From johan at sege.nu  Tue Dec 12 03:50:09 2006
From: johan at sege.nu (Johan Segernäs)
Date: Tue, 12 Dec 2006 09:50:09 +0100
Subject: [Modsecurity] Spamming thru forms
Message-ID: <1165913409.18634.3.camel@roadrunner.serienet.levonline.com>

I have huge problems with people spamming thru our customers' forms. Not
only to our own customers but they also inject shit load of addresses.
Mostly it looks like it's osCommerce contact form but I don't think it's
only that one.

Anyone have a nice rule against this? Or will it block too many legal
forms as well?

I'm using latest rules.conf, jitp.conf and rootkits.conf.

From johan at sege.nu  Tue Dec 12 09:35:26 2006
From: johan at sege.nu (Johan Segernäs)
Date: Tue, 12 Dec 2006 15:35:26 +0100
Subject: [Modsecurity] Spamming thru forms
In-Reply-To: <1165913409.18634.3.camel@roadrunner.serienet.levonline.com>
References: <1165913409.18634.3.camel@roadrunner.serienet.levonline.com>
Message-ID: <1165934126.20463.16.camel@roadrunner.serienet.levonline.com>

Can someone build a mod_security rule based on following:
http://f6design.com/journal/2006/12/09/securing-php-contact-forms/

Maybe?

From david at cryptix.de  Tue Dec 12 09:37:39 2006
From: david at cryptix.de (David Obando)
Date: Tue, 12 Dec 2006 15:37:39 +0100
Subject: [Modsecurity] Spamming thru forms
In-Reply-To: <1165934126.20463.16.camel@roadrunner.serienet.levonline.com>
References: <1165913409.18634.3.camel@roadrunner.serienet.levonline.com>
 <1165934126.20463.16.camel@roadrunner.serienet.levonline.com>
Message-ID: <457EBEB3.5010700@cryptix.de>

Dear Johan,

why don't you use a CAPTCHA (http://en.wikipedia.org/wiki/Captcha)?

Regards,
David

--
The day microsoft makes something that doesn't suck is the day they
start making vacuum cleaners.

gpg --keyserver pgp.mit.edu --recv-keys 1920BD87
Key fingerprint = 3326 32CE 888B DFF1 DED3 B8D2 105F 29CB 1920 BD87

From johan at sege.nu  Wed Dec 13 03:30:27 2006
From: johan at sege.nu (Johan Segernäs)
Date: Wed, 13 Dec 2006 09:30:27 +0100
Subject: [Modsecurity] Spamming thru forms
In-Reply-To: <1165934126.20463.16.camel@roadrunner.serienet.levonline.com>
References: <1165913409.18634.3.camel@roadrunner.serienet.levonline.com>
 <1165934126.20463.16.camel@roadrunner.serienet.levonline.com>
Message-ID: <1165998627.8222.0.camel@roadrunner.serienet.levonline.com>

Wow, I opened my eyes and found the following:
http://www.securephpwiki.com/index.php/Email_Injection#modsecurity

This solved everything. Hopefully not killing too many customers. =)

Now I will shut up for a while. ;)

- Johan

From mfernandez at netglobalis.net  Wed Dec 13 10:15:01 2006
From: mfernandez at netglobalis.net (Matias Fernandez)
Date: Wed, 13 Dec 2006 12:15:01 -0300
Subject: [Modsecurity] Website trouble
Message-ID: <458018F5.8050802@netglobalis.net>

Hello,
Is there any problem with the website?

When I try to open http://www.gotroot.com/mod_security+rules I get a 403
error.

Regards.

--
Matias Fernandez
NOC NetGlobalis

From mike at gotroot.com  Wed Dec 13 13:35:41 2006
From: mike at gotroot.com (Michael Shinn)
Date: Wed, 13 Dec 2006 13:35:41 -0500
Subject: [Modsecurity] Spamming thru forms
In-Reply-To: <1165998627.8222.0.camel@roadrunner.serienet.levonline.com>
References: <1165913409.18634.3.camel@roadrunner.serienet.levonline.com>
 <1165934126.20463.16.camel@roadrunner.serienet.levonline.com>
 <1165998627.8222.0.camel@roadrunner.serienet.levonline.com>
Message-ID: <1166034941.7067.102.camel@localhost.localdomain>

There is already a rule for this in the blacklist.conf file. That file
may be too intense for some systems, but let me know if those rules work
for you to stop spam. I'm working on a lighter weight set of rules for
antispam, minus the actual spam blacklist itself.

--
Michael T. Shinn
KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86

Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com

From mike at gotroot.com  Wed Dec 13 13:36:20 2006
From: mike at gotroot.com (Michael Shinn)
Date: Wed, 13 Dec 2006 13:36:20 -0500
Subject: [Modsecurity] Website trouble
In-Reply-To: <458018F5.8050802@netglobalis.net>
References: <458018F5.8050802@netglobalis.net>
Message-ID: <1166034980.7067.104.camel@localhost.localdomain>

What's your IP address? It's possible your source got on a blacklist
somehow.

From mirror at prometheus-group.com  Tue Dec 19 18:10:42 2006
From: mirror at prometheus-group.com (mirror at prometheus-group.com)
Date: 19 Dec 2006 18:10:42 -0500
Subject: [Modsecurity] Modsecurity rules update for 20061219
Message-ID: <20061219231042.25242.qmail@plesk.shinn.net>

New Release of GotRoot Web Signatures

Diff of /etc/modsecurity/apache2-rules.conf
Diff of /etc/modsecurity/blacklist.conf
Diff of /etc/modsecurity/proxy.conf
Diff of /etc/modsecurity/rules.conf
Diff of /etc/modsecurity/blacklist2.conf
Diff of /etc/modsecurity/exclude.conf
Diff of /etc/modsecurity/rootkits.conf
Diff of /etc/modsecurity/useragents.conf
Diff of /etc/modsecurity/exclude.conf
Diff of /etc/modsecurity/badips.conf
Diff of /etc/modsecurity/recons.conf
Diff of /etc/modsecurity/jitp.conf

From mike at gotroot.com  Tue Dec 19 18:13:02 2006
From: mike at gotroot.com (Michael Shinn)
Date: Tue, 19 Dec 2006 18:13:02 -0500
Subject: [Modsecurity] Modsecurity rules update for 20061219
In-Reply-To: <20061219231042.25242.qmail@plesk.shinn.net>
References: <20061219231042.25242.qmail@plesk.shinn.net>
Message-ID: <1166569982.21789.52.camel@localhost.localdomain>

Feh... the updater diff code broke, there are some minor bug fixes in
this release, even though it's not in this e-mail. :-)