Bug in SpamAssassin over New Year led to emails being incorrectly flagged as spam

News by Dan Raywood

A bug in SpamAssassin over the New Year led to many emails incorrectly being flagged as spam and blocked.


Daniel Axsäter, chief executive officer of CronLab, claimed that this was a fairly serious incident that was causing problems for the email filtering community. He explained that many filtering companies and internet service providers use SpamAssassin as a base but add their own rules and/or third-party blacklists on top of it.

However, he said that the bug, which CronLab was able to avoid, caused emails to be erroneously flagged as spam: a date-stamp rule made every email dated 2010 more likely to be classified as spam.

He said: “If I received an email that was dated 2014 it would sit at the top of my inbox until 2014 and this obviously needs to be prevented. The scoring system in the SpamAssassin rule-set started labelling more emails as ‘spam’. With this erroneous rule in place there could easily be a false positive rate of five to ten per cent rather than the industry norm of less than one in a million.”

He said that changing the rule's cut-off year from 2010 to, for example, 2015 would have prevented the problem: emails with forged date headers still need to be stopped, but as of a week ago a 2010 date was obviously no longer a forgery.

In terms of the impact, Axsäter admitted that online companies who rely on newsletters for promotion could see a downturn in business, since their emails would have been flagged as spam.

“Maybe the newsletter is suspicious and as it comes through it has three points added to it, the rule is to start treating an email as spam at over six points, and this can stop newsletters coming through,” he said.
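The two mechanisms Axsäter describes, a date rule with a hardcoded year that went stale on 1 January 2010 and the additive scoring that tips a borderline newsletter over the threshold, as an added example that is not from the article or from SpamAssassin's own code. The regex is the one SpamAssassin's FH_DATE_PAST_20XX rule matched against the Date header; the point values, the baseline score and the sample headers are constructed to fit the figures quoted above, and the relative-time check is the alternative a defender would write in place of a fixed year.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

THRESHOLD = 6.0      # article: mail is treated as spam at over six points
BASELINE = 3.5       # constructed: points a suspicious-looking newsletter already carries
RULE_SCORE = 3.0     # article: the date rule adds three points

# Fixed-year rule: SpamAssassin's FH_DATE_PAST_20XX matched /20[1-9][0-9]/ in the
# Date header, i.e. any year 2010..2099. Sensible while the clock read 2009; wrong
# for every legitimate message from 1 Jan 2010 onwards.
FIXED_YEAR_RE = re.compile(r"20[1-9][0-9]")

def fixed_year_rule(date_header: str, now: datetime) -> float:
    """Add RULE_SCORE whenever the Date header holds a year 2010-2099 (ignores now)."""
    return RULE_SCORE if FIXED_YEAR_RE.search(date_header) else 0.0

def relative_future_rule(date_header: str, now: datetime,
                         slack: timedelta = timedelta(days=2)) -> float:
    """Add RULE_SCORE only when the Date header is more than `slack` ahead of `now`.

    Comparing against the current time means the rule never goes stale the way a
    hardcoded year does, yet a 2014 date seen in 2010 is still caught."""
    try:
        sent = parsedate_to_datetime(date_header)
    except (TypeError, ValueError, IndexError):
        return RULE_SCORE          # an unparseable Date is itself a spam signal
    if sent.tzinfo is None:        # a "-0000" zone yields a naive datetime; treat as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return RULE_SCORE if sent - now > slack else 0.0

def score_message(date_header: str, now: datetime, rule) -> tuple[float, bool]:
    """Additive scoring in the SpamAssassin style: return (total, is_spam)."""
    total = BASELINE + rule(date_header, now)
    return total, total > THRESHOLD

if __name__ == "__main__":
    now = datetime(2010, 1, 4, 12, 0, tzinfo=timezone.utc)   # first working week of 2010
    legit = "Mon, 04 Jan 2010 09:15:00 +0000"                  # constructed genuine newsletter
    forged = "Sat, 04 Jan 2014 09:15:00 +0000"                 # constructed far-future forgery
    for name, rule in (("fixed-year", fixed_year_rule), ("relative", relative_future_rule)):
        for label, hdr in (("legit 2010", legit), ("forged 2014", forged)):
            print(f"{name:11} {label}: score, spam = {score_message(hdr, now, rule)}")
```

Under the fixed-year rule the genuine January 2010 newsletter and the forged 2014 message receive the same 6.5 points and are both blocked; the relative check blocks only the forgery.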

“Many ISPs and email filtering providers immediately delete all spam and then they can't do a post mortem analysis in a situation like this. Instead we store all spam for 30 days so even if we had been affected by this bug we could have checked the spam over again to have the legitimate emails delivered. This is obviously impossible if you delete all spam straight away.”

“Numerous both large and small ISPs around the world were affected by this bug and lost their clients' emails. Clients should demand more from their ISPs and spam filtering providers; not only should the filters be continuously updated, but spam needs to be stored for a period of time as well.

“In addition to this, borderline spam should be made visible to the end-user through a quarantine to ensure that no real emails are mistakenly caught. By adhering to these three principles we not only avoided this situation, but we even had two further backup plans in place even if the first one failed.”
