Folks: https://isc.sans.edu/diary/Malicious+spam+with+links+to+CryptoWall+3.0+-+Subject%3A+Domain+%5Bname%5D+Suspension+Notice/20333
This may not do well enough in masscheck to get published, so it's probably a good idea to just put it in your local ruleset:
uri URI_MALWARE_CWALL /\/abuse_report\.php\?/i describe URI_MALWARE_CWALL Potential CryptoWall malware URL score URI_MALWARE_CWALL 6.000 -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 ----------------------------------------------------------------------- Perfect Security and Absolute Safety are unattainable; beware those who would try to sell them to you, regardless of the cost, for they are trying to sell you your own slavery. ----------------------------------------------------------------------- 2 days until Veterans Day