I do not see any X-Spam- headers in the second email. This makes me suspect that it was not scanned by SA.

Maybe but I also used mail-tester.com which I get a tiny mark down for using html but no URI_PHISH positive unless I send the multipart one.

Either way why would this link show positive for uri phishing? It's a false positive

Here is the email scanned with the link and no URI_PHISH positive:

Return-Path: <no-reply@venue2you.com>
Delivered-To: admin@nextgenappsllc.com
Received: from nextgenappsllc.com
	by grootchema.nextgenappsllc.com (Dovecot) with LMTP id WYdJKvOqgWF0HAAAQQk82Q
	for <admin@nextgenappsllc.com>; Tue, 02 Nov 2021 17:17:39 -0400
Received: by nextgenappsllc.com (Postfix, from userid 115)
	id A36853EAB6; Tue,  2 Nov 2021 17:17:39 -0400 (EDT)
Authentication-Results: nextgenappsllc.com;
	dkim=pass (2048-bit key; unprotected) header.d=venue2you.com header.i=@venue2you.com header.b="GlSrb+Fh";
	dkim-atps=neutral
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
	grootchema.nextgenappsllc.com
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLOCKED
	autolearn=unavailable autolearn_force=no version=3.4.2
Received: from mail.venue2you.com (mail.venue2you.com [170.187.146.47])
	by nextgenappsllc.com (Postfix) with ESMTPS id 4F3F83EA16
	for <admin@nextgenappsllc.com>; Tue,  2 Nov 2021 17:17:39 -0400 (EDT)
Authentication-Results: mail.venue2you.com (amavisd-new);
	dkim=pass (2048-bit key) reason="pass (just generated, assumed good)"
	header.d=venue2you.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=venue2you.com; h=
	content-transfer-encoding:content-type:mime-version:subject
	:message-id:to:reply-to:from:date; s=dkim; t=1635887858; x=
	1638479859; bh=IAqusvlHU+Lgzu9uZEGBCanRTOVHQb0UTitiUxcIgm8=; b=G
	lSrb+FhIMnjNth8ASE2y7eNzRCNbVXqmBQWTlnztWN/G9Ah77c7ErMPlv4H95Kgm
	O4GymSiI52n3lWo3kzF5yGuRoCryvDpyu8jss6O7xA2GAXzAuhta73ZEHc9E6ASV
	iFuWOkH4WTQIu9grgltHxz5eYX6n5Xc9R8SzE2ogK5OnIO2fECwEu8TETz1BNWbU
	Q4Ysf7YqidRV8g+6DXFmVrGJwChPCu739at/gdJXlD5HL7h4o7ifW19f/yBayfLt
	mZnq+f1jywXKwBzJ3QztJ/MXzw0kWOzHege3VYw4/Sv3bVuhIReLiZVd/qged9dJ
	fNn4OtCbluZNAjQwAgmyg==
X-Virus-Scanned: Debian amavisd-new at mail.venue2you.com
Date: Tue, 02 Nov 2021 17:17:38 -0400
From: no-reply@venue2you.com
Reply-To: no-reply@venue2you.com
To: admin@nextgenappsllc.com
Message-ID: <6181aaf29a4d_12bf78c8c63d7@Joses-MacBook-Pro.local.mail>
Subject: Reset password instructions
Mime-Version: 1.0
Content-Type: text/html;
 charset=UTF-8
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <style>
      /* Email styles need to be inline */
    </style>
  </head>

  <body>
    <p>Hello admin@nextgenappsllc.com!</p>

<p>Someone has requested a link to change your password. You can do this through the link below.</p>

<p><a href="https://venue2you.com/users/password/edit?reset_password_token=s_AUowmUQGqfkjDcvqh9">Change my password</a></p>

<p>If you didn&#39;t request this, please ignore this email.</p>
<p>Your password won&#39;t change until you access the link above and create a new one.</p>

  </body>
</html>

Ok so it seems the confirmation email gets flagged but the reset password one does not. Even though being very similar and there are no phishing urls:



URI_PHISH positive:

------------------------------------------------------------------------

Return-Path: <no-reply@venue2you.com>
Delivered-To: admin@nextgenappsllc.com
Received: from nextgenappsllc.com
	by grootchema.nextgenappsllc.com (Dovecot) with LMTP id R6KrFeGsgWEGIAAAQQk82Q
	for <admin@nextgenappsllc.com>; Tue, 02 Nov 2021 17:25:53 -0400
Received: by nextgenappsllc.com (Postfix, from userid 115)
	id 509193EAB6; Tue,  2 Nov 2021 17:25:53 -0400 (EDT)
Authentication-Results: nextgenappsllc.com;
	dkim=pass (2048-bit key; unprotected) header.d=venue2you.com header.i=@venue2you.com header.b="Of61663L";
	dkim-atps=neutral
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
	grootchema.nextgenappsllc.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,HTML_MESSAGE,SPF_HELO_PASS,URIBL_BLOCKED,URI_PHISH
	autolearn=no autolearn_force=no version=3.4.2
Received: from mail.venue2you.com (mail.venue2you.com [170.187.146.47])
	by nextgenappsllc.com (Postfix) with ESMTPS id 0E1BA3EA16
	for <admin@nextgenappsllc.com>; Tue,  2 Nov 2021 17:25:53 -0400 (EDT)
Authentication-Results: mail.venue2you.com (amavisd-new);
	dkim=pass (2048-bit key) reason="pass (just generated, assumed good)"
	header.d=venue2you.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=venue2you.com; h=
	content-transfer-encoding:content-type:mime-version:subject
	:message-id:to:reply-to:from:date; s=dkim; t=1635888352; x=
	1638480353; bh=5len7HBjhbGUzBUG4Z5WXfNH//7VPF3PKuKTaAZhloI=; b=O
	f61663LM6adU7XjPGiogs0E4FCscobb4IRY768+vcBAo1AgsrnNgEn8XU5OqLhpS
	TQ9DVG90RBgoyWPVZ9mZ5NijEC70VeneEesXnHc+IW5mMboJWwhAlBFDC9VLdzvY
	EiZvk1269SmavFeKBlnNYad4PlUECP8h8NE1GWpDQX1It3TINy7L59I4xqpjBJkE
	E/ZfIRq9VokRxqsPfUm7GYjPQrfQtHRrtQNAAN6N2C7G6/mJApNKRTNbHiLz9R8L
	nAnGNXWNezdrKKiw+spywbq3xMbyMvDNkE08BtvA0dSAo93GBffUb2tyS0bGmOEq
	u9gkBO13plXSer6fzBc+A==
X-Virus-Scanned: Debian amavisd-new at mail.venue2you.com
Date: Tue, 02 Nov 2021 17:25:52 -0400
From: no-reply@venue2you.com
Reply-To: no-reply@venue2you.com
To: admin@nextgenappsllc.com
Message-ID: <6181ace056a36_1ff210b88774@grootchema.mail>
Subject: Confirmation instructions
Mime-Version: 1.0
Content-Type: multipart/alternative;
 boundary="--==_mimepart_6181ace055fa4_1ff210b886ab";
 charset=UTF-8
Content-Transfer-Encoding: 7bit


----==_mimepart_6181ace055fa4_1ff210b886ab
Content-Type: text/plain;
 charset=UTF-8
Content-Transfer-Encoding: 7bit

Welcome admin@nextgenappsllc.com!

You can confirm your account email through the link below:

https://venue2you.com/users/confirmation?confirmation_token=R9zBfiResWJ5iSvJihQQ


----==_mimepart_6181ace055fa4_1ff210b886ab
Content-Type: text/html;
 charset=UTF-8
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <style>
      /* Email styles need to be inline */
    </style>
  </head>

  <body>
    <p>Welcome admin@nextgenappsllc.com!</p>

<p>You can confirm your account email through the link below:</p>

<p><a href="https://venue2you.com/users/confirmation?confirmation_token=R9zBfiResWJ5iSvJihQQ">Confirm my account</a></p>

  </body>
</html>

----==_mimepart_6181ace055fa4_1ff210b886ab--

------------------------------------------------------------------------






URI_PHISH negative:

------------------------------------------------------------------------

Return-Path: <no-reply@venue2you.com>
Delivered-To: admin@nextgenappsllc.com
Received: from nextgenappsllc.com
	by grootchema.nextgenappsllc.com (Dovecot) with LMTP id E6+lAC+tgWEbIAAAQQk82Q
	for <admin@nextgenappsllc.com>; Tue, 02 Nov 2021 17:27:11 -0400
Received: by nextgenappsllc.com (Postfix, from userid 115)
	id F1B5F3EAB6; Tue,  2 Nov 2021 17:27:10 -0400 (EDT)
Authentication-Results: nextgenappsllc.com;
	dkim=pass (2048-bit key; unprotected) header.d=venue2you.com header.i=@venue2you.com header.b="ZYq7ukiU";
	dkim-atps=neutral
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
	grootchema.nextgenappsllc.com
X-Spam-Level: 
X-Spam-Status: No, score=-0.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,HTML_MESSAGE,SPF_HELO_PASS,URIBL_BLOCKED
	autolearn=unavailable autolearn_force=no version=3.4.2
Received: from mail.venue2you.com (mail.venue2you.com [170.187.146.47])
	by nextgenappsllc.com (Postfix) with ESMTPS id B027F3EA16
	for <admin@nextgenappsllc.com>; Tue,  2 Nov 2021 17:27:10 -0400 (EDT)
Authentication-Results: mail.venue2you.com (amavisd-new);
	dkim=pass (2048-bit key) reason="pass (just generated, assumed good)"
	header.d=venue2you.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=venue2you.com; h=
	content-transfer-encoding:content-type:mime-version:subject
	:message-id:to:reply-to:from:date; s=dkim; t=1635888430; x=
	1638480431; bh=3DmNU/jv/DuRr0CM46g83nAOX6HrY46Rcs+BDALrVy4=; b=Z
	Yq7ukiUOziHWg1BA88syoR4LuD9hphbphBVF/Bg++xc9sakajBzW0MM7ulALcMSD
	GAt54xLodhFDapW5qZQhy9t6SmbaBpl/xBd1Oi8qEcyFLxtxoxJ8B6mD56fe4sIy
	FW0HtMWEpZ6Xy64oVglYIkUWLOP613C1w8a7ALd1cEx4UavgrqBqpgGVQakDZbqL
	tVm+6aztcPVDmEPd8cHk39ecj96Bkc4i7f24Bo8hn3bgf4k0KDscowraHk6L8R/L
	GvZ0RsIJZKsSXKW3E4Bbl9SkcISXqnfDRR4zqWW8htsSoUs/16IFlR10l4RZzTVd
	3QkAoBNMjf+sopMaEG6Qw==
X-Virus-Scanned: Debian amavisd-new at mail.venue2you.com
Date: Tue, 02 Nov 2021 17:27:10 -0400
From: no-reply@venue2you.com
Reply-To: no-reply@venue2you.com
To: admin@nextgenappsllc.com
Message-ID: <6181ad2e15bb9_1ff310b88710@grootchema.mail>
Subject: Reset password instructions
Mime-Version: 1.0
Content-Type: multipart/alternative;
 boundary="--==_mimepart_6181ad2e14a65_1ff310b886e3";
 charset=UTF-8
Content-Transfer-Encoding: 7bit


----==_mimepart_6181ad2e14a65_1ff310b886e3
Content-Type: text/plain;
 charset=UTF-8
Content-Transfer-Encoding: 7bit

Hello admin@nextgenappsllc.com!

Someone has requested a link to change your password. You can do this through the link below.

https://venue2you.com/users/password/edit?reset_password_token=S55Mvfe6fU57YpfkxtZY

If you didn't request this, please ignore this email.
Your password won't change until you access the link above and create a new one.


----==_mimepart_6181ad2e14a65_1ff310b886e3
Content-Type: text/html;
 charset=UTF-8
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <style>
      /* Email styles need to be inline */
    </style>
  </head>

  <body>
    <p>Hello admin@nextgenappsllc.com!</p>

<p>Someone has requested a link to change your password. You can do this through the link below.</p>

<p><a href="https://venue2you.com/users/password/edit?reset_password_token=S55Mvfe6fU57YpfkxtZY">Change my password</a></p>

<p>If you didn&#39;t request this, please ignore this email.</p>
<p>Your password won&#39;t change until you access the link above and create a new one.</p>

  </body>
</html>

----==_mimepart_6181ad2e14a65_1ff310b886e3--

------------------------------------------------------------------------

> X-Spam-Status: No, score=3.6 required=5.0 

So? The test is hitting, but it isn't nearly enough to mark it as spam. 
It takes 5 points to be a spam, and this only gets 3.6 total from several rules hitting.

BTW, URIBL_BLOCKED indicates a configuration error on the system doing the mail checking.

Also: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13)

The current version of SA is 3.4.6, and is about 3 years newer than the version running on the test system. There have been quite a few fixes since 3.4.2.

It's not based on "phishing URLs" or the specific link, it's based on having body text that looks like account phishing and having a URL.

The body text that looks suspiciously like phishing is, unsurprisingly, "confirm your account".

The reason one version hits and the other does not is, the rule is looking for multiple phishing text fragments, and the repetition of that text in the plain-text and HTML body parts unfortunately counts double.

> X-Spam-Status: No, score=3.717 tagged_above=2 required=6.2

As Loren said, this is not a FP, as the total score for the message did not exceed the spam threshold. This is a single-rule hit on spammy-looking content without other signs to support it. That happens.

It is not a bug that a given rule will hit some ham.

The only suggestion I can offer is that you reword your message to make it look less like phishing. Perhaps:

  Please confirm that you created an account on our service using that email address by clicking this link: <a mumble>Confirm new account</a>

Closing as FAD. Rule discussions should take place on the Users mailing list.