SpamAssassin 2010 Bug

Posted by Joe Topjian on January 3, 2010 under Administration

I first heard of the SpamAssassin 2010 bug in an email notice from cPanel and then saw it mentioned on LWN. The full details of the incident can be read in the bug report.

The exact rule causing the problem is

header   FH_DATE_PAST_20XX      Date =~ /20[1-9][0-9]/ [if-unset: 2006]
describe FH_DATE_PAST_20XX      The date is grossly in the future.

The updated rule is

header   FH_DATE_PAST_20XX      Date =~ /20[2-9][0-9]/ [if-unset: 2006]
describe FH_DATE_PAST_20XX      The date is grossly in the future.

Implementing sa-update looks to be a good way to ensure you have the latest core rules at all times.

If SpamAssassin is still being used 10 years from now, we’ll be in this situation again. Unfortunately it’s a necessary precaution as there is quite a bit of spam that toys around with dates.
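The two patterns applied to constructed Date headers, as an added example that is not part of the original post or of SpamAssassin. `grossly_future` is a hypothetical clock-relative check included for comparison, and the sample headers and scan times are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

OLD_RULE = re.compile(r"20[1-9][0-9]")  # pattern from the original rule
NEW_RULE = re.compile(r"20[2-9][0-9]")  # pattern from the updated rule
IF_UNSET = "2006"  # [if-unset: 2006]: text tested when Date is missing


def rule_hits(pattern, date_header):
    """Model the header rule: unanchored regex search over the Date text."""
    text = IF_UNSET if date_header is None else date_header
    return bool(pattern.search(text))


def grossly_future(date_header, now, slack=timedelta(days=2)):
    """Hypothetical alternative: compare Date with the clock, not a year range."""
    if date_header is None:
        return False
    try:
        sent = parsedate_to_datetime(date_header)
    except (TypeError, ValueError):
        return False  # unparseable Date: out of scope for this check
    if sent.tzinfo is None:  # "-0000" parses as a naive datetime
        sent = sent.replace(tzinfo=timezone.utc)
    return sent - now > slack


# Constructed samples: (Date header, assumed time the message is scanned)
SAMPLES = [
    ("Fri, 01 Jan 2010 00:05:00 +0000", datetime(2010, 1, 1, 0, 10, tzinfo=timezone.utc)),
    ("Tue, 19 Jan 2038 03:14:07 +0000", datetime(2010, 1, 1, 0, 10, tzinfo=timezone.utc)),
    ("Wed, 01 Jan 2020 00:05:00 +0000", datetime(2020, 1, 1, 0, 10, tzinfo=timezone.utc)),
    (None, datetime(2010, 1, 1, 0, 10, tzinfo=timezone.utc)),
]


def evaluate(samples=SAMPLES):
    """Return (header, old_hit, new_hit, clock_hit) for each sample."""
    return [
        (hdr, rule_hits(OLD_RULE, hdr), rule_hits(NEW_RULE, hdr), grossly_future(hdr, now))
        for hdr, now in samples
    ]


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

The 2020 row shows the updated pattern hitting a correctly dated message once the calendar reaches its range, which is the recurrence anticipated above.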
