Copyrighted Haiku Delivers Spam Through Filters

An anonymous reader writes "Remember that antispam company that includes a copyrighted haiku (which I can't quote here due to copyright reasons...) in emails vouching for their nonspaminess and thus bypassing spamfilters? The idea is that a spammer using said haiku to get through spamfilters can be prosecuted under the more stringent copyright laws instead of the weaker antispam ones. Well it seems said haiku has lately been figuring in a large spam run trying to pitch the usual medical remedies for various unfortunate ailments. What do you think? Is it time to start filtering for haikus or will Habeas succeed in thwarting the spam attack?" We mentioned this brilliant anti-spam scheme last April.

Re:frist port?

[wheresdrew]

You made the first post
Hey, mother Anonymous!
You proud of your son?

screw the copyright - here are the haikus ;)

Train of slick spam (a heller mail than mine), now corpus on third rail - Bill Bailey

art science and law forged together into one synchronicity - Justin S. Houk

Like oceans of wind Habeas SWE clears Email server jams. - Barbara Kane Pilliod

As Habeas shows that spam email can be banned with lawsuits at hand - Stanislaus Jaworski

Messages pile up. Unauthorized, unwanted. Now undelivered. - John H. Lee

Habeas striving to rid my inbox of spam. Hope it will succeed. - Steve Wilhelm

Hasty limerick My gift to all Habeas An honor for me. -Sandy Bumgarner

Habeas Web Page Elegant as your concept Navigating joy. -Sandy Bumgarner

Incorporeal Dear old friends send mail. As do incorporeal robot pretenders. -James Kobielus

Too much spam today Sender Warranted Email Spam-free tomorrow -Stacey Irvine

email said hello, email police jumped on it, now, no one writes me . . . . -Michael Siwinski

I get no email, any day that ends in y, fixed spam problem though . . . . -Michael Siwinski

I lost my baby, I lost my bathwater too, might be my filter? -Michael Siwinski

Awesome find today.. One expanded header full.. Hinted things to come! -Cindy Sue Causey

Habeas info.. In a header full of Shtuff.. Brought new hope at last! -Cindy Sue Causey

I built a new soul Using the remaining pieces Of my Habeas -Anthony Oertel

habeas makes herring out of yucky spam happy penguin -Philipp Droessler

spam free mail inbox clean like the first spring rain thanks to habeas -Philipp Droessler

unwanted porn ads and get rich quick nevermore thank you habeas -Philipp Droessler

Re:screw the copyright - here are the haikus ;)

[D-Cypell]

Psssst... Now quickly, tell 'em about the viagra!

Re:screw the copyright - here are the haikus ;)

[commodoresloat]

What's wrong with you fools
Last April we wrote haikus
In response to this

we get one more chance
to write haiku for karma
and we blow it big

I was hoping to
waste my valuable work time
reading horrid verse

Habeus have won once already

[Rogerborg]

Which would have taken any semi-literate reporter or editor ten second to find on their site. I guess that would have spoiled the illusion of a breaking story though.

Re:Habeus have won once already

[Rogerborg]

That's just dissembling. The article gives the impression that this is the first time this has happened (implicitely, by not mentioning anything between now and last April). Basic journalistic integrity means not ignoring relevant aspects of a story just because they happen to lessen the impact.

Interesting

[Urkki]

It's an interesting idea, I really hope it'll work too.

Unfortunately I think they might need to make it so that they couple it with a white-list, ie *all* mail with their signature that is *not* on their whitelist is assumed to be spam... Otherwise there will just be too much spam specifically intended to make their service useless, actually harmful to their customers... There'll even be fake spam designed to be hard to track, just to force people to filter out any mail with their delivery and thus forcing them out of business :-/

It was always going to happen

[Ckwop]

Darwinian Selection is the governing rule of spam.. If appending a Haiku makes a message 'fitter' it will survive the slaughter more readily and therefore make it into your inbox more often.. until some realises what's going on and combats it with a new filter.. and then the process starts all over again.. :) For this reason, I think we're going to be fighting spam for a long time to come :) Simon.

Copyright infringement on the internet?

[product+byproduct]

Unbelievable.

Re:Copyright infringement on the internet?

[Rufus211]

I think the word you are looking for is inconceivable!

Re:Copyright infringement on the internet?

[balthan]

You keep using that word. I do not think it means what you think it means.

I've gotten a few

[ghettoboy22]

About 5 in the past couple days. I noticed the unusual X-headers and finally remembered what it was. Increased the SA score yesterday and now I get none! woot!

I can see this company being semi-successful in taking spammers to court under copyright lawsuits, however like the article says the latest rash is (not suprisingly) zombied broadband hosts, making their chances of finding someone to sue almost nil.

Re:I've gotten a few

[Tripster]

making their chances of finding someone to sue almost nil

Not quite, the spams are selling a product at some point, someone is somehow receiving payment for doing the advertising and there is where you get them, whether it be the actual spammer or the company being advertised.

If the spammer is paid per lead there you have them, if they are paid per sale same thing, somehow the money gets to the spammer and there will be a trail to it. Even if they use false aliases they just add fraud to the list, they still have to pick up the money at some point.

The choice for the companies involved should be disclose the information for the spammer you hired or you get fined or criminally charged instead.

The spammers could flood the world with false spam runs targetting innocent companies, hiding their true money making runs, but I think those would stand out as the ones selling Viagra/Penis Patches/etc. as they do now.

We need something and soon, it's a losing battle on the mailservers, I tend to a local dialup ISPs incoming scanning server, they have slowly been losing clients over the years as broadband has taken hold and yet the mail server resource requirements continues to grow at an alarming rate, we turn away 80% of the SMTP connections that come in as it is and still a large percentage of what comes in is still spam. His customers are demanding a solution and the sad thing is the stuff that gets past all the RBL/SpamAssassin checks is the freaking adult stuff most people want rid of the most, especially parents.

Re:I've gotten a few

[Nefarious+Wheel]

If they're found, they'll be lucky if they only get sued.

Thought -- Imagine if they end up in jail; considering how many inmates' only contact with the outside world is via the Internet, what would be the inside lifespan of a convicted spammer?

bayesian filters

[ddent]

I just checked through the mail I've received in the last while, and there is only one newsletter I am on using Habeas -- other than that, I have only received Habeas headers in spam.

Guess what my bayesian filter is going to start thinking of those headers soon... this could prove to be a problem for them if they don't get things fixed ASAP.

Re:bayesian filters

[silentbozo]

I've already manually kicked the SpamAssassin score for Habeas to -.5. If things don't get better, I may help out the bayes filter by turning Habeas scoring off (set to 0). Habeas should be spitting brass tacks PRwise - every day that goes by without a peep from them just enboldens other spammers thinking about trying the same stunt.

After all, Habeas was whitelisted because they promised legal action against spammers infringing on their copyrights... well, the spammers are infringing. Where are those spam-eating lawyers we were promised?

Never likely to work

[DrPepper]

In theory the Habeas scheme is very clever. It's difficult to get spammers under any anti-spam law (where they exist), so change the ballgame so that you can prosecute under copyright law instead.

Unfortunately though, I suspect it's going to be difficult to track these people down, and even when Habeas do, they will need to mount a prosecution in another country - wherever that happens to be. The spammers may even win given that each country enforces copyright laws differently.

According to the statement given, the latest version of SpamAssassin should be able to filter these out. We're running what I think is the latest (2.61) and it still seems to be letting them through - thanks to the Habeas mark. I'm beginning to think I should just disable the Habeas rules completely and let these get scorded normally.

Re:Never likely to work

[MForster]

Note that using the Habeas Headers to filter out such mail may be a copyright infringement, too.

See also the following Paragraph of the "HABEAS WHITELIST LICENSING AGREEMENT":

Use of the Habeas Whitelist, or the data contained in the Habeas Whitelist, for the purpose of blocking, rejecting, or otherwise failing to deliver email coming from IP addresses listed on the Habeas Whitelist is expressly prohibited.

Re:Never likely to work

According to the statement given, the latest version of SpamAssassin should be able to filter these out. We're running what I think is the latest (2.61) and it still seems to be letting them through - thanks to the Habeas mark.

You have to enable network checks to filter these. Then when someone sends you an email with the Habeas mark, Spamassassin will check to see if the originating IP is on the infringer's list. If it is, then they don't get the credit for using the hiaku.

This assumes that Habeas has listed the spammer's IP address in thier list. I don't know how long it takes for it to get updated.

Re:Never likely to work

[Tackhead]

> I don't want to remove the SA rule for Habeas. They have an interesting and original idea that I would like to see work.

Likewise.

The more people who do remove the SA rule for Habeas, however, the more damage this spammer has done to Habeas' customers -- and consequently, to Habeas.

Every system that starts using X-Habeas-SWE as an automatic "+5.0" (instead of (-5.0)) in their SA scoring mechanism, is another $BIGNUM in damages for which Habeas can sue when this spammer is finally brought to court.

This is the Habeas test case. Either Habeas is able to enforce its trademark and copyright, and sue this spammer off the face of the earth, or Habeas - the company - dies, due to the efforts of one spammer.

Easy to defeat....

[SirFozzie]

Joe-Jobs are made to order... Just send a bunch of mail through a rooted proxy, advertising the competition's stuff, and watch Habeas sic the lawyer dogs of war on your competition. You'd laugh all the way to the bank.

Same type of thing if enough spammers use this trick, the lawyers will be too busy.

Did Habeas actually think this was going to work? I mean, spammers are willing to do ANYTHING to make sure Joe Public reads their garbage. Constantly changing tactics to evade filters, to write viruses specifically to generate more open proxies to send their garbage through, to Denial of Service attacks against those who try to filter out this stuff, to garbage lawsuits. This is nothing compared to those..

Check this out

[ArcticPuppy]

Seems they were hacked

translation of article header

[JimBobJoe]

The idea is that a spammer using said haiku to get through spamfilters can be prosecuted under the more stringent copyright laws instead of the weaker antispam ones.

Which should read:

The idea is that a spammer using said haiku to get through spamfilters can be prosecuted under the more stringent laws that are difficult to enforce instead of the weaker laws which have proven so hard to enforce.

I'm amused by the idea, but it seems to me that if you couldn't get (find) them under anti-spam laws (especially the newest ones) then how could you get them on copyright laws? Are the new anti-spam laws so lacking in punishment that they pale in comparison to copyright laws?

Rule #1.

[valentyn]

The Habeas mark is just a way of making money, it has nothing to do with opt-in or responsible e-mailing. I've tried to contact Habeas in the past about a company that used their mark, while they did not correctly verify their opt-in mailadresses. There was no reply (and IIRC, their web form didn't work at all at the time).

Copyrighted spam

[mutant+mouse]

Next time Alan Ralsky will use copyrighted spam to bypass anti-spam filters. He will sue anti-spam companies and blacklists for including his copyrighted fake sender addresses, and also special characteristics and words like 5p4m or V14gr4.

Extra SpamAssassin rules for this batch of spams

[mehu]

My roommate told me he was getting a bunch of spam last night that was going through SA. I noted that I hadn't. Of course, I got 2 today, and while looking through w/ -t to check everything (it should've been quite obvious), noticed the Habeas X-Headers in there, & found their little notice about this rash of spams. So, rather than just add a score of 0 for HABEAS_SWE, I figured I'd give them a chance & added the following to my ~/.spamassassin/user_prefs, which takes care of the current rash:

body PHARMAWHAREHOUSE /pharmawharehouse.biz/
describe PHARMAWHAREHOUSE Link to pharmawharehouse.biz

body PHARMACOURT /pharmacourt.biz/
describe PHARMACOURT Link to pharmacourt.biz

body VALUEPOINTMEDS /valuepointmeds.biz/
describe VALUEPOINTMEDS Link to valuepointmeds.biz

score PHARMAWHAREHOUSE 10
score PHARMACOURT 10
score VALUEPOINTMEDS 10

Looking through my mail, it turns out some of my valid mail actually does contain those headers (would never have noticed them), and a few spams, even w/ the haiku headers, have been blocked by HABEAS_VIOLATOR (RBL: Has Habeas warrant mark and on Infringer List), so the company does appear to be doing its job..

Re:Fair Use

[Sircus]

bright-ly an-tic-i-pa-ted

5 syllables in anticipated, for a total of 7 on the line, making it (assuming you pronounce SWE as Swee and ignore the tm) 5-7-5, with a mention of seasons. Seems valid to me...

next japanese technique

[]ix[]

Ok, so spammers are using haiku. If we only could convince them that harikiri is a spamfilter prevention technique....

Scaling Up?

[windside]

If they want to up the ante, maybe they should consider using some of the Emperor's Waka Poetry (more syllables == more boring).

Disable habeas rule

[mattiv]

To disable the Habeas rule, edit file $HOME/.spamassassin/user_prefs
add line

score HABEAS_SWE 0

a replacement haiku

[Schlemphfer]

they stole my haiku
my moment of sartori
sold fake viagra

Attack of Haiku-Resistant Killer Spam

[leoaugust]

It just illustrates the lengths the spammers will go to, including taking on Habeas' proven legal capabilities, to distribute their spam.

It is interesting that they tout their proven legal capabilities rather than "proven" technology. Will it be enough to stop the Attack of Haiku-Resistant Killer Spam. RIAA and SCO are trail blazers in using the legal system to stop ....

Our patent-pending Sender Warranted Email(TM) service vets messages for legitimacy, guaranteeing that they're not spam.

Guaranteeing? Sounds like a pretty tall claim now. Not to say what should happen to the pending-patent - a review of the claims perhaps ?

Adding the IP addresses to the HIL (aka Habeas Blacklist) should not impact the legitimate mailing activities of the owners of the compromised PCs.

It would be nice if it works well, but I am curious as to how they are going to distinguish from a single IP address whether the email was sent from the compromised PC when it was "alert" or when it was in a "zombie" state.

Your reporting here of spam you've received with the Habeas Warrant Mark will help us track down and prosecute the responsible parties.

Habeas - Welcome to the Party. In addition to the call for rounding up a posse, if you need some help from the Feds, write in to the FTC at uce@ftc.gov. Despite having the Federal powers to kick a**, I am not really sure how successful they have been.

What Can I Do With the Spam in my In-Box? Report it to the Federal Trade Commission. Send a copy of unwanted or deceptive messages to uce@ftc.gov. The FTC uses the unsolicited emails stored in this database to pursue law enforcement actions against people who send deceptive spam email.

Hey, and I forgot - What happened to the CAN-SPAM ? How long before we have Attacks of the CAN-SPAM-Resistant Killer Spam.

FYI: The spammer's client had been hacked ...

[p2sam]

http://pharmacourt.biz/about.html
http://pharmaco urt.biz/contact.html

Make sure your report to Habeas

[p2sam]

Since they will add the offender's on to the blacklist, make sure you report that spam at http://www.habeas.com/report. That way the next unfortunate receiver of that spam would have adjust their score accordingly.

See: http://www.habeas.com/supportBlackList.html

Re:Just... make... me.... UGHRHGH!@~

[dossen]

Another way these nonsense spams work is, in my experience, by having two different MIME parts, a plaintext part of random words, and an html part with the actual spam content. Since I don't use html mail, it works rather poorly on me, but I did once take a look at the html part, and it was formated text, not random nonsense like in the plaintext part.

Re:Fair Use

[Sheriff+Fatman]

Like autumn harvest,
Writing haikus correctly,
Is very diffic

Why should the spammers worry about copyright?

[MROD]

Now, we've seen spammers use a copyrighted poem in their spam headers. I'd like to know how much they're worried about being taken to court about this. After all, they're not exactly on the right side of the law already...

(1) They subvert other people's computers to relay spam: illegal in most juristictions.
(2) They send out viruses and worms to break into other people's computers: illegal in most juristictions.

So, if they're already doing two illegal things, why should they worry about a third?

Re:Why should the spammers worry about copyright?

[WuphonsReach]

Agreed... and it's something that I think a lot of folks miss. Creating yet another law will not stop X, but it might make it easier to prosecute once X has happened. However, whenever you create a new law to prosecute X, there's a high chance of the system being subverted to also allow Y and Z to be prosecuted, or weirdness where X doesn't get addressed at all.

Spam, in particular, is a combination of technical (SMTP is too trusting), economic (receiver pays the majority of the costs), and social (willing to do anything, don't care about existing laws).

On the technical side, there's small rays of hope. Reverse-MX proposals (SPF, LMAP) or Yahoo!'s domain-keys are trying to eliminate the Mack-truck sized loophole that allows domains to be forged and companies to be joe-job'd. This should also put a dent in the e-mail worm/spam problem or at least force those machines to route e-mail through a (likely) better-administered SMTP server. Bayesian seems to be working well still and has a bit of life left (multi-word / markov bayesian is probably next). Whitelisting of domains gets easier once the forging issue is taken care of. IP blacklists are still around (don't care for them personally, like hunting flies with a shotgun). We may even see e-mail get as far as requiring public-key signatures along with web-of-trust. I'd say that all e-mail will be required to be encrypted to each recipient's private key, but gov'ts would probably nix that. Individually, none of these technical proposals make much of an impact, but each one closes up yet another loophole.

Social-side I'm not sure of what is going to make a difference. Too many countries involved with different social mores or laws (or lack thereof).

Economic sanction is possible, but currently it's easy-as-sin to joe-job your competition - so there's a high risk of false-accusations. Plus, it's easy to move the stuff off-shore and out of reach of authorities. However, as some of the technical means come into mainstream it will hopefully drive spammer costs up (having to register new domains all the time, etc.).

Haiku in the fight for spam?

[mabu]

The Habeas plan
Most ineffective effort
Ever to stop spam

(c) 2004 Mabu
ALL RIGHTS RESERVED!

Re: Here's some Haiku for Habeas.

[geminidomino]

Oops.. .forgot my linebreaks

Like a dying wind
Habeas screams to the sky
But they're still worthless


Experience says
The Habeas Haiku means
"This Message is Spam"

Habeas Haiku
To some, touching poetry
Me, I filter it.

Re:Just... make... me.... UGHRHGH!@~

[rawshark]

Maybe this would help?
The Spammer's Compendium

Look at the dates fool.

[fred87]

Main article refers to a spam attack started in 2004, your link refers to a spam attack in 2003, so i find it unlikely that they are referring to the same case unless habeus have a time machine.

Don't be foolish...

[chuckw]

It would be foolish to turn off the habeas checking in spamassassin, or otherwise filter out based on the habeas mark for 2 reasons:

1) Habeas has shown a commitment to actually *EXPEND* The resources to go after spammers. If you dimish the value of the habeas mark by filtering out email with their mark in it, then they have nothing to protect. I personally don't have time to go after spammers. Anyone who has a proven track record of winning against spammers (which habeas has) should be encouraged!

2) There is a large number of users who have added the habeas mark to their e-mail headers based on the assumption that it was a protected mark that would ensure their mail *WASN'T* filtered out. If you start filtering on that mark you *WILL* falsely filter out a lot of legitimate mail.

A previous poster named Mehu, posted an excellent solution to the problem if you're using spamassassin:

"So, rather than just add a score of 0 for HABEAS_SWE, I figured I'd give them a chance & added the following to my ~/.spamassassin/user_prefs, which takes care of the current rash:

body PHARMAWHAREHOUSE /pharmawharehouse.biz/
describe PHARMAWHAREHOUSE Link to pharmawharehouse.biz

body PHARMACOURT /pharmacourt.biz/
describe PHARMACOURT Link to pharmacourt.biz

body VALUEPOINTMEDS /valuepointmeds.biz/
describe VALUEPOINTMEDS Link to valuepointmeds.biz

score PHARMAWHAREHOUSE 10
score PHARMACOURT 10
score VALUEPOINTMEDS 10

Looking through my mail, it turns out some of my valid mail actually does contain those headers (would never have noticed them), and a few spams, even w/ the haiku headers, have been blocked by HABEAS_VIOLATOR (RBL: Has Habeas warrant mark and on Infringer List), so the company does appear to be doing its job.."

-Chuck

You mean stop the fraud

[swb]

I'm not sure how serious you are, but since even a stopped clock is right twice a day I'll have to agree at least with the literal interpretation of your posting.

If law enforcement generally were applied to the sellers of spamvertised products, spam would become far less of a menace. Most spamvertised products are prima faciae illegal (ie, you can't get prescription medications without a prescription), false advertising (a sugar pill won't give you a 12" penis) or are actually just fraud schemes to take money and not deliver a product.

Tracking down email senders is extremely difficult due to header forgery and the use of zombies and other kinds of compromised systems. But just about all spam will take a credit card, which should enable tracking of a financial trail to the sellers. If the Feds would make a RICO case out of it, they could ensnare just about anyone with their finger in the pie, including the spammers, who I'm sure would be fingered by sellers caught in the net.

A few RICO cases that put the squeeze on ISPs, banks handling their financial transactions, spammers, and most importantly, sellers and suppliers of these products would have a pretty significant effect on the whole "scam 'n' spam" business environment. I think there's probably some otherwise legitimate players (ISPs, banks) participating in this field behind the scenes, and some negative exposure in a few of these cases could close the door to a lot of "operators" who need access to the legitimate economy in order to operate.

It's pretty clear that nobody likes spam, but the fact that there have been no high-profile FBI/Treasury/Commerce investigations into some of these things really puzzles me. It may be that the investigations have been done but this angle was deemed not fruitful (doubtful), resources aren't available due to the war on terror (more likely, but not entirely credible), or political pressure has been applied by heavy corporate players to keep their shady business segments viable (somewhat conspiratorial, but believable) -- yet even these theories don't explain the lack of credible, visible efforts on the part of Federal law enforcment to crack down on internet fraud.

The latest big spam technique...

[devphil]

...is not haiku or any other kind of rearrangment of normal speech. What's pouring right through my filters are messages consisting of just a half-dozen lines of random English words. No sentences, no advertisements, no links, nothing but everyday words.

It's a fairly clever attempt to poison the Bayesian filters. Either I associate these words with spam and risk losing legit email, or I loosen things up and let more real spam slide through. It's frustrating because there's absolutely nothing I can do about it.

[insert long ranting call for vigilante bullet-to-the-head-style action here]

Most spam is already actionable

[Animats]

The FTC's study of false claims in spam has already established that most spam is legally actionable under current law. Adding a copyrighted haiku doesn't help much.

Under the CAN-SPAM act, ISPs can sue. If you read the definition of an "ISP" in the act, it's clear that a mail processing service like SpamCop would qualify. What's needed is a paid service like SpamCop that files at least one high-profile lawsuit a month, increasing to one a week as volume builds up. That would make a dent.

Large

[harlows_monkeys]

It's definitely a large spam run. These spams use forged "From" addresses, and one of the domains they are forging is owned by my employer, and all mail to non-existent addresses ends up in a mailbox I handle. It's getting 10000 bounce messages per day from these spams.

When I checked on net.admin.net-abuse.sightings, there are several hundred of these reported, and NONE of them use our domain. Checking a few at random, it looks like they are using many many many forged domains, so we are just getting the bounces from a tiny fraction of these these.