On 19 Oct 2018, at 9:37, Alex wrote:

> Hi,
>
> Should we be adding 3 points for just this, or is there never a reason
> users should be using /wp-admin in their URLs?

The score is coming out of RuleQA, so the score is derived empirically, not by a logical process based in arbitrary axioms.

That doesn't mean it's the one true score for everyone, just that it's a useful score in the context of the spam and ham corpora submitted to RuleQA. If it causes actual FPs (i.e. ham that is identified as spam, NOT ham identified as ham that happens to hit a strong spam rule but scores below the threshold) then it is probably a good idea to limit its score in RuleQA or to examine the FPs to find ways to narrow the rule. I see that John has the basic rigging in place to allow for narrowing via meta conditions, so presumably he anticipated the possibility.

> Oct 19 09:33:11.561 [1299] dbg: rules: ran uri rule __URI_WPADMIN
> ======> got hit: "/wp-admin/images/"
>
> The rule description says possible phishing, but how would an end-user
> be in a position to create a public link that involves their WP admin
> directory in the first place?

Think more carefully about that question. As written it seems much more naive than you can actually be.

2 hints:

1. WordPress is probably the most frequently compromised server software in the history of the web, excluding Microsoft products.
2. If a website isn't built on WordPress (as most are not) there is nothing in any way special about a 'wp-admin' token in a functioning URL. I'd offer to demonstrate that with my own website, but I'm not in a mood to disable the trap that converts every request for a WordPress-like URL into a firewall rule and DNSBL entry...
