Bug 593452 - spamassassin: open-whois.org rules should be removed due to domain cybersquatting
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2010-05-18 19:46 UTC by Vincent Danen
Modified: 2022-11-30 09:33 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-07-24 23:20:15 UTC
Embargoed:



Description Vincent Danen 2010-05-18 19:46:25 UTC
The open-whois.org domain is used by SpamAssassin to get WHOIS information, but the domain is no longer active as a WHOIS and is cybersquatted.  The concern is that the squatter could potentially influence SpamAssassin's spam scoring and accuracy (causing false positives, or allowing more spam through).

References:

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6157
http://svn.apache.org/viewvc?view=revision&revision=758225

Comment 1 Vincent Danen 2010-05-18 19:48:46 UTC
Just to note, I'm not convinced we would consider this a security issue, and if we do, it is a low impact issue at best.

Upstream 3.3.1 has these checks removed, which is the version as provided currently by Fedora.

Comment 2 Vincent Danen 2010-05-18 20:41:17 UTC
Running sa-update will correct this.  New rules are downloaded to /var/lib/spamassassin/3.002005/updates_spamassassin_org/ and these don't include the open-whois.org stuff.  In Red Hat Enterprise Linux 5, we do have a cron job to run sa-update, but it is not enabled by default, so users who are impacted by this issue have the option of running sa-update to get the updated rules in the event that an update is not provided.

I presume that the .cf files in /var/lib/spamassassin/... will override the defaults in /usr/share/spamassassin/.  Can someone verify this (I don't use spamassassin myself so I'm not sure how to test it quickly).  Thanks.

Comment 3 Nick Bebout 2010-07-24 23:20:15 UTC
Resolving as CLOSED CURRENTRELEASE, since 3.3.0 and up (including 3.3.1 which is in all current versions of Fedora) do not have these rules.  Running sa-update on any 3.2.x versions will remove it also.

Comment 4 Tomas Hoger 2010-07-30 13:43:05 UTC
(In reply to comment #2)
> Running sa-update will correct this.  New rules are downloaded to
> /var/lib/spamassassin/3.002005/updates_spamassassin_org/ and these don't
> include the open-whois.org stuff.  In Red Hat Enterprise Linux 5, we do have a
> cron job to run sa-update, but it is not enabled by default, so users who are
> impacted by this issue have the option of running sa-update to get the updated
> rules in the event that an update is not provided.

Users running spamassassin on RHEL-4 or RHEL-5 need to use sa-update anyway to get newer rules.  Otherwise, all their mail will be hit by the year 2010 bug of the FH_DATE_PAST_20XX rule:

  https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6269

which adds 3.4 points by default.  All DNS BL requests to bl.open-whois.org seem to return "listed in BL" as the reply.  So the package rules are not really usable today and need to be sa-updated.

There's an existing request to update to newer 3.3.x to benefit from newer rules that are not provided for 3.2.x - see bug #601948.
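The behaviour described in comment 4 (every query to bl.open-whois.org answering "listed") is the signature of a parked or squatted DNSBL zone, and it is cheap to detect before such a zone is allowed to add points to a score. The script below is an added example and is not SpamAssassin code or part of this bug report: it applies the RFC 5782 sanity conventions (127.0.0.2 must be listed, 127.0.0.1 must not, answers belong in 127.0.0.0/8) plus a random-label probe for wildcard DNS. The resolver and all of its answers are constructed so that it runs offline; the contrasting zone name bl.example.invalid, the listed address 203.0.113.5 and the parked-page address 192.0.2.10 are invented for illustration.

```python
"""Sanity-check a DNSBL zone before letting it influence spam scores.

Added example, not SpamAssassin code.  The DNS answers below are
constructed so the script runs offline; in production ``resolve`` would
wrap a real A-record lookup (for example dnspython's
``dns.resolver.resolve(name, "A")``).
"""
import ipaddress
import random
import string


def reverse_ip(ip):
    """Reverse the octets of an IPv4 address for a DNSBL lookup."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))


def make_resolver(zone, table):
    """Build a fake A-record lookup for one zone from a constructed table.

    ``table`` maps a reversed-octet prefix to its A records.  A "*" key
    stands for a wildcard record, which is what a parked or squatted domain
    usually carries: every name under it resolves, so every client looks
    "listed".
    """
    suffix = "." + zone

    def resolve(name):
        if not name.endswith(suffix):
            return []
        prefix = name[: -len(suffix)]
        if prefix in table:
            return list(table[prefix])
        return list(table.get("*", []))

    return resolve


def dnsbl_query(zone, ip, resolve):
    """Return the A records for ``ip`` in ``zone`` ([] means not listed)."""
    return resolve(f"{reverse_ip(ip)}.{zone}")


def dnsbl_health(zone, resolve):
    """Apply the RFC 5782 conventions and return (usable, reasons).

    A usable list must list 127.0.0.2, must not list 127.0.0.1, must not
    answer for a random label, and should answer only from 127.0.0.0/8.
    """
    reasons = []
    loopback = ipaddress.ip_network("127.0.0.0/8")

    test_entry = dnsbl_query(zone, "127.0.0.2", resolve)
    if not test_entry:
        reasons.append("127.0.0.2 not listed: zone is dead or empty")
    elif any(ipaddress.ip_address(a) not in loopback for a in test_entry):
        reasons.append("answer outside 127.0.0.0/8: looks like a parked-page address")

    if dnsbl_query(zone, "127.0.0.1", resolve):
        reasons.append("127.0.0.1 listed: every client will look listed")

    junk = "".join(random.choices(string.ascii_lowercase, k=16))
    if resolve(f"{junk}.{zone}"):
        reasons.append("random label resolves: wildcard DNS, domain likely squatted")

    return (not reasons, reasons)


# Constructed answer tables (not real DNS data).  bl.open-whois.org is the
# zone named in comment 4; the healthy zone name and its entries are invented.
SQUATTED_ZONE = "bl.open-whois.org"
squatted_resolver = make_resolver(SQUATTED_ZONE, {"*": ["192.0.2.10"]})

HEALTHY_ZONE = "bl.example.invalid"
healthy_resolver = make_resolver(HEALTHY_ZONE, {"2.0.0.127": ["127.0.0.2"],
                                                "5.113.0.203": ["127.0.0.2"]})


if __name__ == "__main__":
    for zone, resolve in ((SQUATTED_ZONE, squatted_resolver),
                          (HEALTHY_ZONE, healthy_resolver)):
        usable, reasons = dnsbl_health(zone, resolve)
        print(f"{zone}: {'usable' if usable else 'DO NOT USE'}")
        for reason in reasons:
            print("  -", reason)
        # A client on no real list still "hits" a squatted zone.
        hit = bool(dnsbl_query(zone, "198.51.100.7", resolve))
        print("  198.51.100.7 listed?", hit)
```

Run against a live zone by replacing the constructed resolver with one that performs a real A lookup and returns [] on NXDOMAIN; a zone that fails any of the checks should be dropped from the rule set or given a zero score rather than left to add points to every message.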

