SpamAssassin Y2K10 Bug Causes False Positives Worldwide


Open source leverages the creativity of thousands whilst relying on a limited number of contributors to maintain and debug the software. While open source produces true positives such as Linux, a glitch in the most widely used free anti-spam software, SpamAssassin, produced false positives instead: legitimate mail was scored as spam and rejected. SpamAssassin is widely used by xSPs, organizations and universities, and also by vendors who integrate it into their own detection engines.

Each rule in SpamAssassin's engine tests a message for one specific characteristic and, if it matches, contributes a score. The scores of all matching rules are summed, and the message is tagged as spam when the total reaches the configured threshold (5.0 by default).

Until the early afternoon of January 1, 2010, SpamAssassin had a Y2K10 problem. One rule, FH_DATE_PAST_20XX, checked whether a message's Date header lay far in the future, which can indicate spam or a compromised computer. Its definition treated any year from 2010 onwards as "the far future", so as soon as senders' clocks rolled into 2010 every message, legitimate or not, picked up an extra 3.2 points. That raised the combined score of all mail and pushed a share of legitimate messages over the spam threshold, increasing the false positive ratio.

After reviewing the rule, I estimate that the false positive ratio generated by this bug could have topped 20% of legitimate traffic. It might also "confuse" the Bayesian mechanism within SpamAssassin, if legitimate mail mis-scored as spam is fed back into the Bayes database through auto-learning, and eventually cause even more trouble.

Check out the image, which shows the sequence of detection and fix by the maintainers of this open source project. The bug was reported in March 2008 and fixed in June 2009. However, the fix went into the beta (development) version of SpamAssassin and not into the rule set for the stable (current) version everyone was running. The contributors finally fixed the shipped rules at noon on January 1, 2010, meaning roughly 12 hours of false positives in Europe, Asia and Africa, and fewer hours of lost messages in North, Central and South America, where 2010 had arrived later.

SpamAssassin bug repair chain

Side note: the rule was changed so that mail dated 2020 or later receives the 3.2 points. Therefore, unless administrators' institutional memory carries through the next decade, SpamAssassin users will face a Y2K20 false positive issue as well.
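As an added example (not code from the original post or from the SpamAssassin project), the following Python models the mechanics described above and in the side note: the shipped FH_DATE_PAST_20XX pattern 20[1-9][0-9] (years 2010 to 2099), the patched pattern 20[2-9][0-9] (2020 to 2099), and a relative check that compares the Date header against the scan time, which is the shape of fix that does not expire. The 3.2 points and the 5.0 default threshold are real SpamAssassin values; the sample Date headers, the 48-hour tolerance and the 2.0 points assumed for "all other rules" are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Tuple

# Points the rule carried (3.2, as stated in the post) and SpamAssassin's
# default required_score threshold of 5.0, at or above which mail is tagged spam.
FAR_FUTURE_SCORE = 3.2
REQUIRED_SCORE = 5.0

# FH_DATE_PAST_20XX as shipped to stable users: a year literal matching
# 2010 through 2099, so every message dated 2010 got the points.
BROKEN_PATTERN = re.compile(r"20[1-9][0-9]")
# The fix: only 2020 through 2099 match, so the same failure returns in 2020.
PATCHED_PATTERN = re.compile(r"20[2-9][0-9]")


def score_literal_year(date_header: str, pattern: "re.Pattern") -> float:
    """Hard-coded-year check: points if the Date header contains a matching year."""
    return FAR_FUTURE_SCORE if pattern.search(date_header) else 0.0


def score_relative(date_header: str, now: datetime,
                   tolerance: timedelta = timedelta(hours=48)) -> float:
    """Relative check: points only if Date is more than `tolerance` ahead of `now`.

    No year literal, so it never expires. Unparseable dates score 0 here;
    a real engine would use a separate rule for malformed Date headers.
    (48 hours is an assumed tolerance, not a SpamAssassin setting.)
    """
    try:
        sent = parsedate_to_datetime(date_header)
    except (TypeError, ValueError, IndexError):
        return 0.0
    if sent.tzinfo is None:          # a "-0000" zone parses as naive; treat as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return FAR_FUTURE_SCORE if sent - now > tolerance else 0.0


def verdict(other_rules_score: float, date_score: float) -> Tuple[float, bool]:
    """Sum the far-future points with everything else and apply the threshold."""
    total = other_rules_score + date_score
    return total, total >= REQUIRED_SCORE


# Scan times used by the constructed samples below.
T_2010 = datetime(2010, 1, 1, 12, 0, tzinfo=timezone.utc)
T_2020 = datetime(2020, 1, 6, 15, 0, tzinfo=timezone.utc)

# Constructed samples: (label, Date header, time the scan runs, points from all
# other rules). 2.0 stands in for the benign points a legitimate newsletter
# often collects; it is an assumption for the example.
SAMPLES = [
    ("legit 2010", "Fri, 01 Jan 2010 09:30:00 +0000", T_2010, 2.0),
    ("legit 2020", "Mon, 06 Jan 2020 14:00:00 +0000", T_2020, 2.0),
    ("far future", "Wed, 15 Jan 2031 00:00:00 +0000", T_2010, 2.0),
]


def run_comparison(samples=SAMPLES) -> Dict[str, Dict[str, bool]]:
    """Return, per sample, whether each check strategy ends up tagging it as spam."""
    results = {}
    for label, header, now, other in samples:
        results[label] = {
            "broken_2010": verdict(other, score_literal_year(header, BROKEN_PATTERN))[1],
            "patched_2020": verdict(other, score_literal_year(header, PATCHED_PATTERN))[1],
            "relative": verdict(other, score_relative(header, now))[1],
        }
    return results


if __name__ == "__main__":
    for label, outcome in run_comparison().items():
        print(f"{label:11s} {outcome}")
```

The "legit 2010" row is the incident itself: 2.0 points of ordinary rule hits plus 3.2 from the year literal reaches the 5.0 threshold, so the message is rejected, while the relative check leaves it alone. The "legit 2020" row shows that the patched literal merely moves the cliff ten years out, whereas only the relative check separates a genuinely future-dated message from mail that is simply being scanned in a later decade.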

