On Thu, 26 May 2016, RW wrote:
I noticed that Bayes is picking up on very strong tokens from "eval" and
"code" in headers like this:

    X-PHP-Originating-Script: 1013:global.php(1938) : eval()'d code

The "eval()'d code" part is in just over 2% of my spam, but it's
never occurred in a single ham in my corpus.
It doesn't do too well in masscheck:
http://ruleqa.spamassassin.org/20160528-r1745852-n/__PHP_ORIG_SCRIPT_EVAL/detail
The spams seem to be coming from exploited web-servers, and I'm
wondering if it might be a symptom of the exploit.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
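
Added example, not part of the original message and not SpamAssassin's own rule code: a parser for the X-PHP-Originating-Script value quoted above that reports when a message was sent from eval()'d code, for checking mail leaving or arriving from a PHP host. It assumes PHP's "<uid>:<script>" value format; the function names and every sample message other than the quoted header value are constructed.

```python
import re
from email import message_from_string

# Value format written by PHP's mail.add_x_header: "<uid>:<script>", where a
# script running inside eval() is reported as "<file>(<line>) : eval()'d code".
_VALUE = re.compile(r"^\s*(?P<uid>\d+):(?P<script>.*?)\s*$")
_EVAL = re.compile(r"\((?P<line>\d+)\) : eval\(\)'d code")


def parse_originating_script(value):
    """Split one header value into uid, file, first eval line and eval depth."""
    m = _VALUE.match(value)
    if not m:
        return None  # not in the expected "<uid>:<script>" form
    script = m.group("script")
    evals = list(_EVAL.finditer(script))
    first = evals[0] if evals else None
    return {
        "uid": int(m.group("uid")),
        "file": script[: first.start()] if first else script,
        "eval_line": int(first.group("line")) if first else None,
        "eval_depth": len(evals),  # nested eval() repeats the suffix
    }


def eval_sent(raw_message):
    """Return the parsed headers of a message that report eval()'d code."""
    msg = message_from_string(raw_message)
    parsed = (parse_originating_script(v)
              for v in msg.get_all("X-PHP-Originating-Script", []))
    return [p for p in parsed if p and p["eval_depth"] > 0]


# Constructed sample messages; only the first header value is from the post.
SAMPLES = [
    "X-PHP-Originating-Script: 1013:global.php(1938) : eval()'d code\n"
    "Subject: constructed sample\n\nbody\n",
    "X-PHP-Originating-Script: 33:contact-form.php\n"
    "Subject: constructed sample\n\nbody\n",
    "X-PHP-Originating-Script: 48:a.php(7) : eval()'d code(1) : eval()'d code\n"
    "Subject: constructed sample\n\nbody\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(eval_sent(raw))
```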