The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Modsecurity ACL rules to stop spam

Discussion in 'Security' started by bsasninja, Apr 30, 2007.

  1. bsasninja

    bsasninja Well-Known Member

    Joined:
    Sep 2, 2004
    Messages:
    528
    Likes Received:
    0
    Trophy Points:
    166
    I was receiving a lot bounces at the Exim queue caused by spam posted in contact forms. So I setup this rule at /etc/httpd/conf/modsec.user.conf (also works for post made in guestbooks or forums)

    All post containing the specified words will be refused with a 406 error.

    In this case we block viagra, pharmacy, mortgage, loan, Anatrim, casino, etc words.

    SecFilter "(viagra|pharmacy|phentermine|symbol|mortgage|pills|prozac|xanax|loan|
    loans|roulette|casino|poker|blackjack|watches|valium|tramadol|carisoprodol|morta
    ge|Anatrim|FINANZINVESTOREN)"
    SecFilterSelective HTTP_REFERER "(viagra|pharmacy|phentermine|symbol|mortgage|pi
    lls|prozac|xanax|loan|loans|roulette|casino|poker|blackjack|watches|valium|trama
    dol|carisoprodol|mortage|Anatrim|FINANZINVESTOREN)"
    SecFilterSelective POST_PAYLOAD "(viagra|pharmacy|phentermine|symbol|mortgage|pi
    lls|prozac|xanax|loan|loans|roulette|casino|poker|blackjack|watches|valium|trama
    dol|carisoprodol|mortage|Anatrim|FINANZINVESTOREN)"
    SecFilterSelective HTTP_REFERER|ARGS "(natural|penis|male).*(enlarg.*|enhanc.*)"

    If anyone has more words or spam that are received frequently please post it here to help others.
    We could make a list and I can update the post with them.

    Thank you.

    BsAs Ninja
     
    #1 bsasninja, Apr 30, 2007
    Last edited: Apr 30, 2007
  2. freedman

    freedman Well-Known Member

    Joined:
    Feb 13, 2005
    Messages:
    312
    Likes Received:
    1
    Trophy Points:
    168
    lets hope none of your hosting clients are running a financial forum.. they'll be disappointed.

    I think being aggressive about spam is a great thing, but there's such a thing as too much.
    ideally, you should be watching for multiple similar posts and then multiple repeated posts from the same IP's...

    encouraging people to use forum software which has anti-spam features will be a much better solution.

    I tend to recommend phorum ( www.phorum.org ),
    there are also akismet plugins for wordpress, etc...

    this way, if someone does have a forum wherein people would legitimately discuss the things you're blocking, they wont have issues.
     
    #2 freedman, Apr 30, 2007
  3. bsasninja

    bsasninja Well-Known Member

    Joined:
    Sep 2, 2004
    Messages:
    528
    Likes Received:
    0
    Trophy Points:
    166
    Anyways I dont have clients running gambling, drugs, sex sites (cause i dont accept them)
    and if that was the case I just disable the rules for that specific domain.

    Here is a link with some handy rules to stop this types of referrer spam http://www.ilovejackdaniels.com/apache/block-referrer-spam/
     
    #3 bsasninja, Apr 30, 2007
(You must log in or sign up to post here.)
Loading...
Similar Threads - Modsecurity rules stop
  1. zoner

    SecRemoteRules - ModSecurity Vendor

    zoner, Jul 19, 2017 at 12:34 PM, in forum: Security
    Replies:
    1
    Views:
    28
    Infopro
    Jul 19, 2017 at 1:14 PM
  2. rinkleton

    ModSecurity - Edit Custom Rules

    rinkleton, May 2, 2017, in forum: Security
    Replies:
    11
    Views:
    363
    rarod
    May 5, 2017
  3. oSM

    OWASP ModSecurity v3 - Best Rulesets to use?

    oSM, Dec 26, 2016, in forum: Security
    Replies:
    2
    Views:
    636
    jfall123
    Dec 27, 2016
  4. postcd

    Several ModSecurity rules, what do You think about these?

    postcd, Apr 12, 2016, in forum: Security
    Replies:
    3
    Views:
    710
    quizknows
    Aug 24, 2016
  5. jazee

    ModSecurity Rules Backup

    jazee, Mar 1, 2016, in forum: Data Protection
    Replies:
    1
    Views:
    417
    Infopro
    Mar 1, 2016

Share This Page