Habeas spam - cPanel exim allows them in!!!

Discussion in 'E-mail Discussions' started by sehh, Sep 18, 2009.

  1. sehh

    There is a known "accredited" spam known as "Habeas" which was originally its own spammer company and now has been taken over by another spammer known as Return Mail.

    Unfortunately, these guys have infiltrated SpamAssassin and cPanel/WHM in some way, and their spam, instead of having a high rating, gets negative ratings and can bypass our minimum spam score (usually set to 5.0).

    Check this out:

    HABEAS_ACCREDITED_COI -8.0
    HABEAS_ACCREDITED_SOI -4.3
    HABEAS_CHECKED -0.2

    wow, -8 or -4.3 points to the spam score!!!

    We noticed this by accident when spam started coming through because of this, as can be seen below:

    -4.3 HABEAS_ACCREDITED_SOI RBL: Habeas Accredited Opt-In or Better
    [208.75.168.167 listed in sa-accredit.habeas.com]

    We managed to fix it in all our servers by editing /etc/mail/spamassassin/local.cf and adding:

    score HABEAS_ACCREDITED_COI 15
    score HABEAS_ACCREDITED_SOI 15
    score HABEAS_CHECKED 15
     
    #1 sehh, Sep 18, 2009
    Last edited: Sep 21, 2009
  2. chrish.

    So out of curiosity, before I go any further, where did you read that Habeas was originally its own "spammer company"?
     
  3. chrish.

    Just to add to my last post

    Habeas is a legitimate entity, basically a known whitelist of people who follow certain guidelines for sending email. It functions no differently from a CA trust - when you see a cert from Verisign, you know that at the very least somebody has paid for the cert and met a few basic criteria when you connect to them via SSL. This is no different - people have to meet certain criteria to be on that list, and pay for it as well.

    A list of the criteria involved can be found here:

    Email Optimization for Senders: Improve Email Reputation with Return Path

    If you're seeing legitimate spam missed as a result of the Habeas checks, and the entity is genuinely whitelisted (as opposed to, for example, having a misbehaving DNS server that reports every host as being listed), realistically Habeas (or whoever runs them nowadays) needs to be notified of it.

    This is a reasonably widely utilized service, and its list is viewed as a whitelist not only by SpamAssassin, but a number of the reputable big name commercial anti-spam vendors.

    Its list isn't maintained by SpamAssassin. SpamAssassin uses it and scores it as such

    a) because it's been widely recognized as a functional method for avoiding false positives, one that numerous other vendors utilize

    b) because the corpus of e-mail they use for training their scoring system shows this rule triggering almost exclusively in ham, and virtually never in spam

    If it is causing you to miss spam, the correct mitigation is

    - adjust the scores as you have, but rather than causing it to have a *positive* weighting as you have done, the score should negate the check completely, with a net score of zero.

    - get the spam messages reported to the people who run Habeas nowadays for review, so that they can see about potentially delisting the offending host until they clean up their act


    There is no infiltration of cPanel, SpamAssassin, nor anyone else. It is far more likely one of the hosts utilizing that service unknowingly became compromised and as a result was being used as a spam generator.

    And again, it isn't a spamming company - it is an entity virtually every commercial anti-spam vendor considers legitimate.
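
Added example, not part of the thread or of SpamAssassin itself: a small Python model of the two `local.cf` overrides discussed above (the posted `15` and the suggested `0`), applied to two constructed messages. The default rule scores and the 5.0 threshold are the ones quoted in the thread; the sample messages and their non-Habeas point totals are assumptions made for illustration.

```python
import re

# Default scores as quoted in the first post of the thread.
HABEAS_DEFAULTS = {
    "HABEAS_ACCREDITED_COI": -8.0,
    "HABEAS_ACCREDITED_SOI": -4.3,
    "HABEAS_CHECKED": -0.2,
}
REQUIRED = 5.0  # the minimum spam score mentioned in the thread

# Handles the single-score form "score RULE N" used in the thread.
SCORE_LINE = re.compile(r"^\s*score\s+(\S+)\s+(-?\d+(?:\.\d+)?)\s*$")

def parse_local_cf(text):
    """Return {rule: score} for each 'score RULE N' line, ignoring comments."""
    overrides = {}
    for line in text.splitlines():
        m = SCORE_LINE.match(line.split("#", 1)[0])
        if m:
            overrides[m.group(1)] = float(m.group(2))
    return overrides

def classify(other_points, habeas_hits, overrides):
    """Total a message's score and compare it with the required threshold."""
    scores = {**HABEAS_DEFAULTS, **overrides}
    total = round(other_points + sum(scores[r] for r in habeas_hits), 1)
    return total, total >= REQUIRED

# The override posted in the thread, and the same rules set to zero.
POSTED = "\n".join(f"score {r} 15" for r in HABEAS_DEFAULTS)
NEUTRAL = "\n".join(f"score {r} 0" for r in HABEAS_DEFAULTS)
POLICIES = {"default": "", "posted (15)": POSTED, "neutral (0)": NEUTRAL}

# Constructed samples: (points from all non-Habeas rules, Habeas rules hit).
SAMPLES = {
    "spam via listed host": (7.1, ["HABEAS_ACCREDITED_SOI"]),
    "opt-in newsletter": (1.2, ["HABEAS_ACCREDITED_COI"]),
}

def compare():
    """Return {policy: {sample: (total, flagged_as_spam)}}."""
    return {
        name: {s: classify(pts, hits, parse_local_cf(cf))
               for s, (pts, hits) in SAMPLES.items()}
        for name, cf in POLICIES.items()
    }

if __name__ == "__main__":
    for policy, results in compare().items():
        for sample, (total, spam) in results.items():
            print(f"{policy:12} {sample:22} {total:6.1f} {'SPAM' if spam else 'ham'}")
```

With these constructed inputs, both overrides catch the spam that the default scores let through, but only the `15` override also flags the opt-in newsletter, since it turns a listing into a 15-point penalty on its own.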
     