You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by "Kevin A. McGrail" <km...@apache.org> on 2019/12/12 11:04:26 UTC
ANNOUNCE: Apache SpamAssassin 3.4.3 available
On behalf of the Apache SpamAssassin Project, I am proud to share the release notes for Apache SpamAssassin v3.4.3. -KAM
Release Notes -- Apache SpamAssassin -- Version 3.4.3
Introduction
------------
Apache SpamAssassin 3.4.3 contains numerous tweaks and bug fixes as we
prepare to move to version 4.0.0 with better, native UTF-8 handling.
There are a number of functional patches, improvements as well as security
reasons to upgrade to 3.4.3. In this release, there are bug fixes for two
CVEs.
*** On March 1, 2020, we will stop publishing rulesets with SHA-1 signatures.
If you do not update to 3.4.2 or later, you will be stuck at the last
ruleset with SHA-1 signatures. ***
Many thanks to the committers, contributors, rule testers, mass checkers,
and code testers who have made this release possible.
Happy Birthday
--------------
Apache SpamAssassin turned 18 on September 5th, 2019.
Now in its 18th year, 15 of which as an Apache project, SpamAssassin is the
world's most popular email anti-spam platform. Apache SpamAssassin can be
used on a wide variety of email systems including Postfix, procmail, qmail,
sendmail, and more.
It serves as the spam-filtering and detection solution for numerous ISPs and
hosting providers, and is integrated in commercial software including Plesk,
cPanel, Vesta Control Panel, and many others.
SpamAssassin was originally created by Justin Mason, who had maintained a
number of patches against an earlier program named filter.plx by Mark
Jeftovic, which began in August 1997. Mason rewrote all of Jeftovic's code
from scratch and uploaded the resulting codebase to SourceForge on April 20,
2001. SpamAssassin entered the Apache Incubator in December 2003 and
graduated as an Apache Top-Level Project in June 2004.
Notable features:
=================
New plugins
-----------
There is 1 new plugin added with this release:
# OLEVBMacro - Detects both OLE macros and VB code inside Office documents
#
# It tries to discern between safe and malicious code but due to the threat
# macros present to security, many places block these type of documents
# outright.
#
# For this plugin to work, Archive::Zip and IO::String modules are required.
# loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro
This plugin is disabled by default. To enable, uncomment the loadplugin
configuration options in file v343.pre, or add it to some local .pre file
such as local.pre.
Notable changes
---------------
Safer and faster scanning of large emails using body_part_scan_size and
rawbody_part_scan_size settings.
New tflag "nosubject" for 'body' rules, to stop matching the Subject header
which is part of the body text.
Two CVE security bug fixes are included in this release:
CVE-2019-12420 for Multipart Denial of Service Vulnerability
CVE-2018-11805 for nefarious CF files can be configured to
run system commands without any output or errors.
Security updates include deprecation of the unsafe sa-update '--allowplugins'
option, which now prints a warning that '--reallyallowplugins' is required
to use it.
New configuration options
-------------------------
A new subjprefix keyword used to add a prefix to the subject of the
email if a rule is matched.
A new template tag _SUBJPREFIX_ that maps to the subject prefix that
has been added by the subjprefix keyword.
A new template tag _SUBTESTSCOLLAPSED(,)_ that maps to subtests that
hits with duplicated rules collapsed.
A config option rbl_headers has been added to DNSEval plugin,
this option is used to specify in which headers check_rbl_headers
should check for content used to query the specified rbl.
A new check_rbl_ns_from function has been added to check
the dns server of the from addrs domain name against a specific rbl.
A new check_rbl_rcvd function has been added to check
all received headers domains or ip addresses against a
specific rbl.
New options has been added to check_hashbl_emails function
has been added; it is now possible to specify in which headers
the function should check for content used to query the
specified rbl and an acl to filter the email addresses the rule
should apply.
A new check_hashbl_bodyre function has been added, it is now possible
to search body for matching regexp and query the string captured
against the specified rbl.
A new check_hashbl_uris function has been added, it is now possible
to match uris in email's body and query the uris against the
specified rbl.
Notable Internal changes
------------------------
None noted.
Other updates
-------------
None noted.
Optimizations
-------------
None noted.
Downloading and availability
----------------------------
Downloads are available from:
https://spamassassin.apache.org/downloads.cgi
sha256sum of archive files:
a5b8fde50e468be8b36b90f5c39b19dfea947d6184a06cbf6dd16bf97265008d Mail-SpamAssassin-3.4.3.tar.bz2
bb3adac71b2a5b69d584ee9843460f61c62da0bb7441c4007cc741b404ad27b8 Mail-SpamAssassin-3.4.3.tar.gz
3f4e55e8b4f2420c6d0b30850acd6cfb8808c7e559e0a9168b93950ca5289e86 Mail-SpamAssassin-3.4.3.zip
d4804c19c5ee2065443fa09e3940462daa48481dfa9d4a1d95e2683d75c7c7d9 Mail-SpamAssassin-rules-3.4.3.r1871124.tgz
sha512sum of archive files:
4d50b30a42d318c3a4c868b4940d1f56c329cc501270df12e1a369dd7de670c30f328a5fbc37dbd3b0d06538b9500085e920939c62de80ad6d8740bc47162cb0 Mail-SpamAssassin-3.4.3.tar.bz2
d2fd657d3c20273b0c06cb1da083d757d3f2a7f60c7ed6e6ad8f98e6df33c9c5f3824f0531abf5dbc32b0dde22979d7d671231fa2ef0d8b073ea6804c5de0c3a Mail-SpamAssassin-3.4.3.tar.gz
608d8db07e08475e8eba42584fbff95210539e34fdfdc62cc8112d8aa42e88a7537be5bc1c624d5dd9aadce717c459407e64f1b56592ac743051d2c31e817d14 Mail-SpamAssassin-3.4.3.zip
2089bd97798c64fec8dea127cc12fbd9d9647bfe42c056a7674c7e9f85bb9e29ad73f741317ec74824016192736d57f16f70ff9bfd1eac0a8de747e417e3175f Mail-SpamAssassin-rules-3.4.3.r1871124.tgz
Note that the *-rules-*.tgz files are only necessary if you cannot,
or do not wish to, run "sa-update" after install to download the latest
fresh rules.
See the INSTALL and UPGRADE files in the distribution for important
installation notes.
GPG Verification Procedure
--------------------------
The release files also have a .asc accompanying them. The file serves
as an external GPG signature for the given release file. The signing
key is available via the wwwkeys.pgp.net key server, as well as
https://www.apache.org/dist/spamassassin/KEYS
The following key is used to sign releases after, and including SA 3.3.0:
pub 4096R/F7D39814 2009-12-02
Key fingerprint = D809 9BC7 9E17 D7E4 9BC2 1E31 FDE5 2F40 F7D3 9814
uid SpamAssassin Project Management Committee <pr...@spamassassin.apache.org>
uid SpamAssassin Signing Key (Code Signing Key, replacement for 1024D/265FA05B) <de...@spamassassin.apache.org>
sub 4096R/7B3265A5 2009-12-02
The following key is used to sign rule updates:
pub 4096R/5244EC45 2005-12-20
Key fingerprint = 5E54 1DC9 59CB 8BAC 7C78 DFDC 4056 A61A 5244 EC45
uid updates.spamassassin.org Signing Key <re...@spamassassin.org>
sub 4096R/24F434CE 2005-12-20
To verify a release file, download the file with the accompanying .asc
file and run the following commands:
gpg --verbose --keyserver wwwkeys.pgp.net --recv-key F7D39814
gpg --verify Mail-SpamAssassin-3.4.3.tar.bz2.asc
gpg --fingerprint F7D39814
Then verify that the key matches the signature.
Note that older versions of gnupg may not be able to complete the steps
above. Specifically, GnuPG v1.0.6, 1.0.7 & 1.2.6 failed while v1.4.11
worked flawlessly.
See https://www.apache.org/info/verification.html for more information
on verifying Apache releases.
About Apache SpamAssassin
-------------------------
Apache SpamAssassin is a mature, widely-deployed open source project
that serves as a mail filter to identify spam. SpamAssassin uses a
variety of mechanisms including mail header and text analysis, Bayesian
filtering, DNS blocklists, and collaborative filtering databases. In
addition, Apache SpamAssassin has a modular architecture that allows
other technologies to be quickly incorporated as an addition or as a
replacement for existing methods.
Apache SpamAssassin typically runs on a server, classifies and labels
spam before it reaches your mailbox, while allowing other components of
a mail system to act on its results.
Most of the Apache SpamAssassin is written in Perl, with heavily
traversed code paths carefully optimized. Benefits are portability,
robustness and facilitated maintenance. It can run on a wide variety of
POSIX platforms.
The server and the Perl library feels at home on Unix and Linux platforms
and reportedly also works on MS Windows systems under ActivePerl.
For more information, visit https://spamassassin.apache.org/
About The Apache Software Foundation
------------------------------------
Established in 1999, The Apache Software Foundation provides
organizational, legal, and financial support for more than 100
freely-available, collaboratively-developed Open Source projects. The
pragmatic Apache License enables individual and commercial users to
easily deploy Apache software; the Foundation's intellectual property
framework limits the legal exposure of its 2,500+ contributors.
For more information, visit https://www.apache.org/
##
--
Kevin A. McGrail
KMcGrail@Apache.org
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
[SECURITY] Apache SpamAssassin v3.4.3 released with fix for
CVE-2019-12420
Posted by "Kevin A. McGrail" <km...@apache.org>.
Apache SpamAssassin 3.4.3 was recently released [1], and fixes an issue
of security note where a message can be crafted in a way to use
excessive resources. Upgrading to SA 3.4.3 as soon as possible is the
recommended fix but details will not be shared publicly. Thanks to Joran
Dirk Greef, Ronomon, Cape Town for reporting the issue.
This issue has been assigned CVE id CVE-2019-12420 [2]
To contact the Apache SpamAssassin security team, please e-mail
security at spamassassin.apache.org. For more information about Apache
SpamAssassin, visit the http://spamassassin.apache.org/ web site.
Apache SpamAssassin Security Team
[1]:
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-12420
--
Kevin A. McGrail
KMcGrail@Apache.org
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
[SECURITY] Apache SpamAssassin v3.4.3 released with fix for
CVE-2019-12420
Posted by "Kevin A. McGrail" <km...@apache.org>.
Apache SpamAssassin 3.4.3 was recently released [1], and fixes an issue
of security note where a message can be crafted in a way to use
excessive resources. Upgrading to SA 3.4.3 as soon as possible is the
recommended fix but details will not be shared publicly. Thanks to Joran
Dirk Greef, Ronomon, Cape Town for reporting the issue.
This issue has been assigned CVE id CVE-2019-12420 [2]
To contact the Apache SpamAssassin security team, please e-mail
security at spamassassin.apache.org. For more information about Apache
SpamAssassin, visit the http://spamassassin.apache.org/ web site.
Apache SpamAssassin Security Team
[1]:
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-12420
--
Kevin A. McGrail
KMcGrail@Apache.org
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
[SECURITY] Apache SpamAssassin v3.4.3 released with fix for
CVE-2019-12420
Posted by "Kevin A. McGrail" <km...@apache.org>.
Apache SpamAssassin 3.4.3 was recently released [1], and fixes an issue
of security note where a message can be crafted in a way to use
excessive resources. Upgrading to SA 3.4.3 as soon as possible is the
recommended fix but details will not be shared publicly. Thanks to Joran
Dirk Greef, Ronomon, Cape Town for reporting the issue.
This issue has been assigned CVE id CVE-2019-12420 [2]
To contact the Apache SpamAssassin security team, please e-mail
security at spamassassin.apache.org. For more information about Apache
SpamAssassin, visit the http://spamassassin.apache.org/ web site.
Apache SpamAssassin Security Team
[1]:
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-12420
--
Kevin A. McGrail
KMcGrail@Apache.org
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
[SECURITY] Apache SpamAssassin v3.4.3 released with fix for
CVE-2019-12420
Posted by "Kevin A. McGrail" <km...@apache.org>.
Apache SpamAssassin 3.4.3 was recently released [1], and fixes an issue
of security note where a message can be crafted in a way to use
excessive resources. Upgrading to SA 3.4.3 as soon as possible is the
recommended fix but details will not be shared publicly. Thanks to Joran
Dirk Greef, Ronomon, Cape Town for reporting the issue.
This issue has been assigned CVE id CVE-2019-12420 [2]
To contact the Apache SpamAssassin security team, please e-mail
security at spamassassin.apache.org. For more information about Apache
SpamAssassin, visit the http://spamassassin.apache.org/ web site.
Apache SpamAssassin Security Team
[1]:
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-12420
--
Kevin A. McGrail
KMcGrail@Apache.org
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
---------------------------------------------------------------------
To unsubscribe, e-mail: announce-unsubscribe@spamassassin.apache.org
For additional commands, e-mail: announce-help@spamassassin.apache.org
[SECURITY] Apache SpamAssassin v3.4.3 released with fix for
CVE-2018-11805
Posted by "Kevin A. McGrail" <km...@apache.org>.
Apache SpamAssassin 3.4.3 was recently released [1], and fixes an issue
of security note where nefarious CF files can be configured to run
system commands without any output or errors. With this, exploits can
be injected in a number of scenarios. In addition to upgrading to SA
3.4.3, we recommend that users should only use update channels or 3rd
party .cf files from trusted places.
This issue has been assigned CVE id CVE-2018-11805 [2]
To contact the Apache SpamAssassin security team, please e-mail
security at spamassassin.apache.org. For more information about Apache
SpamAssassin, visit the http://spamassassin.apache.org/ web site.
Apache SpamAssassin Security Team
[1]:
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11805
--
Kevin A. McGrail
KMcGrail@Apache.org
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
---------------------------------------------------------------------
To unsubscribe, e-mail: announce-unsubscribe@spamassassin.apache.org
For additional commands, e-mail: announce-help@spamassassin.apache.org
[SECURITY] Apache SpamAssassin v3.4.3 released with fix for
CVE-2018-11805
Posted by "Kevin A. McGrail" <km...@apache.org>.
Apache SpamAssassin 3.4.3 was recently released [1], and fixes an issue
of security note where nefarious CF files can be configured to run
system commands without any output or errors. With this, exploits can
be injected in a number of scenarios. In addition to upgrading to SA
3.4.3, we recommend that users should only use update channels or 3rd
party .cf files from trusted places.
This issue has been assigned CVE id CVE-2018-11805 [2]
To contact the Apache SpamAssassin security team, please e-mail
security at spamassassin.apache.org. For more information about Apache
SpamAssassin, visit the http://spamassassin.apache.org/ web site.
Apache SpamAssassin Security Team
[1]:
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11805
--
Kevin A. McGrail
KMcGrail@Apache.org
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
[SECURITY] Apache SpamAssassin v3.4.3 released with fix for
CVE-2018-11805
Posted by "Kevin A. McGrail" <km...@apache.org>.
Apache SpamAssassin 3.4.3 was recently released [1], and fixes an issue
of security note where nefarious CF files can be configured to run
system commands without any output or errors. With this, exploits can
be injected in a number of scenarios. In addition to upgrading to SA
3.4.3, we recommend that users should only use update channels or 3rd
party .cf files from trusted places.
This issue has been assigned CVE id CVE-2018-11805 [2]
To contact the Apache SpamAssassin security team, please e-mail
security at spamassassin.apache.org. For more information about Apache
SpamAssassin, visit the http://spamassassin.apache.org/ web site.
Apache SpamAssassin Security Team
[1]:
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11805
--
Kevin A. McGrail
KMcGrail@Apache.org
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
[SECURITY] Apache SpamAssassin v3.4.3 released with fix for
CVE-2018-11805
Posted by "Kevin A. McGrail" <km...@apache.org>.
Apache SpamAssassin 3.4.3 was recently released [1], and fixes an issue
of security note where nefarious CF files can be configured to run
system commands without any output or errors. With this, exploits can
be injected in a number of scenarios. In addition to upgrading to SA
3.4.3, we recommend that users should only use update channels or 3rd
party .cf files from trusted places.
This issue has been assigned CVE id CVE-2018-11805 [2]
To contact the Apache SpamAssassin security team, please e-mail
security at spamassassin.apache.org. For more information about Apache
SpamAssassin, visit the http://spamassassin.apache.org/ web site.
Apache SpamAssassin Security Team
[1]:
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11805
--
Kevin A. McGrail
KMcGrail@Apache.org
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: ANNOUNCE: Apache SpamAssassin 3.4.3 available
Posted by Benny Pedersen <me...@junc.eu>.
Kevin A. McGrail skrev den 2019-12-12 18:54:
> It is only old school people like us that even know how to send text
> only, heh.
https://www.boredpanda.com/this-privacy-tech-company-decided-to-make-posters-for-its-holiday-party-and-the-results-are-hilarious/
dont worry, be happy
Re: ANNOUNCE: Apache SpamAssassin 3.4.3 available
Posted by "Kevin A. McGrail" <km...@apache.org>.
Interesting though who told you that html was more spammy because the data
doesn't back that up. Multipart html with text alternative will usually
score lower because like 99% of the mail flow looks like that.
It is only old school people like us that even know how to send text only,
heh.
On Thu, Dec 12, 2019, 11:36 sebb <se...@gmail.com> wrote:
> Please don't ever use HTML for announce mails.
>
> They are more likely to be treated as spam -- as this one was -- and so
> may be overlooked by the moderators.
>
> Thanks.
> S.
>
> On Thu, 12 Dec 2019 at 16:26, Kevin A. McGrail <km...@apache.org>
> wrote:
>
>> On behalf of the Apache SpamAssassin Project, I am proud to share the release notes for Apache SpamAssassin v3.4.3. -KAM
>>
>> Release Notes -- Apache SpamAssassin -- Version 3.4.3
>>
>> Introduction
>> ------------
>>
>> Apache SpamAssassin 3.4.3 contains numerous tweaks and bug fixes as we
>> prepare to move to version 4.0.0 with better, native UTF-8 handling.
>>
>> There are a number of functional patches, improvements as well as security
>> reasons to upgrade to 3.4.3. In this release, there are bug fixes for two
>> CVEs.
>>
>> *** On March 1, 2020, we will stop publishing rulesets with SHA-1 signatures.
>> If you do not update to 3.4.2 or later, you will be stuck at the last
>> ruleset with SHA-1 signatures. ***
>>
>> Many thanks to the committers, contributors, rule testers, mass checkers,
>> and code testers who have made this release possible.
>>
>> Happy Birthday
>> --------------
>> Apache SpamAssassin turned 18 on September 5th, 2019.
>>
>> Now in its 18th year, 15 of which as an Apache project, SpamAssassin is the
>> world's most popular email anti-spam platform. Apache SpamAssassin can be
>> used on a wide variety of email systems including Postfix, procmail, qmail,
>> sendmail, and more.
>>
>> It serves as the spam-filtering and detection solution for numerous ISPs and
>> hosting providers, and is integrated in commercial software including Plesk,
>> cPanel, Vesta Control Panel, and many others.
>>
>> SpamAssassin was originally created by Justin Mason, who had maintained a
>> number of patches against an earlier program named filter.plx by Mark
>> Jeftovic, which began in August 1997. Mason rewrote all of Jeftovic's code
>> from scratch and uploaded the resulting codebase to SourceForge on April 20,
>> 2001. SpamAssassin entered the Apache Incubator in December 2003 and
>> graduated as an Apache Top-Level Project in June 2004.
>>
>> Notable features:
>> =================
>>
>> New plugins
>> -----------
>> There is 1 new plugin added with this release:
>>
>> # OLEVBMacro - Detects both OLE macros and VB code inside Office documents
>> #
>> # It tries to discern between safe and malicious code but due to the threat
>> # macros present to security, many places block these type of documents
>> # outright.
>> #
>> # For this plugin to work, Archive::Zip and IO::String modules are required.
>> # loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro
>>
>>
>> This plugin is disabled by default. To enable, uncomment the loadplugin
>> configuration options in file v343.pre, or add it to some local .pre file
>> such as local.pre.
>>
>> Notable changes
>> ---------------
>>
>> Safer and faster scanning of large emails using body_part_scan_size and
>> rawbody_part_scan_size settings.
>>
>> New tflag "nosubject" for 'body' rules, to stop matching the Subject header
>> which is part of the body text.
>>
>> Two CVE security bug fixes are included in this release:
>>
>> CVE-2019-12420 for Multipart Denial of Service Vulnerability
>>
>> CVE-2018-11805 for nefarious CF files can be configured to
>> run system commands without any output or errors.
>>
>> Security updates include deprecation of the unsafe sa-update '--allowplugins'
>> option, which now prints a warning that '--reallyallowplugins' is required
>> to use it.
>>
>> New configuration options
>> -------------------------
>>
>> A new subjprefix keyword used to add a prefix to the subject of the
>> email if a rule is matched.
>>
>> A new template tag _SUBJPREFIX_ that maps to the subject prefix that
>> has been added by the subjprefix keyword.
>>
>> A new template tag _SUBTESTSCOLLAPSED(,)_ that maps to subtests that
>> hits with duplicated rules collapsed.
>>
>> A config option rbl_headers has been added to DNSEval plugin,
>> this option is used to specify in which headers check_rbl_headers
>> should check for content used to query the specified rbl.
>>
>> A new check_rbl_ns_from function has been added to check
>> the dns server of the from addrs domain name against a specific rbl.
>>
>> A new check_rbl_rcvd function has been added to check
>> all received headers domains or ip addresses against a
>> specific rbl.
>>
>> New options has been added to check_hashbl_emails function
>> has been added; it is now possible to specify in which headers
>> the function should check for content used to query the
>> specified rbl and an acl to filter the email addresses the rule
>> should apply.
>>
>> A new check_hashbl_bodyre function has been added, it is now possible
>> to search body for matching regexp and query the string captured
>> against the specified rbl.
>>
>> A new check_hashbl_uris function has been added, it is now possible
>> to match uris in email's body and query the uris against the
>> specified rbl.
>>
>> Notable Internal changes
>> ------------------------
>>
>> None noted.
>>
>> Other updates
>> -------------
>>
>> None noted.
>>
>> Optimizations
>> -------------
>>
>> None noted.
>>
>>
>> Downloading and availability
>> ----------------------------
>>
>> Downloads are available from:
>> https://spamassassin.apache.org/downloads.cgi
>>
>> sha256sum of archive files:
>>
>> a5b8fde50e468be8b36b90f5c39b19dfea947d6184a06cbf6dd16bf97265008d Mail-SpamAssassin-3.4.3.tar.bz2
>> bb3adac71b2a5b69d584ee9843460f61c62da0bb7441c4007cc741b404ad27b8 Mail-SpamAssassin-3.4.3.tar.gz
>> 3f4e55e8b4f2420c6d0b30850acd6cfb8808c7e559e0a9168b93950ca5289e86 Mail-SpamAssassin-3.4.3.zip
>> d4804c19c5ee2065443fa09e3940462daa48481dfa9d4a1d95e2683d75c7c7d9 Mail-SpamAssassin-rules-3.4.3.r1871124.tgz
>>
>> sha512sum of archive files:
>>
>> 4d50b30a42d318c3a4c868b4940d1f56c329cc501270df12e1a369dd7de670c30f328a5fbc37dbd3b0d06538b9500085e920939c62de80ad6d8740bc47162cb0 Mail-SpamAssassin-3.4.3.tar.bz2
>> d2fd657d3c20273b0c06cb1da083d757d3f2a7f60c7ed6e6ad8f98e6df33c9c5f3824f0531abf5dbc32b0dde22979d7d671231fa2ef0d8b073ea6804c5de0c3a Mail-SpamAssassin-3.4.3.tar.gz
>> 608d8db07e08475e8eba42584fbff95210539e34fdfdc62cc8112d8aa42e88a7537be5bc1c624d5dd9aadce717c459407e64f1b56592ac743051d2c31e817d14 Mail-SpamAssassin-3.4.3.zip
>> 2089bd97798c64fec8dea127cc12fbd9d9647bfe42c056a7674c7e9f85bb9e29ad73f741317ec74824016192736d57f16f70ff9bfd1eac0a8de747e417e3175f Mail-SpamAssassin-rules-3.4.3.r1871124.tgz
>>
>> Note that the *-rules-*.tgz files are only necessary if you cannot,
>> or do not wish to, run "sa-update" after install to download the latest
>> fresh rules.
>>
>> See the INSTALL and UPGRADE files in the distribution for important
>> installation notes.
>>
>>
>> GPG Verification Procedure
>> --------------------------
>> The release files also have a .asc accompanying them. The file serves
>> as an external GPG signature for the given release file. The signing
>> key is available via the wwwkeys.pgp.net key server, as well ashttps://www.apache.org/dist/spamassassin/KEYS
>>
>>
>>
>> The following key is used to sign releases after, and including SA 3.3.0:
>>
>> pub 4096R/F7D39814 2009-12-02
>> Key fingerprint = D809 9BC7 9E17 D7E4 9BC2 1E31 FDE5 2F40 F7D3 9814
>> uid SpamAssassin Project Management Committee <pr...@spamassassin.apache.org> <pr...@spamassassin.apache.org>
>> uid SpamAssassin Signing Key (Code Signing Key, replacement for 1024D/265FA05B) <de...@spamassassin.apache.org> <de...@spamassassin.apache.org>
>> sub 4096R/7B3265A5 2009-12-02
>>
>> The following key is used to sign rule updates:
>>
>> pub 4096R/5244EC45 2005-12-20
>> Key fingerprint = 5E54 1DC9 59CB 8BAC 7C78 DFDC 4056 A61A 5244 EC45
>> uid updates.spamassassin.org Signing Key <re...@spamassassin.org> <re...@spamassassin.org>
>> sub 4096R/24F434CE 2005-12-20
>>
>> To verify a release file, download the file with the accompanying .asc
>> file and run the following commands:
>>
>> gpg --verbose --keyserver wwwkeys.pgp.net --recv-key F7D39814
>> gpg --verify Mail-SpamAssassin-3.4.3.tar.bz2.asc
>> gpg --fingerprint F7D39814
>>
>> Then verify that the key matches the signature.
>>
>> Note that older versions of gnupg may not be able to complete the steps
>> above. Specifically, GnuPG v1.0.6, 1.0.7 & 1.2.6 failed while v1.4.11
>> worked flawlessly.
>>
>> See https://www.apache.org/info/verification.html for more information
>> on verifying Apache releases.
>>
>>
>> About Apache SpamAssassin
>> -------------------------
>>
>> Apache SpamAssassin is a mature, widely-deployed open source project
>> that serves as a mail filter to identify spam. SpamAssassin uses a
>> variety of mechanisms including mail header and text analysis, Bayesian
>> filtering, DNS blocklists, and collaborative filtering databases. In
>> addition, Apache SpamAssassin has a modular architecture that allows
>> other technologies to be quickly incorporated as an addition or as a
>> replacement for existing methods.
>>
>> Apache SpamAssassin typically runs on a server, classifies and labels
>> spam before it reaches your mailbox, while allowing other components of
>> a mail system to act on its results.
>>
>> Most of the Apache SpamAssassin is written in Perl, with heavily
>> traversed code paths carefully optimized. Benefits are portability,
>> robustness and facilitated maintenance. It can run on a wide variety of
>> POSIX platforms.
>>
>> The server and the Perl library feels at home on Unix and Linux platforms
>> and reportedly also works on MS Windows systems under ActivePerl.
>>
>> For more information, visit https://spamassassin.apache.org/
>>
>>
>> About The Apache Software Foundation
>> ------------------------------------
>>
>> Established in 1999, The Apache Software Foundation provides
>> organizational, legal, and financial support for more than 100
>> freely-available, collaboratively-developed Open Source projects. The
>> pragmatic Apache License enables individual and commercial users to
>> easily deploy Apache software; the Foundation's intellectual property
>> framework limits the legal exposure of its 2,500+ contributors.
>>
>> For more information, visit https://www.apache.org/
>>
>> ##
>>
>> --
>> Kevin A. McGrailKMcGrail@Apache.org
>>
>> Member, Apache Software Foundation
>> Chair Emeritus Apache SpamAssassin Projecthttps://www.linkedin.com/in/kmcgrail - 703.798.0171
>>
>>
Re: ANNOUNCE: Apache SpamAssassin 3.4.3 available
Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 12 Dec 2019, at 11:36, sebb wrote:
> Please don't ever use HTML for announce mails.
One might as well say "Please don't ever top-post."
Kevin's announcement message was multipart/alternative with a text/plain
part first. As superfluous as the text/html part was, this style of mail
is the default format generated by the MUAs used by the vast majority of
users.
> They are more likely to be treated as spam -- as this one was
If you are using SpamAssassin and don't locally rescore HTML_MESSAGE or
make it a sub-rule of a meta-rule with a significant score, that is
simply not true. Using the default SA ruleset & scores, that message
scored -6.0, i.e. definitely not spam.
If you are using some other spam detection tool which considers the mere
existence of a text/html part in a multipart/alternative message to be a
significant indicator of spam, that bug should be discussed with that
broken tool's developer(s).
If you simply have made a personal decision to treat such mail as spam,
as it is absolutely your right to decide, you should be reconciled by
now to the fact that a lot of legitimate mail sent by people who will
never switch to sending pure text/plain mail is misidentified by your
chosen configuration.
> -- and so may
> be overlooked by the moderators.
This mailing list is not moderated.
--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: ANNOUNCE: Apache SpamAssassin 3.4.3 available
Posted by Jari Fredriksson <ja...@iki.fi>.
On 12.12.2019 18.36, sebb wrote:
> Please don't ever use HTML for announce mails.
>
> They are more likely to be treated as spam -- as this one was -- and
> so may be overlooked by the moderators.
>
> Thanks.
> S.
I have whitelisted this list so that it never even gets treated anyhow
by SpamAssassin. There may occasionally be someone posting a "spample"
and that could cause havoc...
> X-Whitelisted: spamassasin lists possibly talking spammy tokens
br. jarif
>
> On Thu, 12 Dec 2019 at 16:26, Kevin A. McGrail <kmcgrail@apache.org
> <ma...@apache.org>> wrote:
>
> On behalf of the Apache SpamAssassin Project, I am proud to share the release notes for Apache SpamAssassin v3.4.3. -KAM
>
> Release Notes -- Apache SpamAssassin -- Version 3.4.3
>
> Introduction
> ------------
>
> Apache SpamAssassin 3.4.3 contains numerous tweaks and bug fixes as we
> prepare to move to version 4.0.0 with better, native UTF-8 handling.
>
> There are a number of functional patches, improvements as well as security
> reasons to upgrade to 3.4.3. In this release, there are bug fixes for two
> CVEs.
>
> *** On March 1, 2020, we will stop publishing rulesets with SHA-1 signatures.
> If you do not update to 3.4.2 or later, you will be stuck at the last
> ruleset with SHA-1 signatures. ***
>
> Many thanks to the committers, contributors, rule testers, mass checkers,
> and code testers who have made this release possible.
>
> Happy Birthday
> --------------
> Apache SpamAssassin turned 18 on September 5th, 2019.
>
> Now in its 18th year, 15 of which as an Apache project, SpamAssassin is the
> world's most popular email anti-spam platform. Apache SpamAssassin can be
> used on a wide variety of email systems including Postfix, procmail, qmail,
> sendmail, and more.
>
> It serves as the spam-filtering and detection solution for numerous ISPs and
> hosting providers, and is integrated in commercial software including Plesk,
> cPanel, Vesta Control Panel, and many others.
>
> SpamAssassin was originally created by Justin Mason, who had maintained a
> number of patches against an earlier program named filter.plx by Mark
> Jeftovic, which began in August 1997. Mason rewrote all of Jeftovic's code
> from scratch and uploaded the resulting codebase to SourceForge on April 20,
> 2001. SpamAssassin entered the Apache Incubator in December 2003 and
> graduated as an Apache Top-Level Project in June 2004.
>
> Notable features:
> =================
>
> New plugins
> -----------
> There is 1 new plugin added with this release:
>
> # OLEVBMacro - Detects both OLE macros and VB code inside Office documents
> #
> # It tries to discern between safe and malicious code but due to the threat
> # macros present to security, many places block these type of documents
> # outright.
> #
> # For this plugin to work, Archive::Zip and IO::String modules are required.
> # loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro
>
>
> This plugin is disabled by default. To enable, uncomment the loadplugin
> configuration options in file v343.pre, or add it to some local .pre file
> such as local.pre.
>
> Notable changes
> ---------------
>
> Safer and faster scanning of large emails using body_part_scan_size and
> rawbody_part_scan_size settings.
>
> New tflag "nosubject" for 'body' rules, to stop matching the Subject header
> which is part of the body text.
>
> Two CVE security bug fixes are included in this release:
>
> CVE-2019-12420 for Multipart Denial of Service Vulnerability
>
> CVE-2018-11805 for nefarious CF files can be configured to
> run system commands without any output or errors.
>
> Security updates include deprecation of the unsafe sa-update '--allowplugins'
> option, which now prints a warning that '--reallyallowplugins' is required
> to use it.
>
> New configuration options
> -------------------------
>
> A new subjprefix keyword used to add a prefix to the subject of the
> email if a rule is matched.
>
> A new template tag _SUBJPREFIX_ that maps to the subject prefix that
> has been added by the subjprefix keyword.
>
> A new template tag _SUBTESTSCOLLAPSED(,)_ that maps to subtests that
> hits with duplicated rules collapsed.
>
> A config option rbl_headers has been added to DNSEval plugin,
> this option is used to specify in which headers check_rbl_headers
> should check for content used to query the specified rbl.
>
> A new check_rbl_ns_from function has been added to check
> the dns server of the from addrs domain name against a specific rbl.
>
> A new check_rbl_rcvd function has been added to check
> all received headers domains or ip addresses against a
> specific rbl.
>
> New options has been added to check_hashbl_emails function
> has been added; it is now possible to specify in which headers
> the function should check for content used to query the
> specified rbl and an acl to filter the email addresses the rule
> should apply.
>
> A new check_hashbl_bodyre function has been added, it is now possible
> to search body for matching regexp and query the string captured
> against the specified rbl.
>
> A new check_hashbl_uris function has been added, it is now possible
> to match uris in email's body and query the uris against the
> specified rbl.
>
> Notable Internal changes
> ------------------------
>
> None noted.
>
> Other updates
> -------------
>
> None noted.
>
> Optimizations
> -------------
>
> None noted.
>
>
> Downloading and availability
> ----------------------------
>
> Downloads are available from:
>
> https://spamassassin.apache.org/downloads.cgi
>
> sha256sum of archive files:
>
> a5b8fde50e468be8b36b90f5c39b19dfea947d6184a06cbf6dd16bf97265008d Mail-SpamAssassin-3.4.3.tar.bz2
> bb3adac71b2a5b69d584ee9843460f61c62da0bb7441c4007cc741b404ad27b8 Mail-SpamAssassin-3.4.3.tar.gz
> 3f4e55e8b4f2420c6d0b30850acd6cfb8808c7e559e0a9168b93950ca5289e86 Mail-SpamAssassin-3.4.3.zip
> d4804c19c5ee2065443fa09e3940462daa48481dfa9d4a1d95e2683d75c7c7d9 Mail-SpamAssassin-rules-3.4.3.r1871124.tgz
>
> sha512sum of archive files:
>
> 4d50b30a42d318c3a4c868b4940d1f56c329cc501270df12e1a369dd7de670c30f328a5fbc37dbd3b0d06538b9500085e920939c62de80ad6d8740bc47162cb0 Mail-SpamAssassin-3.4.3.tar.bz2
> d2fd657d3c20273b0c06cb1da083d757d3f2a7f60c7ed6e6ad8f98e6df33c9c5f3824f0531abf5dbc32b0dde22979d7d671231fa2ef0d8b073ea6804c5de0c3a Mail-SpamAssassin-3.4.3.tar.gz
> 608d8db07e08475e8eba42584fbff95210539e34fdfdc62cc8112d8aa42e88a7537be5bc1c624d5dd9aadce717c459407e64f1b56592ac743051d2c31e817d14 Mail-SpamAssassin-3.4.3.zip
> 2089bd97798c64fec8dea127cc12fbd9d9647bfe42c056a7674c7e9f85bb9e29ad73f741317ec74824016192736d57f16f70ff9bfd1eac0a8de747e417e3175f Mail-SpamAssassin-rules-3.4.3.r1871124.tgz
>
> Note that the *-rules-*.tgz files are only necessary if you cannot,
> or do not wish to, run "sa-update" after install to download the latest
> fresh rules.
>
> See the INSTALL and UPGRADE files in the distribution for important
> installation notes.
>
>
> GPG Verification Procedure
> --------------------------
> The release files also have a .asc accompanying them. The file serves
> as an external GPG signature for the given release file. The signing
> key is available via thewwwkeys.pgp.net <http://wwwkeys.pgp.net> key server, as well as
> https://www.apache.org/dist/spamassassin/KEYS
>
>
>
> The following key is used to sign releases after, and including SA 3.3.0:
>
> pub 4096R/F7D39814 2009-12-02
> Key fingerprint = D809 9BC7 9E17 D7E4 9BC2 1E31 FDE5 2F40 F7D3 9814
> uid SpamAssassin Project Management Committee<pr...@spamassassin.apache.org> <ma...@spamassassin.apache.org>
> uid SpamAssassin Signing Key (Code Signing Key, replacement for 1024D/265FA05B)<de...@spamassassin.apache.org> <ma...@spamassassin.apache.org>
> sub 4096R/7B3265A5 2009-12-02
>
> The following key is used to sign rule updates:
>
> pub 4096R/5244EC45 2005-12-20
> Key fingerprint = 5E54 1DC9 59CB 8BAC 7C78 DFDC 4056 A61A 5244 EC45
> uidupdates.spamassassin.org <http://updates.spamassassin.org> Signing Key<re...@spamassassin.org> <ma...@spamassassin.org>
> sub 4096R/24F434CE 2005-12-20
>
> To verify a release file, download the file with the accompanying .asc
> file and run the following commands:
>
> gpg --verbose --keyserverwwwkeys.pgp.net <http://wwwkeys.pgp.net> --recv-key F7D39814
> gpg --verify Mail-SpamAssassin-3.4.3.tar.bz2.asc
> gpg --fingerprint F7D39814
>
> Then verify that the key matches the signature.
>
> Note that older versions of gnupg may not be able to complete the steps
> above. Specifically, GnuPG v1.0.6, 1.0.7 & 1.2.6 failed while v1.4.11
> worked flawlessly.
>
> Seehttps://www.apache.org/info/verification.html for more information
> on verifying Apache releases.
>
>
> About Apache SpamAssassin
> -------------------------
>
> Apache SpamAssassin is a mature, widely-deployed open source project
> that serves as a mail filter to identify spam. SpamAssassin uses a
> variety of mechanisms including mail header and text analysis, Bayesian
> filtering, DNS blocklists, and collaborative filtering databases. In
> addition, Apache SpamAssassin has a modular architecture that allows
> other technologies to be quickly incorporated as an addition or as a
> replacement for existing methods.
>
> Apache SpamAssassin typically runs on a server, classifies and labels
> spam before it reaches your mailbox, while allowing other components of
> a mail system to act on its results.
>
> Most of the Apache SpamAssassin is written in Perl, with heavily
> traversed code paths carefully optimized. Benefits are portability,
> robustness and facilitated maintenance. It can run on a wide variety of
> POSIX platforms.
>
> The server and the Perl library feels at home on Unix and Linux platforms
> and reportedly also works on MS Windows systems under ActivePerl.
>
> For more information, visithttps://spamassassin.apache.org/
>
>
> About The Apache Software Foundation
> ------------------------------------
>
> Established in 1999, The Apache Software Foundation provides
> organizational, legal, and financial support for more than 100
> freely-available, collaboratively-developed Open Source projects. The
> pragmatic Apache License enables individual and commercial users to
> easily deploy Apache software; the Foundation's intellectual property
> framework limits the legal exposure of its 2,500+ contributors.
>
> For more information, visithttps://www.apache.org/
>
> ##
>
> --
> Kevin A. McGrail
> KMcGrail@Apache.org <ma...@Apache.org>
>
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
>
Re: ANNOUNCE: Apache SpamAssassin 3.4.3 available
Posted by sebb <se...@gmail.com>.
Please don't ever use HTML for announce mails.
They are more likely to be treated as spam -- as this one was -- and so may
be overlooked by the moderators.
Thanks.
S.
On Thu, 12 Dec 2019 at 16:26, Kevin A. McGrail <km...@apache.org> wrote:
> On behalf of the Apache SpamAssassin Project, I am proud to share the release notes for Apache SpamAssassin v3.4.3. -KAM
>
> Release Notes -- Apache SpamAssassin -- Version 3.4.3
>
> Introduction
> ------------
>
> Apache SpamAssassin 3.4.3 contains numerous tweaks and bug fixes as we
> prepare to move to version 4.0.0 with better, native UTF-8 handling.
>
> There are a number of functional patches, improvements as well as security
> reasons to upgrade to 3.4.3. In this release, there are bug fixes for two
> CVEs.
>
> *** On March 1, 2020, we will stop publishing rulesets with SHA-1 signatures.
> If you do not update to 3.4.2 or later, you will be stuck at the last
> ruleset with SHA-1 signatures. ***
>
> Many thanks to the committers, contributors, rule testers, mass checkers,
> and code testers who have made this release possible.
>
> Happy Birthday
> --------------
> Apache SpamAssassin turned 18 on September 5th, 2019.
>
> Now in its 18th year, 15 of which as an Apache project, SpamAssassin is the
> world's most popular email anti-spam platform. Apache SpamAssassin can be
> used on a wide variety of email systems including Postfix, procmail, qmail,
> sendmail, and more.
>
> It serves as the spam-filtering and detection solution for numerous ISPs and
> hosting providers, and is integrated in commercial software including Plesk,
> cPanel, Vesta Control Panel, and many others.
>
> SpamAssassin was originally created by Justin Mason, who had maintained a
> number of patches against an earlier program named filter.plx by Mark
> Jeftovic, which began in August 1997. Mason rewrote all of Jeftovic's code
> from scratch and uploaded the resulting codebase to SourceForge on April 20,
> 2001. SpamAssassin entered the Apache Incubator in December 2003 and
> graduated as an Apache Top-Level Project in June 2004.
>
> Notable features:
> =================
>
> New plugins
> -----------
> There is 1 new plugin added with this release:
>
> # OLEVBMacro - Detects both OLE macros and VB code inside Office documents
> #
> # It tries to discern between safe and malicious code but due to the threat
> # macros present to security, many places block these type of documents
> # outright.
> #
> # For this plugin to work, Archive::Zip and IO::String modules are required.
> # loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro
>
>
> This plugin is disabled by default. To enable, uncomment the loadplugin
> configuration options in file v343.pre, or add it to some local .pre file
> such as local.pre.
>
> Notable changes
> ---------------
>
> Safer and faster scanning of large emails using body_part_scan_size and
> rawbody_part_scan_size settings.
>
> New tflag "nosubject" for 'body' rules, to stop matching the Subject header
> which is part of the body text.
>
> Two CVE security bug fixes are included in this release:
>
> CVE-2019-12420 for Multipart Denial of Service Vulnerability
>
> CVE-2018-11805 for nefarious CF files can be configured to
> run system commands without any output or errors.
>
> Security updates include deprecation of the unsafe sa-update '--allowplugins'
> option, which now prints a warning that '--reallyallowplugins' is required
> to use it.
>
> New configuration options
> -------------------------
>
> A new subjprefix keyword used to add a prefix to the subject of the
> email if a rule is matched.
>
> A new template tag _SUBJPREFIX_ that maps to the subject prefix that
> has been added by the subjprefix keyword.
>
> A new template tag _SUBTESTSCOLLAPSED(,)_ that maps to subtests that
> hits with duplicated rules collapsed.
>
> A config option rbl_headers has been added to DNSEval plugin,
> this option is used to specify in which headers check_rbl_headers
> should check for content used to query the specified rbl.
>
> A new check_rbl_ns_from function has been added to check
> the dns server of the from addrs domain name against a specific rbl.
>
> A new check_rbl_rcvd function has been added to check
> all received headers domains or ip addresses against a
> specific rbl.
>
> New options has been added to check_hashbl_emails function
> has been added; it is now possible to specify in which headers
> the function should check for content used to query the
> specified rbl and an acl to filter the email addresses the rule
> should apply.
>
> A new check_hashbl_bodyre function has been added, it is now possible
> to search body for matching regexp and query the string captured
> against the specified rbl.
>
> A new check_hashbl_uris function has been added, it is now possible
> to match uris in email's body and query the uris against the
> specified rbl.
>
> Notable Internal changes
> ------------------------
>
> None noted.
>
> Other updates
> -------------
>
> None noted.
>
> Optimizations
> -------------
>
> None noted.
>
>
> Downloading and availability
> ----------------------------
>
> Downloads are available from:
> https://spamassassin.apache.org/downloads.cgi
>
> sha256sum of archive files:
>
> a5b8fde50e468be8b36b90f5c39b19dfea947d6184a06cbf6dd16bf97265008d Mail-SpamAssassin-3.4.3.tar.bz2
> bb3adac71b2a5b69d584ee9843460f61c62da0bb7441c4007cc741b404ad27b8 Mail-SpamAssassin-3.4.3.tar.gz
> 3f4e55e8b4f2420c6d0b30850acd6cfb8808c7e559e0a9168b93950ca5289e86 Mail-SpamAssassin-3.4.3.zip
> d4804c19c5ee2065443fa09e3940462daa48481dfa9d4a1d95e2683d75c7c7d9 Mail-SpamAssassin-rules-3.4.3.r1871124.tgz
>
> sha512sum of archive files:
>
> 4d50b30a42d318c3a4c868b4940d1f56c329cc501270df12e1a369dd7de670c30f328a5fbc37dbd3b0d06538b9500085e920939c62de80ad6d8740bc47162cb0 Mail-SpamAssassin-3.4.3.tar.bz2
> d2fd657d3c20273b0c06cb1da083d757d3f2a7f60c7ed6e6ad8f98e6df33c9c5f3824f0531abf5dbc32b0dde22979d7d671231fa2ef0d8b073ea6804c5de0c3a Mail-SpamAssassin-3.4.3.tar.gz
> 608d8db07e08475e8eba42584fbff95210539e34fdfdc62cc8112d8aa42e88a7537be5bc1c624d5dd9aadce717c459407e64f1b56592ac743051d2c31e817d14 Mail-SpamAssassin-3.4.3.zip
> 2089bd97798c64fec8dea127cc12fbd9d9647bfe42c056a7674c7e9f85bb9e29ad73f741317ec74824016192736d57f16f70ff9bfd1eac0a8de747e417e3175f Mail-SpamAssassin-rules-3.4.3.r1871124.tgz
>
> Note that the *-rules-*.tgz files are only necessary if you cannot,
> or do not wish to, run "sa-update" after install to download the latest
> fresh rules.
>
> See the INSTALL and UPGRADE files in the distribution for important
> installation notes.
>
>
> GPG Verification Procedure
> --------------------------
> The release files also have a .asc accompanying them. The file serves
> as an external GPG signature for the given release file. The signing
> key is available via the wwwkeys.pgp.net key server, as well ashttps://www.apache.org/dist/spamassassin/KEYS
>
>
>
> The following key is used to sign releases after, and including SA 3.3.0:
>
> pub 4096R/F7D39814 2009-12-02
> Key fingerprint = D809 9BC7 9E17 D7E4 9BC2 1E31 FDE5 2F40 F7D3 9814
> uid SpamAssassin Project Management Committee <pr...@spamassassin.apache.org> <pr...@spamassassin.apache.org>
> uid SpamAssassin Signing Key (Code Signing Key, replacement for 1024D/265FA05B) <de...@spamassassin.apache.org> <de...@spamassassin.apache.org>
> sub 4096R/7B3265A5 2009-12-02
>
> The following key is used to sign rule updates:
>
> pub 4096R/5244EC45 2005-12-20
> Key fingerprint = 5E54 1DC9 59CB 8BAC 7C78 DFDC 4056 A61A 5244 EC45
> uid updates.spamassassin.org Signing Key <re...@spamassassin.org> <re...@spamassassin.org>
> sub 4096R/24F434CE 2005-12-20
>
> To verify a release file, download the file with the accompanying .asc
> file and run the following commands:
>
> gpg --verbose --keyserver wwwkeys.pgp.net --recv-key F7D39814
> gpg --verify Mail-SpamAssassin-3.4.3.tar.bz2.asc
> gpg --fingerprint F7D39814
>
> Then verify that the key matches the signature.
>
> Note that older versions of gnupg may not be able to complete the steps
> above. Specifically, GnuPG v1.0.6, 1.0.7 & 1.2.6 failed while v1.4.11
> worked flawlessly.
>
> See https://www.apache.org/info/verification.html for more information
> on verifying Apache releases.
>
>
> About Apache SpamAssassin
> -------------------------
>
> Apache SpamAssassin is a mature, widely-deployed open source project
> that serves as a mail filter to identify spam. SpamAssassin uses a
> variety of mechanisms including mail header and text analysis, Bayesian
> filtering, DNS blocklists, and collaborative filtering databases. In
> addition, Apache SpamAssassin has a modular architecture that allows
> other technologies to be quickly incorporated as an addition or as a
> replacement for existing methods.
>
> Apache SpamAssassin typically runs on a server, classifies and labels
> spam before it reaches your mailbox, while allowing other components of
> a mail system to act on its results.
>
> Most of the Apache SpamAssassin is written in Perl, with heavily
> traversed code paths carefully optimized. Benefits are portability,
> robustness and facilitated maintenance. It can run on a wide variety of
> POSIX platforms.
>
> The server and the Perl library feels at home on Unix and Linux platforms
> and reportedly also works on MS Windows systems under ActivePerl.
>
> For more information, visit https://spamassassin.apache.org/
>
>
> About The Apache Software Foundation
> ------------------------------------
>
> Established in 1999, The Apache Software Foundation provides
> organizational, legal, and financial support for more than 100
> freely-available, collaboratively-developed Open Source projects. The
> pragmatic Apache License enables individual and commercial users to
> easily deploy Apache software; the Foundation's intellectual property
> framework limits the legal exposure of its 2,500+ contributors.
>
> For more information, visit https://www.apache.org/
>
> ##
>
> --
> Kevin A. McGrailKMcGrail@Apache.org
>
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Projecthttps://www.linkedin.com/in/kmcgrail - 703.798.0171
>
>