
Security

Keeping current with SpamAssassin rules

December 6, 2006

This article was contributed by Jake Edge.

Anyone who pays attention to their spam knows that its character changes frequently; spammers are always adding new tricks to try to evade spam filters. There is an arms race of sorts going on: the filters get better at recognizing the latest evasion attempts, so the spammers come up with new ones, and the cycle repeats. To keep up with this spam evolution, the filter rulesets need frequent updates. For users of SpamAssassin (SA), the sa-update tool makes it very easy to pick up the latest ruleset and keep that unwanted spam out of the inbox.

Before sa-update, official SA ruleset updates were only available by installing an updated version of SA. Because the release cycle was often lengthy (measured in months), the developers added the ability to update the rulesets over the internet. At its core, sa-update contacts one or more update servers, downloads rule and score files, and installs them in a directory that SA consults alongside its stock configuration. Non-daemon invocations of spamassassin pick up the new rules on their next run; a running spamd holds its configuration in memory and must be restarted before it sees them.

sa-update is configured by default to use the official 'channel' (updates.spamassassin.org), but it can be pointed at other SA rule repositories as well. The SpamAssassin Rules Emporium (SARE) is one collection of rules and scores that sa-update can use. SARE publishes multiple channels, each of which targets a different type of spam, so one can mix and match the rulesets to tune the filter for the kinds of spam being seen.

There are some security implications to consider. The mildest is that a malicious or compromised channel could push bad rules or scores, letting spam through or, worse, flagging legitimate mail. More worrisome is the fact that the update mechanism can also distribute plugins, which opens the door to arbitrary code execution: SA plugins are arbitrary Perl code that the filter loads and runs, and because spamd often runs as root or another privileged user, that can be quite dangerous. sa-update checks a GPG signature on every update to reduce this hazard, which is only as good as the trustworthiness of the signing key. Note, too, that the signature check itself means gpg is fed data fetched from the network, so the recent GnuPG vulnerability (see below) must be patched on any host running sa-update. The official channel will not distribute plugins, which eliminates that problem for the official channel; third-party channels deserve a closer look before they are added.

The available rulesets change frequently, and running sa-update from cron can bring the system up to date on a daily or weekly basis. Another tool, rule-get, builds on the same update mechanism and offers a command line syntax modeled on apt-get.
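The following is an added example for this article, not code from LWN or the SpamAssassin project. It is the kind of cron wrapper a cautious administrator would use for the procedure just described: sa-update is given a channel list and a list of trusted signing key IDs, spamd is restarted only when a signed update was actually installed, and the freshly installed rules are first scanned for plugin-loading directives so that a third-party channel cannot quietly turn a rule update into arbitrary Perl running inside spamd. The two file paths, the spamd restart command and the update directory are hypothetical placeholders; the sa-update options used (--updatedir, --channelfile, --gpgkeyfile, --import) are the ones documented for SpamAssassin 3.1/3.2, but check `sa-update --help` on the installed version.

```shell
#!/bin/sh
# Added example; not code from LWN or the SpamAssassin project.
# Assumed (hypothetical) paths and commands are marked below.
set -u

CHANNELS_FILE="${CHANNELS_FILE:-/etc/mail/spamassassin/channels.txt}"    # one channel per line (assumed path)
KEYIDS_FILE="${KEYIDS_FILE:-/etc/mail/spamassassin/trusted-keyids.txt}"  # one GPG key ID per line (assumed path)
UPDATE_DIR="${UPDATE_DIR:-/var/lib/spamassassin}"                       # where sa-update installs rules (assumed)
SPAMD_RESTART="${SPAMD_RESTART:-/etc/init.d/spamassassin restart}"       # distro-specific (assumed)

# One-time setup: put a channel's signing key into sa-update's own keyring.
# Only do this for a key obtained out of band from a channel you trust; its
# key ID must also appear in KEYIDS_FILE, otherwise sa-update rejects that
# channel's updates as signed by an unknown key.
import_channel_key() {
    keyfile="${1:?usage: import <keyfile>}"
    sa-update --import "$keyfile"
}

# Scan installed rule files for plugin-loading directives. A channel that
# ships "loadplugin Foo /path/Foo.pm" gets arbitrary Perl run inside spamd,
# so this fails closed (returns 1) if any uncommented loadplugin/tryplugin
# line exists. (tryplugin is the non-fatal variant in newer SA releases.)
scan_for_plugins() {
    dir="$1"
    found=0
    for f in $(find "$dir" -type f \( -name '*.cf' -o -name '*.pre' \) 2>/dev/null); do
        # Strip comments first so "# loadplugin ..." in a rule file is not a hit.
        if sed 's/#.*//' "$f" | grep -Eq '^[[:space:]]*(load|try)plugin[[:space:]]'; then
            sed 's/#.*//' "$f" | grep -E '^[[:space:]]*(load|try)plugin[[:space:]]' | sed "s|^|$f: |"
            found=1
        fi
    done
    return $found
}

# Cron entry point. sa-update exits 0 only when new rules were downloaded,
# their signature matched one of the listed key IDs and they passed lint;
# any other status (no update, bad signature, network error) leaves the old
# rules in place, so spamd is restarted only after a clean, verified update.
update_and_restart() {
    sa-update --updatedir "$UPDATE_DIR" \
              --channelfile "$CHANNELS_FILE" \
              --gpgkeyfile "$KEYIDS_FILE"
    status=$?
    if [ "$status" -ne 0 ]; then
        echo "sa-update: no new rules installed (exit status $status)" >&2
        return 0
    fi
    if ! scan_for_plugins "$UPDATE_DIR"; then
        echo "refusing to restart spamd: update contains plugin directives" >&2
        return 1
    fi
    $SPAMD_RESTART
}

case "${1:-}" in
    run)    update_and_restart ;;
    import) import_channel_key "${2:-}" ;;
esac
```

Invoke it as `script import sare.key` once per channel key and `script run` from cron. The scan only covers the update directory, so the administrator's own loadplugin lines in /etc/mail/spamassassin/*.pre are untouched. One caveat: the gate protects spamd, which keeps its old rules until restarted, but the non-daemon spamassassin client reads the update directory on every run; to gate that path as well, fetch into a staging directory and copy the rules over only after the scan passes.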

This is an excellent tool for helping to reduce the ever-evolving spam problem. As long as one is careful about which GPG keys to trust, it should be secure as well. Spammers are, no doubt, using the same tool to tune their spam to avoid the new rules, but running it still cuts the false negatives from older evasion schemes and from those spammers who have yet to test their stock scam email against the latest rules.

More information and additional channels are available from the SA wiki.

Comments (7 posted)

Brief items

A severe, remotely-exploitable GnuPG vulnerability

The GnuPG developers have sent out an advisory regarding a rather unpleasant vulnerability which has surfaced: "Using malformed OpenPGP packets an attacker is able to modify and dereference a function pointer in GnuPG. This is a remotely exploitable bug and affects any use of GnuPG where an attacker can control the data processed by GnuPG. It is not necessarily limited to encrypted data, also signed data may be affected." It would be prudent to be very careful about feeding messages to gpg until you have a fix installed.

Full Story (comments: 4)

New vulnerabilities

gnupg: buffer overflow

Package(s): gnupg    CVE #(s): CVE-2006-6169
Created: November 30, 2006    Updated: December 11, 2006
Description: GnuPG has a buffer overflow vulnerability. If a user can be tricked into running gpg interactively on a specially crafted message, arbitrary code can be executed with the user's privileges.
Alerts:
Gentoo 200612-03:02 gnupg 2006-12-10
Gentoo 200612-03 gnupg 2006-12-10
Debian DSA-1231-1 gnupg 2006-12-09
Slackware SSA:2006-340-01b gnupg 2006-12-08
OpenPKG OpenPKG-SA-2006.037 gnupg 2006-12-08
Ubuntu USN-393-2 gnupg2 2006-12-07
Ubuntu USN-393-1 gnupg 2006-12-07
Slackware SSA:2006-340-01 gnupg 2006-12-07
rPath rPSA-2006-0227-1 gnupg 2006-12-06
Fedora FEDORA-2006-1406 gnupg 2006-12-06
Fedora FEDORA-2006-1405 gnupg 2006-12-06
Red Hat RHSA-2006:0754-01 GnuPG 2006-12-06
Trustix TSLSA-2006-0068 gnupg, tar 2006-12-01
Mandriva MDKSA-2006:221 gnupg 2006-11-30
rPath rPSA-2006-0224-1 gnupg 2006-11-30
Ubuntu USN-389-1 gnupg 2006-11-29

Comments (none posted)

kernel: bridging code buffer overflow

Package(s): kernel    CVE #(s): CVE-2006-5751
Created: December 6, 2006    Updated: January 3, 2007
Description: A buffer overflow in the bridging code in kernels through 2.6.18.3 can lead to a denial of service or potential code execution. The 2.6.18.4 kernel contains the fix.
Alerts:
Mandriva MDKSA-2007:002 kernel 2007-01-02
SuSE SUSE-SA:2006:079 kernel 2006-12-21
Fedora FEDORA-2006-1471 kernel 2006-12-18
Fedora FEDORA-2006-1470 kernel 2006-12-18
Ubuntu USN-395-1 kernel 2006-12-13
Debian DSA-1233-1 kernel-source-2.6.8 2006-12-10
rPath rPSA-2006-0226-1 kernel 2006-12-06

Comments (none posted)

koffice: integer overflow

Package(s): koffice    CVE #(s): CVE-2006-6120
Created: November 30, 2006    Updated: February 20, 2007
Description: The KOffice office suite has an integer overflow vulnerability. If an attacker can trick a user into opening a specially crafted PowerPoint (PPT) file, KOffice can be caused to crash or possibly execute arbitrary code with the user's privileges.
Alerts:
Red Hat RHSA-2007:0010-01 KOffice 2007-02-20
Slackware SSA:2006-357-04 koffice 2006-12-25
Gentoo 200612-05 koffice-libs 2006-12-10
Mandriva MDKSA-2006:222 koffice 2006-12-01
Ubuntu USN-388-1 koffice 2006-11-29

Comments (none posted)

libgsf: heap buffer overflow

Package(s): libgsf    CVE #(s): CVE-2006-4514
Created: November 30, 2006    Updated: January 11, 2007
Description: The GNOME library libgsf, which is used for reading and writing structured file formats, has a heap buffer overflow that can be triggered by a crafted file and exploited to execute arbitrary code with the privileges of the application using the library.
Alerts:
Red Hat RHSA-2007:0011-01 libgsf 2007-01-11
SuSE SUSE-SA:2006:076 libgsf 2006-12-14
rPath rPSA-2006-0232-1 libgsf 2006-12-14
Gentoo 200612-13 libgsf 2006-12-12
Fedora FEDORA-2006-1417 libgsf 2006-12-07
Fedora FEDORA-2006-1399 libgsf 2006-12-05
Ubuntu USN-391-1 libgsf 2006-12-04
Mandriva MDKSA-2006:220 libgsf 2006-11-30
Debian DSA-1221-1 libgsf 2006-11-30

Comments (none posted)

xine-lib: buffer overflow

Package(s): xine-lib    CVE #(s): CVE-2006-6172
Created: December 5, 2006    Updated: June 5, 2007
Description: A buffer overflow was discovered in the Real Media input plugin in xine-lib. If a user were tricked into loading a specially crafted stream from a malicious server, the attacker could execute arbitrary code with the user's privileges.
Alerts:
Mandriva MDKSA-2007:112 mplayer 2007-06-04
Gentoo 200702-11 mplayer 2007-02-27
Debian DSA-1244-1 xine-lib 2006-12-28
Gentoo 200612-02 xine-lib 2006-12-09
SuSE SUSE-SR:2006:028 xine-lib, texinfo, wv, libpng 2006-12-08
Mandriva MDKSA-2006:224 xine-lib 2006-12-05
Ubuntu USN-392-1 xine-lib 2006-12-04

Comments (none posted)

Resources

Sourcefire launches free security tool to protect Microsoft Office applications

Sourcefire has announced the availability of the free "OfficeCat" tool, which scans Microsoft Office files for hostile content.

Full Story (comments: 2)

Page editor: Jonathan Corbet
Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds