Release Notes

This document describes the changes included in each Sophos Anti-Spam Software Development Kit release. The most recent releases are described first.

Version 2.7.2 (June 2009)

This release introduces version 2.7.2 of the Sophos Anti-Spam Engine, which contains a variety of enhancements that ensure continued best protection against spam threats.

Version 2.7.1 (April 2009)

This version of the Sophos Anti-Spam Engine contains a number of fixes that ensure continued best protection against spam threats.

Version 2.7.0 (March 2009)

Version 2.7.0 of the Sophos Anti-Spam Engine contains a variety of enhancements that ensure continued best protection against spam threats. In addition, an event code and an associated core attribute have been added that provide SophosLabs with important data about the configuration of trusted relays. When the PMX_EV_FUR event code is specified, the engine determines the IP address of the first untrusted relay. This event code only takes effect if the core.event.fur attribute has also been set.

In order for this data to be useful to SophosLabs, it is recommended that you append it to an informational header, so that the IP address of the first untrusted relay is included in all false positives and false negatives submitted to Sophos. The format for this header is described in the "Event Codes" section of the Anti-Spam Engine Reference.

See the "Anti-Spam Engine Reference" and "Anti-Spam Engine Attributes" sections of the documentation for more about PMX_EV_FUR and core.event.fur.

Version 2.6.1 (September 2008)

Version 2.6.1 of the Sophos Anti-Spam Engine contains a variety of enhancements that ensure continued best protection against spam threats. In addition, specific improvements to the way in which the anti-spam engine alerts Sophos about SXL issues will result in fewer SXL-related timeouts.

For optimal performance, it is recommended that you enable the Feedback Tool. Turning on this feature provides statistical information to SophosLabs about spam that has been processed by the anti-spam engine. See the "Using the Anti-Spam Engine" section of the documentation for more information.

The following improvements have also been made:

  • Previously, when performing SXL look-ups, the engine queried DNS servers using the round robin technique. This sometimes caused delays if servers were unavailable. The engine now queries the primary DNS server first, querying secondary servers only when it is necessary. This has increased engine reliability and performance.
  • To comply with RFC 1918, the network 172.16.0.0/12 has been added to the group of private networks that are exempt from network-based tests. See the "net attributes" section of the documentation for more information.
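The following C example is added here and is not part of the Sophos SDK. It shows the RFC 1918 membership test behind the item above, including the 172.16.0.0/12 boundary, and applies it to the "first untrusted relay" idea from the 2.7.0 notes. The function names, the exact-match trusted list and the sample addresses are assumptions; the engine's own logic is not documented on this page.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1918 private ranges as network/mask pairs in host byte order. */
static const struct { uint32_t net, mask; } rfc1918[] = {
    { 0x0A000000u, 0xFF000000u },  /* 10.0.0.0/8     */
    { 0xAC100000u, 0xFFF00000u },  /* 172.16.0.0/12  */
    { 0xC0A80000u, 0xFFFF0000u },  /* 192.168.0.0/16 */
};

/* Constructed sample data (documentation addresses), newest hop first. */
static const char *const sample_hops[] =
    { "192.0.2.10", "172.20.1.5", "203.0.113.7", "198.51.100.9" };
static const char *const sample_trusted[] = { "192.0.2.10" };

/* Returns 1 if ip is RFC 1918 private, 0 if not, -1 if not an IPv4 literal. */
int is_rfc1918(const char *ip)
{
    struct in_addr a;
    if (inet_pton(AF_INET, ip, &a) != 1)
        return -1;
    uint32_t h = ntohl(a.s_addr);
    for (size_t i = 0; i < sizeof rfc1918 / sizeof rfc1918[0]; i++)
        if ((h & rfc1918[i].mask) == rfc1918[i].net)
            return 1;
    return 0;
}

/* Hypothetical helper: hops[] is in Received-header order (newest first).
 * Returns the first hop that is neither private nor listed in trusted[],
 * or NULL if none. Unparseable hops are never treated as private. */
const char *first_untrusted_relay(const char *const *hops, size_t nhops,
                                  const char *const *trusted, size_t ntrusted)
{
    for (size_t i = 0; i < nhops; i++) {
        int known = (is_rfc1918(hops[i]) == 1);
        for (size_t j = 0; !known && j < ntrusted; j++)
            known = (strcmp(hops[i], trusted[j]) == 0);
        if (!known)
            return hops[i];
    }
    return NULL;
}

int main(void)
{
    const char *fur = first_untrusted_relay(sample_hops, 4, sample_trusted, 1);
    puts(fur ? fur : "(none)");
    return 0;
}
```

The /12 mask covers 172.16.0.0 through 172.31.255.255 only, so 172.32.0.1 is a public address and must not be exempted.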

Version 2.6.0 (November 2007)

This release contains the following improvements:

  • SXL Plug-In: Performs real-time, DNS-based queries to Sophos regarding IP addresses, URIs within messages, and image fingerprints. Queries are triggered when the anti-spam engine has been unable to determine if a message is spam. These real-time lookups provide zero latency between the time that Sophos makes new anti-spam data available and when it is available for use by the anti-spam engine. This functionality is enabled by default. For more information, see "SXL Attributes" in the Anti-Spam Attributes section.
  • Feedback Tool: This tool makes it possible to report summary statistics to Sophos about spam that has been processed by the anti-spam engine. SophosLabs uses this information to improve the engine's ability to detect spam. You are strongly encouraged to enable this feature. For more information, see "Feedback Tool" in the Using the Anti-Spam Engine section.

Version 2.5.2 (July 2007)

This release provides SophosLabs with new tools to combat spam in PDF and other attachment formats.

Version 2.5.1 (March 2007)

This release extends detection capabilities to further improve SophosLabs' ability to respond to image spam campaigns.

In addition, a new core attribute has been added, core.data-version, which returns the version of the anti-spam data that the engine currently uses.

Version 2.5.0 (October 2006)

Version 2.5.0 improves the sender information available to SophosLabs for use in spam rules.

To take advantage of these enhancements, ensure that you are using the plugin.net.trusted-relays attribute.

Version 2.4.0 (May 2006)

Version 2.4.0 contains significant improvements to "spam identities" (checksum/signature-based detection) that will enable SophosLabs to respond to certain HTML and image spam campaigns more quickly.

This release no longer includes the pmx-compile utility included in previous releases of the Anti-Spam Engine.

Version 2.3.0.0 (February 2006)

This release includes the following new features:

Improvements
The character set of a message is now identified early on in message processing. Anti-spam rules can now specify which character set they apply to. This allows SophosLabs to publish language-specific rules which are used only on messages of a matching character set.

A new stop_scan option allows the engine to stop scanning a message once it is definitively determined to be either spam or not spam. This increases the efficiency of the engine. As further rules are not triggered after the scanning is stopped, the cumulative spam score may be different and the excluded rules will not appear in anti-spam reports and headers. This option is disabled by default.

The sig plugin can now be used effectively against messages larger than 10K. SophosLabs now publishes spam identities for individual paragraphs within these larger messages.

URI extraction is now much faster, which has improved the throughput performance of the engine.

Version 2.2.0.0 (January 2006)

This release includes the following new features:

New Plugin
The redb plug-in works like the re plug-in by extracting certain patterns from a message and checking the extracted portions against various databases generated by SophosLabs (for example, databases of phone numbers owned by known spammers).

Version 2.1.0.0 (July 2005)

This release includes the following new features:

New Plugin
The sig plugin checks messages against "spam identities" generated by SophosLabs. Spam identities are content-based checksums generated from captured spam used to detect messages from specific spam campaigns.
Improvements
URI extraction is much more aggressive in what is considered a URI. More URI forms are recognized (for example, raw, canonicalized, path-less) including phishing targets.

The message size limit (core.max-bytes-scanned attribute) has been increased from 8K to 10K.

Improved obfuscated word and invisible text detection.

Version 2.0.3.2 (April 2005)

Bug Fixes
This release fixes a bug which caused the word_obfu plugin to produce inconsistent results.

Version 2.0.3.1 (March 2005)

Bug Fixes
This release fixes a bug which caused excessive scan times for messages containing large blocks of repeated characters.

Version 2.0.3.0 (January 2005)

This release includes the following new features:

Bug Fixes
Fixed a bug where messages containing long repeats of the same character would take a long time to scan.

Fixed a bug where comments in /etc/resolv.conf settings were being ignored.

Documentation Fixes
The documentation has been updated to reflect the changes from 1.6 to 2.0.

Version 2.0.2.0 (October 2004)

This release includes the following new features:

Heuristic Updates
New Rules
Added new rules to catch 419 Nigerian spam and "unobfuscated" medical spam.
Rules Removal
Removed several rules due to false positives.
Improvements
Improved both the obfuscated word detection system and the invisible text detection system.
Bug Fixes
Major fix to the obfuscated word detection system where SDK versions 1.6.x.x would erroneously fire on "not-spam" emails.

Major fix to the SpamEngine to prevent it from crashing on complex MIME messages.

DNSBLs
Added several third party DNSBLs. These DNSBLs are disabled and in a zero weighted state. Be advised that enabling these DNSBLs may require permission from the DNSBL provider. Be aware that enabling and weighting blackhole DNSBLs causes all mail from a specified region to be caught as spam, regardless of actual content.

Version 2.0.1.0 (September 2004)

This release includes the following new features:

Rules Removal
Many rules have been removed in this release. These rules were removed for any of the following reasons: causing false positives, having no appreciable weight, or no longer firing in spam.
Bug Fixes
Minor fixes to the obfuscated word detection system and the URI extraction system.
Heuristic Updates
Various heuristic updates and rule modifications.

Version 2.0.0.0 (August 2004)

This release includes the following new features:

Compiled Data
The anti-spam engine now reads data from a single binary file. All engines share the same binary file, reducing the CPU time and memory required to initialize the engine.
Lower Memory Usage
Each thread memory maps the same compiled data. Additionally, the per-thread memory usage is lower than previous versions due to various internal optimizations.
Faster Scanning
This engine version provides a small performance increase over previous versions.
Message Sharing Support
A PMX_MESSAGE object created in one thread can be scanned by a PMX_ENGINE object in another thread. Applications can employ a pool of threads that create PMX_MESSAGE objects, and use a different pool of scanner threads.
High-Memory Watermarks
The PMX_MESSAGE object has several layers of high water marks that prevent large or pathologically complex messages from consuming resources.
Message Size
The default maximum message size is 64 KB. Once the message reaches its watermark, further calls to append() are silently ignored. Previously, large messages could cause large amounts of RAM to be allocated.
Number of MIME Parts
The maximum number of MIME parts is 128. Previously, there was no limit to the number of MIME parts.
Extended PMX_MESSAGE API
The PMX_MESSAGE object returned from the create_message() method can be cast into a PMX_MESSAGE_WRITABLE object. This exposes a new virtual function table that provides several new features.
Provide Connection Information
Applications can use the PMX_MESSAGE_WRITABLE interface to set the envelope sender and envelope recipients, set the relay IP address and relay hostname, and set the SMTP HELO line.
Append From File
A PMX_MESSAGE object can be configured to read on-demand from a file:
wmsg->wvtbl->read_from_file(wmsg, "filename");
Append From Callback Function
A PMX_MESSAGE object can call an application provided callback function whenever more data needs to be read:
wmsg->wvtbl->read_from_func(wmsg, &reader);

Known Issues:

Linux threading (26724)
The Linux version of the SDK is thread safe, but recycling the engine results in a memory leak. For this reason, using the engine in a threaded application is not recommended.