Posted to dev@spamassassin.apache.org by bu...@spamassassin.apache.org on 2021/11/02 19:21:25 UTC
[Bug 7940] New: URI_PHISH false positive
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7940
Bug ID: 7940
Summary: URI_PHISH false positive
Product: Spamassassin
Version: unspecified
Hardware: PC
OS: Mac OS X
Status: NEW
Severity: normal
Priority: P2
Component: spamassassin
Assignee: dev@spamassassin.apache.org
Reporter: nextgenappsllc@gmail.com
Target Milestone: Undefined
I am getting the following result in confirmation emails: URI_PHISH=3.717 when I
include both text and HTML. When I just do HTML I do not get the URI_PHISH
positive. From my understanding this is to prevent links with text that tries
to trick the user like:
<a href="http://evil-website.com/some_phishing_form">https://paypal.com</a>
Mine does not do that. The same exact link does not get marked as URI_PHISH if
I exclude the text template. See below example email:
------------------------------------------------------------------------
Return-Path: <no...@venue2you.com>
Delivered-To: admin@nextgenappsllc.com
Received: from nextgenappsllc.com
by grootchema.nextgenappsllc.com (Dovecot) with LMTP id
6OSXMsWLgWGuEgAAQQk82Q
for <ad...@nextgenappsllc.com>; Tue, 02 Nov 2021 15:04:37 -0400
Received: by nextgenappsllc.com (Postfix, from userid 115)
id C8D8C3EAB6; Tue, 2 Nov 2021 15:04:37 -0400 (EDT)
Authentication-Results: nextgenappsllc.com;
dkim=pass (2048-bit key; unprotected) header.d=venue2you.com
header.i=@venue2you.com header.b="h0fAIUmz";
dkim-atps=neutral
Received: from mail.venue2you.com (mail.venue2you.com [170.187.146.47])
by nextgenappsllc.com (Postfix) with ESMTPS id C2AD93EA16
for <ad...@nextgenappsllc.com>; Tue, 2 Nov 2021 15:04:35 -0400 (EDT)
Authentication-Results: mail.venue2you.com (amavisd-new);
dkim=pass (2048-bit key) reason="pass (just generated, assumed good)"
header.d=venue2you.com
X-Virus-Scanned: Debian amavisd-new at mail.venue2you.com
X-Spam-Flag: NO
X-Spam-Score: 3.717
X-Spam-Level: ***
X-Spam-Status: No, score=3.717 tagged_above=2 required=6.2
tests=[HTML_MESSAGE=0.001, NO_RECEIVED=-0.001, NO_RELAYS=-0.001,
URIBL_BLOCKED=0.001, URI_PHISH=3.717] autolearn=no autolearn_force=no
Date: Tue, 02 Nov 2021 15:04:34 -0400
From: no-reply@venue2you.com
Reply-To: no-reply@venue2you.com
To: admin@nextgenappsllc.com
Message-ID: <61...@Joses-MacBook-Pro.local.mail>
Subject: Confirmation instructions
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="--==_mimepart_61818bc2c05f3_12bf7404c54a6";
charset=UTF-8
Content-Transfer-Encoding: 7bit
----==_mimepart_61818bc2c05f3_12bf7404c54a6
Content-Type: text/plain;
charset=UTF-8
Content-Transfer-Encoding: 7bit
Welcome admin@nextgenappsllc.com!
You can confirm your account email through the link below:
------------------------------------------------------------------------
----==_mimepart_61818bc2c05f3_12bf7404c54a6
Content-Type: text/html;
charset=UTF-8
Content-Transfer-Encoding: 7bit
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style>
/* Email styles need to be inline */
</style>
</head>
<body>
<p>Welcome admin@nextgenappsllc.com!</p>
<p>You can confirm your account email through the link below:</p>
<p><a
href="https://venue2you.com/users/confirmation?confirmation_token=yJwJKQM2t5UcNtCzqDz1">Confirm
my account</a></p>
</body>
</html>
----==_mimepart_61818bc2c05f3_12bf7404c54a6--
------------------------------------------------------------------------
This is an example of the email with the same link not showing up positive:
------------------------------------------------------------------------
Return-Path: <no...@venue2you.com>
Delivered-To: admin@nextgenappsllc.com
Received: from nextgenappsllc.com
by grootchema.nextgenappsllc.com (Dovecot) with LMTP id
KE0vA0aMgWHXEgAAQQk82Q
for <ad...@nextgenappsllc.com>; Tue, 02 Nov 2021 15:06:46 -0400
Received: by nextgenappsllc.com (Postfix, from userid 115)
id 070D43EAB6; Tue, 2 Nov 2021 15:06:46 -0400 (EDT)
Authentication-Results: nextgenappsllc.com;
dkim=pass (2048-bit key; unprotected) header.d=venue2you.com
header.i=@venue2you.com header.b="DlpwO/Ka";
dkim-atps=neutral
Received: from mail.venue2you.com (mail.venue2you.com [170.187.146.47])
by nextgenappsllc.com (Postfix) with ESMTPS id 0008F3EA16
for <ad...@nextgenappsllc.com>; Tue, 2 Nov 2021 15:06:43 -0400 (EDT)
Authentication-Results: mail.venue2you.com (amavisd-new);
dkim=pass (2048-bit key) reason="pass (just generated, assumed good)"
header.d=venue2you.com
X-Virus-Scanned: Debian amavisd-new at mail.venue2you.com
Date: Tue, 02 Nov 2021 15:06:42 -0400
From: no-reply@venue2you.com
Reply-To: no-reply@venue2you.com
To: admin@nextgenappsllc.com
Message-ID: <61...@Joses-MacBook-Pro.local.mail>
Subject: Confirmation instructions
Mime-Version: 1.0
Content-Type: text/html;
charset=UTF-8
Content-Transfer-Encoding: 7bit
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style>
/* Email styles need to be inline */
</style>
</head>
<body>
<p>Welcome admin@nextgenappsllc.com!</p>
<p>You can confirm your account email through the link below:</p>
<p><a
href="https://venue2you.com/users/confirmation?confirmation_token=yJwJKQM2t5UcNtCzqDz1">Confirm
my account</a></p>
</body>
</html>
------------------------------------------------------------------------
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7940] URI_PHISH false positive
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7940
nextgenappsllc@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |nextgenappsllc@gmail.com
--- Comment #2 from nextgenappsllc@gmail.com ---
Maybe, but I also used mail-tester.com, where I get a tiny markdown for using
HTML but no URI_PHISH positive unless I send the multipart one.
Either way, why would this link show positive for URI phishing? It's a false
positive.
[Bug 7940] URI_PHISH false positive
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7940
--- Comment #3 from nextgenappsllc@gmail.com ---
Here is the email scanned with the link and no URI_PHISH positive:
Return-Path: <no...@venue2you.com>
Delivered-To: admin@nextgenappsllc.com
Received: from nextgenappsllc.com
by grootchema.nextgenappsllc.com (Dovecot) with LMTP id
WYdJKvOqgWF0HAAAQQk82Q
for <ad...@nextgenappsllc.com>; Tue, 02 Nov 2021 17:17:39 -0400
Received: by nextgenappsllc.com (Postfix, from userid 115)
id A36853EAB6; Tue, 2 Nov 2021 17:17:39 -0400 (EDT)
Authentication-Results: nextgenappsllc.com;
dkim=pass (2048-bit key; unprotected) header.d=venue2you.com
header.i=@venue2you.com header.b="GlSrb+Fh";
dkim-atps=neutral
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
grootchema.nextgenappsllc.com
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLOCKED
autolearn=unavailable autolearn_force=no version=3.4.2
Received: from mail.venue2you.com (mail.venue2you.com [170.187.146.47])
by nextgenappsllc.com (Postfix) with ESMTPS id 4F3F83EA16
for <ad...@nextgenappsllc.com>; Tue, 2 Nov 2021 17:17:39 -0400 (EDT)
Authentication-Results: mail.venue2you.com (amavisd-new);
dkim=pass (2048-bit key) reason="pass (just generated, assumed good)"
header.d=venue2you.com
X-Virus-Scanned: Debian amavisd-new at mail.venue2you.com
Date: Tue, 02 Nov 2021 17:17:38 -0400
From: no-reply@venue2you.com
Reply-To: no-reply@venue2you.com
To: admin@nextgenappsllc.com
Message-ID: <61...@Joses-MacBook-Pro.local.mail>
Subject: Reset password instructions
Mime-Version: 1.0
Content-Type: text/html;
charset=UTF-8
Content-Transfer-Encoding: 7bit
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style>
/* Email styles need to be inline */
</style>
</head>
<body>
<p>Hello admin@nextgenappsllc.com!</p>
<p>Someone has requested a link to change your password. You can do this
through the link below.</p>
<p><a
href="https://venue2you.com/users/password/edit?reset_password_token=s_AUowmUQGqfkjDcvqh9">Change
my password</a></p>
<p>If you didn't request this, please ignore this email.</p>
<p>Your password won't change until you access the link above and create a
new one.</p>
</body>
</html>
[Bug 7940] URI_PHISH false positive
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7940
John Hardin <jh...@impsec.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |WONTFIX
--- Comment #7 from John Hardin <jh...@impsec.org> ---
Closing as FAD. Rule discussions should take place on the Users mailing list.
[Bug 7940] URI_PHISH false positive
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7940
--- Comment #4 from nextgenappsllc@gmail.com ---
OK, so it seems the confirmation email gets flagged but the reset password one
does not, even though they are very similar and there are no phishing URLs:
URI_PHISH positive:
------------------------------------------------------------------------
Return-Path: <no...@venue2you.com>
Delivered-To: admin@nextgenappsllc.com
Received: from nextgenappsllc.com
by grootchema.nextgenappsllc.com (Dovecot) with LMTP id
R6KrFeGsgWEGIAAAQQk82Q
for <ad...@nextgenappsllc.com>; Tue, 02 Nov 2021 17:25:53 -0400
Received: by nextgenappsllc.com (Postfix, from userid 115)
id 509193EAB6; Tue, 2 Nov 2021 17:25:53 -0400 (EDT)
Authentication-Results: nextgenappsllc.com;
dkim=pass (2048-bit key; unprotected) header.d=venue2you.com
header.i=@venue2you.com header.b="Of61663L";
dkim-atps=neutral
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
grootchema.nextgenappsllc.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,HTML_MESSAGE,SPF_HELO_PASS,URIBL_BLOCKED,URI_PHISH
autolearn=no autolearn_force=no version=3.4.2
Received: from mail.venue2you.com (mail.venue2you.com [170.187.146.47])
by nextgenappsllc.com (Postfix) with ESMTPS id 0E1BA3EA16
for <ad...@nextgenappsllc.com>; Tue, 2 Nov 2021 17:25:53 -0400 (EDT)
Authentication-Results: mail.venue2you.com (amavisd-new);
dkim=pass (2048-bit key) reason="pass (just generated, assumed good)"
header.d=venue2you.com
X-Virus-Scanned: Debian amavisd-new at mail.venue2you.com
Date: Tue, 02 Nov 2021 17:25:52 -0400
From: no-reply@venue2you.com
Reply-To: no-reply@venue2you.com
To: admin@nextgenappsllc.com
Message-ID: <61...@grootchema.mail>
Subject: Confirmation instructions
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="--==_mimepart_6181ace055fa4_1ff210b886ab";
charset=UTF-8
Content-Transfer-Encoding: 7bit
----==_mimepart_6181ace055fa4_1ff210b886ab
Content-Type: text/plain;
charset=UTF-8
Content-Transfer-Encoding: 7bit
Welcome admin@nextgenappsllc.com!
You can confirm your account email through the link below:
https://venue2you.com/users/confirmation?confirmation_token=R9zBfiResWJ5iSvJihQQ
----==_mimepart_6181ace055fa4_1ff210b886ab
Content-Type: text/html;
charset=UTF-8
Content-Transfer-Encoding: 7bit
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style>
/* Email styles need to be inline */
</style>
</head>
<body>
<p>Welcome admin@nextgenappsllc.com!</p>
<p>You can confirm your account email through the link below:</p>
<p><a
href="https://venue2you.com/users/confirmation?confirmation_token=R9zBfiResWJ5iSvJihQQ">Confirm
my account</a></p>
</body>
</html>
----==_mimepart_6181ace055fa4_1ff210b886ab--
------------------------------------------------------------------------
URI_PHISH negative:
------------------------------------------------------------------------
Return-Path: <no...@venue2you.com>
Delivered-To: admin@nextgenappsllc.com
Received: from nextgenappsllc.com
by grootchema.nextgenappsllc.com (Dovecot) with LMTP id
E6+lAC+tgWEbIAAAQQk82Q
for <ad...@nextgenappsllc.com>; Tue, 02 Nov 2021 17:27:11 -0400
Received: by nextgenappsllc.com (Postfix, from userid 115)
id F1B5F3EAB6; Tue, 2 Nov 2021 17:27:10 -0400 (EDT)
Authentication-Results: nextgenappsllc.com;
dkim=pass (2048-bit key; unprotected) header.d=venue2you.com
header.i=@venue2you.com header.b="ZYq7ukiU";
dkim-atps=neutral
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
grootchema.nextgenappsllc.com
X-Spam-Level:
X-Spam-Status: No, score=-0.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,HTML_MESSAGE,SPF_HELO_PASS,URIBL_BLOCKED
autolearn=unavailable autolearn_force=no version=3.4.2
Received: from mail.venue2you.com (mail.venue2you.com [170.187.146.47])
by nextgenappsllc.com (Postfix) with ESMTPS id B027F3EA16
for <ad...@nextgenappsllc.com>; Tue, 2 Nov 2021 17:27:10 -0400 (EDT)
Authentication-Results: mail.venue2you.com (amavisd-new);
dkim=pass (2048-bit key) reason="pass (just generated, assumed good)"
header.d=venue2you.com
X-Virus-Scanned: Debian amavisd-new at mail.venue2you.com
Date: Tue, 02 Nov 2021 17:27:10 -0400
From: no-reply@venue2you.com
Reply-To: no-reply@venue2you.com
To: admin@nextgenappsllc.com
Message-ID: <61...@grootchema.mail>
Subject: Reset password instructions
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="--==_mimepart_6181ad2e14a65_1ff310b886e3";
charset=UTF-8
Content-Transfer-Encoding: 7bit
----==_mimepart_6181ad2e14a65_1ff310b886e3
Content-Type: text/plain;
charset=UTF-8
Content-Transfer-Encoding: 7bit
Hello admin@nextgenappsllc.com!
Someone has requested a link to change your password. You can do this through
the link below.
https://venue2you.com/users/password/edit?reset_password_token=S55Mvfe6fU57YpfkxtZY
If you didn't request this, please ignore this email.
Your password won't change until you access the link above and create a new
one.
----==_mimepart_6181ad2e14a65_1ff310b886e3
Content-Type: text/html;
charset=UTF-8
Content-Transfer-Encoding: 7bit
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style>
/* Email styles need to be inline */
</style>
</head>
<body>
<p>Hello admin@nextgenappsllc.com!</p>
<p>Someone has requested a link to change your password. You can do this
through the link below.</p>
<p><a
href="https://venue2you.com/users/password/edit?reset_password_token=S55Mvfe6fU57YpfkxtZY">Change
my password</a></p>
<p>If you didn't request this, please ignore this email.</p>
<p>Your password won't change until you access the link above and create a
new one.</p>
</body>
</html>
----==_mimepart_6181ad2e14a65_1ff310b886e3--
------------------------------------------------------------------------
[Bug 7940] URI_PHISH false positive
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7940
Loren Wilton <lw...@earthlink.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |lwilton@earthlink.net
--- Comment #1 from Loren Wilton <lw...@earthlink.net> ---
I do not see any X-Spam- headers in the second email. This makes me suspect
that it was not scanned by SA.
[Bug 7940] URI_PHISH false positive
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7940
John Hardin <jh...@impsec.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jhardin@impsec.org
--- Comment #6 from John Hardin <jh...@impsec.org> ---
It's not based on "phishing URLs" or the specific link, it's based on having
body text that looks like account phishing and having a URL.
The body text that looks suspiciously like phishing is, unsurprisingly,
"confirm your account".
The reason one version hits and the other does not is that the rule is looking
for multiple phishing text fragments, and the repetition of that text in the
plain-text and HTML body parts unfortunately counts double.
> X-Spam-Status: No, score=3.717 tagged_above=2 required=6.2
As Loren said, this is not a FP, as the total score for the message did not
exceed the spam threshold. This is a single-rule hit on spammy-looking content
without other signs to support it. That happens.
It is not a bug that a given rule will hit some ham.
The only suggestion I can offer is that you reword your message to make it look
less like phishing. Perhaps:
Please confirm that you created an account on our service using that email
address by clicking this link: <a mumble>Confirm new account</a>
--
You are receiving this mail because:
You are the assignee for the bug.
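A sketch of the counting behaviour described in comment #6, added here as an example; it is not SpamAssassin's URI_PHISH rule and was not posted in the thread. It assumes a single fragment pattern ("confirm your account", the only one the thread names), a stand-in threshold of two fragments, and constructed messages that use example.com and a placeholder token.

```python
import re
from email.message import EmailMessage
from html.parser import HTMLParser

# Assumptions: the thread names only "confirm your account" as a fragment and
# says the rule wants "multiple" fragments plus a URL; 2 is a stand-in threshold.
FRAGMENT_RE = re.compile(r"confirm\s+your\s+account", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
MIN_FRAGMENTS = 2

class VisibleText(HTMLParser):
    """Collect the text a reader sees and the href targets of links."""

    def __init__(self):
        super().__init__()
        self.text, self.urls = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.urls.extend(v for k, v in attrs if k == "href" and v)

    def handle_data(self, data):
        self.text.append(data)

def scan_part(part):
    """Return (fragment_hits, has_url) for one text/* MIME part."""
    body = part.get_content()
    if part.get_content_subtype() == "html":
        parser = VisibleText()
        parser.feed(body)
        text, urls = " ".join(parser.text), parser.urls
    else:
        text, urls = body, URL_RE.findall(body)
    return len(FRAGMENT_RE.findall(text)), bool(urls)

def evaluate(msg):
    """Sum fragment hits over every text part, so duplicated bodies add up."""
    results = [scan_part(p) for p in msg.walk()
               if p.get_content_maintype() == "text"]
    total = sum(hits for hits, _ in results)
    has_url = any(url for _, url in results)
    return {"fragments": total, "has_url": has_url,
            "hit": has_url and total >= MIN_FRAGMENTS}

def build(text, html, with_plain):
    """Constructed sample message: multipart/alternative or HTML-only."""
    msg = EmailMessage()
    if with_plain:
        msg.set_content(text)
        msg.add_alternative(html, subtype="html")
    else:
        msg.set_content(html, subtype="html")
    return msg

# Constructed sample content; example.com and TOKEN are placeholders.
LINK = "https://example.com/users/confirmation?confirmation_token=TOKEN"
TEXT = f"Welcome!\nYou can confirm your account email through the link below:\n{LINK}\n"
HTML = ("<p>Welcome!</p><p>You can confirm your account email through the "
        f'link below:</p><p><a href="{LINK}">Confirm my account</a></p>')

if __name__ == "__main__":
    print("multipart:", evaluate(build(TEXT, HTML, with_plain=True)))
    print("html only:", evaluate(build(TEXT, HTML, with_plain=False)))
```

The same wording scores one fragment when sent as HTML only and two when the plain-text alternative repeats it, which is the difference the reporter observed between the two confirmation emails.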
[Bug 7940] URI_PHISH false positive
Posted by bu...@spamassassin.apache.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7940
--- Comment #5 from Loren Wilton <lw...@earthlink.net> ---
> X-Spam-Status: No, score=3.6 required=5.0
So? The test is hitting, but it isn't nearly enough to mark it as spam.
It takes 5 points to be spam, and this only gets 3.6 total from several rules
hitting.
BTW, URIBL_BLOCKED indicates a configuration error on the system doing the mail
checking.
Also: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13)
The current version of SA is 3.4.6, and is about 3 years newer than the version
running on the test system. There have been quite a few fixes since 3.4.2.