Bug 8000 - AMAZON_IMG_NOT_RCVD_AMZN rule producing false positives
Status: RESOLVED WORKSFORME
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: 3.4.0
Hardware: PC Linux
Importance: P2 normal
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
Reported: 2022-05-30 17:58 UTC by Dennis Gerasimov
Modified: 2022-05-31 07:45 UTC



Attachment Type Modified Status Actions Submitter/CLA Status
Example of false positive message/rfc822 None Dennis Gerasimov [NoCLA]

Description Dennis Gerasimov 2022-05-30 17:58:31 UTC
Created attachment 5786
Example of false positive

Every legit email from the Amazon ordering system produces this false positive for me. Example attached.
Comment 1 John Hardin 2022-05-31 03:18:37 UTC
I cannot reproduce this FP in my SA test environment with the attached example.

May 30 20:07:11.714 [21295] dbg: rules-all: running header rule __HDR_RCVD_AMAZON
May 30 20:07:11.714 [21295] dbg: rules: ran header rule __HDR_RCVD_AMAZON ======> got hit: " rdns=a13-123.smtp-out.amazonses.com "
...
May 30 20:07:12.731 [21295] dbg: rules-all: ran meta rule __AMAZON_IMG_NOT_RCVD_AMZN, no hit
...
May 30 20:07:12.742 [21295] dbg: rules-all: ran meta rule AMAZON_IMG_NOT_RCVD_AMZN, no hit


It's possible that the local-MTA Received header which prevents it from hitting is not being added to the message by your MTA before it's being passed to SpamAssassin for scanning. How is SpamAssassin glued onto your MTA?

Recommendations:
(1) whitelist Amazon (see below), these messages pass DKIM
(2) look into rule LOCAL_RND_SUBJ, that contributed more to the FP than AMAZON_IMG_NOT_RCVD_AMZN did
(3) follow up the MTA glue question on the SpamAssassin Users mailing list, you'll get better results for rules questions there.

Suggested Amazon authenticated whitelisting:

whitelist_auth		*@amazon.com
blacklist_from		*@amazon.com
whitelist_auth		*@*.amazon.com
blacklist_from		*@*.amazon.com
Comment 2 Giovanni Bechis 2022-05-31 07:45:24 UTC
The submitted email hits UNPARSEABLE_RELAY, this probably makes __HDR_RCVD_AMAZON fail.
Updating to a more recent SpamAssassin version will probably fix the issue.
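
An added example, not part of the bug thread and not SpamAssassin code: a small Python helper that compares the per-rule results of two debug scans of the same message, the comparison comments 1 and 2 make by hand. The first log is the output quoted in comment 1; the second log is constructed for illustration, and its timestamps, rule kinds and hit details are assumptions.

```python
import re

# The two line shapes quoted in comment 1:
#   dbg: rules: ran header rule NAME ======> got hit: "..."
#   dbg: rules-all: ran meta rule NAME, no hit
RAN = re.compile(r'dbg: rules(?:-all)?: ran (?P<kind>\w+) rule (?P<name>\S+?)'
                 r'(?:, no hit| ======> got hit(?P<detail>.*))\s*$')

def rule_outcomes(debug_log):
    """Map rule name -> (kind, hit, detail) from SpamAssassin debug output."""
    seen = {}
    for line in debug_log.splitlines():
        m = RAN.search(line)
        if not m:
            continue  # "running ..." lines and other debug channels
        hit = m.group('detail') is not None
        # A logged hit is never overwritten by a "no hit" line for the same rule.
        if hit or m.group('name') not in seen:
            seen[m.group('name')] = (m.group('kind'), hit,
                                     (m.group('detail') or '').strip(' :'))
    return seen

def diff_outcomes(log_a, log_b):
    """Rules that hit in one scan but not the other: name -> (hit_a, hit_b)."""
    a, b = rule_outcomes(log_a), rule_outcomes(log_b)
    def hit(d, n): return d.get(n, (None, False, ''))[1]
    return {n: (hit(a, n), hit(b, n))
            for n in sorted(set(a) | set(b)) if hit(a, n) != hit(b, n)}

# Lines quoted in comment 1 (the scan where the rule does not fire).
DEV_LOG = '''\
May 30 20:07:11.714 [21295] dbg: rules-all: running header rule __HDR_RCVD_AMAZON
May 30 20:07:11.714 [21295] dbg: rules: ran header rule __HDR_RCVD_AMAZON ======> got hit: " rdns=a13-123.smtp-out.amazonses.com "
May 30 20:07:12.731 [21295] dbg: rules-all: ran meta rule __AMAZON_IMG_NOT_RCVD_AMZN, no hit
May 30 20:07:12.742 [21295] dbg: rules-all: ran meta rule AMAZON_IMG_NOT_RCVD_AMZN, no hit
'''

# CONSTRUCTED for this example, in the same line format: a scan where the
# relay was unparseable and the false positive fires. Not real output.
FP_LOG = '''\
May 30 17:58:40.101 [4242] dbg: rules: ran meta rule UNPARSEABLE_RELAY ======> got hit (1)
May 30 17:58:40.102 [4242] dbg: rules-all: ran header rule __HDR_RCVD_AMAZON, no hit
May 30 17:58:41.310 [4242] dbg: rules: ran meta rule __AMAZON_IMG_NOT_RCVD_AMZN ======> got hit (1)
May 30 17:58:41.322 [4242] dbg: rules: ran meta rule AMAZON_IMG_NOT_RCVD_AMZN ======> got hit (1)
'''

if __name__ == '__main__':
    for name, (dev, fp) in diff_outcomes(DEV_LOG, FP_LOG).items():
        print(f'{name}: comment-1 scan={dev}, constructed FP scan={fp}')
```

Both logs need to be captured with the `rules` and `rules-all` debug channels enabled, since "no hit" lines appear only on `rules-all` in the output quoted above.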