[AHBL] spamassassin is returning false positives by default

Bug #1412830 reported by Ante Karamatić
18
This bug affects 2 people
Affects Status Importance Assigned to Milestone
spamassassin (Debian)
Fix Released
Unknown
spamassassin (Ubuntu)
Fix Released
Critical
Robie Basak
Lucid
Fix Released
Critical
Robie Basak
Precise
Fix Released
Critical
Robie Basak
Trusty
Fix Released
Critical
Robie Basak
Utopic
Fix Released
Critical
Robie Basak

Bug Description

[Impact]

spamassassin users have a regression in behaviour in the last month or so. The AHBL DNS check is now returning a false positive. This causes mail to be more likely to be classified as spam. Depending on user configuration, this could cause emails to be rejected when they should be accepted, or placed in a spam folder when they should not, or for emails to be incorrectly discarded (data loss).

[Workaround]

Use sa-update to download the latest rules from upstream. However, not all users run sa-update and may not have noticed this bug. So given that sa-update is not run automatically by default, an SRU is appropriate to change the default installation to not use the AHBL blacklist.

[Development Fix]

Disable use of the AHBL DNS blacklist in the default rules list.

[Stable Fix]

Same as development fix.

[Test Case]

Run test.sh (attached). This reads testcase (attached) and will print whether spamassassin is affected, and return with an appropriate exit status. Due to the nature of this bug this requires Internet connectivity; problems or changes online could lead to a false negative.

[Regression Potential]

Unlikely. The highest risk is of some problem in package rebuild or that there's a mistake in the patch causing some other change in behaviour. But that seems very unlikely given that the configuration change is quite trivial.

Be aware that Internet connectivity is required when verifying this SRU.

[Original Description]

AHBL has discontinued their operations and is deliberetly marking all checks as positive:

http://www.ahbl.org/content/last-notice-wildcarding-services-jan-1st

AHBL is enabled by default in SpamAssassin in at least 10.04, 12.04 and 14.04. This means that every mail gets 2 points on spam score list.

10.04:

# grep -sr AHBL /usr/share/spamassassin/
/usr/share/spamassassin/30_text_de.cf:lang de describe DNS_FROM_AHBL_RHSBL Absenderadresse in Liste von dnsbl.ahbl.org
/usr/share/spamassassin/20_dnsbl_tests.cf:header DNS_FROM_AHBL_RHSBL eval:check_rbl_envfrom('ahbl', 'rhsbl.ahbl.org.')
/usr/share/spamassassin/20_dnsbl_tests.cf:describe DNS_FROM_AHBL_RHSBL Envelope sender listed in dnsbl.ahbl.org
/usr/share/spamassassin/20_dnsbl_tests.cf:tflags DNS_FROM_AHBL_RHSBL net
/usr/share/spamassassin/20_dnsbl_tests.cf:reuse DNS_FROM_AHBL_RHSBL
/usr/share/spamassassin/50_scores.cf:score DNS_FROM_AHBL_RHSBL 0 2.438 0 2.699 # n=0 n=2

12.04:

# grep -sr AHBL /usr/share/spamassassin/
/usr/share/spamassassin/50_scores.cf:score DNS_FROM_AHBL_RHSBL 0 2.438 0 2.699 # n=0 n=2
/usr/share/spamassassin/30_text_de.cf:lang de describe DNS_FROM_AHBL_RHSBL Absenderadresse in Liste von dnsbl.ahbl.org
/usr/share/spamassassin/20_dnsbl_tests.cf:header DNS_FROM_AHBL_RHSBL eval:check_rbl_envfrom('ahbl', 'rhsbl.ahbl.org.')
/usr/share/spamassassin/20_dnsbl_tests.cf:describe DNS_FROM_AHBL_RHSBL Envelope sender listed in dnsbl.ahbl.org
/usr/share/spamassassin/20_dnsbl_tests.cf:tflags DNS_FROM_AHBL_RHSBL net
/usr/share/spamassassin/20_dnsbl_tests.cf:reuse DNS_FROM_AHBL_RHSBL

14.04:

# grep -sr AHBL /usr/share/spamassassin/
/usr/share/spamassassin/30_text_de.cf:lang de describe DNS_FROM_AHBL_RHSBL Absenderadresse in Liste von dnsbl.ahbl.org
/usr/share/spamassassin/50_scores.cf:score DNS_FROM_AHBL_RHSBL 0 2.438 0 2.699 # n=0 n=2
/usr/share/spamassassin/30_text_pt_br.cf:lang pt_BR describe DNS_FROM_AHBL_RHSBL Envelope sender consta em dnsbl.ahbl.org
/usr/share/spamassassin/20_dnsbl_tests.cf:header DNS_FROM_AHBL_RHSBL eval:check_rbl_envfrom('ahbl', 'rhsbl.ahbl.org.')
/usr/share/spamassassin/20_dnsbl_tests.cf:describe DNS_FROM_AHBL_RHSBL Envelope sender listed in dnsbl.ahbl.org
/usr/share/spamassassin/20_dnsbl_tests.cf:tflags DNS_FROM_AHBL_RHSBL net
/usr/share/spamassassin/20_dnsbl_tests.cf:reuse DNS_FROM_AHBL_RHSBL

AHBL should be removed from SpamAssassin ASAP.

Ante Karamatić (ivoks)
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in spamassassin (Ubuntu):
status: New → Confirmed
Revision history for this message
Robie Basak (racb) wrote :

I believe that sa-update will update the rules correctly in /var/lib/spamassassin, so after running this users should not be getting a false positive. Please could someone confirm?

If this is true, I'm not sure whether the right thing to do is an SRU to disable it for users who don't run sa-update, or to declare that running sa-update is the correct fix and that this is effectively a Won't Fix bug.

Feedback appreciated.

Revision history for this message
Robie Basak (racb) wrote :

15:37 <rbasak> ScottK: can I have an opinion from you on bug 1412830 please? sa-update or SRU?
15:37 <ubottu> bug 1412830 in spamassassin (Ubuntu) "[AHBL] spamassassin is returning false positives by default" [Critical,Confirmed] https://launchpad.net/bugs/1412830
15:37 <ScottK> Looking
15:38 <ScottK> rbasak: sa-update is disabled by default, so I think an SRU is appropriate.
15:38 <rbasak> ScottK: OK, thanks. I'll arrange it.
15:39 <ScottK> (Note: the Debian SA maintainer is considering changing that default for a future release)
15:39 <ScottK> great

I'm not sure exactly which releases are affected. Once I know, I'll create bug tasks.

Changed in spamassassin (Ubuntu):
status: Confirmed → Triaged
Kick In (kick-d)
Changed in spamassassin (Ubuntu):
assignee: nobody → Kick In (kick-d)
Revision history for this message
Robie Basak (racb) wrote :

Pierre-Andre has had to unexpectedly be out this week, so I'll take care of this.

Changed in spamassassin (Ubuntu):
assignee: Kick In (kick-d) → Robie Basak (racb)
Revision history for this message
Robie Basak (racb) wrote :
Revision history for this message
Robie Basak (racb) wrote :
description: updated
Robie Basak (racb)
Changed in spamassassin (Ubuntu Lucid):
status: New → Triaged
Changed in spamassassin (Ubuntu Precise):
status: New → Triaged
Changed in spamassassin (Ubuntu Trusty):
status: New → Triaged
Changed in spamassassin (Ubuntu Utopic):
status: New → Triaged
Changed in spamassassin (Ubuntu Lucid):
importance: Undecided → Critical
Changed in spamassassin (Ubuntu Precise):
importance: Undecided → Critical
Changed in spamassassin (Ubuntu Trusty):
importance: Undecided → Critical
Changed in spamassassin (Ubuntu Lucid):
assignee: nobody → Robie Basak (racb)
Changed in spamassassin (Ubuntu Utopic):
assignee: nobody → Robie Basak (racb)
importance: Undecided → Critical
Changed in spamassassin (Ubuntu Precise):
assignee: nobody → Robie Basak (racb)
Changed in spamassassin (Ubuntu Trusty):
assignee: nobody → Robie Basak (racb)
Revision history for this message
Robie Basak (racb) wrote :

Uploaded a fix for Vivid. I'll prepare an SRU for the stable releases tomorrow.

Changed in spamassassin (Ubuntu):
status: Triaged → Fix Committed
Changed in spamassassin (Debian):
status: Unknown → New
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package spamassassin - 3.4.0-5ubuntu1

---------------
spamassassin (3.4.0-5ubuntu1) vivid; urgency=medium

  * d/p/disable-ahbl: disable AHBL DNS blacklist as it now returns false
    positives (LP: #1412830).
 -- Robie Basak <email address hidden> Tue, 27 Jan 2015 17:58:57 +0000

Changed in spamassassin (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Robie Basak (racb) wrote :

Uploaded SRUs for Lucid, Precise, Trusty and Utopic. Now awaiting review from the SRU team.

description: updated
Changed in spamassassin (Ubuntu Lucid):
status: Triaged → In Progress
Changed in spamassassin (Ubuntu Precise):
status: Triaged → In Progress
Changed in spamassassin (Ubuntu Trusty):
status: Triaged → In Progress
Changed in spamassassin (Ubuntu Utopic):
status: Triaged → In Progress
Revision history for this message
Adam Conrad (adconrad) wrote : Please test proposed package

Hello Ante, or anyone else affected,

Accepted spamassassin into utopic-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/spamassassin/3.4.0-3ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in spamassassin (Ubuntu Utopic):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in spamassassin (Ubuntu Trusty):
status: In Progress → Fix Committed
Revision history for this message
Adam Conrad (adconrad) wrote :

Hello Ante, or anyone else affected,

Accepted spamassassin into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/spamassassin/3.4.0-1ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in spamassassin (Ubuntu Precise):
status: In Progress → Fix Committed
Revision history for this message
Adam Conrad (adconrad) wrote :

Hello Ante, or anyone else affected,

Accepted spamassassin into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/spamassassin/3.3.2-2ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in spamassassin (Ubuntu Lucid):
status: In Progress → Fix Committed
Revision history for this message
Adam Conrad (adconrad) wrote :

Hello Ante, or anyone else affected,

Accepted spamassassin into lucid-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/spamassassin/3.3.1-1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Simon Déziel (sdeziel)
tags: added: verification-done-precise verification-done-trusty
Revision history for this message
Robie Basak (racb) wrote :

Thank you Simon for your verification.

I have verified all releases (Lucid, Precise, Trusty, Utopic). For Lucid, I used a VM, as I couldn't get LXC networking to work with it. For the others, I used LXC.

In each VM or container, I enabled proposed, installed spamassassin, ran my test case and verified that it said "Not affected". I also noticed that my test script doesn't check the exit status of spamassassin, so I checked every "output" file manually to verify that spamassassin is still working correctly with the other checks. Utopic needed some special manual treatment due to bug 1355343 meaning that I couldn't cat to the end of sources.list to enable proposed.

tags: added: verification-done verification-done-lucid verification-done-utopic
removed: verification-needed
Revision history for this message
Robie Basak (racb) wrote :

(I had already run my test case on every release prior to preparing my fix, and verified that they all said "Affected". I saw no need to do this again as the existing packages haven't changed)

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package spamassassin - 3.3.1-1ubuntu0.1

---------------
spamassassin (3.3.1-1ubuntu0.1) lucid; urgency=medium

  * d/p/disable-ahbl: disable AHBL DNS blacklist as it now returns false
    positives (LP: #1412830).
 -- Robie Basak <email address hidden> Wed, 28 Jan 2015 02:29:24 +0000

Changed in spamassassin (Ubuntu Lucid):
status: Fix Committed → Fix Released
Revision history for this message
Adam Conrad (adconrad) wrote : Update Released

The verification of the Stable Release Update for spamassassin has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package spamassassin - 3.3.2-2ubuntu1.1

---------------
spamassassin (3.3.2-2ubuntu1.1) precise; urgency=medium

  * d/p/disable-ahbl: disable AHBL DNS blacklist as it now returns false
    positives (LP: #1412830).
 -- Robie Basak <email address hidden> Wed, 28 Jan 2015 02:29:29 +0000

Changed in spamassassin (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package spamassassin - 3.4.0-1ubuntu2.1

---------------
spamassassin (3.4.0-1ubuntu2.1) trusty; urgency=medium

  * d/p/disable-ahbl: disable AHBL DNS blacklist as it now returns false
    positives (LP: #1412830).
 -- Robie Basak <email address hidden> Wed, 28 Jan 2015 02:29:35 +0000

Changed in spamassassin (Ubuntu Trusty):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package spamassassin - 3.4.0-3ubuntu2.1

---------------
spamassassin (3.4.0-3ubuntu2.1) utopic; urgency=medium

  * d/p/disable-ahbl: disable AHBL DNS blacklist as it now returns false
    positives (LP: #1412830).
 -- Robie Basak <email address hidden> Wed, 28 Jan 2015 02:29:40 +0000

Changed in spamassassin (Ubuntu Utopic):
status: Fix Committed → Fix Released
Changed in spamassassin (Debian):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.