Since this pertains to the OWASP ModSecurity CRS, I am cc'ing that list as well. In the future, please sign-up for and send OWASP CRS question to that list.
That malware.data file is old and should be removed. At one point, we were testing some outbound rules to detect known malicious URLs that were captured by Snort/VRT team and were listed on their
labs site here - http://labs.snort.org/iplists/
We discontinued it as the lists would need to be updated daily so they wouldn't be stale and SourceFire has stopped posting these files.
In OWASP_CRS/2.7.7, cannot find any .conf file referencing modsecurity_50_outbound_malware.data
I would like to know the rationale behind the scene, and how this file should be used to be useful.
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information
contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.