On Wed, 3 Sep 2014 18:02:31 +0000 "Spectrum CS" <spamassassin-li...@spectrumcs.net> wrote:
> Would you be able to share your regexp? I'm struggling to update my > regexp to catch the .php :) Ah, this is what I have. (I've changed the rule names, but that shouldn't matter.) uri __RP_D_00069_1 /\/wp-content\/(?:plugins|themes)\/.*\.php/is uri __RP_D_00069_2 /\/wp-includes\/.*\.php/is meta RP_D_00069 __RP_D_00069_1 || __RP_D_00069_2 describe RP_D_00069 Contains URL that may point to hacked WordPress site I am seeing the occasional false-positive. I would hesitate to score this at 5 without some additional rules. Regards, David.
