How to prevent / protect your server against PHP mail form injection using ModSecurity

Posted by HostsVault | Posted in How-To's | Posted on 28-05-2009-05-2008


Sometimes you may notice that your server's IP got blocked as a source of spam, just because one of your users runs an easy-to-hack mailing form that let spammers inject additional e-mail addresses (extra Cc/Bcc headers) into the message.
There are many ways to fight such spam attempts; here are some that use Apache's ModSecurity. Just add these lines to your ModSecurity config (this works with ModSecurity 2.x):

# Needs SecRequestBodyAccess On; REQUEST_BODY holds the raw body of
# URL-encoded POSTs (multipart forms are parsed into ARGS instead).
# Each pair is one chained rule: the first line finds an injected Cc/Bcc
# header, the second requires two comma-separated e-mail addresses.
# Because t:lowercase runs before the match, the encoded colon must be written as %3a.
SecRule REQUEST_BODY "bcc:|cc:|bcc%3a|cc%3a" t:lowercase,chain
SecRule REQUEST_BODY "[A-Za-z0-9._%-]+@[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,\x20[A-Za-z0-9._%-]+@[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
SecRule REQUEST_BODY "bcc:|cc:|bcc%3a|cc%3a" t:lowercase,chain
SecRule REQUEST_BODY "[A-Za-z0-9._%-]+@[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,[A-Za-z0-9._%-]+@[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
# The same two checks for bodies where "@" arrives URL-encoded as %40
SecRule REQUEST_BODY "bcc:|cc:|bcc%3a|cc%3a" t:lowercase,chain
SecRule REQUEST_BODY "[A-Za-z0-9._%-]+%40[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,\x20[A-Za-z0-9._%-]+%40[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
SecRule REQUEST_BODY "bcc:|cc:|bcc%3a|cc%3a" t:lowercase,chain
SecRule REQUEST_BODY "[A-Za-z0-9._%-]+%40[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}\,[A-Za-z0-9._%-]+%40[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"

Ugly rules, aren't they? :) Each pair is one chained rule: the first line checks the request body for an injected Cc or Bcc header (a legitimate form submission should not contain any CC'ed or BCC'ed addresses), the second looks for a pair of comma-separated e-mail addresses, and the request is blocked only when both match. There are other ways to send spam without using your installed MTA; the most famous one is the direct mailer or dark mailer, whatever dm.cgi stands for. This can also be blocked with ModSecurity; here are some rules that should help you do that:

# Block requests for the dark mailer / direct mailer CGI and its action parameters
SecRule REQUEST_URI "dm\.cgi"
SecRule REQUEST_BODY|REQUEST_URI "\.cgi\?m\=state"
SecRule REQUEST_BODY|REQUEST_URI "cgi\?m\=snd"
SecRule REQUEST_BODY|REQUEST_URI "cgi\?m\=icfg"

Fighting spam and ensuring your server's security is a multi-layer process, so you can't rely on just one solution: you have to combine several of them and always go through your logs to make sure everything is in place and nothing looks fishy.
For instance, in this spam-fighting case you could also handle and block the spam using iptables, but that's another post. I hope this post helps someone out there.
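To see what the chained header-injection rules above actually catch (and what slips past them), here is a small Python emulation of them. It is an added example, not part of the original post or of ModSecurity itself; the four rule pairs are merged into one pattern and the sample request bodies are constructed for this illustration.

```python
import re

# Emulation of the chained ModSecurity rules from the post (added example,
# not ModSecurity code). The four rule pairs are merged into one pattern and
# the sample request bodies below are constructed for this illustration.

# Rule 1: the body is lowercased (t:lowercase) and must contain a Cc/Bcc
# header marker, either raw or URL-encoded ("%3a" once lowercased).
HEADER_MARKER = re.compile(r"bcc:|cc:|bcc%3a|cc%3a")

# Rule 2 (chain = logical AND): two addresses separated by a comma and an
# optional space; "@" may arrive raw or URL-encoded as "%40".
_ADDR = r"[A-Za-z0-9._%-]+(?:@|%40)[A-Za-z0-9._%-]+\.[A-Za-z]{2,4}"
ADDR_PAIR = re.compile(_ADDR + r",\x20?" + _ADDR)


def header_injection_rule(request_body: str) -> bool:
    """Return True when the chained rule fires, i.e. the request is blocked."""
    lowered = request_body.lower()      # t:lowercase belongs to rule 1 only
    if not HEADER_MARKER.search(lowered):
        return False                    # chain stops at the first rule that misses
    return ADDR_PAIR.search(request_body) is not None


# Constructed sample bodies, shaped like what a PHP contact form would POST.
SAMPLES = {
    # Legitimate submission: one address, no header keywords.
    "legit": "name=Ann&email=ann%40example.org&msg=Hello+there",
    # Newline plus an extra Bcc header with two recipients, sent raw.
    "raw_injection": "email=ann@example.org\nBcc: x@example.net, y@example.com&msg=hi",
    # Same idea with "@" and ":" URL-encoded (comma left raw).
    "encoded_injection": "email=ann%40example.org%0ABcc%3A+x%40example.net,y%40example.com",
    # Header keyword but only one recipient: rule 2 misses, so the chain
    # lets it through, a limit of this signature worth knowing about.
    "single_recipient": "email=ann@example.org\nBcc: x@example.net&msg=hi",
}


def evaluate(samples=SAMPLES) -> dict:
    """Map each sample name to whether the rule would block it."""
    return {name: header_injection_rule(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, blocked in evaluate().items():
        print(f"{name:20s} {'BLOCKED' if blocked else 'allowed'}")
```

Note that a comma the browser encodes as %2C is not matched by the literal comma in the rules, so bodies like that pass the second rule; checking your own form's real submissions against the rule before deploying it avoids surprises in both directions.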
