Hi, I hoped I could follow up on this. The issue is most certainly with the redirectors plugin from v402. # ls -l /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/Redirectors.pm -r--r--r-- 1 root root 43525 Jun 21 20:00 /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/Redirectors.pm
Jun 24 22:20:58.866 [1769470] dbg: uri: canonicalizing html uri: https://substack.com/signup?utm_source=substack&utm_medium=email&utm_content=footer&utm_campaign=autofilled-footer&[email protected]&r=to8ex Jun 24 22:20:58.866 [1769470] dbg: uri: cleaned uri: https://substack.com/signup?utm_source=substack&utm_medium=email&utm_content=footer&utm_campaign=autofilled-footer&[email protected]&r=to8ex Jun 24 22:20:58.948 [1769470] dbg: Redirectors: Found embedded uri to8ex in https://substack.com/signup?utm_source=substack&utm_medium=email&utm_content=footer&utm_campaign=autofilled-footer&[email protected]&r=to8ex Jun 24 22:20:58.948 [1769470] dbg: uri: canonicalizing parsed uri: http://to8ex Jun 24 22:20:58.948 [1769470] dbg: uri: cleaned uri: http://www.to8ex.com Jun 24 22:20:58.948 [1769470] dbg: uri: added host: www.to8ex.com domain: to8ex.com Jun 24 22:20:58.949 [1769470] dbg: uri: cleaned uri: http://to8ex Thanks, Alex On Sun, Jun 21, 2026 at 12:59 PM Alex <[email protected]> wrote: > Hi, > I tried to trace this further, and I believe it's related to the > Redirectors plugin from v402. > > When I comment this line in v402.pre: > > loadplugin Mail::SpamAssassin::Plugin::Redirectors > > SpamAssassin no longer extracts or checks to8ex / to8ex.com from: > > https://substack.com/signup?r=to8ex > > With the plugin enabled, the debug output shows: > > dbg: uri: canonicalizing html uri: > https://substack.com/signup?utm_source=substack&utm_medium=email&utm_content=footer&utm_campaign=autofilled-footer&[email protected]&r=to8ex > dbg: uri: cleaned uri: > https://substack.com/signup?utm_source=substack&utm_medium=email&utm_content=footer&utm_campaign=autofilled-footer&[email protected]&r=to8ex > dbg: uri: canonicalizing parsed uri: http://to8ex > dbg: uri: cleaned uri: http://www.to8ex.com > dbg: uri: added host: www.to8ex.com domain: to8ex.com > dbg: uri: cleaned uri: http://to8ex > dbg: uridnsbl: considering host=www.to8ex.com, domain=to8ex.com > > With Redirectors disabled, the synthetic to8ex.com URI is not generated. > > I do not have a local redirector_pattern or url_redirector entry for > substack.com/signup. The only stock rule I found appears to be: > > url_redirector substack.com/redirect/ > > So the question is whether Redirectors is treating arbitrary short query > parameter values, such as r=to8ex, as redirect targets and canonicalizing > them as hostnames. That seems unsafe because it causes URIDNSBL checks > against domains that were not actually present in the message. > > On Sat, Jun 20, 2026 at 10:49 PM John Hardin <[email protected]> wrote: > >> On Sat, 20 Jun 2026, Alex wrote: >> >> > SpamAssassin 4.0.3 appears to incorrectly promote a URL query >> > parameter value into a standalone URI hostname and then performs >> > URIDNSBL lookups against the generated domain. >> > >> > Observed behavior: >> > >> > Input message contains only the following URI: >> > >> > https://substack.com/signup?r=to8ex >> > >> > Debug output shows SpamAssassin correctly parsing the original URI: >> > >> > Jun 20 17:04:48.788 dbg: uri: canonicalizing parsed uri: >> > https://substack.com/signup?r=to8ex >> > Jun 20 17:04:48.788 dbg: uri: cleaned uri: >> https://substack.com/signup?r=to8ex >> > Jun 20 17:04:48.788 dbg: uri: added host: substack.com domain: >> substack.com >> > >> > Immediately afterward, SpamAssassin creates a second URI which does >> > not exist in the message: >> > >> > Jun 20 17:04:48.821 dbg: uri: canonicalizing parsed uri: http://to8ex >> > Jun 20 17:04:48.822 dbg: uri: cleaned uri: http://to8ex >> > Jun 20 17:04:48.822 dbg: uri: cleaned uri: http://www.to8ex.com >> > Jun 20 17:04:48.822 dbg: uri: added host: www.to8ex.com domain: >> to8ex.com >> >> I cannot reproduce this in my sandbox: >> >> jhardin@davinci ~/develop/spamassassin/testing $ grep uri: result >> Jun 20 19:42:00.009 [3067949] dbg: uri: canonicalizing parsed uri: >> https://substack.com/signup?r=to8ex >> Jun 20 19:42:00.009 [3067949] dbg: uri: cleaned uri: >> https://substack.com/signup?r=to8ex >> Jun 20 19:42:00.009 [3067949] dbg: uri: added host: substack.com domain: >> substack.com >> Jun 20 19:42:02.035 [3067949] dbg: uri: running uri_detail >> __URI_DOTCN_SPOOF: https://substack.com/signup?r=to8ex >> Jun 20 19:42:02.039 [3067949] dbg: uri: running uri_detail >> T_MXG_BING_REDIR_SUSP: https://substack.com/signup?r=to8ex >> Jun 20 19:42:02.043 [3067949] dbg: uri: running uri_detail >> __ALL_URIDETAIL_TEXT: https://substack.com/signup?r=to8ex >> Jun 20 19:42:02.044 [3067949] dbg: uri: running uri_detail >> __MXG_UNSUB_LINK01: https://substack.com/signup?r=to8ex >> Jun 20 19:42:02.051 [3067949] dbg: uri: running uri_detail >> MXG_EMAIL_FRAG: https://substack.com/signup?r=to8ex >> Jun 20 19:42:02.201 [3067949] dbg: uri: canonicalizing parsed uri: >> https://substack.com/signup?r=to8ex >> Jun 20 19:42:02.201 [3067949] dbg: uri: cleaned uri: >> https://substack.com/signup?r=to8ex >> Jun 20 19:42:02.201 [3067949] dbg: uri: added host: substack.com domain: >> substack.com >> jhardin@davinci ~/develop/spamassassin/testing $ >> >> >> Do you have a locally-defined redirector rule? There is one for substack >> in the base ruleset but it does not match that pattern: >> >> jhardin@davinci ~/develop/spamassassin/svn/trunk $ grep -r substack >> rules* >> rules/25_url_redirectors.cf: url_redirector substack.com/redirect/ >> jhardin@davinci ~/develop/spamassassin/svn/trunk $ >> >> There are no `redirector_pattern` rules for substack in the base ruleset. >> >> >> -- >> John Hardin KA7OHZ http://www.impsec.org/~jhardin/ >> [email protected] pgpk -a [email protected] >> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 >> ----------------------------------------------------------------------- >> 614 days since SpaceX caught the SuperHeavy booster on the first try >> >
