ben moretti on Fri, 14 Feb 2003 05:01:01 +0100 (CET)



[Nettime-bold] at last a use for haiku (was: Re: <nettime> spamfree-full digest [arrest x2, guderian, cramer, hwang, jett])


# on the spam discussion, a company called habeas is using a copyrighted haiku 
# in combination with some email client plug-ins as an email 'authenticity' 
# validation mechanism. this excerpt below is from TidBITS#661/06-Jan-03,
# without permission. ben

http://www.tidbits.com/tb-issues/TidBITS-661.html#lnk2

TidBITS Using Habeas Headers

 by Adam C. Engst <ace@tidbits.com>

The spam pandemic has grown to epic proportions. In 2002, I received over 
23,000 spam messages (about 35 percent of my mail), and that's even after 
employing the Mail Abuse Prevention System RBL+ realtime blackhole list and a 
handful of other conservative server-side spam filters on our primary mail 
server. There's no question that my address is both older (it hasn't changed 
since I switched away from the UUCP style <ace@tidbits.uucp>) and more widely 
published than most, but my exposure generally means I'm just ahead of the 
curve. If you're not getting a lot of spam now, you're both lucky and living 
on borrowed time.


<http://mail-abuse.org/rbl/>
<http://www.eudora.co.nz/eimsfilters.html>


Think Positive -- Nevertheless, although I don't see the amount of spam 
dropping for a while yet, I think we've turned the corner in developing the 
basic concepts that will eliminate most spam from our lives - at least when 
those concepts are intelligently combined and implemented. These concepts 
include so-called Bayesian filtering, which attempts to predict the 
likelihood that a message is spam by the frequencies with which certain words 
occur; whitelists, which allow mail through only when it comes from people 
from whom you've received legitimate mail in the past; and challenge/response 
systems, which require that new senders authenticate themselves before their 
mail reaches you. Also potentially useful deterrents are the various U.S. 
state anti-spam laws and the lawsuits against spammers they make possible; 
well-run blackhole lists that let mail servers refuse to accept connections 
from other mail servers that have been compromised by spammers; and the 
combination of proper default settings and network administrator education 
that has cut down on the number of open relays for spammers to exploit.


<http://www.paulgraham.com/spam.html>
<http://www-106.ibm.com/developerworks/linux/library/l-spamf.html>


Note that I explicitly do not include arbitrary server-side content filtering 
in that list of potentially useful approaches to controlling spam. Creating 
server-side filters that reject mail based on the inclusion of a word or two 
merely because the administrator has seen those words in spam is more 
damaging to the overall utility of email than spam itself. Geoff Duncan 
brought this problem to light with "Email Filtering: Killing the Killer App" 
back in TidBITS-637; that article triggered widespread coverage in mainstream 
media outlets such as the New York Times, the Newhouse News Service, and 
more.


<http://db.tidbits.com/getbits.acgi?tbart=06866>
<http://db.tidbits.com/getbits.acgi?tbart=06869>
<http://www.nytimes.com/2002/07/15/technology/15SPAM.html>


Our efforts at educating the public to the dangers of arbitrary content 
filters certainly don't hurt, but the problem continues. Our recent gift 
issue was rejected by one mail server (which will undoubtedly do so again 
with this issue) because the word "cows" appeared in the text. (Ironically, 
it wasn't even in relation to the worthy Heifer Project charity, but to a 
comment about the game Tropico.) In an effort to avoid losing subscribers 
when these content filter rejections trigger our bounce automation, we've 
taken to trying to switch impacted subscribers to the announcement version of 
TidBITS, which is much more likely to slip past content filters purely on the 
basis of containing many fewer words.


Cue Habeas -- There's one more new tool that we've just started to employ. A 
new company called Habeas, started by TidBITS author Dan Kohn, has come up 
with "sender warranted email." The idea is that, with the addition of nine 
specific header lines to your messages, you can warrant that your outgoing 
email is not spam. ISPs, email providers, spam filters, and even individual 
recipients can then trust that any incoming message that contains Habeas 
headers is legitimate.


<http://www.habeas.com/>


Here's what the Habeas headers look like.

 X-Habeas-SWE-1: winter into spring
 X-Habeas-SWE-2: brightly anticipated
 X-Habeas-SWE-3: like Habeas SWE (tm)
 X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
 X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
 X-Habeas-SWE-6: email in exchange for a license for this Habeas
 X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
 X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
 X-Habeas-SWE-9: mark in spam to <http://www.habeas.com/report/>.

"But but but...," I can hear you saying. "What prevents spammers from simply 
adding the Habeas headers to spam as well?" Nothing. Well, except for the 
thousandweight of lawyers that Habeas plans to drop on anyone who does so, 
basing such lawsuits on both copyright and trademark law. Habeas can do this 
because the Habeas headers include a copyrighted three-line haiku and several 
trademarks. In addition, Habeas will add any infringers to a DNS-based 
blacklist that doesn't suffer from some of the legal problems that have 
plagued other blacklists.


I'm waiting with bated breath to see how Habeas handles the first infringers. 
My experience with suing a spammer under the Washington State anti-spam law 
wasn't great because I couldn't expend the money, time, and effort to carry 
the suit through to the most satisfactory conclusion. In contrast, Habeas has 
venture capital and significant incentive to make examples of infringers, so 
they're likely to have a better chance of running the spammers to ground and 
extracting financial penalties from them. By basing the protection on 
copyright and trademark law, Habeas avoids the many variations on state 
anti-spam laws and doesn't have to wait for federal legislation that may be 
too little and is already too late. Plus, international copyright law offers 
similar protections everywhere but Afghanistan, Bhutan, Ethiopia, Iran, Iraq, 
Nepal, Oman, San Marino, Tonga, and Yemen. On the collection side, Habeas 
plans to turn spammers over to the collection agency Dun & Bradstreet for 
maximum extraction.


<http://db.tidbits.com/getbits.acgi?tbser=1167>


Although there are some high-profile spammers who are making very real money 
at spam (but are stupid enough to give their real names in interviews, 
opening themselves up to real world harassment from furious spam victims), I 
doubt Habeas will end up making significant money from successful lawsuits. 
Most spammers simply don't have deep pockets. However, Habeas does earn money 
from licensing the Habeas headers to businesses. Licenses are free for 
individuals and ISPs that warrant that all their email is not spam; other 
companies pay $200 per year for a license unless their business revolves 
around sending verified opt-in commercial email, at which point the license 
is based on the number of recipients.


<http://www.habeas.com/services/swe.htm>


Practical Habeas -- From a user's standpoint, you need to know two things 
about Habeas: how to add Habeas headers to your email messages (remember, 
it's free for individuals) and how to filter Habeas warranted messages. The 
details vary significantly with the software you use for email, but Habeas 
has developed instructions and plug-ins for many common pieces of email 
software (it's just a matter of dropping a plug-in into the appropriate 
folder with Eudora, for instance), and they're happy to post user-submitted 
instructions for additional programs. Also, many email programs hide unusual 
headers by default, and for those programs that don't, Habeas also offers 
instructions for hiding the Habeas headers so you don't have to look at them 
in every message.


<http://www.habeas.com/support/install.htm>


What are we hoping to get out of adding Habeas headers to our mailing lists? 
Quite simply, less damage due to errant spam filters. Habeas is working with 
many of the vendors of server-side spam filters to encourage them to 
whitelist Habeas compliant messages, and we hope that anyone who has gone to 
the effort of rolling their own spam filters will do the same to reduce the 
incidence of false positive spam identification. I encourage everyone who's 
concerned about spam to sign up for a free individual Habeas license, and for 
anyone working on anti-spam tools, make sure your tools whitelist Habeas 
compliant messages as well.


There's no question that the use of Habeas headers will not eliminate the spam 
problem overnight, but when combined with the other tools and techniques that 
have started to appear, it should make a difference.


 PayBITS: Want to support TidBITS in our ongoing fight against
 spam? Consider supporting TidBITS by contributing via Kagi!
 <http://www.tidbits.com/about/support/contributors.html>
 Read more about PayBITS: <http://www.tidbits.com/paybits/>


-- 
ben moretti
bmoretti@chariot.net.au
http://www.chariot.net.au/~bmoretti
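
Added example, not part of the forwarded article and not Habeas's own code: one way a home-grown filter could whitelist on the mark while still honouring the DNS-based infringer list the article mentions. The `is_listed` lookup, the sample message and the IP addresses are constructed assumptions; the page does not name the blacklist zone, so the lookup is left to the caller.

```python
from email import message_from_string

# Header text as quoted in the article (whitespace is normalized before comparing).
HABEAS = [
    "winter into spring",
    "brightly anticipated",
    "like Habeas SWE (tm)",
    "Copyright 2002 Habeas (tm)",
    "Sender Warranted Email (SWE) (tm). The sender of this",
    "email in exchange for a license for this Habeas",
    "warrant mark warrants that this is a Habeas Compliant",
    "Message (HCM) and not spam. Please report use of this",
    "mark in spam to <http://www.habeas.com/report/>.",
]

def has_habeas_mark(msg):
    """True only if all nine X-Habeas-SWE-n headers appear once with the exact text."""
    for n, expected in enumerate(HABEAS, start=1):
        values = msg.get_all(f"X-Habeas-SWE-{n}", [])
        if len(values) != 1 or " ".join(values[0].split()) != expected:
            return False
    return True

def classify(raw, peer_ip, is_listed):
    """Return 'whitelist', 'infringer' or 'unmarked' for one raw message.

    is_listed is a caller-supplied lookup (hypothetical) standing in for the
    DNS-based infringer list; the mark alone proves nothing, since anyone
    can copy the headers.
    """
    msg = message_from_string(raw)
    if not has_habeas_mark(msg):
        return "unmarked"    # partial or altered mark earns no trust
    if is_listed(peer_ip):
        return "infringer"   # mark present, but the sender is on the list
    return "whitelist"

def sample(count=9):
    """Constructed test message carrying the first `count` Habeas headers."""
    lines = ["From: a@example.org", "Subject: test"]
    lines += [f"X-Habeas-SWE-{i}: {t}" for i, t in enumerate(HABEAS[:count], 1)]
    return "\n".join(lines) + "\n\nbody\n"

LISTED = {"192.0.2.25"}  # constructed infringer list (documentation-range address)

if __name__ == "__main__":
    print(classify(sample(), "198.51.100.7", LISTED.__contains__))
    print(classify(sample(), "192.0.2.25", LISTED.__contains__))
    print(classify(sample(8), "198.51.100.7", LISTED.__contains__))
```

A message classified `unmarked` or `infringer` should fall through to the filter's normal scoring rather than being rejected on this check alone.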
