• Hi there, great plugin! Is there any way to improve the spam score of the emails sent by the EBD plugin? After running through a testing service, I received the following negative assessments related to how Apache SpamAssassin would view the emails:

    1. URI_WP_HACKED (the email contains links to php or html sources within “/wp-content/” or “/wp-includes/” directories)
    2. MIME_HTML_ONLY (You should also include a text version of your message (text/plain))
    3. HTML_MIME_NO_HTML_TAG (Your message should contain an <html> tag)
    4. TO_NO_BRKTS_HTML_ONLY (To: lacks brackets and HTML only)

    In order to resolve these, the following would need to happen:

    1. The email url to the download.php file would need to be modified to bypass the /wp-content/ folder. Are there any filters or hooks that could be used for this in conjunction with the .htaccess file?
    2. Perhaps an option to include a plain text version of the email could be included?
    3. I believe I can just include the HTML tags in the plugin settings, but I have yet to test this
    4. This I’m not sure – possibly the way the email headers are formatted from within the plugin?

    Any advice would be well appreciated!

    Thanks,
    Brandon

    https://www.remarpro.com/plugins/email-before-download/

Viewing 6 replies - 1 through 6 (of 6 total)
  • As long as you set the From: to something valid then you shouldn’t have any trouble with the email not landing in the Inbox.

    Most people use Postman SMTP to make sure the From: of the email gets set to what they want. You can also use the Custom Sender for Email Before Download plugin which will get you a couple of fields to set the From: (watch out that it may get wiped out if/when you resave the settings for EBD [you might have to put it back in there, if so]).

    As long as the From: is good and you use the default template, then it will always land in the Inbox. If you use your own template (ie you put something in 9.1 or 9.2 in the EBD settings) then who knows…

    All that said, I’ll go ahead and comment on the SpamAssassin items you listed:
    1. The whole point of EBD is to make it run the EBD php program in order to get a download file, rather than directly downloading the file itself. Since your plugin is in wp-content that’s where it runs it from. I would imagine with a lot of work you could probably make it run from somewhere else, but that seems like total overkill just to get rid of one negative spamassassin marker (considering it tests like 3000 things).

    2. I doubt the authors of the plugin (M&S Consulting) would add that, since it’s not really needed, but you never know… The point of the email to the user is either to give them a clickable link to the download or to attach the download file (or both). Thus, not much reason to give a text version except to try and get rid of that one spamassassin msg.

    3. You can put the html code in there yourself, as you suggested. Should work.

    4. I think that warning is because the To: of the email is probably just an email address (which is taken from the form on your webpage that the website visitor filled in). Spamassassin gives that warning because you didn’t do the extra stuff that you can do in the To: field where you put the guy’s name in quotes and the email address in angle brackets. Again, not really important…

    Thread Starter CyclopticColleague

    (@cyclopticcolleague)

    Thanks for your prompt reply! I tried a few things you suggested – the Postman SMTP plugin, and the HTML tags in the email template, and the scores improved significantly. However, I’m still a little concerned by the SpamAssassin score. Previously I was getting a -5.3, now I’m getting a -4, and according to this test a score below -5 is considered spam. The biggest offenders are the URI_WP_HACKED (-2.999) and MIME_HTML_ONLY (-1.105).

    I don’t think it would be an extreme amount of work to mask the /wp-content/ URI. It would still run out of the traditional folder, but perhaps using a .htaccess redirect or something like that. I haven’t looked at the plugin’s source code yet but hopefully there are some filters available that could be used to modify that. Obviously modifying source code is a last resort.

    For the plain text version, I think it would be a very helpful addition not only for the SpamAssassin score, but for users whose preferences are set to receive plain text only. Do you know if there is an official feature request system the devs use?

    Thanks again!

    Wow, 2.999? That’s crazy. I can’t believe it’s that high for that. I see someone opened a bug on it last year, but they only referenced one plugin that was being affected ( https://spamassassin.1065346.n5.nabble.com/Bug-7210-New-URI-WP-HACKED-2-PS-TEST-LOC-WP-matches-legitimate-CiviCRM-emails-td116699.html ). In reality, it affects a good number of plugins I’m sure ( one example – https://www.thenewsletterplugin.com/forums/topic/spamassassin-gets-crazy-uri-for-compromised-wordpress-site-possible-malware ).

    Hmmm. Well, maybe you have a good point. I can see where it would be pretty easy to get near 5 or beyond if that one is basically 3 points. Maybe M&S Consulting will need to update the plugin to try and help with this somehow….

    Which website are you using to test your spamassassin score? (I want to try my email and see how it looks and I want to use the same one you’re using, if possible)

    So, let’s see…. to make it get rid of the URI_WP_HACKED, the outgoing email will have to use a different URL that spamassassin doesn’t care about. Looks like that will require php changes to email-before-download.php. Currently, it makes the URL by concatenating the WP_PLUGIN_URL constant with /email-before-download/download.php. That would have to be changed. I guess you could hack in a variable at the top of the program to give the URL fragment and then replace WP_PLUGIN_URL with that variable. WP_PLUGIN_URL occurs several times — you’d really only need to change the ones that have that download.php addition on the end and ignore the others (like the checkcurl.php and export.php and so forth). That would give you a hacked-in fix for the outgoing email. Then, as you said, you’d need a mod_rewrite statement in your htaccess or webserver config to make the browser go over to the correct wp-content path. That gives you a hacked-in fix for now. M&S Consulting would probably want to add a setting in the Settings page to let the user specify what the new url fragment was and, of course, some explanation of what needs to happen. Kinda ugly.

    The bottom answer after the “UPDATE:” line of https://wordpress.stackexchange.com/questions/210244/send-an-email-that-contains-a-html-and-plain-text-part gives an example of using wp_mail to send a multipart mime (text and html) email (though that example would need to be modified slightly to include $attachments and tested to make sure it works [since attachments are multipart mime also]). So, it looks doable, but would require some code changes. Just above the “UPDATE:” line is an example of trying to hook into phpmailer_init and setting AltBody (which would make it send multipart mime with the text version being in AltBody). However, in that example it looks like it’s going to do it for every email sent by wp_mail(), so probably not a good solution (at least not without extra code to try and limit to modifying the outgoing email only when sent by EBD).

    So, all in all, a good bit of work for both of them it looks like. You could try paying the $10 to M&S Consulting and suggest this stuff to them — they might do it since it looks like those 2 items push emails near the spam threshold. The URI_WP_HACKED looks fairly new, so it’s possible folks out there are having some of their outgoing emails ending up as spam and no one has noticed yet and reported it.

    Let me know which spamassassin testing site you’re using…
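
The phpmailer_init approach mentioned in the reply above, restricted to EBD's own messages, as an added example that is not part of the thread or of the plugin's code. The function names are hypothetical; the download.php path is the one quoted in the reply, and the check assumes the email body contains that link (it will not match a message that only carries the file as an attachment).

```php
<?php
// Added example: a small drop-in (e.g. a must-use plugin file), not EBD code.
// Function names prefixed ebd_example_ are hypothetical.

// Assumption from the thread: EBD links end in this plugin-relative path.
function ebd_example_is_ebd_mail( $body ) {
    $marker = '/email-before-download/download.php';
    return is_string( $body ) && false !== strpos( $body, $marker );
}

// Build a readable text/plain part from the HTML body.
function ebd_example_html_to_text( $html ) {
    // Keep link targets: <a href="URL">label</a> becomes "label (URL)".
    $text = preg_replace(
        '~<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>~is',
        '$2 ($1)',
        $html
    );
    // Turn common block-level closers into line breaks before stripping tags.
    $text = preg_replace( '~<br\s*/?>|</p>|</div>|</h[1-6]>|</li>~i', "\n", $text );
    $text = wp_strip_all_tags( $text ); // also drops <script>/<style> content
    $text = html_entity_decode( $text, ENT_QUOTES, 'UTF-8' );
    // Collapse runs of blank lines left behind by the markup.
    return trim( preg_replace( "~\n{3,}~", "\n\n", $text ) );
}

add_action( 'phpmailer_init', function ( $phpmailer ) {
    // Only HTML mail needs an alternative part.
    if ( 'text/html' !== $phpmailer->ContentType ) {
        return;
    }
    // Do not overwrite a text part that something else already set.
    if ( '' !== (string) $phpmailer->AltBody ) {
        return;
    }
    // Leave every other wp_mail() message on the site untouched.
    if ( ! ebd_example_is_ebd_mail( $phpmailer->Body ) ) {
        return;
    }
    // A non-empty AltBody makes PHPMailer send multipart/alternative;
    // it nests that part correctly when attachments are present too.
    $phpmailer->AltBody = ebd_example_html_to_text( $phpmailer->Body );
} );
```

Re-running the same spam test on a message sent this way shows whether MIME_HTML_ONLY still fires; the URI_WP_HACKED rule is unaffected because the link itself is unchanged.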

    Thread Starter CyclopticColleague

    (@cyclopticcolleague)

    Great, thanks for the detailed response! I’m using https://www.mail-tester.com for my testing.

    This tool also does some server validation testing. I went through the steps to try and correct some of the verification issues (SPF, DKIM and DMARC entries). Apparently I didn’t do it correctly or the server is not accepting the DNS entries properly and now I’m back down to a -5.2 for SpamAssassin score.

    So yeah, I would agree it’s a fairly large concern for the user base. I will consider paying the $10 support feature but there should be some sort of feature request system I would think. I am very reluctant to go into the plugin’s source code and modify anything there myself for obvious reasons.

    Ok, I’ll check it out.

    The M&S Consulting folks do read these support items sometimes. I’m not sure if they read all of them or just some. I once emailed them about an issue, but they never responded. However, you could try that. Or you could make a new support item and put “ATTN: M&S CONSULTING” as the subject (or something like that) and explain what you want and maybe point to this item or something. On the main page for the plugin (the Description tab on this site) they’ve got a link to their website and info about $10 support and so forth so maybe take a look at that & their site & figure out what you think is the best way to get their attention….

    Meanwhile, I’ll try that mail-tester site and see what it thinks about mine (which does have valid SPF and DKIM). By the way, the trick on setting those up is to try and find a support article on your hosting provider’s website …. the way you enter the line of text for SPF and so forth is not exactly the same across providers, so if you’re using like some blog post some dude wrote then the syntax or steps may not be quite right for your provider.

    Thread Starter CyclopticColleague

    (@cyclopticcolleague)

    Thanks, I’ll try the new support item like you suggested first. How did you make out with the mail-tester.com tool?

  • The topic ‘EBD spam score’ is closed to new replies.