On Thu, 2011-06-23 at 11:16 -0700, Adam Katz wrote:

> On 06/22/2011 05:42 PM, Noel Butler wrote:
> > Resurrecting an old thread but....
> > Lately I see a lot of false hits on FSL_RU_URL
> > The only place in the email where .ru is, is in envelope-from, from,
> > and the received headers, this is supposed to be
> > from   72_active.cf:uri    FSL_RU_URL      /[^\/]+\.ru(?:$|\/|\?)/i
> > 
> > (those also on the c-nsp list may also be seeing the same?)
> > This only started recently.
> 
> Full rule, originating from rulesrc/sandbox/maddoc/99_fsl_testing.cf
> 
> uri      FSL_RU_URL      /[^\/]+\.ru(?:$|\/|\?)/i
> tflags   FSL_RU_URL      nopublish
> score    FSL_RU_URL      0.01
> 
> I see several problems here.
> 
> Chiefly, it's marked "nopublish" but is in some(?) copies of
> 72_active.cf (not trunk, and the rule is completely absent from the
> current 3.3 and 3.2 svn branches) ... is this out of sync?  IIRC, we
> fixed this problem a while ago, so perhaps Noel's system isn't properly
> using sa-update, it hasn't propagated yet, or he's doing something fishy.
> 


Hrmm, sa-update reports no new updates, last touch date was March 25

Jun 24 10:21:24.410 [30018] dbg: dns: 1.3.3.updates.spamassassin.org => 1083704, parsed as 1083704
Jun 24 10:21:24.410 [30018] dbg: channel: current version is 1083704, new version is 1083704, skipping channel

Nothing new to give me....
I've seen Warren's post about 3.3.2, so I'll be upgrading when our CPAN
mirror offers it.
I've amended its score for the time being to be very low so it can't wrongly
influence.



> As Ned answered, we need more information.  Specifically, tell us about
> your setup; what version (and package) of SpamAssassin are you using,
> tell us about your sa-update configuration, any hacks, etc.
> 


I use current versions from CPAN, I do not use distro-supplied versions
of any key daemon, even though Slackware
is pretty current in most of them, it often isn't built the way I need
(e.g. MySQL etc.)

This occurs on each server, but I duplicate things so if one's wrong,
the lot would be. I run it in a nightly cron as:
/usr/bin/sa-update --channelfile /etc/mail/spamassassin/SAU-channel-list.txt   (2 X gpg keys options removed)

The /etc/mail/spamassassin/SAU-channel-list.txt file contains in this
order:
updates.spamassassin.org
sought.rules.yerp.org
99_FVGT_Tripwire.cf.sare.sa-update.dostech.net

Nothing too fancy as you see, although we do have a few local rules
files, none of them have FSL in it.

Whilst we're on that, I do have a few from years gone by, do you know
offhand if these are no longer needed?
postcards.cf rateware.cf 70_tt_drugs.cf 99_anonwhois.cf, the others I
use give us hits, but it's rare that those
do.


> Since FSL_RU_URL is so broad that it will match any link to any .ru
> domain, we don't really need to see an example (unless you're confident
> you have an example which lacks an actual .ru link ... this is a bug if
> that's triggering on one of the headers you're mentioning).
> 

That's what prompted me to ask, it is very broad.


Cheers
Noel
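
How broad the quoted FSL_RU_URL pattern is can be checked directly. The following is an added example, not part of the thread and not SpamAssassin code: it applies the regex from the rule with Python's `re` (not SpamAssassin's own URI extraction) to constructed URIs and compares each verdict with the URI's actual host. The names `host_is_ru`, `classify`, `summarize` and the sample URIs are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Pattern copied from the FSL_RU_URL rule quoted in the thread (/i flag).
FSL_RU_URL = re.compile(r"[^\/]+\.ru(?:$|\/|\?)", re.IGNORECASE)


def host_is_ru(uri):
    """True when the URI's host part is under the .ru TLD."""
    host = urlsplit(uri).hostname or ""
    return host.endswith(".ru")


def classify(uri):
    """Compare the rule's verdict with where the URI actually points."""
    hit = FSL_RU_URL.search(uri) is not None
    ru = host_is_ru(uri)
    if hit and ru:
        return "hit"
    if hit:
        return "false-positive"  # rule fires, host is not .ru
    return "miss" if ru else "clean"  # miss: .ru host, rule silent


def summarize(uris):
    """Count verdicts over a list of URIs."""
    return Counter(classify(u) for u in uris)


# Constructed sample URIs (not taken from any real message).
SAMPLES = [
    "http://example.ru",
    "http://example.ru/page?id=1",
    "HTTP://EXAMPLE.RU?x=1",
    "http://example.com/report.ru",       # path segment ends in .ru
    "http://example.com/a?next=shop.ru",  # query value ends in .ru
    "http://example.ru:8080/login",       # port follows the TLD
    "http://example.ru#top",              # fragment follows the TLD
    "http://example.com/index.html",
    "http://example.run/",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{classify(uri):15} {uri}")
    print(dict(summarize(SAMPLES)))
```

The false positives come from the pattern not being anchored to the host part of the URI; the misses come from the terminator set (`$`, `/`, `?`) not including `:` or `#`.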
