From owner-mailman@chiark.greenend.org.uk Wed Oct 20 13:28:31 1999
Return-path:
Envelope-to: sauce-announce@chiark.greenend.org.uk
Received: from ian by chiark.greenend.org.uk with local (Exim 2.05 #1) id 11dur1-0007As-00 (Debian); Wed, 20 Oct 1999 13:28:31 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14349.46447.5273.223369@chiark.greenend.org.uk>
Date: Wed, 20 Oct 1999 13:28:30 +0100 (BST)
From: sauce-maint@chiark.greenend.org.uk (Ian Jackson)
To: info-gnu@gnu.org, sauce-announce@chiark.greenend.org.uk, debian-devel@lists.debian.org, spamtools@abuse.net
Subject: SAUCE (paranoid anti-spam mailserver) 0.5.0 ALPHA released
X-Mailer: VM 6.62 under Emacs 19.34.1
Sender: Ian Jackson

-----BEGIN PGP SIGNED MESSAGE-----

I am pleased to announce the first public release of GNU SAUCE, version 0.5.0 ALPHA.

SAUCE (Software Against Unsolicited Commercial Email) is an SMTP server that sits between the Internet and your actual mail software. It was originally written to help in the fight against spam, but it also helps encourage good configuration and administration in general.

It has various tactics for reducing incoming spam:

* Extremely aggressive checks on incoming email and its sources. If any problems are discovered the mail is not accepted.
* Spambait addresses: when mail is sent to a bait address its sources are blacklisted.
* Mail from previously-unknown sources is delayed to give them a chance to try a bait address or get their account cancelled.

Pros:

* SAUCE is very successful. It can cut spam by an order of magnitude.
* Administrators using SAUCE have to deal with much less bounced mail.
* SAUCE never bounces legitimate mail from correct, non-spamming sites.

Cons:

* Hardly any documentation at the moment - for mail experts only !
* Most spam sources are misconfigured, but many other sites are too, and SAUCE will bounce their mail. SAUCE is not for you if clueless strangers often send you mail that's important to you.
* SAUCE delays mail from new senders and sites (configurable, though).
* SAUCE is something of a resource hog.
* SAUCE is hard to install, especially if you're not using Debian.

SAUCE is not a mailer. You need existing SMTP software, which must have standard anti-spam features such as relay prevention, checking recipients during the SMTP conversation, etc. Currently you must be using Exim, though support for other mailers could be added.
You also need Tcl 8.1 or later.

Software which will make SAUCE easier to install or more functional:

* authbind (as from Debian GNU/Linux).
* userv (`you-serve', www.chiark.greenend.org.uk/~ian/userv/).
* Linux 2.2 ipchains firewalling.

See also:

  The Exim Internet Mailer (www.exim.org)
  The Mail Abuse Protection System (http://maps.vix.com/)
  The Coalition Against Unsolicited Commercial Email (www.cauce.org)

For more information, including details of the mailing lists, CVS repository, and distribution files, visit
  http://www.chiark.greenend.org.uk/~ian/sauce/

SAUCE is also available via the GNU FTP site and its mirrors, listed below. 0.5.0 ALPHA should soon be available at most mirrors.

If you have queries, please join the sauce-discuss mailing list in preference to mailing the author. Thank you.

MD5 checksum:
8b88d1510ed297a999603ca1bdf971de  sauce-0.5.0.tar.gz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBOA21YcMWjroj9a3bAQGOzgQAytZPHjMS9ihQvPCWFTy82yEA2mKNWH1O
yTTp5XgtWU93aNVsS1U0qmVw+4I7tp9CXMEN2Ac3/qQnVGkmWc6m3ObwRrO6AuM3
PfpLiRGX+3IJ6Z3GHOUdt+LiLSaAC1hyJJLPtoCYXxnUujZ3T8qwObTSj/mm2pxk
DAukdzxJ/w4=
=dAnI
-----END PGP SIGNATURE-----

From owner-mailman@chiark.greenend.org.uk Thu Mar 22 01:02:07 2001
Return-path:
Envelope-to: sauce-announce@chiark.greenend.org.uk
Received: from (davenant.greenend.org.uk) [172.31.80.6] by chiark.greenend.org.uk with esmtp (Exim 3.12 #2) id 14ftUN-0000eE-00 (Debian); Thu, 22 Mar 2001 01:02:07 +0000
Received: from ian by davenant.greenend.org.uk with local (Exim 3.12 #2) id 14ftUM-0000cy-00 (Debian); Thu, 22 Mar 2001 01:02:06 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15033.20238.909170.3572@davenant.relativity.greenend.org.uk>
Date: Thu, 22 Mar 2001 01:02:06 +0000 (GMT)
From: sauce-maint@chiark.greenend.org.uk (Ian Jackson)
To: sauce-announce@chiark.greenend.org.uk
Subject: SAUCE (paranoid anti-spam mailserver) 0.7.7 BETA released
X-Mailer: VM 6.75 under Emacs 19.34.1
Sender: Ian Jackson

-----BEGIN PGP SIGNED MESSAGE-----

I am pleased to announce the first public BETA release of GNU SAUCE, version 0.7.7.

This is the first version to be announced publicly for some time; 0.7.x is much improved from previous 0.5.x and 0.6.x releases. The changes from 0.6.1 to 0.7.7 are below:

Important new features and improvements:

* SAUCE now does not normally reject until it sees RCPT. This makes it possible to mix SAUCEd and effectively un-SAUCEd addresses at the same domain.
* Policy strictness, and the delay feature, are now much more configurable, and the possible recipient classes have been improved, clarified and documented. The configuration can be per recipient address, including taking into account the local-part, as well as details of the sending site or user. Policy can be configured by users using userv.
* Rejection log entries are much improved. They now nearly always include:
  - the sending site name (or address) and envelope sender;
  - the recipient(s), and the SMTP response code given to each;
  - any RBL domains hit, as a separate item;
  - all the reasons why the rejection or deferral happened.
* Now we try to be generous at `accepting' mails to bait addresses. We return 250, but throw the message away.
* For mails we'd like to reject, but policy says to accept, we add an X-SAUCE-Warning to the headers saying what was wrong.

Minor improvements and new features:

* Count avf MAIL FROM:<> => 5xx as a definite failure.
* Irritation amount strings as displayed in SMTP responses are configurable.
* When stalling due to anger (teergrube), fill up with anger_stallwith messages, not repeats. These messages are configurable.
* Transaction IDs are improved and appear in some visible outputs.
* configurable notifybl from, default sauce-bounces@canonical_hostname.
* When doing recipient verifications, we pause before accepting most of the header, rather than at final dot. This may slightly reduce message duplication under pathological conditions.
* Default blmessage.text simplified and now uses 1st person plural.
* Debug messages are now indented by procedure call level.
* Default set-firewall script included.
* Internal syntax changes and cleanups.

Many bugfixes:

* If avf fails (except for 5xx), try again on a fresh connection.
* Debian init.d stop script uses start-stop-daemon to ensure death.
* When we shut down, catch_close_cleardesc the mtachan to abort any teergrube output currently happening.
* Don't let the SMTP thread hang around after caller goes away.
* Properly kill subthreads when we finish an SMTP thread.
* Originator header syntax checking uses its own errorCode to avoid 550 due to internal errors.
* Copyright dates updated.
* Assorted other bugfixes.

Debian packaging changes:

* Now `extra' rather than `experimental'.
* Depends on libadns1-bin.
* Maintainer address corrected.

Previous 0.7.x releases have been for internal alpha testing only (though they have been available via my CVS mirror, of course.)

For more information, including details of the mailing lists, CVS repository, and distribution files, visit
  http://www.chiark.greenend.org.uk/~ian/sauce/

The source code is also available via the GNU FTP site and its mirrors. 0.7.7 BETA should soon be available at most GNU mirrors.

If you have queries, please join the sauce-discuss mailing list in preference to mailing the author. Thank you.

Debian users should be able to acquire the current version of SAUCE from the Debian unstable distribution, and can use usual Debian support channels.
MD5 checksums:
f9910122f695ed2696c593ab1765a089  sauce-0.7.7.tar.gz
5c4c7c317e5a436a2c4a493bbc6e6fea  sauce_0.7.7.dsc
f19dc954d2ce731dc9f6a3e8b7b8b132  sauce_0.7.7_all.deb
a03aa5eea3b81867fcdebd55ed118d8a  sauce_0.7.7_i386.changes

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBOrlPCcMWjroj9a3bAQG2fQQAqmD7N6V/bOCaP3XNx7mkho3Q8x3+4PFB
HhYhNE1OgTzvvVG++TnbZVy2uk2tVu4ncmeGGOl7+rr+wDon4nu3xoyiz7WFwbhP
zGkIyRTNzpc3Vy8yYhGfe/Pwfoa9zpGp4dJy2ppl/f2jmtWFpvoXKDilcDc9ey+Q
VFgCsSNkoz8=
=OliQ
-----END PGP SIGNATURE-----

From owner-mailman@chiark.greenend.org.uk Sun Jun 15 19:45:41 2003
Return-path:
Envelope-to: sauce-announce@chiark.greenend.org.uk
Received: from [172.18.45.6] (helo=davenant.greenend.org.uk ident=mail) by chiark.greenend.org.uk (Debian Exim 3.35 #1) with esmtp for sauce-announce@chiark.greenend.org.uk id 19RcVZ-0005qy-00; Sun, 15 Jun 2003 19:45:41 +0100
Received: from ian by davenant.greenend.org.uk with local (Exim 3.35 #1) id 19RcVW-00039b-00 (Debian); Sun, 15 Jun 2003 19:45:38 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <16108.48850.175293.236306@davenant.relativity.greenend.org.uk>
Date: Sun, 15 Jun 2003 19:45:38 +0100
From: Ian Jackson
To: sauce-announce@chiark.greenend.org.uk
Subject: SAUCE (paranoid anti-spam mailserver) 0.7.14 BETA released
X-Mailer: VM 7.03 under Emacs 19.34.1
Sender: sauce-announce-admin@chiark.greenend.org.uk
Errors-To: sauce-announce-admin@chiark.greenend.org.uk
X-BeenThere: sauce-announce@chiark.greenend.org.uk
X-Mailman-Version: 2.0.11
Precedence: bulk
List-Help:
List-Post:
List-Subscribe: ,
List-Id: SAUCE receiver-SMTP - announcements
List-Unsubscribe: ,
List-Archive:

-----BEGIN PGP SIGNED MESSAGE-----

I am pleased to announce a new public BETA release of GNU SAUCE, version 0.7.14.

This is the first version to be announced publicly for some time; 0.7.14 is much improved from previous releases and contains many bugfixes as well as some new features. I recommend that you upgrade as soon as practical.

0.7.14 is not currently available via ftp.gnu.org, but is available via my own server at
  http://www.chiark.greenend.org.uk/~ian/sauce/
along with more information about SAUCE, including details of the mailing lists, CVS repository, and of course the distribution files. When 0.7.14 is available via ftp.gnu.org there will be an announcement on info-gnu.

Debian users should be able to acquire the current version of SAUCE from the Debian unstable distribution shortly, and can use usual Debian support channels.
MD5 checksums:
d88be80aaa96a96c145e7a2717cd7cd0  sauce_0.7.14.dsc
5fb418bd39fe4fdf3028159844c45a97  sauce_0.7.14.tar.gz
e9a4e9b2c60fdf77ebed04c8274afa99  sauce_0.7.14_all.deb
7db3546a9ad783715393f1cb127a6f98  sauce_0.7.14_i386.changes

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPuy+zsMWjroj9a3bAQHj/wQAsroFdqtqrCzEOasjg6EsWGiCgz3oi7NA
atc0+SUnF4KMICjrMJNqP8j4stfGOTUZ1IRoa3NlgUyr2DtirUwbipLoW4G0wDBF
IvzZ/zgPdd8SVd20dAZm/ml+hqZLPVYdgQjsSKApGVdwMUbkJVvxaZXaTsZcHtYB
8MA3dKtKOm8=
=W9KQ
-----END PGP SIGNATURE-----

From owner-mailman@chiark.greenend.org.uk Thu Jan 15 03:08:08 2004
Return-path:
Envelope-to: sauce-announce@chiark.greenend.org.uk
Received: from [172.18.45.6] (helo=davenant.greenend.org.uk ident=mail) by chiark.greenend.org.uk (Debian Exim 3.35 #1) with esmtp id 1Agxrb-0002Ke-00; Thu, 15 Jan 2004 03:08:07 +0000
Received: from ian by davenant.greenend.org.uk with local (Exim 3.35 #1) id 1AgvpD-0008Iy-00 (Debian); Thu, 15 Jan 2004 00:57:31 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <16389.58747.227987.364714@davenant.relativity.greenend.org.uk>
Date: Thu, 15 Jan 2004 00:57:31 +0000
From: Ian Jackson
To: sauce-announce@chiark.greenend.org.uk, info-gnu@gnu.org,
Subject: SAUCE (paranoid anti-spam mailserver) 0.7.15, 0.8.1 BETA released
X-Mailer: VM 7.03 under Emacs 19.34.1
Sender: sauce-announce-admin@chiark.greenend.org.uk
Errors-To: sauce-announce-admin@chiark.greenend.org.uk
X-BeenThere: sauce-announce@chiark.greenend.org.uk
X-Mailman-Version: 2.0.11
Precedence: bulk
List-Help:
List-Post:
List-Subscribe: ,
List-Id: SAUCE receiver-SMTP - announcements
List-Unsubscribe: ,
List-Archive:

-----BEGIN PGP SIGNED MESSAGE-----

Introduction
============

I am pleased to announce a new public BETA release of GNU SAUCE, version 0.8.1. This contains new features, bugfixes, and some changes to the default settings and policies (to cope with new spam patterns).

However, I also regret to inform you that there is a moderately serious time-dependent bug in GNU SAUCE before 0.7.16. All users are encouraged to upgrade, either to the bugfix release 0.7.16, or to the newer version 0.8.1, or to apply the immediate remedy below. Please read the information below about the time-dependent bug.

0.7.16 and 0.8.1 are not currently available via ftp.gnu.org, but they are available via my own server at
  http://www.chiark.greenend.org.uk/~ian/sauce/
  http://www.chiark.greenend.org.uk/~ian/sauce/ftp/
along with more information about SAUCE, including details of the mailing lists, CVS repository, and of course the distribution files.

Debian users should be able to acquire the current version of SAUCE (0.8.1) from the Debian unstable distribution shortly, and can use usual Debian support channels.

Changes in 0.8.1
================

Bugfixes:

* site-annoy database expires properly (NB you must clean it when you upgrade!)
* Fix descriptor leak in ic msg_checkeof.
* More sensible debug.log entries for firewall commands.
* Display ipchains/iptables commands in debug.log.

New features:

* Support Linux 2.4 iptables.
* Sobig.F shibboleth implemented (taboo_virus_hack, default=off).
* New X-SAUCE-Notice header informs receiving user of anger towards sending site.
* busyfury_firewall has new value `immed' meaning firewall for every `421 too busy' or `421 excessive concurrency', not just when maximally furious.
* New `errok-' policy option for stopping SAUCE from getting too upset with .forward-upstreams and mailing list hosts. Untested yet.
* Stalling pure-teergrube server for over-aggressive callers.
* Reinvoking thread_typedefine made safe: doesn't reset id counter. (Means you can patch the running SAUCE more easily.)

Changes to autoblacklisting:

* blmessage.text split into blmessage-site.text and -addr.text.
* blmessage.text updated from chiark (no unblacklist policy).
* Update blacklist timeouts. (2mth/2mth -> 7d/12mth)

MD5 checksums
=============

53de5879aa4162f1b111c76da471a29d  sauce-0.7.14-0.7.16.diff.gz
daab7a3e61a33a2e596227e3683008f5  sauce_0.7.16.dsc
445366bf12284f33533ce4a0c91a454a  sauce_0.7.16.tar.gz
0a1167bff75c368946815538070ed77c  sauce_0.7.16_all.deb
235fe0eb1d594d367ecd6d383ba1660a  sauce_0.7.16_i386.changes
64c5651645461cfb626eaaf4f838ad0b  sauce_0.8.1.dsc
52f473d24eb80acdd0503b21ca3dc893  sauce_0.8.1.tar.gz
a5f68900c6ba1384ea56e3131fde083e  sauce_0.8.1_all.deb
3b14d09e3780573112075283bc642537  sauce_0.8.1_i386.changes

Time-dependent bug
==================

SAUCE maintains a database known as `site-annoy', in which it records its current `opinion' about calling IP addresses. This information is used for various purposes, including capacity reservation and teergrube. Each site's entry is supposed to be kept for a certain length of time and then to expire.

All previous versions of SAUCE have had a bug which means that the expiry time was calculated incorrectly. The expiry time is converted from an elapsed interval in seconds to an absolute time as a time_t, by adding the current time - however, buggy versions of SAUCE perform this calculation twice.
This has two effects:

Firstly, entries created before some time around the 10th of January 2004 (or all entries on 64-bit machines) have a ridiculously large expiry time. This is a performance and disk space problem (the site-annoy decay algorithm means that the very old data is not acted on erroneously).

Secondly, entries created (on 32-bit machines) after approximately the 10th of January 2004 expire immediately (since on the 10th of January time_t reached 0x40000000, so that 2*time_t overflows a signed integer). This effectively lobotomises SAUCE, so that it forgets which sites are `friendly' and which `hostile'.

I recommend correcting the bug, and I also recommend cleaning the site-annoy database to remove the overly-persistent entries.

Depending on your circumstances, the following routes may be followed for a fix:

A. Debian users:
   Download the replacement 0.7.16 .deb package (or 0.8.1) and install it with dpkg -i. (Alternatively, Debian users can take one of the approaches below.) The package (or a derivative) may go into the next update of Debian stable, but this is not certain.

B. Install new version:
   1. Download the 0.7.16 or 0.8.1 source, or fetch and apply the 0.7.14-0.7.16 patch.
   2. Build the new version (`make').
   3. Stop SAUCE.
   4. make install
   5. Either run /usr/local/share/sauce/clean-site-annoy, or delete /var/lib/sauce/db-site.annoy.* [1]
   6. Restart SAUCE.

C. Minimal fix by hand:
   1. Stop SAUCE.
   2. Apply the patch below to the installed /usr/local/share/sauce/smtp.
   3. Delete /var/lib/sauce/db-site.annoy.* [1]
   4. Restart SAUCE.

[1] Cleaning the site-annoy database can be postponed. You can either run the supplied cleaning script, which deletes only entries with implausible expiry times, or you can delete the whole database (which is fairly harmless, and in any case no worse than the effects of the bug). But, you must not mess with the site-annoy database while SAUCE is running, or it will probably undo your changes.
Patch ===== The following patch fixes the actual problem, and can be applied to the source code smtp.tcl, or to the installed file (usually /usr/local/share/sauce/smtp). diff -u -u -r1.14 -r1.14.2.1 --- smtp.tcl 15 Jun 2003 15:46:40 -0000 1.14 +++ smtp.tcl 14 Jan 2004 22:56:33 -0000 1.14.2.1 @@ -274,7 +274,7 @@ if {$cv < -$annoy_love_max} { set cv -$annoy_love_max } ds_set site-annoy $ra \ [string map {{ } a - m} [list $now $cv]] \ - [expr {$now + 3*$annoy_halflife}] + [expr {3*$annoy_halflife}] if {$cv <= -$annoy_love_max/2 && $cv <= -($annoy_grumpy+$annoy_actout_max)} { set irritamt Ecstatic } elseif {$cv <= 0} { This is not the complete diff between 0.7.14 and 0.7.16. 0.7.16 also contains the clean-site-annoy script, Debian packaging to invoke it, plus of course new-release administrivia. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iQCVAwUBQAXlScMWjroj9a3bAQHX5QQAhs22Y+gNm/vMHLUZ/YjmCZd0h+Z4vHbH myLrc0hz2tRC2jtW6+KbLtbSgu52iKthz4YgSEB1Fw/ua2EqeO7+uRyiRK04Kc3U ZRX6PLuBSx6cbMj1YXXn61wPW7uZGbtJ+Yk9bfQ1B/ULQjAXldwSec/NuAQd++Te gPy1xBTipPA= =CZb9 -----END PGP SIGNATURE-----
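Review bot: The replacement line `[expr {3*$annoy_halflife}]` passes a bare interval where the old line passed `$now + 3*$annoy_halflife`, and nothing at this ds_set call says which of the two the third argument is meant to be. Add a comment on the call stating that the argument is a lifetime in seconds and that the current time is added once elsewhere, as the announcement describes, so that the `$now +` is not reintroduced later. Only this one ds_set call is visible in the hunk, so any other callers should be checked for the same double addition. The change also leaves entries already stored with a wrong expiry untouched; the announcement handles those separately through clean-site-annoy or deleting the database.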
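The double addition described under "Time-dependent bug" in the 0.7.16/0.8.1 announcement, modelled as an added Python example (not SAUCE code and not written by the author). `ANNOY_HALFLIFE`, all function names and the plausibility rule in `clean` are assumptions made for illustration; the announcement does not give the real halflife or the criteria used by clean-site-annoy.

```python
# Added illustration, not SAUCE code. ANNOY_HALFLIFE and the rule in clean()
# are assumptions; the announcement gives neither.
from datetime import datetime, timezone

ANNOY_HALFLIFE = 86400           # assumed: one day, in seconds
LIFETIME = 3 * ANNOY_HALFLIFE    # interval the patched caller passes


def wrap_int32(value):
    """Reduce an integer the way signed 32-bit arithmetic would."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def stored_expiry(caller_arg, now, bits=32):
    """Store layer: adds the current time to whatever the caller passed."""
    total = caller_arg + now
    return wrap_int32(total) if bits == 32 else total


def buggy_expiry(now, bits=32):
    # Pre-0.7.16 caller passes now + interval, so now is counted twice.
    return stored_expiry(now + LIFETIME, now, bits)


def fixed_expiry(now, bits=32):
    # Patched caller passes the interval only.
    return stored_expiry(LIFETIME, now, bits)


def classify(expiry, now):
    """Label an expiry relative to now: expired, too far out, or sane."""
    if expiry <= now:
        return "expired-immediately"
    if expiry - now > LIFETIME:
        return "implausibly-long"
    return "ok"


def first_failing_time():
    """Smallest now for which 2*now + LIFETIME reaches 2**31 and wraps."""
    return -((LIFETIME - 2**31) // 2)    # ceiling of (2**31 - LIFETIME) / 2


def utc_date(timestamp):
    """UTC calendar date of a Unix timestamp, as YYYY-MM-DD."""
    return datetime.fromtimestamp(timestamp, timezone.utc).date().isoformat()


def clean(entries, now):
    """Keep only entries whose expiry is plausible (assumed rule)."""
    return {site: exp for site, exp in entries.items()
            if classify(exp, now) == "ok"}
```

With the assumed one-day halflife the 32-bit wrap starts a day and a half before time_t reaches 0x40000000, which matches the announcement's "approximately the 10th of January 2004".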