News Press Release for immediate release -- all media

ISP Assassin a.k.a. Spam Assassin
A wolf in sheep's clothing exploiting anti-spam sentiment?

by Doctor Electron

Editor's note: In researching this article, a wealth of information was found on anti-spam efforts and almost nothing on the rights of email users. This report focuses on this neglected area.

Anti-spam efforts must be worthy, since wolves in sheep's clothing are appearing to exploit the gullible. One such case may be the computer program for network administrators called SpamAssassin(tm). This program purports to be a "mail filter to identify spam," but it actually turns the mail network into a spam generator and the administrator running it into a spammer. Thus, SpamAssassin may be a prototype for exploiting, for financial gain, the anti-spam sentiment among ISPs and other network administrators.

What does SpamAssassin actually do? Far from "fighting spam," SpamAssassin (1) turns ordinary email into spam by inserting an advertisement for itself in the email and (2) may further alter ordinary email by inserting "SPAM" in the Subject line. Thus, network administrators running SpamAssassin and its like will be busy with spam, whether or not spammers are attacking their networks, because SpamAssassin will generate spam all by itself.

If this is not enough, SpamAssassin also automates defamation by manufacturing false accusations about innocent email users and emailing the defamation to others. SpamAssassin would be the right choice for ISPs and network administrators where the legal department is bored. Just click "run," generate defamation and watch the lawsuits roll in. Although not yet observed by the author, programs like SpamAssassin may also block or reject user email, further violating user communications.

Furthermore, it appears that network users of SpamAssassin are not warned about these automated spam-generation and defamation-generation features or the privacy and legal issues involved in the kind of snooping in private email that SpamAssassin implements.

How does the author know this? Here is the story.

As an established researcher in three fields -- neuroscience, psychology and computer science -- I have sometimes sent press releases to major media outlets concerning work that might be of public interest.

Imagine my surprise to find that a recent technical press release distributed to media was labeled as pornographic spam by a program called SpamAssassin, which apparently is a product of Deersoft, Inc.

Reduction and elimination of spam email is widely accepted as a good cause. I am on record as an opponent of spam and have conducted research and published on this subject previously.

Much like the case of feeding starving children, however, there may be unscrupulous fund raisers who will take in money in the name of starving children, and not one penny feeds any child. SpamAssassin may garner sympathy because it purports to help in a worthy cause. Who will this program help and who will it hurt? Let us look at the facts.

This press release was sent by email to some 18 media houses, such as CNN, the Wall Street Journal, Associated Press, Reuters and United Press International and other wire services and web sites specializing in technology news. In one case, an out-of-service address resulted in return of my message in this form:

--- Below this line is a copy of the message.
...snip...
Subject: *****SPAM***** Microsoft Office Users Assess Damage

Incredibly, a third party, the ISP using SpamAssassin, had tampered with the subject content of my message by the ugly insertion of "*****SPAM*****." Count them: ten asterisks and "spam" is shouted in all capital letters.

The following content was also added to my private email:

X-Spam-Status: Yes, hits=7.0 required=5.0
	tests=SMTPD_IN_RCVD,DEAR_FRIEND,HTML_WITH_BGCOLOR,PORN_3
	version=2.31
X-Spam-Flag: YES
X-Spam-Level: *******
X-Spam-Checker-Version: SpamAssassin 2.31 (devel $Id:
SpamAssassin.pm,v 1.94.2.2 2002/06/20 17:20:29 hughescr Exp $)
X-Spam-Report: Detailed Report
  SPAM: -------------------- Start SpamAssassin results----------------------
  SPAM: This mail is probably spam.  The original message has been altered
  SPAM: so you can recognize or block similar unwanted mail in future.
  SPAM: See http://spamassassin.org/tag/ for more details.
  SPAM: 
  SPAM: Content analysis details:   (7 hits, 5 required)
  SPAM: SMTPD_IN_RCVD      (2.1 points)  Received via SMTPD32 server (SMTPD32-n.n)
  SPAM: DEAR_FRIEND        (3.1 points)  BODY: How dear can you be if you don't know my name?
  SPAM: HTML_WITH_BGCOLOR  (1.3 points)  BODY: HTML mail with non-white background
  SPAM: PORN_3             (0.5 points)  Uses words and phrases which indicate porn (3)
  SPAM: 
  SPAM: -------------------- End of SpamAssassin results

I immediately emailed the ISP comments, which are now quoted in part:

Subject: Very Serious Problem with SpamAssassin
From: Doctor Electron
Date: Sat, 02 Nov 2002 00:55:35 -0500

Dear [blanked out]:
As you know, I oppose spam and support efforts to reduce it. Tonight I found a very serious problem. I was sending an ordinary press release to news outlets which was labeled as SPAM by your program. I went to the web site and they say it is the ISP that chooses to use this.

You will note below what is the equivalent of slander and defamation -- an extremely serious problem for [ISP name]. If any of those emails reached the addressees with the false claims of SpamAssassin concerning my actions, then this is slander and defamation as my real name is used in the emails. I do not plan legal action (I'm a sweet guy); but others could take [ISP name] to court and without doubt would win. Look below. My real name appears with false charges about my actions to a third party. Ask any lawyer -- that is slander and defamation. I am your friend, but the next customer may see this as an easy way to sue [ISP name] and pick up some easy money.

My real name appears twice in the cover letter for the press release as follows:

Dear friends:
In the attached press release for immediate release, Net Census presents:

Microsoft Office Users Assess Damage: "Demonstrable and indisputable fact" may be scandal or industrial sabotage. (attached excelfacts.html)

You have permission to quote the press release with attribution to my pen names/aliases "Maj. Hog" or "Doctor Electron" or to my real name, [real name here], as required by your standards. Your writers may formulate their own articles based on the information provided.
Best wishes, [real name here]
phone: [real phone number here]

Notice how the above text is rife with pornography. At least, maybe you see it, because I don't see it. If it turns you on, OK. The text of the press release can be viewed on the Net Census web site. No need to look at it if you seek pornography; there isn't any.

Now that we have seen how lawsuits against network users of SpamAssassin might be provoked, let us look at the web site cited above by SpamAssassin itself. In the email above which was corrupted by SpamAssassin, the web site listed appears to wash its hands of any responsibility for use of this software.

It is true that bored system administrators might get many thrills wondering, "Who will I defame today and to whom?" How about defaming an internationally known researcher to the top media outlets of the world? Maybe worth a thrill, if the ISP has very deep pockets. And how about Deersoft, Inc.? Does this mean I am going to be the new chairman of the board? Do they really have no product liability?

How does Deersoft, Inc., warn ISPs and network administrators about the liabilities of running SpamAssassin and similar programs? I asked and to date have no reply to the question. Here are the warnings that might be appropriate:

*****WARNING*****WARNING*****WARNING*****WARNING
1. It is illegal in most countries to eavesdrop on private mail or private telecommunications. It is illegal even for law enforcement agencies to eavesdrop on private mail or private telecommunications, except in cases where a court has issued a specific order for a specific time period signed by a judge. There may be severe penalties for users of SpamAssassin, since it violates these laws.

In the U.S., even the FBI must obtain a court order to look at just the headers of private email. If you do not have a specific court order, you may be subject to arrest or stiff fines.

2. It is illegal in most countries to alter the contents of private mail or telecommunications. Be aware that SpamAssassin admittedly and demonstrably violates these laws as well.

3. SpamAssassin is known to mislabel legitimate email as "spam," "porn" or the like. Thus, users of SpamAssassin may be subject to civil lawsuits for slander and defamation, where the user of the program makes false accusations about an innocent person which are then sent via email to other parties. What SpamAssassin does meets the legal requirements to file and most likely win slander and defamation lawsuits against users of this software.

4. Considering items #1 to #3 above, it is not anticipated that users of SpamAssassin would have any legitimate argument or defense and courts may reasonably be expected to "throw the book" at offenders. For ISP users of SpamAssassin, this might mean bankruptcy if judges impose stiff fines as punitive damages for the brazen disregard for established principles regarding the privacy and sanctity of mail and telecommunications and numerous state, federal or national laws.

5. Before running this software, users are strongly urged to consult legal authorities in their jurisdictions, and if necessary, establish a sufficient budget for legal expenses, posting bail bond and paying fines.
*****WARNING*****WARNING*****WARNING*****WARNING

So what do you think? ISP Assassin or SpamAssassin? Considering the above, it might appear that ISP Assassin might have been a better name for this software and its like. [Remember those virus-checking programs that added ad banners defacing your email and turning it into spam?]

Although moral and ethical issues related to privacy and freedom of personal communications such as email remain, it should be noted that some telecommunications laws do allow telephone companies to examine the contents of certain transmissions for purposes such as maintenance. Also, the Terms of Service (TOS) agreements accepted by network users may include terms where users do waive some or all privacy rights. Further, for private networks, e.g., in businesses, employees may not enjoy privacy rights in email sent over company networks.

While the foregoing points may well cover the kinds of warnings to SpamAssassin users that may be sufficient and satisfactory, I personally maintain that SpamAssassin and programs like it are intrinsically unethical. I emailed the substance of this article to Deersoft, Inc. and the only reply was:

To: freepress@myrealbox.com
Subject: RE: ISP Assassin a.k.a. Spam Assassin
From: "Susan Lehman" susan@lehco.com
Date: Mon, 4 Nov 2002 13:47:54 -0800

Hello,

Can you tell me what publication you are writing for and when you expect
your article to appear?

Thank you,

Susan Lehman

I further raised my questions with Susan Lehman, who is apparently a key person in a public relations firm serving Deersoft, Inc., and hence, SpamAssassin. The lack of any substantive initial reply from Deersoft, Inc., or later reply from Ms. Lehman, suggests that both the facts and their interpretation above are uncontested. If so, then SpamAssassin should be revised to remove the snooping in emails and the spam- and defamation-generation features. The internet world has enough spam without SpamAssassin adding to the problem while it purports to be anti-spam. However, it may be that the only way to implement the required revisions in SpamAssassin would be to delete it completely.

Copyright © 2002 Global Services

Original Publication: December 23, 2002
