Any ideas on how to fix this?

I couldn't get past the confusion engendered by the underlying premise. Why would you need to use cPanel rather than putting the rule directly into the config file (or, presumably, an Include that is dedicated to mod_security alone)? Introducing a middleman only creates more ways things can go wrong.

Hi Lucy, thanks for the response.

I think you have helped me with .htaccess questions years ago.

I'm a bit surprised by your response - or perhaps confused. ModSecurity is installed by default in WHM on my VPS (and I suspect most with WHM/cPanel).

Under the tools menu one has the option to add custom rules that can protect the entire VPS (or be limited to specific domain(s) AFAIK).

Documentation: [documentation.cpanel.net...]

I want this protection across the entire VPS, rather than going domain by domain to install a duplicate solution that will need updating, etc.

I'd be grateful for any help - from you or anyone else with ideas. Thank you!

The part I was trying to figure out is where the rule ends up getting installed, because usually when I think cPanel I think shared hosting, which means htaccess, which means you can't use mod_security--unless the site is using a truly ancient version. But you said VPS, meaning that cPanel will in some way talk to the config file? Now I understand why you're doing this in mod_security rather than, say, in mod_rewrite, which would have inheritance issues unless you've taken full advantage of the 2.4 inheritance options.

But the more important question is what, exactly, REQUEST_BODY covers: everything that is sent in, or just the part that shows up in server access logs? The content of an email is neither a part of the request itself (including query string) nor hidden in an associated header, so I'm worried that it may simply be out of mod_security's purview.

Option B is to write some additional php to do further mail filtering. The code wouldn't have to be repeated for every site; you can put it somewhere in the VPS and then let each site Include it (using the physical filepath instead of the more common document-root approach).

It is actually WHM - so allegedly - the entire (virtual) server sees it.

(WHM >> Home >> Security Center >> ModSecurity™ Tools)

As far as I know request_body will inspect the contact form body on submission. I've been searching online, etc., and this stuff is making my head spin. One issue I've just uncovered is a flag that must be set in the configuration (I don't think it is per rule but I may be wrong) and that is the instruction to allow body inspection.

Something like: SecRequestBodyAccess On

I've just poured over WHM again and can't find anywhere to inspect/change that - nor has Google been helpful*. Clearly, if that is set to "off" all the calls in the rules won't make any difference. Grrr.

*I did see one site that said I can add it in the tools > rules list which I tried/tested but no effect.

Thank you for the php idea. My command line host skills are limited - all the hosting management I do is for my own biz as an adjunct to my real work (which is also very technical as I imagine you'd guess from my screen name). Anywho, thank you so very much for taking a look.