https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8337
Bug ID: 8337
Summary: SpamAssassin creates malformed X-Ham-Report header
(Content preview) with unescaped Unicode BOM
Product: Spamassassin
Version: unspecified
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: spamc/spamd
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: Undefined
Created attachment 6023
--> https://bz.apache.org/SpamAssassin/attachment.cgi?id=6023&action=edit
example bounce message including the malformed header
Note this is NOT about a false positive spam detection!!! This is about a
message that passes spam detection but then is labeled with a malformed
X-Ham-Report header.
When checking a message that has a Unicode BOM (=EF=BB=BF) near the start of
the message body, SpamAssassin adds an X-Ham-Report header saying:
> X-Ham-Report: Spam detection software, running on the system
> "st3.supportedns.com",
> has NOT identified this incoming email as spam. The original
> message has been attached to this so you can view it or label
> similar future email. If you have any questions, see
> root\@localhost for details.
> Content preview: Amazing! I always seem to hit them square on. Peter > On 14
> Jul 2025, at 22:40, Chris Pirazzi wrote: > >  > > missed it by that
> much...
Note that on that last line, right before " > > missed it by that", there is an
unescaped Unicode BOM, which came from the message body. It shows up as 3
squiggly characters.
SpamAssassin needs to escape or omit the BOM character, as it is illegal to
include in SMTP headers.
This causes subsequent mail handlers that access the message to (correctly)
reject the message with "550 Headers contain illegal byte order mark (BOM)".
So there is a bug in the spamassassin code that generates the "Content preview"
snippet that goes into the X-Ham-Report header.
I would imagine this bug applies to all sorts of other characters too that are
outside the character set required for SMTP, not just BOM.
This is running on my shared hosting provider's CloudLinux v8.10.0 server with
cpanel. I do not know the SpamAssassin version (I do not have root access on
the server), but my provider is usually excellent with updating all packages
that are available via dnf.
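To make the failure mode in this report concrete, the following is an added Python illustration; it is not SpamAssassin's own code (which is Perl) and not the contents of attachment 6023. It shows a naive "Content preview" builder that lets a body BOM (U+FEFF, bytes EF BB BF) leak into the X-Ham-Report header, the 7-bit sanitizer that a fix would need (RFC 5322 field bodies are printable US-ASCII plus SP/HTAB unless encoded), and the byte check a strict receiving MTA performs before answering with a 550. The sample message, the header wording, the decision to drop U+FEFF and replace other disallowed characters with "?", and all function names are my own constructions.

```python
"""Added illustration of the reported X-Ham-Report BOM leak and a fix.
Not SpamAssassin code; sample message and names are constructed."""
import re

# Constructed sample (not attachment 6023): a UTF-8 BOM (EF BB BF) sits on a
# quoted line of the body, as the report describes.
SAMPLE_MESSAGE = (
    b"From: peter@example.invalid\r\n"
    b"To: chris@example.invalid\r\n"
    b"Subject: Re: missed it\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Amazing! I always seem to hit them square on.\r\n"
    b"Peter\r\n"
    b"> On 14 Jul 2025, at 22:40, Chris Pirazzi wrote:\r\n"
    b">\r\n"
    b"> \xef\xbb\xbf\r\n"
    b"> > missed it by that much...\r\n"
)

BOM = "\ufeff"          # U+FEFF as a str; EF BB BF once UTF-8 encoded
BOM_BYTES = b"\xef\xbb\xbf"


def split_message(raw: bytes):
    """Split a raw RFC 5322 message into (header block, body) at the first blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


def naive_preview(body: bytes, max_len: int = 200) -> str:
    """Preview built the way the report observes it: decode the body, collapse
    whitespace, truncate.  U+FEFF is not whitespace, so it survives (the defect)."""
    text = body.decode("utf-8", errors="replace")
    text = re.sub(r"\s+", " ", text).strip()
    return text[:max_len]


def sanitize_header_text(text: str) -> str:
    """Restrict a header value to what RFC 5322 allows unencoded: printable
    US-ASCII (0x21-0x7E) plus SP and HTAB.  U+FEFF is dropped because it is
    invisible; any other disallowed character becomes '?' (my choice here,
    an assumption, not SpamAssassin's actual behaviour)."""
    out = []
    for ch in text:
        if ch == BOM:
            continue
        if ch in " \t" or 0x21 <= ord(ch) <= 0x7E:
            out.append(ch)
        else:
            out.append("?")
    return re.sub(r" {2,}", " ", "".join(out))


def safe_preview(body: bytes, max_len: int = 200) -> str:
    """Fixed preview: the naive snippet passed through the 7-bit sanitizer."""
    return sanitize_header_text(naive_preview(body, max_len))


def add_ham_report(raw: bytes, preview: str) -> bytes:
    """Prepend a folded X-Ham-Report header carrying the given preview."""
    head, body = split_message(raw)
    report = (
        "X-Ham-Report: Spam detection software has NOT identified this "
        "incoming email as spam.\r\n"
        " Content preview: " + preview + "\r\n"
    ).encode("utf-8")
    return report + head + b"\r\n\r\n" + body


def header_violations(raw: bytes):
    """What a strict receiving MTA checks: every header byte must be 7-bit and,
    apart from HTAB (CR/LF are the line terminators), non-control.  Returns a
    list of (header name, description), one finding per offending line."""
    head, _ = split_message(raw)
    problems = []
    current = None
    for line in head.split(b"\r\n"):
        if line[:1] not in (b" ", b"\t"):          # not a folded continuation
            current = line.split(b":", 1)[0].decode("ascii", "replace")
        if BOM_BYTES in line:
            problems.append((current, "byte order mark (BOM)"))
        else:
            bad = [b for b in line if b >= 0x80 or (b < 0x20 and b != 0x09)]
            if bad:
                problems.append((current, "non-ASCII or control byte 0x%02x" % bad[0]))
    return problems


def demo():
    """Run both preview builders over the sample and return the MTA-style findings."""
    _, body = split_message(SAMPLE_MESSAGE)
    broken = add_ham_report(SAMPLE_MESSAGE, naive_preview(body))
    fixed = add_ham_report(SAMPLE_MESSAGE, safe_preview(body))
    return header_violations(broken), header_violations(fixed)


if __name__ == "__main__":
    bad, good = demo()
    print("naive preview:", bad)        # [('X-Ham-Report', 'byte order mark (BOM)')]
    print("sanitized preview:", good)   # []
```

The sanitizer is deliberately stricter than "strip the BOM": as the report suspects, any non-ASCII or control character that reaches an unencoded header field will trip the same receiver checks, so the whitelist approach covers those cases too.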