Re: [mod-security-users] Blocking
From: Terry D. <tdo...@na...> - 2005-11-29 11:23:50
Gerwin Krist -|- Digitalus Webhosting wrote:
> Heya,
>
> Don't know if you guys see trends, but we see a huge trend of spammers abusing
> email forms for sending spam. Is there a way of blocking these, by blocking
> POST requests with email addys in it? Any help would be appreciated!

I've seen a few of these attempted on a mail form I've written myself. The form script is a simple PHP mailer that's only there to save us publishing an email address on site.

The usual tactic seems to be to fill in any text input fields with <short random string> @ ourdomain.com, then filling the text area field in with an attempt at RFC 2822 headers and the spam message. The hope is that the mailer will simply send the stream as two messages.

I've got some preg_match() lines in the PHP for blocking these. They generally revolve around picking out message headers from the assembled body, and sanitising any email address in the fields not marked 'email address'. (I don't block these as legitimate users can put their email address in the strangest of places)

It's usually a good idea to do this kind of checking in the script, though, as you'll find it easier to report errors to the user with some context without having to use custom rejection rules and ErrorDocuments.

That said, to pick the spam out at the mod_security stage, you might want to scan specific ARGS_n values or just all of ARGS_VALUES for the basic headers like "\s*To:", "\s*From:", "\s*Cc:" and "\s*Bcc:". The \s* will match any possible leading whitespace as this can form part of a valid header. You could do this match at the start of a line ("\n\s*To:" for example) if you want to reduce the potential for false positives.

Far more crudely, you could just block anything with ':' or '@' anywhere in ARGS_VALUES.

Terry.
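
The header checks described in the message above, as an added example that is not part of the original post and not the poster's script: it runs the unanchored pattern and the start-of-line pattern over two form submissions to show where the first one produces a false positive, and returns per-field messages the form can show to the user. The field names, sample values and function names are constructed for illustration, and the strict pattern also treats the start of the value as the start of a line, which goes slightly beyond the "\n\s*To:" form in the message.

```php
<?php
// Added example. Field names, function names and sample values are constructed.

// Header names the message suggests scanning for.
const HEADER_LOOSE  = '/\s*(To|From|Cc|Bcc):/i';            // anywhere in the value
const HEADER_STRICT = '/(^|[\r\n])\s*(To|From|Cc|Bcc):/i';  // only at the start of a line

// Return the names of the fields whose value matches $pattern.
function fields_matching(array $fields, string $pattern): array
{
    $hits = [];
    foreach ($fields as $name => $value) {
        if (preg_match($pattern, $value) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Build per-field error messages so the form can be redisplayed with context,
// which is the advantage of checking in the script rather than at the web server.
function validate_form(array $fields): array
{
    $errors = [];
    foreach (fields_matching($fields, HEADER_STRICT) as $name) {
        $errors[$name] = "The '$name' field may not contain lines that look like mail headers.";
    }
    return $errors;
}

// Constructed submissions: one legitimate, one following the tactic in the message.
$legit = [
    'name'    => 'A. Customer',
    'email'   => 'customer@example.org',
    'message' => 'Please pass this on. From: the invoice I can see two charges.',
];
$spam = [
    'name'    => 'qzxv@example.com',
    'email'   => 'qzxv@example.com',
    'message' => "hello\nTo: list@example.net\nBcc: other@example.net\n\nspam body",
];

foreach (['legit' => $legit, 'spam' => $spam] as $label => $form) {
    printf("%s: loose=[%s] strict=[%s] errors=%d\n", $label,
        implode(',', fields_matching($form, HEADER_LOOSE)),
        implode(',', fields_matching($form, HEADER_STRICT)),
        count(validate_form($form)));
}
```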