Exim system filter sample config

# Exim filter

### Precautions, precautions...

# Drop out if the message is an error message.

if error_message then finish endif

### Assorted spam filtering stuff follows

## My users are trustworthy (because they're me!) - don't check locally sent mail.
if "arkane.demon.co.uk:arkane.net:arkane.co.uk" contains $sender_address_domain then
finish
endif

## Arrange log file
logfile /exim/filterlog

## First, handle the white list
# These are the blessed mail addresses which don't get filtered.
# And always allow postmaster mail through.

if "${lookup {${lc:$sender_address}}dbm{/etc/filters/whitelist} {white} {grey}}" is white or
$header_to: contains "postmaster@" then
finish
endif

## If they've used the magic word, let the mail go through.
if $header_subject: contains "DELETED FOR PUBLIC CONSUMPTION" then
finish
endif

## Then, handle the black list.
# Bounce all mail from these sites or addresses with a nasty message.

if "${lookup {${lc:$sender_address_domain}}dbm{/etc/filters/blacklist} {black} {grey}}" is black or
"${lookup {${lc:$sender_address}}dbm{/etc/filters/blacklist} {black} {grey}}" is black then
fail
finish
endif

## Heuristic spam filtering

# Tell-tale spam headers - X-UIDL, X-PMFLAGS, X-Advertisement

if "${if def:header_x-uidl: {spam}}" is spam then
log "message $message_id from $header_from: to $header_to: failed.\n\
x-uidl header indicates probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif

if "${if def:header_x-1: {spam}}" is spam then
log "message $message_id from $header_from: to $header_to: failed.\n\
x-1 header indicates probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif

if "${if def:header_x-pmflags: {spam}}" is spam then
log "message $message_id from $header_from: to $header_to: failed.\n\
x-pmflags header indicates probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif

if "${if def:header_x-advertisement: {spam}}" is spam then
log "message $message_id from $header_from: to $header_to: failed.\n\
x-advertisement header indicates probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif

# Authenticated sender, and not from pegasus

if "$h_comments" contains "authenticated sender" and
"$h_x-mailer" does not contain "pegasus" then
log "message $message_id from $header_from: to $header_to: failed.\n\
authenticated sender (not from pegasus) indicates probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif

# Claims to be from hotmail.com
if "$h_from" contains "hotmail.com" and
"${if !def:header_x-originating-ip {nospam}}" is nospam then
log "message $message_id from $header_from: to $header_to: failed.\n\
claimed to be from hotmail, but not verifiable - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif

# claims to be from juno.com

if "$h_from" contains "juno.com" and
"${if def:header_x-mailer {juno} {spam}}" is spam then
log "message $message_id from $header_from: to $header_to: failed.\n\
claimed to be from juno, but not verifiable - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif

# Broken message-IDs

if $header_message-id does not contain "@" then
log "message $message_id from $header_from: to $header_to: failed.\n\
Message-ID does not contain '@' - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif

# Is the host (From||To) numeric?

if "$header_from: $header_to:" matches "@\\\\d+\\." then
log "message $message_id from $header_from: to $header_to: failed.\n\
From: or To: header contains numeric hostname - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif

# Is the local-part numeric and 8 digits?

if $local_part matches "^\\\\d{8}\\$" then
log "message $message_id from $header_from: to $header_to: failed.\n\
Local part is an 8 digit numeric - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif

# Is the To: address contained in the From: address?
if ( $header_from: contains $header_to: )
and ( "${if def:header_to: {present}}" is present ) then
log "message $message_id from $header_from: to $header_to: failed.\n\
From: contains To: which indicates probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif

# Is neither a To: nor a Cc: header present?
if ( "${if def:header_to: {present}}" is not present )
and ( "${if def:header_cc: {present}}" is not present ) then
log "message $message_id from $header_from: to $header_to: failed.\n\
Neither To: nor Cc: headers present - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif

# Other funny Received headers?
if $header_received: contains "[000.000.000.000]" then
log "message $message_id from $header_from: to $header_to: failed.\n\
Received: included the invalid IP [000.000.000.000] - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif

if $header_received: contains "-0600 (EST)" then
log "message $message_id from $header_from: to $header_to: failed.\n\
Received: included the dubious time zone setting -0600 (EST) - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif

if $header_received: contains "CLOAKED" then
log "message $message_id from $header_from: to $header_to: failed.\n\
Received: included the string 'CLOAKED' - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif

# Bcc'ed to public addresses?
if ( $header_bcc: contains "-usenet" ) or
( $header_bcc: contains "-sig" ) then
log "message $message_id from $header_from: to $header_to: failed.\n\
Bcc'ed to a public address (-usenet or -sig) - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif

# Bogus To: headers.
if $header_to: contains "Friend@" then
log "message $message_id from $header_from: to $header_to: failed.\n\
To: header included bogus local-part 'Friend' - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif

if $header_to: contains "you@" then
log "message $message_id from $header_from: to $header_to: failed.\n\
To: header included bogus local-part 'you' - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif

### That's it!

Posted in Tags: | 0 comments

Exim ACL Spam Filters Config

Stopping Spam in the ACL

Exim ACL Spam Filters

This is a mirror of http://vamos-wentworth.org/exim-tricks.html (with a few very minor amendments).
I have been unable to get to the site since September, so I decided to mirror the above URL. It was very useful information for me when I first started out with exim, hence my sharing it.

All credit goes to the original author. THIS IS NOT A DOCUMENT WRITTEN BY MYSELF, so all rights go to the original author, rossz-work [at] vamos-wentworth [dot] org, as well.

These antispam tips are for Exim 4.x. If you don't know how to modify the helo, rcpt, and data ACLs, then these suggestions won't do you much good.

###############################################################################
HELO ACL
###############################################################################

You can block a lot of spammers right after they say HELO. They have a tendency to lie but, fortunately, it's often easy to catch them in their lie.

The first thing a remote system is supposed to do when it connects is to say "HELO domain.com". It is legal to use an IP address in the HELO, but that form is losing acceptance. A spammer might try to HELO with your own IP address. There is absolutely no legitimate reason for someone else to use your IP address here. Plug your own IP address in here where it says ##.##.##.##. Repeat this for each IP address you handle.

deny message = HELO/EHLO with my ip address. You are not me.
log_message = HELO/EHLO my.ip
condition = ${if eq {$sender_helo_name}{##.##.##.##} {yes}{no}}

Basically the same thing as the previous filter, but using your domain name instead of your ip address. You should repeat this filter for each domain you control.

deny message = HELO/EHLO with my domain name. You are not me.
log_message = HELO/EHLO my.domain
condition = ${if match {$sender_helo_name}{your-domain.com} {yes}{no}}

Giving a domain name of 'none' isn't valid, so tell them to bugger off. This filter can be left out since the "period" filter below will catch it.

deny message = No HELO/EHLO name specified.
log_message = HELO/EHLO none
condition = ${if match {$sender_helo_name}{none} {yes}{no}}

A remote system saying they are localhost? Sure they are. This filter can also be omitted if you use the "period" filter below.

deny message = You are not localhost.
log_message = HELO/EHLO localhost
condition = ${if match {$sender_helo_name}{localhost} {yes}{no}}

A proper domain will contain at least one period. A good percentage of spam worms HELO with random characters without a period.

deny message = Invalid HELO/EHLO. You are either spam/a virus, or your system administrator has incorrectly configured your network.
condition = ${if match{$sender_helo_name}{\\.}{no}{yes}}
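Added example (shell; not part of the mirrored article and not Exim's own tooling): a dry run of the HELO rules above over a list of HELO names, so the rule set can be checked against HELO names taken from your own logs before it goes live. MY_IPS and MY_DOMAINS are assumed values standing in for the ##.##.##.## and your-domain.com placeholders, and the domain rule is an exact comparison here, whereas the article's "match" is an unanchored regex. One detail the dry run makes visible: the article compares $sender_helo_name with "eq", so the address-literal form "[##.##.##.##]" would not hit the my-ip rule; the function below treats both forms as your own address, which is an assumption about what is wanted.

```shell
#!/bin/sh
# Added example, not from the page: dry-run the HELO ACL rules over HELO names.
# MY_IPS / MY_DOMAINS are assumed values for the ACL's ##.##.##.## and
# your-domain.com placeholders.
MY_IPS="192.0.2.10 192.0.2.11"
MY_DOMAINS="example.com mail.example.com"

# helo_verdict NAME -> prints the log_message of the first rule that fires,
# or "accept". Rules are tried in the article's order.
helo_verdict() {
    name=$1
    for ip in $MY_IPS; do
        # The ACL uses eq, so "[a.b.c.d]" would slip past it; both forms are
        # treated as our own address here (assumption).
        if [ "$name" = "$ip" ] || [ "$name" = "[$ip]" ]; then
            echo "HELO/EHLO my.ip"; return 0
        fi
    done
    for d in $MY_DOMAINS; do
        if [ "$name" = "$d" ]; then
            echo "HELO/EHLO my.domain"; return 0
        fi
    done
    case $name in
        none)      echo "HELO/EHLO none"; return 0 ;;
        localhost) echo "HELO/EHLO localhost"; return 0 ;;
        *.*)       ;;                        # has a period: passes the period rule
        *)         echo "HELO/EHLO no period"; return 0 ;;
    esac
    echo accept
}

# count_denied reads one HELO name per line, prints how many would be denied
count_denied() {
    n=0
    while IFS= read -r h; do
        if [ "$(helo_verdict "$h")" != accept ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed HELO names (not taken from a real log).
SAMPLE_HELOS='mx1.partner.example
192.0.2.10
[192.0.2.10]
example.com
localhost
none
abcxyz
[198.51.100.4]'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_HELOS" | while IFS= read -r h; do
        printf '%-20s %s\n' "$h" "$(helo_verdict "$h")"
    done
fi
```

Run it with "--demo" to see each sample name beside the rule that catches it; feeding it the HELO names from your own reject log shows how many legitimate senders the period rule would turn away.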

###############################################################################
RCPT ACL
###############################################################################

Spammers like to forge some big names when they send you email. We can't easily check all of them, not until Sender Permitted From (SPF) is widely used. At least we can check for some of the most commonly abused domains, Yahoo, Hotmail, MSN, and AOL. These four filters will reject email with forged From: addresses containing the "big four" domains.

#Fake Yahoo
deny message = Suspected Faked Yahoo Account, E-mail Rejected.
log_message = Fake Yahoo
senders = *@yahoo.com
condition = ${if match{$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}

#Fake Hotmail
deny message = Suspected Faked Hotmail Account, E-mail Rejected.
log_message = Fake hotmail
senders = *@hotmail.com
condition = ${if match {$sender_host_name}{\Nhotmail.com$\N}{no}{yes}}

#Fake MSN
deny message = Suspected Faked MSN Account, E-mail Rejected.
log_message = Fake MSN
senders = *@msn.com
condition = ${if match {$sender_host_name}{\N(hotmail|msn).com$\N}{no}{yes}}

# Fake AOL
deny message = Suspected Faked AOL Account, E-mail Rejected.
log_message = Fake AOL
senders = *@aol.com
condition = ${if match {$sender_host_name}{\Nmx.aol.com$\N}{no}{yes}}

Of course, using a few good blacklists is a good idea. I put my blacklist checks immediately after the big four filters.

###############################################################################
DATA ACL
###############################################################################
A valid email should have a message id. Spamming software (and viruses) often don't. So refuse them. Note, this filter has been known to break the rare email sent from a highly customized Qmail server. Personally, I don't care.

deny condition = ${if !def:h_Message-ID: {1}}
message = Message SHOULD have Message-ID: but does not

Email should have a proper date. So goodbye if it doesn't.

deny condition = ${if !def:h_Date: {1}}
message = Message SHOULD have Date: but does not

You'll need the Exiscan patch for the mime handling to work.

Required to do any mime handling, plus, a broken mime attachment might be an attempt to infect or break into your system.

deny message = Serious MIME defect detected ($demime_reason)
log_message = Broken MIME ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}

Refuse dangerous attachments. This gets a large number of viruses. It also catches a lot of spam with hidden surprises.

deny message = $found_extension files are not accepted here
log_message = Dangerous extension ($found_extension)
demime = com:vbs:bat:pif:scr:exe

For Windows clients, Microsoft has included a lovely little surprise. It is possible to attach a file with a CLSID in the name which causes Windows to hide the file extension. This is entirely independent of the "Hide file extensions for known file types" folder option. This is extremely dangerous, so let's just refuse the bastards.

deny message = Hiding of file extensions is not allowed!
log_message = Dangerous extension (CLSID hidden)
regex = ^(?i)Content-Disposition::(.*?)filename=\\s*"+((\{[a-hA-H0-9-]{25,}\})|((.*?)\\s{10,}(.*?)))"+\$
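Added example (shell; not from the mirrored article and not part of exiscan): the CLSID / padded-filename rule above, ported to a POSIX extended regex and run over constructed Content-Disposition headers, so you can see what it catches and what it misses before it goes into a live DATA ACL. The port uses grep -i in place of (?i) and greedy .* in place of .*?. The article's pattern only fires when the quoted filename is nothing but a {CLSID}, so a second, broader pattern (an assumption, not on the page) is added for the usual form of the trick, where the CLSID is appended after a harmless-looking name.

```shell
#!/bin/sh
# Added example, not from the page: check the hidden-extension rule against
# sample Content-Disposition headers with grep -E.

# Page rule (ERE port): quoted filename that is ONLY a {CLSID}, or that hides
# the real extension behind 10+ spaces.
PAGE_RULE='^Content-Disposition:.*filename=[[:space:]]*"+([{][a-hA-H0-9-]{25,}[}]|.*[[:space:]]{10,}.*)"+$'

# Broader rule (assumption, not from the page): a {CLSID} anywhere at the end
# of the filename, e.g. readme.txt.{CLSID}, which Windows displays as readme.txt.
CLSID_ANYWHERE='^Content-Disposition:.*filename=[[:space:]]*"+.*[{][0-9A-Fa-f-]{25,}[}]"+$'

# classify_header HEADER_LINE -> prints "deny" or "accept"
classify_header() {
    line=$1
    if printf '%s\n' "$line" | grep -Eiq "$PAGE_RULE"; then
        echo deny; return 0
    fi
    if printf '%s\n' "$line" | grep -Eiq "$CLSID_ANYWHERE"; then
        echo deny; return 0
    fi
    echo accept
}

# count_denied reads header lines on stdin, prints how many are denied
count_denied() {
    n=0
    while IFS= read -r l; do
        if [ "$(classify_header "$l")" = deny ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample headers; the CLSID value is made up, not a real one.
SAMPLES='Content-Disposition: attachment; filename="{01234567-89AB-CDEF-0123-456789ABCDEF}"
Content-Disposition: attachment; filename="readme.txt.{01234567-89AB-CDEF-0123-456789ABCDEF}"
Content-Disposition: attachment; filename="invoice.doc                         .exe"
Content-Disposition: attachment; filename="quarterly-report.pdf"
Content-Disposition: inline; filename="photo.jpg"'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLES" | while IFS= read -r l; do
        printf '%s  %s\n' "$(classify_header "$l")" "$l"
    done
fi
```

The second sample is the case worth noting: the article's regex lets "readme.txt.{CLSID}" through, and only the broader pattern stops it.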

http://vamos-wentworth.org/exim-tricks.html
http://www.carbonstudios.co.uk/site/44/180.html


Apache load testing

The apache package itself ships a program called ab (ApacheBench).
ApacheBench is mainly used to measure how efficiently apache performs.

ab options:
Usage: /usr/sbin/ab [options] [http[s]://]hostname[:port]/path
Options are:
-n requests Number of requests to perform
-c concurrency Number of multiple requests to make
-t timelimit Seconds to max. wait for responses
-p postfile File containg data to POST
-T content-type Content-type header for POSTing
-v verbosity How much troubleshooting info to print
-w Print out results in HTML tables
-i Use HEAD instead of GET
-x attributes String to insert as table attributes
-y attributes String to insert as tr attributes
-z attributes String to insert as td or th attributes
-C attribute Add cookie, eg. 'Apache=1234' (repeatable)
-H attribute Add Arbitrary header line, eg. 'Accept-Encoding: zop'
Inserted after all normal header lines. (repeatable)
-A attribute Add Basic WWW Authentication, the attributes
are a colon separated username and password.
-P attribute Add Basic Proxy Authentication, the attributes
are a colon separated username and password.
-X proxy:port Proxyserver and port number to use
-V Print version number and exit
-k Use HTTP KeepAlive feature
-d Do not show percentiles served table.
-S Do not show confidence estimators and warnings.
-g filename Output collected data to gnuplot format file.
-e filename Output CSV file with percentages served
-s Use httpS instead of HTTP (SSL)
-h Display usage information (this message)

Example: perform 1000 connections, 20 of them concurrent (in parallel, at the same time).
Syntax: ab -n 1000 -c 20 http://localhost/abc.php
In the resulting output, the main figures to watch are the following.
Time taken for tests: the total time the run took (how long the 1000 requests above took in all).
Requests per second: how many connections can be handled per second on average.
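Added example (shell; not from the post and not part of ApacheBench): pull the two figures named above out of ab's report and turn them into a pass/fail check, the kind of thing you would run after a configuration change to confirm throughput did not regress. ab itself is not run here; the report text is constructed to look like the summary ab prints.

```shell
#!/bin/sh
# Added example, not from the page: parse ab's summary and enforce a floor on
# "Requests per second".

# ab_field KEY < report -> prints the first number on the "KEY:" line
ab_field() {
    awk -F: -v key="$1" '
        $1 == key {
            sub(/^[ \t]+/, "", $2)    # strip the padding after the colon
            split($2, parts, " ")
            print parts[1]
            exit
        }'
}

# rps_at_least FLOOR < report -> exit 0 if "Requests per second" >= FLOOR,
# exit 1 otherwise (awk does the floating-point comparison)
rps_at_least() {
    rps=$(ab_field "Requests per second")
    [ -n "$rps" ] || return 1
    awk -v r="$rps" -v f="$1" 'BEGIN { if (r + 0 >= f + 0) exit 0; exit 1 }'
}

# Constructed report, shaped like the summary ab prints after
#   ab -n 1000 -c 20 http://localhost/abc.php
SAMPLE_REPORT='Concurrency Level:      20
Time taken for tests:   4.123 seconds
Complete requests:      1000
Failed requests:        0
Requests per second:    242.54 [#/sec] (mean)
Time per request:       82.460 [ms] (mean)'

if [ "${1:-}" = "--demo" ]; then
    printf 'total: %ss, rps: %s\n' \
        "$(printf '%s\n' "$SAMPLE_REPORT" | ab_field 'Time taken for tests')" \
        "$(printf '%s\n' "$SAMPLE_REPORT" | ab_field 'Requests per second')"
    if printf '%s\n' "$SAMPLE_REPORT" | rps_at_least 200; then
        echo "rps floor met"
    else
        echo "rps below floor"
    fi
fi
```

In real use the report comes straight from the tool: "ab -n 1000 -c 20 http://localhost/abc.php | rps_at_least 200 || echo regression".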

Source: http://blog.longwin.com.tw/archives/000513.html


Php5.idv.tw


MLB: Hong-Chih Kuo hits the first home run ever by a Taiwanese player

An American reporter asked: "He is a player from Taiwan and the first to hit a home run; did you know that?" Dodgers coach Little replied: "I hadn't noticed that, but it was a beautiful swing. In fact, very few pitchers can hit the ball that far, especially a player who has only just come up to the major leagues."


Checking that an SMTPS or POP3S host's service is working.

openssl s_client -connect servername:465

smtps 465/tcp #smtp protocol over TLS/SSL (was ssmtp)


openssl s_client -connect servername:995

pop3s 995/tcp spop3 # pop3 protocol over TLS/SSL


Openwebmail error messages

openwebmail login has become slow
Add to cron:
/pathto/cgi-bin/openwebmail/openwebmail-tool.pl -q -a -p -i > /dev/null 2>&1
Hitting an openwebmail error message:
a user tries to log in to openwebmail
and gets a session error xxxoooxxx
Cause: the quota limit has been reached
Fix: edquota -u user

Viewing the IPs currently connected to this host and how many connections each has (Debian)
netstat -nta | fgrep "ESTABLISHED" | cut -b 43-75 | cut -d ':' -f1 | sort | uniq -c |sort -n -r --key=1,7 | head -25
netstat -nta | fgrep "SYN_RECV" | cut -b 43-75 | cut -d ':' -f1 | sort | uniq -c | sort -n -r --key=1,7 | head -25
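Added example (shell; not from the post): the same "who is connected, how many times" report as the two pipelines above, but keyed on netstat's columns rather than byte offsets (cut -b 43-75 breaks as soon as a local address is a different width, and the SYN_RECV version with IPv6 addresses), plus a threshold filter for a quick flood check. Input is netstat -nta output on stdin; the sample below is constructed from RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not from the page: column-based remote-address counting over
# netstat -nta output.

# count_remote_ips STATE < netstat-output -> "count ip" lines, busiest first
count_remote_ips() {
    awk -v st="$1" '$1 ~ /^tcp/ && $NF == st {
        addr = $5
        sub(/:[0-9*]+$/, "", addr)    # drop the remote port; keeps IPv4 or IPv6
        print addr
    }' | sort | uniq -c | sort -rn
}

# top_remote_ips STATE [N] -> the N busiest remote addresses (default 25)
top_remote_ips() {
    count_remote_ips "$1" | head -n "${2:-25}"
}

# busiest_ip STATE -> just the address with the most connections in STATE
busiest_ip() {
    top_remote_ips "$1" 1 | awk '{ print $2 }'
}

# over_threshold STATE N -> addresses holding at least N connections in STATE
over_threshold() {
    count_remote_ips "$1" | awk -v n="$2" '$1 >= n { print $2 }'
}

# Constructed netstat -nta output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:25           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.7:51240      ESTABLISHED
tcp        0      0 192.0.2.10:25           203.0.113.9:40001       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:40002       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:40003       SYN_RECV
tcp6       0      0 :::443                  :::*                    LISTEN'

if [ "${1:-}" = "--demo" ]; then
    echo "== ESTABLISHED =="
    printf '%s\n' "$SAMPLE_NETSTAT" | top_remote_ips ESTABLISHED
    echo "== SYN_RECV =="
    printf '%s\n' "$SAMPLE_NETSTAT" | top_remote_ips SYN_RECV
    echo "== 2+ established =="
    printf '%s\n' "$SAMPLE_NETSTAT" | over_threshold ESTABLISHED 2
fi
```

On a live host the input comes from the tool: "netstat -nta | top_remote_ips ESTABLISHED", or "netstat -nta | over_threshold SYN_RECV 50" to list only sources holding many half-open connections.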


Exim: disabling real accounts

Since exim's own configure file has no way to say that certain real accounts are temporarily disabled and should no longer receive mail, here is the method given on the exim-users list, which I have tested successfully; noting it down for reference.
vi /usr/exim/configure

Add under begin routers:

block_expired_accounts:
driver = redirect
domains = +local_domains
local_parts = /usr/exim/blocked/accounts
data = :fail: account closed
allow_fail

echo id > /usr/exim/blocked/accounts

chown exim /usr/exim/blocked/accounts

/etc/init.d/exim restart


Installing Exim with SASL

wget exim-xxx.tgz
tar -zxvf exim-xxx.tgz
cd exim-xxxx
cp src/EDITME Local/Makefile
vi Local/Makefile
Things to change:
EXIM_USER=exim (if you want exim to run as this user, remember to create it first)
#EXIM_MONITOR=eximon.bin
AUTH_CRAM_MD5=yes
AUTH_CYRUS_SASL=yes
AUTH_PLAINTEXT=yes
AUTH_LIBS=-lsasl2
SUPPORT_TLS=yes
TLS_LIBS=-lssl -lcrypto
TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto
TLS_INCLUDE=-I/usr/local/openssl/include/
CYRUS_PWCHECK_SOCKET=/var/pwcheck/pwcheck
CYRUS_SASLAUTHD_SOCKET=/var/run/saslauthd/mux
The lines above are the ones that must be uncommented to support SASL authentication; they are commented out by default.
LOG_FILE_PATH=/var/log/exim_%slog
wq
useradd -s /sbin/nologin exim
touch /var/log/exim_mainlog
^mainlog^paniclog
^paniclog^rejectlog
chown exim:exim /var/log/exim_*
make
make install
vi /usr/exim/configure
primary_hostname = yourdomain
hostlist relay_from_hosts = allow relay ip/submask
#host_lookup = *
Add to the begin authenticators section:

plain:
driver = plaintext
public_name = PLAIN
server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}

login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}

/usr/exim/bin/exim -bd -q15m   (starts exim as a daemon, with a queue run every 15 minutes)
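Added example (shell; not from the post and not part of Exim): build the AUTH PLAIN and AUTH LOGIN tokens a client sends, so the two authenticators configured above can be exercised by hand against your own server. The PLAIN token is base64 of "\0user\0pass"; Exim splits it on the NULs into $1 (authorization id, empty here), $2 (user) and $3 (password), which is why the PLAIN server_condition above passes $2 and $3 to saslauthd, while LOGIN sends the username and password base64-encoded one at a time, so they arrive as $1 and $2. The probe function's host name and the user/password values are assumptions; the probe is not run by default.

```shell
#!/bin/sh
# Added example, not from the page: SASL PLAIN / LOGIN token helpers for
# testing the authenticators on your own server.

# auth_plain_token USER PASS -> the single base64 argument for AUTH PLAIN
# (authzid is left empty, so Exim sees $1="" $2=USER $3=PASS)
auth_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# auth_login_tokens USER PASS -> two lines: the answers to the two LOGIN
# prompts, which Exim sees as $1 and $2
auth_login_tokens() {
    printf '%s' "$1" | base64 | tr -d '\n'; echo
    printf '%s' "$2" | base64 | tr -d '\n'; echo
}

# plain_token_fields TOKEN -> the decoded fields with NULs shown as commas,
# i.e. "authzid,user,pass", the way Exim's $1,$2,$3 are split out
plain_token_fields() {
    printf '%s' "$1" | base64 -d | tr '\000' ','
}

# smtp_auth_probe HOST USER PASS -> run the PLAIN exchange over STARTTLS
# against your own server (HOST is an assumption; use a test account).
# Expect a 235 reply on success and 535 when saslauthd rejects the credentials.
smtp_auth_probe() {
    printf 'AUTH PLAIN %s\nQUIT\n' "$(auth_plain_token "$2" "$3")" |
        openssl s_client -quiet -crlf -starttls smtp -connect "$1:25"
}

if [ "${1:-}" = "--demo" ]; then
    tok=$(auth_plain_token user pass)
    echo "AUTH PLAIN $tok"
    echo "decoded fields: $(plain_token_fields "$tok")"
    echo "LOGIN answers:"
    auth_login_tokens user pass
fi
```

Passing the password on the command line makes it visible in the process list, so keep the probe to a throwaway test account.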


Commonly used Exim options and commands

/usr/exim/bin/ (using my install path as the example)
-M force delivery
-Mar add recipients
-Meb edit the message body
-Mes edit the sender
-Mf freeze
-Mmad mark all the queued mail as delivered
-Mmd mark as delivered
-Mt thaw (unfreeze)

Removing from the queue
/usr/exim/bin/exim -Mrm removes the message from the spool, without producing any response message
-Mg removes it and produces a response message

Inspecting a message
/usr/exim/bin/exim -Mvb inspect the body
/usr/exim/bin/exim -Mvl inspect the log
/usr/exim/bin/exim -Mvh inspect the header

Checking the configuration

/usr/exim/bin/exim -bV confirm that the exim binary is usable and that the configure file is read successfully
/usr/exim/bin/exim -bP the values of all exim configuration settings (combine with grep to find the ones you need to check)
/usr/exim/bin/exim -bp all messages in the queue
/usr/exim/bin/exim -brt look up the retry rules that apply to a given domain

Upstream documentation: http://www.exim.org/exim-html-current/doc/html/spec_html/ch05.html
