READER FEEDBACK ON SPAM ASSASSIN ALERT
Updated Jan. 9, 2003

To participate, please send comments to jamesjkeene@gmail.com. Thanks.

[Editor's Note: a recent post by "whoever" in alt.computer.security (look for Subject with "Spam Assassin") has stated that SpamAssassin inserts its text in all email it processes and argued that the person who runs the program is a responsible party. These two threads also provide further commentary by me and others on the topic. Some even see a simple incident report with questions and commentary like mine as "libelous". It might be interesting reading.]

[Editor's note:] "ISP Assassin aka Spam Assassin" is a warning-alert article to protect the interests of system administrators and internet users. I have started to sort through some reader feedback on this alert article. For example:

=====

>I am a system administrator, ...
>I was quite puzzled by your article, which seems to show that you did not
>really understand what happened nor exactly how spam assassin works.

Having read your entire email, I see that you in fact present no data to support your perceptions on both counts, "did not really understand" and "how" the program works. That's why my article was written -- to educate. Re the "how," I was writing (artificial) intelligent, profiling, automation and telecommunications programs 25-30 years ago, and nice guy that I am, I did not mention in my article how amateurish SpamAssassin appears to be, judged by the outputs I saw. I do not have the source code so it is just the published data I saw.

>Spam assassin automatically processes all email passing through a given
>computer according to a set of rules defined by the site's administrator.
>The principle is as follows: most spam can be identified by some
>characteristics. For example messages starting with 'dear friend' or
>subjects starting with 'friend,' or html-based email rather than regular,
>standard, text-only email.

Need I say more -- re amateurish? Most newbies use html, not the more "advanced" email you and I use which is plain text. I have no statistical data (which a professional job on this would have compiled and presented) saying that "dear friend" correlation with "spam" is anything but zero. For "correlation" please consult an elementary statistics book, if needed.

>Some keywords also can be used, and so on.
>
>The method SpamAssassin uses is: each message goes through all the 'rules'
>or 'filters' defined by the sysadmin.
>Each time a rule triggers positive results, points are awarded to the message.
>At the end, all points are totalled, and if a preset (by the admin) figure
>is reached, the message is classified as spam.
>
>so, here are a few important things to understand:

The foregoing was obvious to me, and contains nothing to provide any foundation for your unwarranted inferences in your paragraph above. I am not "angered" (see below), but your making unwarranted inferences regarding an author of an article about a program which makes unwarranted inferences is sort of interesting, isn't it?

>- SpamAssassin does not _generate_ spam. it merely tries to identify it

In my opinion it does and most probably turns ALL email into spam if it indeed inserts its ad-like banner in every email. You know about the program -- please answer that, does it? -- In every piece of email? Programs like this may be major players in the spam generation pest field. Please consult web references which define spam, an unsolicited commercial email. Other aspects include "stealing" user bandwidth and hard drive space. Another applicable spam feature is the large number of copies that are sent. The Spam Assassin version of spam is particularly reprehensible since it inserts spam in non-spam email. What a tricky backdoor way to get spam distributed. This is also an ugly and malicious defacement of private email.

>- SpamAssassin does not 'snoop' emails. It's all machine-processing, no
>human intervention on a per message basis

It may be a matter of definition, for sure, but it not only "snoops" emails, by the data I presented, the descriptions by Deersoft, and your comments above, it appears that every character of private mail is looked at. It remains to be seen if this is only unethical and a scandal or is outright illegal, depending on factors described in my article. The fact that it is automated is one of the more scary parts. Wouldn't all wiretappers and telecommunication corruptors like to automate their mischief? The fact that a program is used does not in the least remove responsibility from its users or creators. It is like the rock used to break a window in a robbery; the Judge doesn't buy the argument that "the rock did it."

>- The setting of the rules, filters and points ratios takes some time to
>set up, your message may have crossed a server which was not (yet) properly
>configured

Not an excuse for defamation of character and violation of privacy in telecommunications. Tell the judge your server was misconfigured. He/she will reply that at the prison you will find lots of fellow prisoners whose things were "misconfigured." Basically, that is irrelevant. Plus, the total absence of any reply from Deersoft or Lehman is curious. Perhaps they want to stonewall; that's OK. Perhaps they are exempt from norms and laws that apply to the rest of us. However, their silence just makes the product liability case stronger for those who have suffered damage at the hands of SpamAssassin. In a world of reason one might expect a flurry of damage control measures by ISPs who have used SpamAssassin. They might not know who they have defamed and almost comically, neither may the defamation victims know ... yet. Gosh, the fallout could go on and on as people discover, perhaps as I did or from recipients of tampered email who write back, "Hey, did you know that....?" Defamation is not a walk in the park -- and some twenty counts of defamation?

>Also, don't get me wrong but I must say I was a bit shocked by the
>aggressive and even contemptuous tone of your article.

Well, sorry about that, it is called "investigative reporting." SpamAssassin found me, and abused my privacy and did the defamation, etc, and perhaps that is worthy of contempt. There are the good guys and bad guys -- SpamAssassin did a self-categorization in that regard.

>It somehow gave me the impression of something written by someone angered,
>as opposed to a well thought-out article.

It was just that abuse of email users and system administrators should be posted on the net. We should further list other abusive programs. Sorry, when the wolves want to eat the sheep, I do tend to raise my hand and say, "Excuse me." Why did Deersoft have no reply? If they thought there was any problem with my first-draft text they could have told me and provided data a month before the publication -- I waited some six-seven weeks. So you may be trying to defend people who themselves may know that they have no defense. I do have scheduled an editorial to go with the feature article I have already written. There seems to be a void on the net re rights of users and system administrators in the anti-spam area -- almost like, reduce spam at any cost and no matter how unethical or even illegal the method, or how many innocent people are trampled. It's outrageous, really, especially, as pointed out above, when the program itself appears to be so amateurish.

>You really should not take that incident as a personal attack (as in 'that
>sysadmin labelled my email as spam') but rather as a technical error that
>can be corrected.

Defamation is not defined by me. Wiretapping is not defined by me. Tampering with and falsifying of private communications is not defined by me. Get the facts.

>Spam is a real problem, and getting worse everyday. Please support people
>that actually try to do something against it.

I do and I have researched and reported on that subject before. My article does "fight spam" as this program is an automated spam generator on top of all of its other apparently immoral activities. Since publication, neither Deersoft nor Lehman has said "peep." Get the picture? In effect, they have spoken loudly -- that there is no rebuttal for this article. If there is, I would probably post it on my site or include it in a revised article, etc. You have added no such material either. So where is it? So far, there is none, and my conclusions about SpamAssassin remain uncontested.

=====

Dear reader,

The point is to notify the public, email users and ISP and network administrators that this product appears to compromise their systems and integrity and pocketbook, and as such appears to be essentially a "front-door" attack on the systems and their operators. Being a friend to ISPs and internet users, it was a moral responsibility to point out the facts in my SpamAssassin alert.

>Just a couple things I wanted to point out:
>
>1) I live in europe, and automated processing of email is regarded very
>differently from manual inspection here.
>(to make a long story short - the first is no snooping or illegal, while
>the latter is :p Plus, YMMV from european country to european country)

OK, the Carnivore program of the FBI is automated and requires a court order to run and is less invasive than SpamAssassin. I would not be surprised if SpamAssassin users in the U.S. are in for a very rude awakening as these facts become known. That is why my article is a warning to good reputable people who may have been "taken in" by this flawed product with an "anti-spam" label. I read the press release on the formation of Deersoft, Inc. The company, investor and the programmer(s) appear to be in bed together, my friend.

>2) spamassassin is an open source product, which means that
>- you can get the source code from www.spamassassin.org

Then, why as a free-lance writer seeking answers from Deersoft, Inc, do I get nothing? Is the public relations firm just a "front"? Not even a "press kit"? My intentions were pure. I waited at least six weeks *after* the article was written before publishing. I would not be surprised if those people have gone underground.

>- Deersoft should answer, but it's a pity to defame spamassassin because of
>Deersoft. By all means post to the spamassassin list or boards, and you
>_should_ have positive feedback

Check your dictionary -- defame. If there is any false statement in my article, no one has pointed it out yet. My article contains no defamation whatsoever. It is an alert to ISPs re a program that could cause them serious trouble.

>- the spamassassin project's people should be made aware of Deersoft's
>attitude, as it gives them bad press. Nobody is in better position than you
>to discuss this with them. Send them the URL for the article. simple.

Along with your recommendation above. My first input will be: get your head out of text editors for your code for a few minutes and look at the real world. You appear to be coding a "crime toolbox", duh, and Deersoft is washing its hands of any responsibility. Are you being "used" by commercial interests? Is the real motive to disrupt networks? Networks can go down when their operators are in jail and their hard drives are in the police evidence locker, don't you think?

>note that getting feedback directly from spamassassin may take some time as
>it is a project made by volunteers, and they as such do not have the end
>user support resources a commercial company can afford. (erm, even if the
>deersoft unresponsiveness leads to assume the contrary ;-)

I am not a user of this "attack-from-the-front" product.

>3) It would be a great thing indeed if you could make the spamassassin
>project makers benefit from your experience in IA-based filtering!
>All it takes is you joining their project, and committing some time to it :p

As you can see, I am quite open and sharing. All they have to do is ask. Hell, I have taught graduate school level courses in advanced statistics and published a number of articles using profiling and multi-variate statistical pattern analysis in peer-reviewed journals. But I am not the issue. Have the SpamAssassin people done anything to halt the damage (particularly the spamming and defamation) which endangers ISPs with their misguided effort, as described in the article?

>Again, thanks for your time, controversial as it may be it's great
>discussing this with you :)

No problem. As a sysadmin yourself, watch out for these front-door attack programs with glossy web sites, artwork and wrapping. In general, if malicious people want "in" on your network, and don't want to hack passwords, etc, what better route than to convince you to use their program voluntarily! Neat scam. Whether Deersoft is a total scam or just seemingly misguided or inept people remains to be seen; but regardless, people should be warned and take precautions. You are free to post in those discussion groups that you know and referred to above, quotes from my email reply so people can become better informed and perhaps stay out of the trouble that SpamAssassin may cause them. I do not believe, as your arguments favoring SpamAssassin might suggest, that most network administrators want to increase spam on their networks or to become spammers and defamers themselves. Thus, my alert article would be in agreement with the goals of the vast majority of system administrators.

Take care,

Greetings,
Doctor Electron
Net Census, http://www.angelfire.com/space/netcensus/

Copyright 2002 Global Services
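The rule/points/threshold scheme the correspondent describes (every rule runs, each rule that fires adds points, and the total is compared with an administrator-chosen figure), together with his remark about a server that was "not (yet) properly configured", as an added example in Python. This is illustrative code written for this page, not SpamAssassin's code; the rule names, point values, the two thresholds and the three sample messages are all constructed for the demonstration.

```python
"""Score-based mail classification of the kind described in the quoted reply:
every rule runs, each firing rule adds points, and the total is compared
against an administrator-chosen threshold. Added example, not SpamAssassin
code; rules, points, thresholds and sample mail are all constructed here."""
import re
from dataclasses import dataclass
from email import message_from_string
from email.message import Message
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    points: float
    test: Callable[[Message], bool]


def _body(msg: Message) -> str:
    payload = msg.get_payload(decode=True)
    return (payload or b"").decode("utf-8", "replace")


# Constructed rule set mirroring the heuristics named in the quoted text
# ("dear friend", subject "friend", html-only mail, keywords); the point
# values are illustrative, not SpamAssassin's.
RULES: List[Rule] = [
    Rule("DEAR_FRIEND", 2.0,
         lambda m: _body(m).lstrip().lower().startswith("dear friend")),
    Rule("SUBJ_FRIEND", 1.0,
         lambda m: (m.get("Subject") or "").lower().startswith("friend")),
    Rule("HTML_ONLY", 1.5,
         lambda m: m.get_content_type() == "text/html"),
    Rule("MONEY_PHRASES", 2.5,
         lambda m: re.search(r"\b(free money|click here|act now)\b",
                             _body(m), re.I) is not None),
]


def score(msg: Message, rules: List[Rule] = RULES) -> Tuple[float, List[str]]:
    """Run every rule; return the summed points and the names that fired."""
    hits = [r for r in rules if r.test(msg)]
    return sum(r.points for r in hits), [r.name for r in hits]


def classify(raw: str, threshold: float,
             rules: List[Rule] = RULES) -> Dict[str, object]:
    """Parse one RFC 822 message and decide spam / not spam at `threshold`."""
    total, hits = score(message_from_string(raw), rules)
    return {"score": total, "hits": hits, "spam": total >= threshold}


# Constructed sample mail: two legitimate messages and one obvious spam.
HAM_TEXT = (
    "From: alice@example.com\nSubject: Meeting notes\n"
    "Content-Type: text/plain\n\nHi Bob, here are the notes from today.\n")
HAM_NEWSLETTER = (
    "From: library@example.org\nSubject: Friends of the Library newsletter\n"
    "Content-Type: text/html\n\n"
    "Dear friends of the library,<br>the spring book sale is on Saturday.\n")
SPAM = (
    "From: nobody@example.net\nSubject: Friend, free money for you\n"
    "Content-Type: text/html\n\n"
    "Dear friend, click here for free money! Act now.\n")
CORPUS: List[Tuple[str, bool]] = [
    (HAM_TEXT, False), (HAM_NEWSLETTER, False), (SPAM, True)]


def false_positives(threshold: float) -> int:
    """Legitimate messages the rule set would label spam at this threshold."""
    return sum(1 for raw, is_spam in CORPUS
               if not is_spam and classify(raw, threshold)["spam"])


def missed_spam(threshold: float) -> int:
    """Spam messages the rule set would let through at this threshold."""
    return sum(1 for raw, is_spam in CORPUS
               if is_spam and not classify(raw, threshold)["spam"])


if __name__ == "__main__":
    # A too-low threshold flags the legitimate HTML newsletter; 5.0 does not.
    for threshold in (4.0, 5.0):
        print(f"threshold {threshold}: false positives={false_positives(threshold)}, "
              f"missed spam={missed_spam(threshold)}")
        for raw, _ in CORPUS:
            print("  ", classify(raw, threshold))
```

With the constructed rules, the newsletter scores 4.5 (it begins "Dear friends", its subject begins "Friend" and it is HTML), so a threshold of 4.0 marks it spam while 5.0 does not; the obvious spam scores 7.0 either way. The false-positive count over a sample of known-good mail is the figure an administrator should look at before choosing a threshold, which is the "properly configured" step the quoted reply alludes to.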