SA Bugzilla – Bug 7940
URI_PHISH false positive
Last modified: 2021-11-03 01:51:21 UTC
I am getting the following result in confirmation emails, URI_PHISH=3.717, when I include both text and html. When I just do html I do not get the URI_PHISH positive. From my understanding this is to prevent links with text that tries to trick the user like: <a href="http://evil-website.com/some_phishing_form">https://paypal.com</a>

Mine does not do that. The same exact link does not get marked as URI_PHISH if I exclude the text template. See the example email below:

------------------------------------------------------------------------
Return-Path: <no-reply@venue2you.com>
Delivered-To: admin@nextgenappsllc.com
Received: from nextgenappsllc.com by grootchema.nextgenappsllc.com (Dovecot) with LMTP id 6OSXMsWLgWGuEgAAQQk82Q for <admin@nextgenappsllc.com>; Tue, 02 Nov 2021 15:04:37 -0400
Received: by nextgenappsllc.com (Postfix, from userid 115) id C8D8C3EAB6; Tue, 2 Nov 2021 15:04:37 -0400 (EDT)
Authentication-Results: nextgenappsllc.com; dkim=pass (2048-bit key; unprotected) header.d=venue2you.com header.i=@venue2you.com header.b="h0fAIUmz"; dkim-atps=neutral
Received: from mail.venue2you.com (mail.venue2you.com [170.187.146.47]) by nextgenappsllc.com (Postfix) with ESMTPS id C2AD93EA16 for <admin@nextgenappsllc.com>; Tue, 2 Nov 2021 15:04:35 -0400 (EDT)
Authentication-Results: mail.venue2you.com (amavisd-new); dkim=pass (2048-bit key) reason="pass (just generated, assumed good)" header.d=venue2you.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=venue2you.com; h=
 content-transfer-encoding:content-type:mime-version:subject
 :message-id:to:reply-to:from:date; s=dkim; t=1635879875; x=
 1638471876; bh=UYIN8kVY626mO7//mPbnMdEQY/Sp1tkN39zd4pqfBBs=; b=h
 0fAIUmz8A6i0JpsRktulCUJC08POzOXbjhNrHpi9xGi006y+vbRT6FNJY/4M7pRC
 C4cWsmyrBaOvckIreRb8DETa873RwS95XM5bYIDGpPmW4RAJFNoPaA8nRBPA92Z8
 K87xfozAa7chXojLRpQjMSX9byI0KCwp8J/bcYXuYfM6WltI79sEZFN8iW7A2p9r
 ouJzYWI64gRmDm9A+9TXjoA88IhQqKZkOpSOp3DvRMYDVUXy4cixa+OxJSHojw6/
 HoCSjpqQM7ovASFxXRTvVPpBrNxa2W+1FCRh1Y6PK8AHeWqXLzvry7aNxuv8j980
 e6nCutPJzXkCEvtbjkNEA==
X-Virus-Scanned: Debian amavisd-new at mail.venue2you.com
X-Spam-Flag: NO
X-Spam-Score: 3.717
X-Spam-Level: ***
X-Spam-Status: No, score=3.717 tagged_above=2 required=6.2 tests=[HTML_MESSAGE=0.001, NO_RECEIVED=-0.001, NO_RELAYS=-0.001, URIBL_BLOCKED=0.001, URI_PHISH=3.717] autolearn=no autolearn_force=no
Date: Tue, 02 Nov 2021 15:04:34 -0400
From: no-reply@venue2you.com
Reply-To: no-reply@venue2you.com
To: admin@nextgenappsllc.com
Message-ID: <61818bc2c12ad_12bf7404c55cc@Joses-MacBook-Pro.local.mail>
Subject: Confirmation instructions
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_61818bc2c05f3_12bf7404c54a6"; charset=UTF-8
Content-Transfer-Encoding: 7bit

----==_mimepart_61818bc2c05f3_12bf7404c54a6
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Welcome admin@nextgenappsllc.com!
You can confirm your account email through the link below:
------------------------------------------------------------------------
----==_mimepart_61818bc2c05f3_12bf7404c54a6
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style>
/* Email styles need to be inline */
</style>
</head>
<body>
<p>Welcome admin@nextgenappsllc.com!</p>
<p>You can confirm your account email through the link below:</p>
<p><a href="https://venue2you.com/users/confirmation?confirmation_token=yJwJKQM2t5UcNtCzqDz1">Confirm my account</a></p>
</body>
</html>
----==_mimepart_61818bc2c05f3_12bf7404c54a6--
------------------------------------------------------------------------

This is an example of the email with the same link not showing up positive:

------------------------------------------------------------------------
Return-Path: <no-reply@venue2you.com>
Delivered-To: admin@nextgenappsllc.com
Received: from nextgenappsllc.com by grootchema.nextgenappsllc.com (Dovecot) with LMTP id KE0vA0aMgWHXEgAAQQk82Q for <admin@nextgenappsllc.com>; Tue, 02 Nov 2021 15:06:46 -0400
Received: by nextgenappsllc.com (Postfix, from userid 115) id 070D43EAB6; Tue, 2 Nov 2021 15:06:46 -0400 (EDT)
Authentication-Results: nextgenappsllc.com; dkim=pass (2048-bit key; unprotected) header.d=venue2you.com header.i=@venue2you.com header.b="DlpwO/Ka"; dkim-atps=neutral
Received: from mail.venue2you.com (mail.venue2you.com [170.187.146.47]) by nextgenappsllc.com (Postfix) with ESMTPS id 0008F3EA16 for <admin@nextgenappsllc.com>; Tue, 2 Nov 2021 15:06:43 -0400 (EDT)
Authentication-Results: mail.venue2you.com (amavisd-new); dkim=pass (2048-bit key) reason="pass (just generated, assumed good)" header.d=venue2you.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=venue2you.com; h=
 content-transfer-encoding:content-type:mime-version:subject
 :message-id:to:reply-to:from:date; s=dkim; t=1635880003; x=
 1638472004; bh=VE8ZAPuNjTT1faRccAt119zMTZvdcnz9fY48iK26ngc=; b=D
 lpwO/Ka27qkAaQJJyVpGaBqiLhd2DW/HdTgZtlEqHV+zbrcyuSEODQ/IPqAreilF
 zi/IqQYcOvTY5+8xdqOeVQo6DBin0W40qvYNKF0fu9YrBC9azN8MApxWuhrZbrja
 ucpSjdX1P4CWCniH6R1mBtVsoh7SYLXzR8MbOvjOYqTSGVin5kIsCZhoj4wVGvoW
 ZYqxvEUmuykIa1ur0ZGJZCkQUY5XyyPYvCMrjSZF1Y1msPQKjJYzi4fPKcf5WrqX
 nJm3aLJ93zlUGkGV+cwxb+8SEgB1MpQ+k+WWfXznvFpD20l2aqQEc0RN6GLR9guK
 NIXnsZxcpFflNk6ApJrsg==
X-Virus-Scanned: Debian amavisd-new at mail.venue2you.com
Date: Tue, 02 Nov 2021 15:06:42 -0400
From: no-reply@venue2you.com
Reply-To: no-reply@venue2you.com
To: admin@nextgenappsllc.com
Message-ID: <61818c42cc31b_12bf7582056e8@Joses-MacBook-Pro.local.mail>
Subject: Confirmation instructions
Mime-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style>
/* Email styles need to be inline */
</style>
</head>
<body>
<p>Welcome admin@nextgenappsllc.com!</p>
<p>You can confirm your account email through the link below:</p>
<p><a href="https://venue2you.com/users/confirmation?confirmation_token=yJwJKQM2t5UcNtCzqDz1">Confirm my account</a></p>
</body>
</html>
------------------------------------------------------------------------
I do not see any X-Spam- headers in the second email. This makes me suspect that it was not scanned by SA.
Maybe, but I also used mail-tester.com, where I get a tiny markdown for using html but no URI_PHISH positive unless I send the multipart one. Either way, why would this link show positive for URI phishing? It's a false positive.
Here is the email scanned with the link and no URI_PHISH positive:

Return-Path: <no-reply@venue2you.com>
Delivered-To: admin@nextgenappsllc.com
Received: from nextgenappsllc.com by grootchema.nextgenappsllc.com (Dovecot) with LMTP id WYdJKvOqgWF0HAAAQQk82Q for <admin@nextgenappsllc.com>; Tue, 02 Nov 2021 17:17:39 -0400
Received: by nextgenappsllc.com (Postfix, from userid 115) id A36853EAB6; Tue, 2 Nov 2021 17:17:39 -0400 (EDT)
Authentication-Results: nextgenappsllc.com; dkim=pass (2048-bit key; unprotected) header.d=venue2you.com header.i=@venue2you.com header.b="GlSrb+Fh"; dkim-atps=neutral
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on grootchema.nextgenappsllc.com
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HTML_MESSAGE,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.2
Received: from mail.venue2you.com (mail.venue2you.com [170.187.146.47]) by nextgenappsllc.com (Postfix) with ESMTPS id 4F3F83EA16 for <admin@nextgenappsllc.com>; Tue, 2 Nov 2021 17:17:39 -0400 (EDT)
Authentication-Results: mail.venue2you.com (amavisd-new); dkim=pass (2048-bit key) reason="pass (just generated, assumed good)" header.d=venue2you.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=venue2you.com; h=
 content-transfer-encoding:content-type:mime-version:subject
 :message-id:to:reply-to:from:date; s=dkim; t=1635887858; x=
 1638479859; bh=IAqusvlHU+Lgzu9uZEGBCanRTOVHQb0UTitiUxcIgm8=; b=G
 lSrb+FhIMnjNth8ASE2y7eNzRCNbVXqmBQWTlnztWN/G9Ah77c7ErMPlv4H95Kgm
 O4GymSiI52n3lWo3kzF5yGuRoCryvDpyu8jss6O7xA2GAXzAuhta73ZEHc9E6ASV
 iFuWOkH4WTQIu9grgltHxz5eYX6n5Xc9R8SzE2ogK5OnIO2fECwEu8TETz1BNWbU
 Q4Ysf7YqidRV8g+6DXFmVrGJwChPCu739at/gdJXlD5HL7h4o7ifW19f/yBayfLt
 mZnq+f1jywXKwBzJ3QztJ/MXzw0kWOzHege3VYw4/Sv3bVuhIReLiZVd/qged9dJ
 fNn4OtCbluZNAjQwAgmyg==
X-Virus-Scanned: Debian amavisd-new at mail.venue2you.com
Date: Tue, 02 Nov 2021 17:17:38 -0400
From: no-reply@venue2you.com
Reply-To: no-reply@venue2you.com
To: admin@nextgenappsllc.com
Message-ID: <6181aaf29a4d_12bf78c8c63d7@Joses-MacBook-Pro.local.mail>
Subject: Reset password instructions
Mime-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style>
/* Email styles need to be inline */
</style>
</head>
<body>
<p>Hello admin@nextgenappsllc.com!</p>
<p>Someone has requested a link to change your password. You can do this through the link below.</p>
<p><a href="https://venue2you.com/users/password/edit?reset_password_token=s_AUowmUQGqfkjDcvqh9">Change my password</a></p>
<p>If you didn't request this, please ignore this email.</p>
<p>Your password won't change until you access the link above and create a new one.</p>
</body>
</html>
OK, so it seems the confirmation email gets flagged but the reset password one does not, even though they are very similar and there are no phishing URLs:

URI_PHISH positive:

------------------------------------------------------------------------
Return-Path: <no-reply@venue2you.com>
Delivered-To: admin@nextgenappsllc.com
Received: from nextgenappsllc.com by grootchema.nextgenappsllc.com (Dovecot) with LMTP id R6KrFeGsgWEGIAAAQQk82Q for <admin@nextgenappsllc.com>; Tue, 02 Nov 2021 17:25:53 -0400
Received: by nextgenappsllc.com (Postfix, from userid 115) id 509193EAB6; Tue, 2 Nov 2021 17:25:53 -0400 (EDT)
Authentication-Results: nextgenappsllc.com; dkim=pass (2048-bit key; unprotected) header.d=venue2you.com header.i=@venue2you.com header.b="Of61663L"; dkim-atps=neutral
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on grootchema.nextgenappsllc.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HTML_MESSAGE,SPF_HELO_PASS,URIBL_BLOCKED,URI_PHISH autolearn=no autolearn_force=no version=3.4.2
Received: from mail.venue2you.com (mail.venue2you.com [170.187.146.47]) by nextgenappsllc.com (Postfix) with ESMTPS id 0E1BA3EA16 for <admin@nextgenappsllc.com>; Tue, 2 Nov 2021 17:25:53 -0400 (EDT)
Authentication-Results: mail.venue2you.com (amavisd-new); dkim=pass (2048-bit key) reason="pass (just generated, assumed good)" header.d=venue2you.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=venue2you.com; h=
 content-transfer-encoding:content-type:mime-version:subject
 :message-id:to:reply-to:from:date; s=dkim; t=1635888352; x=
 1638480353; bh=5len7HBjhbGUzBUG4Z5WXfNH//7VPF3PKuKTaAZhloI=; b=O
 f61663LM6adU7XjPGiogs0E4FCscobb4IRY768+vcBAo1AgsrnNgEn8XU5OqLhpS
 TQ9DVG90RBgoyWPVZ9mZ5NijEC70VeneEesXnHc+IW5mMboJWwhAlBFDC9VLdzvY
 EiZvk1269SmavFeKBlnNYad4PlUECP8h8NE1GWpDQX1It3TINy7L59I4xqpjBJkE
 E/ZfIRq9VokRxqsPfUm7GYjPQrfQtHRrtQNAAN6N2C7G6/mJApNKRTNbHiLz9R8L
 nAnGNXWNezdrKKiw+spywbq3xMbyMvDNkE08BtvA0dSAo93GBffUb2tyS0bGmOEq
 u9gkBO13plXSer6fzBc+A==
X-Virus-Scanned: Debian amavisd-new at mail.venue2you.com
Date: Tue, 02 Nov 2021 17:25:52 -0400
From: no-reply@venue2you.com
Reply-To: no-reply@venue2you.com
To: admin@nextgenappsllc.com
Message-ID: <6181ace056a36_1ff210b88774@grootchema.mail>
Subject: Confirmation instructions
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_6181ace055fa4_1ff210b886ab"; charset=UTF-8
Content-Transfer-Encoding: 7bit

----==_mimepart_6181ace055fa4_1ff210b886ab
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Welcome admin@nextgenappsllc.com!
You can confirm your account email through the link below:
https://venue2you.com/users/confirmation?confirmation_token=R9zBfiResWJ5iSvJihQQ
----==_mimepart_6181ace055fa4_1ff210b886ab
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style>
/* Email styles need to be inline */
</style>
</head>
<body>
<p>Welcome admin@nextgenappsllc.com!</p>
<p>You can confirm your account email through the link below:</p>
<p><a href="https://venue2you.com/users/confirmation?confirmation_token=R9zBfiResWJ5iSvJihQQ">Confirm my account</a></p>
</body>
</html>
----==_mimepart_6181ace055fa4_1ff210b886ab--
------------------------------------------------------------------------

URI_PHISH negative:

------------------------------------------------------------------------
Return-Path: <no-reply@venue2you.com>
Delivered-To: admin@nextgenappsllc.com
Received: from nextgenappsllc.com by grootchema.nextgenappsllc.com (Dovecot) with LMTP id E6+lAC+tgWEbIAAAQQk82Q for <admin@nextgenappsllc.com>; Tue, 02 Nov 2021 17:27:11 -0400
Received: by nextgenappsllc.com (Postfix, from userid 115) id F1B5F3EAB6; Tue, 2 Nov 2021 17:27:10 -0400 (EDT)
Authentication-Results: nextgenappsllc.com; dkim=pass (2048-bit key; unprotected) header.d=venue2you.com header.i=@venue2you.com header.b="ZYq7ukiU"; dkim-atps=neutral
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on grootchema.nextgenappsllc.com
X-Spam-Level:
X-Spam-Status: No, score=-0.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HTML_MESSAGE,SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.2
Received: from mail.venue2you.com (mail.venue2you.com [170.187.146.47]) by nextgenappsllc.com (Postfix) with ESMTPS id B027F3EA16 for <admin@nextgenappsllc.com>; Tue, 2 Nov 2021 17:27:10 -0400 (EDT)
Authentication-Results: mail.venue2you.com (amavisd-new); dkim=pass (2048-bit key) reason="pass (just generated, assumed good)" header.d=venue2you.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=venue2you.com; h=
 content-transfer-encoding:content-type:mime-version:subject
 :message-id:to:reply-to:from:date; s=dkim; t=1635888430; x=
 1638480431; bh=3DmNU/jv/DuRr0CM46g83nAOX6HrY46Rcs+BDALrVy4=; b=Z
 Yq7ukiUOziHWg1BA88syoR4LuD9hphbphBVF/Bg++xc9sakajBzW0MM7ulALcMSD
 GAt54xLodhFDapW5qZQhy9t6SmbaBpl/xBd1Oi8qEcyFLxtxoxJ8B6mD56fe4sIy
 FW0HtMWEpZ6Xy64oVglYIkUWLOP613C1w8a7ALd1cEx4UavgrqBqpgGVQakDZbqL
 tVm+6aztcPVDmEPd8cHk39ecj96Bkc4i7f24Bo8hn3bgf4k0KDscowraHk6L8R/L
 GvZ0RsIJZKsSXKW3E4Bbl9SkcISXqnfDRR4zqWW8htsSoUs/16IFlR10l4RZzTVd
 3QkAoBNMjf+sopMaEG6Qw==
X-Virus-Scanned: Debian amavisd-new at mail.venue2you.com
Date: Tue, 02 Nov 2021 17:27:10 -0400
From: no-reply@venue2you.com
Reply-To: no-reply@venue2you.com
To: admin@nextgenappsllc.com
Message-ID: <6181ad2e15bb9_1ff310b88710@grootchema.mail>
Subject: Reset password instructions
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_6181ad2e14a65_1ff310b886e3"; charset=UTF-8
Content-Transfer-Encoding: 7bit

----==_mimepart_6181ad2e14a65_1ff310b886e3
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Hello admin@nextgenappsllc.com!
Someone has requested a link to change your password. You can do this through the link below.
https://venue2you.com/users/password/edit?reset_password_token=S55Mvfe6fU57YpfkxtZY
If you didn't request this, please ignore this email.
Your password won't change until you access the link above and create a new one.
----==_mimepart_6181ad2e14a65_1ff310b886e3
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style>
/* Email styles need to be inline */
</style>
</head>
<body>
<p>Hello admin@nextgenappsllc.com!</p>
<p>Someone has requested a link to change your password. You can do this through the link below.</p>
<p><a href="https://venue2you.com/users/password/edit?reset_password_token=S55Mvfe6fU57YpfkxtZY">Change my password</a></p>
<p>If you didn't request this, please ignore this email.</p>
<p>Your password won't change until you access the link above and create a new one.</p>
</body>
</html>
----==_mimepart_6181ad2e14a65_1ff310b886e3--
------------------------------------------------------------------------
> X-Spam-Status: No, score=3.6 required=5.0

So? The test is hitting, but it isn't nearly enough to mark it as spam. It takes 5 points to be spam, and this only gets 3.6 total from several rules hitting.

BTW, URIBL_BLOCKED indicates a configuration error on the system doing the mail checking.

Also:

X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13)

The current version of SA is 3.4.6, and is about 3 years newer than the version running on the test system. There have been quite a few fixes since 3.4.2.
It's not based on "phishing URLs" or the specific link; it's based on having body text that looks like account phishing and having a URL. The body text that looks suspiciously like phishing is, unsurprisingly, "confirm your account". The reason one version hits and the other does not is that the rule is looking for multiple phishing text fragments, and the repetition of that text in the plain-text and HTML body parts unfortunately counts double.

> X-Spam-Status: No, score=3.717 tagged_above=2 required=6.2

As Loren said, this is not a FP, as the total score for the message did not exceed the spam threshold. This is a single-rule hit on spammy-looking content without other signs to support it. That happens. It is not a bug that a given rule will hit some ham.

The only suggestion I can offer is that you reword your message to make it look less like phishing. Perhaps:

Please confirm that you created an account on our service using that email address by clicking this link: <a mumble>Confirm new account</a>
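A simplified model of the mechanism described in the comment above, added here as an illustration and not SpamAssassin's actual URI_PHISH rule: a phishing-looking fragment is counted across every text part, so a multipart/alternative confirmation mail counts "confirm your account" once in the plain-text part and once in the HTML part, the HTML-only version counts it once, and the reworded text counts it zero times. The fragment list, the threshold of two hits, the example.test addresses and the sample messages are all constructed assumptions.

```python
import email
import re
from email import policy

# Simplified model of the behaviour described above, NOT SpamAssassin's real
# URI_PHISH rule: count phishing-looking fragments over every text part and
# require a URL. The fragment list and the threshold of 2 are assumptions.
PHISH_FRAGMENTS = ("confirm your account",)
URL_RE = re.compile(r"https?://\S+")
MIN_HITS = 2

def phish_hits(raw):
    """Return (fragment_count, has_url) summed over all text/* parts."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits, has_url = 0, False
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()
        has_url = has_url or bool(URL_RE.search(body))  # href= URLs count too
        text = re.sub(r"<[^>]+>", " ", body).lower()     # strip HTML tags
        hits += sum(text.count(f) for f in PHISH_FRAGMENTS)
    return hits, has_url

def would_hit(raw):
    """True when the message has a URL and enough phishing fragments."""
    hits, has_url = phish_hits(raw)
    return has_url and hits >= MIN_HITS

def build(plain, html):
    """Constructed sample message: HTML-only if plain is None, else multipart."""
    head = "From: no-reply@example.test\nSubject: Confirmation instructions\nMIME-Version: 1.0\n"
    if plain is None:
        return head + "Content-Type: text/html\n\n" + html
    return (head + 'Content-Type: multipart/alternative; boundary="b"\n\n'
            "--b\nContent-Type: text/plain\n\n" + plain
            + "\n--b\nContent-Type: text/html\n\n" + html + "\n--b--\n")

LINK = "https://example.test/users/confirmation?confirmation_token=TOKEN"
PLAIN = f"You can confirm your account email through the link below:\n{LINK}"
HTML = (f'<p>You can confirm your account email through the link below:</p>\n'
        f'<p><a href="{LINK}">Confirm my account</a></p>')
PLAIN_REWORDED = ("Please confirm that you created an account on our service "
                  f"using that email address by clicking this link:\n{LINK}")
HTML_REWORDED = ("<p>Please confirm that you created an account on our service "
                 "using that email address by clicking this link:</p>\n"
                 f'<p><a href="{LINK}">Confirm new account</a></p>')

if __name__ == "__main__":
    print("HTML only        :", would_hit(build(None, HTML)))                     # one fragment: no hit
    print("text + HTML      :", would_hit(build(PLAIN, HTML)))                    # fragment counted twice: hit
    print("reworded multipart:", would_hit(build(PLAIN_REWORDED, HTML_REWORDED)))  # no fragment: no hit
```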
Closing as FAD. Rule discussions should take place on the Users mailing list.