# both.conf
# Rules to block access to known spam scripts

# Will block if the Host header is in all caps with a lower-case tld,
# if the request URI ends with ".php" (case insensitive), if the user agent
# matches the list of patterns, if the method is POST and if Referer is not set.
# See #3885 for details
SecRule REQUEST_HEADERS:Host "[0-9A-Z\.-]\.[a-z\.]+" \
    "chain,log,deny,status:406,id:13421,t:none,\
    msg:'POST request appears to be to spam mailer'"
SecRule REQUEST_FILENAME "\.php$" "chain,t:lowercase"
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0$" "chain,t:removeWhitespace"
SecRule REQUEST_HEADERS_NAMES "!@contains Referer" "chain"
SecRule REQUEST_METHOD "POST"

# Block for long postdata from sketchy clients 3976 
SecRule ARGS "[0-9a-zA-Z=&%]{80}" \
    "chain,log,deny,status:406 \
    msg:'Unusual POST data',id:13701,t:none"
SecRule REQUEST_FILENAME "\.php$" "chain,t:lowercase"
SecRule REQUEST_HEADERS:Accept "^[*]/[*]$" "chain,t:removeWhitespace"
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0$" "chain,t:none,t:removeWhitespace"
SecRule REQUEST_METHOD "POST"

# Block POSTs to a known spam script payload
SecRule REQUEST_FILENAME "sys\d{5,}\.php$" "chain,log,deny,status:406 \
    msg:'Access to known spam script',id:13703,t:lowercase,t:removeWhitespace"
SecRule REQUEST_METHOD "POST"

# Ticket 7140 <https://trac.imhtech.net/T3/ticket/7140>
<Files "sitedata.php">
    SecRule ARGS_NAMES "@pm text subj data address port login password email name headers to" \
        "log,deny,status:406,msg:'Access to known spam script',id:13704,t:removeWhitespace"
</Files>