Re: ANNOUNCE: Apache SpamAssassin 3.4.3 available
On 12 Dec 2019, at 11:36, sebb wrote:

> Please don't ever use HTML for announce mails.

One might as well say "Please don't ever top-post."

Kevin's announcement message was multipart/alternative with a text/plain part first. As superfluous as the text/html part was, this style of mail is the default format generated by the MUAs used by the vast majority of users.

> They are more likely to be treated as spam -- as this one was

If you are using SpamAssassin and don't locally rescore HTML_MESSAGE or make it a sub-rule of a meta-rule with a significant score, that is simply not true. Using the default SA ruleset & scores, that message scored -6.0, i.e. definitely not spam.

If you are using some other spam detection tool which considers the mere existence of a text/html part in a multipart/alternative message to be a significant indicator of spam, that bug should be discussed with that broken tool's developer(s).

If you simply have made a personal decision to treat such mail as spam, as it is absolutely your right to decide, you should be reconciled by now to the fact that a lot of legitimate mail sent by people who will never switch to sending pure text/plain mail is misidentified by your chosen configuration.

> -- and so may be overlooked by the moderators.

This mailing list is not moderated.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: ANNOUNCE: Apache SpamAssassin 3.4.3 available
Kevin A. McGrail wrote on 2019-12-12 18:54:

> It is only old school people like us that even know how to send text only, heh.

https://www.boredpanda.com/this-privacy-tech-company-decided-to-make-posters-for-its-holiday-party-and-the-results-are-hilarious/

don't worry, be happy
Re: ANNOUNCE: Apache SpamAssassin 3.4.3 available
Interesting though who told you that html was more spammy because the data doesn't back that up. Multipart html with text alternative will usually score lower because like 99% of the mail flow looks like that.

It is only old school people like us that even know how to send text only, heh.

On Thu, Dec 12, 2019, 11:36 sebb wrote:

> Please don't ever use HTML for announce mails.
>
> They are more likely to be treated as spam -- as this one was -- and so
> may be overlooked by the moderators.
>
> Thanks.
> S.
Re: ANNOUNCE: Apache SpamAssassin 3.4.3 available
Please don't ever use HTML for announce mails.

They are more likely to be treated as spam -- as this one was -- and so may be overlooked by the moderators.

Thanks.
S.
[SECURITY] Apache SpamAssassin v3.4.3 released with fix for CVE-2019-12420
Apache SpamAssassin 3.4.3 was recently released [1], and fixes an issue of security note where a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.

Thanks to Joran Dirk Greef, Ronomon, Cape Town for reporting the issue.

This issue has been assigned CVE id CVE-2019-12420 [2]

To contact the Apache SpamAssassin security team, please e-mail security at spamassassin.apache.org. For more information about Apache SpamAssassin, visit the http://spamassassin.apache.org/ web site.

Apache SpamAssassin Security Team

[1]: https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-12420

--
Kevin A. McGrail
kmcgr...@apache.org
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
[SECURITY] Apache SpamAssassin v3.4.3 released with fix for CVE-2018-11805
Apache SpamAssassin 3.4.3 was recently released [1], and fixes an issue of security note where nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf files from trusted places.

This issue has been assigned CVE id CVE-2018-11805 [2]

To contact the Apache SpamAssassin security team, please e-mail security at spamassassin.apache.org. For more information about Apache SpamAssassin, visit the http://spamassassin.apache.org/ web site.

Apache SpamAssassin Security Team

[1]: https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11805

--
Kevin A. McGrail
kmcgr...@apache.org
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
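A review step that supports the advisory's advice to take .cf files only from trusted places, as an added example that is not part of the original mail or of SpamAssassin itself: it lists the active loadplugin/tryplugin directives in a config text, which are the lines sa-update comments out unless plugins are explicitly allowed. It does not detect the CVE-2018-11805 issue itself, whose details are not given on this page. The sample file, the allow-list policy and the name Example::Unknown::Plugin are constructed assumptions.

```python
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List, Optional

# loadplugin/tryplugin are the directives that make SpamAssassin load Perl
# plugin code; an optional second argument names the .pm file to load.
PLUGIN_RE = re.compile(r"^\s*(loadplugin|tryplugin)\s+(\S+)(?:\s+(\S+))?\s*$")
COMMENT_RE = re.compile(r"(?<!\\)#.*$")  # '#' starts a comment unless escaped


@dataclass
class Finding:
    source: str
    lineno: int
    directive: str
    module: str
    path: Optional[str]  # explicit .pm path, if one was given
    approved: bool


def audit_cf(text: str, source: str, allowed: Iterable[str]) -> List[Finding]:
    """Return every active plugin-loading directive found in one config text."""
    allowed = set(allowed)
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = PLUGIN_RE.match(COMMENT_RE.sub("", raw))
        if not m:
            continue  # rules, scores and commented-out directives are skipped
        directive, module, path = m.groups()
        # Local policy (assumption): approve a module only when it is on the
        # allow-list and is not loaded from an explicit file path.
        approved = module in allowed and path is None
        findings.append(Finding(source, lineno, directive, module, path, approved))
    return findings


def audit_tree(root: str, allowed: Iterable[str]) -> List[Finding]:
    """Audit every .cf and .pre file below root, e.g. an unpacked channel."""
    allowed = set(allowed)
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix in (".cf", ".pre"):
            findings += audit_cf(p.read_text(errors="replace"), str(p), allowed)
    return findings


# Constructed sample of a third-party .cf file (not real channel content).
SAMPLE_CF = """\
# constructed third-party channel file
body  LOCAL_DEMO_RULE  /example phrase/
score LOCAL_DEMO_RULE  0.1
# loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro
loadplugin Mail::SpamAssassin::Plugin::DNSEval
tryplugin  Example::Unknown::Plugin /tmp/unknown.pm   # hypothetical name and path
"""
ALLOWED = {"Mail::SpamAssassin::Plugin::DNSEval"}  # assumed local allow-list

if __name__ == "__main__":
    for f in audit_cf(SAMPLE_CF, "sample.cf", ALLOWED):
        status = "ok" if f.approved else "REVIEW"
        print(f"{status:6} {f.source}:{f.lineno} {f.directive} {f.module} {f.path or ''}")
```
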
[Bug 7727] New Plugin TesseractOcr
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7727

--- Comment #11 from spamassas...@arcsin.de ---

> https://mail-archives.apache.org/mod_mbox/spamassassin-users/201912.mbox/browser

Should have been
https://mail-archives.apache.org/mod_mbox/spamassassin-users/201912.mbox/%3Cc29b2b71-436e-89f2-41ca-48dee7d0289a%40netcore.co.in%3E

--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7727] New Plugin TesseractOcr
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7727

spamassas...@arcsin.de changed:

    What |Removed |Added
    -----+--------+-----------------------
    CC   |        |spamassas...@arcsin.de

--- Comment #10 from spamassas...@arcsin.de ---

This thread has been mentioned on the users mailing list, so I gave the second attached version a try.

0. I like the idea to provide a more general approach of passing recognized text back to SA.

1. There is a call to cleanup() where it should be clean_up().

2. There is a call to kill_pid() which is undefined.

3. Some tests:

3.1: I trained a bayes database from a personal ham and a spam corpus without TesseractOcr. Then I compared the classification of enabled vs disabled TesseractOcr.

3.1.1. A run against the sample provided in [1]:
3.1.1.1. Without ocr it hits BAYES_40.
3.1.1.2. With ocr it hits BAYES_50 and additionally FUZZY_BROWSER.

3.1.2. A run against a current "Deutsche Burger werden reich" sample:
3.1.2.1. Without ocr it hits BAYES_99/BAYES_999.
3.1.2.2. With ocr it hits BAYES_95 and provides nothing additional, so the total score actually decreased.

3.2: I trained a new bayes database from the same corpora with TesseractOcr and made the same quick tests.

3.2.1. A run against the sample provided in [1] provided same results as in 3.1.1.

3.2.2. A run against a current "Deutsche Burger werden reich" sample provides identical test results, i.e. the bayes scores match. This is good, as one can improve the situation with custom rules.

So my takeaway is that one should probably retrain bayes.

[1] https://mail-archives.apache.org/mod_mbox/spamassassin-users/201912.mbox/browser
ANNOUNCE: Apache SpamAssassin 3.4.3 available
On behalf of the Apache SpamAssassin Project, I am proud to share the release notes for Apache SpamAssassin v3.4.3. -KAM

Release Notes -- Apache SpamAssassin -- Version 3.4.3

Introduction
------------

Apache SpamAssassin 3.4.3 contains numerous tweaks and bug fixes as we prepare to move to version 4.0.0 with better, native UTF-8 handling.

There are a number of functional patches, improvements as well as security reasons to upgrade to 3.4.3. In this release, there are bug fixes for two CVEs.

*** On March 1, 2020, we will stop publishing rulesets with SHA-1 signatures. If you do not update to 3.4.2 or later, you will be stuck at the last ruleset with SHA-1 signatures. ***

Many thanks to the committers, contributors, rule testers, mass checkers, and code testers who have made this release possible.

Happy Birthday
--------------

Apache SpamAssassin turned 18 on September 5th, 2019.

Now in its 18th year, 15 of which as an Apache project, SpamAssassin is the world's most popular email anti-spam platform. Apache SpamAssassin can be used on a wide variety of email systems including Postfix, procmail, qmail, sendmail, and more.

It serves as the spam-filtering and detection solution for numerous ISPs and hosting providers, and is integrated in commercial software including Plesk, cPanel, Vesta Control Panel, and many others.

SpamAssassin was originally created by Justin Mason, who had maintained a number of patches against an earlier program named filter.plx by Mark Jeftovic, which began in August 1997. Mason rewrote all of Jeftovic's code from scratch and uploaded the resulting codebase to SourceForge on April 20, 2001. SpamAssassin entered the Apache Incubator in December 2003 and graduated as an Apache Top-Level Project in June 2004.

Notable features:
=================

New plugins
-----------

There is 1 new plugin added with this release:

    # OLEVBMacro - Detects both OLE macros and VB code inside Office documents
    #
    # It tries to discern between safe and malicious code but due to the threat
    # macros present to security, many places block these type of documents
    # outright.
    #
    # For this plugin to work, Archive::Zip and IO::String modules are required.
    # loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro

This plugin is disabled by default. To enable, uncomment the loadplugin configuration options in file v343.pre, or add it to some local .pre file such as local.pre.

Notable changes
---------------

Safer and faster scanning of large emails using body_part_scan_size and rawbody_part_scan_size settings.

New tflag "nosubject" for 'body' rules, to stop matching the Subject header which is part of the body text.

Two CVE security bug fixes are included in this release:

    CVE-2019-12420 for Multipart Denial of Service Vulnerability

    CVE-2018-11805 for nefarious CF files can be configured to run system commands without any output or errors.

Security updates include deprecation of the unsafe sa-update '--allowplugins' option, which now prints a warning that '--reallyallowplugins' is required to use it.

New configuration options
-------------------------

A new subjprefix keyword used to add a prefix to the subject of the email if a rule is matched.

A new template tag _SUBJPREFIX_ that maps to the subject prefix that has been added by the subjprefix keyword.

A new template tag _SUBTESTSCOLLAPSED(,)_ that maps to subtests that hit with duplicated rules collapsed.

A config option rbl_headers has been added to DNSEval plugin, this option is used to specify in which headers check_rbl_headers should check for content used to query the specified rbl.

A new check_rbl_ns_from function has been added to check the dns server of the from addrs domain name against a specific rbl.

A new check_rbl_rcvd function has been added to check all received headers domains or ip addresses against a specific rbl.

New options have been added to the check_hashbl_emails function; it is now possible to specify in which headers the function should check for content used to query the specified rbl and an acl to filter the email addresses the rule should apply.

A new check_hashbl_bodyre function has been added, it is now possible to search body for matching regexp and query the string captured against the specified rbl.

A new check_hashbl_uris function has been added, it is now possible to match uris in email's body and query the uris against the specified rbl.

Notable Internal changes
------------------------

None noted.

Other updates
-------------

None noted.

Optimizations
-------------

None noted.

Downloading and availability
----------------------------

Downloads are available from:

https://spamassassin.apache.org/downloads.cgi

sha256sum of archive files:

    a5b8fde50e468be8b36b90f5c39b19dfea947d6184a06cbf6dd16bf97265008d  Mail-SpamAssassin-3.4.3.tar.bz2
    bb3adac71b2a5b69d584ee9843460f61c62da0bb7441c4007cc741b404ad27b8  Mail-SpamAssassin-3.4.3.tar.gz
[Bug 7777] askdns problem with multi-valued resource records
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=

Kevin A. McGrail changed:

    What |Removed |Added
    -----+--------+--------------------
    CC   |        |kmcgr...@apache.org

--- Comment #4 from Kevin A. McGrail ---

I didn't even put in a milestone for 3.4.4. Recommend you try out trunk or use your own patched version.
[Bug 7777] askdns problem with multi-valued resource records
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=

--- Comment #3 from Henrik Krohns ---

Should have reported it sooner to have a chance for 3.4.3. :-)

But unless there are any serious bugs, I doubt 3.4.4 will be released. And since this "limitation" has been all the way from at least 3.4.0, we can probably just think it as more of a feature..
[Bug 7777] askdns problem with multi-valued resource records
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=

Michael Storz changed:

    What |Removed |Added
    -----+--------+--------------
    CC   |        |sa-...@lrz.de

--- Comment #2 from Michael Storz ---

Yeah, the deleted line looks really suspicious. That's the reason I did not report the error immediately when I discovered the bug. For me it looks like a left over optimization after a rewrite of the code. I had the hope that someone could find the meaning of the line in the history of the plugin.

I'm running the patched version on a cluster of servers since September last year filtering at least 200.000 emails a day in pre-queue-mode without any problems. That's the reason, I wrote it is working for me.

I'm using askdns for a bunch of rules querying SPF, DMARC, MX and NS records to build anti-spam-signatures. Some spammers did not realize that they can be tracked via these records.