open-whois.org is cybersquatted and its rules should be removed from Spamassassin

Bug #551655 reported by Pawel Tecza
This bug affects 5 people
Affects                Status        Importance  Assigned to  Milestone
Hardy Backports        Fix Released  Undecided   Unassigned
spamassassin (Ubuntu)  Fix Released  Undecided   Unassigned
Hardy                  Fix Released  High        Clint Byrum

Bug Description

Binary package hint: spamassassin

Recently I've noticed that a lot of non-spam messages I receive pass Spamassassin
DNS_FROM_OPENWHOIS test. I googled a bit and found the following related Debian
BTS report:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=537477

It seems that open-whois.org is cybersquatted and its rules should be removed
from Spamassassin as soon as it's possible.

Please note that the open-whois.org rules have been purged in Spamassassin 3.3.0:

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6157

I use Spamassassin 3.2.5-4ubuntu0.0.1 under Ubuntu Jaunty, but I can see that Karmic
has the same version of Spamassassin.

Mathias Gug (mathiaz) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. However, I am closing it because the bug has been fixed in the latest development version of Ubuntu - Lucid Lynx.

This is an important bug in Ubuntu. If you need a fix for the bug in previous versions of Ubuntu, please do steps 1 and 2 of the SRU Procedure [1] to bring the need to a developer's attention.

[1]: https://wiki.ubuntu.com/StableReleaseUpdates#Procedure

Changed in spamassassin (Ubuntu):
status: New → Fix Released

Pawel Tecza (ptecza) wrote : Re: [Bug 551655] Re: open-whois.org is cybersquatted and its rules should be removed from Spamassassin

On Tue, 30 Mar 2010 15:35:41 -0000
Mathias Gug <email address hidden> wrote:

> Thank you for taking the time to report this bug and helping to make
> Ubuntu better. However, I am closing it because the bug has been fixed
> in the latest development version of Ubuntu - Lucid Lynx.

Thanks for your reply, Mathias!

I think that closing the bug I reported is not a good decision on your part. Ubuntu
still supports previous releases and IMHO that bug should be fixed there too,
because it's very important for all mail servers using old Spamassassin.

Do you still remember the Y2010 problem in Spamassassin? Ubuntu fixed the
FH_DATE_PAST_20XX test for Spamassassin in Karmic and Jaunty, because
it could create a lot of false positives. The open-whois.org rules are
false positives too. IMHO they are similar issues.

> This is an important bug in Ubuntu. If you need a fix for the bug in
> previous versions of Ubuntu, please do steps 1 and 2 of the SRU
> Procedure [1] to bring the need to a developer's attention.

I don't need a fix for that bug now. I've just removed the
open-whois.org rules on my servers where Spamassassin is running. But I
also wanted to help other Ubuntu admins. I can imagine that some of
them don't know about that problem at all.

Mathias Gug (mathiaz) wrote :

On Tue, Mar 30, 2010 at 07:57:21PM -0000, Paweł Tęcza wrote:

> I think that closing the bug I reported is not a good decision on your part. Ubuntu
> still supports previous releases and IMHO that bug should be fixed there too,
> because it's very important for all mail servers using old Spamassassin.
>
> Do you still remember the Y2010 problem in Spamassassin? Ubuntu fixed the
> FH_DATE_PAST_20XX test for Spamassassin in Karmic and Jaunty, because
> it could create a lot of false positives. The open-whois.org rules are
> false positives too. IMHO they are similar issues.
>

Yes - this is what the Stable Release Updates [1] process is made for.

[1]: https://wiki.ubuntu.com/StableReleaseUpdates

> > This is an important bug in Ubuntu. If you need a fix for the bug in
> > previous versions of Ubuntu, please do steps 1 and 2 of the SRU
> > Procedure [1] to bring the need to a developer's attention.
>
> I don't need a fix for that bug now. I've just removed the
> open-whois.org rules on my servers where Spamassassin is running. But I
> also wanted to help other Ubuntu admins. I can imagine that some of
> them don't know about that problem at all.
>

The best way to help others is to get a Stable Release Update prepared and
published. See [1] for how to conduct this.

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

Derek Simkowiak (ubuntu-cool-st) wrote :

If I understood Mathias' comment, he just wants somebody to do steps one and two of the update procedure to justify backporting this bug.

So, here goes:

Step 1: The bug is fixed in the latest branch, and it is flagged "fixed released" (as per above). Done.

Step 2: I am updating the bug description with the required information below.

Step 2.1: The impact is that users of 8.04 are getting false positives from SpamAssassin. I'm seeing it on an eBox system (eBox is an email system based on Ubuntu that includes SpamAssassin).

Step 2.2: The bug was addressed as per this bug report. (See above.)

Step 2.3: Patch: I don't have one, sorry. The patch is just to remove all the open-whois.org from /usr/share/spamassassin/72_active.cf ; the patch used above should suffice.

Step 2.4: To repro the bug: let SpamAssassin filter a mail and flag it (as per defaults). You'll see a header like:

    X-Spam-Status: No, score=2.431 required=5 tests=[DNS_FROM_OPENWHOIS=2.431]

    Once the fix is in place the DNS_FROM_OPENWHOIS rule (and all other open-whois.org rules) should be gone.

Step 2.5: I don't see how a regression could "inadvertently" be affected. The open-whois.org service is dead, the domain has been taken by a squatter, and 100% of all SpamAssassin installs should have these rules removed.

    I hope the lack of a patch won't prevent this from getting backported. I'm as excited about 10.4 as anyone, but I won't be upgrading my email systems for several weeks or months. (The OpenLDAP upgrade is broken, due to cn=config and bugs like #364531, so moving from 8.04 to 10.4 for my email systems will be a huge investment of time.)

Thank You,
Derek Simkowiak
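
Added example (not part of the original report, and not SpamAssassin's own code): one way to measure the impact described in steps 2.1 and 2.4 on mail that was already filtered, by parsing X-Spam-Status headers in the layout quoted above and re-scoring them without the DNS_FROM_OPENWHOIS hit. The function names, all sample headers after the first, and the EXAMPLE_RULE_* names are constructed for illustration.

```python
import re

DEAD_RULE = "DNS_FROM_OPENWHOIS"  # rule name from the bug report
# Header layout as quoted in the report: score=N required=N tests=[RULE=points,...]
STATUS_RE = re.compile(
    r"X-Spam-Status:\s*(Yes|No),\s*score=(-?[\d.]+)\s+required=(-?[\d.]+)"
    r"\s+tests=\[([^\]]*)\]", re.IGNORECASE)

def parse_status(header):
    """Return (score, required, {rule: points}), or None if the header does not parse."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header.strip())  # undo header folding
    m = STATUS_RE.match(unfolded)
    if not m:
        return None
    try:
        tests = {}
        for item in filter(None, (t.strip() for t in m.group(4).split(","))):
            name, _, points = item.partition("=")
            tests[name] = float(points)
        return float(m.group(2)), float(m.group(3)), tests
    except ValueError:  # a test entry without a numeric score
        return None

def rescore(header, dead_rule=DEAD_RULE):
    """Score the message as if dead_rule had never fired; None if it did not fire."""
    parsed = parse_status(header)
    if parsed is None or dead_rule not in parsed[2]:
        return None
    score, required, tests = parsed
    corrected = round(score - tests[dead_rule], 3)
    return {"score": score, "corrected": corrected,
            "flipped": score >= required and corrected < required}  # spam when score >= required

def flipped_verdicts(headers, dead_rule=DEAD_RULE):
    """Indexes of headers whose spam verdict depended on dead_rule."""
    results = ((i, rescore(h, dead_rule)) for i, h in enumerate(headers))
    return [i for i, r in results if r and r["flipped"]]

# The first header is the one quoted in the report; the others are constructed
# for this example (EXAMPLE_RULE_* are placeholder rule names).
SAMPLES = [
    "X-Spam-Status: No, score=2.431 required=5 tests=[DNS_FROM_OPENWHOIS=2.431]",
    "X-Spam-Status: Yes, score=6.1 required=5 tests=[DNS_FROM_OPENWHOIS=2.431,\n"
    "\tEXAMPLE_RULE_A=3.669]",
    "X-Spam-Status: Yes, score=12.431 required=5 tests=[DNS_FROM_OPENWHOIS=2.431, EXAMPLE_RULE_B=10.0]",
    "X-Spam-Status: No, score=0.5 required=5 tests=[EXAMPLE_RULE_A=0.5]",
]
```

`flipped_verdicts(SAMPLES)` returns the indexes of messages that were tagged as spam only because the dead blacklist answered, which are the ones worth releasing from quarantine first.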

Pawel Tecza (ptecza) wrote :

On Mon, 19 Apr 2010 20:47:29 -0000
Derek Simkowiak <email address hidden> wrote:

> Step 2.3: Patch: I don't have one, sorry. The patch is just to remove
> all the open-whois.org from /usr/share/spamassassin/72_active.cf ; the
> patch used above should suffice.

Hi Derek,

Thanks a lot for your feedback! I'm attaching my patch. Please note
that I've just commented out, not removed, the open-whois stuff in the 50_scores.cf
and 72_active.cf files of Spamassassin. If you are familiar with the unified
diff format then you could fix that, but IMHO it's not necessary.

My best regards,

Pawel

Andy Brody (abrody) wrote :

An SRU for Hardy would be very nice to have. Is there anything I can do to help?

Changed in spamassassin (Ubuntu Hardy):
milestone: none → hardy-updates
assignee: nobody → Clint Byrum (clint-fewbar)
importance: Undecided → High
status: New → In Progress

Scott Kitterman (kitterman) wrote :

The bug could use a good test case. Please edit the main bug, start with TEST
CASE: and then describe how to show the problem exists before the upgrade and
how it's gone after (think small test procedure).

Changed in hardy-backports:
status: New → Fix Committed

Scott Kitterman (kitterman) wrote :

I've uploaded the proposed fix for both hardy and hardy-backports.

Changed in hardy-backports:
status: Fix Committed → Fix Released

Martin Pitt (pitti) wrote : Please test proposed package

Accepted spamassassin into hardy-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in spamassassin (Ubuntu Hardy):
status: In Progress → Fix Committed
tags: added: verification-needed

Imre Gergely (cemc) wrote :

I'm trying to recreate the "bug" but I can't seem to get it right... Is there a sure way to get SA to show that test in the header? I'm sending all kinds of messages to my test box, but it doesn't want to do the OPENWHOIS test...

Clint Byrum (clint-fewbar) wrote :

Imre, once again thanks for your work verifying these bug fixes.

TEST CASE:

    zcat /usr/share/doc/spamassassin/examples/sample-nonspam.txt.gz > sample-nonspam.txt
    spamassassin -t < sample-nonspam.txt | grep OPENWHOIS

Since OPENWHOIS does not exist, we should never get a positive, but we do. So you'll see:

    Content analysis details: (1.2 points, 5.0 required)

     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     2.4 DNS_FROM_OPENWHOIS     RBL: Envelope sender listed in bl.open-whois.org.
    -1.2 AWL                    AWL: From: address is in the auto white-list

After installing the version from -proposed you should see something more like this:

    Content analysis details: (0.6 points, 5.0 required)

     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     0.6 AWL                    AWL: From: address is in the auto white-list

Basically, no OPENWHOIS hit.

Imre Gergely (cemc) wrote :

Right. I was trying something like this, but my test messages did not trigger the OPENWHOIS test...

With your TEST CASE I can confirm that the package from -proposed is working and it does NOT include the OPENWHOIS test.

tags: added: verification-done
removed: verification-needed

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package spamassassin - 3.2.4-1ubuntu1.3

---------------
spamassassin (3.2.4-1ubuntu1.3) hardy-proposed; urgency=low

  * 70_remove_open-whois.org.dpatch: Remove open-whois.org (LP: #551655)
 -- Clint Byrum <email address hidden> Thu, 02 Dec 2010 00:21:30 -0800

Changed in spamassassin (Ubuntu Hardy):
status: Fix Committed → Fix Released

Andy Brody (abrody) wrote :

That did the trick. Thanks.
