Good site, admin

I started seeing emails posted via contact forms with this message body. All sites on multiple servers starting experiencing this. I believe this is just a probe to test if contact forms are requiring captcha or this could be a initial set up for backscatter, etc. Either way, I don't like it. The first piece of investigation was to look at the IP of the originating requests. Unfortunately, they're all random. Clearly the program is using a proxy, or this could be a virus/worm related activity. So blocking based on origin is not a good solution.

The next route that made the most sense for me was to create a mod_security rule to block this traffic based on POST payload. I'm running mod_security-2.1.2, so this rule may not work depending on what brand of mod_sec you're running. I created the following rule in my custom rule config.

SecRule REQUEST_BODY ".*good site, admin.*" "auditlog,log,deny,phase:2,status:403,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,id:20090517,rev:3,severity:2,msg:'Contact Spam Probe'"

I might need to work on the regex a bit, since this is pretty broad, but for now, it's stopping these requests in their tracks. Hope this helps!