[Dshield] Bogus Habeas header in emails, thwarting spam software

Yevette Maurer yevettem at gsmt.com
Mon Jan 19 19:31:44 GMT 2004

Hello all. I was not originally going to forward this email announcement that
I received from MDaemon - but then I did a little investigating, and found
hundreds of these SPAM emails in our mail server. (Check for "Habeas" in the
header) All of which made it through SpamAssassin. We have corrected the
problem, and hopefully we will not be seeing any more of these. What will
they think of next?



Recently, the HABEAS service (www.habeas.com), which is designed to certify
non-spam email messages, has come under attack and is being used by spammers
in an illegal fashion.  HABEAS works by inserting special email headers
inside messages which certify their legitimacy, and such messages are scored
by MDaemon as being legitimate.

Some spammers have figured out how to forge the HABEAS headers and have
begun inserting them into their spam messages.  To counteract this threat,
perform the following steps as noted in our Knowledge Base Article #



The following is from Habeas:

Habeas Responds to Spammer Violation of Habeas Warrant Mark 

Habeas, the leading provider of emailer reputation services, has recently
come under attack from an as yet unidentified spammer. The spammer is
illegally utilizing the Habeas Warrant Mark in emails which are promoting
websites such as pharmawharehouse.biz, pharmacourt.biz and
valuepointmeds.biz which are sites promoting or selling prescription drugs.
The attack began on Sunday January 11, 2004 at about 11am PT. 

Habeas is aggressively pursuing this incident to stop this illegal
mailstream and to utilize the Habeas legal tools at our disposal to punish
the responsible spammer for copyright and trademark violation. We are
tracking down the identity of the spammer for further action. 

"This is a blatant and unacceptable misuse of the Habeas Warrant Mark - it
will not go unaddressed. We've stopped spammers before and now we'll do it
again," said Des Cahill, Habeas CEO. "It is interesting that this spam
attack appears to be originating from a distributed set of zombie cable/DSL
modems that someone likely took over in a past virus attack. It just
illustrates the lengths the spammers will go to, including taking on Habeas'
proven legal capabilities, to distribute their spam. We are very pleased
with the timeliness and volume of spam reports we've received regarding this
incident: it affirms that the Habeas system is working and our mail
community support remains strong. This spammer has made a poor choice in
infringing the Habeas Warrant Mark." 

Habeas has begun systematically adding the IP addresses of the hundreds of
compromised PCs sending this spam to the Habeas Infringers List (HIL).
Access to the HIL (aka Habeas Blacklist) is free, with details available at
http://www.habeas.com/supportBlackList.html. All recent versions of
SpamAssassin configured with network checks "on" automatically query the HIL
when receiving an email containing the Habeas Warrant Mark. Adding the IP
addresses to the HIL should not impact the legitimate mailing activities of
the owners of the compromised PCs. 

Des Cahill
Habeas, Inc 
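
The audit suggested at the top of this post (look for "Habeas" in the headers) combined with the blocklist lookup described in the Habeas statement, as an added example that is not part of the original post and is not MDaemon, SpamAssassin or Habeas code. The zone name is a placeholder, and the sample messages, header value and listed address are constructed; the header name X-Habeas-SWE-1 is not given on the page and is used here only as sample input.

```python
import re
from email import message_from_string

HIL_ZONE = "hil.example.invalid"  # placeholder: the page does not name the real zone

# Constructed sample messages (not real traffic); IPs are documentation ranges.
SAMPLES = [
    "Received: from a (unknown [192.0.2.15]) by mx.example.org; Mon, 12 Jan 2004 10:00:00 -0800\n"
    "X-Habeas-SWE-1: constructed placeholder value\nSubject: cheap meds\n\nbody\n",
    "Received: from b (unknown [198.51.100.7]) by mx.example.org; Mon, 12 Jan 2004 10:05:00 -0800\n"
    "X-Habeas-SWE-1: constructed placeholder value\nSubject: newsletter\n\nbody\n",
    "Received: from c (unknown [192.0.2.15]) by mx.example.org; Mon, 12 Jan 2004 10:06:00 -0800\n"
    "Subject: no mark here\n\nbody\n",
]
# Constructed stand-in for the blocklist: query names that would resolve.
CONSTRUCTED_LISTED = {"15.2.0.192." + HIL_ZONE}

def habeas_headers(msg):
    """Names of headers that mention Habeas (case-insensitive)."""
    return [name for name in msg.keys() if "habeas" in name.lower()]

def relay_ip(msg):
    """IP our own server recorded for the connecting client (topmost Received)."""
    received = msg.get_all("Received") or []
    match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0]) if received else None
    return match.group(1) if match else None

def dnsbl_name(ip, zone=HIL_ZONE):
    """DNSBL convention: reversed octets prepended to the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def audit(raw_messages, is_listed):
    """Return (subject, relay_ip, verdict) for every message carrying the mark."""
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        if not habeas_headers(msg):
            continue  # no mark, so the mark cannot have influenced scoring
        ip = relay_ip(msg)
        if ip is None:
            verdict = "no-relay-ip"
        elif is_listed(dnsbl_name(ip)):
            verdict = "listed"   # mark present, sender on the infringers list
        else:
            verdict = "review"   # mark present but unverified: do not trust it alone
        findings.append((msg["Subject"], ip, verdict))
    return findings

if __name__ == "__main__":
    for row in audit(SAMPLES, CONSTRUCTED_LISTED.__contains__):
        print(row)
```

Against a live mail store, `is_listed` would be a DNS A-record lookup of the generated name in the real list's zone instead of the constructed set.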

