Does userdata_bl_domains could block

Lately I have seen a lot of forms filled with domain “” that points to malicious code or to an spammer page.
So, I added “” to my userdata_bl_domains file but some of my customers complained that they use that a lot, so I had to delete that on my blacklist.
So, Is possible to add a line like “” on this rule or this rule is just for domains only?

Thanks in advance for your input.


it is possible to add a line like “” to the file “userdata_bl_domains” and rule will work.

Thank you.

I will will add those sites on my

Best Regards,

Hi, Cwaf_Team.

Do you have a reference guide where I can read how to properly used each of the userdata_bl_[filename]?
I am interested in one where I could add phrases or email addresses to a black list where to be checked when users posts comments on forms.


you can read

you can find in our rules files names, but in case with domains in the rule 210921 are additional conditions

ARGS|REQUEST_URI|XML:/* "(?:data|gopher|ogg|php|zlib|(?:f|ht)tps{0,1}):/

We can remove these conditions to pass complete control over domain to a users.

Actually what I was looking is to have a file like per example “user_bl_phrases” (just an example), where I could add any text that I will like to block in any web form in my server.

I mean if some one writes in the form an email like this:

or any text like this:
beauties in disguise

I will like to be able to add texts in a file like “user_bl_phrases” that mod security could check the list and proceed accordingly if the phrase is matched.

For now I really don’t know if Comodo rules has already a file for this.

Best Regards,

you can add your custom rule to track suspicious data

SecRule REQUEST_URI|ARGS|ARGS_NAMES|REQUEST_BODY|XML:/* "@pmFromFile userdata_bl_words" \
  msg:'COMODO WAF: Bad data is not allowed by policy||%{tx.domain}|%{tx.mode}|5',\

You should completely understand what parameters to track. Also, rule provided as example, without any warranties, could produce a lot of false positives.

I have tried the rule that you kindly wrote and modified it a bit, but it is not working.

Here is the rule:

SecRule REQUEST_URI|ARGS|ARGS_NAMES|REQUEST_BODY|XML:/* “@pmFromFile /mymodsec/userdata_bl_emails”
“id:110491,msg:‘SECMAS: Blocked email not allowed by policy||%{tx.domain}|%{tx.mode}|5’,phase:1,deny,status:403,log,rev:1,severity:5”

and the file userdata_bl_emails that is located at my directory /mymodesec/ contains per example:

I have escaped the @ and dots (.) and seems not working. Even it didn’t work with @ and dot not escaped.

What I pretend is that when someone writes those emails on a form, the IP is blocked.

Is there something wrong on my rule or data?

Thank you for your help.

Best Regards,