spamassassin-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David F. Skoll" <...@roaringpenguin.com>
Subject Re: hacked sites/ costco.com JJ
Date Fri, 05 Dec 2014 01:30:45 GMT
On Thu, 04 Dec 2014 23:40:39 +0100
Axb <axb.lists@gmail.com> wrote:

> uri    __URI_COSTCO	/costco\.com/i
> uri	__URI_PHPASKC	/\.php\?c\=/
> meta	AXB_URI_COSTCO_JJ	(__URI_COSTCO && __URI_PHPASKC)
> score	AXB_URI_COSTCO_JJ	10.0

I've seen variants purportedly from Kroger, Target and Best Buy.
We're having good luck with the following:

uri        __RP_D_00081_1 /\.php\?(?:dp|k|c|t)=[\/A-Za-z0-9=+]{25}/
header     __RP_D_00081_2 Subject =~ /\b(?:order|buying)\b/i
meta       RP_D_00081 __RP_D_00081_1 && __RP_D_00081_2
describe   RP_D_00081 Link to malware
score      RP_D_00081 30

Regards,

David.

Mime
View raw message