Posted to users@spamassassin.apache.org by Chris <cp...@embarqmail.com> on 2008/12/09 03:00:34 UTC
sought rules updates
Has anyone seen any updates to the sought rules lately? It seems like it's
been about 4 or 5 days now since I've seen any via sa-update.
--
Chris
KeyID 0xE372A7DA98E6705C
Re: sought rules updates
Posted by LuKreme <kr...@kreme.com>.
On 9-Dec-2008, at 12:48, LuKreme wrote:
> I'm thinking the old rules like 70_sc_top200.cf etc should all be
> removed?
Just to be clear, all I have currently active is:
-rw-r--r-- 1 root wheel 3278 Dec 9 12:30 dkim.cf
-rw-r--r-- 1 root wheel 1749 Dec 7 17:08 init.pre
drwx------ 2 root wheel 512 Dec 7 17:24 sa-update-keys
-rw-r--r-- 1 root wheel 1194 Dec 7 17:23 v312.pre
and I just installed dkim.cf
--
I used to hate the sun, because it'd shone on everything I'd done.
Made me feel that all that I had done was overfill the ashtray
of my life."
Re: sought rules updates
Posted by Kai Schaetzl <ma...@conactive.com>.
RobertH wrote on Wed, 10 Dec 2008 17:49:28 -0800:
> what ones did you keep? if you recall, any particular reason why?
Hm, I checked and it seems I was wrong, partly. I still have them in the
channels.txt for my sa-update. I removed them on some other machines
partly because of memory constraints and didn't notice ill effects. But I
didn't remove on the machine for my own mail.
I checked the rule hits on it now and the highest hitting SARE rules (in
the last 35.000 messages) for me are:
SARE_HEAD_8BIT_SPAM (6% hits on ham!)
SARE_GIF_ATTACH (20% hits on ham!)
SARE_MSGID_LONG40 (almost 100% of the hits are ham)
SARE_ADULT2 (almost no ham)
all the other rules are negligible (none hits on more than 0.02 % of
spam), so it's probably really time to remove them.
This structure might be much different on systems that accept almost every
mail for SA processing, though. There the SARE might still be very
helpful. I block 80% or more of spam at MTA level with RBL, greylisting,
access.db and tight postfix configuration.
Interestingly, I find that two of my own and very old rules are among the
top 10 scorers for spam and hit almost no ham (< 1%).
body SPAM_HEALTH_1 /pharmacy/i
score SPAM_HEALTH_1 1.0
body SPAM_BUY_9 /discount/i
score SPAM_BUY_9 1.0
Might create more false positives on systems with more legitimate English
ham traffic, though ,-)
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
RE: sought rules updates
Posted by RobertH <ro...@abbacomm.net>.
>
> Right. I removed most if not all of the SARE rules on most
> machines some months ago with no ill effects.
>
> Kai
what ones did you keep? if you recall, any particular reason why?
- rh
Re: sought rules updates
Posted by Kai Schaetzl <ma...@conactive.com>.
Mouss wrote on Wed, 10 Dec 2008 10:34:21 +0100:
> 90_2tld.cf.sare.sa-update.dostech.net
Thanks, for the tip, I wasn't aware of it. As I understand it helps URIBL
to score on subdomains that it otherwise wouldn't check at all?
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: sought rules updates
Posted by mouss <mo...@netoyen.net>.
Kai Schaetzl a écrit :
> LuKreme wrote on Tue, 9 Dec 2008 16:50:34 -0700:
>
>> Geez there's
>> a lot of them... and they look like they are very old, with last
>> updated dates in 2005-2006 and none newer than Aug 2007.
>
> Right. I removed most if not all of the SARE rules on most machines some
> months ago with no ill effects.
>
The only one I use now is
90_2tld.cf.sare.sa-update.dostech.net
Re: sought rules updates
Posted by Kai Schaetzl <ma...@conactive.com>.
LuKreme wrote on Tue, 9 Dec 2008 16:50:34 -0700:
> Geez there's
> a lot of them... and they look like they are very old, with last
> updated dates in 2005-2006 and none newer than Aug 2007.
Right. I removed most if not all of the SARE rules on most machines some
months ago with no ill effects.
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: sought rules updates
Posted by mouss <mo...@netoyen.net>.
John Horne a écrit :
> On Tue, 2008-12-09 at 22:54 -0700, LuKreme wrote:
>> On 9-Dec-2008, at 17:09, John Horne wrote:
>>> Try:
>>>
>>> sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org
>> Ok, that gives me no error (where did you find/get the 6C6191E3?). It
>> sits for about 20-30 seconds and then I get a prompt back. But as far
>> as I can tell, nothing has changed. There is no new .cf file in /etc/
>> mail/spamassassin (which is a link /etc/mail/spamassassin -> ../../usr/
>> local/etc/mail/spamassassin if that matters), for example.
>>
> Look in '/var/lib/spamassassin/3*' within there there should be a new
> subdirectory and .cf file.
>
let's avoid a "linux domination fast, resistance is futile" move ;-p
the directory is
${base}/spamassassin/${version}/
where:
${base} is /var/lib on linux, /var/db on BSD, and something else
elsewhere. (who said C:\Progra~\ ?)
and
${version} is a perl-style version id (i.e. padded with zeros). so it is
3.002005 for 3.2.5.
Re: sought rules updates
Posted by John Horne <jo...@plymouth.ac.uk>.
On Tue, 2008-12-09 at 22:54 -0700, LuKreme wrote:
> On 9-Dec-2008, at 17:09, John Horne wrote:
> > Try:
> >
> > sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org
>
> Ok, that gives me no error (where did you find/get the 6C6191E3?). It
> sits for about 20-30 seconds and then I get a prompt back. But as far
> as I can tell, nothing has changed. There is no new .cf file in /etc/
> mail/spamassassin (which is a link /etc/mail/spamassassin -> ../../usr/
> local/etc/mail/spamassassin if that matters), for example.
>
Look in '/var/lib/spamassassin/3*' within there there should be a new
subdirectory and .cf file.
John.
--
---------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287
E-mail: John.Horne@plymouth.ac.uk Fax: +44 (0)1752 587001
Re: sought rules updates
Posted by James Wilkinson <sa...@aprilcottage.co.uk>.
LuKreme wrote:
> I read the man page, where there is no mention of how to obtain this
> number. In fact, I read many posts, and many webpages and have still not
> found that information. I've seen the IDs in others posts, sure, but
> where do they originate?
>
> Even searching the wiki (which just links to the previously linked
> http://taint.org/2007/08/15/004348a.html )is merely a "here's the
> random-looking digits you pass to --gpgkey" and not a "here's what the
> --gpgkey is, means, and how it's generated".
These numbers are a way of identifying those keys. They are a
cryptographically strong hash: the idea is that it’s easy for users to
use numbers that short to confirm that the key they’ve received is the
key they thought they were receiving, and very difficult for any
attacker to generate another key with the same hash.
> Why doesn't sa-learn simply trust the keys that are added to its
> keychain without this extra (and at least for me, confusing) step? I'm
> starting to think the simplest way to do this is just ignore the gpg
> flags entirely and use --nogpg. What's the downside to this (other than
> the obvious DNS hijacking to point the URL to some spammer site with bad
> data which seems a remote enough chance to ignore).
That’s your choice.
Hope this helps,
James.
--
E-mail: james@ | “Right lads, we’ve got 45 minutes to score 37 goals.
aprilcottage.co.uk | No problem with that -- the other team just did.”
Re: sought rules updates
Posted by mouss <mo...@netoyen.net>.
jidanni@jidanni.org a écrit :
> m> http://www.netoyen.net/sa/sa-update.sh.txt
> m> http://www.netoyen.net/sa/channel.conf
> They give 403 Forbidden.
should be fixed now. sorry for the annoyance.
Re: sought rules updates
Posted by ji...@jidanni.org.
m> http://www.netoyen.net/sa/sa-update.sh.txt
m> http://www.netoyen.net/sa/channel.conf
They give 403 Forbidden.
Re: sought rules updates
Posted by mouss <mo...@netoyen.net>.
LuKreme a écrit :
> On 10-Dec-2008, at 01:31, Kai Schaetzl wrote:
>> Duane Hill wrote on Wed, 10 Dec 2008 06:53:39 +0000 (UTC):
>>> Do a search for 'sought' on the SA wiki page
>>
>> and read the documentation on sa-update before you ask again ;-)
>
> I read the man page, where there is no mention of how to obtain this
> number. In fact, I read many posts, and many webpages and have still not
> found that information. I've seen the IDs in others posts, sure, but
> where do they originate?
>
> Even searching the wiki (which just links to the previously linked
> http://taint.org/2007/08/15/004348a.html )is merely a "here's the
> random-looking digits you pass to --gpgkey" and not a "here's what the
> --gpgkey is, means, and how it's generated".
>
> Why doesn't sa-learn simply trust the keys that are added to its
> keychain without this extra (and at least for me, confusing) step? I'm
> starting to think the simplest way to do this is just ignore the gpg
> flags entirely and use --nogpg. What's the downside to this (other than
> the obvious DNS hijacking to point the URL to some spammer site with bad
> data which seems a remote enough chance to ignore).
>
I use a script and a config file to do all this stuff:
http://www.netoyen.net/sa/sa-update.sh.txt
http://www.netoyen.net/sa/channel.conf
so my cron has: /usr/local/bin/sa-update.sh > /dev/null
(paths and the restart command (I use amavisd) must be adjusted).
I have been thinking of modifying sa-update directly...
Re: sought rules updates
Posted by John Hardin <jh...@impsec.org>.
On Wed, 10 Dec 2008, LuKreme wrote:
> I'm still unclear on how the --gpgkey makes it more secure. If the file
> is signed, the signature is checked against the public key that I have
> in pubring.gpg. What does the gpgkey do?
It indicates which key to use to check the signature.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
It is not the place of government to make right every tragedy and
woe that befalls every resident of the nation.
-----------------------------------------------------------------------
4 days until Bill of Rights day
Re: sought rules updates
Posted by SM <sm...@resistor.net>.
At 22:19 10-12-2008, LuKreme wrote:
>I ssh to the server and then I sudo su (so I am sure I have discarded
>my own login environment, I do not normally do this)
>
>mail# gpg --list-keys /etc/mail/spamassassin/sa-update-keys/pubring.gpg
>gpg: error reading key: No public key
gpg --no-default-keyring --keyring /etc/mail/spamassassin/sa-update-keys/pubring.gpg
>At least on my FreeBSD, there's no man page for gpg, and the --help
man gpg works for me.
>Riiight, but the public key I put in the keychain does all that, no?
>I'm still unclear on how the --gpgkey makes it more secure. If the
>file is signed, the signature is checked against the public key that I
>have in pubring.gpg. What does the gpgkey do?
There may be several keys in a keyring. When running an automated
process to verify a file, you also have to validate who signed the
file. That's where the gpgkey comes in. Simply checking the
signature is not enough.
Regards,
-sm
Re: sought rules updates
Posted by Kai Schaetzl <ma...@conactive.com>.
Karsten Bräckelmann wrote on Thu, 11 Dec 2008 12:48:34 +0100:
> Hmm, mine doesn't. :)
My package says gnupg-1.4.5-13.
> Instead that option's desc starts with "List all
> keys from the public keyrings, or just the keys given on the command
> line".
Yeah, and now that I know how to squeeze the keys out, I know what they mean by
the [names], e.g.
gpg --list-keys --no-default-keyring --keyring sa-update-keys/pubring.gpg 856AA88A
> It definitely doesn't tell me to dump a file-name there...
No, but the basic command syntax tells about it.
> gpg [--homedir name] [--options file]
That actually refers to a file to be signed, decrypted etc., though, and not the
keyrings. And there's also a difference between "options" and "commands".
(--list-keys is a command). If you don't know much about gpg it's easy to get tricked.
As I said earlier, it isn't important to know all that if one just wants to use
SA. Otherwise you may want to read the gnupg documentation before asking, indeed
;-)
>
> A quick glimpsing of the man page tells me to use this:
> gpg --list-keys --no-default-keyring --keyring sa-update-keys/pubring.gpg
For me, too. Either cd to /etc/mail/spamassassin or add it to the path, though ;-)
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: sought rules updates
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
> > mail# gpg --list-keys /etc/mail/spamassassin/sa-update-keys/pubring.gpg
> > gpg: error reading key: No public key
And another doc you didn't read before asking here, LuKreme...
> I get the same, and without the path to a file I get the keys from the
> global keyring which are non for SA. man gpg says "--list-keys [names]"
> but it's not clear which name to put there.
Hmm, mine doesn't. :) Instead that option's desc starts with "List all
keys from the public keyrings, or just the keys given on the command
line". It definitely doesn't tell me to dump a file-name there...
A quick glimpsing of the man page tells me to use this:
gpg --list-keys --no-default-keyring --keyring sa-update-keys/pubring.gpg
And it works for me. See the description for the --keyring option.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: sought rules updates
Posted by Kai Schaetzl <ma...@conactive.com>.
LuKreme wrote on Wed, 10 Dec 2008 23:19:25 -0700:
> mail# gpg --list-keys /etc/mail/spamassassin/sa-update-keys/pubring.gpg
> gpg: error reading key: No public key
I get the same, and without the path to a file I get the keys from the
global keyring which are non for SA. man gpg says "--list-keys [names]"
but it's not clear which name to put there.
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: sought rules updates
Posted by LuKreme <kr...@kreme.com>.
On 10-Dec-2008, at 22:18, SM wrote:
> At 20:39 10-12-2008, LuKreme wrote:
>> And the source of that number is, evidently, a complete mystery.
>> That's my point. I've seen lots of instructions like this:
>>
>> # wget http://somesite.tld/somepath/GPG.KEY
>> # sudo sa-update --import GPG.KEY
>> # sudo sa-update --gpgkey 0E28B3DC --channel uber.rule.somesite.tld
>>
>> where the '0E28B3DC' has just magically appeared as if created from
>> the ether.
>
> Once you have imported the key, you can use gpg --list-keys to find
> the key ID.
AHA! That's the crucial step I was missing and no one seemed able to
provide. Thank You! There's progress at least:
I ssh to the server and then I sudo su (so I am sure I have discarded
my own login environment, I do not normally do this)
mail# gpg --list-keys /etc/mail/spamassassin/sa-update-keys/pubring.gpg
gpg: error reading key: No public key
At least on my FreeBSD, there's no man page for gpg, and the --help
doesn't point out anything obvious. if I run it without specifying a
file, I get this:
mail# gpg -k
/root/.gnupg/pubring.gpg
------------------------
pub 1024D/11F63C51 2002-02-28
uid Jamie Cameron <jc...@webmin.com>
sub 1024g/1B24BE83 2002-02-28
> By adding the key to the keychain, you are trusting it. The
> security part is that you can verify whether the signer generated
> the updates. Even if the host is compromised, you are "safe" as
> long as the private key is secure and the signer still has your trust.
Riiight, but the public key I put in the keychain does all that, no?
I'm still unclear on how the --gpgkey makes it more secure. If the
file is signed, the signature is checked against the public key that I
have in pubring.gpg. What does the gpgkey do?
--
I want a party where all the women wear new dresses and all the men
drink beer. -- Jason Gaes
Re: sought rules updates
Posted by SM <sm...@resistor.net>.
At 20:39 10-12-2008, LuKreme wrote:
>And the source of that number is, evidently, a complete mystery.
>That's my point. I've seen lots of instructions like this:
>
># wget http://somesite.tld/somepath/GPG.KEY
># sudo sa-update --import GPG.KEY
># sudo sa-update --gpgkey 0E28B3DC --channel uber.rule.somesite.tld
>
>where the '0E28B3DC' has just magically appeared as if created from
>the ether.
Once you have imported the key, you can use gpg --list-keys to find the key ID.
>Do you see that there is a crucial step missing there? Where did that
Yes.
>gpgkey value come from? If it wasn't provided in these instructions
>(like say you were looking for a ruleset at foo.bar.tld/GPG.KEY but
>hadn't yet discovered the page that had the magic hex code), how do
>you find it? Can you generate it. Is it simply a hash of the gpg
>keyfile, or something else?
The key ID is the low order 64 bits of the fingerprint.
>It's a bit of "hey, now just fill in this number we hopefully have
>given you. Don't worry about what it means, or how it works, or where
>it came from. Just copy&paste and you'll be fine."
>
>Strangely enough, that does not fill me with the highest degree of
>confidence. Not much more so than --nogpg.
That's not the right way to do it if we are concerned about trust
relationships. As you said, unless you have confidence in what is
published on the webpage, it's like running sa-update with the
--nogpg parameter.
>gpgkey. I've added the key to the keychain as a trusted key, that is
>enough to make it secure. How is this 8 digit hex code making
>anything any more secure?
By adding the key to the keychain, you are trusting it. The security
part is that you can verify whether the signer generated the
updates. Even if the host is compromised, you are "safe" as long as
the private key is secure and the signer still has your trust.
Regards,
-sm
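Added example (not part of the original thread, and not sa-update's own code): a Python sketch of the two points in SM's replies above, that a key ID is the low-order bits of the key's fingerprint, and that an automated verifier must check which key signed, not only that some key in the keyring did. The fingerprints and status lines are constructed; the VALIDSIG field layout assumed is the one gpg writes with --status-fd.

```python
import re

_HEX = re.compile(r"[0-9A-F]+")


def normalize_key_id(key_id):
    """Return a key ID or v4 fingerprint as bare upper-case hex (8, 16 or 40 digits)."""
    k = key_id.replace(" ", "").upper()
    if k.startswith("0X"):
        k = k[2:]
    if len(k) not in (8, 16, 40) or not _HEX.fullmatch(k):
        raise ValueError("not a key ID or v4 fingerprint: %r" % key_id)
    return k


def key_ids(fingerprint):
    """Derive the long (64-bit) and short (32-bit) key IDs from a v4 fingerprint."""
    fpr = normalize_key_id(fingerprint)
    if len(fpr) != 40:
        raise ValueError("need the full 40-digit fingerprint")
    # The IDs are simply the tail of the fingerprint. The shorter the ID,
    # the weaker the pin; the full fingerprint is the strongest one.
    return {"long": fpr[-16:], "short": fpr[-8:]}


def valid_signers(status_text):
    """Collect fingerprints from VALIDSIG lines of `gpg --status-fd` output.

    VALIDSIG is only written for a cryptographically good signature, so
    BADSIG/ERRSIG output yields an empty set.
    """
    signers = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]" or fields[1] != "VALIDSIG":
            continue
        signers.add(fields[2].upper())        # key that made the signature
        if len(fields) >= 12:
            signers.add(fields[11].upper())   # its primary key, when reported
    return signers


def signer_is_pinned(status_text, allowed_ids):
    """True only if a valid signature was made by one of the pinned keys."""
    allowed = [normalize_key_id(k) for k in allowed_ids]
    return any(fpr.endswith(a)
               for fpr in valid_signers(status_text)
               for a in allowed)


# --- constructed sample data (not real keys) ---------------------------
CHANNEL_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"  # another key in the same keyring

STATUS_CHANNEL = (
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Channel Key\n"
    "[GNUPG:] VALIDSIG " + CHANNEL_FPR +
    " 2008-12-10 1228900000 0 4 0 17 2 00 " + CHANNEL_FPR + "\n"
)
# Signature verifies, but it was made by a different key that is also trusted.
STATUS_OTHER_KEY = (
    "[GNUPG:] GOODSIG 76543210FEDCBA98 Constructed Other Key\n"
    "[GNUPG:] VALIDSIG " + OTHER_FPR +
    " 2008-12-10 1228900000 0 4 0 17 2 00 " + OTHER_FPR + "\n"
)
STATUS_BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Constructed Channel Key\n"

if __name__ == "__main__":
    print(key_ids(CHANNEL_FPR))
    for name, status in [("channel key", STATUS_CHANNEL),
                         ("other keyring key", STATUS_OTHER_KEY),
                         ("bad signature", STATUS_BAD)]:
        print(name, "->", signer_is_pinned(status, ["01234567"]))
```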
Re: sought rules updates
Posted by LuKreme <kr...@kreme.com>.
On 10-Dec-2008, at 20:36, SM wrote:
> At 13:51 10-12-2008, LuKreme wrote:
>> I read the man page, where there is no mention of how to obtain this
>> number. In fact, I read many posts, and many webpages and have still
>> not found that information. I've seen the IDs in others posts, sure,
>> but where do they originate?
>
> sa-update uses GPG (GNU Privacy Guard) to verify the authenticity of
> the updates. The Sought rules webpage mentions how to download the
> GPG key. If you want to understand how GPG works or how to use GPG
> keys, you should read the GPG documentation.
Yes, downloading the key is not the issue.
>> Even searching the wiki (which just links to the previously linked http://taint.org/2007/08/15/004348a.html
>> )is merely a "here's the random-looking digits you pass to --
>> gpgkey"
>> and not a "here's what the --gpgkey is, means, and how it's
>> generated".
>
> The gpgkey parameter for sa-update specifies which GPG key ID should
> be trusted to sign the updates. You can use the gpg command to find
> out what the key ID is. That's not a random number;
I said 'random looking'
> it's a hexadecimal number which identifies the key.
And the source of that number is, evidently, a complete mystery.
That's my point. I've seen lots of instructions like this:
# wget http://somesite.tld/somepath/GPG.KEY
# sudo sa-update --import GPG.KEY
# sudo sa-update --gpgkey 0E28B3DC --channel uber.rule.somesite.tld
where the '0E28B3DC' has just magically appeared as if created from
the ether.
Do you see that there is a crucial step missing there? Where did that
gpgkey value come from? If it wasn't provided in these instructions
(like say you were looking for a ruleset at foo.bar.tld/GPG.KEY but
hadn't yet discovered the page that had the magic hex code), how do
you find it? Can you generate it. Is it simply a hash of the gpg
keyfile, or something else?
It's a bit of "hey, now just fill in this number we hopefully have
given you. Don't worry about what it means, or how it works, or where
it came from. Just copy&paste and you'll be fine."
Strangely enough, that does not fill me with the highest degree of
confidence. Not much more so than --nogpg.
> Because sa-update is designed to provide updates in a secure way.
> If you want the simplest way, you can ignore these steps and face
> the consequences when something goes wrong.
Oddly enough, I am able to encrypt emails, sign emails, verify signed
mails, login to ssh ports on remote servers and do a whole host of
secure things without ever having encountered anything like this
gpgkey. I've added the key to the keychain as a trusted key, that is
enough to make it secure. How is this 8 digit hex code making
anything any more secure?
--
I know that you believe you understand what you think I said but I
am not sure you realize that what you heard is not what I
meant.
Re: sought rules updates
Posted by SM <sm...@resistor.net>.
At 13:51 10-12-2008, LuKreme wrote:
>I read the man page, where there is no mention of how to obtain this
>number. In fact, I read many posts, and many webpages and have still
>not found that information. I've seen the IDs in others posts, sure,
>but where do they originate?
sa-update uses GPG (GNU Privacy Guard) to verify the authenticity of
the updates. The Sought rules webpage mentions how to download the
GPG key. If you want to understand how GPG works or how to use GPG
keys, you should read the GPG documentation.
>Even searching the wiki (which just links to the previously linked
>http://taint.org/2007/08/15/004348a.html )is merely a "here's the
>random-looking digits you pass to --gpgkey"
>and not a "here's what the --gpgkey is, means, and how it's generated".
The gpgkey parameter for sa-update specifies which GPG key ID should
be trusted to sign the updates. You can use the gpg command to find
out what the key ID is. That's not a random number; it's a
hexadecimal number which identifies the key.
>Why doesn't sa-learn simply trust the keys that are added to its
>keychain without this extra (and at least for me, confusing) step? I'm
>starting to think the simplest way to do this is just ignore the gpg
>flags entirely and use --nogpg. What's the downside to this (other
>than the obvious DNS hijacking to point the URL to some spammer site
>with bad data which seems a remote enough chance to ignore).
Because sa-update is designed to provide updates in a secure way. If
you want the simplest way, you can ignore these steps and face the
consequences when something goes wrong.
Regards,
-sm
Re: sought rules updates
Posted by Kai Schaetzl <ma...@conactive.com>.
LuKreme wrote on Wed, 10 Dec 2008 14:51:47 -0700:
> I read the man page, where there is no mention of how to obtain this
> number. In fact, I read many posts, and many webpages and have still
> not found that information. I've seen the IDs in others posts, sure,
> but where do they originate?
I'm not an expert on this. You need something to identify a key. This is
probably some hash derived from the key (by means of some gpg tool).
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: sought rules updates
Posted by LuKreme <kr...@kreme.com>.
On 10-Dec-2008, at 01:31, Kai Schaetzl wrote:
> Duane Hill wrote on Wed, 10 Dec 2008 06:53:39 +0000 (UTC):
>> Do a search for 'sought' on the SA wiki page
>
> and read the documentation on sa-update before you ask again ;-)
I read the man page, where there is no mention of how to obtain this
number. In fact, I read many posts, and many webpages and have still
not found that information. I've seen the IDs in others posts, sure,
but where do they originate?
Even searching the wiki (which just links to the previously linked http://taint.org/2007/08/15/004348a.html
)is merely a "here's the random-looking digits you pass to --gpgkey"
and not a "here's what the --gpgkey is, means, and how it's generated".
Why doesn't sa-learn simply trust the keys that are added to its
keychain without this extra (and at least for me, confusing) step? I'm
starting to think the simplest way to do this is just ignore the gpg
flags entirely and use --nogpg. What's the downside to this (other
than the obvious DNS hijacking to point the URL to some spammer site
with bad data which seems a remote enough chance to ignore).
--
Advance and attack! Attack and destroy! Destroy and rejoice!
Re: sought rules updates
Posted by Kai Schaetzl <ma...@conactive.com>.
Duane Hill wrote on Wed, 10 Dec 2008 06:53:39 +0000 (UTC):
> Do a search for 'sought' on the SA wiki page
and read the documentation on sa-update before you ask again ;-)
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: sought rules updates
Posted by Duane Hill <d....@yournetplus.com>.
On Tue, 9 Dec 2008, LuKreme wrote:
>
> (where did you find/get the 6C6191E3?).
Not too hard:
Do a search for 'sought' on the SA wiki page (which is linked off of
http://spamassassin.apache.org/):
http://wiki.apache.org/spamassassin/
The very first link provided this:
http://wiki.apache.org/spamassassin/SoughtRules?highlight=%28sought%29
Following the link stating:
"Here are instructions on how to use it."
it states this:
sudo sa-update \
--gpgkey 6C6191E3 --channel sought.rules.yerp.org
Re: sought rules updates
Posted by LuKreme <kr...@kreme.com>.
On 9-Dec-2008, at 17:09, John Horne wrote:
> Try:
>
> sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org
Ok, that gives me no error (where did you find/get the 6C6191E3?). It
sits for about 20-30 seconds and then I get a prompt back. But as far
as I can tell, nothing has changed. There is no new .cf file in /etc/
mail/spamassassin (which is a link /etc/mail/spamassassin -> ../../usr/
local/etc/mail/spamassassin if that matters), for example.
--
These are the thoughts that kept me out of the really good schools. --
George Carlin
Re: sought rules updates
Posted by John Horne <jo...@plymouth.ac.uk>.
On Tue, 2008-12-09 at 16:50 -0700, LuKreme wrote:
> On 9-Dec-2008, at 12:58, Bill Landry wrote:
> > Both the official SA rules and 3rd party rules can be updated via
> > sa-update. For information and instructions, see:
> >
> > http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
>
> Ah yes, I remember a lot of those from the days run rjd. Geez there's
> a lot of them... and they look like they are very old, with last
> updated dates in 2005-2006 and none newer than Aug 2007.
>
> I tried this:
>
> $ cd /etc/mail/spamassassin
> $ wget http://yerp.org/rules/GPG.KEY
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                  Dload  Upload   Total   Spent    Left  Speed
> 100  2437  100  2437    0     0  10583      0 --:--:-- --:--:-- --:--:-- 1291k
> $ sa-update --import GPG.KEY
> $ sa-update --channel sought.rules.yerp.org
> error: GPG validation failed!
>
Try:
sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org
John.
--
---------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287
E-mail: John.Horne@plymouth.ac.uk Fax: +44 (0)1752 587001
Re: sought rules updates
Posted by LuKreme <kr...@kreme.com>.
On 9-Dec-2008, at 12:58, Bill Landry wrote:
> Both the official SA rules and 3rd party rules can be updated via
> sa-update. For information and instructions, see:
>
> http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
Ah yes, I remember a lot of those from the days run rjd. Geez there's
a lot of them... and they look like they are very old, with last
updated dates in 2005-2006 and none newer than Aug 2007.
I tried this:
$ cd /etc/mail/spamassassin
$ wget http://yerp.org/rules/GPG.KEY
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2437  100  2437    0     0  10583      0 --:--:-- --:--:-- --:--:-- 1291k
$ sa-update --import GPG.KEY
$ sa-update --channel sought.rules.yerp.org
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
failed.
channel: GPG validation failed, channel failed
(sa-update-keys/pubring.gpg does increase in size after I run the
import command)
--
Criticizing evolutionary theory because Darwin was limited is like
claiming computers don't work because Chuck Babbage didn't
foresee Duke Nukem 3.
Re: sought rules updates
Posted by Bill Landry <bi...@inetmsg.com>.
LuKreme wrote:
> On 9-Dec-2008, at 08:15, Karsten Bräckelmann wrote:
>> On Tue, 2008-12-09 at 08:51 +0000, Nigel Frankcom wrote:
>>> I haven't seen an update from sa-update in months. What version is
>>> current?
>>
>> Nigel, Chris wasn't talking about the stock rule-set, but the
>> third-party JM_SOUGHT rules. The latter usually are updated multiple
>> times a day, while the stock rules are updated very infrequently only,
>> when needed.
>
>
> How does one use sa-update to find/get new 3rd party rules? As I
> recall, rules-du-jour was EOLed.
>
> Or do you have to get them first, then sa-update will update them?
>
> I'm thinking the old rules like
>
> random.cf
> tripwire.cf
> 70_sc_top200.cf
> Botnet.pm
> 70_sare_uri_eng.cf
>
> etc should all be removed?
>
Both the official SA rules and 3rd party rules can be updated via
sa-update. For information and instructions, see:
http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
Bill
Re: sought rules updates
Posted by LuKreme <kr...@kreme.com>.
On 9-Dec-2008, at 08:15, Karsten Bräckelmann wrote:
> On Tue, 2008-12-09 at 08:51 +0000, Nigel Frankcom wrote:
>> I haven't seen an update from sa-update in months. What version is
>> current?
>
> Nigel, Chris wasn't talking about the stock rule-set, but the
> third-party JM_SOUGHT rules. The latter usually are updated multiple
> times a day, while the stock rules are updated very infrequently only,
> when needed.
How does one use sa-update to find/get new 3rd party rules? As I
recall, rules-du-jour was EOLed.
Or do you have to get them first, then sa-update will update them?
I'm thinking the old rules like
random.cf
tripwire.cf
70_sc_top200.cf
Botnet.pm
70_sare_uri_eng.cf
etc should all be removed?
--
I know that you believe you understand what you think I said but I
am not sure you realize that what you heard is not what I
meant.
Re: sought rules updates
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Tue, 2008-12-09 at 08:51 +0000, Nigel Frankcom wrote:
> I haven't seen an update from sa-update in months. What version is
> current?
Nigel, Chris wasn't talking about the stock rule-set, but the
third-party JM_SOUGHT rules. The latter usually are updated multiple
times a day, while the stock rules are updated very infrequently only,
when needed.
> >> Has anyone seen any updates to the sought rules lately? It seems like it's
> >> been about 4 or 5 days now since I've seen any via sa-update.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: sought rules updates
Posted by Leveau Stanislas <st...@ac-caen.fr>.
the current Sought version : # UPDATE version 320722979
and spamassassin : # UPDATE version 709395
> I haven't seen an update from sa-update in months. What version is
> current?
>
> I have dbg: dns: 5.2.3.updates.spamassassin.org => 709395, parsed as
> 709395 showing here.
>
> This even after a dns crash and replace.
>
> Nigel
>
> On Tue, 9 Dec 2008 09:39:11 +0100, Leveau Stanislas
> <st...@ac-caen.fr> wrote:
>
>> Hi
>>
>> I have the same "problem"
>>
>> regards
>> Stan
>>
>>> Has anyone seen any updates to the sought rules lately? It seems like it's
>>> been about 4 or 5 days now since I've seen any via sa-update.
>>>
>>> --
>>> Chris
>>> KeyID 0xE372A7DA98E6705C
>>>
>>
>>
>
Re: sought rules updates
Posted by Nigel Frankcom <ni...@blue-canoe.com>.
I haven't seen an update from sa-update in months. What version is
current?
I have dbg: dns: 5.2.3.updates.spamassassin.org => 709395, parsed as
709395 showing here.
This even after a dns crash and replace.
Nigel
On Tue, 9 Dec 2008 09:39:11 +0100, Leveau Stanislas
<st...@ac-caen.fr> wrote:
>Hi
>
>I have the same "problem"
>
>regards
>Stan
>
>> Has anyone seen any updates to the sought rules lately? It seems like it's
>> been about 4 or 5 days now since I've seen any via sa-update.
>>
>> --
>> Chris
>> KeyID 0xE372A7DA98E6705C
>>
>
>
Re: sought rules updates
Posted by Leveau Stanislas <st...@ac-caen.fr>.
Hi
I have the same "problem"
regards
Stan
> Has anyone seen any updates to the sought rules lately? It seems like it's
> been about 4 or 5 days now since I've seen any via sa-update.
>
> --
> Chris
> KeyID 0xE372A7DA98E6705C
>
Re: sought rules updates
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2008-12-08 at 20:00 -0600, Chris wrote:
> Has anyone seen any updates to the sought rules lately? It seems like it's
> been about 4 or 5 days now since I've seen any via sa-update.
I believe this is due to the recent SSL cert update for ASF svn. Changed
without a heads up in advance... :( This broke automated processes.
AFAIK Justin is aware of this, and hopefully will have fixed it
soon. :)
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: sought rules updates
Posted by John Hardin <jh...@impsec.org>.
On Mon, 8 Dec 2008, Chris wrote:
> Has anyone seen any updates to the sought rules lately? It seems like it's
> been about 4 or 5 days now since I've seen any via sa-update.
Ditto here.
jhardin@ga $ ll /var/lib/spamassassin/3.001008/sought_rules_yerp_org
total 320
-rw-r--r-- 1 root root 24156 Dec 4 04:08 20_sought.cf
-rw-r--r-- 1 root root 292821 Dec 4 04:08 20_sought_fraud.cf
-rw-r--r-- 1 root root 29 Dec 4 04:08 MIRRORED.BY
SVN is still getting commits...
http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_sought_fraud.cf
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Of the twenty-two civilizations that have appeared in history,
nineteen of them collapsed when they reached the moral state the
United States is in now. -- Arnold Toynbee
-----------------------------------------------------------------------
6 days until Bill of Rights day