You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2015/06/14 15:36:13 UTC

[Bug 7210] URI_WP_HACKED_2 / __PS_TEST_LOC_WP matches legitimate CiviCRM emails

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7210

Kevin A. McGrail <km...@pccc.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jhardin@impsec.org,
                   |                            |kmcgrail@pccc.com

--- Comment #1 from Kevin A. McGrail <km...@pccc.com> ---
As a general rule, it's almost impossible to make a rule without false
positives which is why most rules are scored well below the 5.0 threshold.

What matters most is the ratio of spam to ham (we call it the S/O).  The S/O is
the 4th column which I've added the asterisks

0     0.0048     0.0011     *0.820*     0.51     2.00     URI_WP_HACKED_2 

and

0     0.0112     0.0095     *0.540*     0.52     (n/a)     __PS_TEST_LOC_WP     



I also know that I see a lot of compromised wp installs in spam so I have a
number of rules that hit on wp-xyz.  Changing to exclude one plugin is likely
to do just as much bad as good.

And, this is a test rule and a meta rule that only scores 2.0.

Anyway, need to see the email sample to see if this merits work anyway because
if it isn't being marked over 5.0, it's general "normal" operations.

Additionally, based on the meta (__PS_TEST_LOC_WP && !URI_WP_HACKED) &&
!__TO_EQ_FROM && !__THREADED, there are potentially better fixes.

John, your thoughts?

Regards,
KAM

-- 
You are receiving this mail because:
You are the assignee for the bug.