(new Soapbox())->shout(array_map('strtoupper', $opinions)); //Shaun's blog



SpamAssassin 3.4.2 fixes security problems, adds HashBL and phishing plugins

Posted September 16, 2018 by shaun

New SpamAssassin 3.4.2 release

Apache has released version 3.4.2 of SpamAssassin.

Important security fixes

If you're using SpamAssassin, you should upgrade as soon as possible because this release addresses four security issues:

  • CVE-2017-15705, a malformed HTML email part may cause a denial of service through resource exhaustion;

  • CVE-2016-1238, incomplete sanitization of Perl's include path;

  • CVE-2018-11780, potential remote code execution in SpamAssassin's PDFInfo plugin;

  • CVE-2018-11781, code injection in SpamAssassin meta rule definitions.

The source distribution is available directly from the Apache mirrors; RPMs and other distribution-specific packages should update in the coming days.

New features

SpamAssassin 3.4.2 introduces several new features. Two of the new plugins, Mail::SpamAssassin::Plugin::HashBL and Mail::SpamAssassin::Plugin::Phishing, are ones I can't wait to play with!

HashBL support for the EBL blocklist

A HashBL is a special type of DNS blocklist. While most anti-spam DNSBLs are geared towards querying the IP address of the sending MTA, a HashBL can be created for any arbitrary data.

One of the most common HashBLs currently in use is the EBL, or Email Blocklist. It's configured to allow queries for the hash of an email address, and will respond for email addresses that are known to be associated with scams and spam campaigns. To use the EBL, you convert an email address to lowercase, remove any +tag segments, and compute the sha1sum of the result. That hash is then used as the hostname part to query the EBL DNS server.

For example, consider this 419 scam email:

    Subject: Proposal
    To: inbox <kekesne@hivatal.kispest.hu>
    From: "Ms. Ella Golan" <kekesne@hivatal.kispest.hu>
    Date: Thu, 29 Mar 2018 18:31:53 -0700
    Reply-To: ellagln03954@foxmail.com
    Message-Id: <20180330013242.AD5A46803FD7@mikulas.south.park>

While the From address in scam messages is often forged at random, the Reply-To address is likely to remain consistent. The scammer wants to hear back from potential victims, after all. Since replies to this message are directed to ellagln03954@foxmail.com, we'd query the EBL for that address:

  1. Convert the address to lowercase (here, it's already lowercase);

  2. Remove any +tag segments from the address (here, there are none);

  3. Replace googlemail.com with gmail.com (here, not applicable);

  4. Take the sha1sum of the result:

    [user@host ~]$ echo -n 'ellagln03954@foxmail.com' | sha1sum
    959e5a12ccbc20ae4fd18db5919c211f8c77c9b1

  5. Use that hash as the hostname part to query the EBL:

    [user@host ~]$ host 959e5a12ccbc20ae4fd18db5919c211f8c77c9b1.ebl.msbl.org
    959e5a12ccbc20ae4fd18db5919c211f8c77c9b1.ebl.msbl.org has address 127.0.0.2

    [user@host ~]$ dig +short TXT 959e5a12ccbc20ae4fd18db5919c211f8c77c9b1.ebl.msbl.org
    "AFF dropbox in Reply-to"

The EBL returns a positive response, indicating that the 419 dropbox ellagln03954@foxmail.com is blacklisted. Addresses that aren't on the list return NXDOMAIN.
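The five steps above, carried out in code as an added example (not part of the original post, and not the SpamAssassin plugin's own implementation). The `resolve` parameter is an assumption introduced here so that the lookup can be exercised without network access; by default it uses the system resolver.

```python
import hashlib
import socket

# Hash-based blocklist zone queried in the walkthrough above.
EBL_ZONE = "ebl.msbl.org"


def normalize_address(address: str) -> str:
    """Apply the EBL canonicalization steps to an e-mail address.

    1. lowercase the whole address;
    2. drop any '+tag' segment from the local part;
    3. treat googlemail.com as gmail.com.
    """
    address = address.strip().lower()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    local = local.split("+", 1)[0]
    if domain == "googlemail.com":
        domain = "gmail.com"
    return f"{local}@{domain}"


def ebl_query_name(address: str) -> str:
    """SHA-1 hex digest of the normalized address, used as the hostname label."""
    digest = hashlib.sha1(normalize_address(address).encode("utf-8")).hexdigest()
    return f"{digest}.{EBL_ZONE}"


def ebl_lookup(address: str, resolve=socket.gethostbyname):
    """Return the A-record answer for the hashed name, or None on NXDOMAIN.

    `resolve` is a hypothetical injection point for an offline resolver; the
    default performs a real A query through the system resolver.
    """
    name = ebl_query_name(address)
    try:
        return resolve(name)
    except OSError:  # socket.gaierror (NXDOMAIN, SERVFAIL) is a subclass
        return None


def is_listed(address: str, resolve=socket.gethostbyname) -> bool:
    """True when the EBL answers from 127.0.0.0/8, as in the 127.0.0.2 reply above."""
    answer = ebl_lookup(address, resolve)
    return answer is not None and answer.startswith("127.")
```

With the default resolver, `is_listed("ellagln03954@foxmail.com")` performs the same query as the `host` command above.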

I've been wanting to implement this for a while (I've been meaning to blog about it for a while, too; the example message header I kept around is from 6 months ago). But until now, the only way to get EBL support in Postfix was to add yet another milter, and I have enough of those as it is. Now that SpamAssassin includes HashBL support, querying the EBL is as simple as turning on a plugin.

Checking PhishTank and OpenPhish

I signed up for PhishTank back in 2006, and spent some time contributing a few dozen phishing mails and verifying around 1,000 reports from other users. It's a great tool, but not something I had the inclination to keep up with by hand. Based on the usernames now submitting the majority of suspect links, most reporting to this system is now automated, and so is the ability to query it.

SpamAssassin's new Mail::SpamAssassin::Plugin::Phishing supports checking URLs found in email messages against both PhishTank and OpenPhish feeds.

Updating

If you have SpamAssassin installed through your operating system's package manager (yum, apt, etc.), it's likely that updated packages will be available this week. Otherwise, you can get the latest sources directly from the Apache SpamAssassin download page.


SpamAssassin logo by James Thompson, Didier Misson, via Wikimedia Commons
