spamassassin-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kevin A. McGrail" <>
Subject [ANNOUNCE] Apache SpamAssassin 3.4.2 available
Date Sun, 16 Sep 2018 15:03:50 GMT
Good Morning,

On behalf of the Apache SpamAssassin Project Management Committee, I am
very pleased to announce the release of Apache SpamAssassin v3.4.2. 
This release contains security bug fixes.  A security announcement will
follow within the next 24 hours.

Apache SpamAssassin can be downloaded from and via cpan

Our project website is

Our DOAP is available at

Questions?  Please post on our Users mailing list.  More information on
joining our mailing lists is available at


Release Notes -- Apache SpamAssassin -- Version 3.4.2


Apache SpamAssassin 3.4.2 contains numerous tweaks and bug fixes over the
past three and 1/2 years.  As we release 3.4.2, we are preparing 4.0.0
will move us into a full UTF-8 environment.  We expect one final 3.4.3

As with any release there are a number of functional patches,
improvements as
well as security reasons to upgrade to 3.4.2.  In this case we have over 3
years of issues being resolved at once.  And we are laying thr
groundwork for
version 4.0 which is is designed to more natively handle UTF-8.

However, there is one specific pressing reason to upgrade. 
Specifically, we
will stop producing SHA-1 signatures for rule updates.  This means that
we produce rule updates with the focus on them working for any release from
v3.3.2 forward, they will start failing SHA-1 validation for sa-update. 

*** If you do not update to 3.4.2, you will be stuck at the last ruleset
    with SHA-1 signatures in the near future. ***

Many thanks to the committers, contributors, rule testers, mass checkers,
and code testers who have made this release possible. 

Thanks to David Jones for stepping up and helping us found our SpamAssassin
SysAdmin's group. 

And thanks to cPanel for helping making this release possible and
to the continued development of SpamAssassin.  Please visit
with any issues involving cPanel & WHM's integration with SpamAssassin.

Notable features:

New plugins
There are four new plugins added with this release:


The HashBL plugin is the interface to The Email Blocklist (EBL).
The EBL is intended to filter spam that is sent from IP addresses
and domains that cannot be blocked without causing significant
numbers of false positives.


This plugin leverages BSD::Resource to assure your spamd child processes
do not exceed specified CPU or memory limit. If this happens, the child
process will die. See the BSD::Resource for more details.


This plugin allows for detection of the From:name field being used to
recipients into thinking an email is from another address.  The man page
includes examples and we expect to put test rules for this plugin into
rulesrc soon!


This plugin finds uris used in phishing campaigns detected by
OpenPhish ( or PhishTank (

These plugins are disabled by default. To enable, uncomment
the loadplugin configuration options in file v342.pre, or add it to
some local .pre file such as local.pre .

Notable changes

For security reasons SSLv3 support has been removed from spamc(1).

The spamd(1) daemon now is faster to start, thanks to code optimizations.

Four CVE security bug fixes are included in this release for and
the SA core:
 CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781

In sa-update script, optional support for SHA-256 / SHA-512 in addition
to or instead of SHA1 has been added for better validation of rules.
See for information
on the end of SHA-1 signatures which will be the end of rule updates for
releases prior to 3.4.2.

Security updates include security improvements for TxRep, tmp file creation
was hardened, the group list and setuid is hardened for spamd workers,
eval tests have been hardened (Thanks to the cPanel Security Team!),
a bug in earlier Perl versions that caused URIs to be skipped has been
identified, and UTF-16 support is improved.

GeoIP2 support has been added to RelayCountry and URILocalBL plugins due
to GeoIP legacy API deprecations.

New configuration options

A new template tag _DKIMSELECTOR_ that maps to the DKIM selector (the
's' tag)
from valid signatures has been added.

A 'uri_block_cont' option to URILocalBL plugin to score uris per
continent has been added.
Possible continent codes are:
af, as, eu, na, oc, sa for Africa, Asia, Europe, North America,
Oceania and South America.

The 'country_db_type' and 'country_db_path' options has been added to be
to choose in RelayCountry plugin between GeoIP legacy
(discontinued from 04/01/2018), GeoIP2, IP::Country::Fast
and IP::Country::DB_File.
GeoIP legacy is still the default option but it will be deprecated
in future releases.

A config option 'uri_country_db_path' has been added to be able to choose
in URILocalBL plugin between GeoIP legacy and new GeoIP2 api.

A config option 'resource_limit_cpu' (default: 0 or no limit) has been added
to configure how many cpu cycles are allowed on a child process before
it dies.

A config option 'resource_limit_mem' (default: 0 or no limit) has been added
to configure the maximum number of bytes of memory allowed both for
(virtual) address space bytes and resident set size.

A new config option 'report_wrap_width' (default: 70) has been added
to set the wrap width for description lines in the X-Spam-Report header.

Notable Internal changes

SpamAssassin can cope with new Net::DNS module versions.
The "bytes" pragma has been remove from both core modules and plugins for
better utf-8 compatibility, there has been also some other utf-8 related
The spamc(1) client can now be build against OpenSSL 1.1.0.
The test framework has been switched to Test::More module.

Other updates

Documentation was updated or enhanced. Project's testing and evaluation
hosts and tools running on the ASF infrastructure were updated.

A list of top-level domains in registrar boundaries was updated.


Faster startup of the SpamAssassin daemon.
Spamc client now correctly free(3) all the memory it uses.

Downloading and availability

Downloads are available from:

sha256sum of archive files:


sha512sum of archive files:


Note that the *-rules-*.tgz files are only necessary if you cannot,
or do not wish to, run "sa-update" after install to download the latest
fresh rules.

See the INSTALL and UPGRADE files in the distribution for important
installation notes.

GPG Verification Procedure
The release files also have a .asc accompanying them.  The file serves
as an external GPG signature for the given release file.  The signing
key is available via the key server, as well as

The key information is:

pub   4096R/F7D39814 2009-12-02
       Key fingerprint = D809 9BC7 9E17 D7E4 9BC2  1E31 FDE5 2F40 F7D3 9814
uid                  SpamAssassin Project Management Committee
uid                  SpamAssassin Signing Key (Code Signing Key,
replacement for 1024D/265FA05B) <>
sub   4096R/7B3265A5 2009-12-02

To verify a release file, download the file with the accompanying .asc
file and run the following commands:

  gpg --verbose --keyserver --recv-key F7D39814
  gpg --verify Mail-SpamAssassin-3.4.1.tar.bz2.asc
  gpg --fingerprint F7D39814

Then verify that the key matches the signature.

Note that older versions of gnupg may not be able to complete the steps
above. Specifically, GnuPG v1.0.6, 1.0.7 & 1.2.6 failed while v1.4.11
worked flawlessly.

See for more information
on verifying Apache releases.

About Apache SpamAssassin

Apache SpamAssassin is a mature, widely-deployed open source project
that serves as a mail filter to identify spam. SpamAssassin uses a
variety of mechanisms including mail header and text analysis, Bayesian
filtering, DNS blocklists, and collaborative filtering databases. In
addition, Apache SpamAssassin has a modular architecture that allows
other technologies to be quickly incorporated as an addition or as a
replacement for existing methods.

Apache SpamAssassin typically runs on a server, classifies and labels
spam before it reaches your mailbox, while allowing other components of
a mail system to act on its results.

Most of the Apache SpamAssassin is written in Perl, with heavily
traversed code paths carefully optimized. Benefits are portability,
robustness and facilitated maintenance. It can run on a wide variety of
POSIX platforms.

The server and the Perl library feels at home on Unix and Linux platforms
and reportedly also works on MS Windows systems under ActivePerl.

For more information, visit

About The Apache Software Foundation

Established in 1999, The Apache Software Foundation provides
organizational, legal, and financial support for more than 100
freely-available, collaboratively-developed Open Source projects. The
pragmatic Apache License enables individual and commercial users to
easily deploy Apache software; the Foundation's intellectual property
framework limits the legal exposure of its 2,500+ contributors.

For more information, visit

Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project - 703.798.0171

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message