Modsecurity ACL rules to stop spam

[bsasninja]

I was receiving a lot bounces at the Exim queue caused by spam posted in contact forms. So I setup this rule at /etc/httpd/conf/modsec.user.conf (also works for post made in guestbooks or forums)

All post containing the specified words will be refused with a 406 error.

In this case we block viagra, pharmacy, mortgage, loan, Anatrim, casino, etc words.

SecFilter "(viagra|pharmacy|phentermine|symbol|mortgage|pills|prozac|xanax|loan|
loans|roulette|casino|poker|blackjack|watches|valium|tramadol|carisoprodol|morta
ge|Anatrim|FINANZINVESTOREN)"
SecFilterSelective HTTP_REFERER "(viagra|pharmacy|phentermine|symbol|mortgage|pi
lls|prozac|xanax|loan|loans|roulette|casino|poker|blackjack|watches|valium|trama
dol|carisoprodol|mortage|Anatrim|FINANZINVESTOREN)"
SecFilterSelective POST_PAYLOAD "(viagra|pharmacy|phentermine|symbol|mortgage|pi
lls|prozac|xanax|loan|loans|roulette|casino|poker|blackjack|watches|valium|trama
dol|carisoprodol|mortage|Anatrim|FINANZINVESTOREN)"
SecFilterSelective HTTP_REFERER|ARGS "(natural|penis|male).*(enlarg.*|enhanc.*)"

If anyone has more words or spam that are received frequently please post it here to help others.
We could make a list and I can update the post with them.

Thank you.

BsAs Ninja

 

[freedman]

I was receiving a lot bounces at the Exim queue caused by spam posted in contact forms. So I setup this rule at /etc/httpd/conf/modsec.user.conf (also works for post made in guestbooks or forums)

All post containing the specified words will be refused with a 406 error.

In this case we block viagra, pharmacy, mortgage, loan, Anatrim, casino, etc words.
...

lets hope none of your hosting clients are running a financial forum.. they'll be disappointed.

I think being aggressive about spam is a great thing, but there's such a thing as too much.
ideally, you should be watching for multiple similar posts and then multiple repeated posts from the same IP's...

encouraging people to use forum software which has anti-spam features will be a much better solution.

I tend to recommend phorum ( www.phorum.org ),
there are also akismet plugins for wordpress, etc...

this way, if someone does have a forum wherein people would legitimately discuss the things you're blocking, they wont have issues.

 

[bsasninja]

Anyways I dont have clients running gambling, drugs, sex sites (cause i dont accept them)
and if that was the case I just disable the rules for that specific domain.

Here is a link with some handy rules to stop this types of referrer spam http://www.ilovejackdaniels.com/apache/block-referrer-spam/