whoo wrote:

For the last 24 hours, I have been using a variation of this in my .htaccess:

SecFilterEngine On
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:403"
SecFilterSelective "POST_PAYLOAD" "casino|ritalin|levitra|lolita|zyban|valtex|valium"

Just one question as I prepare to upgrade to "Sparkle" today: Does this code go in the htaccess in the blog's root directory, or in another directory ie: conf, admin, myskin folder ?

BaileyWTNH,

my own "hardened" .htaccess is in the root of my site. IF you were feeling especially brave you might want to drop an .htaccess with just the mod_security stuff above into your /htsrv directory, since thats where the file responsible for comment submission lives.

There are several other files that will be affected by the rules in that directory also, however they would be affected all the same if you used the .htaccess in a directory above that > .htaccess's affect child dirs

Also, please note, that depending on where you employ mod_security, that words you include in that list will be be restricted completely -- that is even you will not be able to use them. Your own blog posts are sent via an http_post, so if you want to blog about viagra, or casinos, you might want to keep that in mind.

Clear as mud, I imagine.

Scarily enough, I think I understood that.

I followed your instructions and it works great. Thanks for the guide, whoo!

I might add that my webhost runs php as cgi, so the phpinfo page didn't have an apache section and didn't say that mod_security was enabled, but I had changed a setting with the host, so I knew that it was. When in doubt, ask your web host.

great personman! Im glad to heat that!! Did you do the /htsrv directory or web root??

I wanted to add that most of the examples I've found use a error 412 page -- frankly, I really like my 403 though and enjoy the idea that a human spammer might see it, AND Ive never seen a 412 in my logs unless Im looking at the raw logs -- I like the quick looks at my cpanel logs that show me those 403s :)

Also, I should add that Ive gotten ONE piece of comment spam in the last 4 days, and it was a word I hadnt added, "pharmacy". Go figure.

I was also seeing the occassional registration that contained spam words, and that has stopped -- I think theyre hoping that by registering, they can pass unmoderated comments (which they cannot, anyway). It's catching those too, and im blocking one particular tld that seems to be the most popular "fake email addy" for spammer signups.

The /htsrv directory covers blog user registrations as well.

I did have it in my web root, but I just moved it to htsrv so I could be a little more aggressive and not have to worry about catching blog posts.

A lot of spam comes from sites like "something-ag4s.blogspot.com" The thing they have in common is a dash followed by four random characters, then .blogspot.com. I'm not to the point of banning blogspot, but what about something like this:

SecFilterSelective "POST_PAYLOAD" "casino|ritalin|levitra|lolita|zyban|valtex|valium|-[a-z0-9]{4}.blogspot.com"

I haven't tried this because I'm not sure if I'm doing the RegEx correctly. Is my syntax ok?

I can point you to a good way to test it..

check your pm's later today.

actually, on second thought, thats not the way to block that, since if I read correctly, your talking about a referer. That particular mod_security rule is going to look at content, not referer.

mod_security can be used to check referers though. the gotroot link above contains example rules of how you would do that.

No, actually I was talking about urls in comments. I went ahead and tested it and it seems to work just like I want it to. That rule should stop half of the comment spam before it even touches the php files.

ahhh oke, well thats good then. :)

I ran into a bit of a hitch recently; I solved it and thought I might share.

Some of what I wanted to block I wanted to be able to post. The solution was simple

Add the following line:

SecFilterEngine Off

to an .htaccess in b2evolution's /admin directory. When done, you will be able to post content regardless of whether or not it's being blocked via the method I explained above.

PS: the line turns off mod_security for any files accessed within that directory.

I've been adding words to this rule and I guess I added one too many. This morning someone couldn't post a comment with the word "Socialist" in it. It was matching "cialis", which is a word in a lot of spam comments. Since this method has the power of regular expressions, I was able to fix it like this:

SecFilterSelective "POST_PAYLOAD" "paxil|diazepam|celebrex|tramadol|phentermine|xanax|ritalin|levitra|lolita|zyban|valtex|valium|[^o]cialis[^t]|-[a-z0-9]{4}.blogspot.com"

Now it only matches "cialis" if it's not in between an o and a t.

Another option would be to surround keywords with with [\W] to only match when there's a non-alphanumeric character on either side. So,

[\W]cialis[\W]

would match " cialis ", "cialis.blogspot.com", "www.cialis.com", "buy-cialis.cheap.com", etc. But it wouldn't match "socialist" or any other words that have "cialis" in the middle of them (with other letters on either side).

With regex, the possibilities are really opened up. I'm not very good with regex, but it's already helping me quite a bit.

specialist

Right you are, EdB. This should cover that, too:

[^oe]cialis[^t]

Or the \W method, although it might let through some false negatives.

thought I would share this:

SecFilterEngine On
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:403"
SecFilterSelective "POST_PAYLOAD" ".ru|marketing|loan|pharmacy|tramadol|pharm|casino|www4|www3|www1|ww2|sex|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia|xanax|mp3|drug|pill|valium"

since I linked to this thread from the registration spam thread .. notice I block .ru (that takes care of all links, and that includes registration attempts that might attempt to use a .ru email addy.

Im sure, in fact I know, its possible to code a way to check email addy content against a list of unwanted tlds but:

My personal thing has been keeping everything consolidated -- in other words, rather than using one file/hack/plugin to do one thing, and another to do something else, and so on, I can use just one: my .htaccess

For what its worth, since I started using mod_security, ive not gotten ONE spam registration

What kind of log is it that you are using to see how many hits are blocked?

That's the apache log. Check with your webhost to see how to view it.

I'm getting the mod_security error but it only occurs when I am saving after editing a post. Does anyone have a suggestion that can be implemented in b2evo settings.

No really. If you have access to your host a) ask them to 'white rule' the request or b) you may be able to temporarily disable mod-security from your cPanel

You may also like to start a new thread when you get as issue, with version number etc.

There are various files that cause this issue, (evoadm.php) for example. Check the URL, and post it with the query.