The Community Forums

Modsecurity ACL rules to stop spam

Discussion in 'Security' started by bsasninja, Apr 30, 2007.

  1. bsasninja

    I was receiving a lot of bounces in the Exim queue caused by spam posted in contact forms, so I set up this rule in /etc/httpd/conf/modsec.user.conf (it also works for posts made in guestbooks or forums).

    All posts containing the specified words will be refused with a 406 error.

    In this case we block the words viagra, pharmacy, mortgage, loan, Anatrim, casino, etc.

    SecFilter "(viagra|pharmacy|phentermine|symbol|mortgage|pills|prozac|xanax|loan|loans|roulette|casino|poker|blackjack|watches|valium|tramadol|carisoprodol|mortage|Anatrim|FINANZINVESTOREN)"
    SecFilterSelective HTTP_REFERER "(viagra|pharmacy|phentermine|symbol|mortgage|pills|prozac|xanax|loan|loans|roulette|casino|poker|blackjack|watches|valium|tramadol|carisoprodol|mortage|Anatrim|FINANZINVESTOREN)"
    SecFilterSelective POST_PAYLOAD "(viagra|pharmacy|phentermine|symbol|mortgage|pills|prozac|xanax|loan|loans|roulette|casino|poker|blackjack|watches|valium|tramadol|carisoprodol|mortage|Anatrim|FINANZINVESTOREN)"
    SecFilterSelective HTTP_REFERER|ARGS "(natural|penis|male).*(enlarg.*|enhanc.*)"


    If anyone has more words or spam that they receive frequently, please post them here to help others.
    We could make a list and I can update the post with them.

    Thank you.

    BsAs Ninja
     
    #1 bsasninja, Apr 30, 2007
    Last edited: Apr 30, 2007
  2. freedman

    let's hope none of your hosting clients are running a financial forum.. they'll be disappointed.

    I think being aggressive about spam is a great thing, but there's such a thing as too much.
    ideally, you should be watching for multiple similar posts and then multiple repeated posts from the same IPs...

    encouraging people to use forum software which has anti-spam features will be a much better solution.

    I tend to recommend phorum ( www.phorum.org ),
    there are also akismet plugins for wordpress, etc...

    this way, if someone does have a forum wherein people would legitimately discuss the things you're blocking, they won't have issues.
     
  3. bsasninja

    Anyway, I don't have clients running gambling, drugs, or sex sites (because I don't accept them),
    and if that was the case I would just disable the rules for that specific domain.

    Here is a link with some handy rules to stop these types of referrer spam: http://www.ilovejackdaniels.com/apache/block-referrer-spam/
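
The false-positive concern raised in the second post can be measured before deploying the keyword list from the first post. The following is an added example, not part of the thread: it runs the posted alternation over constructed form submissions, assuming case-insensitive, unanchored matching, and compares it with a whole-word variant (the variant, the function name and the sample messages are assumptions made for illustration).

```python
import re

# Keyword alternation copied from the SecFilter rules posted in the thread.
WORDS = ("viagra|pharmacy|phentermine|symbol|mortgage|pills|prozac|xanax|loan|"
         "loans|roulette|casino|poker|blackjack|watches|valium|tramadol|"
         "carisoprodol|mortage|Anatrim|FINANZINVESTOREN")

# Assumption: the filter matches case-insensitively anywhere in the payload.
AS_POSTED = re.compile("(" + WORDS + ")", re.IGNORECASE)
# Variant for comparison (not from the thread): same words, whole words only.
WHOLE_WORD = re.compile(r"\b(" + WORDS + r")\b", re.IGNORECASE)

# Constructed sample form submissions: (is_spam, message body).
SAMPLES = [
    (True,  "Cheap VIAGRA and xanax from our online pharmacy"),
    (True,  "Win big at our casino, free poker chips"),
    (False, "Please email Mr. Sloan about the invoice"),
    (False, "The copyright symbol renders wrong on your page"),
    (False, "Do you repair watches bought elsewhere?"),
    (False, "Our school needs a quote for 20 laptops"),
    (False, "I need help with my student loan paperwork"),
]

def evaluate(pattern):
    """Return (spam_blocked, legit_blocked); legit_blocked lists
    (message, matched_word) for non-spam samples the pattern would deny."""
    spam_blocked, legit_blocked = 0, []
    for is_spam, body in SAMPLES:
        m = pattern.search(body)
        if not m:
            continue
        if is_spam:
            spam_blocked += 1
        else:
            legit_blocked.append((body, m.group(1)))
    return spam_blocked, legit_blocked

if __name__ == "__main__":
    for name, pat in (("as posted", AS_POSTED), ("whole word", WHOLE_WORD)):
        spam, legit = evaluate(pat)
        print(f"{name}: {spam} spam blocked, {len(legit)} legitimate blocked")
        for body, word in legit:
            print(f"    {word!r} matched in: {body}")
```

Whole-word matching removes only the substring hits (such as "loan" inside a surname); ordinary uses of "symbol", "watches" and "loan" are still denied, so the word list itself has to be reviewed against real traffic for each site.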
     