scarville

Whitelisted Spammer?


Recently a user complained that he was getting emails from newsmax.com he never signed up for. After a bit of searching I found that Newsmax publishes polls and requires you enter an email to have your opinion recorded. I verified with the user that he had filled out just such a poll.

The poll sounded suspicious so I located one and answered using a throwaway address. Sure enough I started getting "News Alerts" several times a day. However, Newsmax seemed like a legitimate site so I used the unsubscribe link but was not removed from the list. I tried it two more times just to be sure. That failure, to me, makes them spammers so I started reporting them via SpamCop.

Reviewing a few reports I saw there was a strange (to me) listing for accredit.habeas.com which looks like a whitelist.

8.28.94.215 not listed in dnsbl.njabl.org ( 127.0.0.8 )

8.28.94.215 not listed in dnsbl.njabl.org ( 127.0.0.9 )

8.28.94.215 not listed in cbl.abuseat.org

8.28.94.215 not listed in dnsbl.sorbs.net

8.28.94.215 listed in accredit.habeas.com ( 1 ) <============

8.28.94.215 not listed in plus.bondedsender.org

8.28.94.215 not listed in iadb.isipp.com

I am not a big fan of whitelisting and only use it as a last resort. Consequently, I've not paid a lot of attention to how the publicly available whitelists operate. Is the above whitelist legitimate? A quick search on Google certainly makes it look legitimate but if a spammer can use it, I have my doubts.


No idea how to interpret habeas response codes. For 8.28.94.215 -

C:\Documents and Settings\Admin>nslookup 215.94.28.8.accredit.habeas.com 8.8.8.8

Server: google-public-dns-a.google.com

Address: 8.8.8.8

Non-authoritative answer:

Name: 215.94.28.8.accredit.habeas.com

Address: 127.0.0.50

C:\Documents and Settings\Admin>

127.0.0.50 means what?? I see from

...Habeas accredits personal email, transaction-based email (non-bulk email tied to a specific online transaction, such as a purchase), closed-loop confirmed opt in (COI) bulk email, opt-in (OI) bulk email, bulk email from servers known to Habeas and vouched for, and bulk email from listed servers that Habeas does not vouch for, returning different response codes for each type of email. Many (although not all) of those codes should guarantee that email from a listed server is not spam.
- there is evidently some scope for "accredited" spam. That makes it hard to know when a complaint to complaints[at]habeas.com is justified. But I think there should be habeas headers in any message from a "non-spam" habeas accredited source (vague memory, I could be wrong) which probably indicate the complaints process to be followed when the sender breaches the terms of the accreditation.

The Habeas Safelist is primarily an e-mail marketing tool, we can't expect it to have an anti-spam focus.


No idea how to interpret habeas response codes. For 8.28.94.215 -

127.0.0.50 means what??

According to SpamAssassin

Habeas Accredited Senders

Last octet of the returned A record indicates the Habeas-assigned

"Permission Level" of the Sender.

10 to 39 Personal, transactional, and Confirmed Opt In

40 to 59 Secure referrals and Single Opt In

60 to 99 Checked but not accredited by Habeas.

The first range is HABEAS_ACCREDITED_COI

The second is HABEAS_ACCREDITED_SOI

The third is HABEAS_CHECKED

They are scored:

score HABEAS_ACCREDITED_COI 0 -8.0 0 -8.0

score HABEAS_ACCREDITED_SOI 0 -4.3 0 -4.3

score HABEAS_CHECKED 0 -0.2 0 -0.2

So it is obvious that SpamAssassin trusts them.

The Habeas Safelist is primarily an e-mail marketing tool, we can't expect it to have an anti-spam focus

True. I am just curious about it now that I see email I would identify as spam being OKed because of it.

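Added example, not part of the thread and not SpamAssassin's own code: a small Python sketch of the lookup discussed above, building the reversed-octet query name and mapping the last octet of the answer to the rule names and scores quoted in the post. The function names and the `SAMPLE_ANSWERS` stand-in resolver are assumptions made for illustration; the only answer it holds is the one from the nslookup output earlier in the thread.

```python
import ipaddress

# Permission-level ranges and scores as quoted from SpamAssassin in the thread.
HABEAS_LEVELS = [
    (range(10, 40), "HABEAS_ACCREDITED_COI", -8.0),
    (range(40, 60), "HABEAS_ACCREDITED_SOI", -4.3),
    (range(60, 100), "HABEAS_CHECKED", -0.2),
]

def query_name(ip, zone="accredit.habeas.com"):
    """Build the DNS name to look up: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def classify(answer):
    """Map a returned A record to (rule, score); None if it is not a
    recognised permission level."""
    if answer is None:  # NXDOMAIN: sender is not on the list
        return None
    try:
        octets = ipaddress.IPv4Address(answer).packed
    except ValueError:
        return None
    if octets[:3] != b"\x7f\x00\x00":
        # Not a 127.0.0.x list answer, e.g. a resolver that rewrites NXDOMAIN.
        # Treating it as a whitelist hit would wrongly lower the spam score.
        return None
    for levels, rule, score in HABEAS_LEVELS:
        if octets[3] in levels:
            return rule, score
    return None

def check(ip, resolve):
    """resolve: any callable taking a name and returning an A record or None."""
    return classify(resolve(query_name(ip)))

# Constructed stand-in for a DNS resolver so the example runs offline.
SAMPLE_ANSWERS = {"215.94.28.8.accredit.habeas.com": "127.0.0.50"}

if __name__ == "__main__":
    print(query_name("8.28.94.215"))
    print(check("8.28.94.215", SAMPLE_ANSWERS.get))
```
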

Thanks for the info - not sure if the dodgy referral process and failure to honour multiple unsubscribe requests (may depend on time-frame) constitutes a breach of accreditation terms but from here it sure sounds like it ought to. I would start with the complaints to Habeas if I were you. Nothing wrong with SA scoring, necessarily, just with (lack of) Habeas compliance, would be my take on it.

I had an unsolicited contact from what looked like a reputable IT applications firm just now - gave them the benefit of the doubt and simply deleted it (no unsubscribe) but they won't want to do it again anytime soon or else... Habeas accreditation was not involved in that one but it could be that reputable companies are stepping over the line just a little more than previously. Just an impression. All that Google "data mining" has to be showing some effects, going somewhere? The kids companies are hiring for the marketing work might need some "training". Scandalously slim evidence for such thoughts and I'm seeing a bit of an uptick in spam to my accounts, anyway.


As I said, I am not a fan of whitelisting but I can understand why SpamAssassin might use it to reduce false positives. I've had a few requests to whitelist addresses here because they were being labeled as spam.

My first unsubscribe request to Newsmax was about three weeks ago and I waited about a week before I started reporting them to SpamCop. That seemed more than long enough to respond. Interestingly enough, I haven't received a single email from them since I posted my original question yesterday and the unsubscribe page linked in emails forwarded to me by a user has changed. Maybe in response to complaints forwarded by SpamCop? That would be nice.

