Apache SpamAssassin FH_DATE_PAST_20XX 0.0 rule bug

[sneader]

Today, Chirpy posted the following on his blog at ConfigServer Blog :

There's a bug in SpamAssassin that the developers have yet to fix in sa_update that is causing problems since the turnover to 01/01/2010:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6269

The bug causes every email sent since 01/01/2010 to receive a spam score of 3.19, whether it is spam or not.

If you're running our MailScanner package you can do the following to zero score that rule and alleviate the problem:

echo score FH_DATE_PAST_20XX 0.0 >> /etc/mail/spamassassin/configserver.cf

I'm not running MailScanner, but certainly running Spam Assassin. Individual users can edit their SA scoring rules within cPanel, but how can I do this for the system wide configuration?

- Scott

 

[sneader]

I believe this will work, but if anyone has suggestions/corrections, I'm all ears:

1) Edit: /etc/mail/spamassassin/local.cf
Add this to the bottom of the file:
score FH_DATE_PAST_20XX 0.0

2) Restart SpamAssassin:
/scripts/restartsrv spamd

- Scott

 

[alankru]

SpamAssassin has fixed the bug in an update:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6269#c12

Now, how does SpamAssassin/cPanel get this update?

 

[cPanelDon]

SpamAssassin has fixed the bug in an update:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6269#c12

Now, how does SpamAssassin/cPanel get this update?

Via root SSH access, SpamAssassin rules may be updated using the following command as mentioned in the linked bug report:

# sa-update

To show more diagnostic/debugging information, the same command can be used with an extra option as seen below:

# sa-update -D

 

[cPanelDon]

Friendly Moderator Note

I've moved this thread into the Mail forums area so that the topic will receive more relevant attention and related discussion.

 

[ziggyjr]

When tyring to install the is via '/scripts/autorepair spamd_y2010_fix' I keep getting this error.


[43440] dbg: channel: selected mirror http://www.sa-update.pccc.com
[43440] dbg: http: GET request, http://www.sa-update.pccc.com/895075.tar.gz
[43440] dbg: http: GET request, http://www.sa-update.pccc.com/895075.tar.gz.sha1
[43440] dbg: http: GET request, http://www.sa-update.pccc.com/895075.tar.gz.asc
[43440] dbg: sha1: verification wanted: ade9426b8f85bed554604033c71e925e5e597502
[43440] dbg: sha1: verification result: ade9426b8f85bed554604033c71e925e5e597502
[43440] dbg: channel: populating temp content file
[43440] dbg: gpg: populating temp signature file
[43440] dbg: gpg: calling gpg
[43440] dbg: gpg: gpg: Signature made Fri Jan 1 15:52:54 2010 EST using RSA key ID 24F434CE
[43440] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not cross-certified
[43440] dbg: gpg: gpg: please see Signing Subkey Cross-Certification - GnuPG.org for more information
[43440] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1262379174 1
[43440] dbg: gpg: gpg: Can't check signature: General error
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
failed.
channel: GPG validation failed, channel failed
[43440] dbg: generic: cleaning up temporary directory/files
[43440] dbg: diag: updates complete, exiting with code 4
Done
spamd_y2010_fix: sa-update failed with Error code 4...Auto Repair is done.

 

[cPanelDon]

When tyring to install the is via '/scripts/autorepair spamd_y2010_fix' I keep getting this error.

[43440] dbg: channel: selected mirror http://www.sa-update.pccc.com
[43440] dbg: http: GET request, http://www.sa-update.pccc.com/895075.tar.gz
[43440] dbg: http: GET request, http://www.sa-update.pccc.com/895075.tar.gz.sha1
[43440] dbg: http: GET request, http://www.sa-update.pccc.com/895075.tar.gz.asc
[43440] dbg: sha1: verification wanted: ade9426b8f85bed554604033c71e925e5e597502
[43440] dbg: sha1: verification result: ade9426b8f85bed554604033c71e925e5e597502
[43440] dbg: channel: populating temp content file
[43440] dbg: gpg: populating temp signature file
[43440] dbg: gpg: calling gpg
[43440] dbg: gpg: gpg: Signature made Fri Jan 1 15:52:54 2010 EST using RSA key ID 24F434CE
[43440] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not cross-certified
[43440] dbg: gpg: gpg: please see [url=http://www.gnupg.org/faq/subkey-cross-certify.html]Signing Subkey Cross-Certification - GnuPG.org[/url] for more information
[43440] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1262379174 1
[43440] dbg: gpg: gpg: Can't check signature: General error
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
failed.
channel: GPG validation failed, channel failed
[43440] dbg: generic: cleaning up temporary directory/files
[43440] dbg: diag: updates complete, exiting with code 4
Done
spamd_y2010_fix: sa-update failed with Error code 4...Auto Repair is done.

The provided log detail is output directly by the "sa-update" tool from the SpamAssassin installation.

For corrective measures please refer to the following documentation entry in the official SpamAssassin Wiki:
SaUpdateKeyNotCrossCertified - SpamAssassin Wiki

If you run "sa-update -D" and see something like this:

[26406] dbg: gpg: calling gpg
[26406] dbg: gpg: gpg: Signature made Thu 18 Oct 2007 02:54:04 AM EDT using RSA key ID 24F434CE
[26406] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not cross-certified
[26406] dbg: gpg: gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more 
information
[26406] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1192690444 1
[26406] dbg: gpg: gpg: Can't check signature: general error
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
failed.
channel: GPG validation failed, channel failed
[26406] dbg: generic: cleaning up temporary directory/files
[26406] dbg: diag: updates complete, exiting with code 4

Then you need to download an updated sa-update key.

As bug 5775 describes, the GnuPG developers decided to create a new error condition for a potentially-dangerous signature style, which unfortunately was one we use for the SpamAssassin update-signing key.

Running this should fix it:

# wget http://spamassassin.apache.org/updates/GPG.KEY
# sa-update --import GPG.KEY

 

[alankru]

Via root SSH access, SpamAssassin rules may be updated using the following command as mentioned in the linked bug report:

# sa-update

To show more diagnostic/debugging information, the same command can be used with an extra option as seen below:

# sa-update -D

So you have to run the update manually? SpamAssassin won't get it's/the updates automatically?

Thanks!

 

[sneader]

I've moved this thread into the Mail forums area so that the topic will receive more relevant attention and related discussion.

Don, the Mail Forum is described as:

Learn how to customize mail handling beyond the natively supported capabilities of cPanel and WHM.

Since SpamAssassin is natively supported in cPanel and WHM, I did not think it made sense to have this thread in the Mail forum. Please clarify.

- Scott

 

[sneader]

cPanel sent out the following email notification. Of note:

• If you have automatic updates enabled, this will be fixed during the next upcp
• If you do NOT have automatic updates enabled, there is now a script you can run to manually fix the problem.

Subject: [cPanel-News] URGENT: Spam Assassin Ruleset Bug
From: Aaron Phillips
To: [email protected]

Greetings:

The Quality Assurance team discovered a bug within the SpamAssassin
ruleset that will mark messages sent in the year 2010 (that's today)
and beyond with a higher spam score than expected. This bug can
result in legitimate mail being flagged as spam.

The cPanel Development team has issued a hot fix that will address
this issue and will automatically update the SpamAssassin ruleset to
resolve this issue. If you have automatic cPanel updates enabled, no
further action is required.

If you do not have automatic cPanel updates enabled, you can manually
update the SpamAssassin ruleset by executing the following commands
in a root shell:

/scripts/autorepair spamd_y2010_fix

For a more detailed explanation and information on resolving this
problem on a non-cPanel environment, please review:

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6269

As always, the entire cPanel team has pulled together to provide a
rapid response to this issue as we realize proper email delivery is
mission critical.

If you need any assistance, our 24x7 Technical Analyst team is
standing by to provide you with further instructions, answers, and
solutions to this bug. To reach them please submit a ticket via:

https://tickets.cpanel.net/submit/index.cgi?step=2&reqtype=tickets&product=cpanel

You can also join the discussion on the SpamAssassin bug at http://forums.cpanel.net/f43/spamassassin-fh_date_past_20xx-0-0-rule-bug-142725.html

Happy New Year,
The cPanel Team

 

[Dada]

/scripts/autorepair spamd_y2010_fix shows an error:

Can't locate object method "finish" via package "Mail::SpamAssassin::Timeout" at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PluginHandler.pm line 236.
Done
spamd_y2010_fix: sa-update failed with Error code 255...Auto Repair is done.

 

[cPanelDon]

Don, the Mail Forum is described as:

Learn how to customize mail handling beyond the natively supported capabilities of cPanel and WHM.

Since SpamAssassin is natively supported in cPanel and WHM, I did not think it made sense to have this thread in the Mail forum. Please clarify.

- Scott

You're correct that SpamAssassin itself is natively supported; I think either of the two forum areas could be considered suitable for a topic like this. It was my determination that the topic involved managing SpamAssassin rules, including problems arising from them, and or managing potentially customized rule configurations, and that this may be better grouped in the Mail discussion area of the forums where the topic is more related to the overall area of interest. Some topics, like this one, may have more than one organizational criteria, and with that in mind I can see where the topic may be swayed either way in terms of determining where to organize the thread.

 

[cPanelDon]

/scripts/autorepair spamd_y2010_fix shows an error:

Can't locate object method "finish" via package "Mail::SpamAssassin::Timeout" at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PluginHandler.pm line 236.
Done
spamd_y2010_fix: sa-update failed with Error code 255...Auto Repair is done.

Does the result occur when using just "sa-update -D"?

Have any plug-ins or custom rules been enabled or added in SpamAssassin?

What is the output of the following command?

# perl -MMail::SpamAssassin -e 'print"$Mail::SpamAssassin::VERSION\n"'

Please also consider submitting a support request so that we may assist with investigating further; when available, please PM me your new ticket ID number so I may follow-up internally.

 

[cPanelDon]

So you have to run the update manually? SpamAssassin won't get it's/the updates automatically?

Thanks!

When SpamAssassin is installed it includes a set of default rules. Outside of this I am not aware if SpamAssassin includes automatic rule updates by default; however, per the news announcement the hot fix that we have in-place will attempt an automated update using the "sa-update" tool in SpamAssassin.

 

[shacker23]

spamassassin.kluge.net

When I run either:

sa-update -D

or

/scripts/autorepair spamd_y2010_fix

I get this error:

http: request failed: 500 Can't connect to spamassassin.kluge.net:80 (Bad hostname 'spamassassin.kluge.net'): 500 Can't connect to spamassassin.kluge.net:80 (Bad hostname 'spamassassin.kluge.net') 
channel: could not find working mirror, channel failed

Suggestions?

 

[cPanelDon]

When I run either:

sa-update -D

or

/scripts/autorepair spamd_y2010_fix

I get this error:

http: request failed: 500 Can't connect to spamassassin.kluge.net:80 (Bad hostname 'spamassassin.kluge.net'): 500 Can't connect to spamassassin.kluge.net:80 (Bad hostname 'spamassassin.kluge.net') 
channel: could not find working mirror, channel failed

Suggestions?

Use the following command to check the contents of a file containing a list of mirrors:

# cat /var/lib/spamassassin/3.002004/updates_spamassassin_org/MIRRORED.BY

If only the failing mirror is listed, try adding an alternate. Here is a an example set of entries containing two usable mirrors:

# test mirror: zone, cached via Coral
#http://buildbot.spamassassin.org.nyud.net:8090/updatestage/
http://daryl.dostech.ca/sa-update/asf/ weight=5
http://www.sa-update.pccc.com/ weight=5

It is also possible to simply replace the existing file with a fresh copy from an available mirror; the following two steps may be used to accomplish this (via root SSH access):
Step 1.) Change directory, then move (backup) the existing file

# cd /var/lib/spamassassin/3.002004/updates_spamassassin_org
# mv -v MIRRORED.BY MIRRORED.BY.backup

Step 2.) Download a fresh copy using one of the following commands:

# wget -N http://www.sa-update.pccc.com/MIRRORED.BY
# wget -N http://daryl.dostech.ca/sa-update/asf/MIRRORED.BY

Reference:
http://daryl.dostech.ca/sa-update/asf/MIRRORED.BY
http://www.sa-update.pccc.com/MIRRORED.BY

 

[Promethyl]

I patched mine by hand.

 

[shacker23]

Thanks much cPanel Don - that did the trick.