On 04.11.2014 at 02:31, David Jones wrote:
> From: Reindl Harald <h.rei...@thelounge.net>
> Sent: Monday, November 3, 2014 4:01 PM
> To: users@spamassassin.apache.org
> Subject: Re: Hacked sites: dropbox/googlebox/banking
>
>> On 03.11.2014 at 22:55, John Hardin wrote:
>>> On Mon, 3 Nov 2014, Quanah Gibson-Mount wrote:
>>>> --On November 3, 2014 at 7:52:10 AM -0800 John Hardin <jhar...@impsec.org> wrote:
>>>>> On Mon, 3 Nov 2014, Reindl Harald wrote:
>>>>>> in fact we can kill them all by a single rule and so extend it to future filenames or foldernames
>>>>>>
>>>>>> uri RH_URI_MLW_ZEROHOUR /\/(dropbox|googlebox|banking)\/(document|doc|invoice)\.php$/
>>>>>> score RH_URI_MLW_ZEROHOUR 100
>>>>>
>>>>> Adding a tuned version of this to my sandbox right now.
>>>>
>>>> Care to share the tuned version?
>>>
>>> My rule sandbox is publicly visible via the project SVN browser...
>>> http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/
>>> But there are signs that this is too quickly-mutating for a standard rule maintained by sa-update to be useful
>>
>> yes, but i guess reporting mutations in this thread after someone faces the next version could be a great improvement - the last 3 versions caught other messages to users here minutes later
>
> Can someone post an example of this latest version to pastebin? I filter for over 90,000 mailboxes and don't seem to be experiencing this spam, or either it's getting blocked by other means. No user complaints
sorry, deleted after updating the rule, and because it was just a plaintext two-liner it was not saved for bayes-training (could have a bad impact for short legit mail)

since it made it to postmaster it was maybe killed anyway for other users, or would not even have made it to SA because of PTR or other violations; until now it is indeed the only appearance with /banking/ - better safe than sorry

however, the typical scheme is http://domain/folder/filename.php pointing to a hacked server
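The following is an added example, not part of the thread or of the SpamAssassin rule set. It takes the `uri` rule pattern quoted above and runs it the way SpamAssassin applies a `uri` rule, namely against each URI extracted from a message body, using a few constructed sample URIs. The simple URI extractor, the sample body and the looser `ZEROHOUR_LOOSE_RE` variant are assumptions made here for illustration; they are not the "tuned version" discussed in the thread.

```python
import re

# The uri rule pattern from the thread, written as a Python regex.
# SpamAssassin's "uri" rules test the pattern against every URI found in
# the body, so the same pattern is applied per URI below.
ZEROHOUR_RE = re.compile(
    r"/(dropbox|googlebox|banking)/(document|doc|invoice)\.php$"
)

# Assumption for this example: the thread's pattern is anchored with "$",
# so a URI that carries a query string or fragment after ".php" is not hit.
# This variant (not from the thread) accepts "end of URI", "?" or "#" after
# the filename so that such a URI is still caught.
ZEROHOUR_LOOSE_RE = re.compile(
    r"/(dropbox|googlebox|banking)/(document|doc|invoice)\.php(?:$|[?#])"
)

# Minimal URI extractor for the demonstration (assumption: SpamAssassin's own
# extractor is much more thorough; this only picks up plain http(s) links).
URI_RE = re.compile(r"https?://[^\s<>\"']+")


def matches_zerohour(uri: str) -> bool:
    """True if the URI path ends with one of the folder/file combinations."""
    return ZEROHOUR_RE.search(uri) is not None


def matches_zerohour_loose(uri: str) -> bool:
    """Same check with the looser suffix handling."""
    return ZEROHOUR_LOOSE_RE.search(uri) is not None


def scan_body(body: str, loose: bool = False) -> list:
    """Return the URIs in the body that the rule would fire on."""
    check = matches_zerohour_loose if loose else matches_zerohour
    return [u for u in URI_RE.findall(body) if check(u)]


# Constructed sample body: one hit, one legitimate-looking link that must not
# match (the folder names are not in the path), and one URI with a query string.
SAMPLE_BODY = """Hello,
please review the attached invoice:
http://compromised.example/banking/invoice.php
regards
http://www.dropbox.com/s/abc123/file.pdf
https://example.test/googlebox/doc.php?id=1
"""

if __name__ == "__main__":
    print("strict:", scan_body(SAMPLE_BODY))
    print("loose :", scan_body(SAMPLE_BODY, loose=True))
```

Running the block shows the strict pattern catching only the first link, while the query-string variant is caught only by the looser pattern; when adjusting such a rule it is worth checking both the hits and the legitimate links that must stay clean, as the second sample does.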