FSL's copy of RulesDuJour outdated?
Matt Kettler
mkettler at evi-inc.com
Fri Oct 26 20:27:53 IST 2007
In FSL's "resources" page, they have a link to download RDJ:
http://www.fsl.com/resources.html
However, the RDJ script contained there is out-of-date, containing Version 1.28.
The current release of RDJ is Version 1.30, as distributed at:
sandgnat.com/rdj/rules_du_jour
(Note: sandgnat.com is run by Chris Thielen, the original author of RDJ. He
doesn't have exit0.us anymore, so he hosts it at sandgnat.com).
I point the problem out because the version of RDJ distributed by FSL still
supports fetching antidrug.cf from comcast.net. Although not enabled by default,
someone might be misled into enabling it.
I no longer have control of the account on comcast that the script points to,
which would make it a very bad thing if someone tries to fetch antidrug from
there. Any spammer might be the next person who has control of that comcast
account, and they could publish any config file they wanted there, possibly
including one with a regex designed to exploit SpamAssassin itself.. Running
untrusted rules as root could possibly be dangerous...
Can someone at FSL either remove or update their RDJ packages?
You might also want to keep on top of it, as the SA devs have been trying to
encourage Chris to comment-out the support for Will Stearns's blacklist and
blacklist-uri as well.
(They're interesting for research, but are also sure-fire ways to kill
SpamAssassin due to their size. About once a week we see someone asking why SA
is so slow and it turns out they have enabled this ruleset in RDJ..).
More information about the MailScanner
mailing list