ScallyWhack/Rules/420003

Rule 420003: block #preview spam

Purpose

Blocks POST requests whose request target carries a #preview fragment (on the wire it usually arrives percent-encoded as %23preview), for the ticket handlers listed under Protected handlers.

The preview anchor is part of the action attribute of the <form> element of the forms Trac shows users for submitting new tickets:

<form id="newticket" method="post" action="/newticket#preview">
...
</form>

or comments to existing tickets:

<form method="get" action="/ticket/1#comment" class="printableform">
...
</form>

Legitimate user agents (browsers) never send the fragment: the part after # is client-side only and is stripped from the request target before the POST goes out. Spam bots that replay the form's action attribute verbatim do not bother to strip it, so a request target ending in #preview (or its encoded form %23preview) is a reliable bot signature.
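The same check, reimplemented as a small Python filter run over request lines, is added here as an illustration; it is not the rule's own code or part of ScallyWhack. It applies the regular expression that rule 420003 reports in the audit log below, restricts it to POST, and URL-decodes the target once so that %23preview and a raw #preview are treated alike (assumption: the rule decodes exactly once, as a single urlDecode transformation would). The request lines it scans are constructed for the example.

```python
import re
from urllib.parse import unquote

# The pattern rule 420003 reports in the audit log; ModSecurity applies it
# to REQUEST_URI. Here it is applied to the decoded request target.
PREVIEW_SPAM_RE = re.compile(r"^/(newticket|simpleticket|ticket/[0-9]+).*#preview$")

# Minimal parser for an HTTP/1.x request line: METHOD SP target SP HTTP/x.y
REQUEST_LINE_RE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' into (method, target); None if malformed."""
    m = REQUEST_LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2)


def matches_rule_420003(method, target):
    """True when the request would be blocked by rule 420003.

    Browsers strip the fragment, so a surviving '#preview' (raw or as %23)
    on a POST to a ticket handler is the bot signature the rule looks for.
    The target is decoded once (assumption: single urlDecode transformation).
    """
    if method != "POST":
        return False
    decoded = unquote(target)
    return PREVIEW_SPAM_RE.search(decoded) is not None


def scan_request_lines(lines):
    """Return the request lines that rule 420003 would block."""
    blocked = []
    for line in lines:
        parsed = parse_request_line(line)
        if parsed is None:
            continue  # skip lines that are not request lines
        method, target = parsed
        if matches_rule_420003(method, target):
            blocked.append(line)
    return blocked


# Constructed sample request lines (not taken from a real log).
SAMPLE_REQUEST_LINES = [
    "POST /ticket/24%23preview HTTP/1.1",       # the case shown in the audit log
    "POST /newticket#preview HTTP/1.1",         # fragment sent raw, unencoded
    "POST /simpleticket%23preview HTTP/1.0",
    "POST /ticket/24 HTTP/1.1",                 # what a browser actually sends
    "GET /ticket/24%23preview HTTP/1.1",        # not a POST, so not covered
    "POST /wiki/WikiStart%23preview HTTP/1.1",  # handler not protected by the rule
    "POST /ticket/abc%23preview HTTP/1.1",      # ticket id must be numeric
]

if __name__ == "__main__":
    for line in scan_request_lines(SAMPLE_REQUEST_LINES):
        print("blocked:", line)
```

Only the first three sample lines are flagged; the browser-shaped POST without a fragment, the GET, the wiki handler and the non-numeric ticket id all pass, matching the handler list and anchoring of the rule's pattern.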

Example

--64aaa505-A--
[26/Apr/2007:08:04:08 +0200] yX4ykKwQKoYAAG9DmZAAAAAR XX.XX.XX.XX 38863 217.24.1.134 80
--64aaa505-B--
POST /ticket/24%23preview HTTP/1.1
Host: madwifi.org
Connection: keep-alive
Content-Length: 812
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*
Referer: http://madwifi.org/ticket/24#preview
Via: 1.0 JN-PLM-C62-01 (NetCache NetApp/5.6.2R1D31)

--64aaa505-C--
author=leqric&comment=%3Ca+href%3Dhttp%3A%2F%2Fdomain.tld%2Fl%3FmU%3Efamous+person+nude%3C%2Fa%3E+famous+person+nude+http%3A%2F%2Fdomain.tld%2Fl%3FmU+famous+person+nude+%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fdomain.tld%2Fl%3FmV%3Efamous+person+naked%3C%2Fa%3E+famous+person+naked+http%3A%2F%2Fdomain.tld%2Fl%3FmV+famous+person+naked+%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fdomain.tld%2Fl%3FmW%3Efamous+person+sex%3C%2Fa%3E+famous+person+sex+http%3A%2F%2Fdomain.tld%2Fl%3FmW+famous+person+sex+%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fdomain.tld%2Fl%3FmX%3Efamous+person+topless%3C%2Fa%3E+famous+person+topless+http%3A%2F%2Fdomain.tld%2Fl%3FmX+famous+person+topless+%0D%0A%3Ca+href%3Dhttp%3A%2F%2Fdomain.tld%2Fl%3FmY%3Efamous+person+monsters+ball%3C%2Fa%3E+famous+person+monsters+ball+http%3A%2F%2Fdomain.tld%2Fl%3FmY+famous+person+monsters+ball&action=leave&ts=1148051038&preview=
--64aaa505-F--
HTTP/1.1 403 Forbidden
Accept-Ranges: bytes
Keep-Alive: timeout=5, max=512
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

--64aaa505-H--
Message: Access denied with code 403 (phase 1). Pattern match "^/(newticket|simpleticket|ticket/[0-9]+).*\\#preview$" at REQUEST_URI. [id "420003"] [rev "1"] [msg "#preview spam"]
Action: Intercepted (phase 1)
Stopwatch: 1177567448937104 2852 (1037* 1153 -)
Producer: ModSecurity v2.1.0 (Apache 2.x)
Server: Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 mod_python/3.2.10 Python/2.4.4
WebApp-Info: "trac.madwifi" "-" "-"

--64aaa505-Z--

Protected handlers

  • newticket
  • simpleticket
  • ticket

See also

History

rev:1
Initial version.