There are ways of getting under the mod_sec radar. That may be the case for this particular issue.
Normally if you were to put http://anything
as an argument in an URL on your server, mod_security would block it. If it isn't doing so then you need to check mod_security is actually running.
and right after that last php you add ?blah=
and then after that http://
and then after that blah.com
(sorry - don't wan't Scott's mod_sec blocking me)
You should get mod_sec triggering
Its the first thing I do when upgrading/changing.
Also try some of the other rules, like the blogspot one in blacklists.conf