# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.0.5 # Copyright (C) 2006-2010 Breach Security Inc. All rights reserved. # # The ModSecurity Core Rule Set is distributed under GPL version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # Comment spam is an attack against blogs, guestbooks, wikis and other types of # interactive web sites that accept and display hyperlinks submitted by # visitors. The spammers automatically post specially crafted random comments # which include links that point to the spammer's web site. The links # artificially increas the site's search engine ranking and may make the site # more noticable in search results. # SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" "phase:1,t:none,pass,nolog,skipAfter:END_RBL_LOOKUP" SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" "phase:1,t:none,pass,nolog,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},setvar:ip.spammer=1,expirevar:ip.spammer=86400,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400,skipAfter:END_RBL_CHECK" SecAction "phase:1.t:none,nolog,pass,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400" SecMarker END_RBL_LOOKUP SecRule IP:SPAMMER "@eq 1" "phase:1,t:none,pass,nolog,auditlog,msg:'Request from Known SPAM Source (Previous RBL Match)',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}" SecMarker END_RBL_CHECK SecRule REQUEST_HEADERS:User-Agent "@pmFromFil modsecurity_42_comment_spam.data" \ "phase:2,rev:'2.0.5',t:none,t:lowercase,pass,nolog,auditlog,status:404,msg:'Common SPAM/Email Harvester crawler',id:'958297',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}'" # Prequalifier. Look for <http> first SecRule ARGS|ARGS_NAMES "\bhttp:" "phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,skip:1,pass,nolog,id:'999010',severity:'6'" SecAction phase:2,rev:'2.0.5',pass,nolog,skipAfter:END_COMMENT_SPAM # Look for 2 ways of posting a link SecRule ARGS|ARGS_NAMES "\[url\b" "phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,chain,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Comment Spam',id:'950923',severity:'2'" SecRule ARGS|ARGS_NAMES "\<a" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{tx.0}'" # Look for too many links in an argument (Prone to FPs) SecRule ARGS|ARGS_NAMES "(http:\/.*?){4}" "phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Comment Spam',id:'950020',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}'" SecMarker END_COMMENT_SPAM