Modsecurity ACL rules to stop spam

B

bsasninja

Well-Known Member
Sep 2, 2004
527
0
166
I was receiving a lot bounces at the Exim queue caused by spam posted in contact forms. So I setup this rule at /etc/httpd/conf/modsec.user.conf (also works for post made in guestbooks or forums)

All post containing the specified words will be refused with a 406 error.

In this case we block viagra, pharmacy, mortgage, loan, Anatrim, casino, etc words.

SecFilter "(viagra|pharmacy|phentermine|symbol|mortgage|pills|prozac|xanax|loan|
loans|roulette|casino|poker|blackjack|watches|valium|tramadol|carisoprodol|morta
ge|Anatrim|FINANZINVESTOREN)"
SecFilterSelective HTTP_REFERER "(viagra|pharmacy|phentermine|symbol|mortgage|pi
lls|prozac|xanax|loan|loans|roulette|casino|poker|blackjack|watches|valium|trama
dol|carisoprodol|mortage|Anatrim|FINANZINVESTOREN)"
SecFilterSelective POST_PAYLOAD "(viagra|pharmacy|phentermine|symbol|mortgage|pi
lls|prozac|xanax|loan|loans|roulette|casino|poker|blackjack|watches|valium|trama
dol|carisoprodol|mortage|Anatrim|FINANZINVESTOREN)"
SecFilterSelective HTTP_REFERER|ARGS "(natural|penis|male).*(enlarg.*|enhanc.*)"

If anyone has more words or spam that are received frequently please post it here to help others.
We could make a list and I can update the post with them.

Thank you.

BsAs Ninja
 
Last edited:
F

freedman

Well-Known Member
Feb 13, 2005
314
5
168
bsasninja said:
I was receiving a lot bounces at the Exim queue caused by spam posted in contact forms. So I setup this rule at /etc/httpd/conf/modsec.user.conf (also works for post made in guestbooks or forums)

All post containing the specified words will be refused with a 406 error.

In this case we block viagra, pharmacy, mortgage, loan, Anatrim, casino, etc words.
...
Click to expand...
lets hope none of your hosting clients are running a financial forum.. they'll be disappointed.

I think being aggressive about spam is a great thing, but there's such a thing as too much.
ideally, you should be watching for multiple similar posts and then multiple repeated posts from the same IP's...

encouraging people to use forum software which has anti-spam features will be a much better solution.

I tend to recommend phorum ( www.phorum.org ),
there are also akismet plugins for wordpress, etc...

this way, if someone does have a forum wherein people would legitimately discuss the things you're blocking, they wont have issues.
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
M Disable ModSecurity on default vhost Security 3
H How can i Whitelist an IP address in ModSecurity on CentOS 7? Security 3
N ModSecurity update causing 403 Forbidden for PUT requests to server, requires editing tx.allowed_methods Security 7
N SOLVED ModSecurity cPanel False Info on version 92.0.4? Security 3
S SOLVED ModSecurity: IP whitelisting doesn't work Security 10
Similar threads
Disable ModSecurity on default vhost
How can i Whitelist an IP address in ModSecurity on CentOS 7?
ModSecurity update causing 403 Forbidden for PUT requests to server, requires editing tx.allowed_methods
SOLVED ModSecurity cPanel False Info on version 92.0.4?
SOLVED ModSecurity: IP whitelisting doesn't work
Top Bottom