Sorry for the poor reference. I was trying to link to VT. I was getting a “Cannot post to that host” error message. I guessed it might be a problem with the link, after ensuring I was auth’ed to this site…
I will move these to the OPEN ruleset today and will update this message once I have the new SIDs.
I did a lot of searching/pivoting based on the pattern that you found in the URI. From what I can tell looks like the values within the URI and the filename (data.php) appear to be very consistent. Knowing this allows for a static content match that acts as a good fast_pattern;
These two signatures were created back in 2020 and still produce good sig hits today!
There are now out in the open ruleset!
2043008 - ET ADWARE_PUP Win32/Atshz.A Checkin (adware_pup.rules)
2043009 - ET ADWARE_PUP Win32/Atshz.A Checkin M2 (adware_pup.rules)
Sounds like this was hitting a spam rule in Discourse about linking to the same domain in multiple posts. We’ve got it fixed for ya now though. Sorry for the trouble. But, I think moving forward wrapping rules as “preformatted-text” will avoid it creating a link to the site, make it easier for copy/paste too.