Re: Rule updates?

2017-11-06 Thread Bowie Bailey

On 11/6/2017 11:29 AM, Merijn van den Kroonenberg wrote:

>> I saw some messages on the list indicating that rule updates were going
>> to resume starting about a week ago.  I haven't heard anything since and
>> still have not seen any updates.  What is the current status?
>
> It's a work in progress, there was some feedback and some changes which had
> to be made. Any change requires a couple days to propagate through the
> masscheck system.
>
> Hopefully we have a working update system soon, but I would expect still
> at least a week to iron out some final things and probably another round
> of testing before going live.
>
> But all in all it's really going forward now.


No problem.  Since there was no announcement of the delay (that I was 
able to find) and no one else seemed to be mentioning it at all, I just 
wanted to make sure there wasn't some problem on my end preventing the 
updates from coming through.


--
Bowie


Re: Rule updates?

2017-11-06 Thread Merijn van den Kroonenberg
> I saw some messages on the list indicating that rule updates were going
> to resume starting about a week ago.  I haven't heard anything since and
> still have not seen any updates.  What is the current status?

It's a work in progress, there was some feedback and some changes which had
to be made. Any change requires a couple days to propagate through the
masscheck system.

Hopefully we have a working update system soon, but I would expect still
at least a week to iron out some final things and probably another round
of testing before going live.

But all in all it's really going forward now.

>
> --
> Bowie
>




Re: Rule updates working again

2017-06-08 Thread David Jones

On 06/08/2017 05:46 AM, Reindl Harald wrote:

> it worked exactly one time
>
> On 06.06.2017 at 17:29, David Jones wrote:
>> FYI  We have the rule build scripts working for updates via sa-update.
>> Default rule scores are also updating thanks to our masscheckers out
>> there.
>>
>> https://wiki.apache.org/spamassassin/NightlyMassCheck
>
> [root@mail-gw:~]$ cat sa-update.log
> 01-Jun-2017 01:49:07: SpamAssassin: No update available
> 02-Jun-2017 01:15:09: SpamAssassin: No update available
> 03-Jun-2017 01:46:22: SpamAssassin: No update available
> 04-Jun-2017 00:37:18: SpamAssassin: No update available
> 05-Jun-2017 00:03:52: SpamAssassin: No update available
> 06-Jun-2017 00:02:18: SpamAssassin: No update available
> 06-Jun-2017 19:28:42: SpamAssassin: Update processed successfully
> 07-Jun-2017 00:44:05: SpamAssassin: No update available
> 08-Jun-2017 01:29:45: SpamAssassin: No update available


Is it possible that you have something else running sa-update and not 
logging to that sa-update.log?  The time on 06-Jun seems to indicate 
that a special manual run was done out of the normal time period of the 
other log entries.


Run this and see what your 'channel cf' file is:

sa-update -D -v

The first line in that cf file is the SVN version number that was 
installed by sa-update.


head -1 /var/lib/spamassassin/3.004001/updates_spamassassin_org.cf
# UPDATE version 1797895

The current version should be 1797895 for about 14 more hours.

--
Dave


Re: Rule updates are too old - 2016-06-03

2016-06-03 Thread Kim Roar Foldøy Hauge

>>>> If you join, you might relax a bit on rejecting spam, but saving it
>>>> for masschecks. That's what I do... I do reject something, but not
>>>> everything I could.
>>>
>>> That's probably not a good idea if it leads to unrepresentative spam.
>>>
>>> In particular it may lead to botnet related tests being seriously
>>> overscored, causing extra FPs for little benefit to the TP rate. This
>>> seems to be already happening.
>>>
>>> There could be a similar problem with spamtrap spam too. For RBLs and
>>> hashing it's OK to look at everything that goes to the address. SA
>>> QA should only use the spam that would have made it through to SA.
>>
>> That would tend to *under*score those rules for sites that have SA but
>> few or no MTA-time DNSBL checks, wouldn't it?
>>
>> Yes, I know, "proper admin"; but such sites probably do exist - should
>> we punish them by underscoring those rules?
>
> Okay. Now we need a consensus on this subtopic, right? I do not want to
> do harm to the project or users of it.


The spam scores should be tuned for a well-configured server. Mail that 
can be trivially rejected by greylisting, rbl, spf and similar tools isn't 
all that interesting to use as a basis for the scores.


--
Kim Roar Foldøy Hauge
Event:Presse - The Gathering 2016
webmas...@samfunnet.no
Root@HC,HX,JH,LZ,OT,P,VH

Re: Rule updates are too old - 2016-06-03

2016-06-03 Thread Jari Fredriksson
On 3.6.2016 19.21, John Hardin wrote:
> On Fri, 3 Jun 2016, RW wrote:
> 
>> On Fri, 03 Jun 2016 17:54:59 +0300
>> Jari Fredriksson wrote:
>>>
>>> If you join, you might relax a bit on rejecting spam, but saving it
>>> for masschecks. That's what I do... I do reject something, but not
>>> everything I could.
>>
>> That's probably not a good idea if it leads to unrepresentative spam.
>>
>> In particular it may lead to botnet related tests being seriously
>> overscored, causing extra  FPs for little benefit to the TP rate. This
>> seems to be already happening.
>>
>> There could be a similar problem with spamtrap spam too. For RBLs and
>> hashing it's OK to look at everything that goes to the address. SA
>> QA  should only use the spam that would have made it through to SA.
> 
> That would tend to *under*score those rules for sites that have SA but
> few or no MTA-time DNSBL checks, wouldn't it?
> 
> Yes, I know, "proper admin"; but such sites probably do exist - should
> we punish them by underscoring those rules?
> 
> 

Okay. Now we need a consensus on this subtopic, right? I do not want to
do harm to the project or users of it.

-- 
jarif.bit





Re: Rule updates are too old - 2016-06-03

2016-06-03 Thread John Hardin

On Fri, 3 Jun 2016, RW wrote:


> On Fri, 03 Jun 2016 17:54:59 +0300
> Jari Fredriksson wrote:
>
>> If you join, you might relax a bit on rejecting spam, but saving it
>> for masschecks. That's what I do... I do reject something, but not
>> everything I could.
>
> That's probably not a good idea if it leads to unrepresentative spam.
>
> In particular it may lead to botnet related tests being seriously
> overscored, causing extra FPs for little benefit to the TP rate. This
> seems to be already happening.
>
> There could be a similar problem with spamtrap spam too. For RBLs and
> hashing it's OK to look at everything that goes to the address. SA
> QA should only use the spam that would have made it through to SA.


That would tend to *under*score those rules for sites that have SA but few 
or no MTA-time DNSBL checks, wouldn't it?


Yes, I know, "proper admin"; but such sites probably do exist - should we 
punish them by underscoring those rules?



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  There is no better measure of the unthinking contempt of the
  environmentalist movement for civilization than their call to
  turn off the lights and sit in the dark.-- Sultan Knish
---
 3 days until the 72nd anniversary of D-Day


Re: Rule updates are too old - 2016-06-03

2016-06-03 Thread RW
On Fri, 03 Jun 2016 17:54:59 +0300
Jari Fredriksson wrote:


> 
> If you join, you might relax a bit on rejecting spam, but saving it
> for masschecks. That's what I do... I do reject something, but not
> everything I could. 

That's probably not a good idea if it leads to unrepresentative spam.

In particular it may lead to botnet related tests being seriously
overscored, causing extra  FPs for little benefit to the TP rate. This
seems to be already happening.

There could be a similar problem with spamtrap spam too. For RBLs and
hashing it's OK to look at everything that goes to the address. SA
QA  should only use the spam that would have made it through to SA.


Re: Rule updates are too old - 2016-06-03

2016-06-03 Thread Jari Fredriksson


On 3 June 2016 at 16.46.59 GMT+03:00, "Kim Roar Foldøy Hauge" wrote:
>On Fri, 3 Jun 2016, John Hardin wrote:
>
>> On Fri, 3 Jun 2016, dar...@chaosreigns.com wrote:
>>
>>>  20160602:  Spam or ham is below threshold of 150,000:
>>>  http://ruleqa.spamassassin.org/?daterev=20160602
>>>  20160602:  Spam: 589792, Ham: 138721
>>
>> We've been hovering *just* below the ham threshold for a week or so now.
>>
>> Anyone who can contribute to masscheck please get in touch with Kevin
>> McGrail! Non-English ham is especially welcome. Even a little.
>>
>
>I have non-english ham and spam. I sent a mail ages ago about joining the
>masscheck. I don't think I got a reply.
>
>The traffic on the server isn't that high, 2500 connections per day. Most
>of the mail attempts are blocked by spf, rbl and greylisting. SA does
>however catch 5-10 norwegian UCBM per day, mostly thanks to custom rules.
>

If you join, you might relax a bit on rejecting spam, but saving it for
masschecks. That's what I do... I do reject something, but not everything I
could. Quite low volume site, but still I think I do provide a considerable
part of the ham we have in ruleqa.spamassassin.org. Most of that ham is Finnish
bulk, but also personal mails from several persons. I rely heavily on SA
categorization, but DO screen all ham and spam myself.

That said, spam is not so important anyway, as we are not short on that. 
Norwegian spam of course would be really cool!

>>
>> --
>>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>>  jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
>>  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
>> ---
>>   From the Liberty perspective, it doesn't matter if it's a
>>   jackboot or a Birkenstock smashing your face. -- Robb Allen
>> ---
>>  3 days until the 72nd anniversary of D-Day
>>
>>
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Rule updates are too old - 2016-06-03

2016-06-03 Thread Kim Roar Foldøy Hauge

On Fri, 3 Jun 2016, John Hardin wrote:


> On Fri, 3 Jun 2016, dar...@chaosreigns.com wrote:
>
>>  20160602:  Spam or ham is below threshold of 150,000:
>>  http://ruleqa.spamassassin.org/?daterev=20160602
>>  20160602:  Spam: 589792, Ham: 138721
>
> We've been hovering *just* below the ham threshold for a week or so now.
>
> Anyone who can contribute to masscheck please get in touch with Kevin
> McGrail! Non-English ham is especially welcome. Even a little.

I have non-English ham and spam. I sent a mail ages ago about joining the
masscheck. I don't think I got a reply.

The traffic on the server isn't that high, 2500 connections per day. Most
of the mail attempts are blocked by spf, rbl and greylisting. SA does
however catch 5-10 Norwegian UCBM per day, mostly thanks to custom rules.

> --
>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>  jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
>  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>   From the Liberty perspective, it doesn't matter if it's a
>   jackboot or a Birkenstock smashing your face. -- Robb Allen
> ---
>  3 days until the 72nd anniversary of D-Day




--
Kim Roar Foldøy Hauge
Event:Presse - The Gathering 2016
webmas...@samfunnet.no
Root@HC,HX,JH,LZ,OT,P,VH

Re: Rule updates are too old - 2016-06-03

2016-06-03 Thread John Hardin

On Fri, 3 Jun 2016, dar...@chaosreigns.com wrote:


> 20160602:  Spam or ham is below threshold of 150,000:
> http://ruleqa.spamassassin.org/?daterev=20160602
> 20160602:  Spam: 589792, Ham: 138721


We've been hovering *just* below the ham threshold for a week or so now.

Anyone who can contribute to masscheck please get in touch with Kevin 
McGrail! Non-English ham is especially welcome. Even a little.



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  From the Liberty perspective, it doesn't matter if it's a
  jackboot or a Birkenstock smashing your face. -- Robb Allen
---
 3 days until the 72nd anniversary of D-Day


Re: Rule updates are too old - 2016-02-29

2016-02-29 Thread Reindl Harald



On 29.02.2016 at 17:57, John Hardin wrote:

> On Mon, 29 Feb 2016, dar...@chaosreigns.com wrote:
>
>> 20160228:  Spam or ham is below threshold of 150,000:
>> http://ruleqa.spamassassin.org/?daterev=20160228
>> 20160228:  Spam: 108401, Ham: 191807
>
> Masscheck is spam-starved again, rules updates will be spotty or
> nonexistent this week


sounds like 150,000 is too high and should be changed to 150,000

otherwise bad rules with high score like VERY_LONG_REPTO_SHORT_MSG would 
take way too long to get fixed






Re: Rule updates are too old - 2016-02-29

2016-02-29 Thread John Hardin

On Mon, 29 Feb 2016, dar...@chaosreigns.com wrote:


> 20160228:  Spam or ham is below threshold of 150,000:
> http://ruleqa.spamassassin.org/?daterev=20160228
> 20160228:  Spam: 108401, Ham: 191807


Masscheck is spam-starved again, rules updates will be spotty or 
nonexistent this week.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Maxim IX: Never turn your back on an enemy.
---
 13 days until Albert Einstein's 137th Birthday


Re: Rule updates are too old - 2016-01-23

2016-01-23 Thread John Hardin

On Sat, 23 Jan 2016, dar...@chaosreigns.com wrote:


> 20160122:  Spam: 156567, Ham: 200399


Looks like we may get an update...

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Ignorance doesn't make stuff not exist.   -- Bucky Katt
---
 Today: John Moses Browning's 161st Birthday


Re: Rule updates are too old - 2016-01-21

2016-01-21 Thread Axb

On 01/21/2016 05:42 PM, John Hardin wrote:

> On Thu, 21 Jan 2016, dar...@chaosreigns.com wrote:
>
>> 20160120:  Spam or ham is below threshold of 150,000:
>> http://ruleqa.spamassassin.org/?daterev=20160120
>> 20160120:  Spam: 131777, Ham: 142710
>
> Oooo, so close!


My spam levels are extremely low so I've increased my corpus' retention 
time and it's helping.

(till my masschecks are not delivered in the given time window :-)

With a bit of luck on Sat we'll have enough to push rules.




Re: Rule updates are too old - 2016-01-21

2016-01-21 Thread John Hardin

On Thu, 21 Jan 2016, dar...@chaosreigns.com wrote:


> 20160120:  Spam or ham is below threshold of 150,000:
> http://ruleqa.spamassassin.org/?daterev=20160120
> 20160120:  Spam: 131777, Ham: 142710


Oooo, so close!

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Public Education: the bureaucratic process of replacing
  an empty mind with a closed one.  -- Thorax
---
 2 days until John Moses Browning's 161st Birthday


Re: Rule updates are too old - 2016-01-20

2016-01-20 Thread John Hardin

On Wed, 20 Jan 2016, dar...@chaosreigns.com wrote:


> 20160119:  Spam: 123699, Ham: 199560


...almost there...

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Maxim I: Pillage, _then_ burn.
---
 3 days until John Moses Browning's 161st Birthday


SARE RULEGEN, Re: Rule updates....

2015-01-08 Thread Adam Katz
Ran these against my corpus.  Here are the worst performers (lots in
common with RW's complaints):

*SPAM%  HAM%   S/O    NAME*
0.013  0.153  0.080  __RULEGEN_PHISH_BLR6YY
0.006  0.286  0.022  __RULEGEN_PHISH_0ATBRI
0.008  0.334  0.023  __RULEGEN_PHISH_L3I0Z5
0.002  0.300  0.006  __RULEGEN_PHISH_LGYG7Q
0.017  1.387  0.012  __RULEGEN_PHISH_QVS6GE
0.045  2.490  0.018  __RULEGEN_PHISH_UNQ4VP
0.027  2.011  0.013  __RULEGEN_PHISH_B9HL3A

body __RULEGEN_PHISH_UNQ4VP  / may contain information that is /
body __RULEGEN_PHISH_QVS6GE  / or entity to which it is addressed/
body __RULEGEN_PHISH_B9HL3A  /The information contained in this /
body __RULEGEN_PHISH_0ATBRI  / it is addressed\. If you are n/
body __RULEGEN_PHISH_LGYG7Q  / you have received it in error. /
body __RULEGEN_PHISH_BLR6YY  /uthorised and regulated by the /
body __RULEGEN_PHISH_L3I0Z5  / is intended solely for the ..d/

A large number of the FPs come from Paypal and similar services.

Even controlling for those, I haven't found the phishing ruleset useful
at all.  The fraud rules do have limited utility.

What relationship does this have to the 10+ year-old SARE stuff?


On 12/20/2014 03:35 AM, Axb wrote:
> On 12/18/2014 06:27 PM, RW wrote:
>> On Tue, 16 Dec 2014 13:10:05 +0100
>> Axb wrote:
>>
>>> https://sourceforge.net/projects/sare/files/
>>>
>>> replaces any older version.
>>>
>>> leech while it lasts
>>>
>>> adjust scores if needed..
>>
>> There are some rules that shouldn't be there. (I only tested a few that
>> looked the most dubious)
>>
>> The first is a common phrase in mail from UK banks and other financial
>> services companies. Note the ise spelling which is common outside
>> the US.
>>
>> body __RULEGEN_PHISH_BLR6YY  /uthorised and regulated by the /
>>
>> The following are common in legal disclaimer signatures:
>>
>> body __RULEGEN_PHISH_UNQ4VP  / may contain information that is /
>> body __RULEGEN_PHISH_B9HL3A  /The information contained in this /
>> body __RULEGEN_PHISH_C6URDE  / do not necessarily represent those of /
>> body __RULEGEN_PHISH_L3I0Z5  / is intended solely for the ..d/
>>
>> This hits some of my ham:
>>
>> body __RULEGEN_PHISH_SRX3XZ  / apologize for any inconvenience/
>>
>> Unless there's a bug, the fact that those disclaimer phrases got through
>> suggests that these rules are either intended to be very much more
>> aggressive than the SOUGHT rules,  or the ham corpus isn't good enough.
>
> as the rules were generated with donated corpus data, you're more than
> welcome to send me an archive of ham samples to avoid these potential
> issues.










Re: SARE RULEGEN, Re: Rule updates....

2015-01-08 Thread Axb

On 01/09/2015 01:23 AM, Adam Katz wrote:

> Ran these against my corpus.  Here are the worst performers (lots in
> common with RW's complaints):
>
> *SPAM%  HAM%   S/O    NAME*
> 0.013  0.153  0.080  __RULEGEN_PHISH_BLR6YY
> 0.006  0.286  0.022  __RULEGEN_PHISH_0ATBRI
> 0.008  0.334  0.023  __RULEGEN_PHISH_L3I0Z5
> 0.002  0.300  0.006  __RULEGEN_PHISH_LGYG7Q
> 0.017  1.387  0.012  __RULEGEN_PHISH_QVS6GE
> 0.045  2.490  0.018  __RULEGEN_PHISH_UNQ4VP
> 0.027  2.011  0.013  __RULEGEN_PHISH_B9HL3A
>
> body __RULEGEN_PHISH_UNQ4VP  / may contain information that is /
> body __RULEGEN_PHISH_QVS6GE  / or entity to which it is addressed/
> body __RULEGEN_PHISH_B9HL3A  /The information contained in this /
> body __RULEGEN_PHISH_0ATBRI  / it is addressed\. If you are n/
> body __RULEGEN_PHISH_LGYG7Q  / you have received it in error. /
> body __RULEGEN_PHISH_BLR6YY  /uthorised and regulated by the /
> body __RULEGEN_PHISH_L3I0Z5  / is intended solely for the ..d/
>
> A large number of the FPs come from Paypal and similar services.

Agreed, the rules are not close to ideal.
The spam corpus is ancient, the ham corpus is too small.

> Even controlling for those, I haven't found the phishing ruleset useful
> at all.  The fraud rules do have limited utility.

Agreed - blame bad stale data.

> What relationship does this have to the 10+ year-old SARE stuff?


I was part of the SARE group, and saved the rules (for historical 
reasons) to SF before the web site was shutdown for good.


As I don't have the means to set up a SA update channel, putting the 
RULEGEN rules on SF was the only option I had left.
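
An added example, not code from any poster in this thread or from the SpamAssassin project: one way to produce SPAM% / HAM% / S/O figures like those in the table quoted above, for a set of `body` rules run against a hand-classified corpus. The corpus below is constructed, the whitespace collapsing is a simplification of how SpamAssassin renders message bodies, and S/O is taken as SPAM% / (SPAM% + HAM%), an assumption that agrees with the numbers in the quoted table.

```python
import re
from typing import NamedTuple, Optional

# Rule lines copied from the thread (SpamAssassin "body" rule syntax).
RULES_CF = r"""
body __RULEGEN_PHISH_UNQ4VP  / may contain information that is /
body __RULEGEN_PHISH_BLR6YY  /uthorised and regulated by the /
body __RULEGEN_PHISH_LGYG7Q  / you have received it in error. /
body __RULEGEN_PHISH_SRX3XZ  / apologize for any inconvenience/
body __RULEGEN_PHISH_0ATBRI  / it is addressed\. If you are n/
"""

# Constructed, hand-labelled sample corpus (not real mail).
CORPUS = [
    ("spam", "Dear customer, your account is suspended. Verify it today.\n"
             "This message may contain information that is confidential."),
    ("spam", "You won a prize, reply with your details to claim it."),
    ("spam", "Your mailbox is full. We apologize for any inconvenience."),
    ("spam", "Invoice attached, open the document to view the payment."),
    ("ham", "Hi team,\nminutes attached.\n\nThis email may contain\n"
            "information that is privileged."),
    ("ham", "Your statement is ready. Example Bank is authorised and "
            "regulated by the national regulator."),
    ("ham", "Lunch on Friday? If this was misdirected and you have "
            "received it in error, please delete it."),
    ("ham", "Patch looks good, merging tomorrow."),
    ("ham", "See you at the meeting. The attachment may contain "
            "information that is legally privileged."),
]

RULE_LINE = re.compile(r"^body\s+(\S+)\s+/(.*)/([a-z]*)\s*$")


class RuleStats(NamedTuple):
    name: str
    spam_pct: float
    ham_pct: float
    s_o: Optional[float]  # None when the rule hit nothing at all


def parse_body_rules(cf_text):
    """Parse 'body NAME /regex/flags' lines into {name: compiled regex}."""
    rules = {}
    for line in cf_text.splitlines():
        m = RULE_LINE.match(line.strip())
        if m:
            name, pattern, flags = m.groups()
            rules[name] = re.compile(pattern, re.I if "i" in flags else 0)
    return rules


def normalise(body):
    """Collapse line wraps and runs of whitespace to single spaces, so a
    phrase split across lines still matches a rule with literal spaces."""
    return " ".join(body.split())


def evaluate(rules, corpus):
    """Return per-rule hit rates, worst S/O first, no-hit rules last."""
    spam = [normalise(t) for label, t in corpus if label == "spam"]
    ham = [normalise(t) for label, t in corpus if label == "ham"]
    if not spam or not ham:
        raise ValueError("corpus needs both spam and ham messages")
    stats = []
    for name, rx in rules.items():
        spam_pct = 100.0 * sum(1 for t in spam if rx.search(t)) / len(spam)
        ham_pct = 100.0 * sum(1 for t in ham if rx.search(t)) / len(ham)
        total = spam_pct + ham_pct
        stats.append(RuleStats(name, spam_pct, ham_pct,
                               spam_pct / total if total else None))
    stats.sort(key=lambda s: (s.s_o is None, s.s_o or 0.0))
    return stats


def fp_prone(stats, max_s_o=0.5):
    """Names of rules whose hits are mostly ham (S/O below max_s_o)."""
    return [s.name for s in stats if s.s_o is not None and s.s_o < max_s_o]


if __name__ == "__main__":
    results = evaluate(parse_body_rules(RULES_CF), CORPUS)
    print(" SPAM%    HAM%    S/O  NAME")
    for s in results:
        s_o = "  n/a" if s.s_o is None else f"{s.s_o:5.3f}"
        print(f"{s.spam_pct:6.3f}  {s.ham_pct:6.3f}  {s_o}  {s.name}")
    print("FP-prone:", ", ".join(fp_prone(results)))
```

With a corpus this small a single hit moves the percentages by 20 points or more, so the output is only meaningful on a corpus large enough to be representative of the site's mail.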




Re: Rule updates....

2014-12-21 Thread RW
On Sat, 20 Dec 2014 12:35:04 +0100
Axb wrote:

> On 12/18/2014 06:27 PM, RW wrote:
>
>> Unless there's a bug, the fact that those disclaimer phrases got
>> through suggests that these rules are either intended to be very
>> much more aggressive than the SOUGHT rules,  or the ham corpus
>> isn't good enough.
>
> as the rules were generated with donated corpus data, you're more
> than welcome to send me an archive of ham samples to avoid these
> potential issues.

Most of the hits were in mailing list folders, some were in this list.

Most of your rules are sensible, but a minority look like they are
picking-up on text lifted from legitimate mail. Some of these are
still good rules because the text contains mistakes. IIRC Justin Mason
used to check new sought sub-rules manually before releasing them. 


Re: Rule updates....

2014-12-20 Thread Axb

On 12/18/2014 06:27 PM, RW wrote:

> On Tue, 16 Dec 2014 13:10:05 +0100
> Axb wrote:
>
>> https://sourceforge.net/projects/sare/files/
>>
>> replaces any older version.
>>
>> leech while it lasts
>>
>> adjust scores if needed..
>
> There are some rules that shouldn't be there. (I only tested a few that
> looked the most dubious)
>
> The first is a common phrase in mail from UK banks and other financial
> services companies. Note the ise spelling which is common outside
> the US.
>
> body __RULEGEN_PHISH_BLR6YY  /uthorised and regulated by the /
>
> The following are common in legal disclaimer signatures:
>
> body __RULEGEN_PHISH_UNQ4VP  / may contain information that is /
> body __RULEGEN_PHISH_B9HL3A  /The information contained in this /
> body __RULEGEN_PHISH_C6URDE  / do not necessarily represent those of /
> body __RULEGEN_PHISH_L3I0Z5  / is intended solely for the ..d/
>
> This hits some of my ham:
>
> body __RULEGEN_PHISH_SRX3XZ  / apologize for any inconvenience/
>
> Unless there's a bug, the fact that those disclaimer phrases got through
> suggests that these rules are either intended to be very much more
> aggressive than the SOUGHT rules,  or the ham corpus isn't good enough.



as the rules were generated with donated corpus data, you're more than 
welcome to send me an archive of ham samples to avoid these potential 
issues.





Re: Rule updates....

2014-12-18 Thread RW
On Tue, 16 Dec 2014 13:10:05 +0100
Axb wrote:

> https://sourceforge.net/projects/sare/files/
>
> replaces any older version.
>
> leech while it lasts
>
> adjust scores if needed..


There are some rules that shouldn't be there. (I only tested a few that
looked the most dubious)

The first is a common phrase in mail from UK banks and other financial
services companies. Note the ise spelling which is common outside
the US.

body __RULEGEN_PHISH_BLR6YY  /uthorised and regulated by the / 


The following are common in legal disclaimer signatures:

body __RULEGEN_PHISH_UNQ4VP  / may contain information that is /
body __RULEGEN_PHISH_B9HL3A  /The information contained in this /
body __RULEGEN_PHISH_C6URDE  / do not necessarily represent those of /
body __RULEGEN_PHISH_L3I0Z5  / is intended solely for the ..d/


This hits some of my ham:

body __RULEGEN_PHISH_SRX3XZ  / apologize for any inconvenience/


Unless there's a bug, the fact that those disclaimer phrases got through
suggests that these rules are either intended to be very much more
aggressive than the SOUGHT rules,  or the ham corpus isn't good enough.



Re: Rule updates....

2014-12-18 Thread John Hardin

On Thu, 18 Dec 2014, RW wrote:


> Unless there's a bug, the fact that those disclaimer phrases got through
> suggests that these rules are either intended to be very much more
> aggressive than the SOUGHT rules,  or the ham corpus isn't good enough.


Probably the latter.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Bother, said Pooh as he struggled with /etc/sendmail.cf, it never
  does quite what I want. I wish Christopher Robin was here.
   -- Peter da Silva in a.s.r
---
 7 days until Christmas


Re: Rule updates....

2014-12-17 Thread btb

On 2014.12.16 07.10, Axb wrote:

> https://sourceforge.net/projects/sare/files/


thanks for this.  it's particularly timely for us, as we've just 
recently been pretty badly phished.


is there a method which can be used to measure/report on the efficacy of 
these particular rules?


-ben


Re: Rule updates....

2014-12-17 Thread Axb

On 12/17/2014 04:08 PM, btb wrote:

> On 2014.12.16 07.10, Axb wrote:
>
>> https://sourceforge.net/projects/sare/files/
>
> thanks for this.  it's particularly timely for us, as we've just
> recently been pretty badly phished.
>
> is there a method which can be used to measure/report on the efficacy of
> these particular rules?

there's SA stat scripts out there or good old grep/count through your
maillogs.




Re: Rule updates?

2014-05-22 Thread Kevin A. McGrail

On 5/22/2014 9:04 AM, Tom Hendrikx wrote:

> After checking the results of sa-update and doing some manual dns
> queries, it seems that last rule updates were done more than a month
> ago. This used to be an almost daily process, even when there were only
> score changes due to masschecks.
>
> Any specific reason for no new updates? Something we can assist with?


Hi Tom,

The system running the update processing failed catastrophically and 
backups were insufficient.


I've been rebuilding the box as time allows.

Regards,
KAM


Re: Rule updates?

2014-05-22 Thread Tom Hendrikx
On 05/22/2014 03:36 PM, Kevin A. McGrail wrote:
> On 5/22/2014 9:04 AM, Tom Hendrikx wrote:
>> After checking the results of sa-update and doing some manual dns
>> queries, it seems that last rule updates were done more than a month
>> ago. This used to be an almost daily process, even when there were only
>> score changes due to masschecks.
>>
>> Any specific reason for no new updates? Something we can assist with?
>
> Hi Tom,
>
> The system running the update processing failed catastrophically and
> backups were insufficient.

Ah, bugger ;

> I've been rebuilding the box as time allows.

Fair enough :)
Thanks for the insight.

Kind regards,
Tom





Re: Rule updates

2011-10-30 Thread Jim Popovitch
On Wed, Oct 19, 2011 at 13:51, John Hardin jhar...@impsec.org wrote:
> On Wed, 19 Oct 2011, dar...@chaosreigns.com wrote:
>
>> On 10/19, Jim Popovitch wrote:
>>
>>> Is the missing entity one person, several people, many people?  Was
>>> there an untimely death?   I believe everyone is now aware that there
>>> exists a problem, how do we bridge the gap?
>>
>> My guess is that the only person familiar with the system is the original
>> author of spamassassin, and he doesn't have time to deal with it.  There
>> are 12 other people on the Project Management Committee, who I assume could
>> all get sufficient access to the machine(s) running it:
>> http://svn.apache.org/repos/asf/spamassassin/trunk/CREDITS
>> And it seems they are all lacking the time to figure it out.
>
> I have access; getting a block of time to focus on figuring out what it's
> doing, and what it's _supposed_ to be doing, is what I'm having trouble
> with.


I just got a new update.  THANKS

Now, what can I do to contribute to providing updates?

-Jim P.


Re: Rule updates

2011-10-30 Thread John Hardin

On Sun, 30 Oct 2011, Jim Popovitch wrote:


> I just got a new update.  THANKS
>
> Now, what can I do to contribute to providing updates?


Start generating hand-classified spam and ham corpora, set up SVN to keep 
a local up-to-date snapshot of SA and the rules sandboxes, then start 
running local masschecks against your corpora and uploading the results. 
See:


  http://wiki.apache.org/spamassassin/NightlyMassCheck

The SVN sync, masscheck and upload of the results can pretty easily be 
automated, but keeping your corpora fresh will be an ongoing task.


Especially desirable are ham in non-English languages.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...the Fates notice those who buy chainsaws...
  -- www.darwinawards.com
---
 Tomorrow: Halloween


Re: Rule updates

2011-10-19 Thread Robert Fitzpatrick
On 10/5/2011 5:46 PM, Jim Popovitch wrote:
> On Wed, Oct 5, 2011 at 17:41, RW rwmailli...@googlemail.com wrote:
>> The usual reason for a hiatus is that too much spam or ham has aged-out
>> in the corpora, and a top-up is needed.
>
> So, how do we get it top-up'ed?

Anyone know if the 'usual reason' is because there are no rule updates
since Aug 27?

--Robert


Re: Rule updates

2011-10-19 Thread darxus
On 10/05, Jim Popovitch wrote:
> On Wed, Oct 5, 2011 at 17:41, RW rwmailli...@googlemail.com wrote:
>> The usual reason for a hiatus is that too much spam or ham has aged-out
>> in the corpora, and a top-up is needed.

I think it's more accurate to say the usual reason is that too many people
have stopped automatically submitting data via masscheck, and we need
more people to submit data.

I have a graphical representation of the problem here:
http://www.chaosreigns.com/dnswl/tot.svg
Green is spam, red is non-spam.  They both need to be above the blue line
(150,000 emails each) for score generation to run to create the rule updates.
Counts as of the last (net) run:  
Non-spams: 136261  (90.8% of the minimum)
Spams: 351950 (234.6% of the minimum)

> So, how do we get it top-up'ed?

You contribute your data:
http://wiki.apache.org/spamassassin/NightlyMassCheck
The more we have, the more accurately we can calculate optimal rule
scores, always.  Unfortunately the Project Management Committee has a habit
of never responding to requests for masscheck accounts.


But the current situation appears to be abnormal.  For some reason RuleQA
/ score generation isn't including data submitted by uploading full emails
(normally just rule hit stats are uploaded).  

There is an open bug about that problem here:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6671

It seems there is nobody with the access, knowledge of the system,
and time required to fix the problem.

There was supposed to be a SpamAssassin v3.4.0 Release Candidate released
19 days ago, which seems to be primarily held up by this rule update
problem.  Which nobody is working on.

-- 
Go forth, and be excellent to one another. - http://www.jhuger.com/fredski.php
http://www.ChaosReigns.com


Re: Rule updates

2011-10-19 Thread Jim Popovitch
On Wed, Oct 19, 2011 at 12:26,  dar...@chaosreigns.com wrote:
> On 10/05, Jim Popovitch wrote:
>> On Wed, Oct 5, 2011 at 17:41, RW rwmailli...@googlemail.com wrote:
>>> The usual reason for a hiatus is that too much spam or ham has aged-out
>>> in the corpora, and a top-up is needed.
>
> I think it's more accurate to say the usual reason is that too many people
> have stopped automatically submitting data via masscheck, and we need
> more people to submit data.
>
> I have a graphical representation of the problem here:
> http://www.chaosreigns.com/dnswl/tot.svg
> Green is spam, red is non-spam.  They both need to be above the blue line
> (150,000 emails each) for score generation to run to create the rule updates.
> Counts as of the last (net) run:
> Non-spams: 136261  (90.8% of the minimum)
> Spams:     351950 (234.6% of the minimum)
>
>> So, how do we get it top-up'ed?
>
> You contribute your data:
> http://wiki.apache.org/spamassassin/NightlyMassCheck
> The more we have, the more accurately we can calculate optimal rule
> scores, always.  Unfortunately the Project Management Committee has a habit
> of never responding to requests for masscheck accounts.
>
> But the current situation appears to be abnormal.  For some reason RuleQA
> / score generation isn't including data submitted by uploading full emails
> (normally just rule hit stats are uploaded).
>
> There is an open bug about that problem here:
> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6671
>
> It seems there is nobody with the access, knowledge of the system,
> and time required to fix the problem.
>
> There was supposed to be a SpamAssassin v3.4.0 Release Candidate released
> 19 days ago, which seems to be primarily held up by this rule update
> problem.  Which nobody is working on.
>
> --
> Go forth, and be excellent to one another. - http://www.jhuger.com/fredski.php
> http://www.ChaosReigns.com

Darxus, thanks for the summation of the situation.

Is the missing entity one person, several people, many people?  Was
there an untimely death?   I believe everyone is now aware that there
exists a problem; how do we bridge the gap?

Thanks!

-Jim P.


Re: Rule updates

2011-10-19 Thread darxus
On 10/19, Jim Popovitch wrote:
 Is the missing entity one person, several people, many people?  Was
 there an untimely death?   I believe everyone is now aware that there
 exists a problem; how do we bridge the gap?

My guess is that the only person familiar with the system is the original
author of spamassassin, and he doesn't have time to deal with it.  There
are 12 other people on the Project Management Committee, who I assume could
all get sufficient access to the machine(s) running it:
http://svn.apache.org/repos/asf/spamassassin/trunk/CREDITS
And it seems they are all lacking the time to figure it out.

SpamAssassin can be pretty frustrating to try to work on.

-- 
Wash daily from nose-tip to tail-tip; drink deeply, but never too deep;
And remember the night is for hunting, and forget not the day is for sleep.
- The Law of the Jungle, Rudyard Kipling
http://www.ChaosReigns.com


Re: Rule updates

2011-10-19 Thread John Hardin

On Wed, 19 Oct 2011, dar...@chaosreigns.com wrote:


On 10/19, Jim Popovitch wrote:

Is the missing entity one person, several people, many people?  Was
there an untimely death?   I believe everyone is now aware that there
exists a problem; how do we bridge the gap?


My guess is that the only person familiar with the system is the original
author of spamassassin, and he doesn't have time to deal with it.  There
are 12 other people on the Project Management Committee, who I assume could
all get sufficient access to the machine(s) running it:
http://svn.apache.org/repos/asf/spamassassin/trunk/CREDITS
And it seems they are all lacking the time to figure it out.


I have access; getting a block of time to focus on figuring out what it's 
doing, and what it's _supposed_ to be doing, is what I'm having trouble 
with.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Politicians never accuse you of greed for wanting other people's
  money, only for wanting to keep your own money.-- Joseph Sobran
---
 314 days since the first successful private orbital launch (SpaceX)


Re: Rule updates

2011-10-05 Thread Lars Jørgensen

On 04-10-2011 15:39, Michael Scheidell wrote:

what is 'long'?


As you can see from your own example, rules were updated daily until 
August 26th. There haven't been any updates since then. That is 'long' 
for me.


I can also see that updates are daily for 3.4.0 currently. Does that 
mean that updates for 3.3.2 (which I am on) have stopped?



-rw-r--r-- 1 rsync rsync 170211 Oct 4 04:51 1178724.tar.gz -- 3.4.0
-rw-r--r-- 1 rsync rsync 170211 Oct 3 04:51 1178340.tar.gz
-rw-r--r-- 1 rsync rsync 170169 Oct 2 04:51 1178152.tar.gz
-rw-r--r-- 1 rsync rsync 170169 Oct 1 04:51 1177951.tar.gz
-rw-r--r-- 1 rsync rsync 170166 Sep 30 04:51 1177560.tar.gz
-rw-r--r-- 1 rsync rsync 236977 Aug 26 23:32 1162027.tar.gz -- 3.3.2
-rw-r--r-- 1 rsync rsync 236957 Aug 25 23:23 1161446.tar.gz
-rw-r--r-- 1 rsync rsync 236980 Aug 24 23:22 1161015.tar.gz
-rw-r--r-- 1 rsync rsync 236920 Aug 23 23:18 1160585.tar.gz
-rwxr--r-- 1 rsync rsync 237167 Aug 22 23:17 1160145.tar.gz



--
Lars


Re: Rule updates

2011-10-05 Thread Lars Jørgensen

On 04-10-2011 15:43, Jim Popovitch wrote:

what is 'long'?


Since 27-Aug-2011 ?


So, not just me then.


--
Lars


Re: Rule updates

2011-10-05 Thread RW
On Wed, 05 Oct 2011 09:50:08 +0200
Lars Jørgensen wrote:

 On 04-10-2011 15:39, Michael Scheidell wrote:
  what is 'long'?
 
 As you can see from your own example, rules were updated daily until 
 August 26th. There haven't been any updates since then. That is 'long' 
 for me.
 
 I can also see that updates are daily for 3.4.0 currently. Does that 
 mean that updates for 3.3.2 (which I am on) have stopped?

I would guess that the normal rules don't apply because 3.4.0 is a
development branch. The usual reason for a hiatus is that too much spam
or ham has aged-out in the corpora, and a top-up is needed.


Re: Rule updates

2011-10-05 Thread Jim Popovitch
On Wed, Oct 5, 2011 at 17:41, RW rwmailli...@googlemail.com wrote:
 The usual reason for a hiatus is that too much spam or ham has aged-out
 in the corpora, and a top-up is needed.

So, how do we get it top-up'ed?

-Jim P.


Re: Rule updates

2011-10-04 Thread Michael Scheidell

On 10/4/11 3:07 AM, Lars Jørgensen wrote:

Hi,

Is it me or has it been a long time since there has been an update to 
the spamassassin ruleset?




what is 'long'?

ls -lt *.tar.gz | grep 'gz$' | head
-rw-r--r--  1 rsync  rsync  170211 Oct  4 04:51 1178724.tar.gz -- 3.4.0
-rw-r--r--  1 rsync  rsync  170211 Oct  3 04:51 1178340.tar.gz
-rw-r--r--  1 rsync  rsync  170169 Oct  2 04:51 1178152.tar.gz
-rw-r--r--  1 rsync  rsync  170169 Oct  1 04:51 1177951.tar.gz
-rw-r--r--  1 rsync  rsync  170166 Sep 30 04:51 1177560.tar.gz
-rw-r--r--  1 rsync  rsync  236977 Aug 26 23:32 1162027.tar.gz -- 3.3.2
-rw-r--r--  1 rsync  rsync  236957 Aug 25 23:23 1161446.tar.gz
-rw-r--r--  1 rsync  rsync  236980 Aug 24 23:22 1161015.tar.gz
-rw-r--r--  1 rsync  rsync  236920 Aug 23 23:18 1160585.tar.gz
-rwxr--r--  1 rsync  rsync  237167 Aug 22 23:17 1160145.tar.gz


--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation



Re: Rule updates

2011-10-04 Thread Jim Popovitch
On Tue, Oct 4, 2011 at 09:39, Michael Scheidell
michael.scheid...@secnap.com wrote:
 On 10/4/11 3:07 AM, Lars Jørgensen wrote:

 Hi,

 Is it me or has it been a long time since there has been an update to the
 spamassassin ruleset?


 what is 'long'?

Since 27-Aug-2011 ?

$ ll /var/lib/spamassassin/3.003001/updates_spamassassin_org/MIRRORED.BY
-rw-r--r-- 1 root root 225 2011-08-27 21:25
/var/lib/spamassassin/3.003001/updates_spamassassin_org/MIRRORED.BY

~$ dig txt 1.3.3.updates.spamassassin.org
 1162027


-Jim P.
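
The check in the message above (timestamp of the local channel files plus the TXT record for the reversed version number) can be scripted so that stale rules are noticed automatically. This is an added example, not part of the original thread or of SpamAssassin itself; the function names are hypothetical, the sample values are constructed, and it assumes the channel `.cf` file written by sa-update carries a `# UPDATE version N` comment line.

```shell
#!/bin/sh
# Added example: is the installed rule set older than the one published in DNS?

# State-directory name "3.003001" -> "1.3.3.updates.spamassassin.org"
sa_dns_name() {
    printf '%s\n' "$1" | awk -F. '
        $0 !~ /^[0-9]+\.[0-9][0-9][0-9][0-9][0-9][0-9]$/ { exit 1 }
        { printf "%d.%d.%d.updates.spamassassin.org\n",
                 substr($2, 4, 3), substr($2, 1, 3), $1 }'
}

# Version recorded in the channel .cf file. Assumption: the file carries a
# "# UPDATE version N" comment line, as sa-update writes it.
local_update_version() {
    sed -n 's/^# UPDATE version \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Normalise a TXT answer such as "1162027" (dig +short keeps the quotes).
published_version() {
    printf '%s' "$1" | tr -d '" \t\r\n'
}

# Prints current / stale / unknown; exit status 0 / 1 / 2 for cron or monitoring.
# An empty or non-numeric value (failed lookup, missing file) is "unknown",
# never silently "current".
rule_update_status() {
    for v in "$1" "$2"; do
        case $v in ''|*[!0-9]*) echo unknown; return 2 ;; esac
    done
    if [ "$1" -lt "$2" ]; then echo stale; return 1; fi
    echo current
}

# Demo on constructed values; live use would pass
#   "$(published_version "$(dig +short txt "$(sa_dns_name 3.003001)")")"
demo() {
    cf=$(mktemp)
    printf '# UPDATE version 1160145\n' > "$cf"     # constructed file content
    printf '%s: ' "$(sa_dns_name 3.003001)"
    rule_update_status "$(local_update_version "$cf")" \
                       "$(published_version '"1162027"')" || true
    rm -f "$cf"
}
demo
```

Equal versions only show that the local copy matches what is published; they say nothing about whether the project is currently publishing new updates.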


Re: Rule updates

2011-10-04 Thread Frank Leonhardt

On 04/10/2011 14:39, Michael Scheidell wrote:

On 10/4/11 3:07 AM, Lars Jørgensen wrote:

Hi,

Is it me or has it been a long time since there has been an update to 
the spamassassin ruleset?






Most common reasons for a problem (IME, on FreeBSD)

Incorrect permissions on directory
Incorrect permissions on /usr/local/share/spamassassin/sa-update-pubkey.txt
Incorrect update key

Check these - especially the permissions! Linux is laxer on the defaults.

--
--
Sent from my Cray XT5



Re: Rule updates

2011-06-28 Thread Warren Togami Jr.

On 6/27/2011 7:03 AM, dar...@chaosreigns.com wrote:

On 06/27, Lars Jørgensen wrote:

I noticed the rules for 3.3.1 were updated during the weekend (don't worry
about my workaholism, I noticed this Monday morning ^-^). I was preparing
to upgrade to 3.3.2, but seeing the updated rules makes me doubt whether
the upgrade is necessary.


I expect rule updates to remain compatible throughout the 3.3.x series, so
as long as updates are happening for any 3.3.x version, you should get
them, and they should work, with 3.3.1 (and 3.3.0, etc.).

That *could* change, I suppose, but I don't expect it.  There has been talk
of adding a rule to hit all emails for versions no longer being maintained,
something like SPAMASSASSIN_OUT_OF_DATE:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6614


3.3.x is the first version that supports rule conditionals, so it is 
possible that 3.4.x rule updates could refer to plugins that do 
not exist in 3.3.x, and those sections are safely ignored by 3.3.x.


It seems the intent is to release 3.4 late this year.  I heard that the 
only compat change from 3.3.x to 3.4.x is in the spamc/spamd protocol, 
so it should theoretically be an easy upgrade.  It remains to be seen 
exactly what is decided for 3.3.x rule updates after 3.3.x is released.


Warren


Re: Rule updates

2011-06-27 Thread spixx_

The rule updates are handled by themselves, but some require certain versions
of spamassassin (see /var/lib/spamassassin) or man sa-update


Lars Jørgensen-6 wrote:
 
 Hi,
 
 I noticed the rules for 3.3.1 were updated during the weekend (don't worry
 about my workaholism, I noticed this Monday morning ^-^). I was preparing
 to upgrade to 3.3.2, but seeing the updated rules makes me doubt whether
 the upgrade is necessary.
 
 Was this a one-time effort or will rules be updated frequently for 3.3.1
 from now on? Or do I need to move to 3.3.2 to get regular rule updates?
 
 
 Lars
 
 




Re: Rule updates

2011-06-27 Thread darxus
On 06/27, Lars Jørgensen wrote:
I noticed the rules for 3.3.1 were updated during the weekend (don't worry
about my workaholism, I noticed this Monday morning ^-^). I was preparing
to upgrade to 3.3.2, but seeing the updated rules makes me doubt whether
the upgrade is necessary.

I expect rule updates to remain compatible throughout the 3.3.x series, so
as long as updates are happening for any 3.3.x version, you should get
them, and they should work, with 3.3.1 (and 3.3.0, etc.).

That *could* change, I suppose, but I don't expect it.  There has been talk
of adding a rule to hit all emails for versions no longer being maintained,
something like SPAMASSASSIN_OUT_OF_DATE:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6614


You just noticed the update because *all* sa-updates (for 3.3.x?) were just
re-enabled.  They had been intentionally disabled for a while.  The post to
the dev list that mentioned they were re-enabled was here:
http://mail-archives.apache.org/mod_mbox/spamassassin-dev/201106.mbox/%3c4e075f47.8070...@pccc.com%3E

-- 
You only truly own what you can carry at a dead run.
http://www.ChaosReigns.com


Re: Rule Updates

2006-10-31 Thread Matthias Haegele

Patrick wrote:
I'm a little confused on rule updates.  If you are using SA version 3.04 
and run sa-update and/or rulesdujour, will the rules be updated only to 
the 3.0 branch or will they be updated to the most current branch and 
just fail if there are dependency issues?


rulesdujour: You should not use (pre) 3.0 rules; what damage this does I 
don't know (I assume some rules made it into later SA releases?).


hth
MH



Re: Rule Updates

2006-10-31 Thread Theo Van Dinter
On Tue, Oct 31, 2006 at 11:17:56AM -0500, Patrick wrote:
 I'm a little confused on rule updates.  If you are using SA version 3.04 
 and run sa-update and/or rulesdujour, will the rules be updated only to the 
 3.0 branch or will they be updated to the most current branch and just fail 
 if there are dependency issues?

3.0 doesn't have support for sa-update, and so there are no updates available
for 3.0.  You'd have to upgrade to 3.1.x (x>0) for sa-update.

-- 
Randomly Selected Tagline:
Leela: Bender, why are you spending so much time in the bathroom? Are 
  you jacking on in there?




Re: Rule Updates

2006-10-31 Thread Matt Kettler
Matthias Haegele wrote:
 Patrick wrote:
 I'm a little confused on rule updates.  If you are using SA version
 3.04 and run sa-update and/or rulesdujour, will the rules be updated
 only to the 3.0 branch or will they be updated to the most current
 branch and just fail if there are dependency issues?


In general, RDJ is just a blind update. It will download the file, test
it with spamassassin --lint, and if that passes, it will load it.

And as Theo pointed out, there is no sa-update that actually works for
SA versions older than 3.1.1.

 rulesdujour: You should not use (pre) 3.0 rules; what damage this does
 I don't know (I assume some rules made it into later SA releases?).

That or there's a 3.1 version of the ruleset that takes advantage of
newer features in the SA code, or some other feature of 3.1 made the set
obsolete.

Also of note, with RDJ, don't do Antidrug if you are using SA 3.0.0 or
higher. They're included already. (I am the author of antidrug).