Posted to commits@spamassassin.apache.org by jh...@apache.org on 2018/07/04 16:48:38 UTC

svn commit: r1835067 - /spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Author: jhardin
Date: Wed Jul  4 16:48:38 2018
New Revision: 1835067

URL: http://svn.apache.org/viewvc?rev=1835067&view=rev
Log:
Add malware URI rule, see https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39?gi=7ec45f2481ce

Modified:
    spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1835067&r1=1835066&r2=1835067&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Wed Jul  4 16:48:38 2018
@@ -1158,6 +1158,11 @@ body        NOT_SPAM           /\b(?:thi
 describe    NOT_SPAM           I'm not spam! Really! I'm not, I'm not, I'm not!
 
 
+# see https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39?gi=7ec45f2481ce
+uri         URI_MALWARE_SCMS   /\.SettingContent-ms\b/i
+describe    URI_MALWARE_SCMS   Link to malware exploit download (.SettingContent-ms file)
+tflags      URI_MALWARE_SCMS   publish
+
 # suggested by http://isc.sans.edu/diary.html?storyid=13921
 uri         URI_MALWARE_BH     /\.\w{2,4}\/[\d\w]{8}\/index\.html/i
 describe    URI_MALWARE_BH     Possible BlackHole malware links / phishing
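Review bot: The `\b` after `ms` in the new URI_MALWARE_SCMS pattern does not pin the extension to the end of a file name, because a word boundary also exists before `-`, `.` or `/`. A URI whose path merely continues after that text, for example one ending in `.SettingContent-ms-analysis.html` (constructed example), would still hit. If the intent is links that fetch a file of that type, consider `/\.SettingContent-ms(?:[?#&]|$)/i`, and check it against the mass-check corpus, since the rule is marked `tflags publish`. The describe text also states as fact that the link is a malware download; a hedged wording such as `Possible malware exploit download (.SettingContent-ms file)`, in line with URI_MALWARE_BH just below, is all a bare extension match can support.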