You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@spamassassin.apache.org by jh...@apache.org on 2014/11/17 20:55:34 UTC
svn commit: r1640216 -
/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Author: jhardin
Date: Mon Nov 17 19:55:34 2014
New Revision: 1640216
URL: http://svn.apache.org/r1640216
Log:
hacked WordPress rule tweaks
Modified:
spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1640216&r1=1640215&r2=1640216&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Mon Nov 17 19:55:34 2014
@@ -1418,11 +1418,9 @@ meta URI_WPADMIN __URI_WPA
describe URI_WPADMIN WordPress login/admin URI, possible phishing
tflags URI_WPADMIN publish
-uri __URI_WPCONTENT m,/wp-content/.*\.php\b,i
-uri __URI_WPINCLUDES m,/wp-includes/.*\.php\b,i
-uri __URI_WPCONTENT_W m,/wp-content/.*\.(?:php|html?)\b,i
-uri __URI_WPINCLUDES_W m,/wp-includes/.*\.(?:php|html?)\b,i
+uri __URI_WPCONTENT m,/wp-content/.*\.(?:php|html?)\b,i
uri __URI_WPCONTENT_L m,/wp-content/.*\.(?:(?!gif|jpg|png|bmp|ico|eot|pdf)[a-z]{3}|(?!jpeg)[a-z]{4})\b,i
+uri __URI_WPINCLUDES m,/wp-includes/.*\.(?:php|html?)\b,i
uri __URI_WPINCLUDES_L m,/wp-includes/.*\.(?:(?!gif|jpg|png|bmp|ico|eot|pdf)[a-z]{3}|(?!jpeg)[a-z]{4})\b,i
meta URI_WP_HACKED (__URI_WPCONTENT || __URI_WPINCLUDES) && !__VIA_ML && !__HAS_ERRORS_TO && !__RCD_RDNS_SMTP && !__THREADED && !ALL_TRUSTED && !__NOT_SPOOFED
describe URI_WP_HACKED URI for compromised WordPress site, possible malware
@@ -1437,7 +1435,7 @@ tflags URI_WP_DIRINDEX publish
# this has some overlap with URI_WP_HACKED
uri __PS_TEST_LOC_WP m;/(?:wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module)/.{1,64}(?!\.gif|\.jpg|\.png|\.bmp|\.ico|\.pdf).{4}$;i
-meta URI_WP_HACKED_2 __PS_TEST_LOC_WP && !__TO_EQ_FROM && !__THREADED
+meta URI_WP_HACKED_2 (__PS_TEST_LOC_WP && !URI_WP_HACKED) && !__TO_EQ_FROM && !__THREADED
describe URI_WP_HACKED_2 URI for compromised WordPress site, possible malware
score URI_WP_HACKED_2 2.000 # limit
tflags URI_WP_HACKED_2 publish