[ANNOUNCE] Apache SpamAssassin 4.0.0 available

2022-12-17 Thread Sidney Markowitz

On behalf of the Apache SpamAssassin Project,
I am pleased to announce version 4.0.0 is available.


Release Notes -- Apache SpamAssassin -- Version 4.0.0


Introduction


Apache SpamAssassin 4.0.0 contains numerous tweaks and bug fixes over
the past releases. In particular, it includes major changes that
significantly improve the handling of text in international languages.

As with any major release, there are countless functional patches and
improvements to upgrade to 4.0.0. Apache SpamAssassin 4.0.0 includes
several years of fixes that significantly improve classification and
performance. It has been thoroughly tested in production systems. We
strongly recommend upgrading as soon as possible.


Important Notes
---------------

*** On March 1, 2020, we stopped publishing rulesets with SHA-1
  signatures. If you do not update to 3.4.2 or later, you will be
  stuck at the last ruleset with SHA-1 signatures. Such an upgrade
  should be to 3.4.6 to obtain the contained security fixes ***

*** Ongoing development on the 3.4 branch has ceased. All future
  releases and bug fixes will be on the 4.0 series, unless a new
  security issue is found that necessitates a 3.4.7 release. ***


Thanks
------

Many thanks to the committers (see CREDITS file), contributors, rule
testers, mass checkers, and code testers who have made this release
possible. We would also like to thank cPanel for their continued
support of new features.

Notable features:
=================


New plugins
-----------

There are three new plugins added with this release:


#1 Mail::SpamAssassin::Plugin::ExtractText

This plugin uses external tools to extract text from message parts,
and then sets the text as the rendered part. All SpamAssassin rules
that apply to the rendered part will run on the extracted text as
well.


#2 Mail::SpamAssassin::Plugin::DMARC

This plugin checks if emails match DMARC policy after parsing DKIM and
SPF results.


#3 Mail::SpamAssassin::Plugin::DecodeShortURLs

This plugin looks for URLs shortened by a list of URL shortening
services. Upon finding a matching URL, the plugin will send an HTTP
request to the shortening service and retrieve the Location header,
which points to the actual shortened URL. It then adds this URL to the
list of URIs extracted by SpamAssassin, which can then be accessed by
uri rules and plugins such as URIDNSBL.


Removed plugin
--------------

HashCash module, formerly deprecated, has now been removed completely.


Notable changes
---------------

This release includes fixes for the following:

  - Support for international text such as UTF-8 rules has been
    completed and significantly improved to include native UTF-8
    processing

  - Bayes plugin has been improved to skip common words aka noise
    words written in languages other than English

  - OLEVBMacro plugin has been improved in order to detect more
    Microsoft Office macros and dangerous content. It has also been
    improved to extract URIs from Office documents for automatic
    inclusion in rules such as RBL lookups.

  - You can now use Captured Tags to use tags “captured” in one rule
    inside other rules

  - sa-update(1) tool has been improved with three new options:

    #1 forcemirror: forces sa-update to use a specific mirror server,

    #2 score-multiplier: adjusts all scores from update channel by a
       given multiplier to quickly level set scores to match your
       preferred threshold

    #3 score-limit: adjusts all scores from update channel over a
       specified limit to a new limit

* SSL client certificate support has been improved and made easier to
  implement with spamc/spamd

* DKIM plugin can now detect ARC signatures

* More work on improving the configuration and internal coding to use
  more inclusive and less divisive language

* spamc(1) speed has been improved when both SSL and compression are
  used

* The normalize_charset option is now enabled by default. NOTE: Rules
  should not expect specific non-UTF-8 or UTF-8 encoding in the body.
  Matching is done against the raw body, which may vary depending on
  normalize_charset setting and whether UTF-8 decoding was successful.

* Mail::SPF is now the only supported module used by the SPF plugin.

* Mail::SPF::Query use is deprecated, along with settings
  do_not_use_mail_spf, do_not_use_mail_spf_query.

* SPF lookups are not done asynchronously and you may consider using
  an SPF filter at the MTA level (pypolicyd-spf / spf-engine / etc)
  which generates a Received-SPF header that can be parsed by
  SpamAssassin.

* The default sa-update ruleset doesn't make ASN lookups or header
  additions anymore.  Configure desired methods (asn_use_geodb /
  asn_use_dns) and add_header clauses manually, as described in
  documentation for the Mail::SpamAssassin::Plugin::ASN.


New configuration options
-------------------------

All rules, functions, command line options and modules that contain
"whitelist" or "blacklist" have been 

RE: welcomelist_auth and SPF

2022-12-17 Thread Marc
> 
> 
> Yes, GoDaddy is shit, but should that mean there's no expectation of
> being able to add it to a trusted senders list for individual senders?

of course 

whitelist_from *@christmasball.com

or you add some header 

header  TREE_WHITELIST X-Tree =~ /\bwhitelisted\b/
score   TREE_WHITELIST -50

> I'm now more curious why it says SPF_PASSed, yet my welcomelist entry
> didn't work to keep it from being marked as spam.

SPF pass is just a result that gets processed in the general result. The 
general result decides if a message is marked as spam. 

> Whether or not it's listed on the valli blocklists should also be
> irrelevant - that GoDaddy is shit is the exact reason why I'm trying to
> add this (unsuccessfully) to the welcomelist.

Maybe you have a version that still is racist? ;)
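
Added example, not part of the thread and not SpamAssassin code: a simplified Python model of how an SPF pass and a missing welcomelist_auth hit can coexist, and how only the summed score decides the verdict. It assumes the SPF path matches the pattern against the envelope sender and the DKIM path against the From: address; the SAMPLE_ rule names, all scores and the mailhost.example address are constructed.

```python
from fnmatch import fnmatchcase

# Constructed scores for illustration; real values come from the active ruleset.
SCORES = {"SPF_PASS": -0.001, "USER_IN_SPF_WELCOMELIST": -100.0,
          "USER_IN_DKIM_WELCOMELIST": -100.0,
          "SAMPLE_URI_BLOCKLIST": 4.5, "SAMPLE_BAYES": 3.5}
REQUIRED_SCORE = 5.0


def _matches(patterns, address):
    """Glob-match an address against welcomelist patterns, case-insensitively."""
    return any(fnmatchcase(address.lower(), p.lower()) for p in patterns)


def auth_welcomelist_hits(patterns, msg):
    """Return the welcomelist rules an authenticated sender would trigger.

    Assumed model: the SPF path compares the pattern with the envelope
    sender (the identity SPF validated); the DKIM path compares it with the
    From: address and needs a valid signature from that address's domain.
    """
    hits = []
    if msg["spf"] == "pass" and _matches(patterns, msg["envelope_from"]):
        hits.append("USER_IN_SPF_WELCOMELIST")
    from_domain = msg["header_from"].rsplit("@", 1)[-1].lower()
    if from_domain in msg["dkim_valid_domains"] and _matches(patterns, msg["header_from"]):
        hits.append("USER_IN_DKIM_WELCOMELIST")
    return hits


def verdict(patterns, msg, content_hits):
    """Sum every rule hit; only the total is compared with the threshold."""
    hits = list(content_hits) + auth_welcomelist_hits(patterns, msg)
    if msg["spf"] == "pass":
        hits.append("SPF_PASS")
    total = round(sum(SCORES[h] for h in hits), 3)
    return total, total >= REQUIRED_SCORE


PATTERNS = ["*@christmasball.com"]
# Constructed message: From: uses the listed domain, but the envelope sender
# (what SPF passed for) belongs to a hypothetical hosting provider's domain.
HOSTED = {"envelope_from": "bounce@mailhost.example",
          "header_from": "info@christmasball.com",
          "spf": "pass", "dkim_valid_domains": set()}
# Same message with an envelope sender that matches the pattern.
ALIGNED = dict(HOSTED, envelope_from="info@christmasball.com")
CONTENT = ["SAMPLE_URI_BLOCKLIST", "SAMPLE_BAYES"]

if __name__ == "__main__":
    print(verdict(PATTERNS, HOSTED, CONTENT))
    print(verdict(PATTERNS, ALIGNED, CONTENT))
```

On a real message, the X-Spam-Status header lists which rules fired, which shows whether a welcomelist rule is among them.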