After a year of development, a new version of the spam filtering platform, SpamAssassin 3.4.3, has been released. It comes with a number of changes and bug fixes, one of which addresses a vulnerability that could lead to a denial of service.
SpamAssassin is a program for filtering spam that uses a variety of spam detection techniques, including DNS-based and fuzzy-checksum-based detection, filtering, external programs, blacklists and online databases. It can be integrated with the mail server to automatically filter all mail for a site.
It can also be run by individual users on their own mailbox, and it integrates with various email clients. Apache SpamAssassin is highly configurable, even when used as a system-wide filter.
SpamAssassin takes a comprehensive approach to deciding whether to block a message: the message undergoes a series of checks (context analysis, DNSBL blacklists and whitelists, trained Bayesian classifiers, signature verification, sender authentication using SPF and DKIM, etc.).
Each method that fires contributes a weight to an accumulated score. If the resulting score exceeds a configured threshold, the message is blocked or marked as spam.
It also ships with tools for automatically updating the filter rules, and the package can be used on both client and server systems. SpamAssassin is written in Perl and distributed under the Apache license.
SpamAssassin 3.4.3 Features
The announcement of SpamAssassin 3.4.3 highlights a new configuration keyword, "subjprefix", which adds a prefix to the message's subject when the associated rule is triggered. The "_SUBJPREFIX_" tag has been added to templates, reflecting the "subjprefix" setting.
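To make the scoring model described above concrete (a series of rule checks accumulating a score against a threshold, with a per-rule subject prefix in the spirit of the new "subjprefix" keyword), here is a small added example; it is illustrative code written for this article, not SpamAssassin's own Perl implementation, and the rule names, scores and sample messages are constructed.

```python
import re
from email import message_from_string

# Constructed, hypothetical rule table (not SpamAssassin's shipped ruleset):
# each rule has a regex, the part it inspects, a score and an optional
# subject prefix, mirroring the 3.4.3 "subjprefix" keyword.
RULES = {
    "HYPO_SUBJ_URGENT":  {"where": "Subject", "re": r"\bURGENT\b",  "score": 1.5, "subjprefix": "[URGENT]"},
    "HYPO_BODY_LOTTERY": {"where": "body",    "re": r"\blottery\b", "score": 3.0, "subjprefix": None},
    "HYPO_BODY_CLICK":   {"where": "body",    "re": r"click here",  "score": 1.0, "subjprefix": None},
}
REQUIRED_SCORE = 5.0  # score at or above which the message is marked as spam

# Constructed sample messages for the demonstration.
SPAM_SAMPLE = "From: sender@example.com\nSubject: URGENT: you won\n\nYou won the lottery! Click here now.\n"
HAM_SAMPLE = "From: colleague@example.com\nSubject: meeting notes\n\nSee the attached minutes.\n"


def text_body(msg):
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def evaluate(raw, rules=RULES, threshold=REQUIRED_SCORE):
    """Run every rule, accumulate the score and apply the subject prefixes of hit rules."""
    msg = message_from_string(raw)
    body = text_body(msg)
    subject = msg.get("Subject", "")
    hits, score, prefixes = [], 0.0, []
    for name, rule in rules.items():
        target = subject if rule["where"] == "Subject" else body
        if re.search(rule["re"], target, re.IGNORECASE):
            hits.append(name)
            score += rule["score"]
            if rule["subjprefix"]:
                prefixes.append(rule["subjprefix"])
    new_subject = " ".join(prefixes + [subject]) if prefixes else subject
    return {"hits": hits, "score": score, "is_spam": score >= threshold, "subject": new_subject}


if __name__ == "__main__":
    for sample in (SPAM_SAMPLE, HAM_SAMPLE):
        print(evaluate(sample))
```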
The check_rbl_ns_from function has been added to check the DNS server of the sender's domain against an RBL, and check_rbl_rcvd to check the domains or IP addresses from all Received headers against an RBL.
Among the fixes in SpamAssassin 3.4.3, the announcement mentions a vulnerability (CVE-2018-11805) that allowed system commands to be run from CF files (SpamAssassin configuration files) without any indication that they had been launched.
It also fixes a vulnerability (CVE-2019-12420) that could be used to cause a denial of service when processing an email with a specially crafted multipart section.
The SpamAssassin developers also announced that they are preparing the 4.0 branch, which will implement full native UTF-8 processing.
On March 1, 2020, the publication of rules signed with SHA-1 will also be discontinued (in version 3.4.2, the SHA-256 and SHA-512 hash functions replaced SHA-1).
Other changes that stand out in the announcement:
- A new plugin, OLEVBMacro, has been added to detect OLE macros and VB code within documents.
- Improved speed and security when scanning large messages, via the body_part_scan_size and rawbody_part_scan_size settings.
- The "nosubject" flag has been added to rules that process the body of a message, so that the Subject header is no longer searched as part of the body text.
- For security reasons, the 'sa-update --allowplugins' option has been deprecated.
- The rbl_headers option has been added to the DNSEval plugin to define which headers to check against RBL lists.
- Options have been added to the check_hashbl_emails function to specify which headers' contents should be checked against an RBL or ACL.
- The check_hashbl_bodyre function has been added to search the message body with a regular expression and look up the matches in an RBL.
- The check_hashbl_uris function has been added to detect URLs in the message body and check them against an RBL.
Finally, those who want this new version can get the source code from the following link, or wait for the corresponding binaries to be built for the different Linux distributions and published in their usual channels.