On 09/03/2014 08:09 PM, David F. Skoll wrote:
On Wed, 3 Sep 2014 18:02:31 +0000
"Spectrum CS" <spamassassin-li...@spectrumcs.net> wrote:
Would you be able to share your regexp? I'm struggling to update my
regexp to catch the .php :)
Ah, this is what I have. (I've changed the rule names, but that shouldn't
matter.)
uri __RP_D_00069_1 /\/wp-content\/(?:plugins|themes)\/.*\.php/is
uri __RP_D_00069_2 /\/wp-includes\/.*\.php/is
meta RP_D_00069 __RP_D_00069_1 || __RP_D_00069_2
describe RP_D_00069 Contains URL that may point to hacked WordPress site
I am seeing the occasional false-positive. I would hesitate to score this
at 5 without some additional rules.
try adding this to the meta (req SA 3.4)
ifplugin Mail::SpamAssassin::Plugin::BodyEval
if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
body __BODY_LENGTH_100 eval:check_body_length('100')
endif
endif
