On Sun, Sep 26, 2010 at 4:47 AM, Michael Warchut <mwarchut@comcast.net> wrote:
I have a website that has a contact page on it that can reach out 20k or so members individually.  Lately spammers have been posting to that page to each member individually.  It is always the same message to each of them.  Is there an easy way to block this restricting it to the know posting URL and by scanning the posting for a know value that shows up every time. Like an email address per se.

Hi Michael,

Say for example the email address was attacker@example.com, something like the following rule should work:

SecRule ARGS "attacker@example.com" phase:2,t:none,t:lowercase,t:compressWhitespace,deny
 
You could further tighten this up to only look in the appropriate parameter name as well.

--
 - Josh