Neil Turner's Blog

Blogging about technology and randomness since 2002

Habeas being exploited

Some scum-of-the-earth spammer has been using Habeas headers in their email to get around junk email filters. For the uninitiated, Habeas licenses watermarks to content publishers, allowing them to mark their messages to prove that they are legitimate. Only those that comply with Habeas’ terms of service can sign up, and their customers (I believe) include Lockergnome. Mail filters like SpamAssassin automatically lower the score of any email that has a Habeas header, since the email is likely to be legitimate.
Which is why an email that had all the hallmarks of a message designed to get around Bayesian filters (words with punctuation inserted in them, mystery blocks of random text, random poetry, random tags etc.) came into my inbox today with a SpamAssassin score of just 0.4 – despite being received from an IP address in several blocklists, including SpamCop. So, naturally, I reported said email, and got an automated response saying that they will investigate. The response also mentioned that a particular spammer is illegally using a Habeas watermark for promoting his pharmacy sites, which looks like what I got.
Actually, as I write this I’ve had another email with similar characteristics, with a score of -1.9. Fortunately both were identified as spam by Thunderbird’s Bayesian filter, and I’ve reported this email too in case Habeas can find a pattern and then take action. It’s just a pity that yet another anti-spam system has been exploited.
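
The scoring failure described above, as an added example that is not from the original post or from SpamAssassin: an additive scorer that credits an unauthenticated watermark header, next to a variant that withholds the credit when the relay is blocklisted. The weights, rule names, blocklist and both messages are constructed; `X-Habeas-SWE-` is the watermark's header-name prefix, which the post does not spell out; gating on the blocklist is an assumed local policy.

```python
import re
from email import message_from_string

# Constructed weights for illustration; not SpamAssassin's real scores.
WEIGHTS = {
    "OBFUSCATED_WORD": 3.0,     # punctuation inserted inside words
    "RELAY_BLOCKLISTED": 2.5,   # connecting IP appears on a blocklist
    "WATERMARK_HEADER": -8.0,   # credit for carrying the watermark header
}
THRESHOLD = 5.0                 # at or above this, treat the message as spam
OBFUSCATED = re.compile(r"\b(?:[A-Za-z]{1,3}[.\-_*]){2,}[A-Za-z]{1,3}\b")
BLOCKLIST = {"203.0.113.7"}     # constructed; stands in for DNSBL lookups

# Constructed sample messages (documentation IP ranges, placeholder watermark).
FORGED = ("X-Habeas-SWE-1: <watermark text copied from a real sender>\n"
          "Subject: ch.ea.p me.ds\n\nVisit our ph.ar.ma.cy today\n")
LICENSED = ("X-Habeas-SWE-1: <watermark text>\n"
            "Subject: Newsletter issue 12\n\nThis week: new releases and tips\n")


def fired_rules(raw, relay_ip):
    """Return the names of the rules that match one message."""
    msg = message_from_string(raw)
    text = (msg["Subject"] or "") + "\n" + msg.get_payload()
    rules = set()
    if OBFUSCATED.search(text):
        rules.add("OBFUSCATED_WORD")
    if relay_ip in BLOCKLIST:
        rules.add("RELAY_BLOCKLISTED")
    # The header is plain text inside the message, so any sender can include it.
    if any(name.lower().startswith("x-habeas-swe-") for name in msg.keys()):
        rules.add("WATERMARK_HEADER")
    return rules


def score_naive(rules):
    """Sum every fired rule, so the header alone can cancel the spam signs."""
    return sum(WEIGHTS[r] for r in rules)


def score_gated(rules):
    """Assumed policy: no watermark credit when the relay is blocklisted."""
    ignored = {"WATERMARK_HEADER"} if "RELAY_BLOCKLISTED" in rules else set()
    return sum(WEIGHTS[r] for r in rules - ignored)


if __name__ == "__main__":
    for label, raw, ip in (("forged", FORGED, "203.0.113.7"),
                           ("licensed", LICENSED, "198.51.100.20")):
        rules = fired_rules(raw, ip)
        print(label, sorted(rules), score_naive(rules), score_gated(rules))
```
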

3 Comments

  1. Let’s hope for another victory then 🙂
    I’ve a ton of this spam and will be reporting it in bulk via mail.
    Have you noticed the word ‘habeas’ in a lot of the anti-bayesian text? Worthy of a SA rule that is…

  2. Neil, thanks for pointing this out. Early this week a flood of spam was unleashed on my inbox. SpamAssassin usually blocks about 500 spam emails per week… with *maybe* one per week getting through. But as of Monday I’ve had 30-50 getting through per DAY. It’s crazy. Most are “pharmacy.biz” sites using the forged habeas headers… but much of it not. For the prescription stuff I suspect Alan Ralsky.
    I have SpamAssassin set up, but it relies heavily on blacklists. I suspect the last wave of viruses has exploited hundreds of new ‘zombie’ computers which are being used as spam relays, and which aren’t in any blacklists yet. I’ve also seen recent reports of comment spam on the rise from “hundreds of different IP addresses”… probably the same zombies running an MT-comment spamming script. And my SpambotTrap has been getting hit by all sorts of bots this week. Someone in the spamming business got active recently.
    Time to do some SpamAssassin tweaking…

  3. The same thing happened to me. You can set HABEAS_SWE to 0 in your spamassassin config files.
    I have never received real email with habeas headers, but I received a ton of spam with them.
    The threat of copyright infringement lawsuits is not enough to prevent spammers from adding these headers. The threat of lawsuits isn’t doing much to slow down kazaa users, and it’s much easier to track them down than most spammers.
    If habeas wants to have a viable business, they need a hard-to-fake, easy-to-verify method to identify “clean” email senders that pay habeas for the referral.
    Habeas operates a DNS whitelist, but *I* have to pay to use it – no thanks. Habeas should charge the sender, not the recipient.
    At this rate, it won’t be long before my bayesian learner (and others) rejects habeas email entirely.