On 11/09/2015 06:09 PM, John Hardin wrote:
Folks:https://isc.sans.edu/diary/Malicious+spam+with+links+to+CryptoWall+3.0+-+Subject%3A+Domain+%5Bname%5D+Suspension+Notice/20333 This may not do well enough in masscheck to get published, so it's probably a good idea to just put it in your local ruleset: uri URI_MALWARE_CWALL /\/abuse_report\.php\?/i describe URI_MALWARE_CWALL Potential CryptoWall malware URL score URI_MALWARE_CWALL 6.000
I'd score that 15 - better safe than sorry.