SpamTitan

Built-in Web Application Firewall to provide additional protection against cross-site scripting and SQL injection amongst other attack vectors.

Sender Reputation management has been updated to provide a more complete analysis with more accurate detection of spam and clean senders.

Display name anti-spoof logic matches that of SpamTitan 9 for consistency in results across SpamTitan implementations.

Domain anti-spoof logic focusses on local domains to help determine if someone is spoofing domain(s) you own.

Improved attachment, archive and document scanning.

Quarantine report links now need user confirmation to prevent automated link analyzers from following them.

Security fixes include:

Mail no longer marked as 'sent to sandbox' in history when clean.

Sandboxing now working correctly with DMARC quarantined mail.

Users no longer receive blank quarantine reports.

Resolved an issue where Disclaimers may break attachments in emails.

ClamAV performance improvements when updating definitions has been resolved.

Issue fixed where geoblocking rules and exemptions were not getting clustered.

Virus name now getting populated in history.

Spam NDRs no longer sent for internal email.

Single Quote problem with Quarantine Reports is resolved.

Issue fixed where LinkLock scheduled reports were not delivered when a token was expired or invalid.

An issue causing rewritten links in S/MIME signed emails to break has been fixed.

REST-API: Dynamic Recipient Verification Server not being replicated to all nodes.

An additional test has been introduced for additional spoofing detection, ANTISPOOF_EMAIL_ADDRESS.

Anti-spoofing tests now check local domains only to help determine if someone is spoofing your own domain(s).

All five anti-spoofing tests may trigger on a single email.

Spam scores accumulate for each test that triggers on a single email.

The ANTISPOOF_DOMAIN_FUZZY test has been renamed to ANTISPOOF_FUZZY_DOMAIN and ANTISPOOF_NAME_FUZZY has been renamed to ANTISPOOF_FUZZY_NAME.

Top Geoblocked Countries column now appearing in the relevant view, and not independent of context.

Generated time on SpamTitan reports no longer incorrect.

Quarantine and History pages loading correctly for multibyte charset corner case.

Color scheme on the Link Lock services tab is no longer hard coded.

Sundry security vulnerabilities have been resolved.

A number of items have been fixed in relation to SpamTitan APIs:

New reports are now available to provide you with Link Lock data. From these reports, you will be able to understand the volume of links clicked that were assessed as malicious, the people who clicked on the links and the domain(s) that sent them.

Your Link Lock block page can now be customized to include your own logo, header and messaging.

Customers can now opt to have Link Lock follow redirected URLs, protecting against the commonly used phishing technique of URL redirection.

Anti-spoof logic now uses alternative To header when mime encoded To is not populated.

ANTISPOOF_NAME now supports UTF8 encoding.

White space is being correctly handled in the display name for Anti-Spoof.

Fuzzy matching deals with display names more accurately.

Display name spoofing applies to more than just the To header attribute.

Anti-spoof now ensures that the CC header is checked if items are present and fuzzy matching is applied if necessary.

Variables modified to ensure Anti-spoof attributed values in a fuzzy match are correctly considered during rule assessment logic.

ANTISPOOF_NAME triggering correctly for name-spoofed mails.

Anti-spoof logic is enhanced to achieve some performance benefits.

Fuzzy matching score increased to ensure the rule has impact.

Multiple issues causing broken URLs have been resolved.

Improved handling of URLs related to certain chars, including '|', space & Unicode.

Improved how Link Lock aproaches URLs in HTML <a> and <base> tags.

Enhanced our URL processing to use a more accurate system for parsing URLs.

Links in inline RTF content types are now being rewritten.

We now verify that links within the sender field are processed.

Links in the subject header are now rewritten.

Multipart emails are now being managed correctly.

Additional space being consumed in the mailog by Link Lock errors has been freed up.

Link Lock API improvements:

Security fixes:  

New rules were pushed out to manage spam mails.

The impersonate.php roletype parameter has been sanitized and now checks and validates for correct input.

Duplicate domain entries can no longer be created by the API.

IPv6 default route is now stored so that it's picked up after a restart.

RAR files with an EXE file extension are now being blocked when set to 'blocked' within archives.

History page loading correctly as a multibyte character issue is now being more gracefully handled.

Link Lock is now rewriting links in emails where the original length is greater than the rewritten length.

Encoded subject lines containing a URL no longer get stuck in the mail queue.

Scheduled Domain Summary and Group Summary reports in text format are now sending as expected.

Mail history export is now showing the correct TLS value when both inbound and outbound channels are encrypted.

SpamTitan now includes Link Lock, which provides protection against phishing, business email compromise, and zero day attacks by removing the possibility of a user clicking on a malicious link in an email. SpamTitan does this by rewriting all links in every email. Subsequently, when a link is clicked, SpamTitan can verify if the destination URL is safe or malicious. If the link is malicious, the user is presented with a block page indicating that there is a security risk.

With Link Lock, links always remain rewritten, ensuring that if a malicious email is forwarded to other employees within your company, or to other firms with which you do business, those recipients are also protected. Links are checked in real-time once clicked.

SpamTitan allows you to exclude URLs from Link Lock by adding them to an allowed URLs list, which can be done at the global, domain and user levels. See Link Lock for more information.

Link Lock is an enhancement to SpamTitan and is available after the purchase of a SpamTitan Plus license. If you wish to purchase a SpamTitan Plus license, please contact your Account Manager or email sales@titanhq.com.

Geoblocking enhancement: additional countries added.

Omission of ‘spam_tag’ in API documentation corrected.

Improved API sorting functionality.

OVA file configuration issue.

Typos and similar changes that were reported.

DKIM signed mails following the correct redirect path.

Removed quarantine report recipient issues.

Fixed issue with quarantine report scheduling.

QR reports broken in nightly tests.

API vulnerabilities patched.

Resolved SpamTitan Outlook Add-In allow list error.

Recipient Verification synchronization across clusters.

DB housekeeping fixes.

SpamTitan anti-virus rate limiting issue fixed.

Quarantine report scheduling issues resolved.

UI bug on User Policy page, Global Policies page, Allow Lists, solved.

Potential Mac vulnerability from email attachments mitigated.

Geoblocking: pagination problems fixed.

Geoblocking: domain matching bug resolved.

AV binaries updated to the latest.

API sorting issue resolved.

Internal packages updated to the latest versions.

SpamTitan now includes Geoblocking, allowing you to restrict email based on a sender's geographic location. Our Geoblocking functionality enables you to define rules that allow you to restrict email from a selected country. It also allows exemptions to geoblocking rules in order to exclude mail based on a sender's IP, domain, or email address.

Geoblocking can be enabled or disabled at a global level and once enabled, it can be managed at the admin, domain group, domain, and user levels. See Geoblocking for more information.

The Bitdefender software developer kit (SDK) has been upgraded to version 3.0.1, offering improvements to sandboxing and pre-filtering.

Country names have been reviewed and updated for user selection options, including geoblocking, top virus category, and spam relays.

Email rendering in Mail Viewer has been improved to address formatting issues.

The quarantine report token expiry can now be disabled.

OCR (Optical Character Recognition) has been removed as an Anti-Spam Engine setting due to the large number of false positives being generated.

Score filtering support has been added inside History and Quarantine API calls.

Domain verification is now available for a more secure experience, allowing you to verify domains with either a change to your MX records or by email. See Domain Verification for steps to enable domain verification.

An issue with uppercase letters in admin emails that were causing role assignment replication to fail is fixed.

Users can now release quarantined emails with the & symbol in the sender's email.

An issue causing some users to be unable to view quarantined emails in a cluster is resolved.

Mail viewer is now displaying emails with duplicate headers correctly.

An issue with user role permissions in a cluster environment has been resolved.

API POST to SASL now updating on cluster peer nodes.

The API call to update Trusted Network is now replicating to peer cluster nodes correctly.

Improved security in the UI and API.

An issue with broken multibyte characters causing problems inside the mail viewer is fixed.

A 500 Error is no longer been given when trying to delete multiple IP controls.

RAR5 type attachments are now being unpacked correctly.

IP Aliases are now being correctly stored in configuration files for all cases.

A domain administrator can now see outbound email details in the history log.

Empty X-Envelope-From headers are now displaying correctly.

Sandbox mail is no longer appearing as undefined.

Sandbox delivery status no longer displaying Blocked OTHER on a released sandbox mail.

Email addresses with multiple @ symbols are now being handled correctly.

2FA is now working correctly for some users who were experiencing an issue.

Blocked mail counting towards deleted mails in the quarantine report Delete All link on a single node instance has been corrected.

Fixed 500 error when updating domain policy via API.

Issues with the API Pattern Filter creating filters for Domains and Domain Groups is resolved.

Updated or deleted user roles are now replicated to all clustered nodes.

Where an email can not be sent to a license owner, Let's Encrypt is no longer producing a 500 error.

When an allow list entry is deleted, and that entry had include_subdomains set, that deletion propagates through a cluster.

The correct content type is now being returned for emails from other nodes in a cluster.

Cluster replication of the PUT API call to restapi/users/policy with sandbox param failing is resolved.

Cluster replication of PUT API call to restapi/outbound/smarthost/sender/ not working is resolved.

Access Control vulnerabilities have been removed from the Domain Admin configuration and the SpamTitan API.

Cross-site scripting vulnerabilities have been removed.

Privilege escalation vulnerabilities on User, Domain Admin, and Domain Group Admin account levels have been removed.

Removed an LDAP Authentication Bypass vulnerability (reported by Cedric Van Bockhaven, Deloitte).

Removed an SQL injection vulnerability (reported by Cedric Van Bockhaven, Deloitte).

Removed a code execution vulnerability in the backup process (reported by Cedric Van Bockhaven, Deloitte).

You can now view if users have Two-Factor Authentication enabled or not in Anti-Spam Engine > User Policies. This allows admins to easily view at a glance which users need to enable 2FA. See Two-Factor Authentication.

Older versions of TLS can now be enabled or disabled separately in Settings > TLS. See Enabling TLS.

Weak TLS ciphers can now be enabled or disabled in Settings > TLS. See Enabling TLS.

Dashboard and reporting graphs have been enhanced.

The Mail History log performance has been improved, with now nearly instantaneous updating on servers with high traffic.

The PHP framework version has been updated to resolve some security vulnerabilities.

Security patches have been included for the following packages that address a number of vulnerabilities:

An SQL injection vulnerability that may have caused the database to come down is resolved.

A potential Cross-Site Scripting (Reflected) vulnerability when viewing mail is fixed.

An authenticated SQL injection vulnerability on the Quarantine page is resolved.

Issues with link management in quarantine reports are fixed.

Domain group admins being unable to view some mails is now resolved.

A cross-site scripting (XSS) vulnerability caused by an invalid content-type is fixed.

An insecure direct object reference (IDOR) vulnerability in Filter Rules is resolved.

Unauthenticated access to generated graphs is no longer allowed.

An issue allowing any unauthenticated user to retrieve a list of log files is resolved.

A command injection vulnerability in the DNS lookup tool is resolved.

Mail previewing in Quarantine and Mail History has been improved.

An issue with the Lets Encrypt automatic certificate renewal process is resolved.

The processing of large mail queues in the UI had issues that are now resolved.

Improved support for Unicode characters inside Outbound Disclaimers editors.

Missing settings have been added to the backup.

Can now set a user's first name or last name to an empty string via API after it has been set.

Issues with the AntiSpoof plugin are resolved.

Invalid certificate handling is improved.

An issue deleting a domain that was added by API and could not be deleted in the UI is fixed.

The correct number of entries now showing in allow list and block list.

CPU temperature on the dashboard now correctly calculating and displaying.

Performance is improved when importing a large list to allow lists and block lists that contain existing entries.

Minor API issues related to caching and incorrect return values are now resolved.

An issue with generating pattern filter meta-rules is fixed.

Inconsistent memory usage statistics between the Dashboard and Reporting page are now consistent.

An issue with some cases of Amazon S3 backups failing has been resolved.

A system health check issue causing it to fail for slower SMPT servers is fixed.

An ampersand issue with SASL LDAP queries is now resolved.

A trusted network sometimes not replicating across a cluster is now working.

An issue where the removal of LDAP recipient verification for a domain sometimes led to MTA misconfiguration is resolved.

An issue causing Read Mails permission to not be disabled in some cases has been fixed.

The anti-spoof settings issue with mass editing and saving not working properly is resolved.

Relay Denied is now correctly logging in Report History.

SpamTitan can now generate Let’s Encrypt certificates. This allows customers to deploy free, trusted and secure certificates and will also support automatic renewal.

The terms Whitelist and Blacklist have been replaced with Allow List and Block List.

The terms Master/Slave have been replaced with Primary/Secondary.

Improve performance for large mails in the SpamTitan milter.

Backups are now encrypted to prevent tampering. Encrypted backups can't be tampered with or deleted.

A number of issues with sandboxing have been fixed:

Fixed issues with backups.

Fixed regressions introduced in 7.08.

CVE-2020-24046: Restricted shell escape through a manipulated backup file.

CVE-2020-24045: Restricted shell escape through a fake VMWare ISO.

CVE-2020-11804: Improper sanitization of the quid mail queue parameter.

CVE-2020-11803: Improper sanitization of the jaction mail queue parameter.

CVE-2020-11700: Improper sanitization of certificates parameter allowing retrieval of arbitrary files.

CVE-2020-11699: Improper sanitization on certificates page allowing execution of code.

CVE-2020-11698: Improper sanitization on SNMP page that could allow attacker gain root shell.

Two-factor authentication (2FA) is now available in SpamTitan. This adds a layer of protection by denying access with just a password. Go to Settings > User Management > Two-Factor Authentication (2FA) to enable 2FA.

An option is now available to reject SPF failures when a DMARC policy is set to none.

The following endpoints have been added to the SpamTitan API set:

See api-spamtitan.titanhq.com for more information on SpamTitan APIs.

The spam catch rate has improved with an update to the spam rulesets. This also helps reduce false positives.

Quarantined emails can now be retrieved using SpamTitan APIs.

No longer re-enable Spam/Virus/Banned checking when fixing license issues if they were previously disabled.

Resolved issue where rate controls rules for internal networks may not work correctly.

Fix regression: updating the admin password now updates the CLI password again.

Two input sanitization vulnerabilities described above (reported by Felipe Molina de la Torre).

Quarantine reports are now available in Hungarian.

The SpamTitan Outlook Plugin has been updated to version 3.2.0.

The minimum password length for new passwords is now 10 characters.

ClamAV has been updated to 0.102. This resolves a denial-of-service vulnerability (CVE-2019-15961) which may occur when scanning a specially crafted email file resulting in excessively long scan times.

Include security patches for packages including OpenSSL (CVE-2019-1551), PHP, Sudo (CVE-2019-18634), file (CVE-2019-18218) and SpamAssassin (CVE-2020-1931).

The correct rule name for pattern filters with headers containing a colon is now being generated.

API issue where a license report could produce an error.

LDAP recipient verification ignoring the port being used.

API issue updating a user role.

API issue requesting quarantine items from clustered appliances.

Impersonating doesn't change the active user for API requests, allowing the RestAPI tokens to be visible.

Resolved issue which prevented the option to mark clean archived messages as spam.

False positives issues with anti-spoofing.

Sandboxed messages not being allowed to release from quarantine.

The output of the tools command was not displayed until the command had completed.

Resolved issue where the logo may appear twice on quarantine reports.

Additional cookie security attributes are now applied to prevent session stealing.

Quarantine API endpoint issue where the start date was being ignored.

Empty report for a cluster in the Domain Group Summary report.

Potential persistent XSS vulnerability when uploading a new logo.

Potential reflected XSS vulnerability with certain cookie values.

Potential reset of database time zone setting on reboot.

Issue of adding domains via the API which were specified with round-robin destination servers.

This release sees the introduction of the new RestAPI for SpamTitan. See api-spamtitan.titanhq.com for full details.

You can now filter email addresses when using list-based recipient verification.

Included security patches for packages including OpenSSL, OpenSSH, PHP, ClamAV and Sudo.

Disabled support for SSLv3 and disabled weak ciphers.

Patches, spam rule updates and hotfixes are now retrieved over HTTPS.

Rate controls not tracking the correct email address.

Domain group pattern filters not adding to the correct domain group if the domain group admin is an admin for two or more domain groups.

From Name impersonation may falsely trigger.

Issue generating domain summary reports.

The issue with importing list recipients.

Issue generating quarantine reports in the correct language.

Potential issue generating quarantine reports in a clustered environment.

Issue viewing pattern filters that included meta-rules.

Rate control notification issues.

Emails in Russian may be marked as executables and blocked as banned attachments.

Issue delivering multiple daily scheduled reports.

A cosmetic issue where UI OLEMacro option would specify 'Nothing' when actually set to 'Send to Sandbox'.

An issue with allowed IPs when IP is also listed in Trusted networks.

An issue with per-domain attachment filtering.

Bitdefender daemon potentially consuming 100% CPU.

A user's full name can now be added to their policy, allowing for the prevention of impersonation attacks.

Pass and Tag Banned Attachments can now tag the subject.

ClamAV Link Detection using Google's Safe Browsing database is now included. This adds a score of 3 to any email with a link on the Safe Browsing database.

You can now search the trusted networks table by using the comment field.

Address shortening for Quarantine Reports is now disabled by default and can be enabled by Support.

Future patches (starting in SpamTitan 7.06) will only be allowed to install if all nodes in a cluster are capable of installing the patch.

Punycode support to allow and block lists for IDNAs.

The anti-spoof tool now triggers - with a reduced score - on similar domains that aren't exact matches (fuzzy matching).

Rate Controls no longer cause a large spike in CPU usage.

Display of the anti-spoofing page in French.

Outbound mail with no envelope from (bounce back mail) will now be DKIM signed.

Fixed issue where SPF rejection wasn't working if DMARC compliance was disabled.

Fixed issue where SPF best guess was applying even if DMARC compliance was disabled.

Quarantine report tokens were being invalidated too early.

Tagged subjects in non-UTF8-compliant languages such as Japanese, Chinese or Arabic were being rewritten as question marks.

Performance of domain management.

Deleting domains via API took a long period of time.

Clusters with a large number of domains across a large number of nodes were slow to finish licensing.

Releasing issue on a sandboxed file for multiple recipients.

Issue when adding an IPv6 address to internal networks.

The anti-spoof tool occasionally stops triggering.

Importing a list of aliases by file now converts to lowercase before importing.

If block list is enabled in the header, the block list button now properly adds to the block list.

Quarantine report footer text may display twice.

Filtering history issue with a subject containing an apostrophe.

CVE-2019-6800: the hotfix mechanism using the HTTP protocol rather than HTTPS. Reporting credit: Patrik Forslind, Sentor SOC.

With this release, we introduced sandboxing. SpamTitan can now detect if an attachment needs to be sandboxed. If it does, SpamTitan will put the mail on hold while it tests each attachment in a sandboxed environment.

SpamTitan now supports DMARC conformance and reporting. Mail will be DMARC tested and will be quarantined/rejected according to the DMARC policy. Reports will be sent daily.

SpamTitan now supports ARC signing and authentication of inbound mail.

Spam mail released from Quarantine will be re-scanned for a virus upon release, and thus may be re-quarantined (if containing a virus).

Future updates (after 7.04) will have a confirmation popup when attempting to install.

Archive clean mail has been modified to Archive mail; Pass and tagged mail will now be quarantined as well if Archive Mail is enabled, in addition to being delivered.

Very long email addresses now get shortened in quarantine reports.

If the Quarantine Report subject contains %u, the %u will be replaced with the recipient's email address.

Fixed issue where domains still get a relay denied after adding them to the system.

CVE-2019-6800: vulnerability with hotfix mechanism using HTTP protocol rather than HTTPS.

Resetting the password of the system admin account will send the new password to the email address on the license.

Ignoring a line using a content filter will now be logged.

The global and domain group interface has been updated to manage antispoof settings.

If you add an alias entry that does not contain the primary email address as an alias, SpamTitan now automatically adds the primary email address as an alias.

Reporting of errors for greylisting Sender Name Exemptions.

An issue where if a user has a user policy, they can now request a password using the "Forgot my password" feature.

Fixed issue where adding a top-level administrator failure makes the "Role" dropdown empty.

Quarantine reports no longer show 'too many items to display' when they do not have too many items to display.

Email quarantined as spam for one recipient, but marked as clean for another, no longer prevents the message from being released.

'Include Subdomains' not toggling when editing multiple allow and block list entries.

LDAP auth settings are now being saved properly.

Clustering display issue with Internal Networks table.

Editing a pattern filter causes it to not take effect immediately.

Reject Unknown Sender Domain not being recorded in statistics.

Backups missing data.

LDAP SASL Authentication not using email addresses.

Editing banned attachment rules.

Issue disabling banned attachments globally.

Display issue for banned items in quarantine reports.

Attachment filters can now be managed on a per domain-group and per-domain basis.

Pattern Filters have been improved and you can now:

You can now restrict roles from reading mail in the History and Quarantine tabs.

ClamAV has additional features:

A domain admins can now specify valid locations to receive mail from to prevent From: header spoofing.

You can now block IPs if they are in the Top 10 Virus or Spam relays.

Client certificates can be sent to servers that request it from SpamTitan.

Senders can now be blocked from your quarantine reports. This option needs to be turned on in Quarantine > Settings > Advanced.

Content Filtering can now be searched.

Content Filter that triggered on the mail is now displayed on the Mail Details page.

You can no longer add an alias IP that is the same as the primary IP.

Mail marked as "Passed Unchecked" is now archived if archiving is enabled.

Fixed issues related to reporting of whether messages were delivered or not.

Archived email deleted from quarantine has a 'blocked' delivery status.

Quarantine report tokens may be missing in a cluster environment.

Resolved issue where SpamTitan would respond to SNMP queries from anywhere even when the Allowed hosts' list is empty.

CVE-2018-15136: Possible to disable filtering for specific users.

There is a new API for managing domain group allow and block lists.

Option to use SNMPv3 and disable SNMPv2.

You are now able to set the port for Remote Syslog.

A new policy management option to send NDRs if mail is quarantined.

You can now allow SpamTitan to follow URL Shortener links and detect dangerous links behind them. This option needs to be enabled in Anti-Spam Engine > Settings.

You can now export aliases in Quarantine > Aliases.

You can now specify the domain group when importing domains.

Line wrapping in regular expression matching is now optional in content filtering.

A global administrator can now schedule domain group summary reports.

Outbound relay can be restricted to domains filtered by SpamTitan.

Trusted networks can be synchronized in a clustered environment.

A cluster environment can be set up over NAT.

The login link in a quarantine report now automatically logs you in.

Quarantine report links are now tokenized and have a maximum life span (reported by Pablo Lorenzo).

Added missing Amazon S3 bucket locations.

Added option to set up a cluster environment over NAT.

RBL and SPF checks were not being bypassed for allowed IPs.

Pattern and content filtering issue that removed everything after angle brackets.

SNMP log is not getting rotated.

The error generated saving HTTPS settings when using a custom port and updating the SSL certificate.

Special characters being treated as regular expression functions when content filters were set to 'contains.

DKIM validation did not follow CNAME records.

Certain characters were being incorrectly encoded in notification emails.

Automated backups encoding certain characters in the SFTP password.

The error generated when manually running SFTP backups from the UI.

SMTP HELO name reset by a bulk update in cluster environments.

Quarantine reports being issued if a mail is blocked by a content filter, even though displaying content filters in quarantine reports is disabled.

Line count display issue in PDF reports.

Content filters intended to trigger on headers sometimes triggering on attachments.

API reports on Kaspersky instead of Bitdefender.

Certain characters being encoded in LDAP Recipient Verification settings.

History does not load when a user sign-in has capitalization in the username.

IP delivery pools show as being used by domains, but don't exist on the system.

'Access denied' message when releasing or deleting mail from history.

HTTPS not enabling after an attempt to enable is made.

Empty file downloading when downloading a self-signed certificate's private key.

SASL authentication not starting when using LDAP authentication.

Bitdefender is now SpamTitan's primary anti-virus engine.

ClamAV is updated to version 0.99.3. This is a security release resolving potential denial of service attacks:

Include security patches for packages including OpenSSL, OpenSSH, PHP, and Wget.