# http://www.atomicorp.com/ # Atomicorp (Gotroot.com) ModSecurity rules # Anti Spam rules # # Created by the Prometheus Group (http://www.prometheus-group.com) # Copyright 2005,2006 and 2007 by the Prometheus Group, all rights reserved. # Redistribution is strictly prohibited in any form, including whole or in part. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF # THE POSSIBILITY OF SUCH DAMAGE. # #-------------------------------- # notes #-------------------------------- # Rules work with modsecurity 2.x and above only #-------------------------------- #start rules #-------------------------------- # Phase 2 rules # Rule 300000: Blacklist of referer spam hostnames SecDefaultAction "log,deny,auditlog,phase:2,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace" #SecRule REQUEST_HEADERS:Referer|ARGS "!@pmFromFile domain-spam-whitelist.conf" \ # "chain,id:300000,rev:2,severity:2,msg:'Blacklist Referer Spam'" SecRule REQUEST_HEADERS:Referer|ARGS "@pmFromFile domain-blacklist.txt" \ "id:300000,rev:2,severity:2,msg:'Blacklist Referer Spam'" # Rule 300001: Blacklist of URI spam SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300001,rev:3,severity:2,msg:'Blacklist URI Spam',phase:4,chain" SecRule REQUEST_BODY|ARGS "(?:ogg|zlib|(?:ht|f)tps?\:/).*" "chain" #SecRule REQUEST_BODY|ARGS "!@pmFromFile domain-spam-whitelist.conf" chain SecRule REQUEST_BODY|ARGS "@pmFromFile domain-blacklist.txt" # Rule 300002: Comment Spam SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300002,rev:1,severity:2,msg:'Spam: Adult',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:blow)+[\w\-_.]*(?:jobs?)+[\w\-_.]*\.[a-z]{2,}" # Rule 300003: Comment Spam SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300003,rev:1,severity:2,msg:'Spam: Adult',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:gay)+[\w\-_.]*(?:beastiality)+[\w\-_.]*\.[a-z]{2,}" # Rule 300004: Comment Spam SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300004,rev:1,severity:2,msg:'Spam: Adult',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:beastilality)+[\w\-_.]*(?:stories)+[\w\-_.]*\.[a-z]{2,}" # Rule 300005: Comment Spam SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300005,rev:1,severity:2,msg:'Spam: Adult',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:free)+[\w\-_.]*(?:beastiality)+[\w\-_.]*\.[a-z]{2,}" # Rule 300006: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300006,rev:1,severity:2,msg:'Spam: Adult',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:horse|animal|dog)+[\w\-_.]*(?:porn|cocks|dick|sex|penis|blowj.*)+[\w\-_.]*\.[a-z]{2,}" # Rule 300007: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300007,rev:1,severity:2,msg:'Spam: Buy Online',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:buy)+[\w\-_.]*online[\w\-_.]*\.[a-z]{2,}" # Rule 300008: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300008,rev:1,severity:2,msg:'Spam: Pharmacy/Adult',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:diet|penis)+[\w\-_.]*(?:pills|enlargement)[\w\-_.]*\.[a-z]{2,}" # Rule 300009: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300009,rev:1,severity:2,msg:'Spam: Pharmacy/Adult',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:enlarg|enhanc).*(male|penis|natural).*\.[a-z]{2,}" # Rule 300010: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300010,rev:1,severity:2,msg:'Spam: Pharmacy/Adult',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:enlarg|enhanc).*(?:male|penis|natural)\.[a-z]{2,}" # Rule 300011: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300011,rev:1,severity:2,msg:'Spam: Pharmacy',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:online)+[\w\-_.]*pharmacy" # Rule 300012: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300012,rev:1,severity:2,msg:'Spam: General',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:i|la)-sonneries?[\w\-_.]*\.[a-z]{2,}" # Rule 300013: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300013,rev:3,severity:2,msg:'Spam: Pharmacy',chain" SecRule REQUEST_HEADERS:Referer|ARGS|!ARGS:toemail|!ARGS:fromemail "(?:silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}" # Rule 300014: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300014,rev:4,severity:2,msg:'Spam: Pharmacy',chain" SecRule REQUEST_HEADERS:Referer "!(?:/imp/login\.php)" chain SecRule REQUEST_HEADERS:Referer|ARGS "(?:ephedrine|neurontin|glucosamine|testosterone|cialis!t|lipitor|effexor|propecia|celebrex|gluclosamine|lexapro|ephedra|levitra)+[\w\-_.]*\.[a-z]{2,}" \ # Rule 300015: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300015,rev:1,severity:2,msg:'Spam: General',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:magazine)+[\w\-_.]*(?:finder|netfirms)+[\w\-_.]*\.[a-z]{2,}" # Rule 300016: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300016,rev:1,severity:2,msg:'Spam: Pharmacy',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:male|penis)enlarg*\.(?:biz|com|net|org|us|info)" # Rule 300017: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300017,rev:1,severity:2,msg:'Spam: Pharmacy',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:male|penis).*(?:enlarg|enhanc|natural|pill|surgery|traction)" # Rule 300018: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300018,rev:1,severity:2,msg:'Spam: General',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(mike)+[\w\-_.]*apartment[\w\-_.]*\.[a-z]{2,}" # Rule 300019: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300019,rev:1,severity:2,msg:'Spam: Adult',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:milf)+[\w\-_.]*(?:hunter|moms|fucking|lessons)[\w\-_.]*\.[a-z]{2,}" # Rule 300020: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300020,rev:1,severity:2,msg:'Spam: Pharmacy',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:natural|penis|male).*(?:enlarg.*|enhanc.*)" # Rule 300021: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300021,rev:1,severity:2,msg:'Pharmacy: Adult',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:natural|penis|male)+[\w\-_.]*(?:enlarg.*|enhanc.*)" # Rule 300022: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300022,rev:1,severity:2,msg:'Spam: Pharmacy/Gambling',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:online)+[\w\-_.]*(?:prescription|casino|roulette|slot)+[\w\-_.]*\.[a-z]{2,}" # Rule 300023: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300023,rev:1,severity:2,msg:'Spam: Gambling',chain" SecRule REQUEST_HEADERS:Referer|ARGS "[\w\-_.]*(?:casino|roulette)\.[a-z]{2,}" # Rule 300024: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300024,rev:1,severity:2,msg:'Spam: Gambling',chain" SecRule REQUEST_HEADERS:Referer|ARGS "[\w\-_.]*(?:casino|roulette).*\.[a-z]{2,}" # Rule 300025: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300025,rev:1,severity:2,msg:'Spam: Gambling',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:slot)+[\w\-_.]*machines\.[a-z]{2,}" # Rule 300026: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300026,rev:1,severity:2,msg:'Spam: Pharmacy',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:prozac|zoloft|xanax|valium|hydrocodone|vicodin|paxil|vioxx)+[\w\-_.]*\.[a-z]{2,}" # Rule 300027: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300027,rev:1,severity:2,msg:'Spam: Pharmacy',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:ragazze)-?\w+\.[a-z]{2,}" # Rule 300028: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300028,rev:1,severity:2,msg:'Spam: Gambling',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:texas)+[\w\-_.]*holdem" # Rule 300029: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300029,rev:1,severity:2,msg:'Spam: Pharmacy',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:phentermine)+[\w\-_.]*online" # Rule 300030: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300030,rev:1,severity:2,msg:'Spam: Gambling',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:texas)+[\w\-_.]*hold[\w\-_.].*em" # Rule 300031: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300031,rev:1,severity:2,msg:'Spam: Gambling',chain" SecRule REQUEST_HEADERS:Referer|ARGS "texas[\w\-_.]hold[\w\-_.]em" # Rule 300032: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300032,rev:1,severity:2,msg:'Spam: Gambling',chain" SecRule REQUEST_HEADERS:Referer|ARGS "pacific+[\w\-_.]*poke.*\.[a-z]{2,}" # Rule 300033: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300033,rev:1,severity:2,msg:'Spam: Gambling',chain" SecRule REQUEST_HEADERS:Referer|ARGS "poker+[\w\-_.]*\.[a-z]{2,}" # Rule 300034: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300034,rev:1,severity:2,msg:'Spam: Gambling',chain" SecRule REQUEST_HEADERS:Referer|ARGS "[\w\-_.]*poker\.[a-z]{2,}" # Rule 300035: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300035,rev:2,severity:2,msg:'Spam: Gambling',chain" SecRule REQUEST_HEADERS:Referer|ARGS "[\w\-_.]*poker.*\.[a-z]{2,}" # Rule 300036: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300036,rev:2,severity:2,msg:'Spam: Gambling',chain" SecRule REQUEST_HEADERS:Referer|ARGS "poker.*\.[a-z]{2,}" # Rule 300037: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300037,rev:1,severity:2,msg:'Spam: Gambling',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:random|free|internet)+[\w\-_.]*slots\.[a-z]{2,}" # Rule 300038: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300038,rev:1,severity:2,msg:'Spam: Pharmacy',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:wellbutrin|tenuate|tramadol|pheromones|phendimetrazine|ionamin|ortho.?tricyclen|retin.?a\b)+[\w\-_.]*\.[a-z]{2,}" # Rule 300039: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300039,rev:1,severity:2,msg:'Spam: Pharmacy',chain" SecRule REQUEST_HEADERS:Referer|ARGS "ultram\.[a-z]{2,}" # Rule 300040: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300040,rev:1,severity:2,msg:'Spam: Pharmacy',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:celexa|valtrex|zyrtec|\bhgh\b|ambien\b|flonase|allegra|didrex|renova|bontril|nexium)+[\w\-_.]*\.[a-z]{2,}" # Rule 300041: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300041,rev:1,severity:2,msg:'Spam: Pharmacy',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:[\w\-_.]+\.)?(?:l(?:so|os)tr)\.[a-z]{2,}" # Rule 300042: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300042,rev:1,severity:2,msg:'Spam: Pharmacy',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:lose[\w\-_.]*weight|weight[\w\-_.]*loss).*\.[a-z]{2,}" # Rule 300043: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300043,rev:1,severity:2,msg:'Spam: Pharmacy',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:prices|pills|buy|diet*|medic(?:ine|ation|al)|dru.*)\.pharma.*\.[a-z]{2,}" # Rule 300044: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300044,rev:1,severity:2,msg:'Spam: Adult',chain" SecRule REQUEST_HEADERS:Referer|ARGS "[0-9a-z_.\-]*(?:bulkcrawler|sysco[mn]-[a-z0-9]+|jagk|kloony|azgirlcam)\.[a-z]{2,}" # Rule 300045: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300045,rev:1,severity:2,msg:'Spam: Adult',chain" SecRule REQUEST_HEADERS:Referer|ARGS "[0-9a-z_.\-]*(?:camfun24|jardimed|kylos(?:net)?|istarthere|roxtet|freshgirls)\.[a-z]{2,}" # Rule 300046: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300046,rev:1,severity:2,msg:'Spam: Adult',chain" SecRule REQUEST_HEADERS:Referer|ARGS "[0-9a-z_.\-]*(?:dailyorbit|insurancequoteweb|i-horny|livenet|filthserver)\.[a-z]{2,}" # Rule 300047: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300047,rev:1,severity:2,msg:'Spam: Adult',chain" SecRule REQUEST_HEADERS:Referer|ARGS "[0-9a-z_.\-]*(?:formula42|ilya|9sekund|find-it-buy-it|xopy|bukakke)\.[a-z]{2,}" # Rule 300048: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300048,rev:1,severity:2,msg:'Spam: Adult',chain" SecRule REQUEST_HEADERS:Referer|ARGS "[0-9a-z_.\-]*fortunecity\.[a-z.]+\.[a-z]{2,}" # Rule 300049: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300049,rev:1,severity:2,msg:'Spam: Gemeral',chain" SecRule REQUEST_HEADERS:Referer|ARGS "[0-9a-z_.\-]*(?:notlong|isacommie|musicbox[0-9]|miccel|rooody|rowdd|colkk)\.[a-z]{2,}" # Rule 300050: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300050,rev:1,severity:2,msg:'Spam: Pharmacy',chain" SecRule REQUEST_HEADERS:Referer|ARGS "[0-9a-z_.\-]*(?:nullnix|plongs|pimrim|ewilla|startseek|ponagansetpost)\.[a-z]{2,}" # Rule 300051: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300051,rev:1,severity:2,msg:'Spam: General',chain" SecRule REQUEST_HEADERS:Referer|ARGS "[0-9a-z_.\-]*(?:sysrem[0-9]+|lemonrider[0-9]*|exitq|defunctportal|andrewsaluk)\.[a-z]{2,}" # Rule 300052: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300052,rev:1,severity:2,msg:'Spam: Adult',chain" SecRule REQUEST_URI "href.*http.*\{@\DOMAIN}\.*\{\@URL\}.*\{\@ANCHOR\}" # Rule 300052: SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300053,rev:1,severity:2,msg:'Spam: Drugs',chain" SecRule REQUEST_HEADERS:Referer|ARGS "online-phentermine" # Rule 300053: Comment Spam SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300053,rev:1,severity:2,msg:'Spam: Adult',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:hannigan|bynes|alicia[\w\-_.]silverstone)+[\w\-_.]*(?:nude|nudies|american[\w\-_.]pie)+[\w\-_.]*(?:pictures)+[\w\-_.]*\.[a-z]{2,}" # Rule 300054: Comment Spam SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300054,rev:1,severity:2,msg:'Spam: Adult',chain" SecRule REQUEST_HEADERS:Referer|ARGS "(?:hannigan|bynes|alicia[\w\-_.]silverstone)+[\w\-_.]*(?:nude|nudies)+[\w\-_.]*\.[a-z]{2,}" #Rule 300055: Hidden spam links #examples: # #overflow:auto;width:0;height:0 SecRule REQUEST_BODY|ARGS "< ?font style ?= ?(position ?\: ?absolute|overflow ?\: ?(?:hidden|auto)).*(?:height|width) ?(?:=|\:) ?[0-9] ?(px|\;)" \ "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:300056,rev:1,severity:2,msg:'Spam: Hidden Text Exploit'" #Special RBL rules for blogs #Wordpress #SecRule REQUEST_METHOD “^post$” “chain,id:300057,rev:1,severity:2,msg:’Spam: WordPress Comment From user on RBL: list.dsbl.org’” #SecRule REQUEST_URI “wp-(comments-post|trackback)\.php$” “chain,t:normalisePath” #SecRule REMOTE_ADDR “@rbl list.dsbl.org” # #SecRule REQUEST_METHOD “^post$” “chain,id:300058,rev:1,severity:2,msg:’Spam: WordPress Comment From user on RBL: bl.spamcop.net’” #SecRule REQUEST_URI “wp-(?:comments-post|trackback)\.php$” “chain,t:normalisePath” #SecRule REMOTE_ADDR “@rbl bl.spamcop.net” # #SecRule REQUEST_METHOD “^post$” “chain,id:300059,rev:1,severity:2,msg:’Spam: WordPress Comment From user on RBL: sbl-xbl.spamhaus.org’” #SecRule REQUEST_URI “wp-(?:comments-post|trackback)\.php$” “chain,t:normalisePath” #SecRule REMOTE_ADDR “@rbl sbl-xbl.spamhaus.org” #MovableType #TikiWiki # Rule 300053: Comment Spam SecRule REQUEST_URI "!(?:/imp/compose\.php)" \ "id:300060,rev:1,severity:2,msg:'Spam: Adult',chain" SecRule REQUEST_HEADERS:Referer|ARGS "backseatbangers+[\w\-_.]*\.[a-z]{2,}"