Bug 2365

Summary: need to drop Osirusoft rules ASAP
Product: Spamassassin
Reporter: Justin Mason <jm>
Component: Rules
Assignee: SpamAssassin Developer Mailing List <dev>
Status: RESOLVED FIXED
Severity: blocker
CC: bernd, KlausRusch
Priority: P2
Version: 2.60
Target Milestone: 2.60
Hardware: Other
OS: other
Whiteboard:
Attachments: patch

Description Justin Mason 2003-08-26 17:36:03 UTC
apparently they're returning a match on all queries.
Comment 1 Justin Mason 2003-08-26 17:36:52 UTC
Created attachment 1281
patch

also bumps up some other rules to make up
Comment 2 Theo Van Dinter 2003-08-26 19:18:54 UTC
0.5:

"Well, at least NJABL don't"

should be "doesn't".

other than that, it looks ok.
Comment 3 Michael Bell 2003-08-27 01:28:45 UTC
I strongly recommend that a 2.56 release be made for (admittedly dull) SA 
admins. Just a thought

Comment 4 Allen Smith 2003-08-27 12:26:09 UTC
Subject: Re: [SAdev]  need to drop Osirusoft rules ASAP


A note somewhere that Osirusoft rules are removed because of their having to
(hopefully temporarily!) shut down due to a continuing spammer DDoS attack
might be a good idea - explanation to previous users of said rules.

      -Allen

Comment 5 Malte S. Stretz 2003-08-27 13:14:42 UTC
+1 get rid of em (hope the GA won't moan too much) 
Comment 6 Justin Mason 2003-08-27 14:27:08 UTC
ok, applied (with Theo's doco fix).  Allen -- I'd prefer to avoid adding more
text to the doco as there's already too much for users to wade through, and the
reason why they disappeared is already big news pretty much everywhere.
Comment 7 Brian White 2003-08-27 14:30:13 UTC
Subject: Re: [SAdev]  need to drop Osirusoft rules ASAP

> A note somewhere that Osirusoft rules are removed because of their having to
> (hopefully temporarily!) shut down due to a continuing spammer DDoS attack
> might be a good idea - explanation to previous users of said rules.

Why do the rules need to be dropped?  If the servers are down due to a DDoS,
wouldn't the rule just time-out and not get weighted?

I can see how this would affect the GA weightings (i.e. when one rule
becomes ineffective, all the others need to be adjusted), but wouldn't
it be better to adjust the GA slightly and keep the rules in so they
become active again when the rules return?

My worry is that dropping the rule because of a successful DDoS is
akin to giving in to the demands of terrorists.  It will just show them
that the attack works and is a viable weapon that may be pointed towards
other services.

Is there harm in leaving the rules in place so they become active again
when the attack ends?

                                          Brian
                                 ( bcwhite@precidia.com )

-------------------------------------------------------------------------------
     Differences are good.  If two people agree, one of them is redundant.

Comment 8 Malte S. Stretz 2003-08-27 14:47:29 UTC
Reason to remove the rules: 
| NSXDavid writes "Earlier today our site mysteriously ended up on Joe Jared's 
| Osirusoft SPAM blacklist which is used by lots of antispam software (like 
| SpamAssassin and sendmail). Since he is currently under a serious DDoS 
| attack, there was no way to appeal this decision. We contacted Mr. Jared by 
| phone who informed us that 'everyone needs to stop using Osirusoft and that 
| he's going to be shutting the service down.' Then he says he's going to 
| blacklist 'the world' (aka, ban *.*.*.*) to get his point across. Later on 
| this evening, he apparently went ahead and did just that. Succumbing to 
| lawsuits and DDoS, a once great blacklist is dead. SpamAssassin is removing 
| it from their config in the next release (rc3) and email admins around the 
| globe are reconfiguring their mail servers."  
Source: http://slashdot.org/article.pl?sid=03/08/27/0214238 
Comment 9 Justin Mason 2003-08-27 14:50:13 UTC
Subject: Re: [SAdev]  need to drop Osirusoft rules ASAP 


>Why do the rules need to be dropped?  If the servers are down due to a DDoS,
>wouldn't the rule just time-out and not get weighted?

They're not.  The servers are returning a match for every IP queried.

Most people aren't seeing this because of the DDOS, but if that lets
up, it'll be a lot more visible.

--j.
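
The distinction drawn in comment 9, between a blacklist that times out and one that answers every query with a match, can be checked with the test addresses from RFC 5782: an IPv4 DNSBL must list 127.0.0.2 and must not list 127.0.0.1. This is an added example, not part of the bug thread or of SpamAssassin's code; the zone `dnsbl.example`, the function names and the stand-in resolvers are assumptions made for illustration.

```python
import socket

def dnsbl_name(ip, zone):
    """Query name for an IPv4 DNSBL lookup: reversed octets + zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def system_resolver(name):
    """A records for name; [] if the name does not exist; None on timeout/error."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror as exc:
        not_found = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}
        return [] if exc.errno in not_found else None

def check_zone(zone, resolve=system_resolver):
    """Classify a DNSBL zone using the RFC 5782 test addresses."""
    must_not_list = resolve(dnsbl_name("127.0.0.1", zone))
    must_list = resolve(dnsbl_name("127.0.0.2", zone))
    if must_not_list:                      # listed although it must never be
        return "lists-everything"
    if must_not_list is None or must_list is None:
        return "unreachable"               # lookups fail: the rule never fires
    if not must_list:
        return "empty"                     # zone answers, but the test entry is gone
    return "ok"

# Constructed resolvers standing in for real DNS, so the example runs offline.
def healthy(name):
    return ["127.0.0.2"] if name.startswith("2.0.0.127.") else []

def wildcarded(name):
    return ["127.0.0.2"]                   # every name resolves: everything is "listed"

def timing_out(name):
    return None

if __name__ == "__main__":
    for label, fake in [("healthy", healthy), ("wildcarded", wildcarded),
                        ("timing out", timing_out)]:
        print(label, "->", check_zone("dnsbl.example", resolve=fake))
```

A `lists-everything` result is the case in which a rule using the zone scores every message; `unreachable` is the time-out case asked about in comment 7.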

Comment 10 Malte S. Stretz 2003-08-29 03:55:01 UTC
*** Bug 2373 has been marked as a duplicate of this bug. ***
Comment 11 Malte S. Stretz 2003-08-29 13:36:25 UTC
*** Bug 2378 has been marked as a duplicate of this bug. ***