# http://www.gotroot.com/mod_security+rules
# Comment Spam Rules for modsec 2.x
# NOTICE: THESE RULES ARE OBSOLETE AND ARE NO LONGER SUPPORTED
# Visit http://www.gotroot.com to download supported rules
#
# Download from: http://www.gotroot.com/downloads/ftp/mod_security/2.0/blacklist.conf
#
# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
# Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
#Version: N-20061022-01
#
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.


#http://www.gotroot.com
#see website for more information
SecRule REQUEST_URI "!(/compose\.php\?)" chain
SecRule ARGS|REQUEST_BODY|REQUEST_URI "Subject\:" chain
SecRule ARGS:Bcc ".*\@"
SecRule REQUEST_URI "!(/compose\.php\?)" chain
SecRule ARGS|REQUEST_BODY|REQUEST_URI "Subject\:" chain
SecRule ARGS|REQUEST_BODY|REQUEST_URI "\s*bcc\:"
SecRule REQUEST_URI "!(/compose\.php\?)" chain
SecRule ARGS|REQUEST_BODY|REQUEST_URI "\s*bcc\:\s*[a-z0-9._%-]+@[A-Z0-9.-]+\.[a-z]{2,}"
SecRule REQUEST_URI "!(/compose\.php\?)" chain
SecRule ARGS "\n[[:space:]]*(to|b?cc)[[:space:]]*:.*@"
SecRule REQUEST_URI "!(/compose\.php\?)" chain
SecRule ARGS "\s*bcc\:\s*[a-z0-9._%-]+\@.*\.[a-z]{2,}"
SecRule HTTP_x-aaaaaaaaa|HTTP_XAAAAAAAAA ".+$"
SecRule HTTP_x-aaaaaaaaaaa|HTTP_XAAAAAAAAAAA ".+$"
SecRule HTTP_x-aaaaaaaaaaaa|HTTP_X_AAAAAAAAAAAA ".+$"
#SecRule HTTP_XXXXXXXXXXXXXXX ".+$"

#unknown pattern in testing, logging only, please send
#any patterns RELATED TO SPAM OR ATTACKS you log with with these rules
#please do not send false positives for this rule set, just turn it off
#SecRule HTTP_aaaaaaaaa|HTTP_AAAAAAAAA ".+$" "log,pass"
#SecRule HTTP_aaaaaaaaaaa|HTTP_AAAAAAAAAAA ".+$" "log,pass"
#SecRule HTTP_aaaaaaaaaaaa|HTTP_AAAAAAAAAAAA ".+$" "log,pass"
#SecRule HTTP_aaaaaaaaaaaaaaa|HTTP_AAAAAAAAAAAAAAA ".+$" "log,pass"

SecRule HTTP_Referer|ARGS "(blow)+[\w\-_.]*(jobs?)+[\w\-_.]*\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "(gay)+[\w\-_.]*(beastiality)+[\w\-_.]*\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "(beastilality)+[\w\-_.]*(stories)+[\w\-_.]*\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "(free)+[\w\-_.]*(beastiality)+[\w\-_.]*\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "(horse|animal|dog)+[\w\-_.]*(porn|cocks|dick|sex|penis|blowj.*)+[\w\-_.]*\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "(buy)+[\w\-_.]*online[\w\-_.]*\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "(diet|penis)+[\w\-_.]*(pills|enlargement)[\w\-_.]*\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "(enlarg|enhanc).*(male|penis|natural).*\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "(enlarg|enhanc).*(male|penis|natural)\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "(online)+[\w\-_.]*pharmacy"
SecRule HTTP_Referer|ARGS "(i|la)-sonneries?[\w\-_.]*\.[a-z]{2,}"
SecRule REQUEST_URI "!(/sugarcrm/index\.php)" chain
SecRule HTTP_Referer|ARGS "(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "(ephedrine|neurontin|glucosamine|testosterone|cialis|lipitor|effexor|propecia|celebrex|gluclosamine|lexapro|ephedra|levitra)+[\w\-_.]*\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "(magazine)+[\w\-_.]*(finder|netfirms)+[\w\-_.]*\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "(male|penis)enlarg*\.(biz|com|net|org|us|info)"
SecRule HTTP_Referer|ARGS "(male|penis).*(enlarg|enhanc|natural|pill|surgery|traction)"
SecRule HTTP_Referer|ARGS "(mike)+[\w\-_.]*apartment[\w\-_.]*\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "(milf)+[\w\-_.]*(hunter|moms|fucking|lessons)[\w\-_.]*\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "(natural|penis|male).*(enlarg.*|enhanc.*)"
SecRule HTTP_Referer|ARGS "(natural|penis|male)+[\w\-_.]*(enlarg.*|enhanc.*)"
SecRule HTTP_Referer|ARGS "(online)+[\w\-_.]*(prescription|casino|roulette|slot)+[\w\-_.]*\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "[\w\-_.]*(casino|roulette)\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "[\w\-_.]*(casino|roulette).*\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "(slot)+[\w\-_.]*machines\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "(prozac|zoloft|xanax|valium|hydrocodone|vicodin|paxil|vioxx)+[\w\-_.]*\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "(ragazze)-?\w+\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "(texas)+[\w\-_.]*holdem"
SecRule HTTP_Referer|ARGS "(phentermine)+[\w\-_.]*online"
SecRule HTTP_Referer|ARGS "(texas)+[\w\-_.]*hold[\w\-_.].*em"
SecRule HTTP_Referer|ARGS "texas[\w\-_.]hold[\w\-_.]em"
SecRule HTTP_Referer|ARGS "pacific+[\w\-_.]*poke.*\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "poker+[\w\-_.]*\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "[\w\-_.]*poker\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "[\w\-_.]*poker.*\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "poker.*\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "(random|free|internet)+[\w\-_.]*slots\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "(wellbutrin|tenuate|tramadol|pheromones|phendimetrazine|ionamin|ortho.?tricyclen|retin.?a\b)+[\w\-_.]*\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "ultram\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "(celexa|valtrex|zyrtec|\bhgh\b|ambien\b|flonase|allegra|didrex|renova|bontril|nexium)+[\w\-_.]*\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "([\w\-_.]+\.)?(l(so|os)tr)\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "(lose[\w\-_.]*weight|weight[\w\-_.]*loss).*\.[a-z]{2,}"
SecRule HTTP_Referer|ARGS "(prices|pills|buy|diet*|medic(ine|ation|al)|dru.*)\.pharma.*\.[a-z]{2,}"