Blocking comment spam with mod_security

I’ve mentioned before that I use mod_security to (partially) prevent comment spam on this site. The trouble with spam is that it evolves, so it’s a constant arms race.

I’ve noticed in the last few months that the spam on this site typically has a URL as the comment name. There’s also a URL field in the comment form, with a note on it that you shouldn’t fill it out. Then, in httpd.conf, I have the following.

SecDataDir /tmp
SecTmpDir /tmp
SecRequestBodyAccess On
# Default for every rule below: inspect the request body (phase 2),
# log and deny with a 406, capture the match, and lowercase the value first
SecDefaultAction log,deny,status:406,capture,phase:2,t:lowercase

# Reject comments where the name contains a URL
SecRule ARGS:comment_name "https?://"

# Also, reject comments where the url field contains a URL
SecRule ARGS:comment_url "https?://"

Note that that config is specific to the Habari blogging platform. You’d need to tweak the names of the fields (comment_name and comment_url) for whatever blogging platform you’re using.
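To make the behaviour of those two rules concrete, here is an added example (not code from the article, and not ModSecurity itself) that models how the rules above evaluate a submitted comment: the `t:lowercase` transform from SecDefaultAction runs before the pattern is tested, and a request is refused with 406 as soon as one rule fires. The form field names and sample submissions are assumptions constructed for the example.

```python
import re

# The rule set from the article, expressed as (argument name, pattern).
# SecDefaultAction applies to each rule: phase 2, deny with status 406,
# and t:lowercase transforms the argument value before the match.
RULES = [
    ("comment_name", r"https?://"),  # a URL used as the commenter's name
    ("comment_url", r"https?://"),   # the URL field the form asks you to leave empty
]


def would_deny(args):
    """Return (field, pattern) for the first rule that fires, or None.

    args is a dict of decoded form arguments, i.e. what ARGS would see.
    """
    for field, pattern in RULES:
        value = args.get(field)
        if value is None:
            continue
        # t:lowercase runs before the operator, so the lowercase pattern
        # "https?://" also catches "HTTP://" and "Https://".
        if re.search(pattern, value.lower()):
            return field, pattern
    return None


def status_for(args):
    """HTTP status the server would return: 406 when a rule fires, else 200."""
    return 406 if would_deny(args) else 200


# Constructed sample submissions (not real comments from the site).
LEGIT = {"comment_name": "Alice", "comment_url": "", "comment_text": "Nice post"}
SPAM_NAME = {"comment_name": "HTTP://pills.example", "comment_url": ""}
SPAM_HONEYPOT = {"comment_name": "Bob", "comment_url": "http://pills.example"}
# A bare hostname carries no scheme, so neither rule matches it: this is the
# kind of shift the author means when calling the rules a temporary fix.
MISSED = {"comment_name": "www.pills.example", "comment_url": ""}

if __name__ == "__main__":
    for label, args in [("legit", LEGIT), ("spam name", SPAM_NAME),
                        ("honeypot", SPAM_HONEYPOT), ("missed", MISSED)]:
        print(f"{label}: {status_for(args)} {would_deny(args)}")
```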

I haven’t had any spam since putting this in place, but I’ve had several legitimate comments that, ordinarily, would probably have gotten lost in the noise of moderating hundreds of spam messages.

I don’t believe for a moment that this is a permanent solution, but it at least stems the flood for a moment so I can catch my breath.

I also have a bunch of legacy rules, like:

SecRule ARGS "(zoloft|acyclovir|zithromax)" "msg:'Pharm spam'"

(which, ironically, prevented me publishing this article until I disabled it!) but those require constant maintenance as the spam trends shift from week to week.