Stop Spam With Mod_Security And RBL

Spam Sucks

I’ve been fine-tuning my Mod_Security rules for the last several days and I think I’m just about finished.  I found all the rules at GotRoot and I noticed that the black-list rules were all static – meaning that they were probably out of date before they were even published.

According to the documentation for Mod_security2 there is support for Real Time Blacklists (RBL) but I did not have much luck finding how to configure RBL at GotRoot – and Google did not help much either.  I found a few sparse blog posts here and there – most of these RBL rules either slowed my server to a crawl or just crashed Apache.

Finally after hours of Googling and tinkering, I came up with a Mod_security2 rule that will check against an RBL:

# Deny clients whose address is listed on the RBL; the chained rule exempts localhost.
SecRule REMOTE_ADDR "@rbl bl.spamcop.net" "chain,deny,log,id:350000,msg:'RBL: bl.spamcop.net',severity:'1'"
    SecRule REMOTE_ADDR "!^127\.0\.0\.1$"

It seems that this rule works pretty well using spamcop.net. You can replace “bl.spamcop.net” (in both the @rbl operator and the msg text) with any RBL you choose; for example, httpbl.abuse.ch also works, but is a bit slower (unless you’re in Switzerland I suppose), and I’ll be testing zen.spamhaus.org tomorrow. You can also use multiple rules/RBLs at the same time, but expect a noticeable decrease in performance if you do.  Also be aware that this rule only works with Mod_security2, not the older (and now obsolete) mod_security 1.9.
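
Each evaluation of @rbl issues a DNS query for the client address, which is where the slowdown with several RBLs comes from. The following is an added example, not the author's rule: it caches the verdict per client IP in ModSecurity's persistent ip collection so the lookup runs once per address per hour. It assumes ModSecurity 2.5 or later (for skipAfter and SecMarker); the rule ids 350001 to 350006, the variable names rbl_listed and rbl_checked, the one-hour expiry and the SecDataDir path are assumptions.

```apache
# Added example (not the author's rule). Ids, variable names, expiry and the
# SecDataDir path are assumptions; adjust them to your installation.
SecDataDir /var/cache/modsecurity

# Open the persistent per-client collection keyed on the source address.
SecAction "id:350001,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Exempt localhost before any DNS query is made.
SecRule REMOTE_ADDR "^127\.0\.0\.1$" "id:350002,phase:1,nolog,pass,skipAfter:END_RBL"

# Address was listed within the last hour: deny without a new lookup.
SecRule IP:RBL_LISTED "@eq 1" "id:350003,phase:1,deny,log,msg:'RBL (cached): bl.spamcop.net',severity:'1'"

# Address was checked and not listed within the last hour: skip the lookup.
SecRule IP:RBL_CHECKED "@eq 1" "id:350004,phase:1,nolog,pass,skipAfter:END_RBL"

# First request from this address in the window: query the RBL once.
# On a match, remember the verdict for an hour and deny.
SecRule REMOTE_ADDR "@rbl bl.spamcop.net" "id:350005,phase:1,deny,log,msg:'RBL: bl.spamcop.net',severity:'1',setvar:ip.rbl_listed=1,expirevar:ip.rbl_listed=3600"

# Not listed: record that the check was done so later requests skip it.
SecAction "id:350006,phase:1,nolog,pass,setvar:ip.rbl_checked=1,expirevar:ip.rbl_checked=3600"

SecMarker END_RBL
```

The trade-off is staleness: an address removed from the RBL stays blocked, and a newly listed one stays allowed, until its cached entry expires.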

I am brand-new to using mod_security so if you have any other tips, advice or wisdom please post them.

2 thoughts on “Stop Spam With Mod_Security And RBL”

  1. I have an easier way to get rid of spam. I never give out my real email address. I use spamex.com to create a different address for each instance I need one. If I get any spam on any one address, I turn it off. All my spam has stopped except for a very rare occasion that I can handle. It is cheap and painless and works.
    It also gives me the ability to change all my addresses at one time if I happen to change email providers. This is worth the price in and of itself.
