Re: [mod-security-users] Blocking
From: Terry D. <tdo...@na...> - 2005-11-29 16:45:53
Gerwin Krist -|- Digitalus Webhosting wrote:
> He Terry,
>
> I do know how to code safe code, it's just these damn customers you know :D So
> I think mod_security is the best way to do. Could you tell me what code to
> use in mod_security for checking posts with bcc: (case insensitive)

Understandable. Keeping one's own code safe is enough work without having to
maintain a number of customers' along with it.

Assuming you can't know any of your customers' code, then it's best to scan
ARGS_VALUES for any infringing text. The following rule should match 0 or more
whitespace characters followed by "bcc:" at the start of a line:

SecFilterSelective ARGS_VALUES "\n\s*[Bb][Cc][Cc]:"

I thought there was a way of ignoring case in signatures, but I can't seem to
find it, so I've covered all of the bases with single character matches.

As far as I know, the above will match the only valid way of presenting a bcc:
header. There may be some way of masking newlines that would fool this filter,
but still be a valid header. I'm not aware of one, however.

It should be fairly obvious how to tailor this to match To:, From: etc...

It's also worth creating an audit log of infringing requests, at least to
begin with.

Hope this helps,

Terry.

> Thanks in advance :)
>
>
> On Tuesday 29 November 2005 12:23, Terry Dooher wrote:
>
>>Gerwin Krist -|- Digitalus Webhosting wrote:
>>
>>>Heya,
>>>
>>>Don't know if you guys see trends, but we see a huge trend of spammers
>>>abusing email forms for sending spam. Is there a way of blocking these,
>>>by blocking POST requests with email addys in it? Any help would be
>>>appreciated!
>>
>>I've seen a few of these attempted on a mail form I've written myself. The
>>form script is a simple PHP mailer that's only there to save us publishing
>>an email address on site.
>>
>>The usual tactic seems to be to fill in any text input fields with <short
>>random string> @ ourdomain.com, then filling the text area field in with an
>>attempt at RFC 2822 headers and the spam message. The hope is that the
>>mailer will simply send the stream as two messages.
>>
>>I've got some preg_match() lines in the PHP for blocking these. They
>>generally revolve around picking out message headers from the assembled
>>body, and sanitising any email address in the fields not marked 'email
>>address'. (I don't block these as legitimate users can put their email
>>address in the strangest of places)
>>
>>It's usually a good idea to do this kind of checking in the script, though,
>>as you'll find it easier to report errors to the user with some context
>>without having to use custom rejection rules and ErrorDocuments.
>>
>>That said, to pick the spam out at the mod_security stage, you might want
>>to scan specific ARGS_n values or just all of ARGS_VALUES for the basic
>>headers like "\s*To:", "\s*From:", "\s*Cc:" and "\s*Bcc:". The \s* will
>>match any possible leading whitespace as this can form part of a valid
>>header. You could do this match at the start of a line ("\n\s*To:" for
>>example) if you want to reduce the potential for false positives.
>>
>>Far more crudely, you could just block anything with ':' or '@' anywhere in
>>ARGS_VALUES.
>>
>>Terry.
>>
>>_______________________________________________
>>mod-security-users mailing list
>>mod...@li...
>>https://lists.sourceforge.net/lists/listinfo/mod-security-users
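An added example, not part of the thread or of the mod_security project, that re-implements the check behind Terry's rule in Python so it can be tried against decoded form values offline. The field names, the two sample submissions and the alternation over To/From/Cc/Bcc are assumptions; re.IGNORECASE stands in for the [Bb][Cc][Cc] character classes, and treating the start of a value as a line start goes slightly beyond the original "\n"-anchored rule.

```python
import re
from urllib.parse import parse_qs

# Hypothetical Python equivalent of the SecFilterSelective ARGS_VALUES rule
# from the thread: a mail header name at the start of a line, after optional
# whitespace. re.IGNORECASE replaces the [Bb][Cc][Cc] classes, and the
# alternation covers the other headers Terry mentions. Also matching at the
# very start of the value is an addition beyond the original rule.
INJECTED_HEADER = re.compile(
    r"(?:^|\r?\n)[ \t]*(?P<name>to|from|cc|bcc):", re.IGNORECASE
)

def find_injected_headers(args_values):
    """Return (field, header) pairs for every decoded form value that
    contains a line beginning with an injected mail header."""
    hits = []
    for field, values in args_values.items():
        for value in values:
            for match in INJECTED_HEADER.finditer(value):
                hits.append((field, match.group("name").lower() + ":"))
    return hits

def scan_post_body(body):
    """Decode an application/x-www-form-urlencoded body (so %0A becomes a
    real newline, as the mailer script would see it) and scan every value."""
    return find_injected_headers(parse_qs(body, keep_blank_values=True))

def audit_line(remote_addr, hits):
    """One line per rejected request: the audit log Terry suggests keeping."""
    fields = ", ".join(f"{field}={header}" for field, header in hits)
    return f"REJECT {remote_addr} injected headers: {fields}"

# Constructed sample submissions, not captured traffic.
INJECTED = ("name=Alice&email=alice%40example.org"
            "&message=Hi%2C%0A%20%20bCc%3A%20victim%40example.net%0ASubject%3A%20buy")
CLEAN = "name=Bob&message=Call+me+at+10%3A30%2C+contact%3A+bob%40example.org"

if __name__ == "__main__":
    hits = scan_post_body(INJECTED)
    print(audit_line("203.0.113.5", hits))  # REJECT 203.0.113.5 injected headers: message=bcc:
    print(scan_post_body(CLEAN))            # [] (a bare ':' or '@' is not enough to block)
```

The clean sample shows why anchoring on a newline matters: a colon or an address inside an ordinary sentence is left alone, which is the false-positive case the thread is trying to avoid.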