Bug 7710 - FUZZY_WALLET false positive
Status: RESOLVED INVALID
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: 3.4.2
Hardware: All Linux
Importance: P2 normal
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
Reported: 2019-04-30 12:24 UTC by Dennis Mercuriali
Modified: 2019-05-03 19:00 UTC

Description Dennis Mercuriali 2019-04-30 12:24:18 UTC
Hi,

we encountered a strange problem with the FUZZY_WALLET rule.

This rule should try to match this regex: /<W>(?!allet)<A><L><L><E><T>/i
but in the email there is nothing matching this pattern.


I can't provide the email and I can only access these logs:

2019-04-30 09:32:55 rawresponse: SPAMD/1.1 0 EX_OK
Content-length: 209
Spam: False ; 2.5 / 5.0

Detailed report: (2.5 scored, 5.0 requested)

 Score Rule_name Description
---- ---------------------- --------------------------------------------------
 2.5 FUZZY_WALLET           BODY: Obfuscated "Wallet"

 
2019-04-30 09:32:55 score 2.5 key FUZZY_WALLET detail BODY: Obfuscated "Wallet"
 
2019-04-30 09:32:55 procotol version: 1.1 
2019-04-30 09:32:55 headers: {Content-length=209, Spam=False ; 2.5 / 5.0} 
2019-04-30 09:32:55 threshold: 5.0 
2019-04-30 09:32:55 response message: EX_OK 
2019-04-30 09:32:56 score 2.5 key FUZZY_WALLET detail BODY: Obfuscated "Wallet"



This rule should only match a text like "<W><A><L><L><E><T>" (case insensitive) right?
Comment 1 Bill Cole 2019-04-30 14:50:08 UTC
(In reply to Dennis Mercuriali from comment #0)
> Hi,
> 
> we encountered a strange problem with the FUZZY_WALLET rule.
> 
> This rule should try to match this regex: /<W>(?!allet)<A><L><L><E><T>/i
> but in the email there is nothing matching this pattern.

If you are unwilling to provide *actual evidence* of that, this is not an actionable bug report. 

Actual evidence would be a message which matches the rule but should not. Any matching message would do, even one invented to demonstrate the problem.
 
> This rule should only match a text like "<W><A><L><L><E><T>" (case
> insensitive) right?

Wrong. 

Run "perldoc Mail::SpamAssassin::Plugin::ReplaceTags" for more information.
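
Added example (not part of the bug thread and not SpamAssassin's own code): a Python sketch of the tag substitution that the ReplaceTags documentation referenced in comment 1 describes, applied to the pattern quoted in the report. The tag definitions and the names `TAGS`, `expand_tags` and `rule_hits` are constructed, simplified assumptions; the definitions shipped with SpamAssassin are different and broader.

```python
import re

# Constructed, simplified tag definitions (assumption). In SpamAssassin the
# real ones are set by replace_tag lines in the rule files.
TAGS = {
    "W": r"w|vv",
    "A": r"[a@4\u00e0-\u00e5]",
    "L": r"[l1|!]",
    "E": r"[e3\u00e8-\u00eb]",
    "T": r"[t7+]",
}

# Pattern exactly as quoted in the report (without the /.../i delimiters).
RULE = r"<W>(?!allet)<A><L><L><E><T>"


def expand_tags(pattern, tags=TAGS):
    """Substitute every <NAME> tag with its definition before compiling."""
    def substitute(match):
        name = match.group(1)
        if name not in tags:
            raise KeyError("undefined tag <%s>" % name)
        # Wrap in a non-capturing group so alternations stay contained.
        return "(?:" + tags[name] + ")"
    return re.sub(r"<([A-Z]+)>", substitute, pattern)


def rule_hits(text):
    """True if the expanded rule matches, case-insensitively like the /i flag."""
    return re.search(expand_tags(RULE), text, re.IGNORECASE) is not None


if __name__ == "__main__":
    print(expand_tags(RULE))
    # Constructed sample body lines.
    for sample in ["open your wallet now",      # plain spelling: lookahead rejects
                   "open your w@llet now",      # '@' standing in for 'a'
                   "open your wa11et now",      # digits standing in for 'l'
                   "open your w\u00e0llet now"]:  # accented 'a' in the raw body
        print(repr(sample), rule_hits(sample))
```

The `(?!allet)` lookahead is what keeps the plain spelling from hitting, so a hit means some character in the scanned body differs from the plain word, which a retyped or rendered copy may not preserve.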
Comment 2 John Hardin 2019-04-30 16:19:34 UTC
Also: please take rules questions to the SA Users list first.
Comment 3 Dennis Mercuriali 2019-05-03 09:55:52 UTC
Thank you for the tip on the rule regex.

I'm unable to reproduce the problem and I can't share the original for legal reasons.

The message doesn't match the rule. Submitting to spamassassin a copy of the email produces no errors while the original keeps on producing it.
Could it be an encoding or similar error in the original message?

Anyway, sorry for opening this ticket. If it happens again I'll do more tests.
Comment 4 John Hardin 2019-05-03 15:54:18 UTC
Feel free to bring it to the Users list as well.
Comment 5 RW 2019-05-03 19:00:30 UTC
(In reply to Dennis Mercuriali from comment #3)
> Submitting to spamassassin a copy of the
> email produces no errors while the original keeps on producing it.
> 
> .. if it happens again


I'm not sure what you are saying here. The wording suggests that "the original" is a single email which you can retest. Your comment about encoding suggests that "the copy" may then be rendered text from an email client.

If that's correct, then try testing it like this:

  spamassassin -D 2>&1  < original  | grep 'rule FUZZY_WALLET'