Re: checkSAupdateMirrors.sh on sa-vm.apache.org - 1 mirror DOWN, 0 mirrors STALE
I've seen sa-update.space-pro.be not returning any IPs occasionally on my private mirror check script too. I guess there's some random name server problems. On Sun, May 01, 2022 at 12:21:04AM -0400, Kevin A. McGrail wrote: > I emailed M.Eng. René Schwarz to see if there was a > status on his mirror. > > On 5/1/2022 12:18 AM, aut...@sa-vm.apache.org wrote: > > https://sa-update.mailfud.org/ (5.196.88.134): UP (CURRENT) > > > > http://sa-update.dnswl.org/ (116.203.4.105): UP (CURRENT) > > > > https://www.sa-update.pccc.com/ (69.171.29.42): UP (CURRENT) > > > > Failed to dig IPs for sa-update.space-pro.be > > > > http://sa-update.ena.com/ (96.4.1.5): UP (CURRENT) > > > > http://sa-update.ena.com/ (96.5.1.5): UP (CURRENT) > > > > https://sa-update.razx.cloud/ (104.21.69.80): UP (CURRENT) > > > > https://sa-update.razx.cloud/ (172.67.206.130): UP (CURRENT) > > > > http://sa-update.fossies.org/ (144.76.163.196): UP (CURRENT) > > > > http://sa-update.verein-clean.net/ (37.252.124.130): UP (CURRENT) > > > > http://sa-update.verein-clean.net/ (37.252.120.157): UP (CURRENT) > > > > https://sa-update-asf.snb.it/ (151.80.178.91): UP (CURRENT) > > > > http://sa-update.spamassassin.org/ (64.142.56.146): UP (CURRENT) > > -- > Kevin A. McGrail > kmcgr...@apache.org > > Member, Apache Software Foundation > Chair Emeritus Apache SpamAssassin Project > https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: checkSAupdateMirrors.sh on sa-vm.apache.org - 1 mirror DOWN, 0 mirrors STALE
I emailed M.Eng. René Schwarz to see if there was a status on his mirror. On 5/1/2022 12:18 AM, aut...@sa-vm.apache.org wrote: https://sa-update.mailfud.org/ (5.196.88.134): UP (CURRENT) http://sa-update.dnswl.org/ (116.203.4.105): UP (CURRENT) https://www.sa-update.pccc.com/ (69.171.29.42): UP (CURRENT) Failed to dig IPs for sa-update.space-pro.be http://sa-update.ena.com/ (96.4.1.5): UP (CURRENT) http://sa-update.ena.com/ (96.5.1.5): UP (CURRENT) https://sa-update.razx.cloud/ (104.21.69.80): UP (CURRENT) https://sa-update.razx.cloud/ (172.67.206.130): UP (CURRENT) http://sa-update.fossies.org/ (144.76.163.196): UP (CURRENT) http://sa-update.verein-clean.net/ (37.252.124.130): UP (CURRENT) http://sa-update.verein-clean.net/ (37.252.120.157): UP (CURRENT) https://sa-update-asf.snb.it/ (151.80.178.91): UP (CURRENT) http://sa-update.spamassassin.org/ (64.142.56.146): UP (CURRENT) -- Kevin A. McGrail kmcgr...@apache.org Member, Apache Software Foundation Chair Emeritus Apache SpamAssassin Project https://www.linkedin.com/in/kmcgrail - 703.798.0171
checkSAupdateMirrors.sh on sa-vm.apache.org - 1 mirror DOWN, 0 mirrors STALE
https://sa-update.mailfud.org/ (5.196.88.134): UP (CURRENT) http://sa-update.dnswl.org/ (116.203.4.105): UP (CURRENT) https://www.sa-update.pccc.com/ (69.171.29.42): UP (CURRENT) Failed to dig IPs for sa-update.space-pro.be http://sa-update.ena.com/ (96.4.1.5): UP (CURRENT) http://sa-update.ena.com/ (96.5.1.5): UP (CURRENT) https://sa-update.razx.cloud/ (104.21.69.80): UP (CURRENT) https://sa-update.razx.cloud/ (172.67.206.130): UP (CURRENT) http://sa-update.fossies.org/ (144.76.163.196): UP (CURRENT) http://sa-update.verein-clean.net/ (37.252.124.130): UP (CURRENT) http://sa-update.verein-clean.net/ (37.252.120.157): UP (CURRENT) https://sa-update-asf.snb.it/ (151.80.178.91): UP (CURRENT) http://sa-update.spamassassin.org/ (64.142.56.146): UP (CURRENT)
Re: HTTPS for mirrors
Thanks, Henrik. I'm agnostic on this change but I thought it was interesting it took Dave some trouble to setup http vs https. On 4/30/2022 11:46 PM, Henrik K wrote: If you look at current MIRRORED.BY, that's how it already done. Only 3.3 skips any non-http:// lines. So 3.3 rule updates need to be officially deprecated before changing last http-mirror. And amazingly there are still active users as seen from the "if has()" reports.. I'll leave general timetable for the list consensus, it's up to the volunteers.. On Sat, Apr 30, 2022 at 09:55:26PM -0400, Kevin A. McGrail wrote: That's quite interesting, Dave. Thanks. Henrik, do we have a way of supporting both http and https? So like one config line is http and another is https? Then we can ask mirrors to start moving to https with a goal perhaps of next May? Regards, KAM On 4/29/2022 12:27 AM, Dave Warren wrote: On 2022-04-28 07:30, Bill Cole wrote: I see no reason to make HTTPS mandatory for mirrors at this point. It does mean an extra layer that can break and the impersonation attacks that it enables would be extremely complicated to mount, so may be entirely theoretical. I would rather keep unencrypted mirrors for the sake of availability than drive away helpful collaborators just because they haven't had a free hour recently to make HTTPS work. I don't care either way, but it is literally more work for me to maintain a HTTP mirror than not. Why? My web server configuration all starts with a default "HTTP? 301 redirect to HTTPS" rule, so getting HTTP content to bypass that is literally more lines of configuration, and extra testing when upgrading software or moving stuff around. It isn't a big deal. The "work" is already done, and I mirror torbrowser and sometimes tails as well and there is a stronger use-case for maintaining HTTP indefinitely there, so adding one more hostname to the "okay, serve it with http too" list isn't even on my radar of things to care about. I do care about encryption in general though. HTTPS is an inconsequential amount of overhead and has been for a decade or so (from my perspective). And I have trouble imagining any machine that is simultaneously powerful enough to run SpamAssassin and also finds the overhead of HTTPS as consequential. As noted elsewhere in the thread, I'm one of the mirrors that offers HTTPS already, this is because it is already part of my provisioning system when I add a site and like allowing HTTP at all, it would be more work to carve out an exception. I have no preference or vote in either direction here specifically, but for my part I consider HTTP legacy and am a strong believer in replacing HTTP services with a static 301 response and calling it a day. -- Kevin A. McGrail kmcgr...@apache.org Member, Apache Software Foundation Chair Emeritus Apache SpamAssassin Project https://www.linkedin.com/in/kmcgrail - 703.798.0171 -- Kevin A. McGrail kmcgr...@apache.org Member, Apache Software Foundation Chair Emeritus Apache SpamAssassin Project https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: HTTPS for mirrors
If you look at current MIRRORED.BY, that's how it already done. Only 3.3 skips any non-http:// lines. So 3.3 rule updates need to be officially deprecated before changing last http-mirror. And amazingly there are still active users as seen from the "if has()" reports.. I'll leave general timetable for the list consensus, it's up to the volunteers.. On Sat, Apr 30, 2022 at 09:55:26PM -0400, Kevin A. McGrail wrote: > That's quite interesting, Dave. Thanks. > > Henrik, do we have a way of supporting both http and https? So like one > config line is http and another is https? Then we can ask mirrors to start > moving to https with a goal perhaps of next May? > > Regards, > > KAM > > On 4/29/2022 12:27 AM, Dave Warren wrote: > > On 2022-04-28 07:30, Bill Cole wrote: > > > I see no reason to make HTTPS mandatory for mirrors at this point. > > > It does mean an extra layer that can break and the impersonation > > > attacks that it enables would be extremely complicated to mount, so > > > may be entirely theoretical. I would rather keep unencrypted > > > mirrors for the sake of availability than drive away helpful > > > collaborators just because they haven't had a free hour recently to > > > make HTTPS work. > > > > I don't care either way, but it is literally more work for me to > > maintain a HTTP mirror than not. > > > > Why? My web server configuration all starts with a default "HTTP? 301 > > redirect to HTTPS" rule, so getting HTTP content to bypass that is > > literally more lines of configuration, and extra testing when upgrading > > software or moving stuff around. > > > > It isn't a big deal. The "work" is already done, and I mirror > > torbrowser and sometimes tails as well and there is a stronger use-case > > for maintaining HTTP indefinitely there, so adding one more hostname to > > the "okay, serve it with http too" list isn't even on my radar of > > things to care about. > > > > I do care about encryption in general though. > > > > HTTPS is an inconsequential amount of overhead and has been for a > > decade or so (from my perspective). And I have trouble imagining any > > machine that is simultaneously powerful enough to run SpamAssassin and > > also finds the overhead of HTTPS as consequential. > > > > As noted elsewhere in the thread, I'm one of the mirrors that offers > > HTTPS already, this is because it is already part of my provisioning > > system when I add a site and like allowing HTTP at all, it would be > > more work to carve out an exception. > > > > I have no preference or vote in either direction here specifically, but > > for my part I consider HTTP legacy and am a strong believer in > > replacing HTTP services with a static 301 response and calling it a > > day. > > -- > Kevin A. McGrail > kmcgr...@apache.org > > Member, Apache Software Foundation > Chair Emeritus Apache SpamAssassin Project > https://www.linkedin.com/in/kmcgrail - 703.798.0171
checkSAupdateMirrors.sh on sa-vm.apache.org - 1 mirror DOWN, 0 mirrors STALE
https://sa-update.mailfud.org/ (5.196.88.134): UP (CURRENT) http://sa-update.dnswl.org/ (116.203.4.105): UP (CURRENT) https://www.sa-update.pccc.com/ (69.171.29.42): UP (CURRENT) Failed to dig IPs for sa-update.space-pro.be http://sa-update.ena.com/ (96.5.1.5): UP (CURRENT) http://sa-update.ena.com/ (96.4.1.5): UP (CURRENT) https://sa-update.razx.cloud/ (104.21.69.80): UP (CURRENT) https://sa-update.razx.cloud/ (172.67.206.130): UP (CURRENT) http://sa-update.fossies.org/ (144.76.163.196): UP (CURRENT) http://sa-update.verein-clean.net/ (37.252.120.157): UP (CURRENT) http://sa-update.verein-clean.net/ (37.252.124.130): UP (CURRENT) https://sa-update-asf.snb.it/ (151.80.178.91): UP (CURRENT) http://sa-update.spamassassin.org/ (64.142.56.146): UP (CURRENT)
Re: HTTPS for mirrors
That's quite interesting, Dave. Thanks. Henrik, do we have a way of supporting both http and https? So like one config line is http and another is https? Then we can ask mirrors to start moving to https with a goal perhaps of next May? Regards, KAM On 4/29/2022 12:27 AM, Dave Warren wrote: On 2022-04-28 07:30, Bill Cole wrote: I see no reason to make HTTPS mandatory for mirrors at this point. It does mean an extra layer that can break and the impersonation attacks that it enables would be extremely complicated to mount, so may be entirely theoretical. I would rather keep unencrypted mirrors for the sake of availability than drive away helpful collaborators just because they haven't had a free hour recently to make HTTPS work. I don't care either way, but it is literally more work for me to maintain a HTTP mirror than not. Why? My web server configuration all starts with a default "HTTP? 301 redirect to HTTPS" rule, so getting HTTP content to bypass that is literally more lines of configuration, and extra testing when upgrading software or moving stuff around. It isn't a big deal. The "work" is already done, and I mirror torbrowser and sometimes tails as well and there is a stronger use-case for maintaining HTTP indefinitely there, so adding one more hostname to the "okay, serve it with http too" list isn't even on my radar of things to care about. I do care about encryption in general though. HTTPS is an inconsequential amount of overhead and has been for a decade or so (from my perspective). And I have trouble imagining any machine that is simultaneously powerful enough to run SpamAssassin and also finds the overhead of HTTPS as consequential. As noted elsewhere in the thread, I'm one of the mirrors that offers HTTPS already, this is because it is already part of my provisioning system when I add a site and like allowing HTTP at all, it would be more work to carve out an exception. I have no preference or vote in either direction here specifically, but for my part I consider HTTP legacy and am a strong believer in replacing HTTP services with a static 301 response and calling it a day. -- Kevin A. McGrail kmcgr...@apache.org Member, Apache Software Foundation Chair Emeritus Apache SpamAssassin Project https://www.linkedin.com/in/kmcgrail - 703.798.0171
pushDNStoSVN.sh on sa-vm.apache.org - 1 DNS zone updated
spamassassin.org: pdnsutil list-zone spamassassin.org OK (use 'load-zone spamassassin.org FILE' to restore) svn status /usr/local/spamassassin/automc/svn/dns M /usr/local/spamassassin/automc/svn/dns/spamassassin.org OK svn commit -m 'DNS updates' /usr/local/spamassassin/automc/svn/dns Sendingsvn/dns/spamassassin.org Transmitting file data .done Committing transaction... Committed revision 1900433.
checkSAupdateMirrors.sh on sa-vm.apache.org - 1 mirror DOWN, 0 mirrors STALE
https://sa-update.mailfud.org/ (5.196.88.134): UP (CURRENT) http://sa-update.dnswl.org/ (116.203.4.105): UP (CURRENT) https://www.sa-update.pccc.com/ (69.171.29.42): UP (CURRENT) Failed to dig IPs for sa-update.space-pro.be http://sa-update.ena.com/ (96.5.1.5): UP (CURRENT) http://sa-update.ena.com/ (96.4.1.5): UP (CURRENT) https://sa-update.razx.cloud/ (104.21.69.80): UP (CURRENT) https://sa-update.razx.cloud/ (172.67.206.130): UP (CURRENT) http://sa-update.fossies.org/ (144.76.163.196): UP (CURRENT) http://sa-update.verein-clean.net/ (37.252.124.130): UP (CURRENT) http://sa-update.verein-clean.net/ (37.252.120.157): UP (CURRENT) https://sa-update-asf.snb.it/ (151.80.178.91): UP (CURRENT) http://sa-update.spamassassin.org/ (64.142.56.146): UP (CURRENT)
Cron /usr/local/spamassassin/automc/svn/trunk/build/mkupdates/run_nightly 2>&1 | tee /var/www/automc.spamassassin.org/mkupdates/mkupdates.txt
+ promote_active_rules + pwd /usr/local/spamassassin/automc/svn/trunk + svn co https://svn.apache.org/repos/asf/spamassassin/trunk/rules https://svn.apache.org/repos/asf/spamassassin/trunk/rulesrc Checked out revision 1900416. Checked out revision 1900416. + /usr/bin/perl build/mkupdates/listpromotable HTTP get: https://ruleqa.spamassassin.org/last-net?xml=1 HTTP get: https://ruleqa.spamassassin.org/1-days-ago?xml=1 HTTP get: https://ruleqa.spamassassin.org/2-days-ago?xml=1 HTTP get: https://ruleqa.spamassassin.org/3-days-ago?xml=1 HTTP get: https://ruleqa.spamassassin.org/4-days-ago?xml=1 HTTP get: https://ruleqa.spamassassin.org/5-days-ago?xml=1 + mv rules/active.list.new rules/active.list + svn diff rules + cat /var/www/ruleqa.spamassassin.org/reports/LATEST Index: rules/active.list === --- rules/active.list (revision 1900416) +++ rules/active.list (working copy) @@ -1,6 +1,6 @@ # DO NOT EDIT: file generated by build/mkupdates/listpromotable # active ruleset list, automatically generated from https://ruleqa.spamassassin.org/ -# with results from: last-net: net-darxus net-ena-week0 net-ena-week1 net-ena-week2 net-ena-week3 net-ena-week4 net-giovanni-ham net-giovanni-spam net-giovanni-spammy net-grenier net-hege net-jhardin net-llanga net-mmiroslaw-mails-ham net-mmiroslaw-mails-spam net-pds net-spamsponge net-thendrikx; day 1: darxus ena-week0 ena-week1 ena-week2 ena-week3 ena-week4 giovanni-ham giovanni-spam giovanni-spammy grenier hege jhardin llanga mmiroslaw-mails-ham mmiroslaw-mails-spam pds thendrikx; day 2: darxus ena-week0 ena-week1 ena-week2 ena-week3 ena-week4 giovanni-ham giovanni-spam giovanni-spammy grenier hege jhardin llanga mmiroslaw-mails-ham mmiroslaw-mails-spam pds thendrikx; day 3: darxus ena-week0 ena-week1 ena-week2 ena-week3 ena-week4 giovanni-ham giovanni-spam giovanni-spammy grenier hege jhardin llanga mmiroslaw-mails-ham mmiroslaw-mails-spam pds thendrikx; day 4: darxus ena-week0 ena-week1 ena-week2 ena-week3 ena-week4 giovanni-ham giovanni-spam giovanni-spammy grenier hege jhardi n llanga mmiroslaw-mails-ham mmiroslaw-mails-spam pds spamsponge thendrikx; day 5: darxus ena-week0 ena-week1 ena-week2 ena-week3 ena-week4 giovanni-ham giovanni-spam giovanni-spammy grenier hege jhardin llanga mmiroslaw-mails-ham mmiroslaw-mails-spam spamsponge thendrikx +# with results from: last-net: net-darxus net-ena-week0 net-ena-week1 net-ena-week2 net-ena-week3 net-ena-week4 net-giovanni-ham net-giovanni-spam net-giovanni-spammy net-grenier net-hege net-jhardin net-llanga net-mmiroslaw-mails-ham net-mmiroslaw-mails-spam net-pds net-spamsponge net-thendrikx; day 1: darxus ena-week0 ena-week1 ena-week2 ena-week3 ena-week4 grenier hege jhardin llanga mmiroslaw-mails-ham mmiroslaw-mails-spam pds thendrikx; day 2: darxus ena-week0 ena-week1 ena-week2 ena-week3 ena-week4 giovanni-ham giovanni-spam giovanni-spammy grenier hege jhardin llanga mmiroslaw-mails-ham mmiroslaw-mails-spam pds thendrikx; day 3: darxus ena-week0 ena-week1 ena-week2 ena-week3 ena-week4 giovanni-ham giovanni-spam giovanni-spammy grenier hege jhardin llanga mmiroslaw-mails-ham mmiroslaw-mails-spam pds thendrikx; day 4: darxus ena-week0 ena-week1 ena-week2 ena-week3 ena-week4 giovanni-ham giovanni-spam giovanni-spammy grenier hege jhardin llanga mmiroslaw-mails-ham mmiroslaw-mail s-spam pds thendrikx; day 5: darxus ena-week0 ena-week1 ena-week2 ena-week3 ena-week4 giovanni-ham giovanni-spam giovanni-spammy grenier hege jhardin llanga mmiroslaw-mails-ham mmiroslaw-mails-spam pds spamsponge thendrikx # tflags publish AC_BR_BONANZA @@ -125,9 +125,6 @@ # good enough AXB_XMAILER_MIMEOLE_OL_1ECD5 -# good enough -BASE64_LENGTH_79_INF - # tflags learn BAYES_00 @@ -248,7 +245,7 @@ # good enough BODY_SINGLE_URI -# tflags net +# tflags publish BODY_URI_ONLY # tflags publish @@ -470,7 +467,7 @@ # tflags net FORM_FRAUD -# tflags net +# tflags publish FORM_FRAUD_3 # tflags publish @@ -848,7 +845,7 @@ # tflags publish HTML_SHRT_CMNT_OBFU_MANY -# tflags net +# tflags publish HTML_SINGLET_MANY # good enough @@ -873,9 +870,6 @@ JH_SPAMMY_PATTERN02 # tflags net -KHOP_FAKE_EBAY - -# tflags net KHOP_HELO_FCRDNS # tflags publish @@ -1101,9 +1095,6 @@ PDS_DBL_URL_TNB_RUNON # tflags net -PDS_FROM_2_EMAILS - -# tflags net PDS_HELO_SPF_FAIL # good enough @@ -1476,6 +1467,9 @@ REPTO_419_FRAUD_YN # good enough +SCC_BODY_URI_ONLY + +# good enough SCC_CANSPAM_2 # tflags publish @@ -1584,9 +1578,6 @@ SUBJ_BRKN_WORDNUMS # tflags net -SUBJ_UNNEEDED_HTML - -# tflags net SURBL_BLOCKED # good enough @@ -1673,12 +1664,6 @@ # good enough TVD_RCVD_SPACE_BRACKET -# tflags net -TVD_SPACE_RATIO_MINFP - -# tflags net -TVD_SUBJ_NUM_OBFU_MINFP - # good enough TVD_VISIT_PHARMA @@ -1850,7 +1835,7 @@ # good enough URI_OBFU_DOM -# tflags net +# tflags publish URI_ONLY_MSGID_MALF # tflags