mails, would 
have trouble with spam filters that check for drug names and percentages 
and hot words like 'sale'. The preponderance of drug spams makes it very 
difficult for these companies. Help from a whitelist is a welcome thing.
But it becomes useless if the spammers suborn the process.

- Charles

Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by jdow <jd...@earthlink.net>.
From: "Per Jessen" <pe...@computer.org>
Sent: Friday, 2009/December/04 11:19


Chr. von Stuckrad wrote:

> After all this debate about a negatively scored rule I'd disable it
> anyway, because the spammers on the list will target it specifically
> now, knowing it works well for them.

The other side of the argument is - why does any legitimate company need
to employ a service such as Habeas/Returnpath/whatever? 
If their customer emails are getting caught as spam, surely they or SA
is doing something wrong to begin with.  There is not much spam that is
getting caught purely based on content, most is getting caught on
origin and its reputation. 

<<jdow: I have several email sources with which I have a "relationship"
as in signed up for that are not important enough to me to outright
whitelist. I have fun watching them dance around the deadly 5.0 score.
OK OK it is fun for the feeble minded or somebody needing a dose of
graveyard humor, I suppose. But it illustrates the problem an ISP spam
filter might have.

JD's description indicates RP makes an honest attempt to scrub their
lists when problems appear. And, if they do not hear of a problem their
list does not get scrubbed. And if a user plays the 'report as spam'
trick to unsubscribe to a list (something a legitimate friend of mine
experiences too often) that can result in problems for everybody, JD,
his customers, and the cut-off recipients. RP has taken on a job that
is not trivial.

{^_^}

Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by Per Jessen <pe...@computer.org>.
Chr. von Stuckrad wrote:

> After all this debate about a negatively scored rule I'd disable it
> anyway, because the spammers on the list will target it specifically
> now, knowing it works well for them.

The other side of the argument is - why does any legitimate company need
to employ a service such as Habeas/Returnpath/whatever? 
If their customer emails are getting caught as spam, surely they or SA
is doing something wrong to begin with.  There is not much spam that is
getting caught purely based on content, most is getting caught on
origin and its reputation. 


/Per Jessen, Zürich


RE: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by R-Elists <li...@abbacomm.net>.
> 
> After all this debate about a negatively scored rule I'd 
> disable it anyway, because the spammers on the list will 
> target it specifically now, knowing it works well for them.
> 
> Stucki

Stucki,

it seems to me that you, of all people, would want a small negative or
positive score on that rule (or any rule) for statistical purposes...

being in the math department and all

:-)

logically, why would you just zero it then?

 - rh


Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by "Chr. von Stuckrad" <st...@mi.fu-berlin.de>.
On Fri, 04 Dec 2009, richard@buzzhost.co.uk wrote:

> Point 4 -
> All that is largely irrelevant to this list, but my point of interest is
> why a commercial white list appears in Spamassassin with the default
> scores set the way they are? It's perfectly reasonable to ask. It could
> be expanded to ask if there are any plans to include whitelists from
> other vendors in the default, such as Apache donator Barracuda? Perhaps
> emailreg.org with a -4 score in the next SA release?

So if, after a while of wading through the debate, I understand this
right, it boils down to 'are spammers buying out spamassassin
rule-makers' or 'do we have to assume that spamassassin development
was taken over by spammers' or some such theory?

Wouldn't it be far easier to believe, that in long gone times when
'habeas' seemed to prove nonspam (I seem to remember it worked a
while) somebody put that rule in.  And a while later lots of people
simply set their habeas rules to zero after noticing spam-with-habeas.
(the oldest mails with 'Subject:.*habeas' I can find in my archive
were about habeas haikus and these were beginning to be faked 2003/4).

Then I personally simply forgot the whole thing ... til yesterday :-)
AND if the spam-with-habeas is seldom seen it might simply vanish
in the noise or hide below the other rules until somebody(!) notices.

For me all this means - simply forget (zero out) the rules - and if
need be file a bug/request/whatever to get them removed - but not that
I'd assume that spamassassin was subverted to allow spammers? But even
if it were so, it could not go on very long - somebody would(did?) wonder ...

After all this debate about a negatively scored rule I'd disable it
anyway, because the spammers on the list will target it specifically
now, knowing it works well for them.

Stucki

-- 
Christoph von Stuckrad      * * |nickname |Mail <st...@mi.fu-berlin.de> \
Freie Universitaet Berlin   |/_*|'stucki' |Tel(Mo.,Mi.):+49 30 838-75 459|
Mathematik & Informatik EDV |\ *|if online|  (Di,Do,Fr):+49 30 77 39 6600|
Takustr. 9 / 14195 Berlin   * * |on IRCnet|Fax(home):   +49 30 77 39 6601/

Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Fri, 2009-12-04 at 10:50 -0500, Charles Gregory wrote:
> On Fri, 4 Dec 2009, richard@buzzhost.co.uk wrote:
> > Qualifies what, that I get UBE that is Habeas Accredited? Should I start
> > with the 40 from 'DateTheuk' in the last 8 days?
> 
> Okay, let's be methodical. Let us indeed start with those.
> 
> Did anyone else get them?
> If, so, how did they score?
> If not, then why did only Richard get them?
> 
> Keep in mind that a 'problem' may be buried by conditions where most of 
> the spam still gets flagged, then blocked because of other positive 
> scoring tests, so we don't *see* the habeas test firing....
> I don't record hits on rules in mail that is flagged ham, but notice that 
> I do see the habeas rule in a couple of cases where I have deliberately 
> blacklisted a mail server like 'mailengine'.
> 
> - Charles
Point 1 - The Subject that was changed on the other post. JD Falk made
the original change to abuse me. Go back to the archive and take a look.
I just inverted it. 

Point 2 -
I've stated my opinions on organisations that are involved in bulk
mailing, but that's all it is. An opinion. They are like axxholes,
everyone has one. 

Point 3 - My Habeas issue is not about quantity. Most of the previous
Habeas spam I did not log, and I regret that. I've set things up
differently so I log each and every one from now on. So other than my
worthless word I can only cite the current ongoing issue with DateTheUk.
A company that fished a watermarked address from a Facebook 'Farmville'
group and then spammed it.

This was raised as the IP appeared in HABEAS and for a few hours it
'vanished' from the list. It's back there now, but DateTheUk is now
pumping out via an ip six decimal places up on the last octet.

80.75.69.195	WHITELISTED:		sa-accredit.habeas.com

The customer concerned then hopped their output to:80.75.69.201
80.75.69.201	WHITELISTED:		sa-accredit.habeas.com

The customer also hits on: list.dnswl.org, so they are clearly aware of
the need to grease the wheels. Spamassassin was passing the stuff at -9.

It's not about the listing of a Rogue Customer, it's why they are not
delisted for doing it - this would give some kind of confidence back.

My personal view is no blind eye should be turned to any spammer,
especially one coming from a so called reputable source.

Point 4 -
All that is largely irrelevant to this list, but my point of interest is
why a commercial white list appears in Spamassassin with the default
scores set the way they are? It's perfectly reasonable to ask. It could
be expanded to ask if there are any plans to include whitelists from
other vendors in the default, such as Apache donator Barracuda? Perhaps
emailreg.org with a -4 score in the next SA release?

Much that the personality battles and offlist threats and abuse amuse
me, my question is perfectly reasonable, has its foundation in fact and
is on topic.





Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by Charles Gregory <cg...@hwcn.org>.
On Fri, 4 Dec 2009, richard@buzzhost.co.uk wrote:
> Qualifies what, that I get UBE that is Habeas Accredited? Should I start
> with the 40 from 'DateTheuk' in the last 8 days?

Okay, let's be methodical. Let us indeed start with those.

Did anyone else get them?
If, so, how did they score?
If not, then why did only Richard get them?

Keep in mind that a 'problem' may be buried by conditions where most of 
the spam still gets flagged, then blocked because of other positive 
scoring tests, so we don't *see* the habeas test firing....
I don't record hits on rules in mail that is flagged ham, but notice that 
I do see the habeas rule in a couple of cases where I have deliberately 
blacklisted a mail server like 'mailengine'.

- Charles

Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Fri, 2009-12-04 at 04:16 -0800, jdow wrote:
> From: "Yet Another Ninja" <sa...@alexb.ch>
> Sent: Friday, 2009/December/04 02:28
> 
> 
> > On 12/4/2009 10:57 AM, richard@buzzhost.co.uk wrote:
> >  > FINAL
> >> This is not a social club, it's a question and issues list for
> >> Spamassassin. My question and issue is why, by default, does
> >> Spamassassin use the HABEAS white list, and why is it out of the box set
> >> with a score to favour delivery of their junk? It's a fair question. The
> >> answer 'just change the score' is not the correct answer. 
> > 
> > the answer is totally correct. SA is a framework, which luckily allows 
> > YOU do whatever you want with it, so please do, whatever YOU want (that 
> > does not include beating a dead horse on the list) and move on.
> > 
> >> The correct answer will be precisely why this state of affairs exists.
> > 
> > - because developers think/have thought its a good idea.
> > 
> > - because nobody other than you makes such a noise about it. And YOU who 
> > are so against, have you submitted a bug to have whatever reconsidered.
> > 
> > EOT
> 
> Heh, at this site procaine sits in front of SA. It has a few email
> addresses, a very few, redirected to their own folders that I check
> any time I want some "amusement of that kind." I want to find out just
> how much Richard qualifies for this dubious honor.
> 
> {^_-}

Qualifies what, that I get UBE that is Habeas Accredited? Should I start
with the 40 from 'DateTheuk' in the last 8 days? 

That's 40 too many - would you like to talk in hundreds and thousands to
justify removal or changing of a default white list score?




Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by jdow <jd...@earthlink.net>.
Outlook Express spell checker, that is Procmail not your stupid
substitution however apt it might be.

{+_+}
----- Original Message ----- 
From: "jdow" <jd...@earthlink.net>
Sent: Friday, 2009/December/04 04:16


> Heh, at this site procaine sits in front of SA. It has a few email


Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by jdow <jd...@earthlink.net>.
From: "Yet Another Ninja" <sa...@alexb.ch>
Sent: Friday, 2009/December/04 02:28


> On 12/4/2009 10:57 AM, richard@buzzhost.co.uk wrote:
>  > FINAL
>> This is not a social club, it's a question and issues list for
>> Spamassassin. My question and issue is why, by default, does
>> Spamassassin use the HABEAS white list, and why is it out of the box set
>> with a score to favour delivery of their junk? It's a fair question. The
>> answer 'just change the score' is not the correct answer. 
> 
> the answer is totally correct. SA is a framework, which luckily allows 
> YOU do whatever you want with it, so please do, whatever YOU want (that 
> does not include beating a dead horse on the list) and move on.
> 
>> The correct answer will be precisely why this state of affairs exists.
> 
> - because developers think/have thought its a good idea.
> 
> - because nobody other than you makes such a noise about it. And YOU who 
> are so against, have you submitted a bug to have whatever reconsidered.
> 
> EOT

Heh, at this site procaine sits in front of SA. It has a few email
addresses, a very few, redirected to their own folders that I check
any time I want some "amusement of that kind." I want to find out just
how much Richard qualifies for this dubious honor.

{^_-}

Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by Yet Another Ninja <sa...@alexb.ch>.
On 12/4/2009 10:57 AM, richard@buzzhost.co.uk wrote:
  > FINAL
> This is not a social club, it's a question and issues list for
> Spamassassin. My question and issue is why, by default, does
> Spamassassin use the HABEAS white list, and why is it out of the box set
> with a score to favour delivery of their junk? It's a fair question. The
> answer 'just change the score' is not the correct answer. 

the answer is totally correct. SA is a framework, which luckily allows 
YOU do whatever you want with it, so please do, whatever YOU want (that 
does not include beating a dead horse on the list) and move on.

> The correct answer will be precisely why this state of affairs exists.

- because developers think/have thought it's a good idea.

- because nobody other than you makes such a noise about it. And YOU who 
are so against, have you submitted a bug to have whatever reconsidered.

EOT






Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by Kris Deugau <kd...@vianet.ca>.
jdow wrote:
> Color me smartassed but I want numbers not accusations. Can the
> rhetoric and in bland neutral terms describe what you see in terms of
> numbers, possible business relations, however loose, and so forth.

Here's some numbers to play with:

~500K messages delivered daily (as in, passed on from Postfix to the 
program that actually writes the message to the customer's mailbox tree 
somewhere)

~16K of ~48K accounts have spam filtering enabled

Since Jan 1 2009, hits on HABEAS* rules have resulted in an average of:

        rulename        |       spamperday       |       hamperday
-----------------------+------------------------+-----------------------
  HABEAS_ACCREDITED_COI | 0.04154302670623145401 |  161.4124629080118694
  HABEAS_ACCREDITED_SOI |     6.4124629080118694 | 3887.0326409495548961

(I run a daily script to stuff yesterday's SA log data into a database; 
  so far I haven't gotten around to doing anything with the data.)

I can't attest to the accuracy of any of the hits because this is an ISP 
mail system.  But even considering only a third of the accounts have 
filtering enabled, that's still somewhere in the neighbourhood of 1% of 
all mail hitting HABEAS_ACCREDITED_*.

Checking the spam reporting account shows no actual spams reported with 
HABEAS hits, and one legitimate book fair travel ad from a publishing 
company hitting _SOI;  about 8500 messages have been reported and 
confirmed.  A further ~350 have been reported, but considered legit.

Admittedly, I have to consider a broader range of mail to be 
"legitimate"... but I really haven't had to strain very hard in making 
that distinction in hand-confirming messages reported as spam.

Checking my own personal account on my own server shows a newsletter for 
a rewards program with my bank, occasional messages from eBay, and a 
message from Adobe.  All legitimate.  I don't keep spam around all that 
long, but what's still sticking around doesn't show any HABEAS* hits.

-kgd
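
[Added example, not part of the original post and not the poster's script.] A way to produce the same kind of per-rule spamperday/hamperday figures from spamd "result:" log lines, plus the share of a rule's hits that landed on mail SpamAssassin itself classified as spam. The sample log lines, host name and message-ids are constructed, and the verdict is SA's own classification rather than hand-confirmed ground truth.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of spamd's syslog output.
# "Y" = classified spam, "." = classified ham; the integer is the score.
SAMPLE_LOG = """\
Dec  3 08:01:12 mx1 spamd[2211]: spamd: connection from localhost [127.0.0.1] at port 40112
Dec  3 08:01:12 mx1 spamd[2211]: spamd: result: . -4 - HABEAS_ACCREDITED_SOI,HTML_MESSAGE scantime=0.9,size=18211,user=alice,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40112,mid=<constructed-1@example.com>,autolearn=ham
Dec  3 08:05:40 mx1 spamd[2211]: spamd: result: . -8 - HABEAS_ACCREDITED_COI,SPF_PASS scantime=0.7,size=9120,user=bob,uid=1002,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40118,mid=<constructed-2@example.com>,autolearn=ham
Dec  3 09:12:03 mx1 spamd[2211]: spamd: result: Y 12 - BAYES_99,HABEAS_ACCREDITED_SOI,URIBL_BLACK scantime=1.4,size=4410,user=alice,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40131,mid=<constructed-3@example.com>,autolearn=no
Dec  3 09:30:55 mx1 spamd[2211]: spamd: result: Y 21 - BAYES_99,URIBL_BLACK scantime=1.1,size=2210,user=carol,uid=1003,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40140,mid=<constructed-4@example.com>,autolearn=spam
Dec  4 07:45:09 mx1 spamd[2211]: spamd: result: . -4 - HABEAS_ACCREDITED_SOI scantime=0.6,size=30122,user=bob,uid=1002,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40207,mid=<constructed-5@example.com>,autolearn=ham
Dec  4 07:50:31 mx1 spamd[2211]: spamd: result: . 1 - HTML_MESSAGE scantime=0.5,size=1200,user=carol,uid=1003,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40211,mid=<constructed-6@example.com>,autolearn=no
Dec  4 08:02:17 mx1 spamd[2211]: spamd: result: . 0 -  scantime=0.2,size=640,user=alice,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40215,mid=<constructed-7@example.com>,autolearn=no
"""

# Tolerates padded scores and an empty rule list ("-  scantime=").
RESULT_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s.*?"
    r"spamd: result: (?P<verdict>[Y.])\s+(?P<score>-?\d+)\s+-\s+"
    r"(?P<rules>[\w,]*)\s*scantime="
)


def rule_stats(lines, prefix="HABEAS_"):
    """Count spam/ham verdicts per rule whose name starts with `prefix`.

    Returns (counts, n_days). n_days is the number of distinct calendar
    days with at least one scanned message, so days on which the rule
    never fired still pull the daily average down.
    """
    days = set()
    counts = defaultdict(lambda: {"spam": 0, "ham": 0})
    for line in lines:
        m = RESULT_RE.search(line)
        if not m:
            continue  # connection/cleanup lines and other daemons
        days.add((m["mon"], int(m["day"])))
        verdict = "spam" if m["verdict"] == "Y" else "ham"
        for rule in filter(None, m["rules"].split(",")):
            if rule.startswith(prefix):
                counts[rule][verdict] += 1
    return dict(counts), len(days)


def per_day(counts, n_days):
    """Turn raw counts into daily averages and the rule's spam share."""
    out = {}
    for rule, c in sorted(counts.items()):
        total = c["spam"] + c["ham"]
        out[rule] = {
            "spamperday": c["spam"] / n_days,
            "hamperday": c["ham"] / n_days,
            # Fraction of this rule's hits on mail classified as spam.
            # A spam verdict here means other rules outweighed the
            # whitelist's negative score; whitelisted spam that was
            # delivered as ham is invisible without user reports.
            "spam_share": c["spam"] / total,
        }
    return out


if __name__ == "__main__":
    counts, n_days = rule_stats(SAMPLE_LOG.splitlines())
    for rule, row in per_day(counts, n_days).items():
        print(f"{rule:24} {row['spamperday']:10.4f} {row['hamperday']:10.4f}"
              f" {row['spam_share']:8.2%}")
```
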

Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by jdow <jd...@earthlink.net>.
From: <ri...@buzzhost.co.uk>
Sent: Friday, 2009/December/04 01:57


> On Fri, 2009-12-04 at 00:18 -0800, jdow wrote:
>> From: "LuKreme" <kr...@kreme.com>
>> Sent: Thursday, 2009/December/03 20:55
>>
>>
>> > On Dec 3, 2009, at 13:43, "richard@buzzhost.co.uk" 
>> > <richard@buzzhost.co.uk
>> > > wrote:
>> >> On Thu, 2009-12-03 at 11:23 -0700, J.D. Falk wrote:
>> >>> On Dec 2, 2009, at 12:59 AM, richard@buzzhost.co.uk wrote:
>> >
>> > Look, get a room. Or at least take this twisted courtship dance 
>> > offlist
>> > and spare us, please.
>>
>> With all the animosity on this issue I decided to give the HABEAS
>> rules a score, a negligible score to be sure, just to see what the
>> state of HABEAS is for me today.
>>
>> In the last four days - nothing either spam or ham.
>>
>> Those seeing HABEAS hits: are the hits ancient haiku hits or are they
>> the modern DNS test version? I imagine the haiku is still used by
>> some spammers. The DNS tests should legitimately show a rather small
>> percentage of spam. It appears (weasel word notice) ReturnPath puts
>> its members through a wringer to get the approval levels.
>>
>> And how was the email determined to be unsolicited? (I believe in one
>> case it was a "never used spam trap address.")
>>
>> Let's lay some facts out on the table rather than heap a load of
>> anecdotal poo on JD over various HABEAS hits.
>>
>> And JD, I don't see on your site what it "costs" people to get listed
>> on your DNS approval lists other than some tests and documentation. Is
>> it possible spammers simply submit some buttered up documentation, get
>> approved, and accept getting it knocked back off your lists rapidly as
>> a business "time" expense?
>>
>> Less shouting and more data and facts seems to be called for on both
>> sides. And for the nonce I'll grant both sides the legitimacy of their
>> frustrations on this HABEAS thing.
>>
>> I note that JD is quite willing to discuss (and seemed to recommend)
>> a lowered default score. That seems quite reasonable.
>>
>> {^_^}    (Another JD, Jolly Dirty Old Woman type.)
>>
> PREAMBLE:
> It's simple for me - I'm not out to win friends or influence anyone and
> I find those that grease the wheels for the wholesale distribution of
> spam (be it they hold the view it is legitimate or not) in exchange for
> money - whilst claiming to be anti-spam - sick individuals that deserve
> a good kicking at the very least. That's just my personal view.
>
> RETURN PATH OFFER A PAID FACILITY TO ASSIST IN THE DELIVERY OF UBE.
> That's what they do - no matter how nicey nicey Mr Falk may appears to
> be. It's his job.
>
> SPAMASSASSIN is about assassinating spam - not facilitating it. Negative
> scores applied to a bulk mailing service without the users consent (the
> default for Spamassassin is to allow this rule at a minus score) has me
> wondering just who's in bed with who? There may be a reasonable argument
> that Spamassassin, as configured by default, gives unfair commercial
> advantage to HABEAS registered spammers and I'm more curious to find out
> WHY than anything else. It would be acceptable for me if it shipped with
> a zero score by default with notes in the readme for giving it a minus
> score at the users discretion.
>
> Although this is only a few points in the wrong direction, the
> implications this has for the integrity of Spamassassin as an anti-spam
> system is in question. Are Return Path making regular donations to
> Apache and wanting something in return? What possible plausible reason
> is there for a bulk mailing whitelist to appear with a favourable score
> in a program heavily used to block spam?
>
> Being well known companies that a person may have once done a very small
> amount of business with does not mean that their UBE habits are
> acceptable in any way.
>
> FACT
> For me, until I changed it to a positive +10 score for HABEAS, the only
> time I saw the name was in unwanted UBE - to me, that is SPAM. Making a
> fuss on this list (and nowhere else) suddenly had IP's disappear off the
> HABEAS list. {dark forces at work indeed}. The kind of people this has
> appeared in are not the expected MAINSLEAZE, but shabby bottom feeders.
> The kind that think registering with PaytoSpam services (be that a
> listing in emailreg.org or Habeas Accreditation) will make them in some
> way legitimate in their actions.
>
> FINAL
> This is not a social club, it's a question and issues list for
> Spamassassin. My question and issue is why, by default, does
> Spamassassin use the HABEAS white list, and why is it out of the box set
> with a score to favour delivery of their junk? It's a fair question. The
> answer 'just change the score' is not the correct answer. The correct
> answer will be precisely why this state of affairs exists.

Color me smartassed but I want numbers not accusations. Can the
rhetoric and in bland neutral terms describe what you see in terms of
numbers, possible business relations, however loose, and so forth.

I do note I also want a précis of what ReturnPath insists upon for
opting into receiving business emails. If it is double opt-in that is
good. If it's "I sent one inquiry, received an answer, and presumed
that was the end of the affair but messages keep coming" that is another.
(It is staggeringly bad marketing behavior. But, these days that is an
epidemic.)

Then let's compare what is seen with what is claimed on both sides of
this battle royale. The name calling creates no progress to a worthwhile
understanding. It may be that ReturnPath has a hole in their qualification
process they need to plug to restore their reputation. If it leads to
their DNS tool being a better tool for spam fighting so be it. (I suspect
the default is as wonkity off one way as your +10 is the other.)

If this were a debate JD would be winning at this point, mainly for
holding his rhetoric away from ad-hominem attacks.

{^_^}


Re: HABEAS_ACCREDITED WHY BY DEFAULT?

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Fri, 2009-12-04 at 00:18 -0800, jdow wrote:
> From: "LuKreme" <kr...@kreme.com>
> Sent: Thursday, 2009/December/03 20:55
> 
> 
> > On Dec 3, 2009, at 13:43, "richard@buzzhost.co.uk" <richard@buzzhost.co.uk
> > > wrote:
> >> On Thu, 2009-12-03 at 11:23 -0700, J.D. Falk wrote:
> >>> On Dec 2, 2009, at 12:59 AM, richard@buzzhost.co.uk wrote:
> >
> > Look, get a room. Or at least take this twisted courtship dance  offlist 
> > and spare us, please.
> 
> With all the animosity on this issue I decided to give the HABEAS
> rules a score, a negligible score to be sure, just to see what the
> state of HABEAS is for me today.
> 
> In the last four days - nothing either spam or ham.
> 
> Those seeing HABEAS hits: are the hits ancient haiku hits or are they
> the modern DNS test version? I imagine the haiku is still used by
> some spammers. The DNS tests should legitimately show a rather small
> percentage of spam. It appears (weasel word notice) ReturnPath puts
> its members through a wringer to get the approval levels.
> 
> And how was the email determined to be unsolicited? (I believe in one
> case it was a "never used spam trap address.")
> 
> Let's lay some facts out on the table rather than heap a load of
> anecdotal poo on JD over various HABEAS hits.
> 
> And JD, I don't see on your site what it "costs" people to get listed
> on your DNS approval lists other than some tests and documentation. Is
> it possible spammers simply submit some buttered up documentation, get
> approved, and accept getting it knocked back off your lists rapidly as
> a business "time" expense?
> 
> Less shouting and more data and facts seems to be called for on both
> sides. And for the nonce I'll grant both sides the legitimacy of their
> frustrations on this HABEAS thing.
> 
> I note that JD is quite willing to discuss (and seemed to recommend)
> a lowered default score. That seems quite reasonable.
> 
> {^_^}    (Another JD, Jolly Dirty Old Woman type.) 
> 
PREAMBLE:
It's simple for me - I'm not out to win friends or influence anyone and
I find those that grease the wheels for the wholesale distribution of
spam (be it they hold the view it is legitimate or not) in exchange for
money - whilst claiming to be anti-spam - sick individuals that deserve
a good kicking at the very least. That's just my personal view.

RETURN PATH OFFER A PAID FACILITY TO ASSIST IN THE DELIVERY OF UBE.
That's what they do - no matter how nicey nicey Mr Falk may appear to
be. It's his job.

SPAMASSASSIN is about assassinating spam - not facilitating it. Negative
scores applied to a bulk mailing service without the users consent (the
default for Spamassassin is to allow this rule at a minus score) has me
wondering just who's in bed with who? There may be a reasonable argument
that Spamassassin, as configured by default, gives unfair commercial
advantage to HABEAS registered spammers and I'm more curious to find out
WHY than anything else. It would be acceptable for me if it shipped with
a zero score by default with notes in the readme for giving it a minus
score at the users discretion. 

Although this is only a few points in the wrong direction, the
implications this has for the integrity of Spamassassin as an anti-spam
system is in question. Are Return Path making regular donations to
Apache and wanting something in return? What possible plausible reason
is there for a bulk mailing whitelist to appear with a favourable score
in a program heavily used to block spam?

Being well known companies that a person may have once done a very small
amount of business with does not mean that their UBE habits are
acceptable in any way.

FACT
For me, until I changed it to a positive +10 score for HABEAS, the only
time I saw the name was in unwanted UBE - to me, that is SPAM. Making a
fuss on this list (and nowhere else) suddenly had IP's disappear off the
HABEAS list. {dark forces at work indeed}. The kind of people this has
appeared in are not the expected MAINSLEAZE, but shabby bottom feeders.
The kind that think registering with PaytoSpam services (be that a
listing in emailreg.org or Habeas Accreditation) will make them in some
way legitimate in their actions.

FINAL
This is not a social club, it's a question and issues list for
Spamassassin. My question and issue is why, by default, does
Spamassassin use the HABEAS white list, and why is it out of the box set
with a score to favour delivery of their junk? It's a fair question. The
answer 'just change the score' is not the correct answer. The correct
answer will be precisely why this state of affairs exists.



Re: actual facts (was Re: HABEAS_ACCREDITED SPAMMER)

Posted by Michael Parker <pa...@pobox.com>.
FYI, the original bug is here: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=3998

All the bitching about it, took me about 30 seconds to find it.

Michael


Re: actual facts (was Re: HABEAS_ACCREDITED SPAMMER)

Posted by "J.D. Falk" <jd...@cybernothing.org>.
On Dec 4, 2009, at 12:24 PM, John Hardin wrote:

> On Fri, 4 Dec 2009, J.D. Falk wrote:
> 
>> The current defaults for both the HABEAS and BSP rules were set long before Return Path operated either service, so we have no clue where they came from either.
> 
> J.D., may I suggest you open a SA Bugzilla ticket suggesting that the scores be reviewed in light of this large change in how HABEAS operates?

Glad to.

--
J.D. Falk <jd...@returnpath.net>
Return Path Inc





Re: actual facts (was Re: HABEAS_ACCREDITED SPAMMER)

Posted by John Hardin <jh...@impsec.org>.
On Fri, 4 Dec 2009, J.D. Falk wrote:

> The current defaults for both the HABEAS and BSP rules were set long 
> before Return Path operated either service, so we have no clue where 
> they came from either.

J.D., may I suggest you open a SA Bugzilla ticket suggesting that the 
scores be reviewed in light of this large change in how HABEAS operates?

3.3.0 is in beta right now, it's still not too late to adjust the default 
scores for these rules for this major release.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   You do not examine legislation in the light of the benefits it
   will convey if properly administered, but in the light of the
   wrongs it would do and the harms it would cause if improperly
   administered.                                  -- Lyndon B. Johnson
-----------------------------------------------------------------------
  11 days until Bill of Rights day

Re: [sa] actual facts (was Re: HABEAS_ACCREDITED SPAMMER)

Posted by Charles Gregory <cg...@hwcn.org>.
On Fri, 4 Dec 2009, J.D. Falk wrote:
> They have to police themselves, or else they get kicked off the list. 
> Simple, neh?

Neh. Definitely NEH. That is the logic of spambots. They get on there, 
abuse the heck out of it until someone files a complaint and then they get 
cut off, but not before millions of spams have gone out the door with your 
'blessing'. The notion of waiting for complaints opens the doors to
failure of systems through overburdening (gee, we got so many complaints 
we couldn't get to them all in a timely manner).

For example, you've heard a complaint about 'thedateuk' being tossed 
around this list. Seems to me that if your above statement represented an 
effective policy, the comment from the original complainant should be
"I saw a flood of spam from these IP's and then it just stopped a few 
hours later." But that's not what I'm reading.

And I don't want excuses. No claims that a certain reporting mechanism 
"should" have been used. There are enough people receiving spam that if 
any mechanism were reputable and worthwhile, *someone* would have used it 
and the spam would have stopped. At the very least, judging by the 
comments here, no attempt was made to 'group' the offending IP's and the 
offender just switched to another IP in their block?

Any way you look at it, there is a reliability issue here....

- Charles

Re: actual facts (was Re: HABEAS_ACCREDITED SPAMMER)

Posted by Kris Deugau <kd...@vianet.ca>.
J.D. Falk wrote:
> There's only one Safe list (which SA still calls Habeas.)  In other words: no difference between the SOI and COI lists.  Or at least, that's how it's supposed to be -- so Kris's results were somewhat surprising.

*shrug*  I haven't seen enough evidence in the mail flow here to bother 
messing with the stock scores in the installations here, but there *are* 
three different rules in the stock SA set (up to date via sa-update):

# Habeas Accredited Senders
#       Last octet of the returned A record indicates the Habeas-assigned
#       "Permission Level" of the Sender.
#               10 to 39        Personal, transactional, and Confirmed Opt In
#               40 to 59        Secure referrals and Single Opt In
#               60 to 99        Checked but not accredited by Habeas.
#
# sa-accredit.habeas.com is for SpamAssassin use.
#
header HABEAS_ACCREDITED_COI    eval:check_rbl('habeas-firsttrusted', 'sa-accredit.habeas.com.', '127\.\d+\.\d+\.[123]\d')
describe HABEAS_ACCREDITED_COI  Habeas Accredited Confirmed Opt-In or Better
tflags HABEAS_ACCREDITED_COI    net nice
header HABEAS_ACCREDITED_SOI    eval:check_rbl_sub('habeas-firsttrusted', '127\.\d+\.\d+\.[45]\d')
describe HABEAS_ACCREDITED_SOI  Habeas Accredited Opt-In or Better
tflags HABEAS_ACCREDITED_SOI    net nice
header HABEAS_CHECKED           eval:check_rbl_sub('habeas-firsttrusted', '127\.\d+\.\d+\.[6789]\d')
describe HABEAS_CHECKED         Habeas Checked
tflags HABEAS_CHECKED           net nice

score HABEAS_ACCREDITED_COI 0 -8.0 0 -8.0
score HABEAS_ACCREDITED_SOI 0 -4.3 0 -4.3
score HABEAS_CHECKED 0 -0.2 0 -0.2

-kgd
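
The rules quoted in the message above, worked through as an added example (not part of the original post and not SpamAssassin's own code): it maps a returned A record to the rule that fires, picks the score for the active score set, and shows the effect on a message's total. The function names, the anchored matching, and the 6.0 content score are assumptions made for the illustration.

```python
import re

# Patterns and score lines as quoted in the post above.
RULES = {
    "HABEAS_ACCREDITED_COI": r"127\.\d+\.\d+\.[123]\d",
    "HABEAS_ACCREDITED_SOI": r"127\.\d+\.\d+\.[45]\d",
    "HABEAS_CHECKED": r"127\.\d+\.\d+\.[6789]\d",
}
STOCK_SCORES = """\
score HABEAS_ACCREDITED_COI 0 -8.0 0 -8.0
score HABEAS_ACCREDITED_SOI 0 -4.3 0 -4.3
score HABEAS_CHECKED 0 -0.2 0 -0.2
"""

def parse_scores(text):
    """Return {rule: [s0, s1, s2, s3]}; a single value applies to all four sets."""
    scores = {}
    for line in text.splitlines():
        parts = line.split("#")[0].split()
        if len(parts) in (3, 6) and parts[0] == "score":
            values = [float(v) for v in parts[2:]]
            scores[parts[1]] = values * 4 if len(values) == 1 else values
    return scores

def score_set(bayes, net):
    """Score set index: 0 = neither, 1 = net only, 2 = Bayes only, 3 = both."""
    return (2 if bayes else 0) + (1 if net else 0)

def rules_hit(a_record):
    """Rules whose pattern matches the A record returned by the list.
    Assumption: the pattern is anchored to the whole address."""
    return [name for name, pat in RULES.items() if re.fullmatch(pat, a_record)]

def final_score(content_score, a_record, bayes=True, net=True, local_cf=""):
    """Content score plus the whitelist adjustment; local_cf lines override stock."""
    scores = parse_scores(STOCK_SCORES)
    scores.update(parse_scores(local_cf))
    idx = score_set(bayes, net)
    return content_score + sum(scores[r][idx] for r in rules_hit(a_record))

REQUIRED_SCORE = 5.0   # SpamAssassin's default required_score
CONTENT_SCORE = 6.0    # constructed: a message other rules already rate as spam

if __name__ == "__main__":
    for rec in ("127.0.0.15", "127.0.0.45", "127.0.0.75"):
        total = final_score(CONTENT_SCORE, rec)
        print(rec, rules_hit(rec), round(total, 1), "spam" if total >= REQUIRED_SCORE else "ham")
    print("COI zeroed locally:", final_score(CONTENT_SCORE, "127.0.0.15",
                                             local_cf="score HABEAS_ACCREDITED_COI 0"))
```

With the stock scores, a COI listing alone moves this constructed message from 6.0 to -2.0, well under the threshold; the zeros in columns one and three mean the rules contribute nothing when network tests are off.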

nonfactual fact: distrust

Posted by Arvid Picciani <ae...@exys.org>.
J.D. Falk wrote:

>> By the by, I think I posted on this list a while ago on a similar question, as to whether we could really trust *any* whitelists, as they simply made for a *deliberate* target of botnet owners. No one made a fuss about it before, but what about now? Maybe, once again, the flaw is in having a whitelisting system that relies upon third party servers with unknown security.
> 
> We're EXTREMELY concerned about this as well, and we've got a 24x7 operations staff keeping an eye on things.  That's one of the reasons we charge money for the service: it lets us buy hardware and software and hire staff to keep it running smoothly, and securely.
> 

I don't trust returnpath, and I have disabled their lists.  The reason 
being that shiny marketing websites don't convince me at all.
I don't know if they're good or bad, and I have no data to prove 
anything, neither do I trust any external data. In my eyes they're 
simply a commercial entity whose purposes are unclear to my uneducated 
eyes.

Personally I like the simple "hey we're having these policies and here's 
a list you can use if you agree" kind, most blacklists are about.
Also I don't trust people who make up charts.

Honestly, if you want to convince people to run your lists, think about 
the thousands of small scale systems out there, that don't bother to look 
behind your shiny. I understand why no one is willing to report abusers 
to your list. I searched 4 minutes, and couldn't find an abuse link at 
all. I'm a lazy bastard easily scared away by suits and huge colorful 
creep, and I might not be alone with that.


-- 
Arvid
Asgaard Technologies

actual facts (was Re: HABEAS_ACCREDITED SPAMMER)

Posted by "J.D. Falk" <jd...@cybernothing.org>.
On Dec 4, 2009, at 1:18 AM, jdow wrote:

> And JD, I don't see on your site what it "costs" people to get listed
> on your DNS approval lists other than some tests and documentation. Is
> it possible spammers simply submit some buttered up documentation, get
> approved, and accept getting it knocked back off your lists rapidly as
> a business "time" expense?

No, there's a lengthy application process and a lot of monitoring involved.  I'd be happy to ask someone from the Certification team to join the list and explain further as soon as I can be certain they won't be harassed and insulted here.  In the meantime I'll answer as well as I can, considering that I work on entirely different products at Return Path.

> I note that JD is quite willing to discuss (and seemed to recommend)
> a lowered default score. That seems quite reasonable.

The current defaults for both the HABEAS and BSP rules were set long before Return Path operated either service, so we have no clue where they came from either.


On Dec 4, 2009, at 9:08 AM, Charles Gregory wrote:

> As soon as any whitelist service like 'returnpath' accepts a client, they perform the following:
> 
> 1) Review the client's address list - look for honeypot addresses.
>   If any are found, clearly the client has not vetted their list.

Our staff doesn't review their list, but we do operate a great many honeypots of our own -- and we receive feeds of honeypot messages from ISPs and other data partners.  So, spammers can't hide that way.

We also get feeds of complaints, where users click "this is spam" in a partner ISP's webmail interface.  Spammers can't hide that way, either.

(You can see the results of much of this data at senderscore.org.)

I saw some other interesting ideas in the conversation, but they all assume the accreditor is able to change messages or otherwise interrupt the sender's mailstream.  We don't have that ability, and don't want to.  They have to police themselves, or else they get kicked off the list.  Simple, neh?


On Dec 4, 2009, at 10:06 AM, Greg Troxel wrote:

> Probably "SOI" should be entirely dropped.

There's only one Safe list (which SA still calls Habeas.)  In other words: no difference between the SOI and COI lists.  Or at least, that's how it's supposed to be -- so Kris's results were somewhat surprising.


On Dec 4, 2009, at 11:08 AM, Charles Gregory wrote:

> By the by, I think I posted on this list a while ago on a similar question, as to whether we could really trust *any* whitelists, as they simply made for a *deliberate* target of botnet owners. No one made a fuss about it before, but what about now? Maybe, once again, the flaw is in having a whitelisting system that relies upon third party servers with unknown security.

We're EXTREMELY concerned about this as well, and we've got a 24x7 operations staff keeping an eye on things.  That's one of the reasons we charge money for the service: it lets us buy hardware and software and hire staff to keep it running smoothly, and securely.

--
J.D. Falk <jd...@returnpath.net>
Return Path Inc

Re: J.D. Falk spineless insults (Re: HABEAS_ACCREDITED SPAMMER)

Posted by jdow <jd...@earthlink.net>.
From: "LuKreme" <kr...@kreme.com>
Sent: Thursday, 2009/December/03 20:55


> On Dec 3, 2009, at 13:43, "richard@buzzhost.co.uk" <richard@buzzhost.co.uk> wrote:
>> On Thu, 2009-12-03 at 11:23 -0700, J.D. Falk wrote:
>>> On Dec 2, 2009, at 12:59 AM, richard@buzzhost.co.uk wrote:
>
> Look, get a room. Or at least take this twisted courtship dance  offlist 
> and spare us, please.

With all the animosity on this issue I decided to give the HABEAS
rules a score, a negligible score to be sure, just to see what the
state of HABEAS is for me today.

In the last four days - nothing either spam or ham.

Those seeing HABEAS hits: are the hits ancient haiku hits or are they
the modern DNS test version? I imagine the haiku is still used by
some spammers. The DNS tests should legitimately show a rather small
percentage of spam. It appears (weasel word notice) ReturnPath puts
its members through a wringer to get the approval levels.

And how was the email determined to be unsolicited? (I believe in one
case it was a "never used spam trap address.")

Let's lay some facts out on the table rather than heap a load of
anecdotal poo on JD over various HABEAS hits.

And JD, I don't see on your site what it "costs" people to get listed
on your DNS approval lists other than some tests and documentation. Is
it possible spammers simply submit some buttered up documentation, get
approved, and accept getting it knocked back off your lists rapidly as
a business "time" expense?

Less shouting and more data and facts seems to be called for on both
sides. And for the nonce I'll grant both sides the legitimacy of their
frustrations on this HABEAS thing.

I note that JD is quite willing to discuss (and seemed to recommend)
a lowered default score. That seems quite reasonable.

{^_^}    (Another JD, Jolly Dirty Old Woman type.) 


RE: J.D. Falk spineless insults (Re: HABEAS_ACCREDITED SPAMMER)

Posted by R-Elists <li...@abbacomm.net>.
 

> From: LuKreme 
> 
> Look, get a room. Or at least take this twisted courtship 
> dance offlist and spare us, please.
> 

LuKreme,

certainly we understand your point here, yet what about accountability for
Return Path Inc (and other RPI companies) related rules in the default
Spamassassin configs?

we all know we can change them, yet why are they even there as a default?

how did they get in there in the first place?

i do not know and/or forgot specifically where to check...

last but not least, has any of that been changed in the upcoming future
version(s) of Spamassassin?

tia

 - rh
 


Re: J.D. Falk spineless insults (Re: HABEAS_ACCREDITED SPAMMER)

Posted by LuKreme <kr...@kreme.com>.
On Dec 3, 2009, at 13:43, "richard@buzzhost.co.uk" <richard@buzzhost.co.uk> wrote:
> On Thu, 2009-12-03 at 11:23 -0700, J.D. Falk wrote:
>> On Dec 2, 2009, at 12:59 AM, richard@buzzhost.co.uk wrote:

Look, get a room. Or at least take this twisted courtship dance  
offlist and spare us, please.

>>

Re: J.D. Falk spineless insults (Re: HABEAS_ACCREDITED SPAMMER)

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Thu, 2009-12-03 at 11:23 -0700, J.D. Falk wrote:
> On Dec 2, 2009, at 12:59 AM, richard@buzzhost.co.uk wrote:
> 
> > As for
> > insulting you - grow up. You work in the business of sending unwanted
> > junk email.
> 
> You haven't done any research at all, have you?
> 
> http://www.cauce.org/about/bod.html
> http://www.circleid.com/members/3217/
> 
> I expect an apology.
> 
> --
> J.D. Falk <jd...@returnpath.net>
> Return Path Inc
> 
> 
> 
> 
Me too. I'll give you a hand written apology if you give me an individual
handwritten apology for every item of UCE I've had from a RP customer?
Sound fair?

Whilst your links fill me with laughter - the first Google I do for
'return path' says it all:

"Return Path
Improve email delivery and avoid email blacklists with Return Path."

So you sold out El Spamtard?