Editor's Note: These are selected messages in threads I started in alt.computer.security. These are for the brave since news group culture is a little like the wild west. Google.com has complete transcripts. Those who responded to my threads are not necessarily as foolish and uninformed as it might sometimes seem -- blame it on the news group culture.

========
Subject: ISP Assassin aka Spam Assassin
From: doctor electron
Date: Sat, 04 Jan 2003 09:34:44 -0500
Message-ID:
--------
Hello, all.

I have come across perhaps a new twist in network security threats. Rather than attempt to run harmful software through a "back-door" attack, network administrators should be alert to the possibility that unethical activities may be "installed" on the network by its operators themselves, by parties who package software attractively and convince the network operator that it is "harmless" and performs a needed task, such as "anti-spam." I describe one such apparent "front-door" attack here in this alert:

http://www.angelfire.com/space/netcensus/ispassassin.html

Please be on the lookout for other products offered to network operators which may indeed cause serious trouble for the network. Thanks. Please note any other examples of this kind of threat.

Greetings, doctor electron

========
Subject: Re: ISP Assassin aka Spam Assassin
From: doctor electron
Date: Sun, 05 Jan 2003 16:07:24 -0500
Message-ID:
--------
Long, long ago in far off alt.computer.security, xxx xxx transmitted:

[...]

Dear xxx:

A reader who does have sense! Thanks. Isn't it a little strange in this news group, particularly, how an article to alert network administrators on potential (and demonstrably actual) problems is taken as something other than what it obviously is? Ho, hum, yawn. I thought security alerts would be commonplace. Objection to such alerts does sort of wave a red flag. But meaning what?

Thanks again, for your info and good sense.

To all readers, sorry for so many replies to your welcome posts.

Greetings, doctor electron

========
Subject: Re: ISP Assassin aka Spam Assassin
From: doctor electron
Date: Sun, 05 Jan 2003 16:03:29 -0500
Message-ID:
--------
Long, long ago in far off alt.computer.security, xxx xxx transmitted:

>A page on a website constitutes publication, and as it's a free
>website, and it's a commercial defamation rather than a political
>issue I expect a strong complaint from the company would get
>it taken down pronto.

I doubt the web hosting service is as "fascist" as you might esteem concerning my simple, factual product alert and review. All Deersoft, Inc., has to do is simply provide the facts, but I have received no answer from them to date. Your scenario seems to assume that they have no defense or rebuttal and would then resort to treachery. Come on, let's give them some credit.

Greetings, doctor electron

========
Subject: Re: ISP Assassin aka Spam Assassin
From: doctor electron
Date: Sun, 05 Jan 2003 21:43:51 -0500
Message-ID:
--------
After intense interrogation under a bright light in alt.computer.security, xxx xxx finally admitted:

>My opinion is it's defamatory, read their ToS
>they also have a liability to protect.

Hi, xxx, as I said, I'm no legal expert. With all due respect, I am still waiting for what "it" in "it's" above is. My site does contain lots of data and commentary as does the article that concerns you. How about the Microsoft Excel articles? Is that defamation, too? Those are OK re your concerns?

I rather think few actually care. Or at least care enough to point out what the troubling statement(s) is/are. As far as I can see, data is presented and the description of the data pretty much conforms to what the data presents. That is what reviewers and scientists do every day. Gather data and report results. Are all such common activities libel? Your approach is novel, to be sure.

Actually, this program came to me; clearly I did not seek it out.

In the absence of any specifics, I might just assume you are a fan of that particular program, which is your right.

Regards,

Greetings, doctor electron

========
Subject: Re: ISP Assassin aka Spam Assassin
From: doctor electron
Date: Sun, 05 Jan 2003 22:12:03 -0500
Message-ID: <9frh1vg1f2s794jjqhgv9dkr27np43uiv4@4ax.com>
--------
After intense interrogation under a bright light in alt.computer.security, xxx finally admitted:

>On Sat, 4 Jan 2003, doctor electron wrote:
>
>> Hello, all.
>> I have come across perhaps a new twist in network security threats.
>> Rather than attempt to run harmful software through a "back-door"
>> attack, network administrators should be alert to the possibility that
>> unethical activities may be "installed" on the network by its
>> operators themselves, by parties who package software attractively and
>> convince the network operator that it is "harmless" and performs a
>> needed task, such as "anti-spam." I describe one such apparent
>> "front-door" attack here in this alert:
>> http://www.angelfire.com/space/netcensus/ispassassin.html
>
>Well, the quality of your research is not very good, since you don't seem
>to have noticed that it seems to be the open source version of
>SpamAssassin that marked your email as SPAM. Look at
>http://spamassassin.org

The article was not a research feature. It reported and commented on an episode. There was no research required to do that except a few hours looking at anti-spam sites and legal references for context. My thinking, for better or worse, was that extensive "research" on the legal aspects by me was pointless, since that is not my expertise. I did enough, to point the reader to issues that should be considered like telecommunications laws, TOS agreements, etc, as reported in the article. But there was no need for me to pontificate on those things per se.

>Your assertions are rather wild also:

hmmm, walk on the "wild" side, not bad; let's see....

>1. Almost every mailserver in the world modifies the headers. This is what
>SpamAssassin does.

Now this is progress. People will now learn that what mail servers do in modifying headers *and* the purpose in that, is entirely different than what SpamAssassin does -- see article. Glad to clarify that.

>2. Many mail service providers and anti-virus programs alter mail, putting
>on a tag at the end of the email advertising their services. No-one seems
>to feel that this has any great legal problems.

Me neither; but (mentioned also in the article) it is spam, right? I emailed one company that was doing this in my email, saying that I am paying for ad-free email service and not getting it. Also, their banners were ugly (at bottom, like you say). And most important for them, possibly misleading with the statement like "Your email has been checked by .... for virus content and has been cleared." I suggested that the program might allow a virus to pass and the "has been cleared" might be a troublesome description for them in that event. I even allowed that an "initial" notification that such screening was taking place did not seem unreasonable, but that such ugly and possibly misleading banners for ever was at minimum a very disappointing development. To make a long story short, the banners disappeared several days later.

>3. Your analysis shows no evidence of "unethical" actions.

No problem, if that is your view. For me, the following are unethical.

1. possible failure to warn network administrators re issues.
2. eavesdropping private mail and telecommunications.
3. tampering with, and altering the content of, same.
4. generation of spam by every definition of the word.
5. generation of libel, false accusations about innocent persons sent to others (recipients of email).
6. continuing damage to victim, by recommending that future communications from victim be blocked or treated differently than normal.
7. is that enough?

For me, one of the above is enough.

>You have no right to send email to those news organizations -- if they
>choose to delete your emails without reading them, they entirely have that

Based on false accusations of SpamAssassin? You are kidding, right?

>right. You don't know where the SpamAssassin ran and labelled the emails
>as SPAM -- if it was the news organizations own mailserver then clearly
>they are at liberty to make such judgements and modifications to emails
>they receive for the purpose of filtering the many, many emails they must
>receive.

Very good! The question of *where* the program was run. Excellent. For my article, it is not, however, a key point. It is an intermediary making false accusations about an innocent person and tampering with the private communication from that person to the intended recipient. The only relevance of *where* the program was run, ie., *who* is responsible, is in finding them to chat about it. I repeat, very good point!! Thank you.

>You sent email that may not have been SPAM, but had many
>characteristics of SPAM. Get over it!

Can I quote that? "Get over it!" I love it. Can I wiretap your phone and just tell you "Get over it"? Can I insert "not" in your email to change "I do love you" to "I do not love you"? or if the subject is "I love you" can I insert "*****JOKE*****" because I know better what you intended or what the actual truth is?

How about expanding the slogan: "Oppression. Get over it." or "Loss of Privacy: Get over it." or "Loss of contact with friends, family and business associates: Get over it." :-)

I guess your world is upside down from mine. Anyway, enjoy your world, guy. Take care and thanks for the creative input!

Greetings, doctor electron

========
Subject: Re: ISP Assassin aka Spam Assassin
From: doctor electron
Date: Sun, 05 Jan 2003 23:11:48 -0500
Message-ID: <0muh1v0n6fc93vb2v7b72boc9h52s7he4i@4ax.com>
--------
After intense interrogation under a bright light in alt.computer.security, xxx finally admitted:

>On Sun, 5 Jan 2003, doctor electron wrote:
>
>> After intense interrogation under a bright light in
>> alt.computer.security, xxx finally admitted:
>>
>> 1. possible failure to warn network administrators re issues.
>
>What "issues"? Network admins who install SpamAssassin are well aware of
>what it does -- both from the documentation and if they want to be reading
>the code.

Um, you are in the list right now. If what you say is true, then my alert feature provided no new information. So what is the concern? Are you saying that in the "what it does" Deersoft has libeled itself?

>> 2. eavesdropping private mail and telecommunications.
>
>Eavesdropping? By who? An automated process changed the email and attempted
>to deliver it to its recipient.

Fortunately, we have an answer from the web page in the spam. It says "who" -- the ISP or network administrator. So you do know the facts after all.

>> 3. tampering with, and altering the content of, same.
>Well, the alterations are pretty clear and don't change the meaning.

Man, you seem to be a dreamer. OK, let's set it up. You send all of your email through my office from now on. I change what I want, I add what I want, and to make you happy, I will write a program to do it. I will warn certain parties to consider blocking your mail in the future. Good deal. Let's set it up and see what you think... 1, 2, 3, go... Glad to hear you have no problem with that.

>> 4. generation of spam by every definition of the word.
>This is ridiculous -- either your email was SPAM to start with or it was
>never SPAM. Merely including "***SPAM**" in the subject does not make an
>email SPAM. Nothing was "generated"

Here you show you haven't even read the article you are critiquing. Golly, in school, that's like C- or D, man.

>> 5. generation of libel, false accusations about innocent persons sent
>> to others (recipients of email).
>
>There has to be a third person, it may be that the recipient's mailserver
>modified the email, thus there is no third person.

The third person is the recipient(s) and remember if SpamAssassin and its like are widely used, we may be talking about one of the largest libel operations ever launched on planet earth. Who would have dreamed such a thing would be implemented by network administrators, duh. In the case of such a program being run by the recipient, we open the floor for inputs.

>> 6. continuing damage to victim, by recommending that future
>> communications from victim be blocked or treated differently than
>> normal.
>
>What recommendation?

Gosh, it is only about ten lines long, and you missed it. Well, read it. I published the text in full. If this is a language problem, I would be glad to read it with you and discuss the text and its meaning.

>> >You have no right to send email to those news organizations -- if they
>> >choose to delete your emails without reading them, they entirely have that
>>
>> Based on false accusations of SpamAssassin? You are kidding, right?
>
>No. If you send an unsolicited email to me, I can do whatever I like with
>it.

That was not what my article was about. I thought you were writing about the article.

>> >right. You don't know where the SpamAssassin ran and labelled the emails
>> >as SPAM -- if it was the news organizations own mailserver then clearly
>> >they are at liberty to make such judgements and modifications to emails
>> >they receive for the purpose of filtering the many, many emails they must
>> >receive.
>>
>> Very good! The question of *where* the program was run. Excellent.
>> For my article, it is not, however, a key point. It is an
>> intermediary making false accusations about an innocent person and
>> tampering with the private communication from that person to the
>> intended recipient.
>
>If the recipient's mailserver modified the email then there is no
>"intermediary" -- so no possibility of libel.

Maybe, but if it is a network, the person who runs the program (responsible according to Deersoft), may be different than the recipient and there may be many thousands of recipients on that network. Dig?

>> >characteristics of SPAM. Get over it!
>>
>> Can I quote that? "Get over it!" I love it. Can I wiretap your
>> phone and just tell you "Get over it"? Can I insert "not" in your
>> email to change "I do love you" to "I do not love you"? or if the
>> subject is "I love you" can I insert "*****JOKE*****" because I know
>> better what you intended or what the actual truth is?
>
>If I send you an email you can do whatever you like with it PROVIDING YOU
>DON'T SEND IT TO ANYONE ELSE.

Yes, but off topic re your concerns about my article, which never touched on such matters.

To tell you the truth, my friend (and I don't mind if you are culturally different or disagree -- I still mean, my friend), I am struck by the total lack of concern for individual privacy, for the right of freedom of speech unfettered by censorship, for the loss of any concern about eavesdropping or the welfare of system administrators of computer networks. All there is, apparently, is smoke screens about the author of the article, which could have been anybody. The fact that automated defamation and blocking of legitimate private mail seems to be totally accepted is a wonder. Anti-spam is king. All else is gone. We will destroy our most precious values and freedoms to "fight spam." That upside down world appears to be trying to replace my right side up world.

We can do the above experiment without computers. OK? I will just stand by your mail box and all of your personal mail -- going out or coming in -- I will open and if I feel like it, I will scribble my own thoughts to deface it and put it back in the envelope and send it on its way. I will require plane fare and an honorarium for this work. We will prove to the world that there are people who just don't care about privacy and freedom of speech. Please advise, we would of course want to make this a major media event -- you know, interviews, the whole package.

Thanks for appearing to volunteer. I think such a demonstration would be very beneficial to show folks the issues involved and to help you find them (you said above you could not find them). We would want real-time interviews and TV presence. Like you might say, when I open a letter to mom, "That's OK, it's just a letter to my mom." You might get a little worried when the cameras in the background show me (or a stand-in actor) opening your love letters and scribbling nonsense in them. Hmmm. I like it. What do you think? This would be for educational purposes, of course.

Then, I think network administrators are going to (1) get noses out of source code and focus on what is relevant and (2) sit down and think about damage control. The funny thing is they may not even have records of everybody they have defamed or damaged. We are talking "hair-pulling-time." We do know, however, that falsely calling a person a spammer is in the defamation of character category. Spammers are despised almost as much as common criminals, don't you think?

Agree or disagree, let's have fun.

Greetings, doctor electron

========
Subject: Re: ISP Assassin aka Spam Assassin
From: doctor electron
Date: Mon, 06 Jan 2003 03:00:26 -0500
Message-ID:
--------
After intense interrogation under a bright light in alt.computer.security, xxx finally admitted:

>Once again, Deersoft is NOT involved here. Read the documents on
>spamassassin.org.

"See http://spamassassin.org/tag/ for more details." was in the text of the spam insertion in my email. Did you read the press release of Deersoft, Inc. re its formation? Why did Deersoft not indicate that it is not involved with SpamAssassin when I wrote in early November?

The article also states: "a program called SpamAssassin, which apparently is a product of Deersoft, Inc." So I have no problem with your assertion. Then what company is it? Why did the apparent public relations firm of Deersoft, Inc. not note that it cannot address questions about the product since it is not their product? Who knows?

>> Fortunately, we have an answer from the web page in the spam. It says
>> "who" -- the ISP or network administrator. So you do know the facts
>> after all.
>
>Since you have edited this out, we have no way to verify what you are
>saying. As I have pointed out, there is a difference between the
>recipient's administrator and an ISP. Finally, it is not a "who" but a
>"what" -- an automated process is different to a person reading the email.

No, sir, it was not edited out, but only cited since the text is on the web, right now, unless they took it down or changed it. Just look at the URL above given by SpamAssassin. So you can verify by looking at the web page, again, for clarity, http://spamassassin.org/tag/

About the "difference" you mention above, I am sure that there are many different settings and countries where this program may be used and the details of its features would have to be evaluated in those contexts. In this case, it appears that it was an ISP running the program.

The question of automated process vs person is interesting and one reader in Europe, quoted in the "view reader feedback" section next to the article, points out that the laws appear to be different in Europe. I am no expert on these legal variations, but my impression is that in U.S. law there is no such distinction. There, I think, it is the result that matters, not the technical means. See the Carnivore controversy, for example.

Actually, the data I presented shows that SpamAssassin goes beyond what Carnivore does, and yet I have not heard of any network administrator getting a court order to run the program, as the FBI seems to need, re its program Carnivore. Also, I might add that I tend to think that law enforcement is a greater priority (a point for the FBI technology) than anti-spam (a point lost by Spam Assassin). Given this juxtaposition, maybe the FBI should look at how SpamAssassin users can do what they can't do without a court order. Maybe the significance of this program is the reality that the FBI is wrong in thinking it needs court orders. :-)

So, yes, the agent (person) and the tool (program, rock, knife, gun, etc) are different. Quite often the details of the tool are irrelevant because the user of the tool is held responsible regardless of what the tool is or how exactly it works.

>> >Well, the alterations are pretty clear and don't change the meaning.
>>
>> Man, you seem to be a dreamer. OK, let's set it up. You send all of
>> your email through my office from now on. I change what I want, I add
>> what I want, and to make you happy, I will write a program to do it.
>> I will warn certain parties to consider blocking your mail in the
>> future. Good deal. Let's set it up and see what you think... 1, 2,
>> 3, go... Glad to hear you have no problem with that.
>
>If you are going to deliberately mis-interpret my posts it's not worth
>replying.

Sorry, if my reply was offensive. Simply put, I and countless others do think that the alterations "change the meaning." Inserting "*****SPAM*****" in the Subject line and before the subject text does not change the meaning? For me, it changes it about 180 degrees. Sorry if I assumed that that point was self-evident.

>Feel free to correct me, but the only "generated" email was a non-existent
>user BOUNCE. From your web page: "In one case, an out-of-service address
>resulted in return of my message in this form". Thus the only GENERATED
>email had NOTHING to do with the SPAM analysis.

I think I don't get your point here, sir. Since I don't understand, it might help just to say that some twenty emails were sent and one was returned. So I have stated that we don't know whether every email was processed in exactly the same way; however, there is evidence that the ISP on my end was running the program as I note in the letter to them that I quote in the article (this ISP are great people trying to do a good job and the last thing that should happen is any negative fallout for them -- I am squarely in their corner).

Anyway, the quoted material is there. Should it be of interest, I have the entire bounced email header and body. The body is quoted in the article and the attachment is essentially identical to what is on the web site minus the angelfire ad header. I have assumed that all of the recipients of the mail received it with the *****SPAM****** and insertions cited in my article. A further step would be to confirm that.

Summary: It appears that the spam analysis and results were done and generated on all of the email and one was returned so I could see how it was altered. Simple as that.

>According to you ANY bounced email is SPAM?

I see or know of no relationship between the two. A bounced mail, as I understand your usage, is a returned email that was not deliverable. Spam is defined all over the place including briefly on my site (feedback section).

>You have not shown that the place where the changes were made and the
>recipient were not different -- we only have to take your word about this.

My quoted email to the ISP was not responded to with a denial that they were running the program. Is that enough? I have no reason to believe in this case that it was not my ISP, but of course, as you have mentioned, there is always the chance that the recipients' networks were also running it or at least some of them. This is my word.
Obviously, it may be of interest to list all of the ISP's running various kinds of software that could be flawed.

>> Gosh, it is only about ten lines long, and you missed. Well, read it.
>> I published the text in full. If this is a language problem, I would
>> be glad to read it with you and discuss the text and its meaning.
>
>No you misread it: it's an analysis of the email and a description of why
>SpamAssassin thinks it is SPAM. It makes no recommendations about future
>emails from you.

SPAM: This mail is probably spam. The original message has been altered
SPAM: so you can recognize or block similar unwanted mail in future.

You may call the above a "recommendation" or "informational suggestion" or whatever, but its meaning is clear. The program is in effect making a twofold effort to interfere with communication by characterizing the email and pointing out that it can be blocked (which is also an ad for itself, of course). Are we clear on that now? This intrusion is extraordinary, that anyone would undertake to do such a thing in not only altering private communications but also admitting to it. Like the robber who leaves a note where he can be found.

I read those two "SPAM:..." lines as something like: "The sender of this message is unsavory and deserves to be ignored." In science, we call the defamation-generation of software like this "false positives." To simply ask victims to "bear with us" while we trample on you, because it's an "anti-spam" crusade sounds almost in the area of fanaticism.

>> That was not what my article was about. I thought you were writing
>> about the article.
>
>I was making an analogy. I assumed that you would understand such a
>concept.

You assumed right, my friend.

>You may have noticed Earthlink advertising their SPAM blocker. Do you
>think they are advertising a libel-creating service? What is the
>difference between their offering and SpamAssassin?

1. I have no idea.
2. I have no idea.

Sounds like you have yourself a project, tiger. Let us know what you find out. Good ideas, man.

I notice that "xxx" (another poster here) seems to have no ideas and no facts, nor even the wits to see that I am not the issue. Anyone can be victimized by this program (the false positives) and we could be talking about hundreds of innocent people. I hope our beloved "xxx" doesn't go after all of them looking for a piece of flesh.

What is worthy is fighting spam and doing so in an ethical manner (the old two wrongs don't make a right theory). This is not a project I was specifically "working on" although several obvious ideas come to mind and are probably already implemented in other programs. Anyway, the field needs to be looked at and the whole idea of wrapping something that can cause trouble (to say it sweetly) in a glossy wrapper and fancy label to entice system admin's into just running it.

Greetings, doctor electron

========
Subject: Re: ISP Assassin aka Spam Assassin
From: doctor electron
Date: Mon, 06 Jan 2003 19:55:57 -0500
Message-ID:
--------
After intense interrogation under a bright light in alt.computer.security, xxx finally admitted:

>> "See http://spamassassin.org/tag/ for more details." was in the text
>> of the spam insertion in my email. Did you read the press release of
>
>There is no mention of Deersoft on that page.

Dear xxx, that page is the disclaimer page I referred to. It was either somewhere at spamassassin.org (other pages) or in google search that Deersoft came up and the press release on their formation. I seem to recall (this was 2 months ago) that I myself could not see who was running this show (sourceforge was a dead end) so maybe it was the search that did the trick.

Anyway, I just received a private email from a major player among anti-spam web sites. In that email the person is well aware of Deersoft and described their role along the lines of packaging the software.
This is an additional confirmation that Deersoft is the corporate entity doing the marketing and distribution. So try a search on Deersoft, if you want, to satisfy your curiosity.

>> The article also states: "a program called SpamAssassin, which
>> apparently is a product of Deersoft, Inc." So I have no problem with
>> your assertion. Then what company is it?
>
>Have you ever heard of Open Source Software? Do you not know that much
>software is not generated by any company, but by groups of individuals
>working together towards a common goal?

I've been writing software for 30 years. Need I say more? OK re your two questions: specifically, yes and yes. And that, years ago.

>In this case, had you actually read any pages from the Deersoft site, you
>would see that Deersoft's products are derived from the OSS version of
>SpamAssassin. And since the email in question seems to have been processed
>by the OSS version of SpamAssassin, Deersoft have zero involvement with
>your issue.

Excellent, you may know more about it than Deersoft! Why didn't they or their honorable rep. Susan Lehman say that? hmmmm. Great. Your "And since the email in question..." part above deals with the version numbers? Please elaborate more specifically, if you would be so kind.

Maybe you and I can give the Deersoft people a reason to party tonight! And they would owe you, dude. Silly, they don't know their own version numbers?

Unfortunately, however, the question would immediately arise of whether Deersoft has edited out the objectionable features in SpamAssassin.

>> I have assumed that all of the
>> recipients of the mail received it with the *****SPAM****** and
>> insertions cited in my article. A further step would be to confirm
>> that.
>
>So why did you not take this important step? Once again, your lack of
>basic research is stunning.

Sorry you think so. Research develops. The article published has a beginning, middle and end and is a whole.
There are always more questions that arise from good research. So it is the half-full, half-empty situation. You are free to your view, of course. There is no implication of "lack" of research on my site, stunning or otherwise, IMHO. But you can do your "product review". If everyone waited for every last question to be answered, very little would ever be published in science or in news reporting. >> Summary: It appears that the spam analysis and results were done and >> generated on all of the email and one was returned so I could see how >> it was altered. Simple as that. > >You have no facts to base this assertion on. Let me make an alternative >suggestion: And there are no facts to contest it, either. Read: "It appears that..." >One email was processed by the company that received it (or by THEIR >ISP on their behalf) and labelled SPAM. >It was also bounced back to you BECAUSE IT WAS SENT TO AN OUT OF SERCIVE >ADDRESS NOT BECAUSE IT WAS LABELLED AS SPAM. Could be. The headers may have something there. However, it is my working hypothesis that my own ISP was running spamassassin and that the bad address was an entirely different issue (reporters at these places come and go) and the network server for the recipient did the bad address part (returning as undeliverable) as is customary. So I agree totally with your analysis that the spamassassin insertions and the delivery issues are separate. >> >You have not shown that the place where the changes were made and the >> >recipient were not different -- we only have to take your word about this. >> >> My quoted email to the ISP was not responded to with a denial that >> they were running the program. Is that enough. > >What lack of denial constitutes an agreement? How ridiculous. Why? I correspond with this person regularly. Not ridiculous at all. Why is that a crucial point anyway, xxx? If that is not enough for someone else, then they can pursue it. 
>> I have no reason to >> believe in this case that it was not my ISP, but of course, as you >> have mentioned, there is always the chance that the recipients' >> networks were also running it or at least some of them. > >No, but it might have made sense to check this before going to the effort >of creating the web page. Sorry, maybe my bad, but I don't see the relevance of where the mail intrusion took place, if you want to put it that way. That it took place is relevant and indeed the subject of the article. As mentioned from the start (the article), I believe I know where it took place. You have added other possibilities, as well. What exactly is the interest in that ... you want to know who to blame? Help me here, I am not sure why this is a key point, unless one wants to "hunt" them down to talk with them or whatever, which doesn't interest me. What does interest me are the ideas and principles involved and to foster discussion of them. If indeed it was an ISP or network admin that ran the instance of the program that did the insertions, I must say that my position is pro these people, not contra. I suspect they are fellow victims. My warning is that others may want to sue them for real money. I, however, view them as possible additional victims and would not support any unfavorable action against ISP or network admin. My stated purpose has been from the beginning to be helpful to these internet participants. Greetings, doctor electron ======== Subject: Re: ISP Assassin aka Spam Assassin From: doctor electron Date: Tue, 07 Jan 2003 02:02:44 -0500 Message-ID: -------- After intense interrogation under a bright light in alt.computer.security, xxx finally admitted: >Simple: I have installed SpamAssassin on my home mailserver (for incoming >mail only) and recognize the headers as those added by the OSS version of >SpamAssassin. 
>While this does not preclude the possibility that the
>version of SpamAssassin used was packaged and delivered by Deersoft, I
>would expect a specific mention of Deersoft if their product were used.
>The lack of any such indications in the headers supports a theory that
>Deersoft were not involved.

OK, good point. So in all the "tizzy" in some of the posts in this thread, one can see some writing style elements that are advisable, like saying "may be" not "is" and adding that magic word "apparently." I would rather hope that the issues raised would receive attention rather than a single episode I wrote about. It does seem (notice the magic words again -- "seem"?) that Deersoft is packaging this product for sale and that it may be essentially similar to the version reported in my little article.

>The crucial point here is that from my personal knowledge I can tell you
>that the inserted headers are consistent with an OSS version of
>SpamAssassin. This is not conjecture.

OK. Thanks for info.

>> Maybe you and I can give the Deersoft people a reason to party
>> tonight! And they would owe you, dude. Silly, they don't know their
>> own version numbers?
>
>Whatever Deersoft do or do not know (I have no connection with Deersoft
>and thus cannot comment on this), the version numbers and additional
>headers matched an OSS version of SpamAssassin.

Hey, it's nice to chat with a person who knows what he has and does not have -- you're a real scholar-type.

>The Deersoft people already have a reason to party tonight: they have just
>announced that the company is being bought by McAfee/Network Associates. I
>expect that they have been negotiating this deal for a few months.

I wish them well.

>I have personal experience of SpamAssassin and mailservers, I can make
>educated suggestions. I say "suggestions" because the OSS nature of
>SpamAssassin allows administrators to change the way it operates.
>
>Given that most SPAM arrives with faked "from" addresses, it would be a
>really dumb administrator who modified/configured SpamAssassin to bounce
>emails to the "sender".

Right, agreed, sound logic. It was probably just an ordinary server (not with SpamAssassin) that bounced the mail back. This is common. I just made about 4 NG posts yesterday and clicked email reply (wrongly) and of course they all came back as undeliverable... :-)

>It would seem that you would prefer to continue to make unsupported
>allegations rather than checking issues already called into question: you
>have had enough time to verify if YOUR ISP is adding the SpamAssassin
>headers since I raised the question, yet you persist in insisting that
>your theory is viable.

Well, xxx, to sort this out, the "allegations" (i.e., statements in my article) are supported by the data presented. No one has provided information that I have misrepresented anything (or have I missed it?). Why is it my responsibility to verify anything re my ISP? What theory?

Re the ISP. Well, I know the person personally and this is a very diligent, dedicated and competent individual. In various recent exchanges re internet matters, he always has replied immediately if there was a question of fact in my emails to him. Re a router bug (see my page), e.g., he replied immediately that the network in question was not his and thanked me for the info which he said he was forwarding immediately to the person in charge of the network. [I noticed the next day, the router bug was "fixed".] If this matters, send me a private email and I will give you the email address of the sys. admin. and you can ask him anything you want. He is very busy but maybe you will get a reply.

I will say additionally: 1. there is more to this whole story, partly in private email to me from various other readers. 2.
not only did the ISP person receive the email quoted in my article to him; he also received a blind copy of my first-draft of the article as sent to Deersoft, Inc. along with my query as a writer preparing this article re what disclaimers, warnings, etc apply. Thus, I would say he is reasonably well informed re the particulars here and I have no particular concern.

>Let me suggest that you post more of the bounced email for others to look
>at and analyze.

OK, it's not that long [minus the attachment which is on the web site minus the angelfire ad header.] Warning --- it's full of porn!! [ha, ha] Watch for a NEW thread starting with the words "Returned Mail..."

>> Why? I correspond with this person regularly. Not ridiculous at all.
>> Why is that a crucial point anyway, xxx? If that is not enough
>> for someone else, then they can pursue it.
>
>This is simply not worth a response.

I agree. I don't see the point at all about the ISP.

Greetings,
doctor electron

========
Subject: Re: ISP Assassin aka Spam Assassin
From: doctor electron
Date: Mon, 06 Jan 2003 20:46:29 -0500
Message-ID: <1vbk1vkmbaoipsalmbvaf0godbbudkfvlr@4ax.com>
--------
After intense interrogation under a bright light in alt.computer.security, xxx finally admitted:

>Clearly, you have no understanding, nor experience, in network
>administration.
>
>xxx

Hi, xxx, long time no see. Your comments have been raised in the thread already or on the web site and responded to. And others have already beat you to the "holier-than-thou" pitch. I hope that gives you some mileage or helps you find what you seek. But better late than never. Check out the facts, man. Take care,

Greetings,
doctor electron

========
Subject: Returned Mail re Spam Assassin Thread
From: doctor electron
Date: Tue, 07 Jan 2003 02:31:00 -0500
Message-ID:
--------
Dear xxx [yes, folks, that is a person who posts here.],

Per your request and for what it is worth, here is a copy of the returned email.
In my email program the html attachment is shown below and I snipped the bulk of the attachment since the same article is available on my site (to save NG bandwidth):

=====BEGIN RETURNED EMAIL=====
Received: from cwispsmtp3.cwisp.com.bb ([10.2.0.8]) by candwall.com with Microsoft SMTPSVC(5.5.1877.687.68); Sat, 2 Nov 2002 00:32:34 -0400
Received: from newsfactor.com [207.178.137.30] by cwispsmtp3.cwisp.com.bb (SMTPD32-7.13) id A42C305A009C; Sat, 02 Nov 2002 00:27:24 -0400
Received: (qmail 18270 invoked for bounce); 2 Nov 2002 04:27:24 -0000
Date: 2 Nov 2002 04:27:24 -0000
From: MAILER-DAEMON@newsfactor.com
To: doctorelectron@cwdom.dm
Subject: failure notice
Message-Id: <200211020027108.SM00320@newsfactor.com>
Return-Path: <>

Hi. This is the qmail-send program at newsfactor.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

:
Sorry, no mailbox here by that name.

--- Below this line is a copy of the message.

Return-Path:
Received: (qmail 18266 invoked by alias); 2 Nov 2002 04:27:23 -0000
Delivered-To: contact@technewsworld.com
Received: (qmail 18262 invoked by uid 0); 2 Nov 2002 04:27:23 -0000
Received: from doctorelectron@cwdom.dm by www.ecommercetimes.com with qmail-scanner-0.96 (. Clean.
Processed in 1.157902 secs); 02 Nov 2002 04:27:23 -0000
Received: from unknown (HELO cwispsmtp1.cwisp.local) (205.214.214.249) by 0 with SMTP; 2 Nov 2002 04:27:22 -0000
Received: from dslcust84.cwdom.dm [204.188.170.103] by cwispsmtp1.cwisp.local with ESMTP (SMTPD32-7.13) id A4256AD0110; Sat, 02 Nov 2002 00:27:17 -0400
From: Doctor Electron
To: contact@technewsworld.com
Subject: *****SPAM***** Microsoft Office Users Assess Damage
Date: Sat, 02 Nov 2002 00:28:23 -0500
Organization: Global Services
Reply-To: doctorelectron@cwdom.dm
Message-ID:
X-Mailer: Forte Agent 1.8/32.553
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--=_njo6suopor1hke8aula23l2kipnfgveke4.MFSBCHJLHS"
X-Spam-Status: Yes, hits=7.0 required=5.0 tests=SMTPD_IN_RCVD,DEAR_FRIEND,HTML_WITH_BGCOLOR,PORN_3 version=2.31
X-Spam-Flag: YES
X-Spam-Level: *******
X-Spam-Checker-Version: SpamAssassin 2.31 (devel $Id: SpamAssassin.pm,v 1.94.2.2 2002/06/20 17:20:29 hughescr Exp $)
X-Spam-Report: Detailed Report
SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably spam. The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details: (7 hits, 5 required)
SPAM: SMTPD_IN_RCVD (2.1 points) Received via SMTPD32 server (SMTPD32-n.n)
SPAM: DEAR_FRIEND (3.1 points) BODY: How dear can you be if you don't know my name?
SPAM: HTML_WITH_BGCOLOR (1.3 points) BODY: HTML mail with non-white background
SPAM: PORN_3 (0.5 points) Uses words and phrases which indicate porn (3)
SPAM:
SPAM: -------------------- End of SpamAssassin results ---------------------

----=_njo6suopor1hke8aula23l2kipnfgveke4.MFSBCHJLHS
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

Dear friends:

In the attached press release for immediate release, Net Census presents:

Microsoft Office Users Assess Damage: "Demonstrable and indisputable fact" may be scandal or industrial sabotage. (attached excelfacts.html)

You have permission to quote the press release with attribution to my pen names/aliases "Maj. Hog" or "Doctor Electron" or to my real name, [real name was here], as required by your standards. Your writers may formulate their own articles based on the information provided.

Best wishes,
[real name was here]
phone: [real phone number was here]

Greetings,
Doctor Electron
http://www.angelfire.com/space/netcensus/
keenej@cwdom.dm.

----=_njo6suopor1hke8aula23l2kipnfgveke4.MFSBCHJLHS
Content-Type: text/html; charset=us-ascii; name=excelfacts.html
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment; filename=excelfacts.html

Microsoft Office Users Assess Damage

News Press Release for immediate release -- all media

Microsoft Office Users Assess = Damage
"Demonstrable and indisputable fact" may be scandal or industrial = sabotage

by Maj. Hog

Microsoft Office users are assessing the damage after reports by ...

Copyright © 2002 Global Services

Original Publication: November 1, 2002

----=_njo6suopor1hke8aula23l2kipnfgveke4.MFSBCHJLHS--
=====END RETURNED EMAIL=====

Greetings,
doctor electron

========
Subject: Re: Returned Mail re Spam Assassin Thread
From: doctor electron
Date: Tue, 07 Jan 2003 12:38:54 -0500
Message-ID:
--------
After intense interrogation under a bright light in alt.computer.security, xxx finally admitted:

>"doctor electron" wrote in message
>news:o00l1v8q6rpg72r231flcu36cnai5i7qfu@4ax.com...
>> Dear xxx [yes, folks, that is a person who posts here.],
>>
>> Per your request and for what it is worth, here is a copy of the
>> returned email. In my email program the html attachment is shown
>> below and I snipped the bulk of the attachment since the same article
>> is available on my site (to save NG bandwidth):
>>
>
>
>So WTF you whining about?

Dear xxx,

The only whining I see is yours. Hope your good whine made you feel better. There is a line -- you may not be the only piggy squealing for a tit, as they say back home on the farm. However, we do hope that your NG experience continues to be pleasurable and satisfying and that whoever pays for the internet connection account keeps the money flowing.

Greetings,
doctor electron

========
Subject: Re: Returned Mail re Spam Assassin Thread
From: doctor electron
Date: Tue, 07 Jan 2003 18:48:53 -0500
Message-ID: <2ulm1v8v7t1emh7kjv9o89o70jqhnu8oor@4ax.com>
--------
After intense interrogation under a bright light in alt.computer.security, xxx finally admitted:

Dear xxx,

Thanks for your excellent substantive reply. I will give a few reactions/clarifications on my facts and thinking below, without snipping any of your reply. I also would like to put a URL to this post quoting your comments in full, on my site, if you don't mind.

>On Tue, 7 Jan 2003, doctor electron wrote:
>
>> Dear xxx [yes, folks, that is a person who posts here.],
>>
>> Per your request and for what it is worth, here is a copy of the
>> returned email.
>> In my email program the html attachment is shown
>> below and I snipped the bulk of the attachment since the same article
>> is available on my site (to save NG bandwidth):
>>
>
>OK, so let's go through your claims:
>1. A "third party ....had tampered with the subject". You have no evidence
>of this, only speculation. You don't know and have not taken the simple
>step of running a test to see if your own ISP is running SpamAssassin.
>Rather you have relied upon their lack of response to your question.

You are right that I have not definitively identified the third party apparently running SpamAssassin. Should it be necessary to do so, and it was my own ISP network(s), that could be established in a minute. However, I did not put it there (1st party), the recipient (2nd) party didn't put it there (your point 6 below) so that leaves "agents" for the recipient (also discussed below) or my ISP and its networks. So there is clear evidence of third party tampering, for my purposes in that article. If it were by an agent of the recipient, it is still tampering in my view, but the recipient and agent would have a right to do so as you do describe.

>2. "SpamAssassin (1) turns ordinary email into spam by inserting an
>advertisement". SpamAssassin adds HEADERS to every email it processes,
>but:
> a. These headers are not seen by most people reading the email
> b. Almost every mail server adds its own headers and using
> your logic, could be said to be creating SPAM.

Yours is the first clear statement that "SpamAssassin adds HEADERS to every email it processes." Thank you. Re 2 (b), I have posted the contrary, that changes in headers by every mail server are clearly different in both purpose and kind than those insertions by SpamAssassin. I might now add, and dramatically so. Mail servers do not evaluate message body or attachment content nor add content re the original content, etc. I am sure there would be a variety of views re 2 (a), the "not seen by most" people part.
However, my article publishes an example, so at least some will become aware of its existence and form their own opinions.

>3. "Thus, network administrators running SpamAssassin and its like will be
>busy with spam". You have provided no evidence that SpamAssassin makes
>administrators more busy handling SPAM. In fact, I know from my personal
>experience that the filtering it provides reduces my and others' time
>required to process SPAM emails.

Your assertion in 2. above, and an evaluation by readers on whether or not a reader views that as spam (it does meet accepted definitions), along with the concept that the program is the agent acting for somebody (say a network administrator), means that by definition they "will be busy with spam." I have received several other inputs praising the filtering process and this is motive to fix any problems with the implementation, e.g., the false positive rate. This latter problem is the "hard part" in profiling, if we allow that the "easy part" is up and running. Reduction, if not elimination of false positives (and negatives), usually requires more advanced techniques. Even in drug creation, a substance may "do what you want" but have side effects. The "hard part" is to remodel it to address that issue.

>4. "It is illegal in most countries to eavesdrop on private mail or
>private telecommunications. .....There may be severe penalties for users
>of SpamAssassin, since it violates these laws". You have shown no evidence
>that SpamAssassin in any way records the contents of emails so that they
>can be accessed by people other than the sender and recipient. Also,
>there is no expectation of privacy when sending emails over the Internet,
>since they are sent in clear text. It is as if you expected the contents
>of a postcard to be considered private.

I'll leave the legal details to experts, but it does seem clear that SpamAssassin "processes" every "email", according to you.
Question: can't network administrators view email on their own servers from a technical point of view (leaving aside legal or SpamAssassin issues)? The "expectation" of email privacy, or not, is widely discussed on the net and remains a concern to the general public (see, e.g., Carnivore controversy and new anti-terrorism legislation, etc). I or we have no monopoly on that angle. What is clear is that it is an issue.

>5. "It is illegal in most countries to alter the contents of private mail
>or telecommunications." As stated in point 4. Emails cannot be considered
>private. Also, as the recipient, I am perfectly at liberty to alter
>emails that are sent to me, PROVIDING that I do not re-send them to anyone
>else.

"Emails cannot be considered private" is in my view a majority opinion of informed observers of the internet and a matter of concern for the general public. Re "perfectly at liberty", of course, you are.

>Imagine I have a secretary who screens my email for me -- some goes into
>the trash, some is stamped "probably SPAM" and the remainder is put in my
>in tray. Is there an illegal activity going on here?

Not unless it is "illegal" to run an efficient office. :-)

>Now replace the secretary with an automated process that does the same.
>What illegal acts have been committed?

Ditto, your point about the automated process, when it is an agent for the recipient, is, for me, entirely valid.

>Now, I ask MY ISP to run the automated process for me. What illegal acts
>have taken place? Remember that the ISP is now acting as MY agent, not
>yours!

Ditto. You should go before a jury!! (This NG is sort of a jury!)

>6. You have also suggested in your follow-up posts that the email was
>returned to you because it was labelled as SPAM. This line in the bounced
>email clearly shows that the email was returned to you because you sent it
>to a non-existent email address:

Actually, no. There must be a misunderstanding.
In my email to Deersoft (early November) and article, it was clear to me and stated as such that the email was returned because of a non-deliverable address. Never have I stated that the insertions of SpamAssassin had anything to do with that. If something previously was not clear, there should be no mistake on this point. It is apples and oranges: two different things.

>> :
>> Sorry, no mailbox here by that name.
>
>I am surprised that you could not read this line in the bounce reply.

I did, as clearly stated previously and summarized above. This is not an issue, just routine stuff. Even if one mistypes an email address, mail may be returned; this has nothing to do with SpamAssassin. However, the fact of the return showed me what the insertions by SpamAssassin were in that instance, exactly as reported.

>7. You have repeatedly characterized your email as "private", despite the
>technical issues of privacy of any emails. Also, the email was sent to an
>email address that appears to be a generic (non-personal) address. If it is
>non-personal, then you don't know who would receive it and you cannot
>possibly consider it to be private.

The floor is open for discussion of who can consider what mail to be private. This is why the article was written to provide an example where the issues -- which deal with what people do (machines are tools) with regard to communications of other people. I call my mail "personal"; but I am not the final authority. Society will collectively work its way through these issues.

>OK, now, IF your own ISP were labelling your outgoing emails as SPAM AND
>there was no mention of this in their agreements with you as a customer,
>then you would have some valid concerns, but you have not substantiated
>none of this.

Fine. I intend the article to stimulate discussion on a whole range of issues and perhaps there is a lot of mileage there, for such a brief report of an episode. I think all these concerns are by definition valid.
The speaker who expresses a concern is the first "expert" as to whether it merits attention. As pointed out previously, there is no need for me to specifically substantiate this (although there is always the future), for the reasons indicated. My point re issues has been made according to your point above, that such a thing could happen, as it appears. If the program was run by an agent of the recipient re your comments, then the question is raised as to whether the recipient is really well informed re false positives. Otherwise, you cover well the ethical questions there.

If this is not boring, perhaps a quick example. Say I am a salesman who responds to a client's request for information on vehicles I sell. I send out an email to the potential customer who replies, "Yes, I want to buy." That reply contains a copy of my "solicited sales pitch" including, say, a html section. I never receive the email saying "I want to buy" because some program -- any program -- blocked it for any reason. Or somewhere else in the path, a program labels my solicited sales pitch as *****SPAM***** and the customer never sees what he asked for. Am I harmed? Is the customer harmed? Do I or the customer have a place to inquire as to who has the authority to do such a thing?

>Over and OUT.

Thanks, Mr. xxx, you are one neat guy.

Greetings,
doctor electron

========
Subject: Re: Returned Mail re Spam Assassin Thread
From: doctor electron
Date: Tue, 07 Jan 2003 22:06:25 -0500
Message-ID:
--------
After intense interrogation under a bright light in alt.computer.security, xxx xxx finally admitted:

Dear xxx:

>So what? If you are claiming that software is not allowed to alter
>email, then that may be your opinion, but that is all.

Mr. xxx and I just finished agreeing on the fact (not opinion) that software *is* allowed to alter email _and_ that there is a responsible person. Now you are disputing that? So what is *your* story?
Anyway, these facts will elicit the formation of a variety of opinions by observers, I suppose. Opinions participate in forming behaviors, how programs are written and so forth.

>The agent (ie the program) may be busy with spam, but the administrator
>is not. That is its purpose to relieve the recipient and the
>administrator of dealing with spam.

This and other contexts in which the program is used can be described in a variety of ways. As long as everyone understands the events that actually occur, we can talk about the same events. One use of the program is evidently the recipient and the administrator being the same person or closely related. I suspect this was not the case in the example I described because it appears that the mail appeared to have been altered first and then bounced back because of undeliverable address. Whether those two steps occurred on the same/different computer/network simply indicates that variations on this theme are possible.

BTW, Mr. xxx makes a distinction on the generic "contact@etc" in that particular email. Others in the group were addressed to specific persons known to me in the respective media organizations and the question still remains: did they receive the emails and in what form?

>Certainly false positives are a worry in any spam filtering. What more
>can one say.

Glad you say that. The "more" I have said is that the product should be polished. Gulp. I guess that's not exactly a "revelation." But there has to be a desire to do that. If what I reported is a totally freak occurrence then maybe that can be handled on a case-by-case basis. It is too early to know how bad the problem really is. I have one private email from a person that did their own personal study running SpamAssassin on their own system. This person reported numbers and was generally satisfied with the results. Those numbers might not be satisfactory for an ISP where a single case could be costly in scenarios I have described.
Whatever the case, risk is reduced if the false positives problem is reduced.

>Yes. They are expected not to unless necessary for the efficient running
>of their system. Elimination of spam could be considered a part of such
>efficient running.

Just as I thought. I wouldn't write an email server any other way. There must be somebody with access to the text of email still on the server -- say, in the case of an emergency, a search warrant, or whatever.

>Yes. That is why encryption is an option.

Incidentally, I do lots of math in work and I just wrote my own encryption system -- I think it is quite neat. I am working on another project where encryption would be used, so I said why not write a new one, so that snoopers would not have an "off-the-shelf" deciphering method, where they exist. he, he.

Greetings,
doctor electron
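
The false-positive question argued in this thread can be checked against the X-Spam-Status and X-Spam-Report values in the returned email quoted earlier. The sketch below is an added example, not part of the original posts and not SpamAssassin code: it parses those two header values (copied from the quoted email), confirms that the itemised points add up to the reported hits, and lists the rules without which the message would have stayed under the threshold. It assumes a message is tagged when hits reach or exceed `required`; the function names are this example's own.

```python
"""Added example: sanity-check a SpamAssassin 2.x verdict from its own headers."""
import re
from decimal import Decimal

# Header values copied from the returned email quoted earlier in this thread.
X_SPAM_STATUS = (
    "Yes, hits=7.0 required=5.0 "
    "tests=SMTPD_IN_RCVD,DEAR_FRIEND,HTML_WITH_BGCOLOR,PORN_3 version=2.31"
)
X_SPAM_REPORT = """\
SPAM: Content analysis details: (7 hits, 5 required)
SPAM: SMTPD_IN_RCVD (2.1 points) Received via SMTPD32 server (SMTPD32-n.n)
SPAM: DEAR_FRIEND (3.1 points) BODY: How dear can you be if you don't know my name?
SPAM: HTML_WITH_BGCOLOR (1.3 points) BODY: HTML mail with non-white background
SPAM: PORN_3 (0.5 points) Uses words and phrases which indicate porn (3)
"""

NUM = r"-?\d+(?:\.\d+)?"
STATUS_RE = re.compile(
    rf"^(Yes|No),\s+hits=({NUM})\s+required=({NUM})\s+tests=(\S*)\s+version=(\S+)$"
)
RULE_RE = re.compile(rf"^SPAM:\s+([A-Z][A-Z0-9_]*)\s+\(({NUM}) points?\)")


def parse_status(value):
    """Split an X-Spam-Status value into verdict, scores, rule names, version."""
    m = STATUS_RE.match(" ".join(value.split()))  # collapse header folding
    if not m:
        raise ValueError("unrecognised X-Spam-Status value")
    verdict, hits, required, tests, version = m.groups()
    return {
        "flagged": verdict == "Yes",
        "hits": Decimal(hits),          # Decimal keeps 7.0 - 2.1 exact
        "required": Decimal(required),
        "tests": [t for t in tests.split(",") if t],
        "version": version,
    }


def parse_report(text):
    """Return {rule_name: points} from the 'SPAM:' lines of X-Spam-Report."""
    points = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:  # banner and summary lines do not match and are skipped
            points[m.group(1)] = Decimal(m.group(2))
    return points


def analyse(status_value, report_text):
    """Cross-check status against report and find the threshold-deciding rules."""
    status = parse_status(status_value)
    points = parse_report(report_text)
    total = sum(points.values(), Decimal("0"))
    # The one-line status and the itemised report should agree; a mismatch
    # suggests the headers were truncated, edited, or come from different runs.
    consistent = (
        set(points) == set(status["tests"])
        and total == status["hits"]
        and status["flagged"] == (status["hits"] >= status["required"])
    )
    # A rule is "decisive" if removing it alone drops the score below threshold.
    decisive = [r for r, p in points.items()
                if status["hits"] - p < status["required"]]
    return {
        "consistent": consistent,
        "margin": status["hits"] - status["required"],
        "decisive": decisive,
    }


if __name__ == "__main__":
    result = analyse(X_SPAM_STATUS, X_SPAM_REPORT)
    print("headers consistent:", result["consistent"])
    print("margin over threshold:", result["margin"])
    print("decisive rules:", ", ".join(result["decisive"]))
```

On the quoted message the decisive rules are SMTPD_IN_RCVD and DEAR_FRIEND. The report describes the first as matching an SMTPD32 Received line, and in the quoted headers those lines were written by the relays (SMTPD32-7.13), not by the sender's mail program.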