https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8214
--- Comment #6 from Jared <jared@jaredsec.com> ---
(In reply to Robert Scheck from comment #3)
> (In reply to Bill Cole from comment #2)
> > The hypothetical message seemingly quoted in this bug report DOES NOT match
> > BODY_URI_ONLY. It hits the unscored __HAS_ANY_URI, but that is not
> > meaningful (or even visible unless you scan it with debug messages.) It also
> > is formatted as a locally-submitted message that has not been transported by
> > SMTP.
>
> I am sorry, but the anonymized sample in comment #0 is from a regular
> production environment (actually copied from the bounce Postfix generated on
> the sending system).
>
> And this sample leads to SCC_BODY_URI_ONLY with 2.796 points here (the
> actual delivery attempt as well as a manual check).
>
> 3.004006/updates_spamassassin_org/72_scores.cf:score SCC_BODY_URI_ONLY
> 2.500 2.796 2.500 2.796
> 3.004006/updates_spamassassin_org/72_active.cf:##{ SCC_BODY_URI_ONLY
> 3.004006/updates_spamassassin_org/72_active.cf:meta SCC_BODY_URI_ONLY
> T_SCC_BODY_TEXT_LINE < 2 && __HAS_ANY_URI && !__SMIME_MESSAGE
> 3.004006/updates_spamassassin_org/72_active.cf:##} SCC_BODY_URI_ONLY
>
> > The attached message is NOT at all similar to that message, but rather it is
> > a DMARC report in multipart/mixed format with a one-line text part and a
> > gzip'ed XML file. It does hit BODY_URI_ONLY but because it hits nothing
> > else, it comes nowhere near the default threshold of 5.
>
> I can not speak for Jared.
DMARC reports from Google, Amazon, Mail.ru, KDD, Docomo all hit the rule:
SCC_BODY_URI_ONLY. Prior to Dec 24, this False Positive NEVER occurred in
these messages. Now it is ubiquitous.
I'll zero out the score for SCC_BODY_URI_ONLY
>
> > An effect of that is some messages hitting *_URI_* rules that in principle
> > include no URIs in their displayed bodies and in most cases do not make what
> > SA has detected clickable. If this was actually causing scores greater than
> > 5 (or really, anywhere near) on real-world messages it would be important to
> > fix. I am not convinced that this report includes any evidence of that.
>
> DEAR_SOMETHING=1.973,KAM_DMARC_STATUS=0.01,SCC_BODY_URI_ONLY=2.796,
> SPF_HELO_PASS=-0.001,SPF_PASS=-0.001,T_SCC_BODY_TEXT_LINE=-0.01 is what
> applied for the original non-anonymized message. Not exactly 5, but pretty
> close.
--
You are receiving this mail because:
You are the assignee for the bug.
--- Comment #6 from Jared <jared@jaredsec.com> ---
(In reply to Robert Scheck from comment #3)
> (In reply to Bill Cole from comment #2)
> > The hypothetical message seemingly quoted in this bug report DOES NOT match
> > BODY_URI_ONLY. It hits the unscored __HAS_ANY_URI, but that is not
> > meaningful (or even visible unless you scan it with debug messages.) It also
> > is formatted as a locally-submitted message that has not been transported by
> > SMTP.
>
> I am sorry, but the anonymized sample in comment #0 is from a regular
> production environment (actually copied from the bounce Postfix generated on
> the sending system).
>
> And this sample leads to SCC_BODY_URI_ONLY with 2.796 points here (the
> actual delivery attempt as well as a manual check).
>
> 3.004006/updates_spamassassin_org/72_scores.cf:score SCC_BODY_URI_ONLY
> 2.500 2.796 2.500 2.796
> 3.004006/updates_spamassassin_org/72_active.cf:##{ SCC_BODY_URI_ONLY
> 3.004006/updates_spamassassin_org/72_active.cf:meta SCC_BODY_URI_ONLY
> T_SCC_BODY_TEXT_LINE < 2 && __HAS_ANY_URI && !__SMIME_MESSAGE
> 3.004006/updates_spamassassin_org/72_active.cf:##} SCC_BODY_URI_ONLY
>
> > The attached message is NOT at all similar to that message, but rather it is
> > a DMARC report in multipart/mixed format with a one-line text part and a
> > gzip'ed XML file. It does hit BODY_URI_ONLY but because it hits nothing
> > else, it comes nowhere near the default threshold of 5.
>
> I can not speak for Jared.
DMARC reports from Google, Amazon, Mail.ru, KDD, Docomo all hit the rule:
SCC_BODY_URI_ONLY. Prior to Dec 24, this False Positive NEVER occurred in
these messages. Now it is ubiquitous.
I'll zero out the score for SCC_BODY_URI_ONLY
>
> > An effect of that is some messages hitting *_URI_* rules that in principle
> > include no URIs in their displayed bodies and in most cases do not make what
> > SA has detected clickable. If this was actually causing scores greater than
> > 5 (or really, anywhere near) on real-world messages it would be important to
> > fix. I am not convinced that this report includes any evidence of that.
>
> DEAR_SOMETHING=1.973,KAM_DMARC_STATUS=0.01,SCC_BODY_URI_ONLY=2.796,
> SPF_HELO_PASS=-0.001,SPF_PASS=-0.001,T_SCC_BODY_TEXT_LINE=-0.01 is what
> applied for the original non-anonymized message. Not exactly 5, but pretty
> close.
--
You are receiving this mail because:
You are the assignee for the bug.