RE: sa-update and SA versions

[Karsten Bräckelmann <gu...@rudersport.de>]

> > The differences between 3.2.x versions are code fixes. There 
> > is no difference in rules, when using sa-update.
> > 
> > While it is possible to publish per micro version updates, 
> > this is not necessary and thus not used for 3.2.x. They all 
> > share the very same rules and updates.
> 
> Karsten,
> 
> what about when we consider and migrate from 3.2.5 to 3.3.x once it is
> officially released ?

Smart move asking one of the more recent additions to the dev team... ;)

> will there be info from the SA Team about what rules have changes and what
> "mods" that have come from the list that most of us are using in 3.2.5 that
> should be double checked for and removed in terms of rules and otherwise?
> 
> anything you can clue us in on before hand?

Well, I joined the SA dev team about a year ago, after 3.2.0 has been
released. Since I am going entirely from memory and observations as a
user, take this with a grain of salt.

However, from what I recall when 3.2.0 was released, there was no
detailed list of modified, added or dropped rules. Frankly, it is my
understanding this would be impossible to do in a way for a human to
grok anyway. Rules have been evolving during the entire time, and the GA
run decides which rules to incorporate and about their scores.

That said, I seem to recall that at least published SARE rule-sets have
been mentioned to be added to stock and thus obsoleted.

Speaking about rules posted to the list: Those often will be changed
slightly in the sandbox after the initial post. Let alone some rules
being posted in various versions on this list -- which one do you run?


As with all custom rules and scores, it's the admin's duty to check they
are reasonable. After all, a new stock rule not posted here before might
overlap with your home-brew code, too.

Also, there's no communications channel announcing sa-update rule
updates in detail.

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

Re: sa-update and SA versions

[Karsten Bräckelmann <gu...@rudersport.de>]

On Wed, 2009-06-10 at 17:39 -0400, Adam Katz wrote:
> Karsten Bräckelmann wrote:
> > That said, I seem to recall that at least published SARE rule-sets
> > have been mentioned to be added to stock and thus obsoleted.
> 
> I suppose this is a point for Daryl (DOS) or whomever "maintains" SARE
> (read: runs the DNS), but they are not configured to obsolete nicely:

Err... No.  Actually, I was specifically about backhair or one of those
rule-sets. Note the "added to stock" part.

As for *all* SARE rule-sets, there is *one* definite source of status.
Rulesemporium. The very front page claims loudly the stuff is not
maintained. Each rule-set got a hint about last updated, last mass-
checked, and there are lots of sets specifically mentioning a SA version
number it is intended for.

Daryl provides a mirror of that stuff for anyone who deliberately WANTS
these rules. He is not to blame, but the admin who installs 5 years old
rules.

There is no way for sa-update to fade out or obsolete a rule-set. There
is a version number to indicate an update. Installing them is on the
discretion of the admin.

Oh, and some, well, one(?) are actually updated these days and alive.


> > Also, there's no communications channel announcing sa-update rule
> > updates in detail.
> 
> Ooh, I like the idea of an RSS feed or a bot that posts to this list
> (or the dev list), specifically for retractions/removals and security
> updates, and hopefully not for any minor score tweak (or perhaps a
> ~weekly digest of such things).  This might be as simple as a script
> monitoring SVN checkins.

There is an svn checkins list.


> > Speaking about rules posted to the list: Those often will be
> > changed slightly in the sandbox after the initial post. Let alone
> > some rules being posted in various versions on this list -- which
> > one do you run?
> 
> I'm not sure if you actually want this, but ...  Rules I've pushed to
> and taken from this list are attached.

While I'm glad to see a couple KB prefixed rules right at the top... :)

No, I did not mean you to post them. That was a remark for the reader to
*think* about the various versions posted, and how many (read all) of
them are spread around thousands of systems.

That effectively means that a note about such rules going into stock
needs to include all of the versions, mentioning their specific overlap,
fuzziness, ...  Impossible.

Let alone local tweaks to those rules. Ultimately, the admin is
responsible for ANY third-party stuff he installed.


BTW, all my RATWARE_OUTLOOK variants are super-sets of the 08 one, as I
have mentioned on this list when I first posted them here. The 08 one is
the one, the rest where meant for debugging only.

  guenther

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

Re: sa-update and SA versions

[Adam Katz <an...@khopis.com>]

Karsten Bräckelmann wrote:
> That said, I seem to recall that at least published SARE rule-sets
> have been mentioned to be added to stock and thus obsoleted.

I suppose this is a point for Daryl (DOS) or whomever "maintains" SARE
(read: runs the DNS), but they are not configured to obsolete nicely:

$ host -t txt 0.3.3.70_sare_spoof.cf.sare.sa-update.dostech.net
0.3.3.70_sare_spoof.cf.sare.sa-update.dostech.net descriptive text
"200701151000"
$ host -t txt 4.4.4.70_sare_adult.cf.sare.sa-update.dostech.net
4.4.4.70_sare_adult.cf.sare.sa-update.dostech.net descriptive text
"200705210700"

Obsoleted rules should be ... obsoleted.  This means fixing those DNS
wildcard entries well *before* any pre/alpha releases that might
consider their versions 3.3+

> Also, there's no communications channel announcing sa-update rule
> updates in detail.

Ooh, I like the idea of an RSS feed or a bot that posts to this list
(or the dev list), specifically for retractions/removals and security
updates, and hopefully not for any minor score tweak (or perhaps a
~weekly digest of such things).  This might be as simple as a script
monitoring SVN checkins.

> Speaking about rules posted to the list: Those often will be
> changed slightly in the sandbox after the initial post. Let alone
> some rules being posted in various versions on this list -- which
> one do you run?

I'm not sure if you actually want this, but ...  Rules I've pushed to
and taken from this list are attached.  The pushed rules are a small
sub-set of those available through my publicly accessible sa-update
channels, http://khopesh.com/Anti-spam#sa-update_channels

-- 
Adam Katz
khopesh on irc://irc.freenode.net/#spamassassin
http://khopesh.com/Anti-spam

Re: sa-update and SA versions

[LuKreme <kr...@kreme.com>]

On 9-Jun-2009, at 11:36, Karsten Bräckelmann wrote:
> Smart move asking one of the more recent additions to the dev  
> team... ;)


So... how long until 3.3 is ready, then, huh? huh? how long?

... whistles innocently ...

-- 
Lisa Bonet ate no Basil