Mailing List Archive

[Bug 7940] URI_PHISH false positive
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7940

Loren Wilton <lwilton@earthlink.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |lwilton@earthlink.net

--- Comment #1 from Loren Wilton <lwilton@earthlink.net> ---
I do not see any X-Spam- headers in the second email. This makes me suspect
that it was not scanned by SA.

--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 7940] URI_PHISH false positive

nextgenappsllc@gmail.com changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |nextgenappsllc@gmail.com

--- Comment #2 from nextgenappsllc@gmail.com ---
Maybe, but I also used mail-tester.com, where I get a tiny markdown for using
HTML but no URI_PHISH hit unless I send the multipart one.

Either way, why would this link show positive for URI phishing? It's a false
positive.

[Bug 7940] URI_PHISH false positive

--- Comment #3 from nextgenappsllc@gmail.com ---
Here is the email scanned with the link and no URI_PHISH positive:

Return-Path: <no-reply@venue2you.com>
Delivered-To: admin@nextgenappsllc.com
Received: from nextgenappsllc.com
by grootchema.nextgenappsllc.com (Dovecot) with LMTP id
WYdJKvOqgWF0HAAAQQk82Q
for <admin@nextgenappsllc.com>; Tue, 02 Nov 2021 17:17:39 -0400
Received: by nextgenappsllc.com (Postfix, from userid 115)
id A36853EAB6; Tue, 2 Nov 2021 17:17:39 -0400 (EDT)
Authentication-Results: nextgenappsllc.com;
dkim=pass (2048-bit key; unprotected) header.d=venue2you.com
header.i=@venue2you.com header.b="GlSrb+Fh";
dkim-atps=neutral
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
grootchema.nextgenappsllc.com
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLOCKED
autolearn=unavailable autolearn_force=no version=3.4.2
Received: from mail.venue2you.com (mail.venue2you.com [170.187.146.47])
by nextgenappsllc.com (Postfix) with ESMTPS id 4F3F83EA16
for <admin@nextgenappsllc.com>; Tue, 2 Nov 2021 17:17:39 -0400 (EDT)
Authentication-Results: mail.venue2you.com (amavisd-new);
dkim=pass (2048-bit key) reason="pass (just generated, assumed good)"
header.d=venue2you.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=venue2you.com; h=
content-transfer-encoding:content-type:mime-version:subject
:message-id:to:reply-to:from:date; s=dkim; t=1635887858; x=
1638479859; bh=IAqusvlHU+Lgzu9uZEGBCanRTOVHQb0UTitiUxcIgm8=; b=G
lSrb+FhIMnjNth8ASE2y7eNzRCNbVXqmBQWTlnztWN/G9Ah77c7ErMPlv4H95Kgm
O4GymSiI52n3lWo3kzF5yGuRoCryvDpyu8jss6O7xA2GAXzAuhta73ZEHc9E6ASV
iFuWOkH4WTQIu9grgltHxz5eYX6n5Xc9R8SzE2ogK5OnIO2fECwEu8TETz1BNWbU
Q4Ysf7YqidRV8g+6DXFmVrGJwChPCu739at/gdJXlD5HL7h4o7ifW19f/yBayfLt
mZnq+f1jywXKwBzJ3QztJ/MXzw0kWOzHege3VYw4/Sv3bVuhIReLiZVd/qged9dJ
fNn4OtCbluZNAjQwAgmyg==
X-Virus-Scanned: Debian amavisd-new at mail.venue2you.com
Date: Tue, 02 Nov 2021 17:17:38 -0400
From: no-reply@venue2you.com
Reply-To: no-reply@venue2you.com
To: admin@nextgenappsllc.com
Message-ID: <6181aaf29a4d_12bf78c8c63d7@Joses-MacBook-Pro.local.mail>
Subject: Reset password instructions
Mime-Version: 1.0
Content-Type: text/html;
charset=UTF-8
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style>
/* Email styles need to be inline */
</style>
</head>

<body>
<p>Hello admin@nextgenappsllc.com!</p>

<p>Someone has requested a link to change your password. You can do this
through the link below.</p>

<p><a
href="https://venue2you.com/users/password/edit?reset_password_token=s_AUowmUQGqfkjDcvqh9">Change
my password</a></p>

<p>If you didn&#39;t request this, please ignore this email.</p>
<p>Your password won&#39;t change until you access the link above and create a
new one.</p>

</body>
</html>

[Bug 7940] URI_PHISH false positive

--- Comment #4 from nextgenappsllc@gmail.com ---
OK, so it seems the confirmation email gets flagged but the reset password one
does not, even though they are very similar and there are no phishing URLs:

URI_PHISH positive:

------------------------------------------------------------------------

Return-Path: <no-reply@venue2you.com>
Delivered-To: admin@nextgenappsllc.com
Received: from nextgenappsllc.com
by grootchema.nextgenappsllc.com (Dovecot) with LMTP id
R6KrFeGsgWEGIAAAQQk82Q
for <admin@nextgenappsllc.com>; Tue, 02 Nov 2021 17:25:53 -0400
Received: by nextgenappsllc.com (Postfix, from userid 115)
id 509193EAB6; Tue, 2 Nov 2021 17:25:53 -0400 (EDT)
Authentication-Results: nextgenappsllc.com;
dkim=pass (2048-bit key; unprotected) header.d=venue2you.com
header.i=@venue2you.com header.b="Of61663L";
dkim-atps=neutral
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
grootchema.nextgenappsllc.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,HTML_MESSAGE,SPF_HELO_PASS,URIBL_BLOCKED,URI_PHISH
autolearn=no autolearn_force=no version=3.4.2
Received: from mail.venue2you.com (mail.venue2you.com [170.187.146.47])
by nextgenappsllc.com (Postfix) with ESMTPS id 0E1BA3EA16
for <admin@nextgenappsllc.com>; Tue, 2 Nov 2021 17:25:53 -0400 (EDT)
Authentication-Results: mail.venue2you.com (amavisd-new);
dkim=pass (2048-bit key) reason="pass (just generated, assumed good)"
header.d=venue2you.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=venue2you.com; h=
content-transfer-encoding:content-type:mime-version:subject
:message-id:to:reply-to:from:date; s=dkim; t=1635888352; x=
1638480353; bh=5len7HBjhbGUzBUG4Z5WXfNH//7VPF3PKuKTaAZhloI=; b=O
f61663LM6adU7XjPGiogs0E4FCscobb4IRY768+vcBAo1AgsrnNgEn8XU5OqLhpS
TQ9DVG90RBgoyWPVZ9mZ5NijEC70VeneEesXnHc+IW5mMboJWwhAlBFDC9VLdzvY
EiZvk1269SmavFeKBlnNYad4PlUECP8h8NE1GWpDQX1It3TINy7L59I4xqpjBJkE
E/ZfIRq9VokRxqsPfUm7GYjPQrfQtHRrtQNAAN6N2C7G6/mJApNKRTNbHiLz9R8L
nAnGNXWNezdrKKiw+spywbq3xMbyMvDNkE08BtvA0dSAo93GBffUb2tyS0bGmOEq
u9gkBO13plXSer6fzBc+A==
X-Virus-Scanned: Debian amavisd-new at mail.venue2you.com
Date: Tue, 02 Nov 2021 17:25:52 -0400
From: no-reply@venue2you.com
Reply-To: no-reply@venue2you.com
To: admin@nextgenappsllc.com
Message-ID: <6181ace056a36_1ff210b88774@grootchema.mail>
Subject: Confirmation instructions
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="--==_mimepart_6181ace055fa4_1ff210b886ab";
charset=UTF-8
Content-Transfer-Encoding: 7bit


----==_mimepart_6181ace055fa4_1ff210b886ab
Content-Type: text/plain;
charset=UTF-8
Content-Transfer-Encoding: 7bit

Welcome admin@nextgenappsllc.com!

You can confirm your account email through the link below:

https://venue2you.com/users/confirmation?confirmation_token=R9zBfiResWJ5iSvJihQQ


----==_mimepart_6181ace055fa4_1ff210b886ab
Content-Type: text/html;
charset=UTF-8
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style>
/* Email styles need to be inline */
</style>
</head>

<body>
<p>Welcome admin@nextgenappsllc.com!</p>

<p>You can confirm your account email through the link below:</p>

<p><a
href="https://venue2you.com/users/confirmation?confirmation_token=R9zBfiResWJ5iSvJihQQ">Confirm
my account</a></p>

</body>
</html>

----==_mimepart_6181ace055fa4_1ff210b886ab--

------------------------------------------------------------------------
URI_PHISH negative:

------------------------------------------------------------------------

Return-Path: <no-reply@venue2you.com>
Delivered-To: admin@nextgenappsllc.com
Received: from nextgenappsllc.com
by grootchema.nextgenappsllc.com (Dovecot) with LMTP id
E6+lAC+tgWEbIAAAQQk82Q
for <admin@nextgenappsllc.com>; Tue, 02 Nov 2021 17:27:11 -0400
Received: by nextgenappsllc.com (Postfix, from userid 115)
id F1B5F3EAB6; Tue, 2 Nov 2021 17:27:10 -0400 (EDT)
Authentication-Results: nextgenappsllc.com;
dkim=pass (2048-bit key; unprotected) header.d=venue2you.com
header.i=@venue2you.com header.b="ZYq7ukiU";
dkim-atps=neutral
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
grootchema.nextgenappsllc.com
X-Spam-Level:
X-Spam-Status: No, score=-0.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,HTML_MESSAGE,SPF_HELO_PASS,URIBL_BLOCKED
autolearn=unavailable autolearn_force=no version=3.4.2
Received: from mail.venue2you.com (mail.venue2you.com [170.187.146.47])
by nextgenappsllc.com (Postfix) with ESMTPS id B027F3EA16
for <admin@nextgenappsllc.com>; Tue, 2 Nov 2021 17:27:10 -0400 (EDT)
Authentication-Results: mail.venue2you.com (amavisd-new);
dkim=pass (2048-bit key) reason="pass (just generated, assumed good)"
header.d=venue2you.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=venue2you.com; h=
content-transfer-encoding:content-type:mime-version:subject
:message-id:to:reply-to:from:date; s=dkim; t=1635888430; x=
1638480431; bh=3DmNU/jv/DuRr0CM46g83nAOX6HrY46Rcs+BDALrVy4=; b=Z
Yq7ukiUOziHWg1BA88syoR4LuD9hphbphBVF/Bg++xc9sakajBzW0MM7ulALcMSD
GAt54xLodhFDapW5qZQhy9t6SmbaBpl/xBd1Oi8qEcyFLxtxoxJ8B6mD56fe4sIy
FW0HtMWEpZ6Xy64oVglYIkUWLOP613C1w8a7ALd1cEx4UavgrqBqpgGVQakDZbqL
tVm+6aztcPVDmEPd8cHk39ecj96Bkc4i7f24Bo8hn3bgf4k0KDscowraHk6L8R/L
GvZ0RsIJZKsSXKW3E4Bbl9SkcISXqnfDRR4zqWW8htsSoUs/16IFlR10l4RZzTVd
3QkAoBNMjf+sopMaEG6Qw==
X-Virus-Scanned: Debian amavisd-new at mail.venue2you.com
Date: Tue, 02 Nov 2021 17:27:10 -0400
From: no-reply@venue2you.com
Reply-To: no-reply@venue2you.com
To: admin@nextgenappsllc.com
Message-ID: <6181ad2e15bb9_1ff310b88710@grootchema.mail>
Subject: Reset password instructions
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="--==_mimepart_6181ad2e14a65_1ff310b886e3";
charset=UTF-8
Content-Transfer-Encoding: 7bit


----==_mimepart_6181ad2e14a65_1ff310b886e3
Content-Type: text/plain;
charset=UTF-8
Content-Transfer-Encoding: 7bit

Hello admin@nextgenappsllc.com!

Someone has requested a link to change your password. You can do this through
the link below.

https://venue2you.com/users/password/edit?reset_password_token=S55Mvfe6fU57YpfkxtZY

If you didn't request this, please ignore this email.
Your password won't change until you access the link above and create a new
one.


----==_mimepart_6181ad2e14a65_1ff310b886e3
Content-Type: text/html;
charset=UTF-8
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style>
/* Email styles need to be inline */
</style>
</head>

<body>
<p>Hello admin@nextgenappsllc.com!</p>

<p>Someone has requested a link to change your password. You can do this
through the link below.</p>

<p><a
href="https://venue2you.com/users/password/edit?reset_password_token=S55Mvfe6fU57YpfkxtZY">Change
my password</a></p>

<p>If you didn&#39;t request this, please ignore this email.</p>
<p>Your password won&#39;t change until you access the link above and create a
new one.</p>

</body>
</html>

----==_mimepart_6181ad2e14a65_1ff310b886e3--

------------------------------------------------------------------------

[Bug 7940] URI_PHISH false positive

--- Comment #5 from Loren Wilton <lwilton@earthlink.net> ---
> X-Spam-Status: No, score=3.6 required=5.0

So? The test is hitting, but it isn't nearly enough to mark it as spam.
It takes 5 points to be spam, and this only gets 3.6 total from several rules
hitting.

BTW, URIBL_BLOCKED indicates a configuration error on the system doing the mail
checking.

Also: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13)

The current version of SA is 3.4.6, and is about 3 years newer than the version
running on the test system. There have been quite a few fixes since 3.4.2.

[Bug 7940] URI_PHISH false positive

John Hardin <jhardin@impsec.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |jhardin@impsec.org

--- Comment #6 from John Hardin <jhardin@impsec.org> ---
It's not based on "phishing URLs" or the specific link, it's based on having
body text that looks like account phishing and having a URL.

The body text that looks suspiciously like phishing is, unsurprisingly,
"confirm your account".

The reason one version hits and the other does not is that the rule is looking
for multiple phishing text fragments, and the repetition of that text in the
plain-text and HTML body parts unfortunately counts double.

> X-Spam-Status: No, score=3.717 tagged_above=2 required=6.2

As Loren said, this is not a FP, as the total score for the message did not
exceed the spam threshold. This is a single-rule hit on spammy-looking content
without other signs to support it. That happens.

It is not a bug that a given rule will hit some ham.

The only suggestion I can offer is that you reword your message to make it look
less like phishing. Perhaps:

Please confirm that you created an account on our service using that email
address by clicking this link: <a mumble>Confirm new account</a>

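The two mechanisms discussed in comments #5 and #6 (an X-Spam-Status verdict that stays "No" because the total score is below `required`, and a fragment-counting rule that sees the same "confirm your account" sentence in both the text/plain and text/html parts of a multipart/alternative message) can be reproduced with a small script. The following is an added illustration, not code from the bug report or from SpamAssassin itself: the fragment list, the toy `uri_phish_like` rule and the two sample messages are all constructed here; the real URI_PHISH meta rule is assumed to use a far larger fragment list, and only the counting behaviour described in the thread is modelled.

```python
"""Reproduce two points from the thread: a 'No, score=3.6 required=5.0'
X-Spam-Status is a non-spam verdict even though URI_PHISH is listed, and
a rule that counts phishing-looking text across every text part sees the
same sentence twice in multipart/alternative mail but once in HTML-only mail.
The fragment list and messages are constructed; this is not SA's real rule."""
import re
from email import message_from_string
from html import unescape

# Constructed stand-in for SA's phishing-text sub-rules (assumption: the real
# rule has a much longer list; only the counting logic matters here).
PHISH_FRAGMENTS = [
    re.compile(r"\bconfirm your account\b", re.I),
    re.compile(r"\bverify your account\b", re.I),
    re.compile(r"\baccount (?:has been|will be) (?:suspended|locked)\b", re.I),
]
URI_RE = re.compile(r"https?://\S+", re.I)

# Constructed bodies modelled on the confirmation mail quoted in comment #4.
BODY_TEXT = ("Welcome admin@example.org!\n\nYou can confirm your account email "
             "through the link below:\n\nhttps://example.com/users/confirmation"
             "?confirmation_token=TOKEN\n")
BODY_HTML = ('<html><body><p>Welcome admin@example.org!</p>\n<p>You can confirm '
             'your account email through the link below:</p>\n<p><a href="https://'
             'example.com/users/confirmation?confirmation_token=TOKEN">Confirm my '
             'account</a></p></body></html>\n')

MULTIPART_CONFIRMATION = f"""\
Subject: Confirmation instructions
X-Spam-Status: No, score=3.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
 DKIM_VALID_AU,HTML_MESSAGE,SPF_HELO_PASS,URIBL_BLOCKED,URI_PHISH
 autolearn=no autolearn_force=no version=3.4.2
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=UTF-8

{BODY_TEXT}
--b1
Content-Type: text/html; charset=UTF-8

{BODY_HTML}
--b1--
"""

HTML_ONLY_CONFIRMATION = f"""\
Subject: Confirmation instructions
X-Spam-Status: No, score=0.0 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
 DKIM_VALID_AU,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS
 autolearn=unavailable autolearn_force=no version=3.4.2
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8

{BODY_HTML}
"""


def parse_spam_status(value):
    """Parse a (possibly folded) X-Spam-Status value into verdict, score, threshold, tests."""
    flat = " ".join(value.split())  # unfold continuation lines
    m = re.match(r"(Yes|No),\s*score=(-?[\d.]+)\s+required=([\d.]+)", flat)
    if not m:
        raise ValueError(f"unrecognised X-Spam-Status: {flat!r}")
    verdict, score, required = m.groups()
    tm = re.search(r"tests=([A-Z0-9_,\s]+)", flat)  # test names are upper-case
    tests = [t for t in re.split(r"[\s,]+", tm.group(1)) if t] if tm else []
    return {"is_spam": verdict == "Yes", "score": float(score),
            "required": float(required), "tests": tests}


def text_parts(msg):
    """Yield (content_type, decoded body) for every text/plain and text/html part."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            charset = part.get_content_charset() or "utf-8"
            yield ctype, part.get_payload(decode=True).decode(charset, "replace")


def visible(ctype, body):
    """Crude tag strip so HTML is matched on what the reader sees."""
    return unescape(re.sub(r"<[^>]+>", " ", body)) if ctype == "text/html" else body


def count_phish_fragments(raw):
    """Count fragment hits across ALL text parts: text + HTML copies count twice."""
    msg = message_from_string(raw)
    return sum(len(p.findall(visible(c, b)))
               for c, b in text_parts(msg) for p in PHISH_FRAGMENTS)


def has_uri(raw):
    return any(URI_RE.search(b) for _, b in message_from_string(raw) and text_parts(message_from_string(raw)))


def uri_phish_like(raw):
    """Toy model of comment #6: more than one fragment hit AND a URL present."""
    return count_phish_fragments(raw) > 1 and has_uri(raw)


def explain(raw):
    status = parse_spam_status(message_from_string(raw)["X-Spam-Status"])
    return {"sa_verdict_is_spam": status["is_spam"], "score": status["score"],
            "required": status["required"],
            "uri_phish_in_tests": "URI_PHISH" in status["tests"],
            "fragment_hits": count_phish_fragments(raw),
            "toy_rule_fires": uri_phish_like(raw)}


if __name__ == "__main__":
    for name, raw in (("multipart", MULTIPART_CONFIRMATION),
                      ("html-only", HTML_ONLY_CONFIRMATION)):
        print(name, explain(raw))
```

Running it shows the multipart message with two fragment hits and the toy rule firing while `sa_verdict_is_spam` stays `False` (3.6 < 5.0), and the HTML-only message with a single hit and no rule hit, which is the pattern reported in comment #2 and explained in comment #6. `has_uri` deliberately searches the undecoded part bodies so that a link carried only in an `href` attribute still counts.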
[Bug 7940] URI_PHISH false positive

John Hardin <jhardin@impsec.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |WONTFIX

--- Comment #7 from John Hardin <jhardin@impsec.org> ---
Closing as FAD. Rule discussions should take place on the Users mailing list.
