Posted to commits@spamassassin.apache.org by jh...@apache.org on 2014/11/17 20:55:34 UTC

svn commit: r1640216 - /spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Author: jhardin
Date: Mon Nov 17 19:55:34 2014
New Revision: 1640216

URL: http://svn.apache.org/r1640216
Log:
hacked WordPress rule tweaks

Modified:
    spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1640216&r1=1640215&r2=1640216&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Mon Nov 17 19:55:34 2014
@@ -1418,11 +1418,9 @@ meta        URI_WPADMIN        __URI_WPA
 describe    URI_WPADMIN        WordPress login/admin URI, possible phishing
 tflags      URI_WPADMIN        publish
 
-uri         __URI_WPCONTENT    m,/wp-content/.*\.php\b,i
-uri         __URI_WPINCLUDES   m,/wp-includes/.*\.php\b,i
-uri         __URI_WPCONTENT_W  m,/wp-content/.*\.(?:php|html?)\b,i
-uri         __URI_WPINCLUDES_W m,/wp-includes/.*\.(?:php|html?)\b,i
+uri         __URI_WPCONTENT    m,/wp-content/.*\.(?:php|html?)\b,i
 uri         __URI_WPCONTENT_L  m,/wp-content/.*\.(?:(?!gif|jpg|png|bmp|ico|eot|pdf)[a-z]{3}|(?!jpeg)[a-z]{4})\b,i
+uri         __URI_WPINCLUDES   m,/wp-includes/.*\.(?:php|html?)\b,i
 uri         __URI_WPINCLUDES_L m,/wp-includes/.*\.(?:(?!gif|jpg|png|bmp|ico|eot|pdf)[a-z]{3}|(?!jpeg)[a-z]{4})\b,i
 meta        URI_WP_HACKED      (__URI_WPCONTENT || __URI_WPINCLUDES) && !__VIA_ML && !__HAS_ERRORS_TO && !__RCD_RDNS_SMTP && !__THREADED && !ALL_TRUSTED && !__NOT_SPOOFED 
 describe    URI_WP_HACKED      URI for compromised WordPress site, possible malware
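Review bot: The widened `__URI_WPCONTENT` and `__URI_WPINCLUDES` patterns use an unbounded `.*`, so the `.php`/`.html` suffix can be satisfied by text in the query string or fragment instead of the path. A link such as `/wp-content/uploads/a.jpg?src=b.html` would match, and adding `html?` makes that kind of false hit on `URI_WP_HACKED` more likely than it was with `.php` alone. Consider keeping the match inside the path, e.g. `m,/wp-content/[^?#]*\.(?:php|html?)\b,i`, with the same change for `wp-includes`. This hunk also drops `__URI_WPCONTENT_W` and `__URI_WPINCLUDES_W`; any meta elsewhere in the file that still names them (not visible here) would be left with an undefined dependency, so a lint run after this change is worth doing.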
@@ -1437,7 +1435,7 @@ tflags      URI_WP_DIRINDEX    publish
 
 # this has some overlap with URI_WP_HACKED
 uri         __PS_TEST_LOC_WP   m;/(?:wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module)/.{1,64}(?!\.gif|\.jpg|\.png|\.bmp|\.ico|\.pdf).{4}$;i
-meta        URI_WP_HACKED_2    __PS_TEST_LOC_WP && !__TO_EQ_FROM && !__THREADED 
+meta        URI_WP_HACKED_2    (__PS_TEST_LOC_WP && !URI_WP_HACKED) && !__TO_EQ_FROM && !__THREADED 
 describe    URI_WP_HACKED_2    URI for compromised WordPress site, possible malware
 score       URI_WP_HACKED_2    2.000   # limit
 tflags      URI_WP_HACKED_2    publish
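Review bot: The comment above `__PS_TEST_LOC_WP` still says only that the rule "has some overlap with URI_WP_HACKED", but the new meta now suppresses `URI_WP_HACKED_2` whenever `URI_WP_HACKED` hits. I would update it to something like `# overlaps URI_WP_HACKED; URI_WP_HACKED_2 only fires when URI_WP_HACKED did not`. Because the exclusion is on the full meta rather than on `__URI_WPCONTENT`/`__URI_WPINCLUDES`, mail that `URI_WP_HACKED` exempts (for example via `!__VIA_ML` or `!ALL_TRUSTED`) can still hit `URI_WP_HACKED_2`. If that is intended, the comment should say so. The parentheses around the first two terms are redundant in an all-`&&` expression.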