What happened to SpamAssassin?

For the last few weeks, sa-update says "channel: no 'mirrors.updates.spamassassin.org' record found, channel failed", presumably because neither that nor updates.spamassassin.org resolve.

Also apparently all the SARE rulesets are gone?

Previously, previously, previously, previously.

Tags: , , , ,

25 Responses:

  1. Mark Beeson says:

    Update your version of SA, then run sa-update --refreshmirrors -D

    That should update your mirrors list and let sa-update rerun.

    Don't use SARE, they're all horrendously out of date. For a cheap and easy way to block a huge amount of spam, use the zen.spamhaus.org DNSBL and the URIBL, that'll get you at least 90%.

    • jwz says:

      I updated with "cpan -f -i Mail::SpamAssassin" (seems to be 3.4.1) but "sa-update --refreshmirrors -D" still says "no mirrors.updates.spamassassin.org".

      • Mark Beeson says:

        What does "sa-update -vvvv -D" show?

        This is the file you're trying to get sa-update to download. https://spamassassin.apache.org/updates/MIRRORED.BY

        • jwz says:

          Lotsa junk... I also tried putting spamassassin.apache.org and updates.spamassassin.apache.org in /etc/mail/spamassassin/channels.txt, no change.

          sa-update -vvvv -D
          Dec 13 11:42:01.142 [14344] dbg: logger: adding facilities: all
          Dec 13 11:42:01.143 [14344] dbg: logger: logging level is DBG
          Dec 13 11:42:01.143 [14344] dbg: generic: SpamAssassin version 3.4.1
          Dec 13 11:42:01.143 [14344] dbg: generic: Perl 5.010001, PREFIX=/usr/local, DEF_RULES_DIR=/usr/local/share/spamassassin, LOCAL_RULES_DIR=/etc/mail/spamassassin, LOCAL_STATE_DIR=/var/lib/spamassassin
          Dec 13 11:42:01.143 [14344] dbg: config: timing enabled
          Dec 13 11:42:01.146 [14344] dbg: config: score set 0 chosen.
          Dec 13 11:42:01.151 [14344] dbg: generic: sa-update version svn1652181
          Dec 13 11:42:01.151 [14344] dbg: generic: using update directory: /var/lib/spamassassin/3.004001
          Dec 13 11:42:01.240 [14344] dbg: diag: perl platform: 5.010001 linux
          Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: Digest::SHA1, version 2.13
          Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: HTML::Parser, version 3.72
          Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: Net::DNS, version 1.11
          Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: NetAddr::IP, version 4.079
          Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: Time::HiRes, version 1.9742
          Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: Archive::Tar, version 2.26
          Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: IO::Zlib, version 1.10
          Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: Digest::SHA1, version 2.13
          Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: MIME::Base64, version 3.08
          Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: DB_File, version 1.82
          Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: Net::SMTP, version 3.10
          Dec 13 11:42:01.240 [14344] dbg: diag: [...] module not installed: Mail::SPF ('require' failed)
          Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: Geo::IP, version 1.50
          Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: Net::CIDR::Lite, version 0.21
          Dec 13 11:42:01.240 [14344] dbg: diag: [...] module not installed: Razor2::Client::Agent ('require' failed)
          Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: IO::Socket::IP, version 0.39
          Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: IO::Socket::INET6, version 2.72
          Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: IO::Socket::SSL, version 2.049
          Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: Compress::Zlib, version 2.074
          Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: Mail::DKIM, version 0.41
          Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: DBI, version 1.636
          Dec 13 11:42:01.241 [14344] dbg: diag: [...] module installed: Getopt::Long, version 2.38
          Dec 13 11:42:01.241 [14344] dbg: diag: [...] module installed: LWP::UserAgent, version 6.26
          Dec 13 11:42:01.241 [14344] dbg: diag: [...] module installed: HTTP::Date, version 6.02
          Dec 13 11:42:01.241 [14344] dbg: diag: [...] module installed: Encode::Detect::Detector, version 1.01
          Dec 13 11:42:01.241 [14344] dbg: diag: [...] module installed: Net::Patricia, version 1.22
          Dec 13 11:42:01.241 [14344] dbg: diag: [...] module installed: Net::DNS::Nameserver, version 1558
          Dec 13 11:42:01.242 [14344] dbg: gpg: Searching for 'gpg'
          Dec 13 11:42:01.242 [14344] dbg: util: current PATH is: /usr/local/bin:/opt/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
          Dec 13 11:42:01.242 [14344] dbg: util: executable for gpg was found at /usr/bin/gpg
          Dec 13 11:42:01.242 [14344] dbg: gpg: found /usr/bin/gpg
          Dec 13 11:42:01.242 [14344] dbg: gpg: release trusted key id list: 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45 0C2B1D7175B852C64B3CDC716C55397824F434CE
          Dec 13 11:42:01.243 [14344] dbg: util: secure_tmpfile created a temporary file /tmp/.spamassassin14344HZiEeetmp
          Dec 13 11:42:01.243 [14344] dbg: channel: attempting channel updates.spamassassin.org
          Dec 13 11:42:01.243 [14344] dbg: channel: using existing directory /var/lib/spamassassin/3.004001/updates_spamassassin_org
          Dec 13 11:42:01.243 [14344] dbg: channel: channel cf file /var/lib/spamassassin/3.004001/updates_spamassassin_org.cf
          Dec 13 11:42:01.243 [14344] dbg: channel: channel pre file /var/lib/spamassassin/3.004001/updates_spamassassin_org.pre
          Dec 13 11:42:01.243 [14344] dbg: channel: metadata version = 1799552, from file /var/lib/spamassassin/3.004001/updates_spamassassin_org.cf
          Dec 13 11:42:01.255 [14344] dbg: dns: query failed: 1.4.3.updates.spamassassin.org => REFUSED
          DNS TXT query 1.4.3.updates.spamassassin.org failed: REFUSED
          Dec 13 11:42:01.263 [14344] dbg: dns: query failed: mirrors.updates.spamassassin.org => REFUSED
          DNS TXT query mirrors.updates.spamassassin.org failed: REFUSED
          channel: no 'mirrors.updates.spamassassin.org' record found, channel failed
          Dec 13 11:42:01.263 [14344] dbg: diag: updates complete, exiting with code 4
          Update failed, exiting with code 4

          • Mark Beeson says:

            There's the problem:

            Dec 13 11:42:01.255 [14344] dbg: dns: query failed: 1.4.3.updates.spamassassin.org => REFUSED
            DNS TXT query 1.4.3.updates.spamassassin.org failed: REFUSED

            DNS server is refusing your query. Someone's getting DDOS'ed, is my guess.

            Here's the result:

            nslookup -type=TXT 1.4.3.updates.spamassassin.org
            Server: 172.30.4.9
            Address: 172.30.4.9#53

            Non-authoritative answer:
            1.4.3.updates.spamassassin.org canonical name = 3.3.3.updates.spamassassin.org.
            3.3.3.updates.spamassassin.org text = "1817982"

            Authoritative answers can be found from:
            spamassassin.org nameserver = c.auth-ns.sonic.net.
            spamassassin.org nameserver = b.auth-ns.sonic.net.
            spamassassin.org nameserver = ns2.ena.com.
            spamassassin.org nameserver = a.auth-ns.sonic.net.
            spamassassin.org nameserver = ns2.pccc.com.
            c.auth-ns.sonic.net internet address = 147.75.64.146
            ns2.ena.com internet address = 96.5.0.35
            b.auth-ns.sonic.net internet address = 184.173.92.18
            ns2.pccc.com internet address = 69.171.29.37
            a.auth-ns.sonic.net internet address = 184.23.168.53

            • jwz says:

              It's been this way for weeks, though, and I've got the nightly cron mail proving it. Are updates working for you? For anybody?

              • Paul Rain says:

                I recently installed and am not having problems.

                Will check where my install is trying to retrieve updates from later. Had similar issue in past- deleted the mirrored.by file under the var tree for SA.

              • Mark Beeson says:

                Updates are working well for me-- the first line of updates_spamassassin_org.cf is this:

                # UPDATE version 1817982

                ...which matches the TXT record from above.

                Maybe change the time your cron runs? Put in a random sleep? I wonder if your box is getting denied by one of those machines just because of how that round-robin DNS is turning out for you.

                • jwz says:

                  Maybe change the time your cron runs?

                  Well it's failing right now and 100% of the times I have tried manually. So that's not gonna do it.

                  • David says:

                    What is your DNS setup? Do you use dnsmasq or something similar?

                    What does

                    dig mirrors.updates.spamassassin.org txt +short
                    dig 0.4.3.updates.spamassassin.org txt +short

                    say?

                  • jwz says:

                    I'm not doing anything funny, as far as I know. resolv.conf uses my ISP's server, 209.237.230.11, ns1.unitedlayer.com. Both of those dig commands produce no output. However, "host -t any mirrors.updates.spamassassin.org" says mirrors.updates.spamassassin.org descriptive text "http://spamassassin.apache.org/updates/MIRRORED.BY"

  2. Jacob White says:

    Could your public ip be on a block list somewhere?

    • jwz says:

      Your guess is as good as mine. My web sites and mail server, on the same IP, appear to be functioning just fine, however.

    • jwz says:

      And if by this you are saying "I am able to download updates from mirrors.updates.spamassassin.org just fine" I'd sure like to see a log of that.

      • David says:

        I can't reply to the above for some reason.

        I've not idea why 'dig' does not work but 'host' does. Anyway, try to change temporarily to another DNS, like Google's 8.8.8.8.

        It is normal for the spamassassin update domains to not have an A record, since they work with CNAME and TXT. So the command

        host -t cname 1.4.3.updates.spamassassin.org

        should produce "1.4.3.updates.spamassassin.org is an alias for 3.3.3.updates.spamassassin.org". And

        host -t txt 1.4.3.updates.spamassassin.org

        should give you the same 'alias' message as well as "1817982" for the TXT record, which is the current timestamp of the ruleset.

        • jwz says:

          Oh, FFS.

          Ok, so without changing resolv.conf, those commands give me the output you said I should get.

          But when I change resolv.conf to be 8.8.8.8, now sa-update works. Yay?

          But now I still need to figure out what is wrong with my ISP's DNS, because I kinda need to use that for other reasons, so I need the words to explain to them how they have fucked it up. Any suggestions?

          • David says:

            Erm... that's very weird and I have a hard time coming up with some technobabble that would explain this. Normally I'd say they have some stale cache, because wrong cache invalidation can explain anything. But since your DNS query in the above log is clearly REFUSED, my best guess is that they somehow rate-limited you (spamassassin does a lot of DNS queries, especially if you get a lot of mail, which I guess you do).

            • John Bigboote says:

              jwz's old skyewl and probably still has hostname lookups turned on in his httpd.conf, and is just murderfying his DNS server.

          • Matt B says:

            Can you run a local caching DNS server on that box? You'll still have to fix the ISP issue, but if its because of rate limiting, running it locally will stop that in the future.

      • Jacob White says:

        I meant is your ip blacklisted on spamhaus or wherever.

  3. KJ says:

    My updates don't appear to be pulling from mirrors.updates.spamassassin.org. If you otherwise have the correct (just old) files for updating, maybe dropping in the new file from https://spamassassin.apache.org/updates/MIRRORED.BY will work. That file matches my current installation which is updating and working, and which is not a new install.

  4. Zygo says:

    Right now, from a number of hosts in different places:


    $ host -t any mirrors.updates.spamassassin.org
    mirrors.updates.spamassassin.org descriptive text "http://spamassassin.apache.org/updates/MIRRORED.BY"

    That seems...insufficient.

    • David says:

      No, that's fine. All these spamassassin.org subdomains usually do not have an A PTR record. When you don't have an IP, you cannot get DDOSed. All you get there is the current version number of the ruleset and the URL for the mirror file as TXT records.

  5. Perry Metzger says:

    A general point on DNS management: I find that running my own DNS servers on my boxes rather than using someone else's is not a significant administrative load (it's pretty much "spend ten minutes once and it's over") and makes debugging weird stuff much easier (and often prevents weird things from happening in the first place). We live in an era where provider DNS servers are often "helpfully" "tweaked" in various ways that are not helpful. If you've running your own instance of bind locally, that's one less thing to have to think about, one less opaque service that might be the cause of various problems.

    • margaret says:

      Agree. I use Pi-hole on an old RPi and never had any issues. If I must have something I've black-holed I temporarily point the client at 8.8.8.8.

      Bonus, install with JWZ's favorite method:
      curl -sSL https://install.pi-hole.net | bash

Leave a Reply

Your email address will not be published. But if you provide a fake email address, I will likely assume that you are a troll, and not publish your comment.

You may use these HTML tags and attributes: <a href="" title=""> <b> <blockquote cite=""> <code> <em> <i> <s> <strike> <strong> <img src="" width="" height="" style=""> <iframe src="" class=""> <video src="" class="" controls="" loop="" muted="" autoplay="" playsinline=""> <div class=""> <blink> <tt> <u>, or *italics*.