Opened 3 years ago

Last modified 3 years ago

#39709 new enhancement

Add filler content to New Site Registration email to avoid space ratio spam rule

Reported by: iandunn Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Mail Keywords:
Focuses: multisite Cc:
PR Number:

Description

I noticed SpamAssassin on helpscout.net is coming very close to flagging the New Site Registration emails as spam.

The biggest rule being triggered is `TVD_SPACE_RATIO_MINFP`, with a weight of 2.5, getting the message 50% of the way to the default threshold of 5. That rule looks for excessive whitespace in the message body, and I'm guessing it's being triggered by the high ratio of newlines to paragraph text. I uploaded a pastebin with the full headers and body.

I don't have time right now to verify whether or not helpscout.net is using the default SpamAssassin configuration, or if they've weighted this rule more heavily for some reason, but even if they have, it seems likely that others will as well. Additionally, the current message text seems like poor UX, and I think the fix for the spam issue would also fix that.

I think the fix would be to add some filler text to the message body, to decrease the ratio of newlines to paragraph text. e.g.:

> Howdy, this is your WordPress multisite installation at {example.org}. I thought you'd like to know that a new site was created. The details are below:

It doesn't really matter what the text is, as long as it's a normal sentence or two, so whatever makes the most sense from a UX point of view will probably be fine.

If the new text does include the domain name, I think we should avoid entering a full URL, because that could trigger other spam rules. (As an aside, I think it's generally a bad idea to include URLs in emails, since it trains users to expect and click them, which makes them more vulnerable to phishing. That's another ticket, though.)

I think the next steps for this ticket would be:

  1. Reproduce the issue with a local SpamAssassin instance, to verify that 2.5 is the default score for this message (rather than something Help Scout modified)
  2. Test that adding some filler text will prevent the rule from being triggered. I don't think it'll really matter what the text is, for the purposes of testing.
  3. Decide on what the best text would be from a UX perspective

Change History (1)

#1 @iandunn
3 years ago

> 1. Reproduce the issue with a local SpamAssassin instance, to verify that 2.5 is the default score for this message (rather than something Help Scout modified)

I checked the current message using Postmark's spam-check API and it got a score of 6.9, with the following breakdown:

```
 pts rule name               description
---- ---------------------- --------------------------------------------------
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
 0.4 NO_DNS_FOR_FROM        RBL: Envelope sender has no MX or A DNS records
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                            See
                            http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                             for more information.
                            [URIs: wordcamp.dev]
 2.6 URI_WPADMIN            WordPress login/admin URI, possible phishing
-0.0 NO_RECEIVED            Informational: message has no Received headers
 0.0 TVD_SPACE_RATIO        TVD_SPACE_RATIO
 1.5 PHP_ORIG_SCRIPT        Sent by bot & other signs
 2.4 TVD_SPACE_RATIO_MINFP  Space ratio
```

Related: I opened #40081 for the URL_WPADMIN issue.

> 2. Test that adding some filler text will prevent the rule from being triggered. I don't think it'll really matter what the text is, for the purposes of testing.

Adding the Howdy... example message above dropped the message's score from 6.9 to 3.0. So, I think that's a good solution. The next step would be to settle on what the real filler message should be. Any opinions?
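
A parser for the report table in comment #1, as an added example that is not part of the ticket or of WordPress core: it joins wrapped description lines, sums the per-rule scores, and ranks the positive rules against the default threshold of 5 mentioned in the description. The function names are hypothetical; the report text is copied from the comment above.

```python
import re

# Report table copied from comment #1 above (Postmark spam-check output).
REPORT = """\
 pts rule name               description
---- ---------------------- --------------------------------------------------
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
 0.4 NO_DNS_FOR_FROM        RBL: Envelope sender has no MX or A DNS records
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                            See
                            http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                             for more information.
                            [URIs: wordcamp.dev]
 2.6 URI_WPADMIN            WordPress login/admin URI, possible phishing
-0.0 NO_RECEIVED            Informational: message has no Received headers
 0.0 TVD_SPACE_RATIO        TVD_SPACE_RATIO
 1.5 PHP_ORIG_SCRIPT        Sent by bot & other signs
 2.4 TVD_SPACE_RATIO_MINFP  Space ratio
"""

# A rule row starts with a signed decimal score, followed by the rule name.
ROW = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")

def parse_report(text):
    """Return [(score, rule, description)]; wrapped description lines are joined."""
    rules = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rules.append([float(m.group(1)), m.group(2), m.group(3).strip()])
        elif rules and line.startswith(" ") and line.strip():
            rules[-1][2] += " " + line.strip()  # continuation of the previous row
    return [tuple(r) for r in rules]

def total(rules):
    return round(sum(score for score, _, _ in rules), 1)

def contributors(rules, threshold=5.0):
    """Rules with a positive score, largest first, with their share of the threshold."""
    hits = [(rule, score, round(100 * score / threshold)) for score, rule, _ in rules if score > 0]
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    rules = parse_report(REPORT)
    print("total:", total(rules))
    for rule, score, pct in contributors(rules):
        print(f"{score:4.1f}  {pct:3d}% of threshold  {rule}")
```

Running the same parser on the report for a candidate filler text gives a rule-by-rule before/after comparison rather than only the two totals.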
