Open vertizio opened 6 years ago
@gravityrail Do you think you could take a look, since you worked on that part of subscriptions not that long ago in #8194?
Thanks!
I'm looking into this.
I noticed a couple of weird things.
One, the pixel.wp.com URL is encoding &s as & instead of & - that just seems odd (and unnecessary).
Second, the Gravatar URL includes a URL-encoded URL inside it:
http://1.gravatar.com/avatar/1edc5da2c8521919811ad60ca238cd16?s=3D50&d=3Dhttp%3A%2F%2F1.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D50&r=3DG
However neither of these trips the regex as listed in the SpamAssassin 3.4 cf file: https://apache.googlesource.com/spamassassin/+/3.4/rules/20_uri_tests.cf#56
My suspicion is that this is the gravatar URL tripping the rule, maybe a customized version of the rule, or maybe there's something wrong with the rule itself.
We could try to fix this by being less aggressive in our escaping, perhaps testing content with this rule before sending it out and logging in IRC to start with.
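One way to run the kind of pre-send check suggested above, as an added example that is not code from this thread, from Jetpack, or from SpamAssassin. It does not reproduce the SpamAssassin regex; as a stand-in it assumes "unnecessary" means a %-escape that decodes to an RFC 3986 unreserved character, and the function names are hypothetical.

```python
import quopri
import re

# RFC 3986 section 2.3: unreserved characters never need percent-encoding.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
ESCAPE_RE = re.compile(r"%([0-9A-Fa-f]{2})")


def unnecessary_escapes(url):
    """Return the %-escapes in url that decode to an unreserved character."""
    return [
        m.group(0)
        for m in ESCAPE_RE.finditer(url)
        if chr(int(m.group(1), 16)) in UNRESERVED
    ]


def audit_body(body, quoted_printable=False):
    """Map each flagged URL in a mail body to its unnecessary escapes."""
    if quoted_printable:
        # Undo the transfer encoding first, otherwise "=3D" hides the real "=".
        body = quopri.decodestring(body.encode("ascii")).decode("ascii")
    findings = {}
    for url in URL_RE.findall(body):
        bad = unnecessary_escapes(url)
        if bad:
            findings[url] = bad
    return findings


# The Gravatar URL quoted in the comment above, still quoted-printable encoded.
GRAVATAR_QP = (
    "http://1.gravatar.com/avatar/1edc5da2c8521919811ad60ca238cd16"
    "?s=3D50&d=3Dhttp%3A%2F%2F1.gravatar.com%2Favatar%2F"
    "ad516503a11cd5ca435acc9bb6523536%3Fs%3D50&r=3DG"
)
# Constructed sample: "%6A" is "j" and "%2D" is "-", both unreserved.
CONSTRUCTED = "see http://example.com/%6Aetpack%2Dpost?x=a%20b now"

if __name__ == "__main__":
    print(audit_body(GRAVATAR_QP, quoted_printable=True))
    print(audit_body(CONSTRUCTED))
```

Under this definition the Gravatar URL is not flagged, because its escapes (`%3A`, `%2F`, `%3F`, `%3D`) all decode to reserved characters that must stay encoded inside a query value.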
This issue has been marked as stale. This happened because:
No further action is needed. But it's worth checking if this ticket has clear reproduction steps and it is still reproducible. Feel free to close this issue if you think it's not valid anymore — if you do, please add a brief explanation.
Some Jetpack subscription emails trigger a 'Completely unnecessary %-escapes inside a URL' at SpamAssassin.
The spam score might be set quite aggressively, but it should not be necessary to use unnecessary %-escapes.