# http://www.atomicorp.com/ # Atomicorp (Gotroot.com) ModSecurity rules # RBL rules # # Created by the Prometheus Group (http://www.prometheus-group.com) # Copyright 2005,2006, 2007 and 2008 by the Prometheus Group, all rights reserved. # Redistribution is strictly prohibited in any form, including whole or in part. # Distribution of this work or derivative of this work in any form is # prohibited unless prior written permission is obtained from the # copyright holder. # # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF # THE POSSIBILITY OF SUCH DAMAGE. 
#
#---ASL-CONFIG-FILE---
#Global RBL rules
#
# Chain 350000: first link skips any client address found in the whitelist
# file, second link denies the request if the address is listed on the
# xbl.spamhaus.org RBL. Both links run in whatever phase ModSecurity uses
# by default, since no phase action is set (phase 2 in ModSecurity 2.x --
# confirm for the version in use if earlier blocking is wanted).
#
# NOTE(review): @pmFromFile is a substring (phrase) match, not an address
# match, so a whitelist entry such as 10.1.1.1 also exempts 10.1.1.10 and
# 110.1.1.1. Check the whitelist contents, or use an address operator such
# as @ipMatchFromFile where the ModSecurity version provides it (2.7+).
# NOTE(review): REMOTE_ADDR is the immediate TCP peer; behind a reverse
# proxy or load balancer every request carries the proxy address, so both
# the whitelist lookup and the RBL query would be made against it.
# NOTE(review): @rbl performs a DNS query for every non-whitelisted request;
# the resolver must be reachable and each lookup adds latency -- confirm
# whether results are cached by the ModSecurity version in use.
SecRule REMOTE_ADDR "!@pmFromFile /etc/asl/whitelist" \
"chain,deny, log, id:350000,rev:2,msg:'Global RBL Match: IP is on the xbl.spamhaus.org Blacklist',severity:'1'"
SecRule REMOTE_ADDR "@rbl xbl.spamhaus.org"
#
# Chains 350001-350004 below follow the same whitelist-then-RBL shape as
# 350000 against other lists; they are shipped disabled.
#Block TOR exit nodes
#SecRule REMOTE_ADDR "!@pmFromFile /etc/asl/whitelist" \
#"chain,deny, log, id:350001,rev:2,msg:'Tor Exit Node RBL Match: IP is on the torexit.dan.me.uk Blacklist',severity:'1'"
#SecRule REMOTE_ADDR "@rbl torexit.dan.me.uk"
#
##Block open proxies
#SecRule REMOTE_ADDR "!@pmFromFile /etc/asl/whitelist" \
#"chain,deny, log, id:350002,rev:2,msg:'Open Proxy RBL Match: IP is on the http.dnsbl.sorbs.net Blacklist',severity:'1'"
#SecRule REMOTE_ADDR "@rbl http.dnsbl.sorbs.net"
#
##Block open socks proxies
#SecRule REMOTE_ADDR "!@pmFromFile /etc/asl/whitelist" \
#"chain,deny, log, id:350003,rev:2,msg:'Open SOCKS proxy RBL Match: IP is on the socks.dnsbl.sorbs.net Blacklist',severity:'1'"
#SecRule REMOTE_ADDR "@rbl socks.dnsbl.sorbs.net"
#
##Block other open http proxies
#SecRule REMOTE_ADDR "!@pmFromFile /etc/asl/whitelist" \
#"chain,deny, log, id:350004,rev:2,msg:'Misc Open Proxy RBL Match: IP is on the misc.dnsbl.sorbs.net Blacklist',severity:'1'"
#SecRule REMOTE_ADDR "@rbl misc.dnsbl.sorbs.net"
#
#Special targeted RBL rules for blogs
#Configured as a subset of the mail rules - so RBLs are on for the whole system
#Wordpress
#
# Chains 300061-300063 are disabled and kept for reference. As originally
# written they used typographic quotes (“ ” ’) instead of ASCII quotes, which
# Apache would not treat as quoting; the quotes below have been normalised to
# ASCII. Points to check before enabling any of them:
#  - REQUEST_METHOD is matched against ^post$ with no transformation, while
#    the method on the wire is upper-case (POST); the pattern needs
#    t:lowercase or a (?i) prefix to match.
#  - the whitelist check is the last link of each chain, so the RBL DNS
#    lookup is made before the whitelist is consulted -- the reverse of the
#    global chain 350000 above.
#  - the chains carry no explicit disruptive action (no deny), so a match
#    would only log unless a default action sets one.
#  - the final link of chain 300063 is prefixed with ### while the other
#    links use #, so uncommenting by a single-character prefix would leave
#    that chain without its last link.
#SecRule REQUEST_METHOD "^post$" "chain,id:300061,rev:1,severity:2,msg:'Spam: WordPress Comment From user on RBL: list.dsbl.org'"
#SecRule REQUEST_URI "wp-(comments-post|trackback)\.php$" "chain,t:normalisePath"
#SecRule REMOTE_ADDR "@rbl list.dsbl.org" chain
#SecRule REMOTE_ADDR "!@pmFromFile /etc/asl/whitelist"
##
#SecRule REQUEST_METHOD "^post$" "chain,id:300062,rev:1,severity:2,msg:'Spam: WordPress Comment From user on RBL: bl.spamcop.net'"
#SecRule REQUEST_URI "wp-(?:comments-post|trackback)\.php$" "chain,t:normalisePath"
#SecRule REMOTE_ADDR "@rbl bl.spamcop.net" chain
#SecRule REMOTE_ADDR "!@pmFromFile /etc/asl/whitelist"
##
#SecRule REQUEST_METHOD "^post$" "chain,id:300063,rev:1,severity:2,msg:'Spam: WordPress Comment From user on RBL: sbl-xbl.spamhaus.org'"
#SecRule REQUEST_URI "wp-(?:comments-post|trackback)\.php$" "chain,t:normalisePath"
#SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" chain
###SecRule REMOTE_ADDR "!@pmFromFile /etc/asl/whitelist"