December 6, 2006
This article was contributed by Jake Edge.
Anyone who pays attention to their spam knows that its character changes
frequently; spammers are always adding new tricks to try and evade spam
filters. There is an arms race of sorts going on; the filters get better
at recognizing the latest evasion attempts and so the spammers come up
with new ones and the cycle repeats. To reduce the effectiveness of this
spam evolution, frequent updates of the filter rulesets are needed. For
users of SpamAssassin (SA), the
sa-update tool makes it very easy to pick up the latest ruleset and
keep that unwanted spam out of the inbox.
Before sa-update, official SA ruleset updates were only available
by installing an updated version of SA. Because the release cycle was often
lengthy (measured in months), the developers added the ability to easily
update the rulesets over the internet. At its core, sa-update
contacts one or more servers, picks up rule and score files,
and installs them in a directory that SA uses for its updates. SA will
immediately start using the new rules, though restarting spamd
will be required if SA is configured that way.
sa-update is configured by default to use the official 'channel'
(updates.spamassassin.org), but that can be altered to tune into other
SA rules repositories. The SpamAssassin Rules Emporium (SARE) is one
collection of rules and scores that sa-update can use. There are multiple
channels available, each of which handles a different type of spam, and one
can mix and match the rulesets to tune the filter for the kinds of spam
being seen.
There are some security implications to consider: injecting bad rules or scores
could lead to worse spam filtering, for example. More worrisome, however,
is the fact that the update mechanism allows for
plugins to be distributed, leading to potential arbitrary code execution.
SA plugins are arbitrary Perl code that will be run by the filter; because
the filter generally runs as root or another privileged user, that can be
quite dangerous. sa-update uses
GPG signatures on the updates to reduce
this hazard, as long as the signer is really trustworthy (and the recent GPG security problem has been patched). The official
channel will not distribute plugins, thereby eliminating that problem.
The rulesets available change frequently, and automating the sa-update process
via cron can bring the system up to date on a daily or weekly basis. Another
tool, rule-get, is available; it uses the same update mechanism and provides
a command-line syntax based on apt-get.
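As an added example (not from the article or the SpamAssassin project), here is a cron-ready wrapper that runs sa-update with the trusted signer's key pinned, restarts spamd only when new rules were actually installed, and reports failures; the init-script path and the key ID are placeholders, and the exit-status meanings follow sa-update's documentation.

```shell
#!/bin/sh
# Cron-driven SpamAssassin rule update (added example, not from the article).
# Assumptions: sa-update is on PATH, spamd is restarted via an init script,
# and the key ID below is a PLACEHOLDER for the fingerprint you verified
# out of band for the channel's signer.

SA_UPDATE="${SA_UPDATE:-sa-update}"                  # overridable for tests
SPAMD_RESTART="${SPAMD_RESTART:-/etc/init.d/spamassassin restart}"
CHANNELS="updates.spamassassin.org"                  # official channel: no plugins
KEYS="PLACEHOLDER_OFFICIAL_KEYID"                    # one --gpgkey per trusted signer

# Map sa-update's documented exit status to an action:
#   0  new rules installed and lint-clean -> restart spamd so it loads them
#   1  no new rules                        -> nothing to do
#   2  update failed lint                  -> nothing installed
#   4+ download, signature or other error  -> nothing installed
classify_exit() {
    case "$1" in
        0) echo updated ;;
        1) echo unchanged ;;
        2) echo lint-failed ;;
        *) echo error ;;
    esac
}

# Run sa-update with every trusted key and every channel. GPG verification
# stays on (never --nogpg): a ruleset whose signature does not match a key
# listed in KEYS is rejected, which is what keeps an injected plugin out.
run_update() {
    set --
    for k in $KEYS;     do set -- "$@" --gpgkey  "$k"; done
    for c in $CHANNELS; do set -- "$@" --channel "$c"; done
    if $SA_UPDATE "$@"; then rc=0; else rc=$?; fi
    classify_exit "$rc"
}

main() {
    result=$(run_update)
    case "$result" in
        updated)   $SPAMD_RESTART ;;
        unchanged) : ;;
        *)         echo "sa-update failed: $result" >&2; return 1 ;;
    esac
}

# Called from cron as "sa-update-cron.sh run"; with no argument the script
# only defines the functions above.
case "${1:-}" in run) main ;; esac
```

Because a failed update leaves the old rules in place, cron's mail of the stderr line is the only signal that the channel or its signature stopped verifying.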
This is an excellent tool for helping to reduce the ever-evolving
spam problem. As long
as one is careful about which GPG keys to trust, it should be secure as
well. Spammers are, no doubt, taking advantage of this tool to tune their
spam to avoid the new rules, but using it can reduce the false negatives
from the older evasion schemes or from those who have yet to test their
stock scam email with the latest rules.
More information and additional channels are available from the SA wiki; a
good starting point is here.