Modsecurity ACL rules to stop spam

bsasninja

Sep 2, 2004
I was receiving a lot of bounces at the Exim queue caused by spam posted in contact forms. So I set up this rule at /etc/httpd/conf/modsec.user.conf (also works for posts made in guestbooks or forums)

All posts containing the specified words will be refused with a 406 error.

In this case we block words such as viagra, pharmacy, mortgage, loan, Anatrim, casino, etc.

SecFilter "(viagra|pharmacy|phentermine|symbol|mortgage|pills|prozac|xanax|loan|loans|roulette|casino|poker|blackjack|watches|valium|tramadol|carisoprodol|mortage|Anatrim|FINANZINVESTOREN)"
SecFilterSelective HTTP_REFERER "(viagra|pharmacy|phentermine|symbol|mortgage|pills|prozac|xanax|loan|loans|roulette|casino|poker|blackjack|watches|valium|tramadol|carisoprodol|mortage|Anatrim|FINANZINVESTOREN)"
SecFilterSelective POST_PAYLOAD "(viagra|pharmacy|phentermine|symbol|mortgage|pills|prozac|xanax|loan|loans|roulette|casino|poker|blackjack|watches|valium|tramadol|carisoprodol|mortage|Anatrim|FINANZINVESTOREN)"
SecFilterSelective HTTP_REFERER|ARGS "(natural|penis|male).*(enlarg.*|enhanc.*)"


If anyone has more words or spam that are received frequently, please post them here to help others.
We could make a list and I can update the post with them.

Thank you.

BsAs Ninja
 

freedman

Feb 13, 2005
I was receiving a lot of bounces at the Exim queue caused by spam posted in contact forms. So I set up this rule at /etc/httpd/conf/modsec.user.conf (also works for posts made in guestbooks or forums)

All posts containing the specified words will be refused with a 406 error.

In this case we block words such as viagra, pharmacy, mortgage, loan, Anatrim, casino, etc.
...
Let's hope none of your hosting clients are running a financial forum... they'll be disappointed.

I think being aggressive about spam is a great thing, but there's such a thing as too much.
Ideally, you should be watching for multiple similar posts and then multiple repeated posts from the same IPs...

Encouraging people to use forum software which has anti-spam features will be a much better solution.

I tend to recommend Phorum ( www.phorum.org ),
there are also Akismet plugins for WordPress, etc...

This way, if someone does have a forum wherein people would legitimately discuss the things you're blocking, they won't have issues.
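
Added example, not part of either post: a Python check that runs the word list from the first post over constructed form submissions to show which ones the keyword rule would refuse, next to the repeated-post-per-IP check suggested in the reply. The sample posts, the IPs, the `min_repeats` threshold and case-insensitive matching are assumptions.

```python
import re
from collections import Counter

# Word list copied from the SecFilter rule in the first post. Case-insensitive
# matching is an assumption about how the filter is configured.
SPAM_WORDS = re.compile(
    r"(viagra|pharmacy|phentermine|symbol|mortgage|pills|prozac|xanax|loan|"
    r"loans|roulette|casino|poker|blackjack|watches|valium|tramadol|"
    r"carisoprodol|mortage|Anatrim|FINANZINVESTOREN)",
    re.IGNORECASE,
)

def keyword_hits(body):
    """Words from the list found anywhere in the body (substring match)."""
    return SPAM_WORDS.findall(body)

def repeat_offenders(posts, min_repeats=3):
    """IPs that submitted the same normalized body at least min_repeats times."""
    counts = Counter(
        (ip, " ".join(body.lower().split())) for ip, body in posts
    )
    return sorted({ip for (ip, _), n in counts.items() if n >= min_repeats})

# Constructed sample submissions (documentation-range IPs, invented text).
POSTS = [
    ("192.0.2.10", "Can I refinance my mortgage before the loan term ends?"),
    ("192.0.2.11", "The currency symbol is missing on the invoice page."),
    ("198.51.100.7", "Great site!! Visit http://example.invalid/offer now"),
    ("198.51.100.7", "great site!!  visit http://example.invalid/offer now"),
    ("198.51.100.7", "Great site!! visit  http://example.invalid/offer NOW"),
]

def compare(posts):
    """Return (indexes the keyword rule would refuse, IPs flagged for repeats)."""
    refused = [i for i, (_, body) in enumerate(posts) if keyword_hits(body)]
    return refused, repeat_offenders(posts)

if __name__ == "__main__":
    refused, repeaters = compare(POSTS)
    for i in refused:
        print("keyword rule refuses:", POSTS[i][1], keyword_hits(POSTS[i][1]))
    print("repeat posters:", repeaters)
```

Running a sample of a site's real, legitimate submissions through `keyword_hits` before enabling the rule shows how many customers' posts would get the 406.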