Re: Drop Requests Containing Specific characters?
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 09/07/05
- In reply to: Martin Smith: "Drop Requests Containing Specific characters?"
Date: Wed, 7 Sep 2005 06:11:16 -0700
No, there are no built-in features in any web server to filter/reject by
character sequence. This ability belongs in an extension module.
URLScan has this ability but only for the URL. QueryString is naturally
of unknown decoding and hence cannot be realistically filtered for character
sequence. Request Headers and Form Entity are even more dubious to scan.
See this blog entry for the rationale and what is really going on:
http://blogs.msdn.com/david.wang/archive/2005/07/18/Why_URLScan_ignores_querystring_for_DenyUrlSequences.aspx
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Martin Smith" <MartinSmith@discussions.microsoft.com> wrote in message
news:C68EFBEA-6685-4BC6-B735-4070A6EF6BA8@microsoft.com...

Hi,

I am regularly getting error emails from my web pages due to automated
attempts to post maliciously crafted form content in an attempt to see if it
can be used for spamming. (Issue discussed further here
http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay).

There is a vast amount of IPs that are used and blocking the ones used so far
probably won't help that much. However all of the requests contain the
following string: "This+is+a+multi-part+message+in+MIME+format."

Is there any way (in IIS6) to configure it to just drop any posted requests
with this string?

Cheers,
Martin
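The "unknown decoding" point above, as an added example (not part of the original posts, and not URLScan or IIS code): a raw byte match for the string from the question misses equivalent encodings of the same form value, while a check placed where the form body is decoded catches them. The function names, the three-round decode limit and the sample request bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# The sequence exactly as quoted in the question ('+' is the wire form of a space).
WIRE_MARKER = b"This+is+a+multi-part+message+in+MIME+format."
# The same sequence after form decoding, lower-cased for comparison.
MARKER = "this is a multi-part message in mime format."


def raw_match(body: bytes) -> bool:
    """Naive server-level filter: literal byte search on the undecoded body."""
    return WIRE_MARKER in body


def _normalize(value: str) -> str:
    """Collapse whitespace runs and fold case before comparing."""
    return re.sub(r"\s+", " ", value).casefold()


def decoded_match(body: bytes, max_rounds: int = 3) -> bool:
    """Application-level check on an application/x-www-form-urlencoded body.

    Each field is decoded the way a form handler would, then decoded again
    (up to max_rounds levels, an assumed limit) in case a later layer
    decodes the value a second time.
    """
    pairs = parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    for _name, value in pairs:
        for _ in range(max_rounds):
            if MARKER in _normalize(value):
                return True
            again = unquote_plus(value)
            if again == value:  # nothing left to decode
                break
            value = again
    return False


# Constructed request bodies: one benign, four carrying the same decoded text.
SAMPLES = {
    "benign": b"name=Bob&comment=Hello+there",
    "plus": b"name=Bob&comment=This+is+a+multi-part+message+in+MIME+format.",
    "pct20": b"comment=This%20is%20a%20multi-part%20message%20in%20MIME%20format.",
    "pct_letter": b"comment=%54his+is+a+multi-part+message+in+MIME+format.",
    "double": b"comment=This%2520is%2520a%2520multi-part%2520message"
              b"%2520in%2520MIME%2520format.",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:11} raw={raw_match(body)!s:5} decoded={decoded_match(body)}")
```
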