WAF Rule ID 323299
Alert message: Atomicorp.com WAF AntiSpam Rules: Spammer attempting to post to WP comments as fake search engine
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 1
Severity: Error (HIDS: 8)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
lowercase
urlDecodeUni
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Spammer attempting to post to WP comments as fake search engine
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance in Tuning the Atomicorp WAF Rules.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 303299
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible Link Spam in User-Agent header
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 1
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
htmlEntityDecode
lowercase
urlDecodeUni
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Possible Link Spam in User-Agent header
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance in Tuning the Atomicorp WAF Rules.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 313299
Alert message: Atomicorp.com WAF AntiSpam Rules: Known worm sign
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 1
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Known worm sign
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance in Tuning the Atomicorp WAF Rules.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300134
Alert message: Atomicorp.com WAF AntiSpam Rules: Potential Referer Spam
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 2
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
lowercase
urlDecodeUni
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Potential Referer Spam
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance in Tuning the Atomicorp WAF Rules.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 303201
Alert message: Atomicorp.com WAF AntiSpam Rules: Spam Tool detected
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 1
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
urlDecodeUni
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Spam Tool detected
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance in Tuning the Atomicorp WAF Rules.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300001
Alert message: Atomicorp.com WAF AntiSpam Rules: Abusive or Spam Domain detected in argument
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 24
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
htmlEntityDecode
lowercase
urlDecodeUni
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
This rule detects whether a domain is a known abusive or spam domain. These are domains that have been used to flood sites, to abuse mailing lists or forums, or to spam trusted sources.
This rule works by detecting the use of the domain in an argument.
Determining what domain was blocked
Please see the Modsecurity_audit_log article about how to read modsecurity audit log events. For a 300001 event, you will want to look at the H section of the audit log entry, which will look similar to this example:
--5f3acc73-H--
Message: [file "/etc/httpd/modsecurity.d/30_asl_antispam.conf"] [line "52"]
[id "300001"] [rev "23"] [msg "Atomicorp.com WAF Rules: Abusive or Spam Domain detected in argument"]
[data ""] [severity "CRITICAL"] Access denied with code 403 (phase 2).
Matched phrase "www.example.com" at ARGS:message.
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Stopwatch: 1311655548998047 492700 (405774* 492191 -)
WAF: ModSecurity for Apache/2.5.13 ( http://www.modsecurity.org/); 201107251315.
Server: Apache/2.2.18 (CentOS)
The element "Matched phrase "www.example.com" at ARGS:message." above shows the phrase that was matched, which in this case was the domain www.example.com. Please look for that line in your audit log entry, which will show you which domain was blocked by this rule.
Troubleshooting:
False Positives:
A false positive can occur when a domain is not bounded, due to the parallel matching technique used to do the blocklist searches, or if a domain has previously been used to abuse or spam and is no longer engaging in this activity.
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
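The following added example (not Atomicorp code) covers both the "Determining what domain was blocked" step and the unbounded-domain false positive described above: it extracts the matched phrase from an H section, then checks whether that phrase stands alone as a hostname in the argument value. The function names and the definition of "bounded" used here are assumptions, and the argument values are constructed.

```python
import re

# The H section excerpt from this page, wrapped across lines as it is shown there.
SAMPLE_H = '''--5f3acc73-H--
Message: [file "/etc/httpd/modsecurity.d/30_asl_antispam.conf"] [line "52"]
[id "300001"] [rev "23"] [msg "Atomicorp.com WAF Rules: Abusive or Spam Domain detected in argument"]
[data ""] [severity "CRITICAL"] Access denied with code 403 (phase 2).
Matched phrase "www.example.com" at ARGS:message.
Action: Intercepted (phase 2)
'''

ID_RE = re.compile(r'\[id "(\d+)"\]')
MATCH_RE = re.compile(r'Matched phrase "([^"]*)" at (\S+)')


def parse_h_section(section):
    """Return one dict per Message entry that carries a 'Matched phrase'."""
    # Collapse wrapping so a Message split across lines is searched as one string.
    flat = " ".join(section.split())
    events = []
    for chunk in flat.split("Message: ")[1:]:
        rule = ID_RE.search(chunk)
        hit = MATCH_RE.search(chunk)
        if rule and hit:
            events.append({
                "id": rule.group(1),
                "phrase": hit.group(1),
                # The log sentence ends with a period that is not part of the variable.
                "variable": hit.group(2).rstrip("."),
            })
    return events


def classify_hit(phrase, value):
    """Classify how the matched phrase occurs in the (already decoded) argument value.

    Assumption: 'bounded' means the phrase is not preceded by a hostname
    character and is not followed by more hostname labels. A preceding dot
    is accepted, since that is a subdomain of the listed domain.
    """
    value = value.lower()
    phrase = phrase.lower()
    if phrase not in value:
        return "absent"
    bounded = re.compile(
        r"(?<![a-z0-9-])" + re.escape(phrase) + r"(?![a-z0-9-]|\.[a-z0-9])"
    )
    return "bounded" if bounded.search(value) else "unbounded"


if __name__ == "__main__":
    for event in parse_h_section(SAMPLE_H):
        print(event)
    # Constructed argument values for triage.
    print(classify_hit("www.example.com", "visit http://www.example.com/page now"))
    print(classify_hit("www.example.com", "see http://www.example.com.au/"))
```

An "unbounded" result means the listed domain only appears inside a longer, different hostname, which is the case worth reporting as a false positive.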
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance in Tuning the Atomicorp WAF Rules.
Additional Information:
Similar rules:
None.
Outside References:
https://wiki.atomicorp.com/wiki/index.php/ASL_FAQ#How_are_spam_domains_added.3F
https://wiki.atomicorp.com/wiki/index.php/ASL_FAQ#How_are_spam_domains_aged_out.3F
https://wiki.atomicorp.com/wiki/index.php/ASL_FAQ#Do_you_use_third_party_spam_domain_lists.3F
WAF Rule ID 300299
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible Link Spam
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 3
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
htmlEntityDecode
lowercase
urlDecodeUni
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Possible Link Spam
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance in Tuning the Atomicorp WAF Rules.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300079
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post)
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 18
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
htmlEntityDecode
lowercase
urlDecodeUni
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
This rule detects the use of four or more URLs in a single post. This rule is part of the anti spam rule family, and is a simple method of detecting possible URL spamming.
If you wish to allow this, then disable this rule.
Troubleshooting:
False Positives:
The rule is very simple and only detects four or more URLs; it does not determine whether these are spam URLs or non-malicious URLs. If you wish to allow the posting of four or more URLs, please disable this rule.
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance in Tuning the Atomicorp WAF Rules.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300023
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post)
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 1
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
htmlEntityDecode
lowercase
urlDecodeUni
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
This rule detects if 4 or more HTML marked up or application specific marked URLs are included in a single post.
This rule works by detecting the use of a URL as either an HTML argument, or an application specific (i.e. url=) URL included in a POST.
Troubleshooting:
False Positives:
A false positive can occur when an application legitimately allows a user to submit 4 or more URLs in a POST, for all potential uses and users. For example, a forum software package's user posting application would not be an example of this, as some forums may be configured to not allow 4 or more URLs in a post. This rule was developed specifically because some forum software packages do not restrict the number of URLs in a post, and this method is used by spammers to fill forums and blogs with link spam.
An administrator-authenticated application that takes a series of URLs as arguments would be an example of a potential false positive. The rules contain a large library of known web applications and safe methods for using URLs, and can detect known safe methods and ignore them. However, it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule, or for an application to do this in a manner where it is simply not possible for the WAF to know if this was authorized. The intent of this rule is to assist with web spam attacks, where a spammer attempts to post a series of URLs on a wiki, forum, blog or other site. The rules will try to determine if this is authorized, but not all web applications provide a means of detecting this, and so the rules catch those cases where they may not be able to do this, or where an actual spamming event may have occurred.
If you have a false positive, it's recommended that you follow the tuning guidance below.
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
If you know that this behavior is acceptable for your application, and you know the application has a trusted means of showing this action should be allowed, you can tune it by identifying the argument that is being triggered, and specifically allowing that argument for that application to allow a URL.
If you know that this behavior is acceptable for your application, you can tune by following the guidance in Tuning the Atomicorp WAF Rules.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300182
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible Spam: Mixed URL posting types - possible spam
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 18
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
htmlEntityDecode
lowercase
urlDecodeUni
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
This rule detects mixed URL posting types that some forums, content management systems, guestbooks, blogs and other web applications support. For example, a web application may support the tag “url” or it may support the tag “link”, which is used to allow a user to either hyperlink some text, or to designate a URL as “clickable” to the end user. No product is known to support both types; they support either “link” or “url”, but not both.
Spammers will often try to post links blindly to a forum, blog or other public site or comment system using both tag types, in the hopes that the application will support one or the other tag. As most web applications will just ignore the invalid type, this method of spamming is very effective.
This rule works by detecting when a post contains both types of link tags.
Troubleshooting:
False Positives:
A false positive can occur when an application legitimately supports both types. No known web application supports both types.
A false positive can also occur if a user accidentally, or deliberately uses both types of markup not knowing which the application supports.
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
If you know that this behavior is acceptable for your application, you can tune it by identifying the argument that is being triggered, and specifically allowing that argument for that application to allow a URL.
If you know that this behavior is acceptable for your application, you can tune by following the guidance in Tuning the Atomicorp WAF Rules.
Additional Information:
Similar rules:
Outside References:
None.
WAF Rule ID 300282
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible Spam: Broken URL posting type - possible spam
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 2
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
htmlEntityDecode
lowercase
urlDecodeUni
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
This rule detects when a post is made using broken forum, CMS or other user-generated URL formats. For example, this format:
[url=http://www.example.com]some link[/url]
is commonly used by many forum and CMS tools. Some spam tools will attempt to post spam URLs to a site, but will post broken URLs, for example not closing the url, or injecting multiple url= url= variables in a row.
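The checks described for rules 300079 (four or more URLs), 300182 (mixed "url" and "link" tags) and 300282 (broken url tags) can be reproduced for triage of a flagged post, as in this added example. It is not Atomicorp's rule logic: the regexes, the `[link=...]` tag syntax, the order of the approximated transforms, and the function names are assumptions, and the sample posts are constructed.

```python
import html
import re
from urllib.parse import unquote_plus

URL_RE = re.compile(r'https?://[^\s\[\]<>"\']+')
URL_START = re.compile(r'\[url\b')          # any opening "[url" or "[url="
URL_CLOSE = re.compile(r'\[/url\]')
URL_PAIR = re.compile(r'\[url(?:=[^\[\]]*)?\][^\[\]]*\[/url\]')  # well-formed pair
LINK_START = re.compile(r'\[link\b')        # assumed syntax for the "link" tag
REPEATED_URL_EQ = re.compile(r'url=\s*url=')


def normalize(raw):
    """Approximate urlDecodeUni, htmlEntityDecode, lowercase, compressWhitespace.

    %uXXXX sequences handled by urlDecodeUni are not decoded here.
    """
    text = html.unescape(unquote_plus(raw)).lower()
    return re.sub(r'\s+', ' ', text)


def triage_post(raw):
    """Return the list of link-spam indicators found in one posted argument."""
    text = normalize(raw)
    findings = []

    # Rule 300079 description: four or more URLs in a single post.
    if len(URL_RE.findall(text)) >= 4:
        findings.append("four_or_more_urls")

    # Rule 300182 description: both tag types present in the same post.
    if URL_START.search(text) and LINK_START.search(text):
        findings.append("mixed_url_and_link_tags")

    # Rule 300282 description: url tag not closed, or "url= url=" in a row.
    starts = len(URL_START.findall(text))
    closes = len(URL_CLOSE.findall(text))
    pairs = len(URL_PAIR.findall(text))
    if starts != pairs or closes != pairs or REPEATED_URL_EQ.search(text):
        findings.append("broken_url_tag")

    return findings


# Constructed sample posts.
GOOD = "[url=http://www.example.com]some link[/url]"
UNCLOSED = "[url=http://www.example.com some link"
REPEATED = "[url=url=http://www.example.com]x[/url]"
MIXED_ENCODED = ("%5Burl%3Dhttp%3A%2F%2Fa.example%5Dx%5B%2Furl%5D%20"
                 "%5BLINK%3Dhttp%3A%2F%2Fa.example%5Dx%5B%2Flink%5D")
FOUR = "http://a.example/1 http://a.example/2 http://a.example/3 http://a.example/4"

if __name__ == "__main__":
    for name, post in [("good", GOOD), ("unclosed", UNCLOSED),
                       ("repeated", REPEATED), ("mixed", MIXED_ENCODED),
                       ("four", FOUR)]:
        print(name, triage_post(post))
```

The URL-encoded, mixed-case sample is only recognised after normalization, which is why these rules list decoding and lowercase transforms.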
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
If you know that this behavior is acceptable for your application, you can tune it by identifying the argument that is being triggered, and specifically allowing that argument for that application to allow a URL.
If you know that this behavior is acceptable for your application, you can tune by following the guidance in Tuning the Atomicorp WAF Rules.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300302
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible Spam Link
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 2
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
htmlEntityDecode
lowercase
urlDecodeUni
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Possible Spam Link
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance in Tuning the Atomicorp WAF Rules.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300313
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible Spam Link
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 2
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
htmlEntityDecode
lowercase
urlDecodeUni
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Possible Spam Link
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance in Tuning the Atomicorp WAF Rules.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 391100
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible spammer signup for forum
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 1
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
urlDecodeUni
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Possible spammer signup for forum
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance in Tuning the Atomicorp WAF Rules.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300056
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible Spam: Hidden Text Exploit
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 7
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
htmlEntityDecode
lowercase
replaceComments
urlDecodeUni
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Possible Spam: Hidden Text Exploit
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance in Tuning the Atomicorp WAF Rules.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300076
Alert message: Atomicorp.com WAF AntiSpam Rules: Hidden Text Detected
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 29
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
htmlEntityDecode
lowercase
replaceComments
urlDecodeUni
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
This rule detects patterns commonly used by web spammers and malware. This by itself may not be an attack.
Specifically, this rule detects the use of content markup methods that “hide” the content. For example, methods that make text hidden (while it is still loaded by a web browser), or that make sections of a page invisible but potentially still visible to a search engine or browser.
Troubleshooting:
False Positives:
A false positive can occur when a website legitimately uses this type of content, or if there is an error in the patterns used to detect this. The rules contain a large library of known web applications and safe methods for using this content, such as administrative functions, and can detect known safe methods and ignore them. However it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule.
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance in Tuning the Atomicorp WAF Rules.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300032
Alert message: Atomicorp.com WAF AntiSpam Rules: Gambling or Poker Content (Disable this rule if you wish to allow that content)
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 11
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
This rule detects whether a client's actions, such as a post or a request, contain content associated with gambling. This may be authorized for your site, and if it is you will want to disable this rule.
Troubleshooting:
False Positives:
This rule specifically detects gambling content. If this occurs for a purely administrative function, please report this as a false positive. If this occurs with normal user interaction with your site, then please do not report this as a false positive, as the rule is working as intended.
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance in Tuning the Atomicorp WAF Rules.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300028
Alert message: Atomicorp.com WAF AntiSpam Rules: Spam: Gambling
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 2
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Spam: Gambling
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance in Tuning the Atomicorp WAF Rules.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300042
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible Spam: Weight Loss
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 4
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
This rule detects posts containing weight loss content. Some sites restrict this type of content either to prevent spamming or for legal reasons. If your site allows this type of content, disable this rule.
Troubleshooting:
False Positives:
A false positive can occur when sites allow this content. The rules contain a large library of known administrative functions that would need to use this content (such as blocking this content, or adding this content to a website). The rules deliberately do not allow non-administrative users, such as forum or blog thread users to post this type of content. This rule is designed to prevent those types of users from posting this type of content (not admins).
If you know that this action was purely administrative, and not a regular user, please report this as a false positive.
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance in Tuning the Atomicorp WAF Rules.
Additional Information:
Similar rules:
Outside References:
None.
WAF Rule ID 300051
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible Spam: General
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 10
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
This rule detects generic spam and content associated with spam (Rolex for example). This is a broad rule, designed to detect this content, but not necessarily to detect its “spaminess”. Therefore, if your site allows this type of content you will need to disable this rule.
Troubleshooting:
False Positives:
A false positive can occur if this type of content is allowed on the site.
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance in Tuning the Atomicorp WAF Rules.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300010
Alert message: Atomicorp.com WAF AntiSpam Rules: Spam: Male Enhancement Spam
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 2
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Spam: Male Enhancement Spam
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance in Tuning the Atomicorp WAF Rules.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300040
Alert message: Atomicorp.com WAF AntiSpam Rules: Spam: Pharmacy
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 10
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Spam: Pharmacy
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance in Tuning the Atomicorp WAF Rules.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300061
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible Spam or Restricted content: Pharmacy and/or Drug content detected
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 25
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
This rule detects posts containing pharmacy and prescription drug content. Some sites restrict this type of content either to prevent spamming of pharmaceutical sites, or for legal reasons. If your site allows this type of content, disable this rule.
Troubleshooting:
False Positives:
A false positive can occur when sites allow this content. The rules contain a large library of known administrative functions that would need to use this content (such as blocking this content, or adding this content to a website). The rules deliberately do not allow non-administrative users, such as forum or blog thread users, to post this type of content. This rule is designed to prevent those types of users from posting this type of content (not admins).
If you know that this action was purely administrative, and not a regular user, please report this as a false positive.
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance in Tuning the Atomicorp WAF Rules.
Additional Information:
Similar rules:
Outside References:
None.
WAF Rule ID 300011
Alert message: Atomicorp.com WAF AntiSpam Rules: Spam: Pharmacy
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 12
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
This rule detects patterns commonly used by web spammers when attempting to post pharmacy-type spam on web forums, blogs, comment systems, wikis and other websites. This by itself may not be an indication of spam if the website normally allows this type of content.
Troubleshooting:
False Positives:
A false positive can occur when a website legitimately uses this type of content, or if there is an error in the patterns used to detect this. The rules contain a large library of known web applications and safe methods for using this content, such as administrative functions, and can detect known safe methods and ignore them. However, it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule.
If your website allows pharmacy-related content, simply disable this rule.
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300038
Alert message: Atomicorp.com WAF AntiSpam Rules: Spam: Pharmacy
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 12
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
This rule detects posts containing pharmacy and prescription drug content. Some sites restrict this type of content, either to prevent spamming of pharmaceutical sites or for legal reasons. If your site allows this type of content, disable this rule.
Troubleshooting:
False Positives:
A false positive can occur when sites allow this content. The rules contain a large library of known administrative functions that would need to use this content (such as blocking this content, or adding this content to a website). The rules deliberately do not allow non-administrative users, such as forum or blog thread users, to post this type of content. The rules are designed to prevent those types of users from posting this type of content (not admins).
If you know that this action was purely administrative, and not a regular user, please report this as a false positive.
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
Outside References:
None.
WAF Rule ID 300065
Alert message: Atomicorp.com WAF AntiSpam Rules: Spam: Adult Content Detected
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 11
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
This rule detects potential adult content in a post.
Troubleshooting:
False Positives:
A false positive can occur when this type of content is allowed.
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300068
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible Spam: Adult Content Detected
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 9
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Possible Spam: Adult Content Detected
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300057
Alert message: Atomicorp.com WAF AntiSpam Rules: Spam: Adult
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 8
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Spam: Adult
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300003
Alert message: Atomicorp.com WAF AntiSpam Rules: Spam: Adult Video
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 12
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Spam: Adult Video
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300004
Alert message: Atomicorp.com WAF AntiSpam Rules: Spam: Adult
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 7
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Spam: Adult
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300074
Alert message: Atomicorp.com WAF AntiSpam Rules: Spam: Adult
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 23
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
This rule detects whether a client's actions, such as a post or a request, contain content associated with adult content. This may be authorized for your site; if it is, you will want to disable this rule.
Troubleshooting:
False Positives:
This rule specifically detects adult content. If this occurs for a purely administrative function, please report this as a false positive. If this occurs with normal user interaction with your site, then please do not report this as a false positive, as the rule is working as intended.
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300078
Alert message: Atomicorp.com WAF AntiSpam Rules: Spam: Adult
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 6
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Spam: Adult
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300069
Alert message: Atomicorp.com WAF AntiSpam Rules: Spam: Commercial
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 26
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Spam: Commercial
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300066
Alert message: Atomicorp.com WAF AntiSpam Rules: Spam: Commercial
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 26
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
This rule detects content of a commercial nature. This may indicate that spamming activity is under way.
Troubleshooting:
False Positives:
A false positive can occur if you allow this type of content on your website.
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
Outside References:
None.
WAF Rule ID 300071
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible SEO or spamware content
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 13
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
This rule detects whether a post contains content regarding search engine optimization.
Troubleshooting:
False Positives:
A false positive can occur when a website legitimately uses this type of content (an SEO website for example), or if there is an error in the patterns used to detect this type of spam. The rules contain a large library of known web applications and safe methods for using this content, such as administrative functions, and can detect known safe methods and ignore them. However, it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule.
It is not recommended that you disable this rule if your site does not allow SEO content. If your site does allow this type of content, then you will want to disable this rule.
If your site does not allow SEO content, and you believe this is a false positive (it does not contain SEO content), please report this to our security team. Instructions to report false positives are detailed on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300049
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible SEO or spamware content
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 2
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Possible SEO or spamware content
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300035
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible spam content
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 3
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Possible spam content
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300186
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible Generic Forum Spam
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 3
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Possible Generic Forum Spam
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300030
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible Travel spam content
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 2
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Possible Travel spam content
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300031
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible Travel spam content
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 1
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Possible Travel spam content
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300033
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible Travel spam content
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 1
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Possible Travel spam content
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300072
Alert message: Atomicorp.com WAF AntiSpam Rules: Spam: Degree Mill
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 2
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Spam: Degree Mill
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300080
Alert message: Atomicorp.com WAF AntiSpam Rules: Free antivirus/spyware Link/Content
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 5
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
This rule detects content about free antivirus, antimalware and anti-spyware software. Some websites do not allow this type of content, as it is also used by fake antivirus companies and scammers that advertise free antivirus software that actually contains malware.
Disable this rule if your website allows this type of content.
Troubleshooting:
False Positives:
A false positive can occur when a website legitimately uses this type of content, or if there is an error in the patterns used to detect this type of spam. The rules contain a large library of known web applications and safe methods for using this content, such as administrative functions, and can detect known safe methods and ignore them. However, it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule.
It is not recommended that you disable this rule if your site does not allow this type of content. If your site does allow this type of content, then you will want to disable this rule.
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300060
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible Spam/Malware Link/Content
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 1
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Possible Spam/Malware Link/Content
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300184
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible spam content
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 3
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Possible spam content
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300185
Alert message: Atomicorp.com WAF AntiSpam Rules: Essay spam content
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 4
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Essay spam content
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300188
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible Illegal Activity Forum Spam
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 1
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Possible Illegal Activity Forum Spam
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300189
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible Illegal Activity Forum Spam
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 3
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Possible Illegal Activity Forum Spam
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300301
Alert message: Atomicorp.com WAF AntiSpam Rules: Reseller spam
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 1
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Reseller spam
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300303
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible visa spam
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 1
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Possible visa spam
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300304
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible job search spam
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 1
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Possible job search spam
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300311
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible loan spam
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 2
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
This rule detects content about advanced loans, payday loans and other similar content. This is a broad rule, designed to detect this content, but not necessarily to detect its “spaminess”. Therefore, if your site allows this type of content, you will need to disable this rule.
Troubleshooting:
False Positives:
A false positive can occur if this type of content is allowed on the site.
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 301311
Alert message: Atomicorp.com WAF AntiSpam Rules: Spam: Session Splitting Spam Attempt
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 2
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
lowercase
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
This rule detects when a client attempts, and fails, to issue what is sometimes referred to as a “session splitting” attack. This type of attack attempts to trick the web server into thinking it is serving one request when it is serving another. This attack method is also used to try to trick a WAF into not looking at the second, or “real”, request, which includes the real payload and attack.
This particular rule catches a method that spammers use to try to post spam to a website, and sometimes to register with a forum, blog, CMS or other web application that requires registration.
Troubleshooting:
False Positives:
None. This rule only detects completely invalid requests; there is no known legitimate action that would trigger this rule.
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300200
Alert message: Atomicorp.com WAF AntiSpam Rules: Spam: Hidden Text
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 1
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Spam: Hidden Text
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300201
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible Spam: Hidden Text Detected
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 2
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
htmlEntityDecode
lowercase
urlDecodeUni
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Possible Spam: Hidden Text Detected
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 300081
Alert message: Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post)
Rule Class: Generic Attack Ruleset (30_asl_antispam.conf)
Version: 1
Severity: Warning (HIDS: 7)
HTTP Protocol Phase: 2
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
htmlEntityDecode
lowercase
urlDecodeUni
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post)
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules
Additional Information:
Similar rules:
None.
Outside References:
None.