Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2015/06/14 04:49:46 UTC
[Bug 7210] New: URI_WP_HACKED_2 / __PS_TEST_LOC_WP matches
legitimate CiviCRM emails
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7210
Bug ID: 7210
Summary: URI_WP_HACKED_2 / __PS_TEST_LOC_WP matches legitimate
CiviCRM emails
Product: Spamassassin
Version: 3.4.1
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Rules
Assignee: dev@spamassassin.apache.org
Reporter: chris@csamuel.org
Hi there,
A recent email from the OpenAustralia Foundation had a link that was to their
CiviCRM enabled Wordpress site and that was matched by the __PS_TEST_LOC_WP
test used by the URI_WP_HACKED_2 rule. The URL in question is (tokens
anonymised):
https://www.openaustraliafoundation.org.au/wp-content/plugins/civicrm/civicrm/extern/url.php?u=000&qid=00000
Talking to Henare Degan from OpenAustralia about it on Twitter, he pointed out
that this URL is inserted by the CiviCRM Wordpress plugin and so this will be a
pretty widespread false-positive match.
I would suggest that as CiviCRM is used by a lot of non-profits it might be
useful to exclude /wp-content/plugins/civicrm/ from the __PS_TEST_LOC_WP rule.
All the best and thanks for SpamAssassin!
Chris
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7210] URI_WP_HACKED_2 / __PS_TEST_LOC_WP matches legitimate
CiviCRM emails
Posted by bu...@bugzilla.spamassassin.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7210
Kevin A. McGrail <km...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |WONTFIX
--- Comment #5 from Kevin A. McGrail <km...@apache.org> ---
closing
[Bug 7210] URI_WP_HACKED_2 / __PS_TEST_LOC_WP matches legitimate
CiviCRM emails
Posted by bu...@bugzilla.spamassassin.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7210
Giovanni Bechis <gi...@paclan.it> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |giovanni@paclan.it
--- Comment #4 from Giovanni Bechis <gi...@paclan.it> ---
I agree, it is not sane to whitelist a Wordpress plugin, I think this bz can be
closed.
[Bug 7210] URI_WP_HACKED_2 / __PS_TEST_LOC_WP matches legitimate
CiviCRM emails
Posted by bu...@bugzilla.spamassassin.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7210
--- Comment #2 from John Hardin <jh...@impsec.org> ---
(In reply to Kevin A. McGrail from comment #1)
> I also know that I see a lot of compromised wp installs in spam so I have a
> number of rules that hit on wp-xyz. Changing to exclude one plugin is
> likely to do just as much bad as good.
I have the same concern. If we whitelist a specific plugin then that plugin
becomes a more-attractive target for spammers.
> Additionally, based on the meta (__PS_TEST_LOC_WP && !URI_WP_HACKED) &&
> !__TO_EQ_FROM && !__THREADED, there are potentially better fixes.
Agreed.
Chris, would you be willing to zip up and email me a sample FP message
(unmodified if possible) so that I can see if there are any other
non-plugin-path signs that could be used to avoid this FP?
[Bug 7210] URI_WP_HACKED_2 / __PS_TEST_LOC_WP matches legitimate
CiviCRM emails
Posted by bu...@bugzilla.spamassassin.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7210
Chris Samuel <ch...@csamuel.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |chris@csamuel.org
--- Comment #3 from Chris Samuel <ch...@csamuel.org> ---
Hi Kevin, John,
I understand your concerns, I've emailed John the unmodified email as received
here as requested.
Thanks for looking into this.
All the best,
Chris
[Bug 7210] URI_WP_HACKED_2 / __PS_TEST_LOC_WP matches legitimate
CiviCRM emails
Posted by bu...@bugzilla.spamassassin.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7210
Kevin A. McGrail <km...@pccc.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jhardin@impsec.org,
| |kmcgrail@pccc.com
--- Comment #1 from Kevin A. McGrail <km...@pccc.com> ---
As a general rule, it's almost impossible to make a rule without false
positives which is why most rules are scored well below the 5.0 threshold.
What matters most is the ratio of spam to ham (we call it the S/O). The S/O is
the 4th column, to which I've added the asterisks:
0 0.0048 0.0011 *0.820* 0.51 2.00 URI_WP_HACKED_2
and
0 0.0112 0.0095 *0.540* 0.52 (n/a) __PS_TEST_LOC_WP
I also know that I see a lot of compromised wp installs in spam so I have a
number of rules that hit on wp-xyz. Changing to exclude one plugin is likely
to do just as much bad as good.
And, this is a test rule and a meta rule that only scores 2.0.
Anyway, need to see the email sample to see if this merits work anyway because
if it isn't being marked over 5.0, it's general "normal" operations.
Additionally, based on the meta (__PS_TEST_LOC_WP && !URI_WP_HACKED) &&
!__TO_EQ_FROM && !__THREADED, there are potentially better fixes.
John, your thoughts?
Regards,
KAM
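
Added example, not part of the original thread or of SpamAssassin's code: a parser for the two rule-QA lines quoted in comment #1 that checks each starred S/O against spam%/(spam%+ham%), allowing for the rounding of the printed percentages. It assumes columns 2 and 3 are the spam and ham hit percentages and that S/O is computed this way; the thread itself only identifies column 4 as the S/O.

```python
# Lines quoted in comment #1 (the asterisks are the commenter's emphasis).
FREQS = """\
0 0.0048 0.0011 *0.820* 0.51 2.00 URI_WP_HACKED_2
0 0.0112 0.0095 *0.540* 0.52 (n/a) __PS_TEST_LOC_WP
"""


def parse_freqs(text):
    """Parse rule-QA lines into {rule: fields}. Column meanings other than
    S/O (4th column, per the thread) are an assumption of this example."""
    rows = {}
    for line in text.splitlines():
        f = line.replace("*", "").split()
        if len(f) != 7:
            continue  # not a frequency line
        rows[f[6]] = {
            "spam_pct": float(f[1]),
            "ham_pct": float(f[2]),
            "so": float(f[3]),
            # Sub-rules (leading "__") carry no score of their own.
            "score": None if f[5] == "(n/a)" else float(f[5]),
        }
    return rows


def so_bounds(spam_pct, ham_pct, half_step=0.00005):
    """Range of spam/(spam+ham) consistent with both percentages having
    been rounded to four decimals before printing."""
    lo_s, hi_s = spam_pct - half_step, spam_pct + half_step
    lo_h, hi_h = ham_pct - half_step, ham_pct + half_step
    return lo_s / (lo_s + hi_h), hi_s / (hi_s + lo_h)


def check(text):
    """For each rule: (low bound, high bound, reported S/O inside bounds?)."""
    out = {}
    for name, r in parse_freqs(text).items():
        lo, hi = so_bounds(r["spam_pct"], r["ham_pct"])
        # The reported S/O is itself rounded to three decimals.
        ok = lo - 0.0005 <= r["so"] <= hi + 0.0005
        out[name] = (round(lo, 3), round(hi, 3), ok)
    return out


if __name__ == "__main__":
    for rule, (lo, hi, ok) in check(FREQS).items():
        print(f"{rule:20s} S/O in [{lo}, {hi}]  consistent={ok}")
```

Under that assumption, the sub-rule alone sits near 0.54 (hits ham almost as often as spam), while the meta conditions raise the scored rule to about 0.82.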