Hi,
I tried to trace this further, and I believe it's related to the
Redirectors plugin from v402.

When I comment this line in v402.pre:

loadplugin Mail::SpamAssassin::Plugin::Redirectors

SpamAssassin no longer extracts or checks to8ex / to8ex.com from:

https://substack.com/signup?r=to8ex

With the plugin enabled, the debug output shows:

dbg: uri: canonicalizing html uri:
https://substack.com/signup?utm_source=substack&utm_medium=email&utm_content=footer&utm_campaign=autofilled-footer&[email protected]&r=to8ex
dbg: uri: cleaned uri:
https://substack.com/signup?utm_source=substack&utm_medium=email&utm_content=footer&utm_campaign=autofilled-footer&[email protected]&r=to8ex
dbg: uri: canonicalizing parsed uri: http://to8ex
dbg: uri: cleaned uri: http://www.to8ex.com
dbg: uri: added host: www.to8ex.com domain: to8ex.com
dbg: uri: cleaned uri: http://to8ex
dbg: uridnsbl: considering host=www.to8ex.com, domain=to8ex.com

With Redirectors disabled, the synthetic to8ex.com URI is not generated.

I do not have a local redirector_pattern or url_redirector entry for
substack.com/signup. The only stock rule I found appears to be:

url_redirector substack.com/redirect/

So the question is whether Redirectors is treating arbitrary short query
parameter values, such as r=to8ex, as redirect targets and canonicalizing
them as hostnames. That seems unsafe because it causes URIDNSBL checks
against domains that were not actually present in the message.

On Sat, Jun 20, 2026 at 10:49 PM John Hardin <[email protected]> wrote:

> On Sat, 20 Jun 2026, Alex wrote:
>
> > SpamAssassin 4.0.3 appears to incorrectly promote a URL query
> > parameter value into a standalone URI hostname and then performs
> > URIDNSBL lookups against the generated domain.
> >
> > Observed behavior:
> >
> > Input message contains only the following URI:
> >
> > https://substack.com/signup?r=to8ex
> >
> > Debug output shows SpamAssassin correctly parsing the original URI:
> >
> > Jun 20 17:04:48.788 dbg: uri: canonicalizing parsed uri:
> > https://substack.com/signup?r=to8ex
> > Jun 20 17:04:48.788 dbg: uri: cleaned uri:
> https://substack.com/signup?r=to8ex
> > Jun 20 17:04:48.788 dbg: uri: added host: substack.com domain:
> substack.com
> >
> > Immediately afterward, SpamAssassin creates a second URI which does
> > not exist in the message:
> >
> > Jun 20 17:04:48.821 dbg: uri: canonicalizing parsed uri: http://to8ex
> > Jun 20 17:04:48.822 dbg: uri: cleaned uri: http://to8ex
> > Jun 20 17:04:48.822 dbg: uri: cleaned uri: http://www.to8ex.com
> > Jun 20 17:04:48.822 dbg: uri: added host: www.to8ex.com domain:
> to8ex.com
>
> I cannot reproduce this in my sandbox:
>
> jhardin@davinci ~/develop/spamassassin/testing $ grep uri: result
> Jun 20 19:42:00.009 [3067949] dbg: uri: canonicalizing parsed uri:
> https://substack.com/signup?r=to8ex
> Jun 20 19:42:00.009 [3067949] dbg: uri: cleaned uri:
> https://substack.com/signup?r=to8ex
> Jun 20 19:42:00.009 [3067949] dbg: uri: added host: substack.com domain:
> substack.com
> Jun 20 19:42:02.035 [3067949] dbg: uri: running uri_detail
> __URI_DOTCN_SPOOF: https://substack.com/signup?r=to8ex
> Jun 20 19:42:02.039 [3067949] dbg: uri: running uri_detail
> T_MXG_BING_REDIR_SUSP: https://substack.com/signup?r=to8ex
> Jun 20 19:42:02.043 [3067949] dbg: uri: running uri_detail
> __ALL_URIDETAIL_TEXT: https://substack.com/signup?r=to8ex
> Jun 20 19:42:02.044 [3067949] dbg: uri: running uri_detail
> __MXG_UNSUB_LINK01: https://substack.com/signup?r=to8ex
> Jun 20 19:42:02.051 [3067949] dbg: uri: running uri_detail MXG_EMAIL_FRAG:
> https://substack.com/signup?r=to8ex
> Jun 20 19:42:02.201 [3067949] dbg: uri: canonicalizing parsed uri:
> https://substack.com/signup?r=to8ex
> Jun 20 19:42:02.201 [3067949] dbg: uri: cleaned uri:
> https://substack.com/signup?r=to8ex
> Jun 20 19:42:02.201 [3067949] dbg: uri: added host: substack.com domain:
> substack.com
> jhardin@davinci ~/develop/spamassassin/testing $
>
>
> Do you have a locally-defined redirector rule? There is one for substack
> in the base ruleset but it does not match that pattern:
>
> jhardin@davinci ~/develop/spamassassin/svn/trunk $ grep -r substack rules*
> rules/25_url_redirectors.cf:    url_redirector substack.com/redirect/
> jhardin@davinci ~/develop/spamassassin/svn/trunk $
>
> There are no `redirector_pattern` rules for substack in the base ruleset.
>
>
> --
>   John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>   [email protected]                         pgpk -a [email protected]
>   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>   614 days since SpaceX caught the SuperHeavy booster on the first try
>

Reply via email to