Re: [mod-security-users] Blocking
From: Gerwin K. -|- D. W. <ge...@di...> - 2005-11-30 11:21:15
Guys,

The things you proposed didn't work, but I found out it has to be
something like this?

    SecFilterSelective "POST_PAYLOAD" "\s*bcc:"

Please tell me that it is safe to use this :) Is this

Regards,
Gerwin

On Tuesday 29 November 2005 12:23, Terry Dooher wrote:
> Gerwin Krist -|- Digitalus Webhosting wrote:
> > Heya,
> >
> > Don't know if you guys see trends, but we see a huge trend of spammers
> > abusing email forms for sending spam. Is there a way of blocking these,
> > by blocking POST requests with email addys in it? Any help would be
> > appreciated!
>
> I've seen a few of these attempted on a mail form I've written myself. The
> form script is a simple PHP mailer that's only there to save us publishing
> an email address on site.
>
> The usual tactic seems to be to fill in any text input fields with <short
> random string> @ ourdomain.com, then filling the text area field in with an
> attempt at RFC 2822 headers and the spam message. The hope is that the
> mailer will simply send the stream as two messages.
>
> I've got some preg_match() lines in the PHP for blocking these. They
> generally revolve around picking out message headers from the assembled
> body, and sanitising any email address in the fields not marked 'email
> address'. (I don't block these as legitimate users can put their email
> address in the strangest of places)
>
> It's usually a good idea to do this kind of checking in the script, though,
> as you'll find it easier to report errors to the user with some context
> without having to use custom rejection rules and ErrorDocuments.
>
> That said, to pick the spam out at the mod_security stage, you might want
> to scan specific ARGS_n values or just all of ARGS_VALUES for the basic
> headers like "\s*To:", "\s*From:", "\s*Cc:" and "\s*Bcc:". The \s* will
> match any possible leading whitespace as this can form part of a valid
> header. You could do this match at the start of a line ("\n\s*To:" for
> example) if you want to reduce the potential for false positives.
>
> Far more crudely, you could just block anything with ':' or '@' anywhere in
> ARGS_VALUES.
>
> Terry.

-- 
With kind regards,

Gerwin Krist
Digitalus
First-class Internet Webhosting

(w) http://www.digitalus.nl
(e) gerwin at digitalus.nl
(p) PGP-ID: 79B325D4
(t) +31 (0) 598 630000
(f) +31 (0) 598 631860
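
Added example (not part of the original messages, and not code from either poster): a Python harness that runs the three matching strategies discussed in this thread over constructed form submissions, so their false positives and misses can be compared before a rule goes live. The field names, the sample values and the combined four-header pattern are assumptions, and Python's `re` stands in for the regex engine used by the web server.

```python
import re

# RFC 2822 header field names are case-insensitive, so match with re.I.
# Python's re stands in for the web server's regex engine (assumption).
STRATEGIES = {
    # Rule as posted: unanchored, so the leading \s* may match nothing and
    # the pattern is equivalent to "bcc:" anywhere in the value.
    "bare_bcc": re.compile(r"\s*bcc:", re.I),
    # Terry's start-of-line variant, widened to all four headers and to a
    # header at the very start of a value (the widening is an assumption).
    "line_anchored": re.compile(r"(?:^|[\r\n])\s*(?:to|from|cc|bcc):", re.I),
    # The crude option from the thread: any ':' or '@'.
    "colon_or_at": re.compile(r"[:@]"),
}

# Constructed form submissions (field -> value); not captured traffic.
SAMPLES = {
    "legit_plain": {"name": "Anna", "email": "anna@example.org",
                    "message": "Please call me back tomorrow."},
    "legit_colon": {"name": "Ben", "email": "ben@example.org",
                    "message": "Opening hours: are you open on Sunday?\n"
                               "Please reply to: my work address."},
    "legit_mentions_bcc": {"name": "Cara", "email": "cara@example.org",
                           "message": "Can you put me on bcc: for the newsletter?"},
    "injected_bcc": {"name": "qzxv@example.com", "email": "qzxv@example.com",
                     "message": "qzxv@example.com\nContent-Type: text/plain\n"
                                "bcc: a@example.net, b@example.net\n\noffer"},
    "injected_to_only": {"name": "Dan", "email": "dan@example.org",
                         "message": "hello\r\n To: someone@example.net\r\n"
                                    "Subject: offer"},
}


def flagged_fields(fields, skip=()):
    """Return {strategy: sorted names of fields whose value matches}."""
    return {
        name: sorted(f for f, v in fields.items()
                     if f not in skip and rx.search(v))
        for name, rx in STRATEGIES.items()
    }


if __name__ == "__main__":
    for label, fields in SAMPLES.items():
        # The address field is skipped because it always contains '@'.
        print(label, flagged_fields(fields, skip=("email",)))
```

On these samples the rule as posted flags a legitimate message that merely mentions "bcc:" and misses an injection that uses only "To:", while the line-anchored pattern gets both right.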