Validation emails are being spamcanned again

[ara4n]

We seem to have reintroduced the "HTML_IMAGE_ONLY_28" rule again, presumably when rebranding for Riot :(

X-Spam-Report: 
        *  3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
        *      [score: 1.0000]
        * -0.0 SPF_PASS SPF: sender matches SPF record
        *  0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
        *      [score: 1.0000]
        *  1.4 HTML_IMAGE_ONLY_28 BODY: HTML: images with 2400-2800 bytes of words
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  1.1 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
        * -0.4 AWL AWL: Adjusted score from AWL reputation of From: address

[ara4n]

this is still true on arasphere:

X-Spam-Report: 
    *  3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
    *      [score: 1.0000]
    *  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
    *       See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
    *      for more information.
    *      [URIs: vector.im]
    * -0.0 SPF_PASS SPF: sender matches SPF record
    *  0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
    *      [score: 1.0000]
    *  1.4 HTML_IMAGE_ONLY_28 BODY: HTML: images with 2400-2800 bytes of words
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    *  1.1 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
    *  0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
    * -0.3 AWL AWL: Adjusted score from AWL reputation of From: address

[lukebarnard1]

According to http://serverfault.com/a/174022, the email needs to have more text in it! This could be quite simple to fix. We just have to decide what text to put in it. FTR the text at the moment reads:

Hello,

We have received a request to register this email address on riot.im. If this
was you who made this request, you may use the following link to complete 
the verification of your email address:

Complete email verification

Please note that Riot requires Chrome, Firefox or Safari on the web, or iOS 
or Android on mobile.

If you aren't aware of making such a request, please disregard this email.

thanks,

Riot

2400-2800 bytes of words refers to the HTML content I think, which is ~ 2500 bytes (and bizarrely not the actual textual content).

[ara4n]

@lampholder can you bulk out the verbiage a bit please? they live in https://github.com/matrix-org/sydent/tree/master/res and Dave can deploy when done (or show you how)

[lampholder]

Heh, did we trigger this by removing the (broken) reference to the IP address?

/me takes a crack at the wording.

[ara4n]

it was a problem before, but it probably got exacerbated by removing the IP address. Worst case, just chuck a more detailed "You're receiving this because..." section at the bottom.

[lampholder]

I've bulked it out significantly by borrowing some of the blurb from riot.im:

https://github.com/matrix-org/sydent/tree/registration_wording_change

@ara4n / @AmandineLP would you like to review the content? I conflated bulking out the word count with addressing a pet peeve about the email's somewhat robotic tone, because I'm a nuisance.

/me intends to fix up the matrix version of the file too after verifying that this change does indeed do the needful.

[lampholder]

Our SpamAssassin score is now 0.0/5 (according to https://spamscorechecker.com/check anyway)

[lampholder]

We're still triggering HTML_IMAGE_ONLY_20 on the matrix validation token email.

[lampholder]

That's now fixed too.

[ara4n]

this looks good but is there a reason we don't think that invite mails won't be suffering the same problem too?

[lampholder]

We haven't changed invite emails recently AFAIK.

...but a quick check reveals they're every bit as bad:

* 1.6 HTML_IMAGE_ONLY_24 BODY:HTML: images with 2000-2400 bytes of words.

[lampholder]

Are there any other categories of email we send? Notification emails might be affected too?

[lampholder]

I can confirm that I have not received notification emails (though my email setup is now... complicated so it's not super obvious where it might be being canned).

[ara4n]

as a first cut please let's fix invite emails? they may not have been changed, but they were borderline problematic in the first place...

[lampholder]

More words here: matrix-org/sydent#44

[lampholder]

Cool; changes merged for invites - I'll test against the spamwhatsit when they've been pushed live (which won't happen last thing on a Friday)

[ara4n]

just to confirm, invites are indeed failing right now, with:

X-Spam-Status: Yes, score=6.0 required=5.0 tests=AWL,BAYES_99,BAYES_999,
    HTML_IMAGE_ONLY_28,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,URIBL_BLOCKED autolearn=no
    autolearn_force=no version=3.4.1
X-Spam-Report: 
    *  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
    *       See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
    *      for more information.
    *      [URIs: matrix.org]
    * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
    *      trust
    *      [83.166.64.11 listed in list.dnswl.org]
    *  3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
    *      [score: 1.0000]
    *  1.4 HTML_IMAGE_ONLY_28 BODY: HTML: images with 2400-2800 bytes of words
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    *  0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
    *      [score: 1.0000]
    *  0.9 AWL AWL: Adjusted score from AWL reputation of From: address

[lampholder]

spamscoreschecker.com is down, but I can verify that invite emails are now coming through to gmail successfully (from both riot and matrix).