Mailing List Archive

why i dont understand is why this total -8.0 ? and nonspam


X-Spam-Level:
X-Spam-Status: No, hits=-8.0 required=4.8 tests=HABEAS_SWE
autolearn=ham version=2.63

On Thu, 2004-03-11 at 16:59, Steve Thomas wrote:
> On Thu, Mar 11, 2004 at 01:52:00PM -0800, Kelson Vibber is rumored to have said:
> >
> > At 01:27 PM 3/11/2004, Gregory Sloop wrote:
> > >I've NEVER, to my knowledge, ever received a SWE marked mail that was
> > >legitimate.
> >
> > Not even Justin's post in this thread a two hours ago?
>
> Or any of mine?
>
> Remember that you're not likely to notice them when they're part of a legitimate message, but they stick out like a sore thumb when you're perusing your false negatives. The fact that you're reading this (assuming you didn't +5 the HABEAS_SWE rule) means that you're getting legitimate mail from people/orgs that use the mark properly.
>

Steve Thomas said:
<snip>
>
> The fact that you're reading this (assuming
> you didn't +5 the HABEAS_SWE rule) means that you're getting legitimate
> mail from people/orgs that use the mark properly.
>

But why are people using it?
Do you regularly send email that has so many of the characteristics of
spam that it needs Habeas to get it through?
I can see why some mailing lists or marketing organizations might use it
but I really don't understand why an individual would.

FWIW, I don't pass this list though SA.

I don't closely examine all the headers in all the mail I receive. I do tend
to check out mails that are spam that skip by SA. In a very large percentage
of the ones checked lately - like50%+ - the SWE mark is used.

I've now changed my SWE score to 0, but still, a small positive number isn't
likely to push anyone over unless you have other spammy-ness
characteristics.

Other than people on this list-serv, which I wouldn't be impacted negatively
by a FP, I don't know a single person or business with whom I do business
that uses SWE.

In short, no personal or business related mail I want to receive has SWE.

I *do* understand your rant about wanting a perfect world, and that giving
positve scores to SWE seems unfair. I tend to agree. *But*, given my and I
expect most others' experiences with SWE, it's much more likely to be a spam
indicator than not.

Cheers,
Greg
=================================================================
Sloop Network & Computer Consulting
Gregory Sloop, Principal
networkguru@sloop.net / www.sloop.net
PO Box 16990 Portland OR 97292
v. 503.251.0452
================================================================
----- Original Message -----
From: "Kelson Vibber" <kelson@speed.net>
To: <spamassassin-users@incubator.apache.org>
Sent: Thursday, March 11, 2004 1:52 PM
Subject: Re: Habeas status?


> At 01:27 PM 3/11/2004, Gregory Sloop wrote:
> >I've NEVER, to my knowledge, ever received a SWE marked mail that was
> >legitimate.
>
> Not even Justin's post in this thread a two hours ago?
>
> Kelson Vibber
> SpeedGate Communications <www.speed.net>
>

I may be misinterpreting your question, but
a negative score is not an indicator of spam,
but rather a strong indicator of non-spam.
So a -8 is supposedly very strongly non-spam.

Is that what you were asking?

-glenn

Butrus orman wrote:

> why i dont understand is why this total -8.0 ? and nonspam
>
>
> X-Spam-Level:
> X-Spam-Status: No, hits=-8.0 required=4.8 tests=HABEAS_SWE
> autolearn=ham version=2.63
>
> On Thu, 2004-03-11 at 16:59, Steve Thomas wrote:
>
>>On Thu, Mar 11, 2004 at 01:52:00PM -0800, Kelson Vibber is rumored to have said:
>>
>>>At 01:27 PM 3/11/2004, Gregory Sloop wrote:
>>>
>>>>I've NEVER, to my knowledge, ever received a SWE marked mail that was
>>>>legitimate.
>>>
>>>Not even Justin's post in this thread a two hours ago?
>>
>>Or any of mine?
>>
>>Remember that you're not likely to notice them when they're part of a legitimate message, but they stick out like a sore thumb when you're perusing your false negatives. The fact that you're reading this (assuming you didn't +5 the HABEAS_SWE rule) means that you're getting legitimate mail from people/orgs that use the mark properly.
>>

On Thu, Mar 11, 2004 at 10:13:36PM -0000, Peter Campion-Bye is rumored to have said:
>
> But why are people using it?

Because it's an indicator of being a legitimate sender. Whether it be an individual or large marketing firm is irrelevant, IMHO. I'm a real person sending legitimate mail to various persons or organizations, so why shouldn't I use it?


> Do you regularly send email that has so many of the characteristics of
> spam that it needs Habeas to get it through?
> I can see why some mailing lists or marketing organizations might use it
> but I really don't understand why an individual would.

Regularly? I don't think so. But you never know - I could forward a spammy joke, or a news article with the "V" word, or be forced to relay through a server that's on a bunch of DNSBLs (at a hotel or hotspot, for example), or...

There's a lot of reasons why an individual might want to use it. The more people use it, for personal or commercial reasons, the stronger of an indicator it becomes. I use it because there's no reason not to, except for the occasional (adjective deleted) admin who gives the test a positive score. ;)


--
"A doctor can bury his mistakes but an architect can only advise his clients to plant vines."
- Frank Lloyd Wright (1868-1959)

Heh, I have noticed that for a company that seems firmly based in winning
lawsuits they have trumpted to the news media precious few, like zero,
wins for their supposed copyright suits. Heck, the news media do not even
know they exist. I've never seen them mentioned on the IRIA Security In
The News summaries. That's another nail in their coffin.

{^_^}
----- Original Message -----
From: "Aleksander Adamowski" <aleksander.adamowski.spamassassin@altkom.pl>


> jdow wrote:
>
> >I am ready to run their score up positive 1 or so. On one hand Their
> >logic is faulty, I believe - unless they are spammers.
> >
> I'm beginning to suspect that Habeas is just a mystification set up by
> spammers in order to temporarily let them get their spam through the
> filters whose authors caught Habeas's bait.
>
> Had anyone seen any evidence that Habeas is a legitimate company? If so,
> please, share with us.
>
> --
> Best Regards,
> Aleksander Adamowski
> GG#: 274614
> ICQ UIN: 19780575
> http://olo.ab.altkom.pl

From: "Bob Apthorpe" <apthorpe+sa@cynistar.net>

I read all the above stuff on their site and left it alone as a
spamdicator. Since then I have noticed that outside of this list
it does not seem to be used much at all. It is not known by the
media or else they do not take it seriously. So....
> ----- Sensitive viewers should tune out now -----
>
>
>
>
>
>
>
>
>
>
> I've seen very little Habeas marked spam, hardly any worth mentioning.

True, and 90% of that has been markable as spam with the proviso that
I have no idea how many messages to this list use it. This list bypasses,
for now, the spamassassin tests in case I ever turn on awl again.

> What I have seen though, is every ignorant loudmouth dumbass come out of
> the woodwork and trash Habeas in a public forum without doing a shred of
> research into the company, their history, and their business model. Habeas
> is as much a victim as spam recipients are, moreso because they can
> actually show how their business has been damaged by misuse of their IP.
>
> "Your system, your rules" but IMO anyone who scores HABEAS_SWE as positive
> is a moron and anyone who advocates that stupidity to others shouldn't be
> trusted to operate a mailserver. Set the score to zero and get on with
> your lives; I'm tired of hearing about it.

I guess I am a moron, Bob. I go with what I see. I do not see any evidence
outside of their website that they exist, win lawsuits, deter spammers, and
so forth. I have seen about 10 messages with it in the headers, one was to
this list when I made a global search of my mail database, and about 7
were already marked as spam with remarkably high scores. The remaining 2
found their way to legitimate email folders and upon examining them found
they were Habeas marked. That led me to their web site. My first reaction
was, "What a perfect setup for spam organizations!" That still remains
much of my reaction based on personally collected evidence in my possession.

If I see objective evidence that they have won some lawsuits thoroughly
enough that spammers were seriously financially injured by the win, $1e6
or more, then I might start believing them. It'd take something that big
to deter the bastards.

{^_^}

On Fri, 2004-03-12 at 01:54, jdow wrote:
> Heh, I have noticed that for a company that seems firmly based in winning
> lawsuits they have trumpted to the news media precious few, like zero,
> wins for their supposed copyright suits. Heck, the news media do not even
> know they exist. I've never seen them mentioned on the IRIA Security In
> The News summaries. That's another nail in their coffin.

Your judgement is flawed, and your methods are reprehensible. By marking
Habeas mail positive, you're effectively killing it. So, you might not
agree with it, so just give it a 0.00 score, simple. Spammers are
gaining new ways of getting their trash into our inboxes everyday, we
need all the help we can get.

If you opened your eyes, you'd see that it's not escaped the attention
of the media:
http://www.wired.com/news/technology/0,1282,54645,00.html
http://www.internetnews.com/IAR/article.php/2199181
http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=8600167
http://www.guardian.co.uk/online/story/0,3605,884672,00.html
http://www.emailsherpa.com/sample.cfm?contentID=2253

FYI they have *fought* and *won* lawsuits against spammers, which is
directly impacting the root of the problem (the spammer), instead of
just fighting the symptoms.

As Bob said, instead of uttering comments about an anti-spam technology
that you know nothing about, go and invest some time in learning about
what they are doing about the problem, then (and only then) can you have
the right to trash them in a public forum.

-j

--
-jamie <jamie@silverdream.org> | spamtrap: spam@silverdream.org
w: http://silverdream.org | p: sms@silverdream.org
pgp key @ http://silverdream.org/~jps/pub.key
01:30:01 up 8 days, 10:50, 11 users, load average: 0.22, 0.22, 0.27

From: "Butrus orman" <landy@despiertapr.com>
To: "Steve Thomas" <lists@sthomas.net>
> why i dont understand is why this total -8.0 ? and nonspam
>
>
> X-Spam-Level:
> X-Spam-Status: No, hits=-8.0 required=4.8 tests=HABEAS_SWE
> autolearn=ham version=2.63
>
> On Thu, 2004-03-11 at 16:59, Steve Thomas wrote:
> > On Thu, Mar 11, 2004 at 01:52:00PM -0800, Kelson Vibber is rumored to
have said:
> > >
> > > At 01:27 PM 3/11/2004, Gregory Sloop wrote:
> > > >I've NEVER, to my knowledge, ever received a SWE marked mail that was
> > > >legitimate.
> > >
> > > Not even Justin's post in this thread a two hours ago?
> >
> > Or any of mine?
> >
> > Remember that you're not likely to notice them when they're part of a
legitimate message, but they stick out like a sore thumb when you're
perusing your false negatives. The fact that you're reading this (assuming
you didn't +5 the HABEAS_SWE rule) means that you're getting legitimate mail
from people/orgs that use the mark properly.
> >

No - it simply means I have spamassassin bypassing this list.
{^_-}

From: "Butrus orman" <landy@despiertapr.com>
> The fact that you're reading this (assuming you didn't +5 the HABEAS_SWE
rule) means that you're getting legitimate mail from people/orgs that use
the mark properly.

Sorry, Butrus, your message was NOT Habeas signed by the time it got
into my system. After my previous reply to it I decided to check out
your assertion. Ah well....

{^_^}

On Thu, Mar 11, 2004 at 06:15:05PM -0800, jdow is rumored to have said:
>
> I read all the above stuff on their site...
> <snip>
> ...I do not see any evidence outside of their website that they exist,
> win lawsuits, deter spammers, and so forth.

Erm...

http://www.habeas.com/companyPressPR.html#victory1

Give the new kid on the block a chance to play. Any business model based on the legal system is not going to provide results overnight - give them a few years to prove whether or not their model will work. So far, it looks like it's working reasonably well.

--
"There are two ways of constructing a software design; one way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult."
- C. A. R. Hoare

On Thu, Mar 11, 2004 at 06:36:16PM -0800, jdow is rumored to have said:
>
> From: "Butrus orman" <landy@despiertapr.com>
> > The fact that you're reading this (assuming you didn't +5 the HABEAS_SWE
> rule) means that you're getting legitimate mail from people/orgs that use
> the mark properly.
>
> Sorry, Butrus, your message was NOT Habeas signed by the time it got
> into my system. After my previous reply to it I decided to check out
> your assertion. Ah well....

Uh, that's because Butrus didn't write that - I did. (Check the headers of this one.)

Oh, and you're still reading this, so regardless of whether or not you have list mail bypassing SA, you're getting legitimate mail with the SWE mark in it.

St-


--
"Assassins!"
- Arturo Toscanini (1867-1957) to his orchestra

From: "Steve Thomas" <lists@sthomas.net>

> On Thu, Mar 11, 2004 at 06:15:05PM -0800, jdow is rumored to have said:
> >
> > I read all the above stuff on their site...
> > <snip>
> > ...I do not see any evidence outside of their website that they exist,
> > win lawsuits, deter spammers, and so forth.
>
> Erm...
>
> http://www.habeas.com/companyPressPR.html#victory1
>
> Give the new kid on the block a chance to play. Any business model based
on the legal system is not going to provide results overnight - give them a
few years to prove whether or not their model will work. So far, it looks
like it's working reasonably well.

I may have given it a +1 score for now. Do note that I review all the
marked spam by subject and sender before discarding it. I also sometimes
review the SpamAssassin applied wrapper. (Sometimes I review due to an
expected astronomical score and other things because of some doubt about
the potential it was a ham message. At the moment I am running with no
false positives for spam for well over a month now. I've had several
false negatives popping up from time to time. I feed them back into a
newly automated spamlearning trick using Outlook Express, imap, and a
tiny C futility I built so SA does not repeatedly "learn" on the mbox
format message 1 that my available IMAP tool insists should be there.
Once I train with a message I seldom have Bayes fail to catch it when
I retest the spam explicitly.)

So if I start to see X-Habeas marked false positives you can bet I will
modify the scoring. I would like to see them win. However, the latest
craze of spam generating viruses makes it rather hard to track down the
authors of the spam to nail them. And going after the manufacturer of
the spammed product is also a bad thing because they might have a
competitor or enemy who wants to injure then indirectly. A worst case
analysis of the Habeas model suggests it's worthy of only a small score
plus or minus in the long run. (Please do be aware of the fact that I
an a well known slightly paranoid searcher for worst case scenarios
when presented with new ideas. So I zero in on the flaws rather quickly,
unless, alas, they are my own ideas. If I could only go after my own
ideas as harshly I'd be better at my job - fewer bugs.)

{^_^}

Hi,

On Thu, 11 Mar 2004 18:15:05 -0800 "jdow" <jdow@earthlink.net> wrote:

> From: "Bob Apthorpe" <apthorpe+sa@cynistar.net>

> > "Your system, your rules" but IMO anyone who scores HABEAS_SWE as positive
> > is a moron and anyone who advocates that stupidity to others shouldn't be
> > trusted to operate a mailserver. Set the score to zero and get on with
> > your lives; I'm tired of hearing about it.
>
> I guess I am a moron, Bob. I go with what I see. I do not see any evidence
> outside of their website that they exist, win lawsuits, deter spammers, and
> so forth.

Here's a technical argument for you then.

The Habeas mark is not widely used but up until, what, mid-January? The
vast majority of this list's readership had only seen the Habeas mark on
ham, if they had seen it at all. So at the time SA 2.60 came out, ham
very occasionally had the Habeas mark and spam virtually never did. That
is, up until that point the HABEAS_SWE test was a pretty good one for
detecting ham.

Then around 1/10/2004 some ballsy dirtbag(s) started spamming using
Habeas marks to pick up some negative points in SA. There was no mad
rush among legitimate mailers to remove the Habeas mark from their mail
since a) many of them paid for it, and b) up to that point there was no
reason to expect it on spam based on observed spam. So from 1/10
onwards, the Habeas mark was no longer as good a sign of ham since it
was appearing in both ham and spam.

Q: What does the GA[1] do to tests that match equal amounts of ham and
spam? Hint: Look at the score for BAYES_50.

If the HABEAS_SWE test is hitting both spam and ham, it's no longer a
good indicator and should be zeroed out. It gives you no useful
information in telling ham from spam and setting it to anything but zero
will degrade SA's accuracy.

That's the technical argument for setting HABEAS_SWE's score to zero, if
you feel the need to change it at all.

> If I see objective evidence that they have won some lawsuits thoroughly
> enough that spammers were seriously financially injured by the win, $1e6
> or more, then I might start believing them. It'd take something that big
> to deter the bastards.

I take it you've never spent time around lawyers. I shared an office
with one for a few years and I learned a little about how they operate.
They're normal people, which is to say they're lazy. Their
clients/employers are normal too, which is to say they're cheap. If what
you want is for a spammer to stop diluting the value of your trademark
or to stop illegaly copying your copyrighted poem, you find them and
tell them to stop in increasingly more formal and expensive ways until
either they stop or you decide that it's no longer worth your money to
pursue the issue.

Usually this starts with a simple phone call, maybe a few letters
through registered mail, and (rarely) with the filing of a civil suit.
Usually once the suit has been filed, the defendent figures out that
you're serious and settles. You as a member of the unwashed general
public will not see that, but each time a would-be defendent settles,
the plaintiff's lawyers 'win.' The got what they wanted without spending
a lot of money or time trying to find parking near the courthouse. Both
sides will often declare victory after a settlement, and in a weird way,
they're often both right, but not for the reasons they state in public.

Pursuing a suit to conclusion is often a losing battle for the plaintiff
due to a lovely two word phrase: "judgment proof." This means that the
although the plaintiff spent $150k winning a case where the judge
awarded them $1M in damages (plus court costs!), it turns out the
defendent's assets consist of an El Camino on blocks, a can of Skoal,
and a half-eaten 9-pc. bucket of The Colonel's finest (the double-wide
is a rental.) It doesn't matter what you win, it matters what you can
collect, and if you can't collect more than you've spent (often the
case) then you effectively lose. And since it takes a lot of time and
money to pursue a case to the end, and there may be no way to tell how a
judge or jury will react, it's often in both parties' interest to settle
(judges and juries are lazy too.)

For that reason it's unlikely you'll ever see any big rewards. And from
an IANAL legal perspective, Habeas is on strong legal footing so it's
doubtful that you'll see much court action beyond filing suits and
having spammers settle. The weaknesses are that if enough spammers start
abusing the mark, it takes a prohibitive amount of work to track them
all down and file suits, especially if they're outside the US.

Conveniently, most spammers are in the US (see
http://www.spamhaus.org/rokso/index.lasso) and there are only a few of
them abusing the Habeas mark, otherwise we'd see it on a lot more spam.

Regardless, if HABEAS_SWE is causing you problems, the best thing to do
is set the test's score to zero, forward the spam to Habeas as evidence
of abuse, and get back to the PS2. Complaining about Habeas, criticizing
their business model, giving technically unsound advice on scores, etc.
does nobody here any good because nobody here can fix any of that. That
is the reason I'm tired of this topic and why I'm wasting so much time
trying to kill it.

Sorry for the length; most people are blissfully unaware of the workings
of the US legal system (myself included) - corrections and elaborations
by real lawyers & paralegals are appreciated and will not be taken as
legal advice, yadda, yadda...

-- Bob

[1] Genetic algorithm - that which automagically sets most of SA's rule
scores. Since replaced by a perceptron-based system that's as accurate
but much much faster.

lists@sthomas.net said:
> There's a lot of reasons why an individual might want to use it. The more
> people use it, for personal or commercial reasons, the stronger of an
> indicator it becomes. I use it because there's no reason not to, except for
> the occasional (adjective deleted) admin who gives the test a positive score.
> ;)

I said:

omcshane@vianetworks.co.uk said:
> I for one give Habeas a + score.

That's I as in me, in my own user_prefs, for my own personal mail. I do not impose it system wide (in fact the default -8 is still in place).

As has been said previously, Habeas is, for me, a strong indicator of spam. The only ham I have ever received with the mark has been to this list, and I have all_spam_to spamassassin-*@incubator.apache.org

I'm sorry if that upsets people that use it legitimately, and I like the concept of it, but that's just the way it is.

Owen

--
Via Net.Works UK Ltd
Local Touch Global Reach
Owen McShane Systems Administrator
http://www.vianetworks.co.uk Tel +44 (0)1925 484444