On 06/23/2011 05:48 PM, Noel Butler wrote:
> Hrmm sa-update reports no new updates, last touch date was March 25
>
> Jun 24 10:21:24.410 [30018] dbg: dns: 1.3.3.updates.spamassassin.org =>
> 1083704, parsed as 1083704
> Jun 24 10:21:24.410 [30018] dbg: channel: current version is 1083704,
> new version is 1083704, skipping channel

Whoa, not sure how I missed that;

% host -ttxt 1.3.3.updates.spamassassin.org.
1.3.3.updates.spamassassin.org descriptive text "1083704"
% host -ttxt mirrors.updates.spamassassin.org.
mirrors.updates.spamassassin.org descriptive text "http://spamassassin.apache.org/updates/MIRRORED.BY"
% wget -qq -O - http://spamassassin.apache.org/updates/MIRRORED.BY
# test mirror: zone, cached via Coral
#http://buildbot.spamassassin.org.nyud.net:8090/updatestage/
http://daryl.dostech.ca/sa-update/asf/ weight=5
http://www.sa-update.pccc.com/ weight=5
% wget -qq http://daryl.dostech.ca/sa-update/asf/1083704.tar.gz
% tar -zxf 1083704.tar.gz
% grep FSL_RU_URL *cf
72_active.cf:##{ FSL_RU_URL
72_active.cf:uri FSL_RU_URL /[^\/]+\.ru(?:$|\/|\?)/i
72_active.cf:#score FSL_RU_URL 0.01
72_active.cf:##} FSL_RU_URL
72_scores.cf:score FSL_RU_URL 3.499 2.271 3.499 2.271

We'll need to fix that.

> I do have a few from years gone by, do you know off hand if these are
> no longer needed postcards.cf rateware.cf 70_tt_drugs.cf
> 99_anonwhois.cf, the others I use give us hits, but it's rare that
> those do.

ratware (different from rateware?) and tt_drugs should be wholly
obsoleted by existing rules. John Hardin wrote postcards.cf (which I
had never seen before), so since he's on this list, he can comment on
that (were those ever in svn?).

I ran across the AnonWhois stuff (which is owned by Spam-Eating Monkey,
whose DNSBL has had issues in the past) a while ago and forgot about it
... looks like it's maintained (last updated 2011-01-17), but it lacks
an sa-update channel (so like Malware Patrol, you have to grab it
yourself). Note that all the rules are scored 0.001 (as they should
be!), so unless you're building rules from these, they are useless to
you and will waste bandwidth. By the way they implement things, a lot
of bandwidth (100 lookups per link per email; you just wasted 600
lookups on this message alone!). Bottom line: delete this file.

>> Since FSL_RU_URL is so broad that it will match any link to any .ru
>> domain, we don't really need to see an example (unless you're confident
>> you have an example which lacks an actual .ru link ... this is a bug if
>> that's triggering on one of the headers you're mentioning).
>>
> That's what prompted me to ask, it is very broad.

Pastebin an example or two and link us to them.
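
Added illustration, not part of the original message and not SpamAssassin code: the Python below runs the FSL_RU_URL pattern shown in the grep output over constructed URIs and compares it with a hostname-only check, showing which links the rule hits even though the host is not under .ru. The host_is_ru helper and the example.* URIs are assumptions made for this example; Python's re stands in for Perl's regex engine, which behaves the same for this pattern.

```python
import re
from urllib.parse import urlsplit

# Pattern copied from the 72_active.cf line in the grep output above.
FSL_RU_URL = re.compile(r"[^\/]+\.ru(?:$|\/|\?)", re.I)


def rule_hits(uri):
    """True if the rule's regex matches anywhere in the URI string."""
    return FSL_RU_URL.search(uri) is not None


def host_is_ru(uri):
    """Hypothetical tighter check: only the hostname's TLD counts."""
    host = urlsplit(uri if "://" in uri else "//" + uri).hostname or ""
    return host.lower().rstrip(".").endswith(".ru")


# Constructed sample URIs (example.* names are placeholders).
SAMPLES = [
    "http://example.ru/",                      # .ru host, trailing slash
    "http://shop.example.ru?id=1",             # .ru host, query string
    "http://example.com/files/report.ru",      # .ru only at end of path
    "http://example.com/page?next=guide.ru/",  # .ru only inside query
    "http://example.com/about.rules",          # ".ru" followed by a letter
    "http://example.rus/",                     # different TLD
]


def classify(uris):
    """Return (uri, rule_hit, host_is_ru) for each URI."""
    return [(u, rule_hits(u), host_is_ru(u)) for u in uris]


def path_only_hits(uris):
    """URIs the rule matches although the host is not under .ru."""
    return [u for u, hit, ru in classify(uris) if hit and not ru]


if __name__ == "__main__":
    for uri, hit, ru in classify(SAMPLES):
        print(f"{uri:45} rule={hit!s:5} ru_host={ru}")
```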