Opened 9 years ago
Last modified 4 months ago
#40081 new enhancement
Remove wp-admin links from all Core emails
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | minor | Version: | |
| Component: | | Keywords: | 2nd-opinion |
| Focuses: | administration | Cc: | |
Description
SpamAssassin has an undocumented rule called URI_WPADMIN, which is triggered when it sees a wp-admin URL in a message. If the rule is triggered, the message's spam score is bumped by 2.6 points (by default), which gets the message 50% of the way to being flagged as spam. This can be reproduced easily with Postmark's spam-checker API.
SpamAssassin also has a PHP_ORIG_SCRIPT rule that is assigned to all messages that are sent with the default PHP mail() agent. It has a score of 1.5, which brings the vast majority of Core emails sent by WordPress installations up to a score of 4.1, which is 80% of the way to being flagged. That's not counting any other rules that may be triggered based on message content, server configuration, etc.
From a UX perspective, it's very helpful to include links in messages that take the user directly to any actions that we can reasonably assume they'll want to perform on a message. However, from a security perspective, I think the best practice is to not include those links, because doing so trains users to expect and trust them, which makes them vulnerable to phishing attacks.
So, I think we should consider removing all links to wp-admin, and replace them with a message asking users to log in to their site instead. We can give them navigation breadcrumbs like: "To disable these notifications, log in to WordPress at example.org and navigate to: My Sites > Network Admin > Settings."
Related #39709
Change History (8)
#2 (in reply to #1) 9 years ago
Replying to SergeyBiryukov:
So, I think we should consider removing all links to wp-admin, and replace them with a message asking users to log in to their site instead.
I don't think that would work for comment moderation links. They could probably be replaced with non-admin links.
The full regexp for URI_WPADMIN is ,/wp-admin/\w+/,i so it shouldn't match /wp-admin/comment.php?action=approve…
#3 9 years ago
The full regexp for URI_WPADMIN is ,/wp-admin/\w+/,i so it shouldn't match /wp-admin/comment.php?action=approve…
Ah, that's a great catch. It doesn't look like that regex will match example.org/wp-admin/ either, only URLs with a subdirectory, like example.org/wp-admin/network/settings.php. It's odd that they'd only try to catch network-admin emails, but :shrug:
So, maybe the scope of this ticket should narrow to only remove network-admin URLs? I still think it's a bad practice to include any admin URLs, though, because it trains users to follow the insecure practice of clicking links in emails. What does everyone else think?
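To make the scope question above concrete, here is an added example (my own code, not WordPress's or SpamAssassin's) that applies the URI_WPADMIN regex quoted in comment #2 to constructed sample Core emails and adds up the two rule scores given in the description. Assumptions: the PHP_ORIG_SCRIPT check is modelled on comment #4's remark that the rule keys on the X-PHP-Script / X-PHP-Originating-Script headers; the 5.0 threshold is SpamAssassin's usual default required_score; the sample messages, the host name and the breadcrumb table for the proposed replacement text are all constructed for illustration (the one breadcrumb entry is the example the description gives).

```python
import re
from email import message_from_string
from email.message import Message

# Regex for SpamAssassin's URI_WPADMIN rule as quoted in comment #2
# (m,/wp-admin/\w+/,i): wp-admin followed by at least one subdirectory.
URI_WPADMIN_RE = re.compile(r"/wp-admin/\w+/", re.IGNORECASE)

# Default scores from the ticket description; 5.0 is the usual default
# required_score (assumed here).
SCORES = {"URI_WPADMIN": 2.6, "PHP_ORIG_SCRIPT": 1.5}
REQUIRED_SCORE = 5.0

# Assumption following comment #4: treat PHP_ORIG_SCRIPT as firing when either
# of these headers is present. The real SpamAssassin rule may differ.
PHP_ORIG_HEADERS = ("X-PHP-Script", "X-PHP-Originating-Script")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _body_text(msg: Message) -> str:
    """Concatenate the decoded text/* parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type().startswith("text/"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def flagged_urls(text: str) -> list[str]:
    """Return the URLs in text that URI_WPADMIN would match."""
    return [u for u in URL_RE.findall(text) if URI_WPADMIN_RE.search(u)]


def score(raw_email: str) -> tuple[float, list[str]]:
    """Return (score, rules hit) for the two rules discussed in the ticket."""
    msg = message_from_string(raw_email)
    hits = []
    if flagged_urls(_body_text(msg)):
        hits.append("URI_WPADMIN")
    if any(h in msg for h in PHP_ORIG_HEADERS):
        hits.append("PHP_ORIG_SCRIPT")
    return round(sum(SCORES[h] for h in hits), 1), hits


# Hypothetical breadcrumb table for the replacement text the ticket proposes;
# the only entry is the example given in the description.
BREADCRUMBS = {
    "/wp-admin/network/settings.php": "My Sites > Network Admin > Settings",
}


def rewrite_wp_admin_links(text: str, host: str) -> str:
    """Replace wp-admin subdirectory URLs with a log-in-and-navigate instruction."""
    def repl(m: re.Match) -> str:
        path = re.sub(r"^https?://[^/]+", "", m.group(0)).split("?", 1)[0]
        crumbs = BREADCRUMBS.get(path, "the relevant admin screen")
        return f"log in to WordPress at {host} and navigate to: {crumbs}"
    return re.sub(r"https?://[^\s<>\"']*/wp-admin/\w+/[^\s<>\"']*", repl, text)


# Constructed sample: a network "new site" notification sent via PHP mail().
NETWORK_MAIL = """\
From: WordPress <wordpress@example.org>
To: admin@example.org
Subject: [Example Network] New Site Registered
X-PHP-Originating-Script: 33:class-phpmailer.php
Content-Type: text/plain; charset=utf-8

New site registered: https://blog.example.org
To disable these notifications, visit
https://example.org/wp-admin/network/settings.php
"""

# Constructed sample: a comment moderation email with top-level wp-admin links.
COMMENT_MAIL = """\
From: WordPress <wordpress@example.org>
To: author@example.org
Subject: [Example] Please moderate: "Hello world!"
Content-Type: text/plain; charset=utf-8

Approve it: https://example.org/wp-admin/comment.php?action=approve&c=42
Currently 1 comment is waiting for approval:
https://example.org/wp-admin/edit-comments.php?comment_status=moderated
"""

if __name__ == "__main__":
    for name, mail in (("network", NETWORK_MAIL), ("comment", COMMENT_MAIL)):
        total, hits = score(mail)
        print(f"{name}: {total} of {REQUIRED_SCORE} ({hits})")
    body = _body_text(message_from_string(NETWORK_MAIL))
    print(rewrite_wp_admin_links(body, "example.org"))
```

Running it shows the point made in comment #3: the network settings link trips URI_WPADMIN (and, with the PHP header, the message sits at 4.1 of 5.0), while the comment moderation links under /wp-admin/ itself are not matched at all, and the rewritten body contains no matching URL.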
#4 4 months ago
- Keywords 2nd-opinion added
- Severity changed from normal to minor
- Type changed from defect (bug) to enhancement
URI_WPADMIN was introduced in SpamAssassin mostly to hinder phishing attempts. So I totally agree with @iandunn on the fact that we should avoid any wp-admin URLs at all costs, regardless of the current filter (in fact, given that we have identified that the filter is only affecting network sites, this should actually be reported to SpamAssassin to improve their attempts to stop this).
About PHP_ORIG_SCRIPT: this is not applying any more for most modern configurations and local MTAs. See related examples in #39709 of this not applying with the provided emails (that used to trigger this according to your report). Although this is triggered by X-PHP-Script and X-PHP-Originating-Script, I can't really see any of them in your sample emails, nor were they triggered by the Postmark API when I copied the raw email. Not sure why they got triggered back in the day.
I'm going to do a little audit on all the emails being sent atm to see which could potentially be flagged/are mistakenly using wp-admin (in your sample, you were sending these emails from an MS config, hence the network thing for the pattern).
#5 (follow-up: #6) 4 months ago
This ticket went eight years without any further interest. Is this really an issue?
#6 (in reply to #5) 4 months ago
Replying to johnbillion:
This ticket went eight years without any further interest. Is this really an issue?
I've not yet checked the format of every single email being sent by the system, only spotted one case that triggers this, the new site registration email.
But it's kind of weird, because there is an ongoing bug with block themes that throws a couple of warning messages when you go into the new site registration form. So here we can probably find out that this feature is probably being used by around -10% of the total users.
And maybe this is the sole email that includes the /wp-admin/network/... part that triggers this antispam rule. This is why I switched the severity to Minor until I trigger all emails in the system and see if it's relevant or not.
Finally, let's be aware that probably most MS users are not newbs with WP because, overall, it's a pretty advanced feature (from that 40% reported share I would like to know how much of MS are, prob less than 0.1%, not MS users, but MS administrators) and they might have already heavily personalized their emails, so it might not be happening to them.
Still, as suggested by SpamAssassin, adding wp-admin to emails overall is a bad practice, as it has been spotted as a classic phishing technique. So maybe we should consider it, just in case we have some dangling emails that should be doing this, just for the health and security of the project, right?
Let me get some findings and I will report back as soon as I have them.
#7 (follow-up: #8) 4 months ago
I don't think it's a good use of time working on this ticket. Removing links to wp-admin from emails is not going to happen because it's a significant UX degradation.
#8 (in reply to #7) 4 months ago
Replying to johnbillion:
I don't think it's a good use of time working on this ticket. Removing links to wp-admin from emails is not going to happen because it's a significant UX degradation.
I've also been thinking about this. The fact that some emails could provide a valid, useful wp-admin link goes against that. On the other side, there could be the problem that spam filters can simply be ditching these emails, rendering them slightly useless and forcing people to simply edit those emails manually to make them pass.
From an admin perspective, this is pretty straightforward: whitelisting the From: is the best way to go. So I agree, I would not be touching those.
But what I want to do is an analysis, to see if there are any Subscriber-level emails being sent with a wp-admin link of any sort and if there are potential workarounds or not. Subscribers going into spam could be a big loss.