OWASP rule set blocking smtp

Hi, we enabled OWASP ModSecurity Core Rule Set V3.0 yesterday and got people contacting support today saying they could not send email.

To get email working again we had to disable rule 949 below:

*******

REQUEST-949-BLOCKING-EVALUATION
The rules in this configuration file blocks traffic that various other configuration files request.

********

However, on Cpanels knowledgebase it states:

*********
Warning:
Other rules in the rule set depend on this configuration file to block incoming attacks. If you disable this configuration file, other rules will detect, but not block, incoming attacks.

*********

While testing in roundcube webmail we got the following when sending email:

Request:
POST /?_task=mail&_unlock=loading1529274082968&_lang=en&_framed=1
Action Description:
Access denied with code 403 (phase 2).
Justification:
Operator GE matched 5 at TX:anomaly_score.

Disabling rule 949 solved smtp from desktop/mobile clients aswell as webmail. However, as the above warning states, other rules will no longer work. I tried disabling the other rules one by one but 949 is the only one which would resolve the issue.

Anyone else has this? Any solution?

 

I think I missed this last reply from Lauren.
The ip reputation of our servers is 100% and senderscore 100. Not sure why it would block it, but saying that, do you think disabling rule 910 and enabling 949 would work.
I only realised tonight, none of the rules work with 949 off as it only generates a warning but does not block any attacks.

 

Apologies, for some reason this thread didn't tell me I had another reply after Lauren

 

@fuzzylogic thanks for your message, really appreciate you coming on here and helping.

Below is the info you wanted from the logs.

You are right, disabling 910 does not solve the issue. Some things to note: We have a branded version of roundcube installed on it's own account which all servers having access to the same webmail (outside of cpanel).

With all OWASP rules enabled accounts on the same server as the roundcube install can login and email, no issues. However, accounts from other servers can log in fine (using imap) but cannot send email. The rules below trigger.

Code:

--3d3f5278-H--
Message: Warning. Pattern match "(?i)<[^\\w<>]*(?:[^<>\"'\\s]*:)?[^\\w<>]*(?:\\W*?s\\W*?c\\W*?r\\W*?i\\W*?p\\W*?t|\\W*?f\\W*?o\\W*?r\\W*?m|\\W*?s\\W*?t\\W*?y\\W*?l\\W*?e|\\W*?s\\W*?v\\W*?g|\\W*?m\\W*?a\\W*?r\\W*?q\\W*?u\\W*?e\\W*?e|(?:\\W*?l\\W*?i\\W*?n\\W*?k|\\W*?o\\W*?b\\W*?j\\W*?e\ ..." at ARGS:_message. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "74"] [id "941160"] [rev "2"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <p>test</p>\x0d\x0a<div id=\x22_rc_sig\x22>-- <br />\x0d\x0a<p><strong>...........**removed email content / signature data**...............\x22>"] [severi

Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): NoScript XSS InjectionChecker: HTML Injection"] [tag "event-correlation"]

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client *********] ModSecurity: Warning. Pattern match "(?i)<[^\\\\\\\\w<>]*(?:[^<>\\\\"'\\\\\\\\s]*:)?[^\\\\\\\\w<>]*(?:\\\\\\\\W*?s\\\\\\\\W*?c\\\\\\\\W*?r\\\\\\\\W*?i\\\\\\\\W*?p\\\\\\\\W*?t|\\\\\\\\W*?f\\\\\\\\W*?o\\\\\\\\W*?r\\\\\\\\W*?m|\\\\\\\\W*?s\\\\\\\\W*?t\\\\\\\\W*?y\\\\\\\\W*?l\\\\\\\\W*?e|\\\\\\\\W*?s\\\\\\\\W*?v\\\\\\\\W*?g|\\\\\\\\W*?m\\\\\\\\W*?a\\\\\\\\W*?r\\\\\\\\W*?q\\\\\\\\W*?u\\\\\\\\W*?e\\\\\\\\W*?e|(?:\\\\\\\\W*?l\\\\\\\\W*?i\\\\\\\\W*?n\\\\\\\\W*?k|\\\\\\\\W*?o\\\\\\\\W*?b\\\\\\\\W*?j\\\\\\\\W*?e\\\\ ..." at ARGS:_message. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "74"] [id "941160"] [rev "2"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <p>test</p>\\\\x0d\\\\x0a<div id=\\\\x22_rc_sig\\\\x22>-- <br />\\\\x0d\\\\x0a<p>..............**removed email content / signature data**.................\\\\x0d\\\\x0a<div id=\\\\x22_rc_sig\\\\x22>-- <br />\\\\x0d\\\\x0a<p><strong>..............**removed email content / signature data**.................\\\x22>..."] [severi [hostname "********"] [uri "/"] [unique_id "W5B-mQVRPrzYOSWj4e0IvAAAAAE"]

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client **********] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "******"] [uri "/"] [unique_id "W5B-mQVRPrzYOSWj4e0IvAAAAAE"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client *********] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): NoScript XSS InjectionChecker: HTML Injection"] [tag "event-correlation"] [hostname "**********"] [uri "/"] [unique_id "W5B-mQVRPrzYOSWj4e0IvAAAAAE"]
Action: Intercepted (phase 2)
Stopwatch: 1536196505976125 18069 (- - -)
Stopwatch2: 1536196505976125 18069; combined=4945, p1=670, p2=4153, p3=0, p4=0, p5=122, sr=122, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (ModSecurity: Open Source Web Application Firewall OWASP_CRS/3.0.2.
Server: Apache
Engine-Mode: "ENABLED"

 

I have enabled al the rules on all servers apart from the one hosting the webmail account.
My testing shows that all accounts can send mail ok.

However if I enable the rule on the actual server webmail is hosted on, it blocks any remote users sending, so I guess this may just be a simple one to solve, it just looks like its triggering a rule.

I'm not sure why some users said SMTP was not working before, I'll see if I get any further reports relating to that.
The main task is to get OWASP fully active to help with wordpress attacks.

 

ok further info.... I'm wrong in saying that email works on the same server as webmail. I've narrowed it down, it's actullay because the test account I was using had no email signature with html.

It's the HTML email signature triggering the rule. (InjectionChecker: HTML Injection)

Is there any way of whitelisting webmail or bypassing this, I'll check if it happens with the cpanel built in webmail/roundcube

 

Yes, the built in roundcube seems to bypass the issue, hence because it's only for each individual account. For some reason as we host webmail independently on its own domain, the rule is trigger as if it was an online form I guess.

 

Wow, greatcreply, thanks for you time! I’ll check those logs again later for the bit you want and come back here with it, thanks again

 

apologies, first time I've really looked at those logs, so many lines and I missed A-E
Hopefully I removed all identifiable info.

We had to disable rule 949 again a short while ago due to complaints from Wordpress users. They were also being blocked by what appears to be the same rule, HTML/Injection. This was on a website which had html in the wordpress editor which could be any of them depending how the site is developed.

Is OWASPv3 widely used or does everyone have to customise it? Seems like it could be promising once set up, but I'm only leaving it activated on one server to avoid support emails for now. (Customers forget we are adding free extra security to their insecure websites!)

Appreciate your help.

Code:

--3d3f5278-A--
[06/Sep/2018:02:15:05 +0100] W5B-mQVRPrzYOSWj4e0IvAAAAAE xxxxxxxx 49654 xxxxxxxxx 443
--3d3f5278-B--
POST /?_task=mail&_unlock=loading1536196495058&_lang=en&_framed=1 HTTP/2.0
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Origin: https://xxxxxxxx
Content-Length: 729
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15
Referer: https://xxxxxxxxx/?_task=mail&_action=compose&_id=10187537285b907ec7dfe6e
Dnt: 1
Cookie: language=en; roundcube_sessauth=SduTgGMiVuuGBt5mqldB6MZ4qS-1536194700; roundcube_sessid=pqnhq1k5odhksf6lh4p104flq6
Host: xxxxxxxxxx

--3d3f5278-C--
_token=4GW3Hf1QdLBxNkV2VhUxQPohHdVPyfqx&_task=mail&_action=send&_id=10187537285b907ec7dfe6e&_attachments=&_from=495&_to=xxxxxx%40xxxxx.com&_cc=&_bcc=&_replyto=&_followupto=&_subject=test&editorSelector=html&_priority=0&_store_target=INBOX.Sent&_draft_saveid=&_draft=&_is_html=1&_framed=1&_message=%3Cp%3Etest%3C%2Fp%3E%0D%0A%3Cdiv+id%3D%22_rc_sig%22%3E--+%3Cbr+%2F%3E%0D%0A%3Cp%3E%3Cstrong%3Exxxxx+xxxxx%3Cbr+%2F%3E%3C%2Fstrong%3Exxxx+xxxxxx%3Cbr+%2F%3E%3Cspan%3E01530+242+706%3C%2Fspan%3E%3Cbr+%2F%3E07584+568+937%3Cbr+%2F%3E%3Ca+href%3D%22http%3A%2F%2Fwww.xxxxxx.co.uk%22%3Ewww.xxxxxxx.co.uk%3C%2Fa%3E%3C%2Fp%3E%0D%0A%3Cp%3E%3Cimg+src%3D%22http%3A%2F%2Fwww.xxxxxx.co.uk%2Fxx-xxxxxx.jpg%22+%2F%3E%3C%2Fp%3E%0D%0A%3C%2Fdiv%3E
--3d3f5278-F--
HTTP/1.1 403 Forbidden
Content-Length: 328
Content-Type: text/html; charset=iso-8859-1

--3d3f5278-E--

 

Great stuff, many thanks for looking at this.

Will this rule also work with the Wordpress issues mentioned? These were due to the same 949 rule.
I had to disable on a magento server too due to the same.

Seems to be mostly editors with any html so hopefully so.
cheers

 

Great stuff, many thanks for looking at this.

Will this rule also work with the Wordpress issues mentioned? These were due to the same 949 rule.
I had to disable on a magento server too due to the same.

Seems to be mostly editors with any html so hopefully so.
cheers