Probably this comes from the fact that Apache does not use them (see MULTIPART_CHARS in
I've been testing ModSec with a webmail system (Zimbra) and found that the rules to validate a multipart boundary are too strict.
The function multipart_boundary_characters_valid() (apache2/msc_multipart.c) excludes the following characters that are legal indeed:
( ) , : / ? =