On Thu, 26 May 2016, John Hardin wrote:
> On Thu, 26 May 2016, Reindl Harald wrote:
>> On 26.05.2016 at 20:50, RW wrote:
>>> I noticed that Bayes is picking-up on very strong tokens from "eval" and "code" in headers like this:
>>>
>>> X-PHP-Originating-Script: 1013:global.php(1938) : eval()'d code
>>>
>>> The "eval()'d code" part is in just over 2% of my spam, but it's never occurred in a single ham in my corpus. The spams seem to be coming from exploited web-servers, and I'm wondering if it might be a symptom of the exploit
>>
>> looks like worth a rule to add points
>
> I've asked for samples and will add a rule based on that.

FWIW, there's a variant of that in the "KAM.cf" ruleset from March of this year. (Look for __KAM_BADPHP1, which is meta'ed into KAM_BADPHP.) It doesn't hit a lot of stuff (only 0.08%) but does have a high S/O (0.9984) in my mail stream (over the last 2 months).

--
Dave Funk                                University of Iowa
<dbfunk (at) engineering.uiowa.edu>      College of Engineering
319/335-5751   FAX: 319/384-0549         1256 Seamans Center
Sys_admin/Postmaster/cell_admin          Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
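
The header check discussed in this thread, as an added example that is not part of any message here and is not the KAM.cf rule: a Python scan of a labelled corpus for `X-PHP-Originating-Script` values ending in `eval()'d code`, counting hits per class. It assumes the `uid:script(line) : eval()'d code` layout of the header RW quoted; the function names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Assumed layout, taken from the header quoted in the thread:
#   uid:script(line) : eval()'d code
EVAL_RE = re.compile(
    r"^\s*(?P<uid>\d+):(?P<script>.+?)\((?P<line>\d+)\)\s*:\s*eval\(\)'d code"
)

def php_eval_origin(raw_message):
    """Return (uid, script, line) for each eval()'d origin header, else []."""
    msg = message_from_string(raw_message, policy=default)
    hits = []
    # get_all: a message can carry more than one such header.
    for value in msg.get_all("X-PHP-Originating-Script", []):
        # Normalise whitespace so folded header lines still match.
        m = EVAL_RE.search(" ".join(str(value).split()))
        if m:
            hits.append((int(m["uid"]), m["script"], int(m["line"])))
    return hits

def hit_counts(corpus):
    """Count messages per label ('spam'/'ham') that carry the eval marker."""
    counts = {"spam": 0, "ham": 0}
    for label, raw in corpus:
        if php_eval_origin(raw):
            counts[label] += 1
    return counts

# Constructed sample messages (not real mail). The first header value is
# the one quoted in the thread; the second is folded across two lines.
CORPUS = [
    ("spam", "From: a@example.com\nSubject: x\n"
             "X-PHP-Originating-Script: 1013:global.php(1938) : eval()'d code\n\nbody\n"),
    ("spam", "From: b@example.com\n"
             "X-PHP-Originating-Script: 33:mailer.php(12) :\n eval()'d code\n\nbody\n"),
    ("ham",  "From: c@example.com\n"
             "X-PHP-Originating-Script: 1000:contact.php\n\nbody\n"),
    ("ham",  "From: d@example.com\nSubject: eval()'d code in my logs\n\nbody\n"),
]

if __name__ == "__main__":
    print(hit_counts(CORPUS))
```

Matching only the named header keeps ordinary mail that merely mentions the phrase (the last sample) from counting as a hit.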