Posted to commits@spamassassin.apache.org by jh...@apache.org on 2018/07/04 16:48:38 UTC
svn commit: r1835067 -
/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Author: jhardin
Date: Wed Jul 4 16:48:38 2018
New Revision: 1835067
URL: http://svn.apache.org/viewvc?rev=1835067&view=rev
Log:
Add malware URI rule, see https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39?gi=7ec45f2481ce
Modified:
spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?rev=1835067&r1=1835066&r2=1835067&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf Wed Jul 4 16:48:38 2018
@@ -1158,6 +1158,11 @@ body NOT_SPAM /\b(?:thi
describe NOT_SPAM I'm not spam! Really! I'm not, I'm not, I'm not!
+# see https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39?gi=7ec45f2481ce
+uri URI_MALWARE_SCMS /\.SettingContent-ms\b/i
+describe URI_MALWARE_SCMS Link to malware exploit download (.SettingContent-ms file)
+tflags URI_MALWARE_SCMS publish
+
# suggested by http://isc.sans.edu/diary.html?storyid=13921
uri URI_MALWARE_BH /\.\w{2,4}\/[\d\w]{8}\/index\.html/i
describe URI_MALWARE_BH Possible BlackHole malware links / phishing
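Review bot: The trailing `\b` in the new `URI_MALWARE_SCMS` pattern does not pin the match to a file extension, because a word boundary is also satisfied by `-`, `.` or `/`. The rule therefore fires on a hostname label or a longer file name that merely contains `.SettingContent-ms`, and with `tflags publish` that false-positive surface goes out to every install. If only links whose path or parameter value ends in the extension are intended, `uri URI_MALWARE_SCMS /\.SettingContent-ms(?:[?#&]|$)/i` keeps the query-parameter case while dropping the others. The describe text also states as fact that the link is a malware download, although the rule matches on an extension alone. The neighbouring URI_MALWARE_BH hedges with "Possible", and `describe URI_MALWARE_SCMS Possible malware download link (.SettingContent-ms file)` would be consistent with it.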