[Modsecurity] Squirrelmail "Forward" message does not work

Ryan E. Helfter rhelfter at datapipe.com
Thu Jun 29 17:45:55 EDT 2006


I don't seem to be able to replicate this...

Here is a test message, with squirrelmail 1.4.6 (RELEASE)

---------------------------- Original Message ----------------------------
Subject: test
From:    "Ryan E. Helfter" <reh at 420am.org>
Date:    Thu, June 29, 2006 5:33 pm
To:      reh at 420am.org
--------------------------------------------------------------------------

Test


Here are the mod_security rules I added:

#http://www.gotroot.com
#see website for more information
SecFilterSelective REQUEST_URI "!(/compose\.php\?)" chain
SecFilterSelective THE_REQUEST "Subject\:" chain
SecFilterSelective ARG_Bcc ".*\@"
SecFilterSelective REQUEST_URI "!(/compose\.php\?)" chain
SecFilterSelective POST_PAYLOAD "Subject\:" chain
SecFilterSelective POST_PAYLOAD "\s*bcc\:"
SecFilterSelective REQUEST_URI "!(/compose\.php\?)" chain
SecFilterSelective POST_PAYLOAD "\s*bcc\:\s*[a-z0-9._%-]+@[A-Z0-9.-]+\.[a-z]{2,}"
SecFilterSelective REQUEST_URI "!(/compose\.php\?)" chain
SecFilterSelective ARGS_VALUES "\n[[:space:]]*(to|b?cc)[[:space:]]*:.*@"
SecFilterSelective REQUEST_URI "!(/compose\.php\?)" chain
SecFilterSelective ARGS_VALUES "\s*bcc\:\s*[a-z0-9._%-]+\@.*\.[a-z]{2,}"
SecFilterSelective HTTP_x-aaaaaaaaa|HTTP_XAAAAAAAAA ".+$"
SecFilterSelective HTTP_x-aaaaaaaaaaa|HTTP_XAAAAAAAAAAA ".+$"
SecFilterSelective HTTP_x-aaaaaaaaaaaa|HTTP_X_AAAAAAAAAAAA ".+$"
#SecFilterSelective HTTP_XXXXXXXXXXXXXXX ".+$"

From blacklist.conf

SecFilterSelective ARGS_VALUES "\n[[:space:]]*(to|b?cc)[[:space:]]*:.*@"

I believe was the rule you had problems with, but that rule looks for
"to: and bcc:" not To: or Bcc:.

My guess is you're not chaining the rules properly?  Just a guess...

I'd like to help you out further, but not sure I can without more info
on your environment...

Also, how come you are logging mod_security as Error 500 (internal
server error...)? This will cause any real 500 errors to look like it's a
problem with mod_security :)

I use 506 'cause that's not an RFC error code.  :)

Regards,

--
Ryan E. Helfter
UNIX Security Engineer

DataPipe Managed Hosting Services

- What It Means To Be Sure -

rhelfter at datapipe.com  | http://www.datapipe.com
Tel: 201.792.1918 x300 | Fax: 201-792-3090

