FILE: C:\Program Files (x86)\Plesk\ModSecurity\rules\atomic\modsec\30_asl_antispam.conf
--
# Atomicorp (Gotroot.com) ModSecurity rules
# Anti Spam rules
#
# Created by Prometheus Global (http://www.prometheus-group.com)
# Copyright 2005 - 2013 by Prometheus Global, Inc. All rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
# Phase 2 rules
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
#Skip these rules if its not a POST or GET
SecRule REQUEST_METHOD "!(?:GET|POST)" "id:370111,phase:2,t:none,skipAfter:END_SPAM,nolog,pass"
#UA spam
#User-Agent: Opera/9.80 how to treat hemorrhoids (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60
# ?[a-z0-9]{4,32} ?.*< ?/ ?a ?> ?, ?[a-z0-9]{4,32} ?.*, ?< ?a href ?= ?\" ?http://[a-z\.0-9/]+/.*< ?/ ?a ?> ?, ?[a-z0-9]{4,32} ?, < ?a href ?= ?\" ?http://[a-z\.0-9/]+/.*< ?/ ?a ?> ?, [a-z0-9]{4,32} ?," \
#"phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300300,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Link Spam',logdata:'%{TX.0}'"
#Spamming wiki urls
SecRule ARGS|!ARGS:/html/|!ARGS:/css/|!ARGS:email|!ARGS:/ajax/|!ARGS:/template/|!ARGS:/code/|!ARGS:/sql/|!ARGS:/query/ "\[" \
"id:333900,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,pass,nolog,skip:1"
SecAction phase:2,id:333723,t:none,pass,nolog,skipAfter:END_SPAMMY_URLS
#Rule 300079:
SecRule ARGS|!ARGS:item_value|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/url/|!ARGS:homepage|!ARGS:mode|!ARGS:data[About][content]|!ARGS:data[Contact][content]|!ARGS:config|!ARGS:signature|!ARGS:/url/|!ARGS:template|!ARGS:/header/|!ARGS:/footer/ "(?:\[ ?(url|link) ?= ?\"? ?https?://.*\[ ?(url|link) ?= ?\"? ?https?://.*\[ ?(url|link) ?= ?\"? ?https?://.*\[ ?(url|link) ?= ?\"? ?https?:/|(\[ ?(url|link) ?\]https?://.*\[ ?/ ?(url|link) ?\].*){4,})" \
"phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300079,rev:18,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post)',logdata:'%{TX.0}'"
#Multiple URLs in a wiki post
SecRule ARGS|!ARGS:suffix|!ARGS:ban|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/search/|!ARGS:/url/|!ARGS:homepage|!ARGS:mode|!ARGS:config|!ARGS:signature|!ARGS:/url/|!ARGS:/template/|!ARGS:/header/|!ARGS:/footer/ "(\[ ?http://.*){4,}" \
"phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300023,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post)',logdata:'%{TX.0}'"
#
SecRule ARGS "(\[ ?url ?= ?\"? ?https?://.*\[ ?link ?= ?\"? ?https?://.*|\[ ?link ?= ?\"? ?https?://.*\[ ?url ?= ?\"? ?https?://)" \
"phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300182,rev:18,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Mixed URL posting types - possible spam',logdata:'%{TX.0}'"
#[url=http://example.com/foo/bar/+]junk[/url]+&location=USA&occupation=Real&interests=Religion,+spiritual&signature=[url=[url=http://www.example.com+]spam phrase[/url]+]another spam phrase[/url][url=[url=http://www.example.com]more spam phrasesówek[/url]+]spam phrase[/url]
SecRule ARGS "\[ ?url ?= ?\[ ?url ?= ?\"? ?https?://.*url ?\]" \
"phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300282,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Broken URL posting type - possible spam',logdata:'%{TX.0}'"
#>>>+Technical+Jobs+In+Spamland+<<<
SecRule ARGS|!ARGS:/html/|!ARGS:/css/|!ARGS:email|!ARGS:/ajax/|!ARGS:/template/|!ARGS:/code/|!ARGS:/sql/|!ARGS:/query/ "\[ ?http://.*>>> ?[a-z0-9 -_.,\"\'\|]+ ?<<<.*\]" \
"phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,,id:300302,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam Link',logdata:'%{TX.0}'"
#Known wiki spam pattern
#==[http://example.com/stuff'''morestuff''']==
SecRule ARGS|!ARGS:/css/|!ARGS:email|!ARGS:/ajax/|!ARGS:/template/|!ARGS:/code/|!ARGS:/sql/|!ARGS:/query/ "< ?center.*\[ ?http://.*big ?>.*'' ?[a-z0-9 -_.,\"\'\| ].*big.*\]" \
"phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,,id:300313,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam Link',logdata:'%{TX.0}'"
SecMarker END_SPAMMY_URLS
#Spam signups
SecRule REQUEST_URI "/ucp\.php" \
"phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,id:391100,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible spammer signup for forum',chain,logdata:'%{TX.0}'"
SecRule ARGS:occupation "(?:^,,,,,|Здравоохранение|Реклама|пластика)"
############ SPAMMER TRICKS ##############
SecRule ARGS "@pm font height hidden auto width position absolute overflow style display px" \
"id:353901,phase:2,t:none,t:urlDecodeUni,t:replaceComments,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,skip:1"
SecAction phase:2,id:333734,t:none,pass,nolog,skipAfter:END_HIDDEN_TEXT
SecRule ARGS:send_mail "^true$" \
"id:375111,rev:1,phase:2,t:none,t:urlDecodeUni,t:lowercase,skipAfter:END_HIDDEN_TEXT,nolog,pass"
SecRule ARGS:text "^< ?\? ?php" \
"id:375141,rev:1,phase:2,t:none,t:lowercase,t:compressWhiteSpace,skipAfter:END_HIDDEN_TEXT,nolog,pass"
#Rule 300056: Hidden spam links
#examples:
#
#overflow:auto;width:0;height:0
SecRule ARGS|!ARGS:field_id_2|!ARGS:/email/|!ARGS:/milestone/|!ARGS:/^admin/|!ARGS:/^jform/|!ARGS:/^Store_OUI_/|!ARGS:grid_html|!ARGS:/code/|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:/^we_/|!ARGS:tmpl|!ARGS:/^elements/|!ARGS:formData|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/css/|!ARGS:/^widget-text/|!ARGS:/^header/|!ARGS:/^footer/|!ARGS:/^wpTextbox/|!ARGS:product_description|!ARGS:sitead|!ARGS:/template/|!ARGS:entire_file "<.{,200}style ?= ?(position ?\: ?absolute|overflow ?\: ?(?:hidden|auto)).{1,200} (?:height|width) ?(?:=|\:) ?[0-9] ?(px|\;)" \
"phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:300056,rev:7,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Hidden Text Exploit',logdata:'%{TX.0}'"
#Hidden wiki text using a negative pixel size
#example
#{CODE(ishtml="1")}{CODE}
#SecRule ARGS|!ARGS:/field_id_2/|!ARGS:search|!ARGS:/email/|!ARGS:/^admin/|!ARGS:/^jform/|!ARGS:entire_file|!ARGS:pdf|!ARGS:/code/|!ARGS:formData "(?:height|width) ?(?:=|\:) ?(?:\"|\')? ?-[0-9]+ ?(?:\"|\')? ?px ?;" \
SecRule ARGS|!ARGS:/field_id_2/|!ARGS:search|!ARGS:/email/|!ARGS:/^admin/|!ARGS:/^jform/|!ARGS:entire_file|!ARGS:pdf|!ARGS:grid_html|!ARGS:/code/|!ARGS:optional_head|!ARGS:formData|!ARGS:/^we_/|!ARGS:/^elements/ "< ?div.{1,200}style=\-[0-9]+ ?px ?;.{1,200}< ?/ ?div ?>" \
"phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:300058,rev:7,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Hidden Text Using Negative Pixel Size',logdata:'%{TX.0}'"
# Rule 30076
# This matches against height:0-4px (most CSS hidden spam) (regardless of whitespace on either side of the colon)
# This matches against overflow:auto (regardless of whitespace on either side of the colon)
SecRule ARGS|!ARGS:/field_id_2/|!ARGS:/milestone/|!ARGS:/^admin/|!ARGS:/email/|!ARGS:/^jform/|!ARGS:facebookiframe|!ARGS:objectToLike|!ARGS:grid_html|!ARGS:/previewdata/|!ARGS:optional_head|!ARGS:customized|!ARGS:/^grid_html$/!ARGS:/scrollstyle/|!ARGS:statichtml|!ARGS:/^elements/|!ARGS:/^we_/|!ARGS:html|!ARGS:formData|!ARGS:/code/|!ARGS:body_html|!ARGS:/^Store_OUI_/|!ARGS:_message|!ARGS:pdf|!ARGS:/img_style/|!ARGS:field_description|!ARGS:code|!ARGS:emailmessage|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/^emtext/|!ARGS:file_content|!ARGS:/department/|!ARGS:filecontent|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:resumoDetalhe|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/css/|!ARGS:code|!ARGS:/^widget-text/|!ARGS:/^header/|!ARGS:/^footer/|!ARGS:/^wpTextbox/|!ARGS:product_description|!ARGS:sitead|!ARGS:/template/|!ARGS:entire_file "(?: (?:height|width) ?(?:=|\:) ?[0-9] ?px|overflow ?: ?(?:auto|hidden)|style ?= ?\"? ?display ?: ?none ?)" \
"phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:300076,rev:29,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Hidden Text Detected',logdata:'%{TX.0}'"
SecMarker END_HIDDEN_TEXT
#####SKIP ALL SPAM RULES BY KEYWORD#########
#SecRule ARGS "@pmFromFile spam.data" \
# "phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,skip:1"
# SecAction phase:2,pass,nolog,skipAfter:END_SPAM
#skip spam rules for content about spam
SecRule ARGS "@pm spamassassin qmail smapdyke postfix clamav clamd modsecurity mod_security ossec" phase:2,id:333902,t:none,pass,nolog,skipAfter:END_SPAM
############ GAMBLING SPAM ##############
SecRule ARGS "@pm casino poker roulette slot pacific hold texas royal bet" \
"phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,id:333903,nolog,skip:1"
SecAction phase:2,id:333735,t:none,pass,nolog,skipAfter:END_GAMBLING_SPAM
# Rule 300032:
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:server_name|!ARGS:/filename/|!ARGS:/email/ "(?:pacific[ -_.,\"\'\|].{1,100}poker|[ -_.,\"\'\|].{1,100}casino[ -_.,\"\'\|]|slot[ -_.,\"\'\|].{1,100}machines|(?:random|free|internet)+[ -_.,\"\'\|].{1,100}slots|poker|casino[ -_.,\"\'\|](?:games|action)|bet(ting)?[ -_.,\"\'\|](?:at|on)[ -_.,\"\'\|](?:home|horse))" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,chain,id:300032,rev:11,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Gambling or Poker Content (Disable this rule if you wish to allow that content)',logdata:'%{TX.0}'"
SecRule MATCHED_VAR "!(poker flat|casino royale|un casino di)"
#SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:server_name|!ARGS:/filename/|!ARGS:/email/ "!(poker flat|casino royale)"
# Rule 300028:
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:server_name|!ARGS:/filename/|!ARGS:/email/ "(?:texas[ -_.,\"\'\|].{1,100}hold[ -_.,\"\'\|]?em|texas[ -_.,\"\'\|]?hold[ -_.,\"\'\|]?em|casino[ -_.,\"\'\|]?online)" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300028,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Gambling',logdata:'%{TX.0}'"
SecMarker END_GAMBLING_SPAM
############ WEIGHT LOSS SPAM ############
# Rule 300042:
SecRule ARGS "@pm weight loss" \
"id:353904,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,skip:1"
SecAction phase:2,id:333736,t:none,pass,nolog,skipAfter:END_WEIGHTLOSS_SPAM
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:username|!ARGS:server_name|!ARGS:/filename/|!ARGS:/email/ "(?:lose[ -_.,\"\'\|]?weight[ -_.,\"\'\|]?quick|weight[ -_.,\"\'\|]?loss[ -_.,\"\'\|]?pills?|(?:rapid|quick)[ -_.,\"\'\|]?weight[ -_.,\"\'\|]?loss)" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300042,rev:4,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Weight Loss',logdata:'%{TX.0}'"
SecMarker END_WEIGHTLOSS_SPAM
############ GENERIC SPAM ################
SecRule ARGS "@pm bulk sysco jagk knloony cam sysrem lemon exit defunct commie andrew music miccel rooo rowdd colkk fortune magazine finder netfirms rolex z0rder fargo weight virility pills squirrel online lezaquin golden mortgage pill hyphen force fast laser fuel cheap phone hontak lasik huojia jinx telemati diamond horo oa274 star exicornt afmbb. cragrats. brook stars eblija liuhecai szilva96 insurance star exicornt afmbb. cragrats. brook stars eblija liuhecai szilva96 insurance loan follow tprehj license ushummingirds credit divorce forever video ganzaoji geurtstagskarten imwithoy liuhecai pharm myzenegra netftplya netguy degree oyoulders payday sonnerie calculator" \
"phase:2,deny,status:403,t:none,t:urlDecodeUni,pass,id:363905,nolog,skip:1"
SecAction phase:2,id:333737,t:none,pass,nolog,skipAfter:END_GENERIC_SPAM
# Rule 300051:
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "(?:magazine[ -_.,\"\'\|]?(?:finder|netfirms)|rolex[ -_.,\"\'\|]|z0rder|well-fargo|phvonline|weight-watcher|virility[ -_.,\"\'\|]pills|squirrelht|sams-club-online|nexium-online|levaquin-500|golden-coins|gmac-mortgage-corp|enlarge(ment)?pill|crestor[ -_.,\"\'\|]online|3hyphens|forcedvid|fastpayd|spycam|laser[ -_.,\"\'\|]?eye|eye[ -_.,\"\'\|]?laser|fuelcellmarket|fuel-dispenser|fueling-dispenser|cheapest[ -_.,\"\'\|]?i?phone|kontaktlinsen|lasikclinic|huojia|jinxinghj|telemati[ck]sone|a-mortgage|diamondabrasives|-horoskop|oa274|exicornt|afmbb\.|cragrats\.|reuterbrook|lazy-stars|szilva96|(?:mortgage|home loan) calculator|fast loan)" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300051,rev:8,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: General',logdata:'%{TX.0}'"
# Rule 300009:
#SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "(?:cash[ -_.,\"\'\|]?advance|pay[ -_.,\"\'\|]?day[ -_.,\"\'\|]?loan|(?:i|la)-sonneries?[ -_.,\"\'\|]*\.[a-z]{2,})" \
# "phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300009,rev:3,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Possible Loan Spam',logdata:'%{TX.0}'"
SecMarker END_GENERIC_SPAM
############ MALE ENHANCEMENT ##############
SecRule ARGS "@pm penis male enlarg enhanc natural surgery pill traction pump diet member rod cock dick shaft bigger larger increase" \
"id:333906,phase:2,t:none,t:urlDecodeUni,pass,nolog,skip:1"
SecAction phase:2,id:333738,t:none,pass,nolog,skipAfter:END_MALEENHANCE_SPAM
# Rule 300056:
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:(?:male|penis)[ -_.,\"\'\|]?(?:en(?:larg|hanc)|natural|pill|surgery|traction|pump)|(?:diet|penis|male)[ -_.,\"\'\|]?(?:pills|en(?:larg|hanc))|(?:en(larg|hanc)).{0,10}(?:male|penis)|pills? x [0-9]+ ?mg|enlarge[ -_.,\"\'\|]?yourself[ -_.,\"\'\|]?now|advanced[ -_.,\"\'\|]?gain[ -_.,\"\'\|]?pro|(?:bigger|larger|increase[ -_.,\"\'\|]?your)[ -_.,\"\'\|]?(?:member|rod|shaft|cock|dick|penis)\b[ -_.,\"\'\|])" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300010,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Male Enhancement Spam',logdata:'%{TX.0}'"
SecMarker END_MALEENHANCE_SPAM
############ PHARMACY SPAM ################
SecRule ARGS|!ARGS:/medical/|!ARGS:/drug/ "@pm adipex allegra ambien amitriptyline bontril buy canadian carisoprodol celexa cheap cialis didrex diet diethylpropion hormone discount drug steroid effexor ephedra ephedrine ewilla extra fioricet flonase free gluclosamine glucosamine hgh hydrocodone ionamin levitra lexapro lipitor lisinopril lostr lsotr medic meridia mexic neurontin nexium nullnix online order ortho oxycodone paxil penicillin pharm phendimetrazine phentermine pheromone pill pimrim plavix plongs ponagansetpost prednisone prescript prevacid price propecia protonix provigil prozac pseudovent ragazze ritalin seroquel silagra startseek store strattera suboxone synthroid tadalafil tenuate topamax toprol tramadol trazodone tricyclen ultracet ultram valium valtex valtrex abilify premarin viagra impotence lithobid keflex terbinafine lamisil gleevec aztrin azithromycin desyrel oleptro beneficat desirel molipaxin thombran trazorel trialodine trittico mesyrel trazodone lamictal purim salbutamol flovent flonase phentrimine aciphex cimetidine ranitidine omeprazole pantoprazole zantac prilosec citalopram lorazepam vicodin vigrx vig-rx vioxx voltaren vytorin wellbutrin xanax xenical zithromax zocor zoloft zyban zyprexa zyrtec doxycycline alli supplements methylphenidate prescription augmentin amoxil outlet" \
"id:333907,rev:2,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,skip:1"
SecAction phase:2,id:333739,t:none,pass,nolog,skipAfter:END_PHARM_SPAM
# Rule 300040:
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/email/!ARGS:Mensaje|!ARGS:/product/|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/medical/|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/medication/|!ARGS:/ajax/ "(?:(?:nullnix|plongs|pimrim|ewilla|startseek|ponagansetpost|prozac|zoloft|xanax|valium|hydrocodone|vicodin|paxil!l|vioxx|celexa|valtrex|zyrtec| hgh |!(t)ambien |carisoprodol|flonase|allegra|didrex|bontril|nexium)+[ -_.,\"\'\|].{1,100} -_.,\"\'\|](?:l(?:so|os)tr)|ragazze-? ?|(?:prices|pills|buy|diet.{1,100}medic(?:ine|ation|al)|drug).{1,10}pharma|[ -_.,\"\'\|]meridia[ -_.,\"\'\|]|(?:wellbutrin|tenuate|tramadol|pheromones|phendimetrazine|ionamin|ultram |ortho.?tricyclen)+[ -_.,\"\'\|])\.[a-z]{2,}" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300040,rev:10,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Pharmacy',logdata:'%{TX.0}'"
# Rule 300057:
# stacked spam rule - levitra-levitra-levitra or leviTrA retila_prosac etc.
SecRule ARGS|!ARGS:/page_content/|!ARGS:Mensaje|!ARGS:/product/|!ARGS:/medical/|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/medication/|!ARGS:/ajax/|!ARGS:/email/ "[-_ ]?\b(?:adipex|suboxone|pseudovent|topamax|trazodone|prevacid|zyrtec|xenical|toprol|zoloft|synthroid|valtrex|wellbutrin|valium|protonix|vytorin|ritalin|zocor|seroquel|ultracet|plavix|voltaren|zyprexa|xanax|vicodin|penicillin|tramadol|provigil|prednisone|vioxx|zithromax|strattera|ultram!(a)|prozac|abilify|terbinafine|premarin|viagra|male impotence|lithobid\b|keflex\b|amoxil\b|augmentin\b|lamisil|gleevec|aztrin|azithromycin|desyrel|oleptro|beneficat|desirel|molipaxin|thombran|trazorel|trialodine|trittico|mesyrel|trazodone|methylphenidate|sertraline|lamictal|purim|salbutamol|flovent|flonase|phentrimine|aciphex|cimetidine|pantoprazole|omeprazole|ranitidine|zantac|prilosec|citalopram|lorazepam|doxycycline|propecia|natural[-_ ]?hormone[-_ ]?replacement|levitra|phentermine|cialis\b |fioricet|ephedra|ambien\b|carisoprodol)[-_ ]?" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300061,rev:25,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam or Restricted content: Pharmacy and/or Drug content detected',logdata:'%{TX.0}'"
# Rule 300011:
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/medical/|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "(?:(?:online|canadian|mexic(?:an|o))[ -_.,\"\'\|]?(?:pharmacy|drug[ -_.,\"\'\|]?store|medication)|(?:cheap(?:est)?|free)[ -_.,\"\'\|]?(?:pill|drug|steroid)s|order(?:ing)?[ -_.,\"\'\|]?(?:drug|pill|steroid)s[ -_.,\"\'\|]?online|extra [0-9][0-9]\% (?:pill|drug|steroid)|[ -_.,\"\'\|]?discounted[ -_.,\"\'\|]?(?:prescriptions?|drug|steroid)|no[ -_.,\"\'\|]?(?:prior)?[ -_.,\"\'\|]?prescription[ -_.,\"\'\|]?needed|online[ -_.,\"\'\|]?phentermine|phentermine[ -_.,\"\'\|].{1,100}online|online[ -_.,\"\'\|](?:prescription|pharmacy|drug[ -_.,\"\'\|]?store)[ -_.,\"\'\|]|muscle supplements and free stuff|free supplements|purchase[ -_.,\"\'\|]?[a-z]+[ -_.,\"\'\|]?prescription[ -_.,\"\'\|]?on[ -_.,\"\'\|]?line|buy[ -_.,\"\'\|]?generic[ -_.,\"\'\|]?[a-z0-9]+[ -_.,\"\'\|]?online)" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300011,rev:12,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Pharmacy',logdata:'%{TX.0}'"
# Rule 300038:
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/!ARGS:/page_content/|!ARGS:/medical/ "\b(?:silagra|ritalin|levitra|carisoprodol|oxycodone|phentermine|amitriptyline|diethylpropion|abilify|terbinafine|premarin|viagra|male impotence|lithobid\b|keflex\b|lamisil|desyrel|oleptro|beneficat|desirel|molipaxin|thombran|trazorel|trialodine|trittico|mesyrel|trazodone|aztrin|azithromycin|lamictal|purim|salbutamol|flovent|flonase|phentrimine|aciphex|cimetidine|pantoprazole|cimetidine|protonix|ranitidine|zantac|prilosec|citalopram|omeprazole|lorazepam|doxycycline|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|tadalafil|ephedrine|neurontin|glucosamine|cialis\b |lipitor|effexor|propecia|celebrex|gluclosamine|lexapro|ephedra|levitra| alli weight)[ \-_.,<>\|\"\']" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300038,rev:12,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Pharmacy',logdata:'%{TX.0}'"
SecMarker END_PHARM_SPAM
########## ADULT SPAM#################
SecRule ARGS "@pm 9sekund abuse adult alicia amateur anal animal anime apparatus asia ass assauly audition bang barn bdsm beast bestial big blow bondage boob boy brother bukakke bung butt buy bynes c0ck cam camel celeb chat cheat cheer child club cock comic costume counch cuck cuff cum cunt d1ck dad dailyorbit daughter dick dildo dirty dog doll door dress ebony exotic face femdom femsub fetish filth fist fresh fuck furniture gang gay giant girl golden grann hairy hand hannigan hardcore homo horny horse hot hub hudgens hunter huojia husband hyke incent incest japanese jinxinghj kink l1ck large latex lesbian lick leashed little live lolita love maledom malesub man manga mature member men milf mom mouth movie naked natural niece nude nudity nurse pair paris penis photo pic pig plug pony petgirl porn pussies pussy queen rod russian scat scene schoolgirl schoolboy seduce sex s-e-x shabby shaft shag shaved shemale shower silver sister slave sleep slut small son spank spy still story strapon strip submissive suck sultry swap swinger talk tape tease teen tied top torture tounge toy trailer tran tube twink uncle under vagina vibrat vid virgin voyeur whip wife wive woman women xxx young zone zoo orgasm rape illegal date ptch model pantyhose pantyhouse hentai cuckold" \
"id:353908,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,skip:1"
SecAction phase:2,id:333740,t:none,pass,nolog,skipAfter:END_ADULT_SPAM
# Rule 300065:
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:[ -_.,\"\'\|]+brutal[ -_.,\"\'\|]+dild(?:oes|o|os)[ -_.,\"\'\|]|[ -_.,\"\'\|]cum[ -_.,\"\'\|]shots?[ -_.,\"\'\|]|(?:hairy|shaved|leashed|under[ -_.,\"\'\|]?age|lolitas?|teens?) (?:[a-z]+ puss(?:y|ies)|puss(?:y|ies))|[ -_.,\"\'\|]+(?:naked|porn|adult|school(?:girl|boy)|(?:gay|anal) sex)[ -_.,\"\'\|]+movies?[ -_.,\"\'\|]|[ -_.,\"\'\|](?:hudgens|free)[ -_.,\"\'\|]+naked[ -_.,\"\'\|]|9sekund|find-it-buy-it|bukakke|(?:incest|amat(?:eur|ure)|horny|bondage|bestiall?ity|slave|submissive|femdom|maledom|femsub|malesub|gay|lesbian|bi(?:-| )?sexual|lolitas?|shemales?|(?:g|t)rann(?:ys?|ies)|swingers?|milfs?|(?:hot|slut)[ -_.,\"\'\|]?wi(?:v|f)es?|under[ -_.,\"\'\|]?age|sex[ -_.,\"\'\|]?doll|fisting|child|lolitas?|preteens?)[ -_.,\"\'\|]?\b(?:boys|sex|porn|video|mpe?g|avi|wmv|fuck|shag|xxx)\b|teen[ -_.,\"\'\|]?(?:lesbian|gay|girls?|boys?)[ -_.,\"\'\|]?orgasm|porno?[ -_.,\"\'\|]?(?:film|video)|video porno|girls[ -_.,\"\'\|]?in[ -_.,\"\'\|]?pantyhou?se|school(?:boy|girl)[ -_.,\"\'\|]cumshot|sexx?y teen model|teen model sexx?y)" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300065,rev:10,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Adult Content Detected',logdata:'%{TX.0}'"
# Rule 300068:
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:silver[ -_.,\"\'\|]foxes|sex[ -_.,\"\'\|]?toys?[ -_.,\"\'\|]?(?:for[ -_.,\"\'\|]?sale|online|store)|free[ -_.,\"\'\|]?adult|sex-position|fake[ -_.,\"\'\|]?vagina|lovehoney ?sex|adult[ -_.,\"\'\|]?(?:shop|store)|anal[ -_.,\"\'\|]?(?:sex)?[ -_.,\"\'\|]?toy|dildos|strapon|butt[ -_.,\"\'\|]?plug|vibrators|official[ -_.,\"\'\|]?pornstar|[ -_.,\"\'\|]inch(?:es)? .{0,10}(?:cock|dick)\b|(?:bdsm|bondage)[ -_.,\"\'\|]?apparatus|(?:sex|fuck|shag|bondage|bdsm)[ -_.,\"\'\|]?(?:furniture|couch)|[ -_.,\"\'\|](?:suck|l[i1]ck).{1,30}(?:c[o0]ck|d[i1]ck|pussy)[ -_.,\"\'\|]|sultryserver|cock[ -_.,\"\'\|]?ring !(nano )|group[ -_.,\"\'\|]?sex|(?:nude|naked|xxx)[ -_.,\"\'\|]?(?:celebs|cheerleaders|girls|boys|teens|nymph)|(?:illegal|rape|fetish|latex|slave|bdsm|leashed|bondage|bestiall?ita?y|farm)[ -_.,\"\'\|]?(?:porn|xxx)|(?:pony|pet)[ -_.,\"\'\|]?(?:girl|boy)|date[ -_.,\"\'\|]?rape[ -_.,\"\'\|]?drug[ -_.,\"\'\|]?video)" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300068,rev:9,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Adult Content Detected',logdata:'%{TX.0}'"
# Rule 300057: Comment Spam
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:(?:back[ -_.,\"\'\|]?seat[ -_.,\"\'\|]?bangers?|gang[ -_.,\"\'\|]?bang(?:ed|ing)?)[ -_.,\"\'\|]|(?:fuck|shag)[ -_.,\"\'\|]?giant[ -_.,\"\'\|]?cock\b|(?:mouth|face)[ -_.,\"\'\|]?(?:fuck|shag)|(?:huge|massive|monster)[ -_.,\"\'\|]?(?:cock|dick|strapon)\b[ -_.,\"\'\|]?(?:small|tiny|little)[ -_.,\"\'\|]?(?:wom(?:a|e)n|girl|boy|twink)|girls[ -_.,\"\'\|]?next[ -_.,\"\'\|]?door[ -_.,\"\'\|]?on[ -_.,\"\'\|]?e|(?:top|biggest|hottest|sexiest|teen)[ -_.,\"\'\|]?porn[ -_.,\"\'\|]?stars|(?:hannigan|nymphets?|bynes|alicia[ -_.,\"\'\|]silverstone)[ -_.,\"\'\|]?(?:nude|nudi(?:es|ty)|american[ -_.,\"\'\|]pie)[ -_.,\"\'\|]|(?:blow[ -_.,\"\'\|]?(?:jobs?)[ -_.,\"\'\|]|jennas[ -_.,\"\'\|]?myspace | i kissed a girl|(?:mature|teen|au ?pair)[ -_.,\"\'\|]?(?:sex|porn|xxx|club)[ -_.,\"\'\|]?(?:sex|club|porn|xxx)))" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300057,rev:8,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Adult',logdata:'%{TX.0}'"
# Rule 300003: Comment Spam
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:(?:g(?:a|u)y|homosexual|bi-?sex(?:ual)?|shemales?|lolitas?|manga|virgins?|teens?|porno?)[ -_.,\"\'\|](?:beastiality|bestiallity|sex[ -_.,\"\'\|]scenes?|video|slut|trailer|(?:boy|girl)[ -_.,\"\'\|](?:pic|video)s?|(?:fuck|shag)ing)|(?:naked|vivid|xxx)[ -_.,\"\'\|](?:boys|girls|child[ -_.,\"\'\|]sex)|anime[ -_.,\"\'\|]boobs?|shabby[ -_.,\"\'\|]virgins?|(?:cunt|pussy|vagina|cock|trann?(?:y|ie)s?|shemales?)[ -_.,\"\'\|]?abuse|cock[ -_.,\"\'\|]?(?:and)?[ -_.,\"\'\|]?ball[ -_.,\"\'\|]?torture|sleep[ -_.,\"\'\|]?assault|my[ -_.,\"\'\|]?gay[ -_.,\"\'\|]?(?:tale|story|porn)|camel[ -_.,\"\'\|]?toe[ -_.,\"\'\|]?auditions?|teen[ -_.,\"\'\|]?anal[ -_.,\"\'\|]?queen|[ -_.,\"\'\|]ebony[ -_.,\"\'\|]porn)[ -_.,\"\'\|]" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300003,rev:12,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Adult Video',logdata:'%{TX.0}'"
# Rule 300004: Comment Spam
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:(?:beastilality|bestiallity)[ -_.,\"\'\|]?stor(?:y|ies)|bounce[ -_.,\"\'\|]?your[ -_.,\"\'\|]?boob|\bshow[ -_.,\"\'\|]?your[ -_.,\"\'\|]?(?:pussy|cunt|cock)\b|dailyorbit|i-horny|filthserver|milf[ -_.,\"\'\|].{1,100}(?:hunter|cruiser|mom)|(?:fuck|shag|anal)(ing)? lessons?|mikes?[ -_.,\"\'\|]apartment|sexy[ -_.,\"\'\|](?:moms|lingerie|teens?)|(?:horse|animal|dog|farm)[ -_.,\"\'\|].{1,100}\b(?:porn|cocks?|dicks?|sex|penis|blowjob)\b[ -_.,\"\'\|]?|free[ -_.,\"\'\|]?(?:sex|beastiality|bestiallity|extreme|(gay|(?:bi|tran)sex(ual)?)? ?porn|xxx|adult|bondage|bdsm|femdom|sex|femsub|maledom|malesub|fuck|shag)[ -_.,\"\'\|]|(?:sex|beastiality|bestiallity|porn(o|s)?|xxx|adult|bondage|bdsm|femdom|femsub|maledom|malesub|fuck|shag)[ -_.,\"\'\|]?free|camfun24|(?:fresh|dirty)[ -_.,\"\'\|]?(?:girls|comics|boys|teens)|dirty[ -_.,\"\'\|]sex[ -_.,\"\'\|]comic|top model links|teenmodel club)" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300004,rev:7,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Adult',logdata:'%{TX.0}'"
# Rule 30074
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail|!ARGS:/ajax/ "(?:s-e-x|zoo(?:ph|f)ilia|giant cock\b|porn(?:hub|tube)|sexyongpin|(?:wi(?:f|v)es?|slaves?|strippers?|whores?|prostitutes?|under[ -_.,\"\'\|]?age|teeners?|lolitas?|animal|dog|couples?|bisexuals?|bicurious|anal|ass|fisting|rimming|pussy[ -_.,\"\'\|]?(?:(?:li|fu)cking|sex)|barnyard|lesbians?|dykes?|horses?|zoo|nurses?|cheerleaders?|costume|dressup|topless|exotic[ -_.,\"\'\|]?dancer)[ -_.,\"\'\|]?(?:sex|porn|video|xxx)|sex-with|(?:cam|chat|online)sex|live[ -_.,\"\'\|](?:sex|nude|girl)|sexchat|(?:adult|free)[ -_.,\"\'\|]?porn|adult[ -_.,\"\'\|]?video|adultweb|hardcore(?:sex|porn)|(?:teen|lolitas?|xxx|core)porn|cam(?:girl|live|lolita)|(:?animal|cam|chat|dog|hardcore|live|online|voyeur)sex|(?:paris[ -_.,\"\'\|]?hilton|kardashian)[ -_.,\"\'\|]?sex[ -_.,\"\'\|]?tape|huojia|jinxinghj|sex[ -_.,\"\'\|]?(?:plugin|zone)|boy-and-girl-kiss|naughty[ -_.,\"\'\|]?high[ -_.,\"\'\|]?school|(?:horny|sexy|under[ -_.,\"\'\|]?age|amateur)[ -_.,\"\'\|]?(?:teen|porn|xxx|l(?:esbian|olita|ingerie)|bisexual|shemale)|adult[ -_.,\"\'\|]?buy[ -_.,\"\'\|]?sex|sex[ -_.,\"\'\|]?toy[ -_.,\"\'\|]?store|adult[ -_.,\"\'\|]?shopping|(?:under[ -_.,\"\'\|]?age|asian|lesbian|incest|girls?|lolitas?|shemale|(?:g|t)rann(?:y|ie))[ -_.,\"\'\|]?(?:sex|porn)|!(be)slut|sex[ -_.,\"\'\|]?(?:cam|chat|plugin|zone)|adult(?:chat|live|porn|web|friend|xxx)|porn(?:all|m|sex|zone|web|link)|(?:mail[ -_.,\"\'\|]?order|russian)[ -_.,\"\'\|]?bride|dominatrix|maledom|femdom|femsub|malesub|cuckold|(?:ass|butt)[ -_.,\"\'\|]?(?:fuck|shag)|scatology|girl[ -_.,\"\'\|]?girl|foot[ -_.,\"\'\|]?fetish|golden[ -_.,\"\'\|]?shower|submissive[ -_.,\"\'\|]?(?:male|female|husband|wife|girl|boy|dyke|lesbian|twink)|lolita (?:(?:erotica|beauty|model|young|lolita) (?:pic|nude|blue)|underage)|(?:ukraine|russian?|underaged?|asian?|great|little|forbidden|lesbian|teens?|preteens?) lolita|(?:pedo|underage|babies|content) pthc|pthc (?:megaupload|bbs|kasumi)|aqua teen porn|(?:preteen(age)?|underage|lolita) mod(?:el|le))" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300074,rev:22,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Adult',logdata:'%{TX.0}'"
# Rule 300078:
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/refer/|!ARGS:/url/ "[ -_.,\"\'\|](?:sister cartoons|couples? (?:seduce|fuck|bang|shag) (?:teen|young|girl|boy|little)|(?:sister|milf|gay|lesbian|lolitas?|under[ -_.,\"\'\|]?age|teen(?:er)?s?|hardcore|porn)s? (?:sex|fuck|shag)|cumming[ -_.,\"\'\|]?on[ -_.,\"\'\|]?(each[ -_.,\"\'\|]?other|(?:her|his)[ -_.,\"\'\|]?face)|(?:cheating|slut|swapp?(?:ing)?)[ -_.,\"\'\|]?wi(?:v|f)e|free[ -_.,\"\'\|]?movies?[ -_.,\"\'\|]?of|sexy[ -_.,\"\'\|]?strip[ -_.,\"\'\|]?tease|(porno?|sex|gay|lesbian|under[ -_.,\"\'\|]?age|lolita)[ -_.,\"\'\|]?(?:movie|video|picture|still|photo)s?|hardcore[ -_.,\"\'\|]?(?:porn|xxx|movies|teen|lolita)|hentai|(great|fuck|shag)[ -_.,\"\'\|]?penis(?:es)?|(?:real|cute|atk|extreme|ugly|crazy|free|local)[ -_.,\"\'\|]?hairy[ -_.,\"\'\|]?girls?|(?:little|young|underage)[ -_.,\"\'\|]?(?:girl|boy)s?[ -_.,\"\'\|]?(?:naked|sex|fuck|shag|xxx|porn)|large[ -_.,\"\'\|]?natural[ -_.,\"\'\|]?(?:tit|boob)(?:ie)?s?|naked[ -_.,\"\'\|]?(?:boys|girls)[ -_.,\"\'\|]?young|hentai[ -_.,\"\'\|]|(?:big[ -_.,\"\'\|]?tits?|\bporn\b|anal|cuckold|school(?:girl|boy))[ -_.,\"\'\|]?gall?er(?:y|ies))" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300078,rev:6,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Adult',logdata:'%{TX.0}'"
SecMarker END_ADULT_SPAM
############ COMMERCIAL SPAM #############
SecRule ARGS "@pm free survey cheap discount sale ipod iphone dumps cvv nkoia phone music mp3 player plasma flat screen xbox play payment station ps3 ps2 superfood fuel vaction time share named number increase guarantee advice rollx rollex diet pill vacation percent off buy rumer online leads google ranking limited itune zune wii ipad brass cable broad cigarette phone gifts spells office purchase graduation money shop hand shoulder gucci vuitton oakley" \
"id:333909,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,skip:1"
SecAction phase:2,t:none,id:333741,pass,nolog,skipAfter:END_COMMERCIAL_SPAM
#SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:description|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:brass(?:fast|-parts-india|-nuts-screws-fasteners|-inserts|-fittings-india|-fastener-india|-copper-castings|-components-india|turnedcomponents|terminalconnectors|-screws-bolts-nuts|precisionparts|partsindia|nuts-brassbolts|neutrallinks|-inserts-fasteners-india|insertsbrassnutsbrassbolts|buildinghardware|cableglands|electrical|electricalaccessories|electricalcomponents|fastenersindia|-fasteners|-fasteners-india|fittingcomponents)|cable(glandsworldwide|-glands-asia|glands-india)|serve(?:beer|blog|counterstrike|ftp|game|halflife|mp3|pics|quake)|broad(?:-band-phone|band-phone-future\.blogspot|band-phone-info|bandphoneservices)|\.cable(?:accs|glandsindia)|\.conex(?:india|metals|techno)|diamond-(rings-india|ring-diamond-rings|pendants-india|earrings-india|jewellery-india|ring-rings\.tripod)|electrical(?:-brass-components|brass\.f2s))\.com" \
# "t:none,t:lowercase,t:compressWhitespace,id:300067,rev:13,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Commercial spammer URL',logdata:'%{TX.0}'"
# Rule 300069:
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "\b(?:free|cheap|discount|shop|for[ -_.,\"\'\|]?sale)\b[ -_.,\"\'\|](?:crocs|nokia|north ?face|canada ?goose|cell[ -_.,\"\'\|]?i?phone|(?:mp3|music|ip(?:od|hone)[ -_.,\"\'\|]?player)|ip(?:od|hone)|plasma|flat[ -_.,\"\'\|]?screen|\bxbox\b|play[ -_.,\"\'\|]?station|ps(?:4|3|2)|game[ -_.,\"\'\|]?boy|\bpsp\b|louis[ -_.,\"\'\|]?vuitton|(?:hand|shoulder)[ -_.,\"\'\|]?bag|roll?ex|diet[ -_.,\"\'\|]?pill|vacation|time[ -_.,\"\'\|]?share)" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300069,rev:25,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Commercial',logdata:'%{TX.0}'"
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:named[ -_.,\"\'\|]?(?:\#1|number[ -_.,\"\'\|]?(?:1|one))[ -_.,\"\'\|]?superfood|fuel[ -_.,\"\'\|]?increase[ -_.,\"\'\|]?guarante|advice[ -_.,\"\'\|]?and[ -_.,\"\'\|]?payment[ -_.,\"\'\|]?notification|(?:louis[ -_.,\"\'\|]?vuitton|factory|north ?face|canada ?goose)[ -_.,\"\'\|]?\b(?:outlet|online|stores?)\b|(?:vacation|time[ -_.,\"\'\|]?share)[ -_.,\"\'\|]?(?:discount|for[ -_.,\"\'\|]?sale|free|[0-9][0-9](?:\%|percent)[ -_.,\"\'\|]?off|cheap)|aggressive[ -_.,\"\'\|]?buying[ -_.,\"\'\|]?equipment|get a discount of up to 50% for|x-?rumer |increase your online leads|1st page google ranking|attract free shipment|yiacoumis z limited|for[ -_.,\"\'\|]?s(?:a|e)ll[ -_.,\"\'\|]?i?(?:phone|tune|pod|xbox|wii|ipad|zune)|cheap[ -_.,\"\'\|]?(?:abercrombie|\buggs?\b)|i sell dumps|interactive survey panel|surveys?[ -_.,\"\'\|]?(?:for|4)[ -_.,\"\'\|]?(?:money|cash)|electronic cigarette|reverse[ -_.,\"\'\|]c?e?l?l? ?[ -_.,\"\'\|]phone[ -_.,\"\'\|]lookup|(?:(?:basket|foot)ball|soccer)[ -_.,\"\'\|]coach[ -_.,\"\'\|]gifts|love spells.{1,100}financial help|microsoft office term 20[0-1][0-9]|can purchase a spinner bicycle|picking a good graduation gifts|quickly earn money|make money fast|(?:uggs?|coach|vitton|factory|michael kors|gucci|oakley|handbags?) outlet|oakley x squared )" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300066,rev:26,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Commercial',logdata:'%{TX.0}'"
SecMarker END_COMMERCIAL_SPAM
############# SEO SPAM #################
SecRule ARGS "@pm traffic mass rankings post thread forum blog guest seo google bing captcha register break web site cool helpful understand nice good rock design search engine optim first rank xrunner xroomer xrumer xruumer xrummer portal website board paralleled matchless otimiza link" \
"id:333910,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,skip:1"
SecAction phase:2,id:333743,t:none,pass,nolog,skipAfter:END_SEO_SPAM
# Rule 300071:
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "(?:xr(?:unn|oom|uu?m)er |mass post threads and messages on forums, blogs, guestbooks,|this forum has captcha on registering, but it's was breaked|break (?:captchas?|anti-?bot (?:protections?)?) automa(?:t|g)icall?y |did you hear about best software for promo and seo|search[ -_.,\"\'\|]engine[ -_.,\"\'\|]optimiz|hello[ -_.,\"\'\|]?cool[ -_.,\"\'\|]?site|xciting[ -_.,\"\'\|]?website|cool[ -_.,\"\'\|]?guest[ -_.,\"\'\|]?book|really[ -_.,\"\'\|]?helpful[ -_.,\"\'\|]?for[ -_.,\"\'\|]?understand|!(very)[ -_.,\"\'\|]?(?:nice|good)[ -_.,\"\'\|]?(?:(?:web)?site|design)|this[ -_.,\"\'\|]?site[ -_.,\"\'\|]?rocks|wonderful(?: that site wonderful|(?:wonderful this|your) portal (?:incomparable|nice))|super your site nice |(?:otimização|otimização) de sites|(?:seo|search engine optimization) services?:? get free evaluation of your (?:(web)?site|blog|forum)|we (?:are interested to|can) increase (?:traffic|rankings?) (?:to|of) your website|free website analysis and ranking report for|p to ten times your targeted traffic|(?:seo|search engine optimization|link[ -_.,\"\'\|]?building) service|drive mass traffic to your site|top of the search engine)" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300071,rev:12,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible SEO or spamware content',logdata:'%{TX.0}'"
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "(?:w(?:o(?:nderful (?:your(?:'s (?:portal (?:incomparable|unparalleled)|board unparalleled|site incomparable)| (?:portal incomparable|board unparalleled))|th(?:at (?:board (?:matchless|unmatched)|site wonderful)|is portal (?:peerless|nice))|it's portal unequalled)|w (?:th(?:is (?:b(?:oard wonderful|log peerless)|portal nonpareil)|at (?:site (?:matchless|wonderful)|board unmatched))|your(?: portal unparalleled|'s portal nice)|it's (?:portal|blog) class))|hant to say (?:your(?: b(?:oard (?:un(?:parallel|match)ed|wonderful)|log unparalleled)|'s board (?:incomparable|cool))|th(?:is (?:b(?:oard unparalle|log unequal)led|portal matchless|site cool)|at site (?:unmatched|class))|it's (?:portal matchle|site cla)ss)|a(?:nna say (?:your(?: (?:(?:blog unparallel|portal unmatch)ed|site nonpareil)|'s site cool)|th(?:is (?:board unapproachable|portal nonpareil)|at site unparalleled)|it's b(?:oard unapproach|log incompar)able)|r doesn't make boys men)|e all agree that your theory is crazy)|i (?:say (?:your(?:'s (?:site (?:unapproachable|peerless)|portal wonderful|blog unmatched)| (?:portal (?:incomparable|wonderful)|(?:board matchle|site cla)ss))|th(?:at (?:blog (?:unmatched|wonderful)|site unapproachable)|is board (?:unparalleled|nonpareil|peerless))|it's (?:site matchless|portal nice))|think (?:your(?:'s (?:portal (?:(?:matchle|cla)s|have 5 star)s|site (?:unparalleled|class))| (?:site have 5 star|blog clas)s)|this site peerless)|know (?:your(?:'s (?:portal (?:wonderful|nice)|site incomparable)| portal (?:unparalleled|wonderful))|this (?:site have 5 star|board peerles)s))|yes (?:th(?:is (?:blog (?:un(?:approachable|equalled)|matchless)|site unparalleled|portal nonpareil)|at (?:board nonpareil|site nice))|it's (?:b(?:oard (?:unapproachable|class)|log incomparable)|site incomparable|portal matchless)|your(?: (?:b(?:log wonderful|oard nice)|portal matchless|site nice)|'s portal have 5 stars))|amazing (?:your(?:'s (?:blog (?:unapproachable|nonpareil|class)|site incomparable)| b(?:oard|log) nonpareil)|th(?:is portal unapproachable|at portal unequalled)|it's (?:board unapproachable|portal peerless))|gorgeous (?:th(?:at (?:b(?:log (?:unequalled|cool)|oard incomparable)|site unequalled)|is board peerless)|your(?:'s b(?:oard nonpareil|log unmatched)| portal matchless)|it's site (?:have 5 stars|unmatched))|super (?:th(?:at (?:board incomparable|portal matchless)|is board matchless)|it's (?:blog (?:incomparable|unequalled)|portal peerless)|your (?:(?:portal|site) nice|board cool)))" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300049,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible SEO or spamware content',logdata:'%{TX.0}'"
SecMarker END_SEO_SPAM
############# SEO SPAM #################
SecRule ARGS "@pm hello dear membery forum secretsline everyone name devils shows traffic princess wonderful brilliant knowing" \
"id:353911,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,skip:1"
SecAction phase:2,id:333744,t:none,pass,nolog,skipAfter:END_FORUM_SPAM
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "(?:hello dear membery? forum|anonymous downloading movies, music and surfing on the internet|secretsline|devils icebox|high quality wire shows|methods for generating youtube traffic)" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300035,rev:3,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible spam content',logdata:'%{TX.0}'"
SecRule ARGS "(?:what is up everyone\? my name is .{1,50}am new to the forum and just wanted to say hi|friend.s princess|wonderful beat \!|broadcast provided brilliant clear idea|my knowing has)" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300186,rev:3,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Generic Forum Spam',logdata:'%{TX.0}'"
SecMarker END_FORUM_SPAM
############# TRAVEL SPAM #################
SecRule ARGS "@pm visit saopaulo paris bahamas island eleuthera" \
"id:333912,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,skip:1"
SecAction phase:2,id:333745,t:none,pass,nolog,skipAfter:END_TRAVEL_SPAM
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "visit(?:(?:afghanistan|armenia|azerbaijan|bahrain|bangladesh|bhutan|bosnia|brunei|cambodia|china|christmasisland|centralasia|cocosislands|croatia|cyprus|egypt|india|indonesia|iran|israel|jordan|kiev|korea|kosovo|kuwait|kyrgyzstan|laos|latvia|macedonia|malaysia|maldives|mongolia|nepal|northkorea|oman|pakistan|philippines|russia|saudiarabia|southkorea|switzerland|tajikistan|turkmenistan|uae|uzbekistan)|(?:chn|capena|car|esp|solomonislands)\.com|(?:bombay|world)\.info|visit-london\.eu)" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300030,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Travel spam content',logdata:'%{TX.0}'"
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "(?:saopaulo(?:aero|artes|autos|bares|bus|channel|cidades|cinemas|estradas|eventos|gallery|gallery|gaytravel|invest|links|mall|mapas|market|metro|moda|museus|night|noticias|parques|photo|praias|relax|restaurantes|ruas|shuttle|sites|suites|teatros|town|work)|bahamas(-beach-rental|-bookstore|-diving|-honeymoon|-rental|-store|-travel|-villa-rental|homesite)|cat-island(?:-rental\.com|\.net)|eleuthera-(?:bahamas|bahamas-rental|rental))\.com" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300031,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Travel spam content',logdata:'%{TX.0}'"
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "paris(?:officedetourisme|tennessenews|roller|texasnewspaper)\.info" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300033,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Travel spam content',logdata:'%{TX.0}'"
SecMarker END_TRAVEL_SPAM
###########DEGREE MILL#############
# Rule 300072:
SecRule ARGS "@pm degree diploma" \
"id:333913,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,skip:1"
SecAction phase:2,id:333746,t:none,pass,nolog,skipAfter:END_DIPLOMA_SPAM
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:degree|diploma) in radiology" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300072,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Degree Mill',logdata:'%{TX.0}'"
SecMarker END_DIPLOMA_SPAM
############FAKE AV SPAM##################
SecRule ARGS "@pm virus malware spy greeting" \
"id:333914,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,skip:1"
SecAction phase:2,id:333747,t:none,pass,nolog,skipAfter:END_ANTIVIRUS_SPAM
#Rule 300080
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "(?:free|discount)[ -_.,\"\'\|]?anti[ -_.,\"\'\|]?(?:virus|(?:spy|mal)ware)" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300080,rev:5,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Free antivirus/spyware Link/Content',logdata:'%{TX.0}'"
#Rule 300080
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "pick[ -_.,\"\'\|]?up[ -_.,\"\'\|]?your[ -_.,\"\'\|]?greeting[ -_.,\"\'\|]?card" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300060,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam/Malware Link/Content',logdata:'%{TX.0}'"
SecMarker END_ANTIVIRUS_SPAM
############WOW/GOLD FARMING SPAM###########
SecRule ARGS "@pm gold farm making make hour tip likes" \
"id:353915,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,skip:1"
SecAction phase:2,id:333748,t:none,pass,nolog,skipAfter:END_WOW_SPAM
#Rule 300184
SecRule ARGS "(?:gold[ -_.,\"\'\|](?:making|farmers)|game[ -_.,\"\'\|]tip[ -_.,\"\'\|]wow[ -_.,\"\'\|]gold|gold[ -_.,\"\'\|]an[ -_.,\"\'\|]hour[ -_.,\"\'\|]farm|farming[ -_.,\"\'\|]gold|runescape[ -_.,\"\'\|]?gold|buy (?:instagram|facebook|twitter) likes)" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300184,rev:3,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible spam content',logdata:'%{TX.0}'"
SecMarker END_WOW_SPAM
############ESSAY SPAM###########
SecRule ARGS "@pm essay paper best term dissertations writing custom resume editing proofreading research video custom" \
"id:333916,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,skip:1"
SecAction phase:2,id:333749,t:none,pass,nolog,skipAfter:END_ESSAY_SPAM
SecRule ARGS|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/ "(?:best (?:term|college) (?:papers|essays)|best essays|academic writing assistance for term papers|(?:custom|essay|resume|paper|book report|video|research paper|dissertation|book and report) (?:writ|edit)ing (?:website|service)|(?:proofreading|custom writing) services|custom (?:research papers|paper writing)|original custom research paper for you|essay editing|custom (?:paper|writing))" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300185,rev:4,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Essay spam content',logdata:'%{TX.0}'"
SecMarker END_ESSAY_SPAM
############# GENERAL FORUM SPAM ###################
SecRule ARGS "@pm dumps cvv verified unlimited ebay heinchuini@ymail.com fullz atm" \
"id:333917,phase:2,t:none,t:compressWhiteSpace,pass,nolog,skip:1"
SecAction phase:2,id:333750,t:none,pass,nolog,skipAfter:END_HACK_SPAM
SecRule ARGS "(?:fresh and verified and unlimited ebay|atm pin database|heinchuini@ymail.com|fullz and uk fullz|cvv\+full info|i sell dumps)" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300188,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Illegal Activity Forum Spam',logdata:'%{TX.0}'"
SecMarker END_HACK_SPAM
#Movies spam
SecRule ARGS "@pm movies capital rapidshare hollywood" \
"id:353918,phase:2,t:none,t:compressWhiteSpace,pass,nolog,skip:1"
SecAction phase:2,id:333751,t:none,pass,nolog,skipAfter:END_MOVIES_SPAM
SecRule ARGS "(?:movies capital (?:has an|scam)|rapidshare premium link generator|huge collection of photos of hollywood stars)" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300189,rev:3,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Illegal Activity Forum Spam',logdata:'%{TX.0}'"
SecMarker END_MOVIES_SPAM
SecRule ARGS "@streq unlimited" \
"id:333919,phase:2,t:none,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"
SecAction phase:2,id:333752,t:none,pass,nolog,skipAfter:END_HOSTING_SPAM
SecRule ARGS "business of unlimited reseller hosting" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300301,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Reseller spam',logdata:'%{TX.0}'"
SecMarker END_HOSTING_SPAM
SecRule ARGS "@pm visa fiance spouse spousal green" \
"id:333920,phase:2,t:none,t:compressWhiteSpace,pass,nolog,skip:1"
SecAction phase:2,id:333755,t:none,pass,nolog,skipAfter:END_VISA_SPAM
SecRule ARGS "(?:k(?:1|3) (?:fiancee?|spous(?:e|al)) (?:visa|green ?card)|k(?:1|2|3) visa)" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300303,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible visa spam',logdata:'%{TX.0}'"
SecMarker END_VISA_SPAM
#job search spam
#job search faster
SecRule ARGS "@pm job search" \
"id:333921,phase:2,t:none,t:compressWhiteSpace,pass,nolog,skip:1"
SecAction phase:2,id:333756,t:none,pass,nolog,skipAfter:END_JOBS_SPAM
SecRule ARGS "(?:job search faster|find perfect jobs|free enterprise jobs)" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300304,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible job search spam',logdata:'%{TX.0}'"
SecMarker END_JOBS_SPAM
SecRule ARGS "@pm loan checking money cash" \
"id:333922,phase:2,t:none,t:compressWhiteSpace,pass,nolog,skip:1"
SecAction phase:2,id:333757,t:none,pass,nolog,skipAfter:END_LOAN_SPAM
SecRule ARGS "(?:second chance checking|pay ?day ?loan|money site url|cash[ -_.,\"\'\|]?advance)" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300311,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible loan spam',logdata:'%{TX.0}'"
SecMarker END_LOAN_SPAM
SecRule REQUEST_URI "@pm result: ++++" \
"id:333923,phase:2,t:none,pass,nolog,skip:1"
SecAction phase:2,id:333758,t:none,pass,nolog,skipAfter:END_SPLIT_SPAM
SecRule REQUEST_URI "\+\+\+\+\+\+\+\+\+\+\+.{1,100}result\:" \
"phase:2,deny,status:403,t:none,t:lowercase,id:301311,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Session Splitting Spam Attempt',logdata:'%{TX.0}'"
SecMarker END_SPLIT_SPAM
#All spam end
#anti hotlinking
# SecRule REQUEST_HEADERS:Referer \
# "!@beginsWith %{request_headers.host}" \
# phase:1,t:none,log,drop,chain
# SecRule REQUEST_FILENAME "!\.(?:gif|png|jpe?g|ico)$" \
# t:none,t:lowercase
SecMarker END_SPAM
--