Also apparently all the SARE rulesets are gone?
What happened to SpamAssassin?
For the last few weeks, sa-update says "channel: no 'mirrors.updates.spamassassin.org' record found, channel failed", presumably because neither that nor updates.spamassassin.org resolve.
Tags: computers, firstperson, lazyweb, linux, spam
25 Responses:
Update your version of SA, then run sa-update --refreshmirrors -D
That should update your mirrors list and let sa-update rerun.
Don't use SARE, they're all horrendously out of date. For a cheap and easy way to block a huge amount of spam, use the zen.spamhaus.org DNSBL and the URIBL, that'll get you at least 90%.
I updated with "cpan -f -i Mail::SpamAssassin" (seems to be 3.4.1) but "sa-update --refreshmirrors -D" still says "no mirrors.updates.spamassassin.org".
What does "sa-update -vvvv -D" show?
This is the file you're trying to get sa-update to download. https://spamassassin.apache.org/updates/MIRRORED.BY
Lotsa junk... I also tried putting spamassassin.apache.org and updates.spamassassin.apache.org in /etc/mail/spamassassin/channels.txt, no change.
sa-update -vvvv -D
Dec 13 11:42:01.142 [14344] dbg: logger: adding facilities: all
Dec 13 11:42:01.143 [14344] dbg: logger: logging level is DBG
Dec 13 11:42:01.143 [14344] dbg: generic: SpamAssassin version 3.4.1
Dec 13 11:42:01.143 [14344] dbg: generic: Perl 5.010001, PREFIX=/usr/local, DEF_RULES_DIR=/usr/local/share/spamassassin, LOCAL_RULES_DIR=/etc/mail/spamassassin, LOCAL_STATE_DIR=/var/lib/spamassassin
Dec 13 11:42:01.143 [14344] dbg: config: timing enabled
Dec 13 11:42:01.146 [14344] dbg: config: score set 0 chosen.
Dec 13 11:42:01.151 [14344] dbg: generic: sa-update version svn1652181
Dec 13 11:42:01.151 [14344] dbg: generic: using update directory: /var/lib/spamassassin/3.004001
Dec 13 11:42:01.240 [14344] dbg: diag: perl platform: 5.010001 linux
Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: Digest::SHA1, version 2.13
Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: HTML::Parser, version 3.72
Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: Net::DNS, version 1.11
Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: NetAddr::IP, version 4.079
Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: Time::HiRes, version 1.9742
Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: Archive::Tar, version 2.26
Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: IO::Zlib, version 1.10
Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: Digest::SHA1, version 2.13
Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: MIME::Base64, version 3.08
Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: DB_File, version 1.82
Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: Net::SMTP, version 3.10
Dec 13 11:42:01.240 [14344] dbg: diag: [...] module not installed: Mail::SPF ('require' failed)
Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: Geo::IP, version 1.50
Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: Net::CIDR::Lite, version 0.21
Dec 13 11:42:01.240 [14344] dbg: diag: [...] module not installed: Razor2::Client::Agent ('require' failed)
Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: IO::Socket::IP, version 0.39
Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: IO::Socket::INET6, version 2.72
Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: IO::Socket::SSL, version 2.049
Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: Compress::Zlib, version 2.074
Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: Mail::DKIM, version 0.41
Dec 13 11:42:01.240 [14344] dbg: diag: [...] module installed: DBI, version 1.636
Dec 13 11:42:01.241 [14344] dbg: diag: [...] module installed: Getopt::Long, version 2.38
Dec 13 11:42:01.241 [14344] dbg: diag: [...] module installed: LWP::UserAgent, version 6.26
Dec 13 11:42:01.241 [14344] dbg: diag: [...] module installed: HTTP::Date, version 6.02
Dec 13 11:42:01.241 [14344] dbg: diag: [...] module installed: Encode::Detect::Detector, version 1.01
Dec 13 11:42:01.241 [14344] dbg: diag: [...] module installed: Net::Patricia, version 1.22
Dec 13 11:42:01.241 [14344] dbg: diag: [...] module installed: Net::DNS::Nameserver, version 1558
Dec 13 11:42:01.242 [14344] dbg: gpg: Searching for 'gpg'
Dec 13 11:42:01.242 [14344] dbg: util: current PATH is: /usr/local/bin:/opt/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
Dec 13 11:42:01.242 [14344] dbg: util: executable for gpg was found at /usr/bin/gpg
Dec 13 11:42:01.242 [14344] dbg: gpg: found /usr/bin/gpg
Dec 13 11:42:01.242 [14344] dbg: gpg: release trusted key id list: 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45 0C2B1D7175B852C64B3CDC716C55397824F434CE
Dec 13 11:42:01.243 [14344] dbg: util: secure_tmpfile created a temporary file /tmp/.spamassassin14344HZiEeetmp
Dec 13 11:42:01.243 [14344] dbg: channel: attempting channel updates.spamassassin.org
Dec 13 11:42:01.243 [14344] dbg: channel: using existing directory /var/lib/spamassassin/3.004001/updates_spamassassin_org
Dec 13 11:42:01.243 [14344] dbg: channel: channel cf file /var/lib/spamassassin/3.004001/updates_spamassassin_org.cf
Dec 13 11:42:01.243 [14344] dbg: channel: channel pre file /var/lib/spamassassin/3.004001/updates_spamassassin_org.pre
Dec 13 11:42:01.243 [14344] dbg: channel: metadata version = 1799552, from file /var/lib/spamassassin/3.004001/updates_spamassassin_org.cf
Dec 13 11:42:01.255 [14344] dbg: dns: query failed: 1.4.3.updates.spamassassin.org => REFUSED
DNS TXT query 1.4.3.updates.spamassassin.org failed: REFUSED
Dec 13 11:42:01.263 [14344] dbg: dns: query failed: mirrors.updates.spamassassin.org => REFUSED
DNS TXT query mirrors.updates.spamassassin.org failed: REFUSED
channel: no 'mirrors.updates.spamassassin.org' record found, channel failed
Dec 13 11:42:01.263 [14344] dbg: diag: updates complete, exiting with code 4
Update failed, exiting with code 4
There's the problem:
Dec 13 11:42:01.255 [14344] dbg: dns: query failed: 1.4.3.updates.spamassassin.org => REFUSED
DNS TXT query 1.4.3.updates.spamassassin.org failed: REFUSED
DNS server is refusing your query. Someone's getting DDOS'ed, is my guess.
Here's the result:
nslookup -type=TXT 1.4.3.updates.spamassassin.org
Server: 172.30.4.9
Address: 172.30.4.9#53
Non-authoritative answer:
1.4.3.updates.spamassassin.org canonical name = 3.3.3.updates.spamassassin.org.
3.3.3.updates.spamassassin.org text = "1817982"
Authoritative answers can be found from:
spamassassin.org nameserver = c.auth-ns.sonic.net.
spamassassin.org nameserver = b.auth-ns.sonic.net.
spamassassin.org nameserver = ns2.ena.com.
spamassassin.org nameserver = a.auth-ns.sonic.net.
spamassassin.org nameserver = ns2.pccc.com.
c.auth-ns.sonic.net internet address = 147.75.64.146
ns2.ena.com internet address = 96.5.0.35
b.auth-ns.sonic.net internet address = 184.173.92.18
ns2.pccc.com internet address = 69.171.29.37
a.auth-ns.sonic.net internet address = 184.23.168.53
It's been this way for weeks, though, and I've got the nightly cron mail proving it. Are updates working for you? For anybody?
I recently installed and am not having problems.
Will check where my install is trying to retrieve updates from later. Had similar issue in past- deleted the mirrored.by file under the var tree for SA.
Updates are working well for me-- the first line of updates_spamassassin_org.cf is this:
# UPDATE version 1817982
...which matches the TXT record from above.
Maybe change the time your cron runs? Put in a random sleep? I wonder if your box is getting denied by one of those machines just because of how that round-robin DNS is turning out for you.
Well it's failing right now and 100% of the times I have tried manually. So that's not gonna do it.
What is your DNS setup? Do you use dnsmasq or something similar?
What does
dig mirrors.updates.spamassassin.org txt +short
dig 0.4.3.updates.spamassassin.org txt +short
say?
I'm not doing anything funny, as far as I know. resolv.conf uses my ISP's server, 209.237.230.11, ns1.unitedlayer.com. Both of those dig commands produce no output. However, "host -t any mirrors.updates.spamassassin.org" says mirrors.updates.spamassassin.org descriptive text "http://spamassassin.apache.org/updates/MIRRORED.BY"
Could your public ip be on a block list somewhere?
Your guess is as good as mine. My web sites and mail server, on the same IP, appear to be functioning just fine, however.
And if by this you are saying "I am able to download updates from mirrors.updates.spamassassin.org just fine" I'd sure like to see a log of that.
I can't reply to the above for some reason.
I've not idea why 'dig' does not work but 'host' does. Anyway, try to change temporarily to another DNS, like Google's 8.8.8.8.
It is normal for the spamassassin update domains to not have an A record, since they work with CNAME and TXT. So the command
host -t cname 1.4.3.updates.spamassassin.org
should produce "1.4.3.updates.spamassassin.org is an alias for 3.3.3.updates.spamassassin.org". And
host -t txt 1.4.3.updates.spamassassin.org
should give you the same 'alias' message as well as "1817982" for the TXT record, which is the current timestamp of the ruleset.
Oh, FFS.
Ok, so without changing resolv.conf, those commands give me the output you said I should get.
But when I change resolv.conf to be 8.8.8.8, now sa-update works. Yay?
But now I still need to figure out what is wrong with my ISP's DNS, because I kinda need to use that for other reasons, so I need the words to explain to them how they have fucked it up. Any suggestions?
Erm... that's very weird and I have a hard time coming up with some technobabble that would explain this. Normally I'd say they have some stale cache, because wrong cache invalidation can explain anything. But since your DNS query in the above log is clearly REFUSED, my best guess is that they somehow rate-limited you (spamassassin does a lot of DNS queries, especially if you get a lot of mail, which I guess you do).
jwz's old skyewl and probably still has hostname lookups turned on in his httpd.conf, and is just murderfying his DNS server.
Can you run a local caching DNS server on that box? You'll still have to fix the ISP issue, but if its because of rate limiting, running it locally will stop that in the future.
I meant is your ip blacklisted on spamhaus or wherever.
My updates don't appear to be pulling from mirrors.updates.spamassassin.org. If you otherwise have the correct (just old) files for updating, maybe dropping in the new file from https://spamassassin.apache.org/updates/MIRRORED.BY will work. That file matches my current installation which is updating and working, and which is not a new install.
Right now, from a number of hosts in different places:
$ host -t any mirrors.updates.spamassassin.org
mirrors.updates.spamassassin.org descriptive text "http://spamassassin.apache.org/updates/MIRRORED.BY"
That seems...insufficient.
No, that's fine. All these spamassassin.org subdomains usually do not have an A PTR record. When you don't have an IP, you cannot get DDOSed. All you get there is the current version number of the ruleset and the URL for the mirror file as TXT records.
A general point on DNS management: I find that running my own DNS servers on my boxes rather than using someone else's is not a significant administrative load (it's pretty much "spend ten minutes once and it's over") and makes debugging weird stuff much easier (and often prevents weird things from happening in the first place). We live in an era where provider DNS servers are often "helpfully" "tweaked" in various ways that are not helpful. If you've running your own instance of bind locally, that's one less thing to have to think about, one less opaque service that might be the cause of various problems.
Agree. I use Pi-hole on an old RPi and never had any issues. If I must have something I've black-holed I temporarily point the client at 8.8.8.8.
Bonus, install with JWZ's favorite method:
curl -sSL https://install.pi-hole.net | bash