File: README

c-nocem 3.5-1

                      c-nocem - NoCeM for C News and INN

   This is a program for the easy and efficient application of the NoCeM
   protocol on the news spool. That is, articles for which a NoCeM with
   "action=hide" is accepted are deleted from your news system as if they
   had been cancelled. With the installation described below, these will
   be processed as fast as possible and should work like real cancels.

   Unlike the standard implementation of NoCeM, this version is optimized
   for the most common case of "spam cancels". In fact, it can do nothing
   else. It cannot be run by a normal user, it does not need or
   manipulate state like .newsrc files, it processes only "hide" actions,
   and that only by actually deleting the articles.

   c-nocem is designed for easy setup and fast run and needs no
   maintenance.

Installation

   This describes c-nocem version 3.4.

   You need:
     * Perl version 4 or 5.
     * PGP version MIT 2.6 or 2.6i, or GnuPG version 0.9.1 or later.
     * A running news system, and knowledge of how to configure it. This
       program supports C News and INN.
     * The compiled source code for the news system. c-nocem needs the
       libraries and configuration files used for building the news
       system.
     * A customized PGP public keyring containing the keys of all people
       from whom you accept NoCeM notices. See below.

   Run the configure script. Give it the --with-cnews=dir or
   --with-inn=dir option to point to the top of the news system's source
   tree. Then:
     * Run make install.
     * Copy ncmperm into the right place. Create ncmgroups there if
       needed, see below.
     * Look at the top of c-nocem and correct any wrong parameters.
     * Make sure the programs created by the make, as well as pgp, are in
       the news system's PATH (configure usually gets that right).
     * Create a temp directory as indicated in c-nocem, if you don't have
       it already. Do not use /tmp or any other globally writable
       directory for this purpose - that would be a serious security
       problem.

   Note for users of previous versions: The programs are now installed in
   the main news binary directory. Make sure to correct any wrong paths.
   For INN 2.0 and newer, the configuration files like ncmperm belong in
   the etc directory.
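
   A check for the temp directory warning above, as an added example (not
   part of c-nocem). It reports why a directory would be unsuitable; the
   directory name "nocem-tmp" and both function names are hypothetical.

```python
import os
import stat
import tempfile

def tempdir_problems(path, news_uid):
    """Return the reasons `path` is unsafe as c-nocem's temp directory."""
    st = os.lstat(path)            # lstat: never follow a symlink at `path`
    if stat.S_ISLNK(st.st_mode):
        return ["is a symbolic link"]
    if not stat.S_ISDIR(st.st_mode):
        return ["is not a directory"]
    problems = []
    if st.st_uid != news_uid:
        problems.append("not owned by the news UID")
    if st.st_mode & stat.S_IWOTH:  # true for /tmp-style mode 1777 as well
        problems.append("writable by everyone")
    return problems

def make_private_tempdir(parent, name="nocem-tmp"):
    """Create a directory only its owner can enter or write (mode 0700)."""
    path = os.path.join(parent, name)   # "nocem-tmp" is a hypothetical name
    os.mkdir(path, 0o700)
    os.chmod(path, 0o700)          # mkdir's mode is filtered by the umask
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as scratch:   # constructed sandbox
        good = make_private_tempdir(scratch)
        print(good, tempdir_problems(good, os.getuid()))
        os.chmod(good, 0o1777)                        # imitate /tmp
        print(good, tempdir_problems(good, os.getuid()))
```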

  C News special

   Arrange for the NoCeM newsgroups to be fed to the c-nocem program.
   The means for this is the standard batching system. (The setup below
   is for the Cleanup Release of C News, older versions use a different
   batchparms file format.)
     * Set up a feed in the sys file:
       nocem-extractor:alt.nocem.misc,news.lists.filters/all:F:
       Insert the newsgroups containing relevant NoCeM notices.
     * Create a batch directory $NEWSARTS/out.going/nocem-extractor.
     * Set up a special batching method in the batchparms file:
       nocem-extractor N 1000000- - c-nocem -b -s
       (note: no "batcher" invocation here). Make sure the class letter
       "N" is unique. You can use any letter, but use the same one in the
       next step.
     * Replace the command "newsrun" in your crontab with "newsrun;
       sendbatches -c N -p".

   That's it. Now incoming news will be processed by NoCeM as soon as
   possible. You may want to watch the progress, at least at the
   beginning. For this purpose, change the batchparms line to:
   nocem-extractor N 100000 - c-nocem -b | report "NoCeM"

  INN special

   Arrange for the NoCeM newsgroups to be fed to the c-nocem program.
   The means for this is a channel feed.
     * Set up a feed in the newsfeeds file:
       nocem!:!*,alt.nocem.misc,news.lists.filters\
         :Tc,Wn:/var/lib/news/bin/c-nocem -c200 -t600 -s
     * If you want logging, replace the -s with
       >>/var/log/news/nocem.log.

   That's it. Now incoming news will be processed by NoCeM as soon as
   possible.

Configuration

   Configuration consists of the permissions file and the public key
   ring. Every NoCeM notice is checked for a PGP signature with the NoCeM
   key ring (usually $NEWSLIB/ncmring.pgp). If no known and valid
   signature is found, the notice is ignored entirely. If the signature
   is good, the NCM headers are checked:
     * Version: must be 0.9 or 0.9x (for any x)
     * Action: must be "hide"
     * Type and Issuer: must be allowed by the permissions file.

  The key ring

   Every NoCeM notice carries a PGP signature. A public key ring is
   needed to check the validity and integrity. This key ring should
   contain exactly the keys of those people from whom you want to accept
   NoCeM notices. You should use a version of PGP which supports the
   "+pubring=filename" argument (MIT, 2.6i, 2.6in do; 2.6ui does not).

   The c-nocem distribution contains some keys of frequent NoCeM issuers.
   Check for yourself from whom you want to accept the NoCeM notices, and
   try to verify the keys e.g. via a public key server instead of blindly
   trusting them.

   Create the key ring or add a key to it with a command like
   pgp +pubring=ncmring.pgp -ka ncmring.asc
   Be sure to specify the right key ring file, i.e. the same as in the
   c-nocem script.

  The permissions file

   ncmperm contains a permission table, similar to
   "controlperm"/"control.ctl". Each entry in this table consists of
   three whitespace-separated fields: issuer, type, permission. "Issuer"
   is a string that is checked against the Issuer NCM header, "type" is
   checked against the Type NCM header. If both match, the permission is
   determined from the third field as "yes" or "no". First match wins. If
   no entry matches, it defaults to "no". Only a NoCeM notice with "yes"
   permission is processed.

   The issuer field of the ncmperm file may contain a substring of the
   actual Issuer header (e.g. "clewis@ferret" matches Chris Lewis' spam
   cancels). The type field may be "*" which means "everything".

   c-nocem re-reads this file immediately when it changes.
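
   The acceptance rules from the Configuration and permissions file
   sections, as an added Python example (not c-nocem's own Perl code).
   The sample table, the types in it and all function names are
   constructed, and signature verification is represented by a boolean.

```python
import re

# Constructed sample table (issuer, type, permission). Not the ncmperm
# shipped with c-nocem; the types and the example.org entry are made up.
SAMPLE_NCMPERM = """\
clewis@ferret     spam   yes
clewis@ferret     *      no
@example.org      *      yes
"""

def parse_ncmperm(text):
    """Return the entries in file order; order matters (first match wins)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 3 or fields[2] not in ("yes", "no"):
            raise ValueError("bad ncmperm entry: %r" % line)
        entries.append(tuple(fields))
    return entries

def permitted(entries, issuer, ncm_type):
    """Issuer is a substring match, type is exact or '*'; default is no."""
    for want_issuer, want_type, perm in entries:
        if want_issuer in issuer and want_type in ("*", ncm_type):
            return perm == "yes"
    return False

def accept_notice(headers, signature_ok, entries):
    """Apply the README's checks in order: signature, Version, Action, perms."""
    if not signature_ok:            # no known, valid signature: ignore notice
        return False
    # Assumption: "0.9x (for any x)" means 0.9 plus one further character.
    if not re.fullmatch(r"0\.9.?", headers.get("Version", "")):
        return False
    if headers.get("Action") != "hide":
        return False
    return permitted(entries, headers.get("Issuer", ""), headers.get("Type", ""))

if __name__ == "__main__":
    table = parse_ncmperm(SAMPLE_NCMPERM)
    notice = {"Version": "0.9", "Action": "hide",
              "Issuer": "clewis@ferret.example", "Type": "spam"}
    print(accept_notice(notice, True, table))
```

   Because the issuer field is a substring match and the first match
   wins, a short issuer string near the top of the table decides the
   outcome for every Issuer header that contains it.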

  The groups file

   You can control for which groups you accept NoCeMs, i.e. articles in
   which groups are cancelled by NoCeM notices. This is useful to limit
   NoCeM processing to the groups you actually get from your feeds.
   (Example: if you have excluded alt.binaries, you don't need NoCeMs for
   alt.binaries either.) To implement this restriction, you need a file
   $NEWSLIB/ncmgroups which contains a subscription list.

   For C News
          The subscription list is a sys file pattern. Whitespace,
          newline etc. are equivalent to a comma. Example:
          all,!alt.binaries

   For INN
          The subscription list is a list of wildmat patterns, like a GUP
          subscription list. The patterns are separated with commas,
          whitespace or newlines. Example: *,!alt.binaries.*

   You can add an -a option to the c-nocem command to ignore groups which
   are not in your active file.

  Using GnuPG

   c-nocem can run with GnuPG instead of PGP. The configure script checks
   for gpg and uses it if available. Because NoCeM issuers use PGP 2.6
   keys, you have to install an RSA extension to GnuPG. It is available
   from the GnuPG Web page (under "More crypto") as a file rsa.c, which
   has to be compiled according to a comment in the file and placed in
   the extensions directory (default /usr/local/lib/gnupg). Then put the
   following line in ~/.gnupg/options:
   load-extension rsa

How it works

   c-nocem does its work in two stages: first, it reads the NoCeM notices
   and checks the permissions as described above. It collects all
   Message-IDs mentioned in the accepted notices into a batch file
   (tmp/nocem); where those checks are requested, only the IDs whose
   associated newsgroups list matches active and ncmgroups are collected.
   In the second stage, these IDs are processed: for each Message-ID, if
   the article is on the system, the article is deleted. If it is not
   there, a history entry is generated which prevents later arrival. A
   log file entry is emitted for each of these entries. The result is
   like that from a regular cancel.

   When getting end-of-input in channel mode (i.e. after a flush or
   shutdown) c-nocem writes a batch file tmp/nocem.input of all
   unprocessed input lines (NoCeM notice file names/tokens) and quits
   immediately. The next invocation of c-nocem will pick up this batch
   file, a la "innfeed".

  Invocation

   c-nocem must be run under the news UID. For C News, it takes on
   standard input either a single NoCeM notice (in unbatched mode) or a
   batch file (in batched mode). For INN, it runs in channel mode. The
   possible arguments to c-nocem are:
     -b: run in batched mode.
     -cn: run in channel mode. Spawn delete process every (n) articles.
     -ts: timeout. Spawn delete process every (s) seconds.
     -n: testing. Don't delete articles or manipulate the history.
     -s: silent. Do not give any output except for fatal errors.
     -dn: delay. See below.
     -k: kill cancels. See below.
     -l: no logging. Don't emit logfile entries.
     -r: remove only. Don't add history entries.
     -a: active-file check. Don't cancel articles in groups not in the
       active file.
     -zf: Leave list of deleted articles in file (f) (relative to spool
       directory). This can be fed into expireover -z.

   Do not use unbatched mode except for testing. Batching saves on
   resources.
   On INN, use only channel mode - the -c flag tells c-nocem that it runs
   under INN.

  Helper programs

   c-nocem comes with two little C programs that it calls to do part of
   its work. The "fastcancel" program takes a list of Message-IDs and
   locally cancels them, i.e. deletes the article files or notes the IDs
   in the history file. It must run with the news system locked/paused.
   On INN, fastcancel emits a list of articles to remove which c-nocem
   feeds to "fastrm". This keeps the actual article deletion out of the
   paused time, like with "news.daily delayrm".

   The "groupcheck" program takes a list of Message-IDs with newsgroups
   and checks them against a subscription list. This is only needed for
   INN; C News uses the "gngp" program (part of C News) instead.

  Logging

   The "fastcancel" program emits logfile entries for every processed
   Message-ID which look just like the news system's logfile entries.
   Here the "+" mark is used for added IDs, the "-" mark for removed
   articles. This matches C News' behaviour for cancels. Note: INN's log
   analyzer counts the "-" entries as "bad articles", so the cancelled
   articles (not the NoCeM notices) show up in the daily log summary as
   "bad articles sent by '(NoCeM)'". The "fastcancel" program also logs
   statistics via syslog. c-nocem itself logs debugging messages and
   performance statistics on stdout, if called without the -s flag.

  Delay mode

   Delay mode helps spread out the load c-nocem generates over an
   extended period of time. This helps to keep system load low when news
   traffic comes in bursts, e.g. for UUCP sites. Call c-nocem with the -d
   n parameter, where n is an estimate of the number of NoCeM notices
   received per day. (You can find this number by running c-nocem for at
   least two days in undelayed mode, then do a gzip -dc
   /var/log/news/OLD/log.1.gz | grep nocem-extractor | wc -l, or whatever
   the right feed name and file location is.) In channel mode, c-nocem
   will count the actual NoCeM notices received and adjust the delay
   dynamically.

  Kill cancel mode

   With "kill cancel" mode, for any article that is cancelled by NoCeM,
   the corresponding "canonical cancel" will be added to the history file
   so that any regular spam cancel arriving later is ignored. This can
   help to cut down on the size of the control.cancel newsgroup, but it
   can also disturb the propagation of regular cancels. (Ultimately they
   should all be replaced by NoCeM, but for now it depends on your site's
   position in the network whether this is a problem.)

  System dependencies

   c-nocem needs the flock() system call and a correctly compiled version
   of perl which supports that call. If your system does not have the
   select() system call (INN systems must have this call, but perhaps
   your perl is broken), the -t option won't work correctly.

Getting the software

   The c-nocem package is posted in alt.sources and archived on my Web
   page ready for download. The software is in the public domain.

   Since release 3.3, c-nocem comes with the default permissions file and
   public key ring from The NoCeM Registry at
   http://www.xs4all.nl/~rosalind/nocemreg/nocemreg.html. Look there and
   in the news.admin.nocem newsgroup for updates.
     _________________________________________________________________


    1999-06-13 Olaf Titz
    http://sites.inka.de/~bigred/