[Bug 8214] __HAS_ANY_URI matches non-URI

Thu, 01 Feb 2024 21:22:34 -0800 

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8214

--- Comment #6 from Jared <ja...@jaredsec.com> ---
(In reply to Robert Scheck from comment #3)
> (In reply to Bill Cole from comment #2)
> > The hypothetical message seemingly quoted in this bug report DOES NOT match
> > BODY_URI_ONLY. It hits the unscored __HAS_ANY_URI, but that is not
> > meaningful (or even visible unless you scan it with debug messages.) It also
> > is formatted as a locally-submitted message that has not been transported by
> > SMTP.
> 
> I am sorry, but the anonymized sample in comment #0 is from a regular
> production environment (actually copied from the bounce Postfix generated on
> the sending system).
> 
> And this sample leads to SCC_BODY_URI_ONLY with 2.796 points here (the
> actual delivery attempt as well as a manual check).
> 
> 3.004006/updates_spamassassin_org/72_scores.cf:score SCC_BODY_URI_ONLY      
> 2.500 2.796 2.500 2.796
> 3.004006/updates_spamassassin_org/72_active.cf:##{ SCC_BODY_URI_ONLY
> 3.004006/updates_spamassassin_org/72_active.cf:meta   SCC_BODY_URI_ONLY     
> T_SCC_BODY_TEXT_LINE < 2 && __HAS_ANY_URI && !__SMIME_MESSAGE
> 3.004006/updates_spamassassin_org/72_active.cf:##} SCC_BODY_URI_ONLY
> 
> > The attached message is NOT at all similar to that message, but rather it is
> > a DMARC report in multipart/mixed format with a one-line text part and a
> > gzip'ed XML file. It does hit BODY_URI_ONLY but because it hits nothing
> > else, it comes nowhere near the default threshold of 5. 
> 
> I can not speak for Jared.

DMARC reports from Google, Amazon, Mail.ru, KDD, Docomo all hit the rule:
SCC_BODY_URI_ONLY.  Prior to Dec 24, this False Positive NEVER occurred in
these messages.  Now it is ubiquitous.

I'll zero out the score for SCC_BODY_URI_ONLY

> 
> > An effect of that is some messages hitting *_URI_* rules that in principle
> > include no URIs in their displayed bodies and in most cases do not make what
> > SA has detected clickable. If this was actually causing scores greater than
> > 5 (or really, anywhere near) on real-world messages it would be important to
> > fix. I am not convinced that this report includes any evidence of that.
> 
> DEAR_SOMETHING=1.973,KAM_DMARC_STATUS=0.01,SCC_BODY_URI_ONLY=2.796,
> SPF_HELO_PASS=-0.001,SPF_PASS=-0.001,T_SCC_BODY_TEXT_LINE=-0.01 is what
> applied for the original non-anonymized message. Not exactly 5, but pretty
> close.

-- 
You are receiving this mail because:
You are the assignee for the bug.

Reply via email to