Thread: [mod-security-users] Blocking referer spam

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hello,

I've been running mod_security for a while now to successfully block
referer spam, comment spam, and trackback spam from my blog. I'm
running on a shared server and thus am forced to use my .htaccess
file.  I've asked about including the mod_security rules in a rules
file, and my hosting provider will not allow that use. Thus, here's
the start of my mod_security configuration from the .htaccess in the
root directory of my website.

<IfModule mod_security.c>
    # Turn the filtering engine On or Off
    #SecFilterEngine DynamicOnly
    SecFilterEngine On

    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On

    # Unicode encoding check
    SecFilterCheckUnicodeEncoding Off

    # Only allow bytes from this range
    SecFilterForceByteRange 0 255

    # Only log suspicious requests
    SecAuditEngine RelevantOnly

    #sane defaults
    SecFilterCheckCookieFormat Off
    SecFilterCheckUnicodeEncoding Off

    # The name of the audit log file
    SecAuditLog /home/kmcgladr/security/audit.log

    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # By default log and deny suspicious requests
    # with HTTP status 403
    SecFilterDefaultAction "deny,log,status:403"

    # Only accept request encodings we know how to handle
    # we exclude GET requests from this because some (automated)
    # clients supply "text/html" as Content-Type
    SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
    #SecFilterSelective HTTP_Content-Type
"!(^application/x-www-form-urlencoded$|^multipart/form-data;)"

    # Require Content-Length to be provided with
    # every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"

    # Don't accept transfer encodings we know we don't handle
    # (and you don't need it anyway)
    SecFilterSelective HTTP_Transfer-Encoding "!^$"

   # RULES GO HERE

</IfModule>

Where it says "RULES GO HERE" there are a series of rules to block
spamvertised websites. My .htaccess is about 160k because of all the
rules. Last month, I added the following line:

    SecFilterSelective HTTP_Referer|ARGS "doobu.com"

This is intended to block referer spam from doobu.com. This has been
working for roughly a month. Beginning yesterday, I began seeing the
rat bastards from doobu.com start filling up my logfile again:

80.13.20.133 - - [05/Mar/2005:02:18:02 -0500] "GET
/kayne/archives/2004/07/20/dell_vs_the_usps HTTP/1.1" 200 15371
"http://www.doobu.com/mortgag
e-rate.html" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"
212.138.47.21 - - [05/Mar/2005:02:21:04 -0500] "GET
/kayne/archives/2003/08/01/mailing_dining_room_tables?action=results&poll_ident=11
HTTP/1.0"
 200 20236 "http://www.doobu.com/best-mortgage-rates.html"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon)"
148.244.150.57 - - [05/Mar/2005:02:21:15 -0500] "GET
/kayne/archives/2003/07/02/free_hot_tub HTTP/1.1" 200 16301
"http://www.doobu.com/home-equi
ty.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon)"
166.114.30.40 - - [05/Mar/2005:02:21:18 -0500] "GET
/kayne/archives/2003/01/26/two_towers_review_by_dave_barry?action=results&poll_ident=10
HTTP
/1.0" 200 14982 "http://www.doobu.com/mortgage-quote.html"
"Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1)"
81.80.153.241 - - [05/Mar/2005:02:21:19 -0500] "GET
/kayne/archives/2004/08/15/doorbelling_with_jeff_griffin HTTP/1.0" 200
14223 "http://www.doo
bu.com/personal-loan.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
NT 5.1; iOpus-I-M)"
212.138.47.17 - - [05/Mar/2005:02:22:29 -0500] "GET
/kayne/archives/2004/06/10/back_on_icq?action=results&poll_ident=10
HTTP/1.0" 200 15091 "htt
p://www.doobu.com/home-loans.html" "Mozilla/4.0 (compatible; MSIE 5.0;
Windows ME) Opera 5.11 [en]"
212.138.47.16 - - [05/Mar/2005:02:29:23 -0500] "GET
/kayne/archives/2003/01/25/spicy_chicken HTTP/1.0" 200 14756
"http://www.doobu.com/mortgage-
loans.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET
CLR 1.1.4322)"
212.199.249.206 - - [05/Mar/2005:02:30:58 -0500] "GET
/kayne/archives/2004/08/08/vacation_photos_now_online HTTP/1.1" 200
16348 "http://www.doob
u.com/mortgage-refinance.html" "Mozilla/4.0 (compatible; MSIE 5.0;
Windows ME) Opera 5.11 [en]"
212.47.27.194 - - [05/Mar/2005:02:32:07 -0500] "GET
/kayne/archives/2004/06/06/at_large_delegate HTTP/1.1" 200 18120
"http://www.doobu.com/home-
loan.html" "Mozilla/4.0 (compatible; MSIE 5.0; Mac_PowerPC; AtHome021)"

Just to focus on those examples, I don't have a .htaccess defined in
each of the directories referenced.

I do not understand how my configuration is now failing to block spam
from this one referer spammer.

Please advise on how to adjust my configuration to block this referer
spam.