• spamassassin Debian package unsafe to use in stable?

    From Vincent Lefevre@21:1/5 to All on Mon Jun 9 01:30:01 2025
    Is the spamassassin Debian package unsafe to use in stable?

    The issue is that things related to spam evolve rapidly, but
    Debian stable is... stable. So its rules become obsolete, such as
    those that generate

    RCVD_IN_VALIDITY_CERTIFIED_BLOCKED
    RCVD_IN_VALIDITY_RPBL_BLOCKED
    RCVD_IN_VALIDITY_SAFE_BLOCKED

    while upstream gave them zero scores in May.

    --
    Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
    100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
    Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Santiago Vila@21:1/5 to All on Mon Jun 9 03:00:01 2025
    On 9/6/25 at 1:18, Vincent Lefevre wrote:
    > Is the spamassassin Debian package unsafe to use in stable?
    >
    > The issue is that things related to spam evolve rapidly, but
    > Debian stable is... stable.

    Look at the version numbers:

    spamassassin | 4.0.1-1~deb12u1 | stable   | source, all
    spamassassin | 4.0.1-3         | testing  | source, all
    spamassassin | 4.0.1-3         | unstable | source, all

    At this moment, there is not a great difference between bookworm and trixie,
    as both are based on upstream version 4.0.1.

    If you are worried about obsolete built-in spam rules, you can also use spamassassin as a framework to use other mechanisms (for example, razor),
    and it can also do bayesian filtering.

    (Disclaimer: I use razor + pyzor + bogofilter with procmail myself,
    and have not used spamassassin in a long time).

    Thanks.

  • From Vincent Lefevre@21:1/5 to Santiago Vila on Mon Jun 9 04:00:01 2025
    On 2025-06-09 02:58:07 +0200, Santiago Vila wrote:
    > On 9/6/25 at 1:18, Vincent Lefevre wrote:
    >> Is the spamassassin Debian package unsafe to use in stable?
    >>
    >> The issue is that things related to spam evolve rapidly, but
    >> Debian stable is... stable.
    >
    > Look at the version numbers:
    >
    > spamassassin | 4.0.1-1~deb12u1 | stable   | source, all
    > spamassassin | 4.0.1-3         | testing  | source, all
    > spamassassin | 4.0.1-3         | unstable | source, all
    >
    > At this moment, there is not a great difference between bookworm and trixie, as both are based on upstream version 4.0.1.

    The rules are changing outside the upstream version numbers.

    --
    Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
    100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
    Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)

  • From Andy Smith@21:1/5 to Andy Smith on Mon Jun 9 10:10:01 2025
    On Mon, Jun 09, 2025 at 08:03:58AM +0000, Andy Smith wrote:
    > On Mon, Jun 09, 2025 at 01:18:37AM +0200, Vincent Lefevre wrote:
    >> Is the spamassassin Debian package unsafe to use in stable?
    >
    > I think so. I think the general expectation of spamassassin is that you
    > use a release for a long time.

    Oops! That was meant to read "I DON'T think so", as I hope the rest of
    my email gave the hint.

    Thanks,
    Andy

    --
    https://bitfolk.com/ -- No-nonsense VPS hosting

  • From Andy Smith@21:1/5 to Vincent Lefevre on Mon Jun 9 10:10:01 2025
    Hi,

    On Mon, Jun 09, 2025 at 01:18:37AM +0200, Vincent Lefevre wrote:
    > Is the spamassassin Debian package unsafe to use in stable?

    I think so. I think the general expectation of spamassassin is that you
    use a release for a long time.

    > The issue is that things related to spam evolve rapidly, but
    > Debian stable is... stable.

    The scores assigned to most of the different rules are updated from the spamassassin project itself (and other places if you enable that) using sa-update, which is fully supported in Debian.

    > its rules become obsolete, such as those that generate
    >
    > RCVD_IN_VALIDITY_CERTIFIED_BLOCKED
    > RCVD_IN_VALIDITY_RPBL_BLOCKED
    > RCVD_IN_VALIDITY_SAFE_BLOCKED
    >
    > while upstream gave them zero scores in May.

    sa-update already picked it up:

    $ grep RCVD_IN_VALIDITY /var/lib/spamassassin/4.000001/updates_spamassassin_org/50_scores.cf
    score RCVD_IN_VALIDITY_CERTIFIED 0
    score RCVD_IN_VALIDITY_SAFE 0
    score RCVD_IN_VALIDITY_RPBL 0
    #score RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001
    #score RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001
    #score RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001

    There was a post on the spamassassin list to warn users that these DNS
    lists would stop getting points for everyone doing updates due to the zero score. This was not to alert people to make manual updates, as that's
    not necessary if using sa-update.

    On Debian, sa-update is called from the spamassassin-maintenance.service systemd service, which is itself called by the similarly named timer
    unit. I don't recall whether that timer is enabled by default.

    Thanks,
    Andy

    --
    https://bitfolk.com/ -- No-nonsense VPS hosting

  • From [email protected]@21:1/5 to Andy Smith on Mon Jun 9 10:40:01 2025
    On Mon, Jun 09, 2025 at 08:07:37AM +0000, Andy Smith wrote:
    > On Mon, Jun 09, 2025 at 08:03:58AM +0000, Andy Smith wrote:
    >> On Mon, Jun 09, 2025 at 01:18:37AM +0200, Vincent Lefevre wrote:
    >>> Is the spamassassin Debian package unsafe to use in stable?
    >>
    >> I think so. I think the general expectation of spamassassin is that you
    >> use a release for a long time.
    >
    > Oops! That was meant to read "I DON'T think so", as I hope the rest of
    > my email gave the hint.

    I already wanted to intervene :-)

    Distributed double negation (DDN): half of it in the question, the other
    in the answer.

    Cheers
    --
    t


  • From Vincent Lefevre@21:1/5 to Andy Smith on Mon Jun 9 13:40:02 2025
    On 2025-06-09 08:03:58 +0000, Andy Smith wrote:
    > sa-update already picked it up:
    >
    > $ grep RCVD_IN_VALIDITY /var/lib/spamassassin/4.000001/updates_spamassassin_org/50_scores.cf
    > score RCVD_IN_VALIDITY_CERTIFIED 0
    > score RCVD_IN_VALIDITY_SAFE 0
    > score RCVD_IN_VALIDITY_RPBL 0
    > #score RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001
    > #score RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001
    > #score RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001

    I also have that. Why is it ignored?

    Or perhaps there is a bug in SpamAssassin, which still performs
    the DNS checks even though the score is 0. FYI, I still have the
    following warnings in the logs:

    Jun 09 13:07:48 joooj spamd[164780]: check: dns_block_rule RCVD_IN_VALIDITY_RPBL_BLOCKED hit, creating /root/.spamassassin/dnsblock_bl.score.senderscore.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny bl.score.senderscore.com" to disable queries)
    Jun 09 13:07:48 joooj spamd[164780]: check: dns_block_rule RCVD_IN_VALIDITY_SAFE_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-accredit.habeas.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny sa-accredit.habeas.com" to disable queries)
    Jun 09 13:07:48 joooj spamd[164780]: check: dns_block_rule RCVD_IN_VALIDITY_CERTIFIED_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-trusted.bondedsender.org (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny sa-trusted.bondedsender.org" to disable queries)

    and the mail messages still have the RCVD_IN_VALIDITY_*_BLOCKED
    in the headers.

    --
    Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
    100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
    Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
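
The following shell functions are an added example, not part of any post in this thread. They read spamd log lines like the ones quoted above, print the `dns_query_restriction deny` lines that the warning itself suggests, and report whether a given scores file holds an active (uncommented) zero score for each rule that hit. The sample log and scores text are constructed from the lines quoted in the thread (the repeated fourth log line is invented to show de-duplication), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data is constructed from the
# spamd log lines and grep output quoted in the posts (log text shortened).
SAMPLE_LOG='Jun 09 13:07:48 joooj spamd[164780]: check: dns_block_rule RCVD_IN_VALIDITY_RPBL_BLOCKED hit, creating /root/.spamassassin/dnsblock_bl.score.senderscore.com (This means DNSBL blocked you ...)
Jun 09 13:07:48 joooj spamd[164780]: check: dns_block_rule RCVD_IN_VALIDITY_SAFE_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-accredit.habeas.com (This means DNSBL blocked you ...)
Jun 09 13:07:48 joooj spamd[164780]: check: dns_block_rule RCVD_IN_VALIDITY_CERTIFIED_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-trusted.bondedsender.org (This means DNSBL blocked you ...)
Jun 09 13:09:02 joooj spamd[164780]: check: dns_block_rule RCVD_IN_VALIDITY_RPBL_BLOCKED hit, creating /root/.spamassassin/dnsblock_bl.score.senderscore.com (This means DNSBL blocked you ...)'
SAMPLE_SCORES='score RCVD_IN_VALIDITY_CERTIFIED 0
score RCVD_IN_VALIDITY_SAFE 0
score RCVD_IN_VALIDITY_RPBL 0
#score RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001
#score RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001
#score RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001'

# stdin: spamd log. stdout: unique "RULE ZONE" pairs, one per blocked rule.
blocked_pairs() {
    sed -n 's|.*check: dns_block_rule \([A-Z0-9_]*\) hit, creating [^ ]*/dnsblock_\([^ ]*\).*|\1 \2|p' | sort -u
}

# stdin: spamd log. stdout: config lines that stop queries to each blocked
# zone, using the dns_query_restriction option the log message itself names.
deny_lines() {
    blocked_pairs | awk '{print $2}' | sort -u | sed 's/^/dns_query_restriction deny /'
}

# stdin: spamd log; $1: a scores file. For every rule that hit, say whether
# that file has an active (uncommented) all-zero score line for it.
score_status() {
    blocked_pairs | awk '{print $1}' | sort -u | while read -r rule; do
        if grep -Eq "^[[:space:]]*score[[:space:]]+${rule}([[:space:]]+0(\.0+)?)+[[:space:]]*$" "$1"; then
            echo "$rule zero-score-line-present"
        else
            echo "$rule no-active-zero-score-line"
        fi
    done
}

demo() {
    tmp=$(mktemp) && printf '%s\n' "$SAMPLE_SCORES" > "$tmp"
    printf '%s\n' "$SAMPLE_LOG" | deny_lines
    printf '%s\n' "$SAMPLE_LOG" | score_status "$tmp"
    rm -f "$tmp"
}
demo
```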

  • From Nicolas George@21:1/5 to All on Mon Jun 9 14:00:01 2025
    Vincent Lefevre (HE12025-06-09):
    > Jun 09 13:07:48 joooj spamd[164780]: check: dns_block_rule RCVD_IN_VALIDITY_RPBL_BLOCKED hit, creating /root/.spamassassin/dnsblock_bl.score.senderscore.com

    A system service accessing files in the personal directory of root?
    There is something seriously wrong here, but I cannot guess if it is in SpamAssassin's design or in the way it has been set up in this instance.

    Regards,

    --
    Nicolas George

  • From Thomas Hochstein@21:1/5 to Vincent Lefevre on Mon Jun 9 16:50:01 2025
    Vincent Lefevre wrote:

    > Is the spamassassin Debian package unsafe to use in stable?
    >
    > The issue is that things related to spam evolve rapidly, but
    > Debian stable is... stable.

    Debian stable already has the current version of SpamAssassin:

    | News and Announcements
    |
    | 2024-03-29: Apache SpamAssassin 4.0.1 has been released!
    [...]
    <https://spamassassin.apache.org/news.html>

    | thh@angmar:~$ apt show spamassassin
    | Package: spamassassin
    | Version: 4.0.1-1~deb12u1

    > So its rules become obsolete, such as
    > those that generate
    >
    > RCVD_IN_VALIDITY_CERTIFIED_BLOCKED
    > RCVD_IN_VALIDITY_RPBL_BLOCKED
    > RCVD_IN_VALIDITY_SAFE_BLOCKED
    >
    > while upstream gave them zero scores in May.

    Rules are updated by the sa-update service, started e.g. by
    | systemctl enable --now spamassassin-maintenance.timer
    | systemctl start spamassassin-maintenance.service

    Doing that, the scores are up to date:
    | thh@angmar:~$ grep RCVD_IN_VALIDITY /var/lib/spamassassin/4.000001/updates_spamassassin_org/50_scores.cf
    | score RCVD_IN_VALIDITY_CERTIFIED 0
    | score RCVD_IN_VALIDITY_SAFE 0
    | score RCVD_IN_VALIDITY_RPBL 0
    | #score RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001
    | #score RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001
    | #score RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001

    Kind regards,
    -thh

  • From Vincent Lefevre@21:1/5 to Thomas Hochstein on Tue Jun 10 09:40:01 2025
    On 2025-06-09 16:24:41 +0200, Thomas Hochstein wrote:
    > Rules are updated by the sa-update service, started e.g. by
    > | systemctl enable --now spamassassin-maintenance.timer
    > | systemctl start spamassassin-maintenance.service
    >
    > Doing that, the scores are up to date:
    > | thh@angmar:~$ grep RCVD_IN_VALIDITY /var/lib/spamassassin/4.000001/updates_spamassassin_org/50_scores.cf
    > | score RCVD_IN_VALIDITY_CERTIFIED 0
    > | score RCVD_IN_VALIDITY_SAFE 0
    > | score RCVD_IN_VALIDITY_RPBL 0
    > | #score RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001
    > | #score RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001
    > | #score RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001

    I have that, but this is ignored. See the mail I sent on
    Mon, 9 Jun 2025 13:31:02 +0200.

    --
    Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
    100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
    Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)

  • From Vincent Lefevre@21:1/5 to Nicolas George on Tue Jun 10 09:40:01 2025
    On 2025-06-09 13:50:52 +0200, Nicolas George wrote:
    > Vincent Lefevre (HE12025-06-09):
    >> Jun 09 13:07:48 joooj spamd[164780]: check: dns_block_rule RCVD_IN_VALIDITY_RPBL_BLOCKED hit, creating /root/.spamassassin/dnsblock_bl.score.senderscore.com
    >
    > A system service accessing files in the personal directory of root?
    > There is something seriously wrong here, but I cannot guess if it is in SpamAssassin's design or in the way it has been set up in this instance.

    This is the default behavior.

    By searching for "check: dns_block_rule", one can see that this
    is a general behavior:

    https://forum.proxmox.com/threads/pmg-strange-dns_block_rule-log-entries-in-mail-log.165151/

    https://forum.opnsense.org/index.php?topic=40983.0

    https://serverfault.com/questions/1174765/re-enabling-dns-lookup-in-spamassassin-after-moving-off-open-resolver
    (this one for RCVD_IN_ZEN_BLOCKED_OPENDNS)

    https://forum.directadmin.com/threads/spamd-scoring-messed-up-by-validity-rules.72710/

    and so on.

    --
    Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
    100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
    Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)

  • From Andy Smith@21:1/5 to Vincent Lefevre on Tue Jun 10 13:50:01 2025
    Hi,

    On Tue, Jun 10, 2025 at 09:34:33AM +0200, Vincent Lefevre wrote:
    > On 2025-06-09 16:24:41 +0200, Thomas Hochstein wrote:
    >> | thh@angmar:~$ grep RCVD_IN_VALIDITY /var/lib/spamassassin/4.000001/updates_spamassassin_org/50_scores.cf
    >> | score RCVD_IN_VALIDITY_CERTIFIED 0
    >> | score RCVD_IN_VALIDITY_SAFE 0
    >> | score RCVD_IN_VALIDITY_RPBL 0
    >> | #score RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001
    >> | #score RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001
    >> | #score RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001
    >
    > I have that, but this is ignored.

    I think you will need to ask on the spamassassin users list. It does
    work for me, but there are many ways to interface with spamassassin.
    Possibly whichever way you are doing it, is not picking up this config.
    Or possibly you have overridden some of this stuff in custom config
    files that come later.

    https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=119544568#MailingLists-Users

    Thanks,
    Andy

    --
    https://bitfolk.com/ -- No-nonsense VPS hosting
