On 11/04/2014 02:31 AM, David Jones wrote:
________________________________________
From: Reindl Harald <h.rei...@thelounge.net>
Sent: Monday, November 3, 2014 4:01 PM
To: users@spamassassin.apache.org
Subject: Re: Hacked sites: dropbox/googlebox/banking
Am 03.11.2014 um 22:55 schrieb John Hardin:
On Mon, 3 Nov 2014, Quanah Gibson-Mount wrote:
--On November 3, 2014 at 7:52:10 AM -0800 John Hardin
<jhar...@impsec.org> wrote:
On Mon, 3 Nov 2014, Reindl Harald wrote:
in fact we can kill them all by a single rule and so extend it to future
filenames or foldernames
uri RH_URI_MLW_ZEROHOUR /\/(dropbox|googlebox|banking)\/(document|doc|invoice)\.php$/
score RH_URI_MLW_ZEROHOUR 100
Adding a tuned version of this to my sandbox right now.
Care to share the tuned version?
My rule sandbox is publicly visible via the project SVN browser...
http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/
But there are signs that this is too quickly-mutating for a standard
rule maintained by sa-update to be useful
yes, but i guess reporting mutations in this thread after someone faces
the next version could be a great improvement - the last 3 versions
caught minutes later other messages to users here
Can someone post an example of this latest version to pastebin?
I filter for over 90,000 mailboxes and don't seem to be experiencing
this spam or either it's getting blocked by other means. No user complaints.
just sighted:
http://structuresgroup[.]com/dropbox/document[.]php
structuresgroup.com listed on black.uribl.com
structuresgroup.com listed on uri.invaluement.com
http://www[.]sunderlandscouts[.]org[.]uk/dropbox/document[.]php
sunderlandscouts.org.uk listed on black.uribl.com
sunderlandscouts.org.uk listed on uri.invaluement.com
http://spschile[.]com/dropbox/document[.]php
spschile.com listed on black.uribl.com
spschile.com listed on uri.invaluement.com
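
Added example, not part of the original thread: a small Python harness that runs the RH_URI_MLW_ZEROHOUR pattern quoted above over the three sighted URLs and a few constructed ones, to confirm coverage and check for false positives before scoring the rule at 100. The helper names (refang, check, SIGHTED, CONSTRUCTED) and the example.com / www.dropbox.com samples are assumptions made for this illustration; Python's re module is used in place of SpamAssassin's Perl regex engine, which behaves the same for this pattern.

```python
import re

# Pattern body copied from the RH_URI_MLW_ZEROHOUR rule quoted in the thread
# (the Perl delimiters and the \/ escapes are dropped; the meaning is unchanged).
RULE = re.compile(r"/(dropbox|googlebox|banking)/(document|doc|invoice)\.php$")


def refang(url):
    """Undo the [.] defanging used when the URLs were posted to the list."""
    return url.replace("[.]", ".")


def check(urls):
    """Return {url: bool}: would the uri rule fire on each (refanged) URL?"""
    return {u: bool(RULE.search(refang(u))) for u in urls}


# The three URLs reported in the thread, kept defanged as posted.
SIGHTED = [
    "http://structuresgroup[.]com/dropbox/document[.]php",
    "http://www[.]sunderlandscouts[.]org[.]uk/dropbox/document[.]php",
    "http://spschile[.]com/dropbox/document[.]php",
]

# Constructed samples (not from the thread) for coverage and false positives.
CONSTRUCTED = [
    "http://example[.]com/googlebox/invoice[.]php",    # other alternation branches
    "http://example[.]com/banking/doc[.]php",          # other alternation branches
    "http://example[.]com/dropbox/document[.]pdf",     # wrong extension
    "http://example[.]com/mydropbox/doc[.]php",        # folder name only contains "dropbox"
    "https://www[.]dropbox[.]com/s/abc/document[.]php" # "dropbox" in host, not a folder
]

if __name__ == "__main__":
    for url, hit in check(SIGHTED + CONSTRUCTED).items():
        print("HIT " if hit else "miss", url)
```
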