Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2014/07/11 17:05:48 UTC

[Bug 7067] New: TO_NO_BRKTS_HTML_ONLY + TO_NO_BRKTS_NORDNS_HTML causing FP

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7067

            Bug ID: 7067
           Summary: TO_NO_BRKTS_HTML_ONLY + TO_NO_BRKTS_NORDNS_HTML
                    causing FP
           Product: Spamassassin
           Version: 3.3.2
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Rules
          Assignee: dev@spamassassin.apache.org
          Reporter: kdeugau@vianet.ca

I've just had a false-positive report due mostly to TO_NO_BRKTS_HTML_ONLY and
TO_NO_BRKTS_NORDNS_HTML.  The message is a legitimate appointment notice from
the recipient's local SPCA.

Note also the message hit BAYES_05 locally.

I'll try to get permission to attach the complete message.

TO_NO_BRKTS_HTML_ONLY and TO_NO_BRKTS_NORDNS_HTML should not have quite so high
a combined score, given that the second rule is basically an extension of the
first, and when combined with the 0.8 for RDNS_NONE and 0.7 for MIME_HTML_ONLY
push the message well over 5 points by default.

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 7067] TO_NO_BRKTS_HTML_ONLY + TO_NO_BRKTS_NORDNS_HTML causing FP

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7067

--- Comment #3 from Kris Deugau <kd...@vianet.ca> ---
Created attachment 5223
  --> https://issues.apache.org/SpamAssassin/attachment.cgi?id=5223&action=edit
Reported FP email that led to the bug report

Attaching a lightly redacted message demonstrating this FP - please add to
someone's corpus if possible.


[Bug 7067] TO_NO_BRKTS_HTML_ONLY + TO_NO_BRKTS_NORDNS_HTML causing FP

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7067

Kris Deugau <kd...@vianet.ca> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kdeugau@vianet.ca

--- Comment #5 from Kris Deugau <kd...@vianet.ca> ---
(In reply to AXB from comment #4)
> why is this a FP?
> 
> score TO_NO_BRKTS_NORDNS_HTML               0.001 0.001 0.001 0.001
> score TO_NO_BRKTS_HTML_ONLY                 0.001 1.308 0.001 1.308
> 
> the rules do what they're designed for.

As of when the message was originally processed (Jul 8), and as of the rules
update from ~Friday or so:

72_scores.cf:score TO_NO_BRKTS_NORDNS_HTML    0.001 2.620 0.001 2.620
72_scores.cf:score TO_NO_BRKTS_HTML_ONLY      0.001 2.499 0.001 2.499

> Your sample clearly shows this and if anything, the senders should fix their
> sloppy msg generation as well as do the right thing and get fcrdns

I don't have time to bully thousands of small senders like this into fixing
formal RFC-correctness things like this (no < > on the To: address). 
Apparently they don't send notices to GMail or AOL accounts or they would
probably have proper rDNS already.

I *have* actually tried contacting people about issues like this in the past,
and gotten one of:

1) No response, no change.  (No surprise.)
2) "uhhhh....   whut?"

Usually because the only point of contact I can find is the hosting customer
whose site the widget is on...  and they are NOT systems/server folks, so they
don't have a clue what needs fixing.

> If this msg was tagged as spam, then there were more rules involved or the
> threshold has been heavily modified

I probably should have included the full hit report originally.

I don't run with a modified threshold systemwide;  just a few on a per-user
basis.  (To be exact, 5 with a threshold under 5;  one at 5.5 due to.... yep,
rules like this causing otherwise legitimate - and unwhitelistable - website
form mail to get tagged;  5 domain accounts at 7;  a legacy hosting role
contact at 7.5;  and 5 more with a threshold of 8 which at one point or another
had FP issues.)

Content analysis details:   (5.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
-1.5 BAYES_05               BODY: Bayes spam probability is 1 to 5%
                            [score: 0.0493]
 1.0 BROKEN_TEXT_1          RAW: 20+ short lines
 0.8 RDNS_NONE              Delivered to internal network by a host with no
rDNS
 2.6 TO_NO_BRKTS_HTML_ONLY  To: misformatted and HTML only
 2.0 TO_NO_BRKTS_NORDNS_HTML To: misformatted and no rDNS and HTML only

No custom rules hit, no modified scores except for Bayes (as of original
processing), not even a funky Bayes hit.  I notice that if it had hit BAYES_00
instead, and I had not modified the BAYES_* scores, it *still* would have been
tagged - the stock BAYES_00 score is currently -1.9;  I have it at -3.

-- 
You are receiving this mail because:
You are the assignee for the bug.
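
An added example, not part of the original thread or of SpamAssassin: it parses the hit report from comment #5, recomputes the total, and rescores it with the stock BAYES_00 score quoted there and with only one of the two TO_NO_BRKTS_* rules firing. Which rule the change in revision 1607893 suppresses is not stated on this page, so both cases are computed; `parse_report` and `rescore` are illustrative names.

```python
import re

# Hit report from comment #5 on this page, wrapped description lines included.
REPORT = """\
Content analysis details:   (5.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
-1.5 BAYES_05               BODY: Bayes spam probability is 1 to 5%
                            [score: 0.0493]
 1.0 BROKEN_TEXT_1          RAW: 20+ short lines
 0.8 RDNS_NONE              Delivered to internal network by a host with no
rDNS
 2.6 TO_NO_BRKTS_HTML_ONLY  To: misformatted and HTML only
 2.0 TO_NO_BRKTS_NORDNS_HTML To: misformatted and no rDNS and HTML only
"""

HEADER = re.compile(r"\((-?[\d.]+) points, (-?[\d.]+) required\)")
HIT = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\s")

def parse_report(text):
    """Return (reported_total, threshold, {rule: points}).
    Wrapped description lines and the header rows do not match HIT and are skipped."""
    m = HEADER.search(text)
    if m is None:
        raise ValueError("no 'points, required' summary line found")
    hits = {}
    for line in text.splitlines():
        h = HIT.match(line)
        if h:
            hits[h.group(2)] = float(h.group(1))
    return float(m.group(1)), float(m.group(2)), hits

def rescore(hits, drop=(), swap=None):
    """Total after dropping rules and/or swapping one hit for another (old -> (new, pts))."""
    scored = {r: p for r, p in hits.items() if r not in drop}
    for old, (new, pts) in (swap or {}).items():
        scored.pop(old, None)
        scored[new] = pts
    return round(sum(scored.values()), 1)

if __name__ == "__main__":
    total, required, hits = parse_report(REPORT)
    print("recomputed:", rescore(hits), "reported:", total, "required:", required)
    # Stock BAYES_00 score of -1.9 as quoted in comment #5.
    print("with BAYES_00:", rescore(hits, swap={"BAYES_05": ("BAYES_00", -1.9)}))
    # Assumption: only one TO_NO_BRKTS_* rule fires after the fix; the page does not say which.
    for rule in ("TO_NO_BRKTS_HTML_ONLY", "TO_NO_BRKTS_NORDNS_HTML"):
        print("without", rule + ":", rescore(hits, drop=(rule,)))
```
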

[Bug 7067] TO_NO_BRKTS_HTML_ONLY + TO_NO_BRKTS_NORDNS_HTML causing FP

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7067

John Hardin <jh...@impsec.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |jhardin@impsec.org
         Resolution|---                         |FIXED

--- Comment #1 from John Hardin <jh...@impsec.org> ---
Revision 1607893 includes a change that keeps these two rules from firing
simultaneously.


[Bug 7067] TO_NO_BRKTS_HTML_ONLY + TO_NO_BRKTS_NORDNS_HTML causing FP

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7067

--- Comment #2 from John Hardin <jh...@impsec.org> ---
I will also reduce the score limits a bit.


[Bug 7067] TO_NO_BRKTS_HTML_ONLY + TO_NO_BRKTS_NORDNS_HTML causing FP

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7067

--- Comment #4 from AXB <ax...@gmail.com> ---
why is this a FP?

score TO_NO_BRKTS_NORDNS_HTML               0.001 0.001 0.001 0.001
score TO_NO_BRKTS_HTML_ONLY                 0.001 1.308 0.001 1.308

the rules do what they're designed for.

Your sample clearly shows this and if anything, the senders should fix their
sloppy msg generation as well as do the right thing and get fcrdns

Received: from www.humanesolution.com (unknown [208.74.28.197])

dig -x 208.74.28.197 +short
w-208-74-28-197.redplaid.com.


If this msg was tagged as spam, then there were more rules involved or the
threshold has been heavily modified
