SpamAssassin Bug Blocks Untold Numbers of Legit Emails

Written by Sue Walsh on January 11, 2010

A bug in the popular SpamAssassin anti-spam engine caused legitimate emails sent in the first few days of 2010 to be marked as spam. It is not known exactly how many emails were affected, but the bug hit ISPs across the globe. The problem was with the ‘FH_DATE_PAST_20XX’ rule: in the compiled rules shipped with SpamAssassin 3.2.0 through 3.2.5, the rule had not been updated to reflect the new year, so emails carrying a 2010 date were flagged. The rule exists in response to the practice some spammers have of sending their messages with a date far in the future so they appear at the top of recipients’ inboxes. Apache released a statement apologizing for the error:

Versions of the FH_DATE_PAST_20XX rule released with versions of Apache SpamAssassin 3.2.0 thru 3.2.5 will trigger on most mail with a Date header that includes the year 2010 or later. The rule will add a score of up to 3.6 towards the spam classification of all email. You should take corrective action immediately; there are two easy ways to correct the problem:

1. If your system is configured to use sa-update run sa-update now. An update is available that will correct the rule. No further action is necessary (other than restarting spamd or any service that uses SpamAssassin directly).

2. Add “score FH_DATE_PAST_20XX 0” without the quotes to the end of your local.cf file to disable the rule.

If you require help updating your rules to correct this issue you are encouraged to ask for assistance on the Apache SpamAssassin Users’ list.  Users’ mailing list info is here.

On behalf of the Apache SpamAssassin project I apologize for this error and the grief it may have caused you.

Experts say the incident is further proof that the practice of deleting flagged messages should be stopped and instead all messages marked as spam should be sent to a folder for review by the recipient.

Apache fixed the issue when it became aware of it and urged all their customers to update their filters regularly.


One Response to “SpamAssassin Bug Blocks Untold Numbers of Legit Emails”

  1. Daryl C. W. O'Shea Says:

    Hi Sue,

    Just to clarify on the issue, the issue with the one rule did not cause all email to be marked as spam (you didn’t say it did, I just want to make sure there’s no confusion). Judging by the stats in the STATISTICS-set3 file included with the Apache SpamAssassin 3.2.x tarballs, even with the rule issue SpamAssassin would have correctly classified approximately 98% or more of ham emails when using the default spam threshold of 5.0. This is the result of a core principle of SpamAssassin of not too heavily relying on any single method of spam detection.

    Further, many people have reported that no ham emails were incorrectly identified as spam (on their systems) as a result of this rule issue while others have said that extremely few were identified. While we’re disappointed that this issue happened we are pleased to see that the robustness of SpamAssassin has prevented the issue from being a bigger problem than it was.

    While I’m here, I’d like to mention that another alternative to auto-deleting (bad idea!) spam or quarantining it is to not accept it in the first place. If an email is not accepted, a properly working email system will notify the sender so that they will be aware you did not receive the email. This prevents the problem of people not going through a quarantine folder (who wants to do that, that’s why you’ve got a spam filter in the first place) and nobody (the sender nor the recipient) knowing that you didn’t receive the email.

    Regards,

    Daryl
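To make the failure mode in the Apache statement and the threshold point in Daryl's comment concrete, here is an added Python example that is not SpamAssassin's own code: it scores a message's Date header with a hard-coded "year 2010 or later" check (a simplified stand-in for the real rule, assumed here) beside a check relative to the real current year, using the 3.6 rule score and 5.0 default threshold quoted above. It also shows the `score FH_DATE_PAST_20XX 0` workaround as a score override.

```python
import re
from email.utils import parsedate_to_datetime

# Assumed, simplified stand-in for the broken rule: any four-digit year
# 2010-2099 in the Date header counts as "far in the future". The real
# rule file is not reproduced here.
HARDCODED_FUTURE_YEAR = re.compile(r"\b20[1-9][0-9]\b")
FH_DATE_PAST_20XX_SCORE = 3.6   # maximum score quoted in the Apache statement
SPAM_THRESHOLD = 5.0            # default threshold quoted in the comment


def rule_hardcoded(date_header: str, now_year: int) -> bool:
    """Broken behaviour: fires on every year >= 2010 no matter what today is."""
    return bool(HARDCODED_FUTURE_YEAR.search(date_header))


def rule_relative(date_header: str, now_year: int, slack_years: int = 1) -> bool:
    """Hardened check: fire only when the Date year is well past the real current year."""
    try:
        parsed = parsedate_to_datetime(date_header)
    except (TypeError, ValueError):
        return False          # unparseable Date header: do not guess
    if parsed is None:
        return False
    return parsed.year > now_year + slack_years


def classify(date_header: str, now_year: int, rule,
             other_score: float = 0.0,
             rule_score: float = FH_DATE_PAST_20XX_SCORE):
    """Return (hit rule names, total score, is_spam) for one message.

    other_score models points from all the other rules that fired;
    rule_score=0.0 models the 'score FH_DATE_PAST_20XX 0' local.cf line.
    """
    hits = []
    total = other_score
    if rule(date_header, now_year):
        hits.append("FH_DATE_PAST_20XX")
        total += rule_score
    return hits, round(total, 1), total >= SPAM_THRESHOLD


if __name__ == "__main__":
    # Constructed sample header for a normal message sent in early January 2010.
    ham_2010 = "Mon, 04 Jan 2010 10:00:00 +0000"
    print(classify(ham_2010, 2010, rule_hardcoded))            # hit, 3.6, still ham
    print(classify(ham_2010, 2010, rule_hardcoded, other_score=2.0))  # pushed over 5.0
    print(classify(ham_2010, 2010, rule_hardcoded, rule_score=0.0))   # override applied
    print(classify(ham_2010, 2010, rule_relative))             # no hit
```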
