Apache SpamAssassin Leads A Growing List of Open-Source Projects Taking Steps to Correct Instances of Racism and White Privilege
- by Brittany Day
Over the past few weeks, a heated debate has arisen on the Apache SpamAssassin users list regarding the replacement of racially charged terms like “whitelist” and “blacklist” used in the Apache Spamassassin Project’s code with more inclusive language. Certain community members have been very supportive of Apache SpamAssassin’s efforts to remove racially insensitive language from the project, while others have loudly voiced their disapproval.
Guardian Digital, the open source cloud email security company, is committed to the open-source development model and the core values of transparency and inclusion that it embodies. We felt it was important to speak with members of the community about this critical issue and share this story with other leaders and those not directly involved - hopefully inspiring them to take similar action in their communities.
A Movement Is Underway in the Open-Source Community
Racial tensions in the US are higher than they have been in over 50 years, spotlighting instances of racial injustice and white privilege that have been systematically ignored far too long. Interestingly, a social movement - which began prior to this recently heightened awareness of racial injustice - has already been underway to address racially charged language and conventions online. In light of the current environment, this movement is now gaining momentum and a growing number of organizations are stepping back and rethinking whether the messaging conveyed in their products could be deemed stereotypical or offensive. These organizations are now analyzing the potential changes to make their products and environments more accurate and inclusive.
Virtually all significant open-source projects and various tech giants who have adopted open-source software and programs including IBM, Microsoft, Amazon Web Services (AWS), Python and Drupal have already removed language that is potentially racially insensitive, and have found that doing so hasn’t been a significant impediment to their development efforts. Many other companies and projects are following suit, as the open-source community is faced with the reality that “the future is open source” - as long as open-source projects and initiatives continue to prove that they value equality and moral integrity.
Apache SpamAssassin Speaks Out Against Racial Insensitivity and White Privilege
Well before the tragic death of George Floyd on May 25th, which sparked heightened awareness of racial inequality around the globe, the Apache Spamassassin Project was actively working on improving the language used in its spam filtration framework by replacing “whitelist” and “blacklist” with terms such as “block”, “deny” and “allow”. For almost a decade, the project had been ahead of its time - using the term “blocklist” at least as early as 2011. After a vote on May 3rd, the Apache SpamAssassin Project Management Committee (PMC) formally decided to remove all racially charged language from Apache SpamAssassin. The first test of this work is already done with “allowlist_to” replacing “whitelist_to” in the 4.0.0 codebase, with no timeline for this release at the moment. Sites running the current "bleeding-edge" development code can expect to see this new language sooner.
Kevin A. McGrail, who has been personally been involved with the Apache SpamAssassin Project for nearly two decades and is a member and past chair of the Project Management Committee and past VP of Fundraising and Assistant Treasurer for the foundation, explains from his perspective why the project has chosen to replace “whitelist” and “blacklist” with “welcomelist” and “blocklist”: “Using ‘welcomelist’ and ‘blocklist’ is non-offensive, more descriptive and, since ‘welcome’ and ‘block’ start with ‘W’ and ‘B’, we avoid having to rename things like RBLs, WLBL, DNSBL, etc. This should help minimize the disruption when version 4.0 is released with the renamed configuration options.”
Like all proposed changes to the status quo, this transition has already stirred up great controversy among Apache SpamAssassin contributors and users. A message posted to the Apache Spamassassin users list on July 9th, 2020, by Kevin A. McGrail has already exploded with both supportive and highly critical comments. A host of vocal developers and users opposed to these changes argue that the sole motive behind this transition is political correctness. However, the loudest objection is that there is no technical reason for making these changes, and that doing so risks destabilizing what has been stable code and breaking existing production third-party tools and site-local configurations and customizations for no good technical reason, and according to one user, "If it ain't broke, don't fix it."
That being said, McGrail has clearly addressed concerns regarding backwards compatibility: “We went to the trouble to make rules and configuration lines work with aliases and feature checks so nothing breaks because of this. Moreover, the project is committed to backwards compatibility for at least one year after version 4.0.0 is released AND not removing the backwards compatibility until 4.1.0 is released.” McGrail adds, “This change is not being made for engineering reasons. Rather, it is solely driven by morality. As an open-source project, we are part of a movement built on a foundation of inclusion, and any engineering concerns are outweighed by the social benefits of making this change. Regardless, we are taking measures to ensure that things run as smoothly as possible, such as notifying the community and projects that build on Apache SpamAssassin at least a year in advance so they have adequate time to implement the coming changes.”
If we look to history for an indication of the risk that Apache SpamAssassin contributors and users face with these proposed changes, it appears that the chance of “breaking something” is very small. Further, examining the outcome of similar changes implemented by other significant projects and organizations including the UK National Cyber Security Centre (NCSC) and Chromium suggests that changes in the terminology used in their code hasn’t negatively impacted their development efforts. The experience from these groups suggest that, in general, very positive results can come from implementing inclusive, descriptive language, and any possible negative effects resulting from this shift will likely only be short-lived.
Strength in Diversity
Transitioning from metaphorical, connotative, and potentially offensive terminology to explicitly descriptive language seems like a logical move for the Apache SpamAssassin Project on many levels. Bill Cole, an Apache SpamAssassin Project contributor, Senior System Administrator at CipherSpace, LLC, and strong supporter of the elimination of racially charged language from Apache SpamAssassin’s software, offers a great explanation of how this transition will benefit the project - morality aside:
The Apache SpamAssassin Project has a particular self-interest in attracting contributors from a diversity of cultures, because we are always at risk of mislabelling a pattern of letters or words as 'spammy' when in fact it is entirely normal in a cultural context other than those of the existing contributors to the project. Continuing to use 'black' and 'white' as indicators of value in code and configuration directives leaves in place a minor nuisance for some potential contributors and users who are understandably tired of being on the bad side of this semantic collision, where the most common word for their ethnic identity is constantly being used as a label for things which are bad, undesirable, malfeasant, etc. The naming collision is a problem and because the inanimate entities for which we use black and white do not in fact have any color we can both eliminate the collision AND improve the quality of the names we use.
Cole goes on to explain how the low level of diversity seen among the Apache SpamAssassin Project’s developers is a significant hurdle that must be addressed. He elaborates on the issue: “None of us has the time and skills to make a focused recruiting effort to get a more diverse set of contributors or even just more contributors. Changing a few labels in the code is something we CAN do.”
From an ethical perspective - this formal acknowledgement of an instance of racial insensitivity in its messaging is something the project CAN and SHOULD do, regardless of the current political environment. McGrail explains:
While this may appear to be a response to racial tensions in the US of late, you might be surprised to learn that the project has been working on this type of change for quite some time. We start using “Blocklist” at least as early as 2011. So this isn't about US politics and it isn't rash. This is about doing the right thing and getting rid of racially charged language. If this symbolic gesture helps even one person feel more included, that’s a win in my book.
The Tide is Turning Against Systemic Racism
In the words of Dr. Martin Luther King, Jr., "It's never the wrong time to do the right thing." Apache SpamAssassin and numerous other open-source community projects clearly recognize this, and are doing what they can to correct previous generations’ wrongs - as opposed to reinforcing, legitimizing, and perpetuating them. The tide is turning in our social culture. Change needs to come from the majority; however “the majority” is made up of individuals, organizations and communities, whose actions additively have the potential to create significant, positive societal shifts.
The recently heightened awareness of systemic racism and white privilege in our society provides a great opportunity for the open-source community to demonstrate leadership and morality in the midst of the turbulent times we’re currently living in. Guardian Digital CEO and LinuxSecurity Founder Dave Wreski reflects on the matter:
No single open-source project - or even the open-source community as a whole - isn’t necessarily going to have a monumental impact on this worldwide social movement, but does an open-source project, which supposedly embodies transparency and the inclusion of all ideas, perspectives and backgrounds, really want to contradict its core values simply to avoid minor inconveniences and small, calculated risks? It is our duty to make pronouncements against hate and take action within our communities to rectify instances of racial insensitivity and white privilege.
From the software and technology the company uses to the services it provides, Guardian Digital is committed to ensuring that every customer knows that he or she is valued and respected. Wreski elaborates: “I truly admire the initiative and leadership that Apache SpamAssassin and an expanding group of open-source community projects are demonstrating in their response to this global issue and, now more than ever, I am extremely proud to be a member of the open-source community.”
- Thinking Strategically about Email Security in 2021 and Beyond
- There’s a Lot to be Gained with Effective Email Security
- Behind the Shield: EnGarde Cloud Email Security Explained
- Open Source: A Powerful, Yet Underutilized Weapon against Phishing & Zero-Day Attacks
- Buyer's Guide: What to Prioritize in an Email Security Solution
- Buyer's Guide to Office 365 & Workspace Email Security
- EnGarde Cloud Email Security: The Logical Solution to Cyber Risk in Office 365
- Exchange Servers Are Vulnerable - Learn How To Secure Your Email Server Now
- Top Email Security Risks in 2021 - How To Set Your Business Up for Safety & Success
- Ransomware By The Numbers: How Big Is My Risk?
- SMB Ransomware Warnings & How To Prevent an Attack
- Apache SpamAssassin 3.4.6 Release Fixes Two Potentially Aggravating Bugs
- Top Tips and Advice for Staying Safe Online in a Work-from-Home World
- Demystifying Phishing Attacks: How to Protect Yourself Now
- Why Your Business Needs Better Email Security
- Why Ransomware is a Threat to Business
- How to Protect Sensitive Data & Maintain Client Trust in Financial Services Industry
- Why Office 365 Users Are Moving Away from Relying on Default Email Protection Alone
- What You Need to Know to Shield Your Business from Ransomware
- Why You Need DMARC to Secure Email against Spoofing Attacks & Sender Fraud
- Biden's Cybersecurity Efforts Highlight the Power of this Key Technology
- Shortcomings of Endpoint Security in Securing Business Email
- Open Source Utilization in Email Security Demystified
- Limitations of Microsoft 365 Email Security & How To Close These Dangerous Gaps
- DMARC Quarantine vs. Reject: Which Should You Implement to Secure Business Email against Sender Fraud?
- Think Like A Criminal: What You Need to Know About Social Engineering Attacks in 2021
- TLS Email Encryption Explained - How To Encrypt Email with TLS
- Effectively Securing Business Email Accounts: Are Employees the Weakest Link?
- Encryption: An Essential Yet Highly Controversial Component of Digital Security
- Business Email Security Redefined: Key Benefits of Securing Your Business Email with Guardian Digital
- 8 Business Email Security Best Practices
- Demystifying Email Encryption: Stop Sender Fraud
- Demystifying Tax Fraud: How to Avoid Falling Victim to Deceptive, Costly Scams This Tax Season
- Coronavirus Phishing Scams are On the Rise - Is Your Business Email at Risk of Infection?
- Dave Wreski: A Passionate Engineer Brings the Power of Open Source to Business Email Security
- FBI: Existing Cloud Email Protection Inadequate Against Phishing, Ransomware
- Email Risk is Universal: Securing Business Email in Every Industry Sector
- The Remote Worker's Guide to Safely Navigating Office 365
- Why Your Business Needs Superior Email Protection
- Defending Against COVID Email Spoofing Attacks with DMARC
- You’ve Got Mail: How To Tell If It’s Fraud
- Open-Source Security Is Opening Eyes
- Think Like A Criminal: How To Write A Phishing Email
- The Four Biggest Email Threats Your Business Faces Today
- Everything On DocuSign Phishing Attacks in 3 Minutes
- Understanding Payload-Less Email Attacks in Under 3 Minutes
- Demystifying Fileless Malware in Less than 3 Minutes
- Apache SpamAssassin Leads A Growing List of Open-Source Projects Taking Steps to Correct Instances of Racism and White Privilege
- Cyber Risk Is Greater than Ever in the Legal Industry
- Understanding Malicious URL Protection - And Why You Need It to Secure Your Email
- Email Security for SMBs Beyond COVID-19
- Email Risk Is BIG for SMBs - How To Protect Your Business Now
- Why Email Security Is More Important Than Ever in This 'New Reality'
- The Threat of CEO Fraud Extends Beyond the C-Suite
- Top Email Security Trends Putting Your Business at Risk of Attack
- Managed Services: A Key Element of Effective Email Security that Even Modern Solutions Lack
- How to maintain security when employees work remotely: Advice from Leading Security Experts
- FBI: The 2020 Presidential Election Is Under Attack by Email Scammers
- AT&T Security Researchers Identify a Correlation between Strong Cybersecurity and Business Success
- The Aftermath of a Cyberattack Pt. 1: Phishing Recovery Basics
- It Pays to be Prepared! Ransomware Preparedness & Recovery Basics
- Breaking Down Fileless Malware: Anatomy of an Attack
- Keep the Holidays Merry & Bright - Beware of These Sneaky Seasonal Phishing Scams
- Migrating Business Email: The Hidden Complexities You Need To Know
- SPF, DKIM & DMARC: Definition & How They Secure Email Against Sender Fraud?
- Your Current Approach to Email Security May Not Be Enough
- Ways to Prevent Email Account being compromised in a Breach
- Celebrating 20 Years of Revolutionizing Digital Security
- IBM Closes its $34 Billion Acquisition of Red Hat
- Interview with Security Expert and Author Ira Winkler
- What is Phishing Email? How to prevent Phishing email scams?
- Ways Our Business Email Exceed Your Expectations
- Spear Phishing Protection - Definition & How To Recognize Spear Phishing Email
- What is Whaling (Whaling Phishing)? & How to Prevent Whaling attacks?
- Business Email Compromise (BEC) - Definition & Prevention From BEC Attacks
- Wire Transfer Scams Involving Real Estate Transactions: How to Prevent Fraud with Effective Email Security
- Guardian Digital and Mautic: A Dynamic Open-Source Duo
- Email Malware - How to Recognize & Prevent Malware Email Attack
- An Open-Source Success Story: Apache SpamAssassin Celebrates 18 Years of Effectively Combating Spam Email
- What is Spam Email - Types & How to Prevent Spam Emails?
- 2020: A New Decade of Digital Threats - Is Your Business Email Secure?
- Linux: An OS Capable of Effectively Meeting the US Government’s Security Needs Heading into 2020
- Complete Guide on Email Security & Threats Faced by Organizations
- Email Virus - Complete Guide to Email Viruses Plus Best Practices
- What Are Zero-Day Attacks & How Can I Prevent Them?
- Guardian Digital Keeps its Customers Protected from Intel Design Flaw
- Security Spotlight: Open Source Email Security Solutions
- Top Six Advantages of Open Source Development/Products
- Python and Bash - Contenders for the most used scripting language
- Guardian Digital Outlines Top 4 Benefits of Choosing Cloud
- Unrivaled Protection Against Today’s Most Dangerous Threats
- Guard Your Email Accounts Against Today’s Most Dangerous Threats
- Security Highlights from Defcon 26
- Linux / Open Source FAQs: Common Myths / Misconceptions
- Email Security FAQs Answered by Guardian Digital
- Guardian Digital Mail Systems: Designed to be Secure Without Fail