Thanks.
royalmail-service.co.uk is now hitting URIBL_BLACK too :)
Regards
Steve
-------- Original Message --------
Subject: Re: Re-2: Hacked Wordpress sites & Cryptolocker (03-Sep-2014 19:10)
From: David F. Skoll <d...@roaringpenguin.com>
To: spamassassin-li...@spectrumcs.net
> On Wed, 3 Sep 2014 18:02:31 +0000
> "Spectrum CS" <spamassassin-li...@spectrumcs.net> wrote:
>
> > Would you be able to share your regexp? I'm struggling to update my
> > regexp to catch the .php :)
>
> Ah, this is what I have. (I've changed the rule names, but that shouldn't
> matter.)
>
> uri __RP_D_00069_1 /\/wp-content\/(?:plugins|themes)\/.*\.php/is
> uri __RP_D_00069_2 /\/wp-includes\/.*\.php/is
> meta RP_D_00069 __RP_D_00069_1 || __RP_D_00069_2
> describe RP_D_00069 Contains URL that may point to hacked WordPress site
>
> I am seeing the occasional false-positive. I would hesitate to score this
> at 5 without some additional rules.
>
> Regards,
>
> David.
>
> To: users@spamassassin.apache.org
To: d...@roaringpenguin.com
users@spamassassin.apache.org
DISCLAIMER
This email is for the use of the intended recipient(s) only. If you have
received this email in error, please notify the sender immediately and then
delete it.
If you are not the intended recipient, you must not keep, use, disclose, copy
or distribute this email without the authors prior permission.
We have taken precautions to minimise the risk of transmitting software
viruses, but we advise you to carry out your own virus checks on any attachment
to this message.
We cannot accept liability for any loss or damage caused by software viruses.
The information contained in this communication may be confidential and may be
subject to the attorney-client privilege.
If you are the intended recipient and you do not wish to receive similar
electronic messages from us in future then please respond to the sender to this
effect.
