Tomas - Welcome to my world :)  I have been using Apache/Mod_Security as a reverse proxy for Microsoft's Outlook Web Access and have run into this same issue.  When you are dealing with webmail apps, it gets infinitely more difficult to fine tune your filters.  This is due in most part to the concept of mixing HTTP and SMTP.  We just have no way to forecast "expected behavior" for what people will write in the body of their emails.
With that being said, you can try some of the following -
1) Turn off PostPayload scanning.
This would certainly stop these errors, but then you would also not be monitoring a key area that attackers target.
2) Use SecFilterSelective instead of SecFilter
SecFilter is too broad.  SecFilterSelective will allow you to focus your search on specific request locations.  The best locations to look for attacks (excluding the post payload) are THE_REQUEST, QUERY_STRING or choose some specific headers such as COOKIE_VALUES.  So, an updated filter would look like this -
SecFilterSelective "THE_REQUEST|COOKIE_VALUES" "/bin/chmod"
Hope this helps.
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
Author: Preventing Web Attacks with Apache

On 10/28/05, Tomas Hidalgo Salvador <> wrote:



I am tuning mod_security 1.8.7 in Red Hat 3.0 Upgrade 5 (2.4.21-32.ELsmp) + apache 2.0.54 + webmail (uebimiau)


From my own webmail, when sending a message, if a string that is in the configuration file appears in the body of the message, the message is rejected. For example:


In file mod_security.conf:


SecFilterDefaultAction "deny,log,status:403"

. . . . .

. . . . .

Secfilter /bin/chmod


In the body of mail message

"this is a example for the string /bin/chmod"


This generates following log.




Request: - - [28/Oct/2005:10:48:06 +0200] "POST /webmail/newmsg.php HTTP/1.0" 403 220
Handler: php-script

POST /webmail/newmsg.php HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/, application/, application/msword, */*
Accept-Language: es
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Content-Length: 363
Cache-Control: no-cache
Cookie: {4361E2260EA50-4361E2261386F-1130488358}=%7B4361E2260EA50-4361E2261386F-1130488358%7D
mod_security-message: Access denied with code 403. Pattern match "/bin/chmod" at POST_PAYLOAD
mod_security-action: 403

HTTP/1.0 403 Forbidden
Content-Length: 220
Connection: close
Content-Type: text/html; charset=iso-8859-1




1) Is it possible to make mod_security not verify the body of the message?

2) Is it coherent to use mod_security with a webmail? I have not found any positive or negative reference


Many thanks for your help.




Tomás Hidalgo Salvador

Dpto. Sistemas Unix

DSF Almariya

Almeria – Andalucia - Spain
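
Added example (not part of the original thread and not mod_security's own code): a simplified Python model of the two rule scopes discussed in the reply above, showing which constructed requests each scope matches, including what the selective scope no longer inspects. It assumes plain SecFilter looks at the request line plus the POST payload when POST scanning is on, and that values are URL-decoded before matching; the cookie name "sid" and the sample requests are constructed.

```python
import re
from urllib.parse import unquote_plus

# Scopes being compared (assumption: simplified model of mod_security 1.x).
BROAD = "THE_REQUEST|POST_PAYLOAD"        # SecFilter with POST scanning on
SELECTIVE = "THE_REQUEST|COOKIE_VALUES"   # scope used in the reply's rule


def locations(request_line, cookies, body):
    """Return the URL-decoded request parts a rule can inspect."""
    return {
        "THE_REQUEST": unquote_plus(request_line),
        "COOKIE_VALUES": "\n".join(unquote_plus(v) for v in cookies.values()),
        "POST_PAYLOAD": unquote_plus(body),
    }


def matches(pattern, scope, request):
    """True if pattern occurs in any location named in scope ('A|B')."""
    parts = locations(*request)
    return any(re.search(pattern, parts[name]) for name in scope.split("|"))


def verdicts(request, pattern="/bin/chmod"):
    """Compare both scopes for one request: True means 'would be denied'."""
    return {
        "broad": matches(pattern, BROAD, request),
        "selective": matches(pattern, SELECTIVE, request),
    }


# Constructed sample requests: (request line, cookies, POST body).
# 1. The webmail message from the thread: the string is only in the mail body.
WEBMAIL_POST = ("POST /webmail/newmsg.php HTTP/1.0", {"sid": "abc123"},
                "subject=test&body=this+is+a+example+for+the+string+%2Fbin%2Fchmod")
# 2. The same string carried in the URL, which both scopes inspect.
URL_REQUEST = ("GET /cgi-bin/test.cgi?cmd=%2Fbin%2Fchmod HTTP/1.0", {}, "")
# 3. The same string in another POST field: the selective scope cannot see it.
FORM_FIELD = ("POST /webmail/newmsg.php HTTP/1.0", {"sid": "abc123"},
              "to=a%40example.org&cc=%2Fbin%2Fchmod")

if __name__ == "__main__":
    for name, req in [("webmail body", WEBMAIL_POST),
                      ("url", URL_REQUEST),
                      ("other form field", FORM_FIELD)]:
        print(f"{name:18} {verdicts(req)}")
```

The third request is the trade-off: narrowing the scope removes the false positive on mail bodies, but nothing in any POST field is inspected by that rule any more.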