c-nocem - NoCeM for C News and INN

   This is a program for the easy and efficient application of the NoCeM
   protocol on the news spool. This means that articles for which a NoCeM
   with "action=hide" is accepted will be deleted from your news system
   as if they had been cancelled. With the installation described below,
   these will be processed as fast as possible and should work like real
   cancels.

   Unlike the standard implementation of NoCeM, this version is optimized
   for the most common case of "spam cancels". In fact, it can do nothing
   else. It cannot be run by a normal user, it does not need or
   manipulate state like .newsrc files, it processes only "hide" actions,
   and that only by actually deleting the articles.

   c-nocem is designed for easy setup and fast operation, and needs no
   maintenance.

Installation

   This describes c-nocem version 3.7.

   You need:
     * Perl version 4 or 5.
     * PGP version MIT 2.6 or 2.6i, or GnuPG version 0.9.1 or later.
     * A running news system, and knowledge of how to configure it. This
       program supports C News and INN.
     * The compiled source code for the news system. c-nocem needs the
       libraries and configuration files used for building the news
       system.
     * A customized PGP public keyring containing the keys of all people
       from whom you accept NoCeM notices. See below.

   Run the configure script. Give it the --with-cnews=dir or
   --with-inn=dir option to point to the top of the news system's source
   tree. Run make install. Copy ncmperm into the right place. Create
   ncmgroups there if needed, see below. Look at the top of c-nocem and
   correct any wrong parameters. Make sure the programs created by the
   make, as well as pgp, are in the news system's PATH (configure usually
   gets that right). Create a temp directory as indicated in c-nocem, if
   you don't have it already. Do not use /tmp or any other globally
   writable directory for this purpose - that would be a serious security
   problem.

   Note for users of previous versions: The programs are now installed in
   the main news binary directory. Make sure to correct any wrong paths.
   For INN 2.0 and newer, the configuration files like ncmperm belong in
   the etc directory.

  C News special

   Arrange for the NoCeM newsgroups to be fed to the c-nocem program.
   The means for this is the standard batching system. (The setup below
   is for the Cleanup Release of C News; older versions use a different
   batchparms file format.)
     * Set up a feed in the sys file:
         nocem-extractor:alt.nocem.misc,news.lists.filters/all:F:
       Insert the newsgroups containing relevant NoCeM notices.
     * Create a batch directory $NEWSARTS/out.going/nocem-extractor.
     * Set up a special batching method in the batchparms file:
         nocem-extractor N 1000000- - c-nocem -b -s
       (note: no "batcher" invocation here). Make sure the class letter
       "N" is unique. You can use any letter, but use the same one in the
       next step.
     * Replace the command "newsrun" in your crontab with "newsrun;
       sendbatches -c N -p".

   That's it. Now incoming news will be processed by NoCeM as soon as
   possible. You may want to watch the progress, at least at the
   beginning. For this purpose, change the batchparms line to:
         nocem-extractor N 100000 - c-nocem -b | report "NoCeM"

  INN special

   Arrange for the NoCeM newsgroups to be fed to the c-nocem program.
   The means for this is a channel feed.
     * Set up a feed in the newsfeeds file:
         nocem!:!*,alt.nocem.misc,news.lists.filters\
         :Tc,Wn:/var/lib/news/bin/c-nocem -c200 -t600 -s
     * If you want logging, replace the -s with
       >>/var/log/news/nocem.log.
     * If running under INN 2.4 (currently in beta testing), use the
       following instead:
         nocem!:!*,alt.nocem.misc,news.lists.filters\
         :Tc,Wn:/var/lib/news/bin/c-nocem -C

   That's it. Now incoming news will be processed by NoCeM as soon as
   possible.

Configuration

   Configuration consists of the permissions file and the public key
   ring. Every NoCeM notice is checked for a PGP signature with the NoCeM
   key ring (usually $NEWSLIB/ncmring.pgp). If no known and valid
   signature is found, the notice is ignored entirely. If the signature
   is good, the NCM headers are checked:
     * Version: must be 0.9 or 0.9x (for any x)
     * Action: must be "hide"
     * Type and Issuer: must be allowed by the permissions file.

  The key ring

   Every NoCeM notice carries a PGP signature. A public key ring is
   needed to check the validity and integrity. This key ring should
   contain exactly the keys of those people from whom you want to accept
   NoCeM notices. You should use a version of PGP which supports the
   "+pubring=filename" argument (MIT, 2.6i, 2.6in do; 2.6ui does not).

   The c-nocem distribution contains some keys of frequent NoCeM issuers.
   Check for yourself from whom you want to accept the NoCeM notices, and
   try to verify the keys e.g. via a public key server instead of blindly
   trusting them.

   Create the key ring or add a key to it with a command like
         pgp +pubring=ncmring.pgp -ka ncmring.asc
   Be sure to specify the right key ring file, i.e. the same as in the
   c-nocem script.

  The permissions file

   ncmperm contains a permission table, similar to
   "controlperm"/"control.ctl". Each entry in this table consists of
   three whitespace-separated fields: issuer, type, permission. "Issuer"
   is a string that is checked against the Issuer NCM header, "type" is
   checked against the Type NCM header. If both match, the permission is
   determined from the third field as "yes" or "no". First match wins. If
   no entry matches, it defaults to "no". Only a NoCeM notice with "yes"
   permission is processed.

   The issuer field of the ncmperm file may contain a substring of the
   actual Issuer header (e.g. "clewis@ferret" matches Chris Lewis' spam
   cancels). The type field may be "*" which means "everything".

   c-nocem re-reads this file immediately when it changes.
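
   The acceptance checks from the Configuration section and the ncmperm
   matching rules above, as an added Python example (not c-nocem's own
   code). The sample table, the "#" comment handling, the reading of
   "0.9x" as one extra character, and all function names are assumptions.

```python
import re

# Constructed sample table; not the ncmperm file shipped with c-nocem.
SAMPLE_NCMPERM = """\
# issuer             type  permission
clewis@ferret        spam  yes
clewis@ferret        *     no
bot@example.invalid  *     yes
"""

def parse_ncmperm(text):
    """Return (issuer, type, permission) entries in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' comment lines
            continue
        fields = line.split()
        if len(fields) != 3 or fields[2] not in ("yes", "no"):
            raise ValueError("malformed ncmperm entry: %r" % raw)
        entries.append(tuple(fields))
    return entries

def permitted(entries, issuer, ncm_type):
    """First matching entry decides; no match at all means 'no'."""
    for want_issuer, want_type, permission in entries:
        # Issuer is a substring test, type is exact or the '*' wildcard.
        if want_issuer in issuer and want_type in ("*", ncm_type):
            return permission == "yes"
    return False

def accept_notice(headers, entries, signature_ok):
    """Apply the documented checks in order: signature, headers, ncmperm."""
    if not signature_ok:               # no known, valid signature: ignore
        return False
    issuer, ncm_type = headers.get("Issuer"), headers.get("Type")
    if not issuer or not ncm_type:     # assumption: both headers required
        return False
    # Assumption: "0.9x" means 0.9 plus at most one further character.
    if not re.fullmatch(r"0\.9\S?", headers.get("Version", "")):
        return False
    if headers.get("Action") != "hide":
        return False
    return permitted(entries, issuer, ncm_type)
```

   Because the first match wins, placing the "clewis@ferret * no" line
   above the "spam yes" line would reject that issuer's spam notices too.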

  The groups file

   You can control for which groups you accept NoCeMs, i.e. articles in
   which groups are cancelled by NoCeM notices. This is useful to limit
   NoCeM processing to the groups you actually get from your feeds.
   (Example: if you have excluded alt.binaries, you don't need NoCeMs for
   alt.binaries either.) To implement this restriction, you need a file
   $NEWSLIB/ncmgroups which contains a subscription list.

   For C News
          The subscription list is a sys file pattern. Whitespace,
          newline etc. are equivalent to a comma. Example:
          all,!alt.binaries

   For INN
          The subscription list is a list of wildmat patterns, like a GUP
          subscription list. The patterns are separated with commas,
          whitespace or newlines. Example: *,!alt.binaries.*

   You can add an -a option to the c-nocem command to ignore groups which
   are not in your active file.

  Using GnuPG

   c-nocem can run with GnuPG instead of PGP. The configure script checks
   for gpg and uses it if available. Because NoCeM issuers use PGP 2.6
   keys, you have to install an RSA extension to GnuPG. It is available
   from the GnuPG Web page (under "More crypto") as a file rsa.c, which
   has to be compiled according to a comment in the file and placed in
   the extensions directory (default /usr/local/lib/gnupg). Then put the
   following line in ~/.gnupg/options:
         load-extension rsa

How it works

   c-nocem does its work in two stages. First, it reads the NoCeM notices
   and checks the permissions as described above. It collects all
   Message-IDs mentioned in the accepted notices (if the associated
   newsgroups list matches active and ncmgroups, where that check is
   requested) into a batch file (tmp/nocem). In the second stage, these
   IDs are processed: for each Message-ID, if the article is on the
   system, the article is deleted. If it is not there, a history entry is
   generated which prevents later arrival. A log file entry is emitted
   for each of these entries. The result is like that from a regular
   cancel.

   When getting end-of-input in channel mode (i.e. after a flush or
   shutdown) c-nocem writes a batch file tmp/nocem.input of all
   unprocessed input lines (NoCeM notice file names/tokens) and quits
   immediately. The next invocation of c-nocem will pick up this batch
   file, a la "innfeed".

  Invocation

   c-nocem must be run under the news UID. For C News, it takes on
   standard input either a single NoCeM notice (in unbatched mode) or a
   batch file (in batched mode). For INN, it runs in channel mode. The
   possible arguments to c-nocem are:
     -b:  run in batched mode.
     -cn: run in channel mode. Spawn delete process every (n) articles.
     -ts: timeout. Spawn delete process every (s) seconds.
     -n:  testing. Don't delete articles or manipulate the history.
     -s:  silent. Do not give any output except for fatal errors.
     -dn: delay. See below.
     -k:  kill cancels. See below.
     -l:  no logging. Don't emit logfile entries.
     -r:  remove only. Don't add history entries.
     -a:  active-file check. Don't cancel articles in groups not in the
          active file.
     -zf: Leave list of deleted articles in file (f) (relative to spool
          directory). This can be fed into expireover -z.
     -C:  Run in channel mode and use cancelfeed. See below. Do not use
          -b, -c, -t with this.

   Do not use unbatched mode except for testing. Batching saves on
   resources.
   On INN, use only channel mode - the -c or -C flag tells c-nocem that
   it runs under INN.

  Helper programs

   c-nocem comes with three little C programs that it calls to do part of
   its work. Each of them is only compiled on systems where it is needed.

   The "fastcancel" program takes a list of Message-IDs and locally
   cancels them, i.e. deletes the article files or notes the IDs in the
   history file. It must run with the news system locked/paused. On INN,
   fastcancel emits a list of articles to remove which c-nocem feeds to
   "fastrm". This keeps the actual article deletion out of the paused
   time, like with "news.daily delayrm".

   The "groupcheck" program takes a list of Message-IDs with newsgroups
   and checks them against a subscription list. This is only needed for
   INN; C News uses the "gngp" program (part of C News) instead.

   The "cancelfeed" program works with the special cancel mode NNTP
   channel found in INN 2.4 and above. It works like "groupcheck" and
   instructs the server to cancel the matching articles, eliminating the
   need for "fastcancel".

  Logging

   The "fastcancel" program emits logfile entries for every processed
   Message-ID which look just like the news system's logfile entries.
   Here the "+" mark is used for added IDs, the "-" mark for removed
   articles. This matches C News' behaviour for cancels. Note: INN's log
   analyzer counts the "-" entries as "bad articles", so the cancelled
   articles (not the NoCeM notices) show up in the daily log summary as
   "bad articles sent by '(NoCeM)'". The "fastcancel" program also logs
   statistics via syslog. c-nocem itself logs debugging messages and
   performance statistics on stdout, if called without the -s flag.

  Delay mode

   Delay mode helps spread out the load c-nocem generates over an
   extended period of time. This helps to keep system load low when news
   traffic comes in bursts, e.g. for UUCP sites. Call c-nocem with the
   -d n parameter, where n is an estimate of the number of NoCeM notices
   received per day. (You can find this number by running c-nocem for at
   least two days in undelayed mode, then running
         zgrep nocem-extractor /var/log/news/OLD/log.1.gz | wc -l
   or whatever the right feed name and file location is.) In channel
   mode, c-nocem will count the actual NoCeM notices received and adjust
   the delay dynamically.

  Kill cancel mode

   With "kill cancel" mode, for any article that is cancelled by NoCeM,
   the corresponding "canonical cancel" will be added to the history file
   so that any regular spam cancel arriving later is ignored. This can
   help to cut down on the size of the control.cancel newsgroup, but it
   can also disturb the propagation of regular cancels. (Ultimately they
   should all be replaced by NoCeM, but for now it depends on your site's
   position in the network whether this is a problem.)

  System dependencies

   c-nocem needs the flock() system call and a correctly compiled version
   of perl which supports that call. If your system does not have the
   select() system call (INN systems must have this call, but perhaps
   your perl is broken), the -t option won't work correctly.

Getting the software

   The c-nocem package is available from my Web page
   http://sites.inka.de/~bigred/sw/c-nocem-3.7.tar.gz. The software is in
   the public domain.

   Since release 3.3, c-nocem comes with the default permissions file and
   public key ring from The NoCeM Registry at
   http://www.xs4all.nl/~rosalind/nocemreg/nocemreg.html. Look there and
   in the news.admin.nocem newsgroup for updates.
     _________________________________________________________________

   2001-05-24 Olaf Titz
   http://sites.inka.de/~bigred/