Re: Rule updates?
On 11/6/2017 11:29 AM, Merijn van den Kroonenberg wrote:
>> I saw some messages on the list indicating that rule updates were going
>> to resume starting about a week ago. I haven't heard anything since and
>> still have not seen any updates. What is the current status?
>
> Its a work in progress, there was some feedback and some changes which had to be made. Any change requires a couple days to propagate through the masscheck system.
>
> Hopefully we have a working update system soon, but I would expect still at least a week to iron out some final things and probably another round of testing before going live.
>
> But all in all its really going forward now.

No problem. Since there was no announcement of the delay (that I was able to find) and no one else seemed to be mentioning it at all, I just wanted to make sure there wasn't some problem on my end preventing the updates from coming through.

--
Bowie
Re: Rule updates?
> I saw some messages on the list indicating that rule updates were going
> to resume starting about a week ago. I haven't heard anything since and
> still have not seen any updates. What is the current status?

It's a work in progress, there was some feedback and some changes which had to be made. Any change requires a couple days to propagate through the masscheck system.

Hopefully we have a working update system soon, but I would expect still at least a week to iron out some final things and probably another round of testing before going live.

But all in all it's really going forward now.

> --
> Bowie
Re: Rule updates working again
On 06/08/2017 05:46 AM, Reindl Harald wrote:
> it worked exactly one time
>
> On 06.06.2017 at 17:29, David Jones wrote:
>> FYI We have the rule build scripts working for updates via sa-update. Default rule scores are also updating thanks to our masscheckers out there.
>> https://wiki.apache.org/spamassassin/NightlyMassCheck
>
> [root@mail-gw:~]$ cat sa-update.log
> 01-Jun-2017 01:49:07: SpamAssassin: No update available
> 02-Jun-2017 01:15:09: SpamAssassin: No update available
> 03-Jun-2017 01:46:22: SpamAssassin: No update available
> 04-Jun-2017 00:37:18: SpamAssassin: No update available
> 05-Jun-2017 00:03:52: SpamAssassin: No update available
> 06-Jun-2017 00:02:18: SpamAssassin: No update available
> 06-Jun-2017 19:28:42: SpamAssassin: Update processed successfully
> 07-Jun-2017 00:44:05: SpamAssassin: No update available
> 08-Jun-2017 01:29:45: SpamAssassin: No update available

Is it possible that you have something else running sa-update and not logging to that sa-update.log? The time on 06-Jun seems to indicate that a special manual run was done out of the normal time period of the other log entries.

Run this and see what your 'channel cf' file is:

    sa-update -D -v

The first line in that cf file is the SVN version number that was installed by sa-update.

    head -1 /var/lib/spamassassin/3.004001/updates_spamassassin_org.cf
    # UPDATE version 1797895

The current version should be 1797895 for about 14 more hours.

--
Dave
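The check described in the reply above, as an added example that is not part of the original thread: it parses the log quoted in the post, finds the last successful update, flags runs far from the usual time of day (the hint that another job may be running sa-update), and reads the version from the first line of the channel cf file. The log line format is assumed to be the poster's own, and the function names and the 180-minute tolerance are illustrative.

```python
import re
from datetime import datetime
from statistics import median

# Log lines copied from the post above (the poster's own cron log format).
SA_UPDATE_LOG = """\
01-Jun-2017 01:49:07: SpamAssassin: No update available
02-Jun-2017 01:15:09: SpamAssassin: No update available
03-Jun-2017 01:46:22: SpamAssassin: No update available
04-Jun-2017 00:37:18: SpamAssassin: No update available
05-Jun-2017 00:03:52: SpamAssassin: No update available
06-Jun-2017 00:02:18: SpamAssassin: No update available
06-Jun-2017 19:28:42: SpamAssassin: Update processed successfully
07-Jun-2017 00:44:05: SpamAssassin: No update available
08-Jun-2017 01:29:45: SpamAssassin: No update available
"""

LOG_LINE = re.compile(
    r"^(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}): SpamAssassin: (.+)$"
)


def parse_log(text):
    """Return [(timestamp, message)] for well-formed lines; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
            entries.append((ts, m.group(2)))
    return entries


def last_success(entries):
    """Timestamp of the most recent successful update, or None."""
    ok = [ts for ts, msg in entries if msg == "Update processed successfully"]
    return max(ok) if ok else None


def days_since_update(entries, now):
    """Whole days between the last successful update and `now`."""
    ts = last_success(entries)
    return None if ts is None else (now - ts).days


def off_schedule(entries, tolerance_min=180):
    """Runs whose time of day is far from the median run time.

    The distance is measured around the clock so 23:50 and 00:10 count as
    20 minutes apart. The median itself is not circular, which is adequate
    when the scheduled runs do not straddle midnight (assumption).
    """
    if not entries:
        return []
    minutes = [ts.hour * 60 + ts.minute for ts, _ in entries]
    usual = median(minutes)
    flagged = []
    for (ts, _), m in zip(entries, minutes):
        gap = abs(m - usual)
        gap = min(gap, 1440 - gap)
        if gap > tolerance_min:
            flagged.append(ts)
    return flagged


def installed_version(first_line):
    """Extract N from a '# UPDATE version N' header line, or None."""
    m = re.match(r"^#\s*UPDATE version (\d+)\s*$", first_line)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    entries = parse_log(SA_UPDATE_LOG)
    print("last successful update:", last_success(entries))
    print("off-schedule runs:", off_schedule(entries))
    print("installed version:", installed_version("# UPDATE version 1797895"))
```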
Re: Rule updates are too old - 2016-06-03
If you join, you might relax a bit on rejecting spam, but saving it for masschecks.Thats what I do... I do reject something, but not everything I could. That's probably not a good idea if it leads to unrepresentative spam. In particular it may lead to botnet related tests being seriously overscored, causing extra FPs for little benefit to the TP rate. This seems to be already happening. There's could be a similar problem with spamtrap spam too. For RBLs and hashing it's OK to look at everything that goes to the address. SA QA should only use the spam that would have made it through to SA. That would tend to *under*score those rules for sites that have SA but few or no MTA-time DNSBL checks, wouldn't it? Yes, I know, "proper admin"; but such sites probably do exist - should we punish them by underscoring those rules? Okay. Now we need a consensus on this subtopic, right? I do not want to do harm to the project or users of it. The spam scores should be tuned for a well-configured server. Mail that can be trivially rejected by greylisting, rbl, spf and similar tools isn't all that interesting to use as a basis for the scores. -- Kim Roar Foldøy Hauge Event:Presse - The Gathering 2016 webmas...@samfunnet.no Root@HC,HX,JH,LZ,OT,P,VH
Re: Rule updates are too old - 2016-06-03
On 3.6.2016 19.21, John Hardin wrote:
> On Fri, 3 Jun 2016, RW wrote:
>
>> On Fri, 03 Jun 2016 17:54:59 +0300
>> Jari Fredriksson wrote:
>>>
>>> If you join, you might relax a bit on rejecting spam, but saving it
>>> for masschecks.Thats what I do... I do reject something, but not
>>> everything I could.
>>
>> That's probably not a good idea if it leads to unrepresentative spam.
>>
>> In particular it may lead to botnet related tests being seriously
>> overscored, causing extra FPs for little benefit to the TP rate. This
>> seems to be already happening.
>>
>> There's could be a similar problem with spamtrap spam too. For RBLs and
>> hashing it's OK to look at everything that goes to the address. SA
>> QA should only use the spam that would have made it through to SA.
>
> That would tend to *under*score those rules for sites that have SA but
> few or no MTA-time DNSBL checks, wouldn't it?
>
> Yes, I know, "proper admin"; but such sites probably do exist - should
> we punish them by underscoring those rules?
>

Okay. Now we need a consensus on this subtopic, right? I do not want to do harm to the project or users of it.

--
jarif.bit
Re: Rule updates are too old - 2016-06-03
On Fri, 3 Jun 2016, RW wrote: On Fri, 03 Jun 2016 17:54:59 +0300 Jari Fredriksson wrote: If you join, you might relax a bit on rejecting spam, but saving it for masschecks.Thats what I do... I do reject something, but not everything I could. That's probably not a good idea if it leads to unrepresentative spam. In particular it may lead to botnet related tests being seriously overscored, causing extra FPs for little benefit to the TP rate. This seems to be already happening. There's could be a similar problem with spamtrap spam too. For RBLs and hashing it's OK to look at everything that goes to the address. SA QA should only use the spam that would have made it through to SA. That would tend to *under*score those rules for sites that have SA but few or no MTA-time DNSBL checks, wouldn't it? Yes, I know, "proper admin"; but such sites probably do exist - should we punish them by underscoring those rules? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- There is no better measure of the unthinking contempt of the environmentalist movement for civilization than their call to turn off the lights and sit in the dark.-- Sultan Knish --- 3 days until the 72nd anniversary of D-Day
Re: Rule updates are too old - 2016-06-03
On Fri, 03 Jun 2016 17:54:59 +0300
Jari Fredriksson wrote:
>
> If you join, you might relax a bit on rejecting spam, but saving it
> for masschecks.Thats what I do... I do reject something, but not
> everything I could.

That's probably not a good idea if it leads to unrepresentative spam.

In particular it may lead to botnet related tests being seriously overscored, causing extra FPs for little benefit to the TP rate. This seems to be already happening.

There could be a similar problem with spamtrap spam too. For RBLs and hashing it's OK to look at everything that goes to the address. SA QA should only use the spam that would have made it through to SA.
Re: Rule updates are too old - 2016-06-03
On 3 June 2016 16.46.59 GMT+03:00, "Kim Roar Foldøy Hauge" wrote:
>On Fri, 3 Jun 2016, John Hardin wrote:
>
>> On Fri, 3 Jun 2016, dar...@chaosreigns.com wrote:
>>
>>> 20160602: Spam or ham is below threshold of 150,000:
>>> http://ruleqa.spamassassin.org/?daterev=20160602
>>> 20160602: Spam: 589792, Ham: 138721
>>
>> We've been hovering *just* below the ham threshold for a week or so now.
>>
>> Anyone who can contribute to masscheck please get in touch with Kevin
>> McGrail! Non-English ham is especially welcome. Even a little.
>>
>
>I have non-english ham and spam. I sent a mail ages ago about joining the
>masscheck. I don't think I got a reply.
>
>The traffic on the server isn't that high, 2500 connections per day. Most
>of the mail attempts are blocked by spf, rbl and greylisting. SA does
>however catch 5-10 norwegian UCBM per day, mostly thanks to custom rules.
>

If you join, you might relax a bit on rejecting spam, but saving it for masschecks. That's what I do... I do reject something, but not everything I could.

Quite low volume site, but still I think I do provide a considerable part of the ham we have in ruleqa.spamassassin.org. Most of that ham is Finnish bulk, but also personal mails from several persons. I rely heavily on SA categorization, but DO screen all ham and spam myself.

That said, spam is not so important anyway, as we are not short on that. Norwegian spam of course would be really cool!

>>
>> --
>> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
>> jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
>> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
>> ---
>> From the Liberty perspective, it doesn't matter if it's a
>> jackboot or a Birkenstock smashing your face. -- Robb Allen
>> ---
>> 3 days until the 72nd anniversary of D-Day
>>

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: Rule updates are too old - 2016-06-03
On Fri, 3 Jun 2016, John Hardin wrote: On Fri, 3 Jun 2016, dar...@chaosreigns.com wrote: 20160602: Spam or ham is below threshold of 150,000: http://ruleqa.spamassassin.org/?daterev=20160602 20160602: Spam: 589792, Ham: 138721 We've been hovering *just* below the ham threshold for a week or so now. Anyone who can contribute to masscheck please get in touch with Kevin McGrail! Non-English ham is especially welcome. Even a little. I have non-english ham and spam. I sent a mail ages ago about joining the masscheck. I don't think I got a reply. The traffic on the server isn't that high, 2500 connections per day. Most of the mail attempts are blocked by spf, rbl and greylisting. SA does however catch 5-10 norwegian UCBM per day, mostly thanks to custom rules. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- From the Liberty perspective, it doesn't matter if it's a jackboot or a Birkenstock smashing your face. -- Robb Allen --- 3 days until the 72nd anniversary of D-Day -- Kim Roar Foldøy Hauge Event:Presse - The Gathering 2016 webmas...@samfunnet.no Root@HC,HX,JH,LZ,OT,P,VH
Re: Rule updates are too old - 2016-06-03
On Fri, 3 Jun 2016, dar...@chaosreigns.com wrote: 20160602: Spam or ham is below threshold of 150,000: http://ruleqa.spamassassin.org/?daterev=20160602 20160602: Spam: 589792, Ham: 138721 We've been hovering *just* below the ham threshold for a week or so now. Anyone who can contribute to masscheck please get in touch with Kevin McGrail! Non-English ham is especially welcome. Even a little. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- From the Liberty perspective, it doesn't matter if it's a jackboot or a Birkenstock smashing your face. -- Robb Allen --- 3 days until the 72nd anniversary of D-Day
Re: Rule updates are too old - 2016-02-29
On 29.02.2016 at 17:57, John Hardin wrote:
> On Mon, 29 Feb 2016, dar...@chaosreigns.com wrote:
>> 20160228: Spam or ham is below threshold of 150,000:
>> http://ruleqa.spamassassin.org/?daterev=20160228
>> 20160228: Spam: 108401, Ham: 191807
>
> Masscheck is spam-starved again, rules updates will be spotty or nonexistent this week

sounds like 150,000 is too high and should be changed to 150,000 otherwise bad rules with high score like VERY_LONG_REPTO_SHORT_MSG would take way too long to get fixed
Re: Rule updates are too old - 2016-02-29
On Mon, 29 Feb 2016, dar...@chaosreigns.com wrote: 20160228: Spam or ham is below threshold of 150,000: http://ruleqa.spamassassin.org/?daterev=20160228 20160228: Spam: 108401, Ham: 191807 Masscheck is spam-starved again, rules updates will be spotty or nonexistent this week. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Maxim IX: Never turn your back on an enemy. --- 13 days until Albert Einstein's 137th Birthday
Re: Rule updates are too old - 2016-01-23
On Sat, 23 Jan 2016, dar...@chaosreigns.com wrote: 20160122: Spam: 156567, Ham: 200399 Looks like we may get an update... -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Ignorance doesn't make stuff not exist. -- Bucky Katt --- Today: John Moses Browning's 161st Birthday
Re: Rule updates are too old - 2016-01-21
On 01/21/2016 05:42 PM, John Hardin wrote: On Thu, 21 Jan 2016, dar...@chaosreigns.com wrote: 20160120: Spam or ham is below threshold of 150,000: http://ruleqa.spamassassin.org/?daterev=20160120 20160120: Spam: 131777, Ham: 142710 Oooo, so close! My spam levels are extremely low so I've increased my corpus' retention time and it's helping. (till my masschecks are not delivered in the given time window :-) With a bit of luck on Sat we'll have enough to push rules.
Re: Rule updates are too old - 2016-01-21
On Thu, 21 Jan 2016, dar...@chaosreigns.com wrote: 20160120: Spam or ham is below threshold of 150,000: http://ruleqa.spamassassin.org/?daterev=20160120 20160120: Spam: 131777, Ham: 142710 Oooo, so close! -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Public Education: the bureaucratic process of replacing an empty mind with a closed one. -- Thorax --- 2 days until John Moses Browning's 161st Birthday
Re: Rule updates are too old - 2016-01-20
On Wed, 20 Jan 2016, dar...@chaosreigns.com wrote: 20160119: Spam: 123699, Ham: 199560 ...almost there... -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Maxim I: Pillage, _then_ burn. --- 3 days until John Moses Browning's 161st Birthday
SARE RULEGEN, Re: Rule updates....
Ran these against my corpus. Here are the worst performers (lots in common with RW's complaints):

    SPAM%   HAM%    S/O     NAME
    0.013   0.153   0.080   __RULEGEN_PHISH_BLR6YY
    0.006   0.286   0.022   __RULEGEN_PHISH_0ATBRI
    0.008   0.334   0.023   __RULEGEN_PHISH_L3I0Z5
    0.002   0.300   0.006   __RULEGEN_PHISH_LGYG7Q
    0.017   1.387   0.012   __RULEGEN_PHISH_QVS6GE
    0.045   2.490   0.018   __RULEGEN_PHISH_UNQ4VP
    0.027   2.011   0.013   __RULEGEN_PHISH_B9HL3A

    body __RULEGEN_PHISH_UNQ4VP / may contain information that is /
    body __RULEGEN_PHISH_QVS6GE / or entity to which it is addressed/
    body __RULEGEN_PHISH_B9HL3A /The information contained in this /
    body __RULEGEN_PHISH_0ATBRI / it is addressed\. If you are n/
    body __RULEGEN_PHISH_LGYG7Q / you have received it in error. /
    body __RULEGEN_PHISH_BLR6YY /uthorised and regulated by the /
    body __RULEGEN_PHISH_L3I0Z5 / is intended solely for the ..d/

A large number of the FPs come from Paypal and similar services.

Even controlling for those, I haven't found the phishing ruleset useful at all. The fraud rules do have limited utility.

What relationship does this have to the 10+ year-old SARE stuff?

On 12/20/2014 03:35 AM, Axb wrote:
> On 12/18/2014 06:27 PM, RW wrote:
>> On Tue, 16 Dec 2014 13:10:05 +0100 Axb wrote:
>>> https://sourceforge.net/projects/sare/files/
>>> replaces any older version.
>>> leech while it lasts
>>> adjust scores if needed..
>>
>> There are some rules that shouldn't be there. (I only tested a few that looked the most dubious)
>>
>> The first is a common phrase in mail from UK banks and other financial services companies. Note the ise spelling which is common outside the US.
>>
>> body __RULEGEN_PHISH_BLR6YY /uthorised and regulated by the /
>>
>> The following are common in legal disclaimer signatures:
>>
>> body __RULEGEN_PHISH_UNQ4VP / may contain information that is /
>> body __RULEGEN_PHISH_B9HL3A /The information contained in this /
>> body __RULEGEN_PHISH_C6URDE / do not necessarily represent those of /
>> body __RULEGEN_PHISH_L3I0Z5 / is intended solely for the ..d/
>>
>> This hits some of of my ham:
>>
>> body __RULEGEN_PHISH_SRX3XZ / apologize for any inconvenience/
>>
>> Unless there's a bug, the fact that those disclaimer phrases got through suggests that these rules are either intended to be very much more aggressive than the SOUGHT rules, or the ham corpus isn't good enough.
>
> as the rules were generated with donated corpus data, you're more than welcome to send me an archive of ham samples to avoid these potential issues.
Re: SARE RULEGEN, Re: Rule updates....
On 01/09/2015 01:23 AM, Adam Katz wrote:
> Ran these against my corpus. Here are the worst performers (lots in common with RW's complaints):
>
>     SPAM%   HAM%    S/O     NAME
>     0.013   0.153   0.080   __RULEGEN_PHISH_BLR6YY
>     0.006   0.286   0.022   __RULEGEN_PHISH_0ATBRI
>     0.008   0.334   0.023   __RULEGEN_PHISH_L3I0Z5
>     0.002   0.300   0.006   __RULEGEN_PHISH_LGYG7Q
>     0.017   1.387   0.012   __RULEGEN_PHISH_QVS6GE
>     0.045   2.490   0.018   __RULEGEN_PHISH_UNQ4VP
>     0.027   2.011   0.013   __RULEGEN_PHISH_B9HL3A
>
>     body __RULEGEN_PHISH_UNQ4VP / may contain information that is /
>     body __RULEGEN_PHISH_QVS6GE / or entity to which it is addressed/
>     body __RULEGEN_PHISH_B9HL3A /The information contained in this /
>     body __RULEGEN_PHISH_0ATBRI / it is addressed\. If you are n/
>     body __RULEGEN_PHISH_LGYG7Q / you have received it in error. /
>     body __RULEGEN_PHISH_BLR6YY /uthorised and regulated by the /
>     body __RULEGEN_PHISH_L3I0Z5 / is intended solely for the ..d/
>
> A large number of the FPs come from Paypal and similar services.

Agreed, the rules are not close to ideal. The spam corpus is ancient, the ham corpus is too small.

> Even controlling for those, I haven't found the phishing ruleset useful at all. The fraud rules do have limited utility.

Agreed - blame bad stale data.

> What relationship does this have to the 10+ year-old SARE stuff?

I was part of the SARE group, and saved the rules (for historical reasons) to SF before the web site was shutdown for good.

As I don't have the means to set up a SA update channel, putting the RULEGEN rules on SF was the only option I had left.
Re: Rule updates....
On Sat, 20 Dec 2014 12:35:04 +0100 Axb wrote: On 12/18/2014 06:27 PM, RW wrote: Unless there's a bug, the fact that those disclaimer phrases got through suggests that these rules are either intended to be very much more aggressive than the SOUGHT rules, or the ham corpus isn't good enough. as the rules were generated with donated corpus data, you're more than welcome to send me an archive of ham samples to avoid these potential issues. Most of the hits were in mailing list folders, some were in this list. Most of your rules are sensible, but a minority look like they are picking-up on text lifted from legitimate mail. Some of these are still good rules because the text contains mistakes. IIRC Justin Mason used to check new sought sub-rules manually before releasing them.
Re: Rule updates....
On 12/18/2014 06:27 PM, RW wrote:
> On Tue, 16 Dec 2014 13:10:05 +0100 Axb wrote:
>> https://sourceforge.net/projects/sare/files/
>> replaces any older version.
>> leech while it lasts
>> adjust scores if needed..
>
> There are some rules that shouldn't be there. (I only tested a few that looked the most dubious)
>
> The first is a common phrase in mail from UK banks and other financial services companies. Note the ise spelling which is common outside the US.
>
> body __RULEGEN_PHISH_BLR6YY /uthorised and regulated by the /
>
> The following are common in legal disclaimer signatures:
>
> body __RULEGEN_PHISH_UNQ4VP / may contain information that is /
> body __RULEGEN_PHISH_B9HL3A /The information contained in this /
> body __RULEGEN_PHISH_C6URDE / do not necessarily represent those of /
> body __RULEGEN_PHISH_L3I0Z5 / is intended solely for the ..d/
>
> This hits some of of my ham:
>
> body __RULEGEN_PHISH_SRX3XZ / apologize for any inconvenience/
>
> Unless there's a bug, the fact that those disclaimer phrases got through suggests that these rules are either intended to be very much more aggressive than the SOUGHT rules, or the ham corpus isn't good enough.

as the rules were generated with donated corpus data, you're more than welcome to send me an archive of ham samples to avoid these potential issues.
Re: Rule updates....
On Tue, 16 Dec 2014 13:10:05 +0100 Axb wrote:
> https://sourceforge.net/projects/sare/files/
> replaces any older version.
> leech while it lasts
> adjust scores if needed..

There are some rules that shouldn't be there. (I only tested a few that looked the most dubious)

The first is a common phrase in mail from UK banks and other financial services companies. Note the ise spelling which is common outside the US.

    body __RULEGEN_PHISH_BLR6YY /uthorised and regulated by the /

The following are common in legal disclaimer signatures:

    body __RULEGEN_PHISH_UNQ4VP / may contain information that is /
    body __RULEGEN_PHISH_B9HL3A /The information contained in this /
    body __RULEGEN_PHISH_C6URDE / do not necessarily represent those of /
    body __RULEGEN_PHISH_L3I0Z5 / is intended solely for the ..d/

This hits some of my ham:

    body __RULEGEN_PHISH_SRX3XZ / apologize for any inconvenience/

Unless there's a bug, the fact that those disclaimer phrases got through suggests that these rules are either intended to be very much more aggressive than the SOUGHT rules, or the ham corpus isn't good enough.
Re: Rule updates....
On Thu, 18 Dec 2014, RW wrote: Unless there's a bug, the fact that those disclaimer phrases got through suggests that these rules are either intended to be very much more aggressive than the SOUGHT rules, or the ham corpus isn't good enough. Probably the latter. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Bother, said Pooh as he struggled with /etc/sendmail.cf, it never does quite what I want. I wish Christopher Robin was here. -- Peter da Silva in a.s.r --- 7 days until Christmas
Re: Rule updates....
On 2014.12.16 07.10, Axb wrote: https://sourceforge.net/projects/sare/files/ thanks for this. it's particularly timely for us, as we've just recently been pretty badly phished. is there a method which can be used to measure/report on the efficacy of these particular rules? -ben
Re: Rule updates....
On 12/17/2014 04:08 PM, btb wrote:
> On 2014.12.16 07.10, Axb wrote:
>> https://sourceforge.net/projects/sare/files/
>
> thanks for this. it's particularly timely for us, as we've just recently been pretty badly phished. is there a method which can be used to measure/report on the efficacy of these particular rules?

there's SA stat scripts out there or good old grep/count through your maillogs.
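One way to measure these rules against a hand-classified corpus, producing the same SPAM% / HAM% / S/O columns as the table posted earlier in the thread (an added example, not code from the thread or from SpamAssassin). The rule lines are copied from the thread; the messages are constructed samples, S/O is computed as SPAM% / (SPAM% + HAM%), which is consistent with the posted figures, and the whitespace folding only approximates how SpamAssassin renders a body.

```python
import re
from typing import NamedTuple, Optional

# Rule lines copied from the thread (SpamAssassin "body NAME /regex/" syntax).
RULES_CF = r"""
body __RULEGEN_PHISH_BLR6YY /uthorised and regulated by the /
body __RULEGEN_PHISH_UNQ4VP / may contain information that is /
body __RULEGEN_PHISH_C6URDE / do not necessarily represent those of /
body __RULEGEN_PHISH_L3I0Z5 / is intended solely for the ..d/
body __RULEGEN_PHISH_SRX3XZ / apologize for any inconvenience/
"""

# Constructed, hand-labelled samples (not real mail).
HAM = [
    "Example Bank plc is authorised and regulated by\nthe Financial Conduct Authority.",
    "This email may contain information that is confidential. "
    "It is intended solely for the addressee.",
    "We apologize for any inconvenience caused by the maintenance window.",
    "Lunch at noon on Friday?",
]
SPAM = [
    "Your account is suspended. Verify your password at the link below. "
    "We apologize for any inconvenience.",
    "Cheap watches, best prices, order today",
    "Dear customer, your mailbox quota is full. Click here to upgrade.",
    "You have won the lottery, reply with your bank details",
]

RULE_LINE = re.compile(r"^body\s+(\S+)\s+/(.*)/(i?)$")


class Stats(NamedTuple):
    spam_pct: float
    ham_pct: float
    s_o: Optional[float]  # None when the rule hit nothing at all


def parse_body_rules(cf_text):
    """Map rule name -> compiled regex; spaces inside the slashes are kept."""
    rules = {}
    for line in cf_text.splitlines():
        m = RULE_LINE.match(line.strip())
        if m:
            flags = re.IGNORECASE if m.group(3) else 0
            rules[m.group(1)] = re.compile(m.group(2), flags)
    return rules


def render(text):
    """Fold line breaks and runs of whitespace into single spaces."""
    return " ".join(text.split())


def hit_pct(rx, messages):
    hits = sum(1 for msg in messages if rx.search(render(msg)))
    return 100.0 * hits / len(messages)


def rule_stats(rules, spam, ham):
    stats = {}
    for name, rx in rules.items():
        sp, hp = hit_pct(rx, spam), hit_pct(rx, ham)
        total = sp + hp
        stats[name] = Stats(sp, hp, sp / total if total else None)
    return stats


def worst_performers(stats, max_so=0.5):
    """Rules that hit ham and have S/O <= max_so, worst (lowest S/O) first."""
    bad = [(s.s_o, -s.ham_pct, name) for name, s in stats.items()
           if s.s_o is not None and s.ham_pct > 0 and s.s_o <= max_so]
    return [name for _, _, name in sorted(bad)]


if __name__ == "__main__":
    results = rule_stats(parse_body_rules(RULES_CF), SPAM, HAM)
    print(f"{'SPAM%':>7} {'HAM%':>7} {'S/O':>6}  NAME")
    for name in worst_performers(results):
        s = results[name]
        print(f"{s.spam_pct:7.3f} {s.ham_pct:7.3f} {s.s_o:6.3f}  {name}")
```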
Re: Rule updates?
On 5/22/2014 9:04 AM, Tom Hendrikx wrote: After checking the results of sa-update and doing some manual dns queries, it seems that last rule updates were done more than a month ago. This used to be an almost daily process, even when there were only score changes due to masschecks. Any specific reason for no new updates? Something we can assist with? Hi Tom, The system running the update processing failed catastrophically and backups were insufficient. I've been rebuilding the box as time allows. Regards, KAM
Re: Rule updates?
On 05/22/2014 03:36 PM, Kevin A. McGrail wrote:
> On 5/22/2014 9:04 AM, Tom Hendrikx wrote:
>> After checking the results of sa-update and doing some manual dns queries, it seems that last rule updates were done more than a month ago. This used to be an almost daily process, even when there were only score changes due to masschecks.
>>
>> Any specific reason for no new updates? Something we can assist with?
>
> Hi Tom,
>
> The system running the update processing failed catastrophically and backups were insufficient.

Ah, bugger ;

> I've been rebuilding the box as time allows.

Fair enough :) Thanks for the insight.

Kind regards,
Tom
Re: Rule updates
On Wed, Oct 19, 2011 at 13:51, John Hardin jhar...@impsec.org wrote: On Wed, 19 Oct 2011, dar...@chaosreigns.com wrote: On 10/19, Jim Popovitch wrote: Is the missing entity one person, several people, many people? Was there an untimely death? I believe everyone is now aware that there exists a problem, how to we bridge the gap? My guess is that the only person familiar with the system is the original author of spamassassin, and he doesn't have time to deal with it. There are 12 other people on the Project Management Committee, who I assume could all get sufficient access to the machine(s) running it: http://svn.apache.org/repos/asf/spamassassin/trunk/CREDITS And it seems they are all lacking the time to figure it out. I have access; getting a block of time to focus on figuring out what it's doing, and what it's _supposed_ to be doing, is what I'm having trouble with. I just got a new update. THANKS Now, what can I do to contribute to providing updates? -Jim P.
Re: Rule updates
On Sun, 30 Oct 2011, Jim Popovitch wrote: I just got a new update. THANKS Now, what can I do to contribute to providing updates? Start generating hand-classified spam and ham corpora, set up SVN to keep a local up-to-date snapshot of SA and the rules sandboxes, then start running local masschecks against your corpora and uploading the results. See: http://wiki.apache.org/spamassassin/NightlyMassCheck The SVN sync, masscheck and upload of the results can pretty easily be automated, but keeping your corpora fresh will be an ongoing task. Especially desirable are ham in non-English languages. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- ...the Fates notice those who buy chainsaws... -- www.darwinawards.com --- Tomorrow: Halloween
Re: Rule updates
On 10/5/2011 5:46 PM, Jim Popovitch wrote: On Wed, Oct 5, 2011 at 17:41, RW rwmailli...@googlemail.com wrote: The usual reason for a hiatus is that too much spam or ham has aged-out in the corpora, and a top-up is needed. So, how do we get it top-up'ed? Anyone know if the 'usual reason' is because there are no rule updates since Aug 27? --Robert
Re: Rule updates
On 10/05, Jim Popovitch wrote: On Wed, Oct 5, 2011 at 17:41, RW rwmailli...@googlemail.com wrote: The usual reason for a hiatus is that too much spam or ham has aged-out in the corpora, and a top-up is needed. I think it's more accurate to say the usual reason is that too many people have stopped automatically submitting data via masscheck, and we need more people to submit data. I have a graphical representation of the problem here: http://www.chaosreigns.com/dnswl/tot.svg Green is spam, red is non-spam. They both need to be above the blue line (150,000 emails each) for score generation to run to create the rule updates. Counts as of the last (net) run: Non-spams: 136261 (90.8% of the minimum) Spams: 351950 (234.6% of the minimum) So, how do we get it top-up'ed? You contribute your data: http://wiki.apache.org/spamassassin/NightlyMassCheck The more we have, the more accurately we can calculate optimal rule scores, always. Unfortunately the Project Management Committee has a habit of never responding to requests for masscheck accounts. But the current situation appears to be abnormal. For some reason RuleQA / score generation isn't including data submitted by uploading full emails (normally just rule hit stats are uploaded). There is an open bug about that problem here: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6671 It seems there is nobody with the access, knowledge of the system, and time required to fix the problem. There was supposed to be a SpamAssassin v3.4.0 Release Candidate released 19 days ago, which seems to be primarily held up by this rule update problem. Which nobody is working on. -- Go forth, and be excellent to one another. - http://www.jhuger.com/fredski.php http://www.ChaosReigns.com
Re: Rule updates
On Wed, Oct 19, 2011 at 12:26, dar...@chaosreigns.com wrote: On 10/05, Jim Popovitch wrote: On Wed, Oct 5, 2011 at 17:41, RW rwmailli...@googlemail.com wrote: The usual reason for a hiatus is that too much spam or ham has aged-out in the corpora, and a top-up is needed. I think it's more accurate to say the usual reason is that too many people have stopped automatically submitting data via masscheck, and we need more people to submit data. I have a graphical representation of the problem here: http://www.chaosreigns.com/dnswl/tot.svg Green is spam, red is non-spam. They both need to be above the blue line (150,000 emails each) for score generation to run to create the rule updates. Counts as of the last (net) run: Non-spams: 136261 (90.8% of the minimum) Spams: 351950 (234.6% of the minimum) So, how do we get it top-up'ed? You contribute your data: http://wiki.apache.org/spamassassin/NightlyMassCheck The more we have, the more accurately we can calculate optimal rule scores, always. Unfortunately the Project Management Committee has a habit of never responding to requests for masscheck accounts. But the current situation appears to be abnormal. For some reason RuleQA / score generation isn't including data submitted by uploading full emails (normally just rule hit stats are uploaded). There is an open bug about that problem here: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6671 It seems there is nobody with the access, knowledge of the system, and time required to fix the problem. There was supposed to be a SpamAssassin v3.4.0 Release Candidate released 19 days ago, which seems to be primarily held up by this rule update problem. Which nobody is working on. -- Go forth, and be excellent to one another. - http://www.jhuger.com/fredski.php http://www.ChaosReigns.com Darxus, thanks for the summation of the situation. Is the missing entity one person, several people, many people? Was there an untimely death? 
I believe everyone is now aware that there exists a problem, how do we bridge the gap? Thanks! -Jim P.
Re: Rule updates
On 10/19, Jim Popovitch wrote: Is the missing entity one person, several people, many people? Was there an untimely death? I believe everyone is now aware that there exists a problem, how to we bridge the gap? My guess is that the only person familiar with the system is the original author of spamassassin, and he doesn't have time to deal with it. There are 12 other people on the Project Management Committee, who I assume could all get sufficient access to the machine(s) running it: http://svn.apache.org/repos/asf/spamassassin/trunk/CREDITS And it seems they are all lacking the time to figure it out. SpamAssassin can be pretty frustrating to try to work on. -- Wash daily from nose-tip to tail-tip; drink deeply, but never too deep; And remember the night is for hunting, and forget not the day is for sleep. - The Law of the Jungle, Rudyard Kipling http://www.ChaosReigns.com
Re: Rule updates
On Wed, 19 Oct 2011, dar...@chaosreigns.com wrote: On 10/19, Jim Popovitch wrote: Is the missing entity one person, several people, many people? Was there an untimely death? I believe everyone is now aware that there exists a problem, how to we bridge the gap? My guess is that the only person familiar with the system is the original author of spamassassin, and he doesn't have time to deal with it. There are 12 other people on the Project Management Committee, who I assume could all get sufficient access to the machine(s) running it: http://svn.apache.org/repos/asf/spamassassin/trunk/CREDITS And it seems they are all lacking the time to figure it out. I have access; getting a block of time to focus on figuring out what it's doing, and what it's _supposed_ to be doing, is what I'm having trouble with. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Politicians never accuse you of greed for wanting other people's money, only for wanting to keep your own money.-- Joseph Sobran --- 314 days since the first successful private orbital launch (SpaceX)
Re: Rule updates
On 04-10-2011 15:39, Michael Scheidell wrote:
> what is 'long'?

As you can see from your own example, rules were updated daily until august 26th. Then there hasn't been any updates since. That is 'long' for me.

I can also see that updates are daily for 3.4.0 currently. Does that mean that updates for 3.3.2 (which I am on) has stopped?

> -rw-r--r-- 1 rsync rsync 170211 Oct 4 04:51 1178724.tar.gz -- 3.4.0
> -rw-r--r-- 1 rsync rsync 170211 Oct 3 04:51 1178340.tar.gz
> -rw-r--r-- 1 rsync rsync 170169 Oct 2 04:51 1178152.tar.gz
> -rw-r--r-- 1 rsync rsync 170169 Oct 1 04:51 1177951.tar.gz
> -rw-r--r-- 1 rsync rsync 170166 Sep 30 04:51 1177560.tar.gz
> -rw-r--r-- 1 rsync rsync 236977 Aug 26 23:32 1162027.tar.gz -- 3.3.2
> -rw-r--r-- 1 rsync rsync 236957 Aug 25 23:23 1161446.tar.gz
> -rw-r--r-- 1 rsync rsync 236980 Aug 24 23:22 1161015.tar.gz
> -rw-r--r-- 1 rsync rsync 236920 Aug 23 23:18 1160585.tar.gz
> -rwxr--r-- 1 rsync rsync 237167 Aug 22 23:17 1160145.tar.gz

--
Lars
Re: Rule updates
On 04-10-2011 15:43, Jim Popovitch wrote:
>> what is 'long'?
>
> Since 27-Aug-2011 ?

So, not just me then.

--
Lars
Re: Rule updates
On Wed, 05 Oct 2011 09:50:08 +0200 Lars Jørgensen wrote:
> On 04-10-2011 15:39, Michael Scheidell wrote:
>> what is 'long'?
>
> As you can see from your own example, rules were updated daily until august 26th. Then there hasn't been any updates since. That is 'long' for me.
>
> I can also see that updates are daily for 3.4.0 currently. Does that mean that updates for 3.3.2 (which I am on) has stopped?

I would guess that the normal rules don't apply because 3.4.0 is a development branch.

The usual reason for a hiatus is that too much spam or ham has aged-out in the corpora, and a top-up is needed.
Re: Rule updates
On Wed, Oct 5, 2011 at 17:41, RW rwmailli...@googlemail.com wrote:
> The usual reason for a hiatus is that too much spam or ham has aged-out in the corpora, and a top-up is needed.

So, how do we get it top-up'ed?

-Jim P.
Re: Rule updates
On 10/4/11 3:07 AM, Lars Jørgensen wrote:
> Hi,
>
> Is it me or has it been a long time since there has been an update to the spamassassin ruleset?

what is 'long'?

ls -lt *.tar.gz | grep 'gz$' | head
-rw-r--r-- 1 rsync rsync 170211 Oct 4 04:51 1178724.tar.gz -- 3.4.0
-rw-r--r-- 1 rsync rsync 170211 Oct 3 04:51 1178340.tar.gz
-rw-r--r-- 1 rsync rsync 170169 Oct 2 04:51 1178152.tar.gz
-rw-r--r-- 1 rsync rsync 170169 Oct 1 04:51 1177951.tar.gz
-rw-r--r-- 1 rsync rsync 170166 Sep 30 04:51 1177560.tar.gz
-rw-r--r-- 1 rsync rsync 236977 Aug 26 23:32 1162027.tar.gz -- 3.3.2
-rw-r--r-- 1 rsync rsync 236957 Aug 25 23:23 1161446.tar.gz
-rw-r--r-- 1 rsync rsync 236980 Aug 24 23:22 1161015.tar.gz
-rw-r--r-- 1 rsync rsync 236920 Aug 23 23:18 1160585.tar.gz
-rwxr--r-- 1 rsync rsync 237167 Aug 22 23:17 1160145.tar.gz

--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation
* Best Mobile Solutions Product of 2011
* Best Intrusion Prevention Product
* Hot Company Finalist 2011
* Best Email Security Product
* Certified SNORT Integrator

This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.spammertrap.com/
Re: Rule updates
On Tue, Oct 4, 2011 at 09:39, Michael Scheidell michael.scheid...@secnap.com wrote:
> On 10/4/11 3:07 AM, Lars Jørgensen wrote:
>> Hi,
>>
>> Is it me or has it been a long time since there has been an update to the spamassassin ruleset?
>
> what is 'long'?

Since 27-Aug-2011 ?

$ ll /var/lib/spamassassin/3.003001/updates_spamassassin_org/MIRRORED.BY
-rw-r--r-- 1 root root 225 2011-08-27 21:25 /var/lib/spamassassin/3.003001/updates_spamassassin_org/MIRRORED.BY

~$ dig txt 1.3.3.updates.spamassassin.org
1162027

-Jim P.
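The comparison done by hand in the message above (local state directory versus a `dig txt` lookup) can be scripted to tell "nothing new has been published" apart from "my sa-update runs are failing". This is an added example, not part of the original thread: the function names are hypothetical, and the `# UPDATE version N` first line of the channel `.cf` file is taken from the 2017 message earlier on this page.

```shell
#!/bin/sh
# Added example (not from the thread): is the installed rule set behind the
# version the update channel publishes in DNS? Function names are hypothetical.

# State-directory name -> reversed version label used in the DNS name,
# e.g. 3.003001 -> 1.3.3 (as in 1.3.3.updates.spamassassin.org).
dir_to_dns_label() {
    echo "$1" | awk -F. '{ printf "%d.%d.%d\n", substr($2,4,3), substr($2,1,3), $1 }'
}

# The channel .cf file starts with "# UPDATE version <N>"; print <N>.
installed_version() {
    sed -n '1s/^# UPDATE version \([0-9][0-9]*\)$/\1/p' "$1"
}

# TXT record of the channel. dig +short lists a CNAME target (if any) before
# the TXT data, so keep only the last line and drop the quotes.
published_version() {
    dig +short txt "$1" | tail -n 1 | tr -d '"'
}

# $1 = installed, $2 = published. Prints current, stale or unknown.
rule_status() {
    case "$1" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case "$2" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    if [ "$1" -ge "$2" ]; then echo current; else echo stale; fi
}

# $1 = state directory, e.g. /var/lib/spamassassin/3.003001
check_channel() {
    label=$(dir_to_dns_label "$(basename "$1")")
    inst=$(installed_version "$1/updates_spamassassin_org.cf" 2>/dev/null)
    pub=$(published_version "$label.updates.spamassassin.org")
    echo "installed=${inst:-none} published=${pub:-none}" \
         "status=$(rule_status "$inst" "$pub")"
}

# Run only when a state directory is given on the command line.
if [ "$#" -ge 1 ]; then
    check_channel "$1"
fi
```

A `stale` result means a newer version is published but not installed, which points at a local problem such as permissions or the update key; `current` alongside an old version number means the channel itself has published nothing newer.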
Re: Rule updates
On 04/10/2011 14:39, Michael Scheidell wrote:
> On 10/4/11 3:07 AM, Lars Jørgensen wrote:
>> Hi,
>>
>> Is it me or has it been a long time since there has been an update to the spamassassin ruleset?

Most common reasons for a problem (IME, on FreeBSD)

- Incorrect permissions on directory
- Incorrect permissions on /usr/local/share/spamassassin/sa-update-pubkey.txt
- Incorrect update key

Check these - especially the permissions! Linux is laxer on the defaults.

--
Sent from my Cray XT5
Re: Rule updates
On 6/27/2011 7:03 AM, dar...@chaosreigns.com wrote:
> On 06/27, Lars Jørgensen wrote:
>> I noticed the rules for 3.3.1 were updated during the weekend (don't worry about my workaholism, I noticed this monday morning ^-^). I was preparing to upgrade to 3.3.2, but seeing the updated rules makes me doubt whether the upgrade is necessary.
>
> I expect rule updates to remain compatible throughout the 3.3.x series, so as long as updates are happening for any 3.3.x version, you should get them, and they should work, with 3.3.1 (and 3.3.0, etc.). That *could* change, I suppose, but I don't expect it.
>
> There has been talk of adding a rule to hit all emails for versions no longer being maintained, something like SPAMASSASSIN_OUT_OF_DATE: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6614

3.3.x is the first version that supports rule conditionals, so it is possible that 3.4.x rule updates could refer to plugins that do not exist in 3.3.x, and those sections are safely ignored by 3.3.x.

It seems the intent is to release 3.4 late this year. I heard that the only compat change from 3.3.x to 3.4.x is in the spamc/spamd protocol, so it should theoretically be an easy upgrade. It remains to be seen exactly what is decided for 3.3.x rule updates after 3.3.x is released.

Warren
Re: Rule updates
The rule updates are handled by themselves, but some require certain versions of spamassassin (see /var/lib/spamassassin) or man sa-update

Lars Jørgensen-6 wrote:
> Hi,
>
> I noticed the rules for 3.3.1 were updated during the weekend (don't worry about my workaholism, I noticed this monday morning ^-^). I was preparing to upgrade to 3.3.2, but seeing the updated rules makes me doubt whether the upgrade is necessary.
>
> Was this a one-time effort or will rules be updated frequently for 3.3.1 from now on? Or do I need to move to 3.3.2 to get regular rule updates?
>
> Lars

--
View this message in context: http://old.nabble.com/Rule-updates-tp31935538p31935894.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Rule updates
On 06/27, Lars Jørgensen wrote:
> I noticed the rules for 3.3.1 were updated during the weekend (don't worry about my workaholism, I noticed this monday morning ^-^). I was preparing to upgrade to 3.3.2, but seeing the updated rules makes me doubt whether the upgrade is necessary.

I expect rule updates to remain compatible throughout the 3.3.x series, so as long as updates are happening for any 3.3.x version, you should get them, and they should work, with 3.3.1 (and 3.3.0, etc.). That *could* change, I suppose, but I don't expect it.

There has been talk of adding a rule to hit all emails for versions no longer being maintained, something like SPAMASSASSIN_OUT_OF_DATE: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6614

You just noticed the update because *all* sa-updates (for 3.3.x?) were just re-enabled. They had been intentionally disabled for a while. The post to the dev list that mentioned they were re-enabled was here: http://mail-archives.apache.org/mod_mbox/spamassassin-dev/201106.mbox/%3c4e075f47.8070...@pccc.com%3E

--
You only truly own what you can carry at a dead run.
http://www.ChaosReigns.com
Re: Rule Updates
Patrick wrote:
> I'm a little confused on rule updates. If you are using SA version 3.04 and run sa-update and/or rulesdujour, will the rules be updated only to the 3.0 branch or will they be updated to the most current branch and just fail if there are dependency issues?

rulesdujour: You should not use (pre) 3.0 rules, what damage this does I don't know, (I assume some rules made it in later SA releases?).

hth
MH
Re: Rule Updates
On Tue, Oct 31, 2006 at 11:17:56AM -0500, Patrick wrote:
> I'm a little confused on rule updates. If you are using SA version 3.04 and run sa-update and/or rulesdujour, will the rules be updated only to the 3.0 branch or will they be updated to the most current branch and just fail if there are dependency issues?

3.0 doesn't have support for sa-update, and so there are no updates available for 3.0. You'd have to upgrade to 3.1.x (x0) for sa-update.

--
Randomly Selected Tagline:
Leela: Bender, why are you spending so much time in the bathroom? Are you jacking on in there?
Re: Rule Updates
Matthias Haegele wrote:
> Patrick wrote:
>> I'm a little confused on rule updates. If you are using SA version 3.04 and run sa-update and/or rulesdujour, will the rules be updated only to the 3.0 branch or will they be updated to the most current branch and just fail if there are dependency issues?

In general, RDJ is just a blind update. It will download the file, test it with spamassassin --lint, and if that passes, it will load it.

And as theo pointed out, there is no sa-update that actually works for SA versions older than 3.1.1.

> rulesdujour: You should not use (pre) 3.0 rules, what damage this does I don't know, (I assume some rules made it in later SA releases?).

That or there's a 3.1 version of the ruleset that takes advantage of newer features in the SA code, or some other feature of 3.1 made the set obsolete.

Also of note, with RDJ, don't do Antidrug if you are using SA 3.0.0 or higher. They're included already. (I am the author of antidrug).