| rawbody __PDS_CPANEL_PORT_SPOOFEDURL m/<a\s[^>]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# ]{8,29}[^>"'\# :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5,50}:208[73]/i |
| |
| meta PDS_CPANEL_PORT_SPOOFEDURL __PDS_CPANEL_PORT_SPOOFEDURL |
| describe PDS_CPANEL_PORT_SPOOFEDURL URL using a cPanel port in text but not the href |
| score PDS_CPANEL_PORT_SPOOFEDURL 0.5 |
| |
| header __PDS_CPANEL_FROM_NAME From:name =~ /^cPanel on / |
| header __PDS_CPANEL_FROM_ADDR From:addr =~ /^cpanel/ |
| header __PDS_CPANEL_FROM_ADDR_FAKE From:addr =~ /^cPanelon/ |
| |
| header __PDS_CPANEL_CT Content-Type =~ /Cpanel::Email::Object/ |
| header __PDS_CPANEL_XICONTACT exists:X-iContact_locale |
| |
| meta __PDS_CPANEL_SPOOF_PHP (__PDS_CPANEL_FROM_NAME || __PDS_CPANEL_FROM_ADDR_FAKE) && (__PHP_MUA || __HAS_PHP_SCRIPT) |
| |
| meta __PDS_CPANEL_MISSING_HEADERS __PDS_CPANEL_FROM_NAME && !(__PDS_CPANEL_CT || __PDS_CPANEL_XICONTACT) |
| |
| meta __PDS_CONFUSED_CPANEL_FROM __PDS_CPANEL_MISSING_HEADERS && (!__PDS_CPANEL_FROM_ADDR || __PDS_CPANEL_FROM_ADDR_FAKE) |
| |
