ModSecurity: rules against comment spam
Lately the wiki of my Vuurmuur project has been receiving quite a lot of comment spam. Although removing the spam manually is boring work, I still don't really mind it, because it lets me practice writing ModSecurity rules to fight it off. So far the spam follows a pattern: it is posted by bots and keeps the same general layout for long periods of time, which makes it worthwhile to spend time on creating rules against it. Yesterday a new type of spam emerged on the wiki. The following audit_log entry is for one of them; I had to slightly edit it for layout reasons.
--9075cb7a-A--
[22/Aug/2006:20:20:46 +0200] SPO4w5FhwZUAADItDEgAAAAC 195.225.177.131 34189 192.168.1.101 80
--9075cb7a-B--
POST /tiki/tiki-index.php HTTP/1.1
Host: wiki.vuurmuur.org
Referer: http://wiki.vuurmuur.org/tiki/tiki-index.php?page=Vuurmuur
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 1304
Content-Type: application/x-www-form-urlencoded

--9075cb7a-C--
page=Vuurmuur&cols=60&comments_sort_mode=points_desc&comments_parentId=0&rows=6&comments_postComment=post&comments_threshold=0&comments_threadId=0&comments_data=Chevrolet+-+%5BURL%3Dhttp%3A%2F%2Fcanonprnbf.kickme.to%2F+%5D+Chevrolet+%5B%2FURL%5D+home+based+businesses+-+%5BURL%3Dhttp%3A%2F%2F1964cadulj.blog.kataweb.it%2F1964cadulj%2Findex-home-based-businesses.html+%5D+home+based+businesses+%5B%2FURL%5D+diet+pills+-+%5BURL%3Dhttp%3A%2F%2Faemerge4li.web1000.com%2Findex-diet-pills.html+%5D+diet+pills+%5B%2FURL%5D+Cash+Advance+-+%5BURL%3Dhttp%3A%2F%2Fseamlesmnp.su.pl%2F+%5D+Cash+Advance+%5B%2FURL%5D+Azithromycin+-+%5BURL%3Dhttp%3A%2F%2Fthelacefab7ne.kickme.to%2F+%5D+Azithromycin+%5B%2FURL%5D+allergy+-+%5BURL%3Dhttp%3A%2F%2Fgeo.ya.com%2Faeggcelpzg%2Findex-allergy.html+%5D+allergy+%5B%2FURL%5D+Cash+Advance+-+%5BURL%3Dhttp%3A%2F%2Faofficeuov.ir.pl%2F+%5D+Cash+Advance+%5B%2FURL%5D+free+games+-+%5BURL%3Dhttp%3A%2F%2Fwww.geocities.com%2Fthebestjwb%2Findex-free-games.html+%5D+free+games+%5B%2FURL%5D+Ambien+-+%5BURL%3Dhttp%3A%2F%2Fbeadedluwu.su.pl%2F+%5D+Ambien+%5B%2FURL%5D+altace+-+%5BURL%3Dhttp%3A%2F%2Facellphonehy4.tripod.com%2Findex-altace.html+%5D+altace+%5B%2FURL%5D+&comments_reply_threadId=0&comments_title=Chevrolet&comments_offset=0&comments_previewComment=preview&comments_grandParentId=
--9075cb7a-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/4.3.10-16
Set-Cookie: PHPSESSID=b2497fd593f56c5af4f3613ba78a7619; path=/tiki
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

--9075cb7a-H--
Stopwatch: 1156270844524739 1475657 (17717* 38503 0)
Producer: ModSecurity v1.9.2 (Apache 2.x)
Server: Apache/2.0.54 (Debian GNU/Linux) PHP/4.3.10-16 mod_ssl/2.0.54 OpenSSL/0.9.7e

--9075cb7a-Z--
A general rule against this comment spam would probably not be that hard: just blocking "http://" would probably do the trick. However, I'm not quite willing to do this, since people might actually post real and interesting links to the wiki. I noticed that the above comment and the 30 others already posted all contained the uppercase word URL, so I decided to block on that. Below are the rules, which as you can see are quite an improvement over my earlier rules, because they now only match on actual comment posts ;-)
SecFilterSelective REQUEST_URI "/tiki/tiki-index.php" "chain,msg:'LOCAL comment spam'"
SecFilterSelective POST_PAYLOAD "URL" chain
SecFilterSelective POST_PAYLOAD "comments_postComment=post" log,deny,status:403
An Apache restart and just wait… but not for long:
[Tue Aug 22 21:35:44 2006] [error] [client 195.225.177.131] mod_security: Access denied with code 403. Pattern match "comments_postComment=post" at POST_PAYLOAD [msg "LOCAL comment spam"] [hostname "wiki.vuurmuur.org"] [uri "/tiki/tiki-index.php"] [unique_id "VTGBGJFhwZUAADMnAWAAAAAA"]
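To see exactly what the three-rule chain does and does not catch, here is an added example that replays its logic offline in Python. This is not ModSecurity code and not part of the original entry or the Vuurmuur project; the request bodies are constructed for the demo (the first is abbreviated from the audit log above), and the tighter "[URL=" variant is an assumption of mine, not the rule from the entry.

```python
"""Offline model of the three-rule ModSecurity 1.9 chain from the entry.

Added example, not the entry's own code: it replays the chain's logic over
constructed requests so the match and its blind spot can be checked
without Apache.
"""
import re
from urllib.parse import parse_qs

# The three SecFilterSelective patterns as written in the entry. ModSecurity
# 1.x treats a pattern as a regex searched anywhere in the location, so the
# '.' in the URI pattern is a wildcard and "URL" is a bare substring test.
RULE_URI = re.compile(r"/tiki/tiki-index.php")
RULE_URL = re.compile(r"URL")
RULE_POST = re.compile(r"comments_postComment=post")


def chain_matches(uri: str, body: str) -> bool:
    """True when all three chained rules match, i.e. the request is denied.

    Matched against the raw url-encoded body as it appears in the audit log;
    both "URL" (inside %5BURL%3D) and "comments_postComment=post" survive
    form encoding unchanged, so decoding does not change the outcome here.
    """
    return bool(RULE_URI.search(uri) and RULE_URL.search(body) and RULE_POST.search(body))


# Tighter variant (my assumption, not the entry's rule): decode the form and
# look for the BBCode "[URL=" tag in the comment text only, so a comment
# that merely mentions cURL or writes URL in capitals is not blocked.
BBCODE_URL = re.compile(r"\[URL=")


def tight_matches(uri: str, body: str) -> bool:
    """Deny only real comment posts whose text carries a [URL= tag."""
    if not RULE_URI.search(uri):
        return False
    form = parse_qs(body, keep_blank_values=True)
    if form.get("comments_postComment") != ["post"]:
        return False
    return any(BBCODE_URL.search(text) for text in form.get("comments_data", []))


# Constructed sample requests as (uri, raw body). "spam_post" is abbreviated
# from the audit log in the entry; the others are made up for this demo.
SAMPLES = {
    "spam_post": (
        "/tiki/tiki-index.php",
        "page=Vuurmuur&comments_postComment=post&comments_data=Chevrolet+-+"
        "%5BURL%3Dhttp%3A%2F%2Fcanonprnbf.kickme.to%2F+%5D+Chevrolet+%5B%2FURL%5D"
        "&comments_title=Chevrolet",
    ),
    # the same spam only previewed: nothing is stored, so the chain stays quiet
    "spam_preview": (
        "/tiki/tiki-index.php",
        "page=Vuurmuur&comments_previewComment=preview&comments_data="
        "%5BURL%3Dhttp%3A%2F%2Fcanonprnbf.kickme.to%2F+%5DChevrolet%5B%2FURL%5D",
    ),
    # a genuine comment with a plain link, which the entry wants to keep
    "real_link": (
        "/tiki/tiki-index.php",
        "page=Vuurmuur&comments_postComment=post&comments_data="
        "Docs+are+at+http%3A%2F%2Fwww.vuurmuur.org%2F",
    ),
    # a genuine comment that happens to contain the letters URL
    "mentions_curl": (
        "/tiki/tiki-index.php",
        "page=Vuurmuur&comments_postComment=post&comments_data=Fetch+it+with+cURL",
    ),
    # spam-looking body on another script: the first rule of the chain fails
    "other_page": (
        "/tiki/tiki-read_article.php",
        "comments_postComment=post&comments_data="
        "%5BURL%3Dhttp%3A%2F%2Fexample.invalid%2F%5Dx%5B%2FURL%5D",
    ),
}


def denied(rule=chain_matches):
    """Names of the samples the given rule would answer with a 403."""
    return sorted(name for name, (uri, body) in SAMPLES.items() if rule(uri, body))


if __name__ == "__main__":
    print("chain from the entry denies:", denied(chain_matches))
    print("[URL= tag variant denies:   ", denied(tight_matches))
```

Running it shows the chain from the entry denying the spam and ignoring the preview, the plain link and the other script, but also denying the comment that mentions cURL, because a bare "URL" pattern is a substring match. Escaping the bracket and matching `\[URL=` in the second rule closes that gap while still catching every spam sample the entry describes. Two things to check on the Apache side: POST_PAYLOAD is only inspected when SecFilterScanPOST is On, and the unescaped "." in the REQUEST_URI pattern is a regex wildcard, harmless here but worth remembering when a rule has to be exact.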
This morning there were already 59 blocked attempts, all of which I would have had to remove manually without these rules. So taking the time to set up the rules really pays off.