I have been using ModSecurity for quite some time now to protect a webserver, but i never felt the need to write my own rules. Recently though, my site got quite a lot of spam in the comments of my TikiWiki based site. Since i was not willing to disable the anonymous comment posting i decided to see if i could use Mod_Security to block the spam.
The spam all looked alike with the following characteristics. It all contained a list uri’s with a pipe | before them. So decided to try the most easy way, by blocking all posts with this characteristic.
SecFilterSelective REQUEST_URI “.php” chain
SecFilterSelective POST_PAYLOAD ” | http:”
And it works fine:
[Sat Jul 01 12:37:32 2006] [error] [client 220.127.116.11] mod_security: Access denied with code 404. Pattern match ” \\| http\\:” at POST_PAYLOAD …
Surely the rule can be much refined, but as long as it works as it does, and i see no bad side effects, i’m happy 😉