spamassassin-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David F. Skoll" <...@roaringpenguin.com>
Subject Re: Re-2: Hacked Wordpress sites & Cryptolocker
Date Wed, 03 Sep 2014 18:09:23 GMT
On Wed, 3 Sep 2014 18:02:31 +0000
"Spectrum CS" <spamassassin-lists@spectrumcs.net> wrote:

> Would you be able to share your regexp? I'm struggling to update my
> regexp to catch the .php :)

Ah, this is what I have.  (I've changed the rule names, but that shouldn't
matter.)

uri        __RP_D_00069_1 /\/wp-content\/(?:plugins|themes)\/.*\.php/is
uri        __RP_D_00069_2 /\/wp-includes\/.*\.php/is
meta       RP_D_00069 __RP_D_00069_1 || __RP_D_00069_2
describe   RP_D_00069 Contains URL that may point to hacked WordPress site

I am seeing the occasional false-positive.  I would hesitate to score this
at 5 without some additional rules.

Regards,

David.

Mime
View raw message