SpamTitan Release Notes
The latest version of SpamTitan contains new features and enhancements that provide you with even better email security. To keep your SpamTitan solution as efficient as possible we recommend you update to the latest version, providing you with the very latest updates and fixes. You can do this for free today!
The release notes below outline the upgrades and improvements for each SpamTitan release.
If you are a SpamTitan Cloud customer, your updates are managed automatically.
If you are a SpamTitan Gateway customer, take a look at Guidelines for Updating SpamTitan Gateway before you update.
When you are ready, go to System Setup > System Updates to manage updates. See System Update Settings for more information.

SpamTitan 7.09
Released: September 2020
What's new?
SpamTitan can now generate Let’s Encrypt certificates. This allows customers to deploy free, trusted and secure certificates and will also support automatic renewal.
What has been improved?
The terms Whitelist and Blacklist have been replaced with Allow List and Block List.
The terms Master/Slave have been replaced with Primary/Secondary.
Improve performance for large mails in the SpamTitan milter.
Backups are now encrypted to prevent tampering. Encrypted backups can't be tampered with or deleted.
Thank you to Miroslaw Menard and Felipe Molina for reporting the security vulnerability.
What has been fixed?
A number of issues with sandboxing have been fixed:
Sandboxed mail can now be released, as expected, assuming the user/admin has the rights to release a virus.
Sandboxed mail automatically release if they fail to process up to 5 times.
Sandboxed mail now scans all attachments in parallel.
Fixed issues with backups.
Fixed regressions introduced in 7.08.

SpamTitan 7.08
Released: May 2020
Fixed Vulnerabilities
CVE-2020-24046: Restricted shell escape through a manipulated backup file.
CVE-2020-24045: Restricted shell escape through a fake VMWare ISO.
CVE-2020-11804: Improper sanitization of the quid mail queue parameter.
CVE-2020-11803: Improper sanitization of the jaction mail queue parameter.
CVE-2020-11700: Improper sanitization of certificates parameter allowing retrieval of arbitrary files.
CVE-2020-11699: Improper sanitization on certificates page allowing execution of code.
CVE-2020-11698: Improper sanitization on SNMP page that could allow attacker gain root shell.
What's new?
Two-factor authentication (2FA) is now available in SpamTitan. This adds a layer of protection by denying access with just a password. Go to Settings > User Management > Two-Factor Authentication (2FA) to enable 2FA.
An option is now available to reject SPF failures when a DMARC policy is set to none.
The following endpoints have been added to the SpamTitan API set:
history search/trace
support connection management
license management.
See api-spamtitan.titanhq.com for more information on SpamTitan APIs.
What has been improved?
The spam catch rate has improved with an update to the spam rulesets. This also helps reduce false positives.
Quarantined emails can now be retrieved using SpamTitan APIs.
What has been fixed?
No longer re-enable Spam/Virus/Banned checking when fixing license issues if they were previously disabled.
Resolved issue where rate controls rules for internal networks may not work correctly.
Fix regression: updating the admin password now updates the CLI password again.
Two input sanitization vulnerabilities described above (reported by Felipe Molina de la Torre).

SpamTitan 7.07
Released: March 2020
What's new?
Quarantine reports are now available in Hungarian.
What has been improved?
The SpamTitan Outlook Plugin has been updated to version 3.2.0.
The minimum password length for new passwords is now 10 characters.
ClamAV has been updated to 0.102. This resolves a denial-of-service vulnerability (CVE-2019-15961) which may occur when scanning a specially crafted email file resulting in excessively long scan times.
Include security patches for packages including OpenSSL (CVE-2019-1551), PHP, Sudo (CVE-2019-18634), file (CVE-2019-18218) and SpamAssassin (CVE-2020-1931).
What has been fixed?
The correct rule name for pattern filters with headers containing a colon is now being generated.
API issue where a license report could produce an error.
LDAP recipient verification ignoring the port being used.
API issue updating a user role.
API issue requesting quarantine items from clustered appliances.
Impersonating doesn't change the active user for API requests, allowing the RestAPI tokens to be visible.
Resolved issue which prevented the option to mark clean archived messages as spam.
False positives issues with anti-spoofing.
Sandboxed messages not being allowed to release from quarantine.
The output of the tools command was not displayed until the command had completed.
Resolved issue where the logo may appear twice on quarantine reports.
Additional cookie security attributes are now applied to prevent session stealing.
Quarantine API endpoint issue where the start date was being ignored.
Empty report for a cluster in the Domain Group Summary report.
Potential persistent XSS vulnerability when uploading a new logo.
Potential reflected XSS vulnerability with certain cookie values.
Potential reset of database time zone setting on reboot.
Issue of adding domains via the API which were specified with round-robin destination servers.

SpamTitan 7.06
Released: November 2019
What's new?
This release sees the introduction of the new RestAPI for SpamTitan. See api-spamtitan.titanhq.com for full details.
You can now filter email addresses when using list-based recipient verification.
What has been improved?
Included security patches for packages including OpenSSL, OpenSSH, PHP, ClamAV and Sudo.
Disabled support for SSLv3 and disabled weak ciphers.
Patches, spam rule updates and hotfixes are now retrieved over HTTPS.
What has been fixed?
The following issues have been resolved in this release:
Rate controls not tracking the correct email address.
Domain group pattern filters not adding to the correct domain group if the domain group admin is an admin for two or more domain groups.
From Name impersonation may falsely trigger.
Issue generating domain summary reports.
The issue with importing list recipients.
Issue generating quarantine reports in the correct language.
Potential issue generating quarantine reports in a clustered environment.
Issue viewing pattern filters that included meta-rules.
Rate control notification issues.
Emails in Russian may be marked as executables and blocked as banned attachments.
Issue delivering multiple daily scheduled reports.
A cosmetic issue where UI OLEMacro option would specify 'Nothing' when actually set to 'Send to Sandbox'.
An issue with whitelisted IPs when IP is also listed in Trusted networks.
An issue with per-domain attachment filtering.
Bitdefender daemon potentially consuming 100% CPU.

SpamTitan 7.05
Released: July 2019
What's new?
A user's full name can now be added to their policy, allowing for the prevention of impersonation attacks.
Pass and Tag Banned Attachments can now tag the subject.
ClamAV Link Detection using Google's Safe Browsing database is now included. This adds a score of 3 to any email with a link on the Safe Browsing database.
What has been improved?
You can now search the trusted networks table by using the comment field.
Address shortening for Quarantine Reports is now disabled by default and can be enabled by Support.
Future patches (starting in SpamTitan 7.06) will only be allowed to install if all nodes in a cluster are capable of installing the patch.
Punycode support to whitelists and blacklists for IDNAs.
The anti-spoof tool now triggers - with a reduced score - on similar domains that aren't exact matches (fuzzy matching).
What has been fixed?
Rate Controls no longer cause a large spike in CPU usage.
Display of the anti-spoofing page in French.
Outbound mail with no envelope from (bounce back mail) will now be DKIM signed.
Fixed issue where SPF rejection wasn't working if DMARC compliance was disabled.
Fixed issue where SPF best guess was applying even if DMARC compliance was disabled.
Quarantine report tokens were being invalidated too early.
Tagged subjects in non-UTF8-compliant languages such as Japanese, Chinese or Arabic were being rewritten as question marks.
Performance of domain management.
Deleting domains via API took a long period of time.
Clusters with a large number of domains across a large number of nodes were slow to finish licensing.
Releasing issue on a sandboxed file for multiple recipients.
Issue when adding an IPv6 address to internal networks.
The anti-spoof tool occasionally stops triggering.
Importing a list of aliases by file now converts to lowercase before importing.
If blacklist is enabled in the header, the blacklist button now properly adds to the blacklist.
Quarantine report footer text may display twice.
Filtering history issue with a subject containing an apostrophe.

SpamTitan 7.04
Released: March 2019
Fixed Vulnerabilities
CVE-2019-6800: the hotfix mechanism using the HTTP protocol rather than HTTPS. Reporting credit: Patrik Forslind, Sentor SOC.
What's new?
With this release, we introduced sandboxing. SpamTitan can now detect if an attachment needs to be sandboxed. If it does, SpamTitan will put the mail on hold while it tests each attachment in a sandboxed environment.
SpamTitan now supports DMARC conformance and reporting. Mail will be DMARC tested and will be quarantined/rejected according to the DMARC policy. Reports will be sent daily.
Mail released from DMARC quarantine will then go through the standard anti-spam process and may be returned to quarantine.
Mail quarantined by DMARC will not appear in Quarantine Reports by default. This can be enabled under Quarantine > Settings > Advanced.
SpamTitan now supports ARC signing and authentication of inbound mail.
What has been improved?
Spam mail released from Quarantine will be re-scanned for a virus upon release, and thus may be re-quarantined (if containing a virus).
Future updates (after 7.04) will have a confirmation popup when attempting to install.
Archive clean mail has been modified to Archive mail; Pass and tagged mail will now be quarantined as well if Archive Mail is enabled, in addition to being delivered.
Very long email addresses now get shortened in quarantine reports.
If the Quarantine Report subject contains %u, the %u will be replaced with the recipient's email address.
What has been fixed?
Fixed issue where domains still get a relay denied after adding them to the system.
CVE-2019-6800: vulnerability with hotfix mechanism using HTTP protocol rather than HTTPS.

SpamTitan 7.03
Released: January 2019
What's new?
Resetting the password of the system admin account will send the new password to the email address on the license.
What has been improved?
Ignoring a line using a content filter will now be logged.
The global and domain group interface has been updated to manage antispoof settings.
If you add an alias entry that does not contain the primary email address as an alias, SpamTitan now automatically adds the primary email address as an alias.
What has been fixed?
Reporting of errors for greylisting Sender Name Exemptions.
An issue where if a user has a user policy, they can now request a password using the "Forgot my password" feature.
Fixed issue where adding a top-level administrator failure makes the "Role" dropdown empty.
Quarantine reports no longer show 'too many items to display' when they do not have too many items to display.
Email quarantined as spam for one recipient, but marked as clean for another, no longer prevents the message from being released.
'Include Subdomains' not toggling when editing multiple blacklist and whitelist entries.
LDAP auth settings are now being saved properly.
Clustering display issue with Internal Networks table.
Editing a pattern filter causes it to not take effect immediately.
Reject Unknown Sender Domain not being recorded in statistics.
Backups missing data.
LDAP SASL Authentication not using email addresses.
Editing banned attachment rules.
Issue disabling banned attachments globally.
Display issue for banned items in quarantine reports.

SpamTitan 7.02
Released: November 2018
What's new?
Attachment filters can now be managed on a per domain-group and per-domain basis.
Pattern Filters have been improved and you can now:
manage pattern filters on a per domain-group and per-domain basis.
define a score for your pattern filters.
create pattern filters without having to use regular expressions.
create meta-rule pattern filters which allow you to create a pattern filter that triggers on multiple rules.
You can now restrict roles from reading mail in the History and Quarantine tabs.
ClamAV has additional features:
Third-Party Databases - Allows ClamAV to utilize additional databases such as YARA and Sanesecurity to block viruses.
Block OLE Macros - Allows ClamAV to block all .doc and .xls files with OLE macros.
A domain admins can now specify valid locations to receive mail from to prevent From: header spoofing.
You can now blacklist IPs if they are in the Top 10 Virus or Spam relays.
Client certificates can be sent to servers that request it from SpamTitan.
Senders can now be blacklisted from your quarantine reports. This option needs to be turned on in Quarantine > Settings > Advanced.
What has been improved?
Content Filtering can now be searched.
Content Filter that triggered on the mail is now displayed on the Mail Details page.
What has been fixed?
You can no longer add an alias IP that is the same as the primary IP.
Mail marked as "Passed Unchecked" is now archived if archiving is enabled.
Fixed issues related to reporting of whether messages were delivered or not.
Archived email deleted from quarantine has a 'blocked' delivery status.
Quarantine report tokens may be missing in a cluster environment.
Resolved issue where SpamTitan would respond to SNMP queries from anywhere even when the Allowed hosts' list is empty.

SpamTitan 7.01
Released: July 2018
Fixed Vulnerabilities
CVE-2018-15136: Possible to disable filtering for specific users.
What's new?
There is a new API for managing domain group whitelists and blacklists.
Option to use SNMPv3 and disable SNMPv2.
You are now able to set the port for Remote Syslog.
A new policy management option to send NDRs if mail is quarantined.
You can now allow SpamTitan to follow URL Shortener links and detect dangerous links behind them. This option needs to be enabled in Anti-Spam Engine > Settings.
You can now export aliases in Quarantine > Aliases.
You can now specify the domain group when importing domains.
Line wrapping in regular expression matching is now optional in content filtering.
A global administrator can now schedule domain group summary reports.
Outbound relay can be restricted to domains filtered by SpamTitan.
Trusted networks can be synchronized in a clustered environment.
A cluster environment can be set up over NAT.
What has been improved?
The login link in a quarantine report now automatically logs you in.
Quarantine report links are now tokenized and have a maximum life span (reported by Pablo Lorenzo).
Added missing Amazon S3 bucket locations.
Added option to set up a cluster environment over NAT.
What has been fixed?
RBL and SPF checks were not being bypassed for whitelisted IPs.
Pattern and content filtering issue that removed everything after angle brackets.
SNMP log is not getting rotated.
The error generated saving HTTPS settings when using a custom port and updating the SSL certificate.
Special characters being treated as regular expression functions when content filters were set to 'contains.
DKIM validation did not follow CNAME records.
Certain characters were being incorrectly encoded in notification emails.
Automated backups encoding certain characters in the SFTP password.
The error generated when manually running SFTP backups from the UI.
SMTP HELO name reset by a bulk update in cluster environments.
Quarantine reports being issued if a mail is blocked by a content filter, even though displaying content filters in quarantine reports is disabled.
Line count display issue in PDF reports.
Content filters intended to trigger on headers sometimes triggering on attachments.
API reports on Kaspersky instead of Bitdefender.
Certain characters being encoded in LDAP Recipient Verification settings.
History does not load when a user sign-in has capitalization in the username.
IP delivery pools show as being used by domains, but don't exist on the system.
'Access denied' message when releasing or deleting mail from history.
HTTPS not enabling after an attempt to enable is made.
Empty file downloading when downloading a self-signed certificate's private key.
SASL authentication not starting when using LDAP authentication.

SpamTitan 7.00
Released: March 2018
What's new?
Bitdefender is now SpamTitan's primary anti-virus engine.
What has been improved?
ClamAV is updated to version 0.99.3. This is a security release resolving potential denial of service attacks:
ClamAV UAF (use-after-free) vulnerabilities (CVE-2017-12374).
ClamAV buffer overflow vulnerability (CVE-2017-12375).
ClamAV buffer overflow in handle_pdfname vulnerability (CVE-2017-12376).
ClamAV mew packet heap overflow vulnerability (CVE-2017-12377).
ClamAV buffer over-read vulnerability (CVE-2017-12378).
ClamAV buffer overflow in messageAddArgument vulnerability (CVE-2017-12379).
ClamAV null dereference vulnerability (CVE-2017-12380).
Include security patches for packages including OpenSSL, OpenSSH, PHP, and Wget.