The open-whois.org domain is used by SpamAssassin to get WHOIS information, but the domain is no longer active as a WHOIS and is cybersquatted. The concern is that the squatter could potentially influence SpamAssassin's spam scoring and accuracy (causing false positives, or allowing more spam through).

References:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6157
http://svn.apache.org/viewvc?view=revision&revision=758225
Just to note, I'm not convinced we would consider this a security issue, and if we do, it is a low impact issue at best. Upstream 3.3.1 has these checks removed, which is the version as provided currently by Fedora.
Running sa-update will correct this. New rules are downloaded to /var/lib/spamassassin/3.002005/updates_spamassassin_org/ and these don't include the open-whois.org stuff. In Red Hat Enterprise Linux 5, we do have a cron job to run sa-update, but it is not enabled by default, so users who are impacted by this issue have the option of running sa-update to get the updated rules in the event that an update is not provided. I presume that the .cf files in /var/lib/spamassassin/... will override the defaults in /usr/share/spamassassin/. Can someone verify this? (I don't use spamassassin myself so I'm not sure how to test it quickly.) Thanks.
Resolving as CLOSED CURRENTRELEASE, since 3.3.0 and up (including 3.3.1 which is in all current versions of Fedora) do not have these rules. Running sa-update on any 3.2.x versions will remove it also.
(In reply to comment #2)
> Running sa-update will correct this. New rules are downloaded to
> /var/lib/spamassassin/3.002005/updates_spamassassin_org/ and these don't
> include the open-whois.org stuff. In Red Hat Enterprise Linux 5, we do have a
> cron job to run sa-update, but it is not enabled by default, so users who are
> impacted by this issue have the option of running sa-update to get the updated
> rules in the event that an update is not provided.

Users running spamassassin on RHEL-4 or RHEL-5 need to use sa-update anyway to get newer rules. Otherwise, all their mails will be hit by the year 2010 bug of the FH_DATE_PAST_20XX rule: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6269 which adds 3.4 points by default. All DNS BL requests to bl.open-whois.org seem to return "listed in BL" as the reply. So the package rules are not really usable today and need to be sa-updated. There's an existing request to update to newer 3.3.x to benefit from newer rules that are not provided for 3.2.x - see bug #601948.
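As an added example (not from this bug report or from the SpamAssassin project): a small POSIX shell check that reports which rules directory a 3.2.x install will read and lists any rules there that still refer to open-whois.org, run here against a constructed sample tree. It assumes the layout described in the comments above, namely that sa-update writes under /var/lib/spamassassin/<version>/ and that this directory, once populated, is read instead of /usr/share/spamassassin; on a real host, call the two functions with the real paths.

```shell
#!/bin/sh
# Added example, not from the bug thread: show which rules directory a
# SpamAssassin 3.2.x install reads and which rules there still mention a
# domain. Assumed layout (as the thread describes it): sa-update writes to
# /var/lib/spamassassin/<version>/, read instead of /usr/share/spamassassin.

# Print the rules dir read for version $1 (e.g. 3.002005); $2 and $3 override
# the default and sa-update base dirs.
effective_rules_dir() {
    ver=$1; default_dir=${2:-/usr/share/spamassassin}; base=${3:-/var/lib/spamassassin}
    if ls "$base/$ver"/*.cf >/dev/null 2>&1; then
        echo "$base/$ver"
    else
        echo "$default_dir"
    fi
}

# Print (deduplicated) the names of rules in any *.cf below $1 whose definition
# line contains $2; comment lines are ignored.
rules_referencing() {
    find "$1" -name '*.cf' -exec awk -v d="$2" '
        /^[[:space:]]*#/ { next }
        index($0, d) && $1 ~ /^(header|body|rawbody|uri|full|meta)$/ { print $2 }
    ' {} + | sort -u
}

# Build a constructed sample tree (these are not real SpamAssassin rule files):
# stale defaults that query bl.open-whois.org and an sa-update dir without them.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/share" "$root/lib/3.002005/updates_spamassassin_org"
    cat > "$root/share/20_constructed.cf" <<'EOF'
# constructed sample: a DNSBL rule pointing at the defunct open-whois.org zone
header __CONSTRUCTED_OPENWHOIS eval:check_rbl('constructed', 'bl.open-whois.org.')
EOF
    printf 'include updates_spamassassin_org/20_constructed.cf\n' \
        > "$root/lib/3.002005/updates_spamassassin_org.cf"
    printf 'body CONSTRUCTED_OK /ok/\n' \
        > "$root/lib/3.002005/updates_spamassassin_org/20_constructed.cf"
    echo "$root"
}

root=$(make_sample_tree)
dir=$(effective_rules_dir 3.002005 "$root/share" "$root/lib")
echo "active rules dir: $dir"
echo "rules still referencing open-whois.org in it:"
rules_referencing "$dir" open-whois.org
rm -rf "$root"
```

Running it with the sample tree reports the sa-update directory as active and no rules referencing the domain; pointing rules_referencing at the stale defaults directory instead lists the constructed rule.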