SpamAssassin identifies spam e-mail using a variety of local and network based tests.
**spamd** is a component of SpamAssassin which allows it to run as a network daemon.
When the vpopmail (-v) and paranoid (-P) options are used with
**spamd**, the user name specified by the client is included in a shell command without sufficient checking for invalid characters. This allows arbitrary command execution by remote attackers.
Upgrade to SpamAssassin 3.1.3 or higher.
This exploit will only succeed when run from an address which is explicitly allowed by