[Owasp-modsecurity-core-rule-set] Question about RBL Match for SPAM Source Rule

OSSEC junkie ossec.junkie at gmail.com
Fri Dec 11 17:53:55 EST 2009


Thank you, Ryan, for the file.  I confirmed this is working now.  Silly
Gmail made my life miserable messing up the formatting of the
configuration.  I have this config working in a pass-through mode
right now just watching the amount of IPs being detected as spam,
it's quite fascinating.  I have a few more questions though:

1) expirevar, is there a max limit that can be set for this?  Right
now for RBL blocking, it's set to 86400 seconds (1 day), is there a
max limit?  Also, if I were to remove the expirevar variable, would
the block be perm?

2) Where are all the IPs being detected being written to?

3) Any thoughts about extending this type of RBL look-up to include
project honeypot?  That solution would offer a wider scope of coverage
than spamhaus currently does but just curious as to what your stance
on this is.

Thanks again for the great config for spamhaus/rbl look-ups.

