# WAF Rule ID 323299  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Spammer attempting to post to WP comments as fake search engine 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 1 

**Severity:** Error (HIDS: 8)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Spammer attempting to post to WP comments as fake search engine

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 303299  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible Link Spam in User-Agent header 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 1 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Possible Link Spam in User-Agent header

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 313299  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Known worm sign 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 1 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Known worm sign

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300134  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Potential Referer Spam 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 2 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Potential Referer Spam

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 303201  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Spam Tool detected 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 1 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Spam Tool detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300001  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Abusive or Spam Domain detected in argument 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 24 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rule detects if a domain is either a known abusive or spam domains. These are domains that have been used either to flood sites, abuse mailing lists/forums or to spam trusted sources.

This rules work by detecting the use of a the domain in an argument.

Determining what domain was blocked

Please see the Modsecurity_audit_log article about how to read modsecurity audit log events. For a 300001 event, you will want to look at the H section of the audit log entry, which will look similar to this example:

```
--5f3acc73-H--
Message: [file "/etc/httpd/modsecurity.d/30_asl_antispam.conf"] [line "52"]
 [id "300001"] [rev "23"] [msg "Atomicorp.com WAF Rules: Abusive or Spam Domain detected in argument"] 
[data ""] [severity "CRITICAL"] Access denied with code 403 (phase 2). 
Matched phrase "www.example.com" at ARGS:message.
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Stopwatch: 1311655548998047 492700 (405774* 492191 -)
WAF: ModSecurity for Apache/2.5.13 ( http://www.modsecurity.org/); 201107251315.
Server: Apache/2.2.18 (CentOS)
The element "Matched phrase "www.example.com" at ARGS:message." above shows the phrase that was matched, which in this case was the domain www.example.com. Please look for that line your audit log entry, which will show you which domain was blocked by this rule.
```


**Troubleshooting:**

**False Positives:**

A false positive can occur when a domain is not bounded, due to the parallel matching technique used to do the blocklist searches, or if a domain has previously been used to abuse or spam and is no longer engaging in this activity.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

https://wiki.atomicorp.com/wiki/index.php/ASL_FAQ#How_are_spam_domains_added.3F

https://wiki.atomicorp.com/wiki/index.php/ASL_FAQ#How_are_spam_domains_aged_out.3F

https://wiki.atomicorp.com/wiki/index.php/ASL_FAQ#Do_you_use_third_party_spam_domain_lists.3F


# WAF Rule ID 300299  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible Link Spam 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 3 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Possible Link Spam

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300079  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post) 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 18 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rule detects the use of four or more URLs in a single post. This rule is part of the anti spam rule family, and is a simple method of detecting possible URL spamming.

If you wish to allow this, then disable this rule.


**Troubleshooting:**

**False Positives:**

The rule is very simple, and only detects four or more urls, it does not make any determination if these are spam urls or non-malicious urls. If you wish to allow the posting of four or more URLs, please disable this rule.




Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300023  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post) 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 1 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rule detects if 4 or more HTML marked up or application specific marked URLs are included in a single post.

This rule works by detecting the use of a URL as either an HTML argument, or an application specific (i.e. url=) URL included in a POST.


**Troubleshooting:**

**False Positives:**

A false positive can occur when an application legitimately allows a user to submit 4 or more URLs in a POST, for all potential uses and users. For example, a forum software packages user posting application would not be an example of this, as some forums may be configured to not allow 4 or more URLs on a post. This rule was developed specifically because some forum software packages do not restrict the amount of URLs in a post, and this method is used by spammers to fill forums and blogs with link spam.

An administrator authenticate application that takes a series of URLs as arguments would be an example of a potential false positive. The rules contain a large library of known web applications and safe methods for using URLs, and can detect known safe methods and ignore them. However it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule, or for an application to this in a manner where it is simply not possible for the WAF to know if this was authorized. The intent of this rule to assist with web spam attacks, where a spammer attempts to post a series of URLs on wiki, forum, blog or other site. The rules will try to determine if this is authorized, but not all web application provide a means of detecting this and so the rules catch those cases where it way not be able to do this, or where an actual spamming event may have occurred.

If you have a false positive, its recommended that you follow the tuning guidance below.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

If you know that this behavior is acceptable for your application, and you know the application has a trusted means of showing this action should be allowed, you can tune it by identifying the argument that is being triggered, and specifically allowing that argument for that application to allow a URL. 


If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300182  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible Spam: Mixed URL posting types - possible spam 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 18 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rule detects mixed URL posting types that some forums, content management systems, guestbooks, blogs and other web application support. For example, a web application may support the tag "url" or it may support the tag "link" which is used to allow a user to either hyperlink some text, or to designate a URL as "clickable" to the end user. No product is known to support both types, they either support "link" or "url", but not both.

Spammers will often try to post links blindly to a forum, blog or other public site or comment system using both tag types in the hopes that the application will support one, or the other tag. As most we applications will just ignore the invalid type, this method of spamming is very effective.

This rules works by detecting when a post contains both types of link tags.


**Troubleshooting:**

**False Positives:**

A false positive can occur when an application legitimately supports both types. No known web application supports both types.

A false positive can also occur if a user accidentally, or deliberately uses both types of markup not knowing which the application supports.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

If you know that this behavior is acceptable for your application, you can tune it by identifying the argument that is being triggered, and specifically allowing that argument for that application to allow a URL.


If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

[WAF_300282](https://docs.atomicorp.com/rules/waf/WAF_300282)



**Outside References:**

None.

# WAF Rule ID 300282  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible Spam: Broken URL posting type - possible spam 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 2 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rules detects when a post is made using broken forum, CMS or other user generated URL formats. For example this format:

```
[url=http://www.example.com]some link[/url]
```

Is commonly used by many forum and CMS tools. Some spam tools will attempt to post spam urls to a site, but will post broken urls, for example not closing the url, or injecting multiple url= url= variables in a row.


**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

If you know that this behavior is acceptable for your application, you can tune it by identifying the argument that is being triggered, and specifically allowing that argument for that application to allow a URL.


If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300302  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible Spam Link 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 2 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Possible Spam Link

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300313  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible Spam Link 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 2 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Possible Spam Link

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 391100  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible spammer signup for forum 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 1 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Possible spammer signup for forum

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300056  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible Spam: Hidden Text Exploit 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 7 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- replaceComments

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Possible Spam: Hidden Text Exploit

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300076  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Hidden Text Detected 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 29 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- replaceComments

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rules detects patterns commonly used by web spammers and malware. This by itself may not be an attack.

Specifically this rule detects the use of content markup methods that "hide" the content. For example, methods that make text hidden (but is still loaded by a web browser), or that make sections of a page invisible but potentially still visible to a search engine of browser.


**Troubleshooting:**

**False Positives:**

A false positive can occur when a website legitimately uses this type of content, or if there is an error in the patterns used to detect this. The rules contain a large library of known web applications and safe methods for using this content, such as administrative functions, and can detect known safe methods and ignore them. However it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300032  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Gambling or Poker Content (Disable this rule if you wish to allow that content) 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 11 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rules detects if a clients actions, such as a post or a request, contains content associated with gambling. This may be authorized for your site, and if it is you will want to disable this rule.



**Troubleshooting:**

**False Positives:**

This rule specific detects gambling content. If this occurs for a purely administrative function please report this as a false positive. If this occurs with normal user interaction with your site, then please do not report this as a false positive as the rule is working as intended.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300028  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Spam: Gambling 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 2 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Spam: Gambling

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300042  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible Spam: Weight Loss 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 4 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rule detects posts weight loss content. Some sites restrict this type of content either to prevent spamming or for legal reasons. If your site allows this type of content, disable this rule.


**Troubleshooting:**

**False Positives:**

A false positive can occur when sites allow this content. The rules contain a large library of known administrative functions that would need to use this content (such as blocking this content, or adding this content to a website). The rules deliberately do not allow non-administrative users, such as forum or blog thread users to post this type of content. This rule is designed to prevent those types of users from posting this type of content (not admins).

If you know that this action was purely administrative, and not a regular user, please report this as a false positive.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

[WAF_300061](https://docs.atomicorp.com/rules/waf/WAF_300061)
[WAF_300038](https://docs.atomicorp.com/rules/waf/WAF_300038)



**Outside References:**

None.

# WAF Rule ID 300051  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible Spam: General 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 10 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rules detects generic spam and content associated with spam (Rolex for example). This is a broad rule, designed to detect this content, but not necessarily to detect its "spaminess". Therefore, if your site allows this type of content you will need to disable this rule.



**Troubleshooting:**

**False Positives:**

A false positive can occur if this type of content is allowed on the site.




Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300010  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Spam: Male Enhancement Spam 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 2 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Spam: Male Enhancement Spam

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300040  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Spam: Pharmacy 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 10 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Spam: Pharmacy

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300061  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible Spam or Restricted content: Pharmacy and/or Drug content detected 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 25 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rule detects posts pharmacy and prescription drug content. Some sites restrict this type of content either to prevent spamming of pharmacetucial sites, or for legal reasons. If your site allows this type of content, disable this rule.




**Troubleshooting:**

**False Positives:**

A false positive can occur when sites allow this content. The rules contain a large library of known administrative functions that would need to use this content (such as blocking this content, or adding this content to a website). The rules deliberately do not allow non-administrative users, such as forum or blog thread users to post this type of content. The rules is designed to prevent those types of users from posting this type of content (not admins).

If you know that this action was purely administrative, and not a regular user, please report this as a false positive.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

[WAF_300038](https://docs.atomicorp.com/rules/waf/WAF_300038)



**Outside References:**

None.

# WAF Rule ID 300011  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Spam: Pharmacy 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 12 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rules detects patterns commonly used by web spammers when attempting to post pharmacy type spam on web forums, blogs, comment systems, wikis and other websites. This by itself may not be an indication of spam if the website normally allows this type of content.


**Troubleshooting:**

**False Positives:**

A false positive can occur when a website legitimately uses this type of content, or if there is an error in the patterns used to detect this. The rules contain a large library of known web applications and safe methods for using this content, such as administrative functions, and can detect known safe methods and ignore them. However it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule.

If your website allows Pharmacy related content, simply disable this rule.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300038  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Spam: Pharmacy 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 12 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rule detects posts pharmacy and prescription drug content. Some sites restrict this type of content either to prevent spamming of pharmacetucial sites, or for legal reasons. If your site allows this type of content, disable this rule.


**Troubleshooting:**

**False Positives:**

A false positive can occur when sites allow this content. The rules contain a large library of known administrative functions that would need to use this content (such as blocking this content, or adding this content to a website). The rules deliberately do not allow non-administrative users, such as forum or blog thread users to post this type of content. The rules is designed to prevent those types of users from posting this type of content (not admins).

If you know that this action was purely administrative, and not a regular user, please report this as a false positive.




Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

[WAF_300061](https://docs.atomicorp.com/rules/waf/WAF_300061)



**Outside References:**

None.

# WAF Rule ID 300065  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Spam: Adult Content Detected 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 11 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rule detects if potential adult content is detected in a post.




**Troubleshooting:**

**False Positives:**

A false positive can occur when this type of content is allowed.




Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300068  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible Spam: Adult Content Detected 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 9 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Possible Spam: Adult Content Detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300057  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Spam: Adult 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 8 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Spam: Adult

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300003  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Spam: Adult Video 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 12 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Spam: Adult Video

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300004  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Spam: Adult 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 7 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Spam: Adult

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300074  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Spam: Adult 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 23 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rules detects if a clients actions, such as a post or a request, contains content associated with adult content. This may be authorized for your site, and if it is you will want to disable this rule.




**Troubleshooting:**

**False Positives:**

This rule specific detects adult content. If this occurs for a purely administrative function please report this as a false positive. If this occurs with normal user interaction with your site, then please do not report this as a false positive as the rule is working as intended.




Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300078  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Spam: Adult 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 6 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Spam: Adult

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300069  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Spam: Commercial 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 26 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Spam: Commercial

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300066  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Spam: Commercial 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 26 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rules detects content of a commercial nature. This may indicate spamming activity is under way.



**Troubleshooting:**

**False Positives:**

A false positive can occur if you allow this type of content on your website.




Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

[WAF_360000](https://docs.atomicorp.com/rules/waf/WAF_360000)

[WAF_360002](https://docs.atomicorp.com/rules/waf/WAF_360002)

[WAF_360003](https://docs.atomicorp.com/rules/waf/WAF_360003)

[WAF_360004](https://docs.atomicorp.com/rules/waf/WAF_360004)

[WAF_360005](https://docs.atomicorp.com/rules/waf/WAF_360005)



**Outside References:**

None.

# WAF Rule ID 300071  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible SEO or spamware content 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 13 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rules detects if a post contains content regarding search engine optimization.




**Troubleshooting:**

**False Positives:**

A false positive can occur when a website legitimately uses this type of content (an SEO website for example), or if there is an error in the patterns used to detect this type of spam. The rules contain a large library of known web applications and safe methods for using this content, such as administrative functions, and can detect known safe methods and ignore them. However it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule.

It is not recommended that you disable this rule if your site does not allow SEO content. If your site does allow this type of content, then you will want to disable this rule.

If your site does not allow SEO content, and you believe this is a false positive (it does not contain SEO content), please report this to our security team. Instructions to report false positives are detailed on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300049  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible SEO or spamware content 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 2 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Possible SEO or spamware content

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300035  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible spam content 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 3 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Possible spam content

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300186  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible Generic Forum Spam 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 3 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Possible Generic Forum Spam

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300030  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible Travel spam content 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 2 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Possible Travel spam content

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300031  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible Travel spam content 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 1 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Possible Travel spam content

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300033  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible Travel spam content 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 1 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Possible Travel spam content

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300072  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Spam: Degree Mill 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 2 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Spam: Degree Mill

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300080  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Free antivirus/spyware Link/Content 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 5 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rules detects content about free antivirus, antimalware and anti spyware software. Some websites do not allow this type of content, as it is also used by fake antivirus companies and scammers that advertise free antivirus software that actually contains malware.

Disable this rule if you website allow this type of content.


**Troubleshooting:**

**False Positives:**


A false positive can occur when a website legitimately uses this type of content, or if there is an error in the patterns used to detect this type of spam. The rules contain a large library of known web applications and safe methods for using this content, such as administrative functions, and can detect known safe methods and ignore them. However it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule.

It is not recommended that you disable this rule if your site does not allow this type content. If your site does allow this type of content, then you will want to disable this rule.



Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300060  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible Spam/Malware Link/Content 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 1 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Possible Spam/Malware Link/Content

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300184  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible spam content 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 3 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Possible spam content

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300185  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Essay spam content 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 4 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Essay spam content

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300188  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible Illegal Activity Forum Spam 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 1 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Possible Illegal Activity Forum Spam

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300189  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible Illegal Activity Forum Spam 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 3 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Possible Illegal Activity Forum Spam

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300301  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Reseller spam 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 1 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Reseller spam

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300303  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible visa spam 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 1 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Possible visa spam

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300304  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible job search spam 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 1 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Possible job search spam

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300311  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible loan spam 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 2 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rules detects content about advanced loans, payday loans and other similar content. This is a broad rule, designed to detect this content, but not necessarily to detect its "spaminess". Therefore, if your site allows this type of content you will need to disable this rule.



**Troubleshooting:**

**False Positives:**

A false positive can occur if this type of content is allowed on the site.




Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 301311  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Spam: Session Splitting Spam Attempt 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 2 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rules detects when a client attempts, and fails to issue what is sometimes referred to as a "session splitting" attack. This type of attack attempts to trick the web server into thinking its serving one request, when its serving another. This attack method is also used to try and trick a WAF into not looking at the second, or "real" request which includes the real payload and attack.

This particular rule catches a method that spammers use to try and post spam to a website, and sometimes to register with a forum, blog, CMS or other web application that requires registration.


**Troubleshooting:**

**False Positives:**

None. This rule only detects completely invalid requests, there is no known legitmiate action that would trigger this rule.



Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300200  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Spam: Hidden Text 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 1 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Spam: Hidden Text

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300201  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible Spam: Hidden Text Detected 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 2 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Possible Spam: Hidden Text Detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 300081  

***  

**Alert message:** Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post) 

**Rule Class:** Generic Attack Ruleset (30_asl_antispam.conf)

**Version:** 1 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post)

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

