Apache SpamAssassin FH_DATE_PAST_20XX 0.0 rule bug

sneader

Well-Known Member
Aug 21, 2003
1,178
57
178
La Crosse, WI
cPanel Access Level
Root Administrator
Today, Chirpy posted the following on his blog at ConfigServer Blog :

There's a bug in SpamAssassin that the developers have yet to fix in sa_update that is causing problems since the turnover to 01/01/2010:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6269

The bug causes every email sent since 01/01/2010 to receive a spam score of 3.19, whether it is spam or not.

If you're running our MailScanner package you can do the following to zero score that rule and alleviate the problem:
Code:
echo score FH_DATE_PAST_20XX 0.0 >> /etc/mail/spamassassin/configserver.cf
I'm not running MailScanner, but certainly running Spam Assassin. Individual users can edit their SA scoring rules within cPanel, but how can I do this for the system wide configuration?

- Scott
 
Last edited by a moderator:

sneader

Well-Known Member
Aug 21, 2003
1,178
57
178
La Crosse, WI
cPanel Access Level
Root Administrator
I believe this will work, but if anyone has suggestions/corrections, I'm all ears:

1) Edit: /etc/mail/spamassassin/local.cf
Add this to the bottom of the file:
score FH_DATE_PAST_20XX 0.0

2) Restart SpamAssassin:
/scripts/restartsrv spamd

- Scott
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
2,545
12
268
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
Twitter
SpamAssassin has fixed the bug in an update:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6269#c12

Now, how does SpamAssassin/cPanel get this update?
Via root SSH access, SpamAssassin rules may be updated using the following command as mentioned in the linked bug report:
Code:
# sa-update
To show more diagnostic/debugging information, the same command can be used with an extra option as seen below:
Code:
# sa-update -D
 
Last edited:

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
2,545
12
268
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
Twitter
Friendly Moderator Note

I've moved this thread into the Mail forums area so that the topic will receive more relevant attention and related discussion.
 

ziggyjr

Registered
Feb 10, 2008
4
0
51
When tyring to install the is via '/scripts/autorepair spamd_y2010_fix' I keep getting this error.


[43440] dbg: channel: selected mirror http://www.sa-update.pccc.com
[43440] dbg: http: GET request, http://www.sa-update.pccc.com/895075.tar.gz
[43440] dbg: http: GET request, http://www.sa-update.pccc.com/895075.tar.gz.sha1
[43440] dbg: http: GET request, http://www.sa-update.pccc.com/895075.tar.gz.asc
[43440] dbg: sha1: verification wanted: ade9426b8f85bed554604033c71e925e5e597502
[43440] dbg: sha1: verification result: ade9426b8f85bed554604033c71e925e5e597502
[43440] dbg: channel: populating temp content file
[43440] dbg: gpg: populating temp signature file
[43440] dbg: gpg: calling gpg
[43440] dbg: gpg: gpg: Signature made Fri Jan 1 15:52:54 2010 EST using RSA key ID 24F434CE
[43440] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not cross-certified
[43440] dbg: gpg: gpg: please see Signing Subkey Cross-Certification - GnuPG.org for more information
[43440] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1262379174 1
[43440] dbg: gpg: gpg: Can't check signature: General error
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
failed.
channel: GPG validation failed, channel failed
[43440] dbg: generic: cleaning up temporary directory/files
[43440] dbg: diag: updates complete, exiting with code 4
Done
spamd_y2010_fix: sa-update failed with Error code 4...Auto Repair is done.
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
2,545
12
268
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
Twitter
When tyring to install the is via '/scripts/autorepair spamd_y2010_fix' I keep getting this error.
Code:
[43440] dbg: channel: selected mirror http://www.sa-update.pccc.com
[43440] dbg: http: GET request, http://www.sa-update.pccc.com/895075.tar.gz
[43440] dbg: http: GET request, http://www.sa-update.pccc.com/895075.tar.gz.sha1
[43440] dbg: http: GET request, http://www.sa-update.pccc.com/895075.tar.gz.asc
[43440] dbg: sha1: verification wanted: ade9426b8f85bed554604033c71e925e5e597502
[43440] dbg: sha1: verification result: ade9426b8f85bed554604033c71e925e5e597502
[43440] dbg: channel: populating temp content file
[43440] dbg: gpg: populating temp signature file
[43440] dbg: gpg: calling gpg
[43440] dbg: gpg: gpg: Signature made Fri Jan 1 15:52:54 2010 EST using RSA key ID 24F434CE
[43440] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not cross-certified
[43440] dbg: gpg: gpg: please see [url=http://www.gnupg.org/faq/subkey-cross-certify.html]Signing Subkey Cross-Certification - GnuPG.org[/url] for more information
[43440] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1262379174 1
[43440] dbg: gpg: gpg: Can't check signature: General error
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
failed.
channel: GPG validation failed, channel failed
[43440] dbg: generic: cleaning up temporary directory/files
[43440] dbg: diag: updates complete, exiting with code 4
Done
spamd_y2010_fix: sa-update failed with Error code 4...Auto Repair is done.
The provided log detail is output directly by the "sa-update" tool from the SpamAssassin installation.

For corrective measures please refer to the following documentation entry in the official SpamAssassin Wiki:
SaUpdateKeyNotCrossCertified - SpamAssassin Wiki
If you run "sa-update -D" and see something like this:
Code:
[26406] dbg: gpg: calling gpg
[26406] dbg: gpg: gpg: Signature made Thu 18 Oct 2007 02:54:04 AM EDT using RSA key ID 24F434CE
[26406] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not cross-certified
[26406] dbg: gpg: gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more 
information
[26406] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1192690444 1
[26406] dbg: gpg: gpg: Can't check signature: general error
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
failed.
channel: GPG validation failed, channel failed
[26406] dbg: generic: cleaning up temporary directory/files
[26406] dbg: diag: updates complete, exiting with code 4
Then you need to download an updated sa-update key.

As bug 5775 describes, the GnuPG developers decided to create a new error condition for a potentially-dangerous signature style, which unfortunately was one we use for the SpamAssassin update-signing key.

Running this should fix it:
Code:
# wget http://spamassassin.apache.org/updates/GPG.KEY
# sa-update --import GPG.KEY
 

alankru

Member
Jan 2, 2006
22
0
151
cPanel Access Level
Root Administrator
Via root SSH access, SpamAssassin rules may be updated using the following command as mentioned in the linked bug report:
Code:
# sa-update
To show more diagnostic/debugging information, the same command can be used with an extra option as seen below:
Code:
# sa-update -D
So you have to run the update manually? SpamAssassin won't get it's/the updates automatically?

Thanks!
 

sneader

Well-Known Member
Aug 21, 2003
1,178
57
178
La Crosse, WI
cPanel Access Level
Root Administrator
I've moved this thread into the Mail forums area so that the topic will receive more relevant attention and related discussion.
Don, the Mail Forum is described as:

Learn how to customize mail handling beyond the natively supported capabilities of cPanel and WHM.
Since SpamAssassin is natively supported in cPanel and WHM, I did not think it made sense to have this thread in the Mail forum. Please clarify.

- Scott
 

sneader

Well-Known Member
Aug 21, 2003
1,178
57
178
La Crosse, WI
cPanel Access Level
Root Administrator
cPanel sent out the following email notification. Of note:
  • If you have automatic updates enabled, this will be fixed during the next upcp
  • If you do NOT have automatic updates enabled, there is now a script you can run to manually fix the problem.

Subject: [cPanel-News] URGENT: Spam Assassin Ruleset Bug
From: Aaron Phillips
To: [email protected]

Greetings:

The Quality Assurance team discovered a bug within the SpamAssassin
ruleset that will mark messages sent in the year 2010 (that's today)
and beyond with a higher spam score than expected. This bug can
result in legitimate mail being flagged as spam.

The cPanel Development team has issued a hot fix that will address
this issue and will automatically update the SpamAssassin ruleset to
resolve this issue. If you have automatic cPanel updates enabled, no
further action is required.

If you do not have automatic cPanel updates enabled, you can manually
update the SpamAssassin ruleset by executing the following commands
in a root shell:

/scripts/autorepair spamd_y2010_fix

For a more detailed explanation and information on resolving this
problem on a non-cPanel environment, please review:

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6269

As always, the entire cPanel team has pulled together to provide a
rapid response to this issue as we realize proper email delivery is
mission critical.

If you need any assistance, our 24x7 Technical Analyst team is
standing by to provide you with further instructions, answers, and
solutions to this bug. To reach them please submit a ticket via:

https://tickets.cpanel.net/submit/index.cgi?step=2&reqtype=tickets&product=cpanel

You can also join the discussion on the SpamAssassin bug at http://forums.cpanel.net/f43/spamassassin-fh_date_past_20xx-0-0-rule-bug-142725.html

Happy New Year,
The cPanel Team
 

Dada

Registered
Jan 4, 2010
1
0
51
/scripts/autorepair spamd_y2010_fix shows an error:


Can't locate object method "finish" via package "Mail::SpamAssassin::Timeout" at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PluginHandler.pm line 236.
Done
spamd_y2010_fix: sa-update failed with Error code 255...Auto Repair is done.
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
2,545
12
268
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
Twitter
Don, the Mail Forum is described as:
Learn how to customize mail handling beyond the natively supported capabilities of cPanel and WHM.
Since SpamAssassin is natively supported in cPanel and WHM, I did not think it made sense to have this thread in the Mail forum. Please clarify.

- Scott
You're correct that SpamAssassin itself is natively supported; I think either of the two forum areas could be considered suitable for a topic like this. It was my determination that the topic involved managing SpamAssassin rules, including problems arising from them, and or managing potentially customized rule configurations, and that this may be better grouped in the Mail discussion area of the forums where the topic is more related to the overall area of interest. Some topics, like this one, may have more than one organizational criteria, and with that in mind I can see where the topic may be swayed either way in terms of determining where to organize the thread.
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
2,545
12
268
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
Twitter
/scripts/autorepair spamd_y2010_fix shows an error:
Code:
Can't locate object method "finish" via package "Mail::SpamAssassin::Timeout" at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PluginHandler.pm line 236.
Done
spamd_y2010_fix: sa-update failed with Error code 255...Auto Repair is done.
Does the result occur when using just "sa-update -D"?

Have any plug-ins or custom rules been enabled or added in SpamAssassin?

What is the output of the following command?
Code:
# perl -MMail::SpamAssassin -e 'print"$Mail::SpamAssassin::VERSION\n"'
Please also consider submitting a support request so that we may assist with investigating further; when available, please PM me your new ticket ID number so I may follow-up internally.
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
2,545
12
268
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
Twitter
So you have to run the update manually? SpamAssassin won't get it's/the updates automatically?

Thanks!
When SpamAssassin is installed it includes a set of default rules. Outside of this I am not aware if SpamAssassin includes automatic rule updates by default; however, per the news announcement the hot fix that we have in-place will attempt an automated update using the "sa-update" tool in SpamAssassin.
 

shacker23

Well-Known Member
Feb 20, 2005
263
1
168
spamassassin.kluge.net

When I run either:

Code:
sa-update -D
or
Code:
/scripts/autorepair spamd_y2010_fix
I get this error:

Code:
http: request failed: 500 Can't connect to spamassassin.kluge.net:80 (Bad hostname 'spamassassin.kluge.net'): 500 Can't connect to spamassassin.kluge.net:80 (Bad hostname 'spamassassin.kluge.net') 
channel: could not find working mirror, channel failed
Suggestions?
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
2,545
12
268
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
Twitter
When I run either:

Code:
sa-update -D
or
Code:
/scripts/autorepair spamd_y2010_fix
I get this error:

Code:
http: request failed: 500 Can't connect to spamassassin.kluge.net:80 (Bad hostname 'spamassassin.kluge.net'): 500 Can't connect to spamassassin.kluge.net:80 (Bad hostname 'spamassassin.kluge.net') 
channel: could not find working mirror, channel failed
Suggestions?
Use the following command to check the contents of a file containing a list of mirrors:
Code:
# cat /var/lib/spamassassin/3.002004/updates_spamassassin_org/MIRRORED.BY
If only the failing mirror is listed, try adding an alternate. Here is a an example set of entries containing two usable mirrors:
Code:
# test mirror: zone, cached via Coral
#http://buildbot.spamassassin.org.nyud.net:8090/updatestage/
http://daryl.dostech.ca/sa-update/asf/ weight=5
http://www.sa-update.pccc.com/ weight=5
It is also possible to simply replace the existing file with a fresh copy from an available mirror; the following two steps may be used to accomplish this (via root SSH access):
Step 1.) Change directory, then move (backup) the existing file
Code:
# cd /var/lib/spamassassin/3.002004/updates_spamassassin_org
# mv -v MIRRORED.BY MIRRORED.BY.backup
Step 2.) Download a fresh copy using one of the following commands:
Code:
# wget -N http://www.sa-update.pccc.com/MIRRORED.BY
# wget -N http://daryl.dostech.ca/sa-update/asf/MIRRORED.BY
Reference:
http://daryl.dostech.ca/sa-update/asf/MIRRORED.BY
http://www.sa-update.pccc.com/MIRRORED.BY
 

Promethyl

Well-Known Member
Mar 27, 2004
68
0
156
I patched mine by hand.