Exim system filter sample config
Posted On 2007年6月26日 星期二 at 下午5:09 by Lani
# Exim filter
### Precautions, precautions...
# Exim system filter: the `fail` command used below is only available in
# system filters, so this file belongs in system_filter, not in a user's
# .forward filter. Every `fail` rejects the message (a delivery failure goes
# back to the envelope sender); every `finish` stops filter processing and
# lets normal delivery continue.
# Drop out if the message is an error message.
# Error messages (bounces) are exempted from every check below, so a bounce
# is never itself bounced.
if error_message then finish endif
### Assorted spam filtering stuff follows
## My users are trustworthy (because they're me!) - don't check locally sent mail.
# NOTE(review): `contains` is a substring test and $sender_address_domain is
# taken from the unauthenticated envelope sender, so this is not really a
# "locally sent" test: any MAIL FROM in one of these domains - or in a
# substring of them, e.g. demon.co.uk - skips every check in this file. An
# empty sender domain probably matches as well (confirm). Testing
# `$sender_host_address is ""` (local submission) would be a closer fit for
# the stated intent.
if "arkane.demon.co.uk:arkane.net:arkane.co.uk" contains $sender_address_domain then
finish
endif
## Arrange log file
# Destination of the `log` commands below. NOTE(review): confirm that the
# user the system filter runs as can write this path and that the file is
# not world-writable, since its contents are used for spam forensics.
logfile /exim/filterlog
## First, handle the white list
# These are the blessed mail addresses which don't get filtered.
# And always allow postmaster mail through.
# The whitelist DBM is keyed by the lower-cased envelope sender; the lookup
# yields "white" on a hit and "grey" otherwise. The postmaster clause is a
# substring test on the To: header, so "postmaster@" appearing anywhere in
# that sender-controlled header bypasses every check below.
if "${lookup {${lc:$sender_address}}dbm{/etc/filters/whitelist} {white} {grey}}" is white or
$header_to: contains "postmaster@" then
finish
endif
## If they've used the magic word, let the mail go through.
# Anyone who knows this phrase can bypass the filter; treat it as a
# convenience, not an access control.
if $header_subject: contains "DELETED FOR PUBLIC CONSUMPTION" then
finish
endif
## Then, handle the black list.
# Bounce all mail from these sites or addresses with a nasty message.
# Two DBM lookups: first by lower-cased sender domain, then by the full
# lower-cased sender address; either hit bounces the message.
if "${lookup {${lc:$sender_address_domain}}dbm{/etc/filters/blacklist} {black} {grey}}" is black or
"${lookup {${lc:$sender_address}}dbm{/etc/filters/blacklist} {black} {grey}}" is black then
fail
finish
endif
## Heuristic spam filtering
# Tell-tale spam headers - X-UIDL, X-PMFLAGS, X-Advertisement
# Each `def:` test below expands to "spam" when the named header is present.
# The log lines quote $header_from: and $header_to: verbatim, so
# attacker-supplied header text lands in the log file unescaped - keep that
# in mind for anything that parses the log.
if "${if def:header_x-uidl: {spam}}" is spam then
log "message $message_id from $header_from: to $header_to: failed.\n\
x-uidl header indicates probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
if "${if def:header_x-1: {spam}}" is spam then
log "message $message_id from $header_from: to $header_to: failed.\n\
x-1 header indicates probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
if "${if def:header_x-pmflags: {spam}}" is spam then
log "message $message_id from $header_from: to $header_to: failed.\n\
x-pmflags header indicates probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# NOTE(review): the header tested here is "x-advertisment" (no second 'e'),
# while the comment above and the log text say X-Advertisement. One of the
# two is probably a typo; confirm which spelling the spam actually carries.
if "${if def:header_x-advertisment: {spam}}" is spam then
log "message $message_id from $header_from: to $header_to: failed.\n\
x-advertisement header indicates probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Authenticated sender, and not from pegasus
# $h_ is the short form of $header_; "does not contain" is the negated
# substring test.
if "$h_comments" contains "authenticated sender" and
"$h_x-mailer" does not contain "pegasus" then
log "message $message_id from $header_from: to $header_to: failed.\n\
authenticated sender (not from pegasus) indicates probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Claims to be from hotmail.com
# Rejects when From: mentions hotmail.com but no X-Originating-IP header is
# present. NOTE(review): this header name has no trailing colon, unlike the
# other def: tests above - confirm Exim parses it the same way.
if "$h_from" contains "hotmail.com" and
"${if !def:header_x-originating-ip {nospam}}" is nospam then
log "message $message_id from $header_from: to $header_to: failed.\n\
claimed to be from hotmail, but not verifiable - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# claims to be from juno.com
# Rejects when From: mentions juno.com and there is no X-Mailer header (the
# expansion yields "juno" if the header exists, "spam" otherwise). Same
# trailing-colon remark as above.
if "$h_from" contains "juno.com" and
"${if def:header_x-mailer {juno} {spam}}" is spam then
log "message $message_id from $header_from: to $header_to: failed.\n\
claimed to be from juno, but not verifiable - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Broken message-IDs
# An absent Message-ID header also fails this test (empty string does not
# contain "@"). Trailing-colon remark as above applies here too.
if $header_message-id does not contain "@" then
log "message $message_id from $header_from: to $header_to: failed.\n\
Message-ID does not contain '@' - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Is the host (From||To) numeric?
# NOTE(review): `contains` is a literal substring test, but the pattern
# below is written like a regex (\d+). As written it can only match a header
# that literally contains that backslash sequence, so this rule probably
# never fires; `matches` (used in the next rule) is the regex operator.
if "$header_from: $header_to:" contains "@\\\\d+\\." then
log "message $message_id from $header_from: to $header_to: failed.\n\
From: or To: header contains numeric hostname - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Is the local-part numeric and 8 digits?
# `matches` is the regex test; the doubled backslashes are needed so that
# \d and the anchoring $ survive the filter's string processing.
# NOTE(review): in a system filter $local_part is only meaningful for a
# single-recipient message - confirm this behaves as intended otherwise.
if $local_part matches "^\\\\d{8}\\$" then
log "message $message_id from $header_from: to $header_to: failed.\n\
Local part is an 8 digit numeric - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Is the To: address contained in the From: address?
# The second clause matters: an absent To: header expands to the empty
# string, which `contains` would accept trivially.
if ( $header_from: contains $header_to: )
and ( "${if def:header_to: {present}}" is present ) then
log "message $message_id from $header_from: to $header_to: failed.\n\
From: contains To: which indicates probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Is neither a To: nor a Cc: header present?
if ( "${if def:header_to: {present}}" is not present )
and ( "${if def:header_cc: {present}}" is not present ) then
log "message $message_id from $header_from: to $header_to: failed.\n\
Neither To: nor Cc: headers present - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Other funny Received headers?
# Plain substring tests over all Received: headers, including those the
# sending system added itself.
if $header_received: contains "[000.000.000.000]" then
log "message $message_id from $header_from: to $header_to: failed.\n\
Received: included the invalid IP [000.000.000.000] - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
if $header_received: contains "-0600 (EST)" then
log "message $message_id from $header_from: to $header_to: failed.\n\
Received: included the dubious time zone setting -0600 (EST) - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
if $header_received: contains "CLOAKED" then
log "message $message_id from $header_from: to $header_to: failed.\n\
Received: included the string 'CLOAKED' - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Bcc'ed to public addresses?
if ( $header_bcc: contains "-usenet" ) or
( $header_bcc: contains "-sig" ) then
log "message $message_id from $header_from: to $header_to: failed.\n\
Bcc'ed to a public address (-usenet or -sig) - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Bogus To: headers.
# Substring tests: "Friend@" and "you@" anywhere in To: trigger these, so a
# legitimate local-part ending in "you" (e.g. "thankyou@") is caught too.
if $header_to: contains "Friend@" then
log "message $message_id from $header_from: to $header_to: failed.\n\
To: header included bogus local-part 'Friend' - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
if $header_to: contains "you@" then
log "message $message_id from $header_from: to $header_to: failed.\n\
To: header included bogus local-part 'you' - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
### That's it!
Exim ACL Spam Filters Config
Posted On at 下午2:01 by Lani
Stopping Spam in the ACL
Exim ACL Spam Filters
This is a mirror of http://vamos-wentworth.org/exim-tricks.html (with a few very minor amendments).
I have been unable to get to the site since September, so I decided to mirror the above URL. It was very useful information for me when I first started out with Exim, hence my sharing it.
All credit goes to the original author; THIS IS NOT A DOCUMENT WRITTEN BY MYSELF, so all rights go to the original author, rossz-work [at] vamos-wentworth [dot] org, as well.
These antispam tips are for Exim 4.x. If you don't know how to modify the helo, rcpt, and data ACLs, then these suggestions won't do you much good.
###############################################################################
HELO ACL
###############################################################################
You can block a lot of spammers right after they say HELO. They have a tendency to lie but, fortunately, it's often easy to catch them in their lie.
The first thing a remote system is supposed to do when it connects is to say "HELO domain.com". It is legal to use an IP address with the HELO, but it is losing acceptance. A spammer might try to HELO with your own IP address. There is absolutely no legitimate reason for someone else to use your IP address here. Plug your own IP address in here where it says ##.##.##.##. Repeat this for each IP address you handle.
# Reject a HELO/EHLO that names one of this server's own addresses.
# ##.##.##.## is a placeholder: substitute a real address and repeat the
# statement once per address. `eq` is an exact, case-sensitive comparison.
deny message = HELO/EHLO with my ip address. You are not me.
log_message = HELO/EHLO my.ip
condition = ${if eq {$sender_helo_name}{##.##.##.##} {yes}{no}}
Basically the same thing as the previous filter, but using your domain name instead of your ip address. You should repeat this filter for each domain you control.
# Reject a HELO/EHLO that names one of this server's own domains.
# NOTE(review): `match` is an unanchored regex, and "." matches any
# character, so this also denies any HELO name that merely contains the
# text. Anchor and escape it - e.g. \N^your-domain\.com$\N, as the
# "big four" rules below do - unless the broader match is intended.
deny message = HELO/EHLO with my domain name. You are not me.
log_message = HELO/EHLO my.domain
condition = ${if match {$sender_helo_name}{your-domain.com} {yes}{no}}
Giving a domain name of 'none' isn't valid, so tell them to bugger off. This filter can be left out, since the "period" filter below will catch it.
# Reject a HELO/EHLO of "none".
# NOTE(review): unanchored regex - a legitimate host whose name merely
# contains "none" (e.g. nonesuch.example) is denied as well. Use
# `eq {$sender_helo_name}{none}` or an anchored pattern if this rule is kept.
deny message = No HELO/EHLO name specified.
log_message = HELO/EHLO none
condition = ${if match {$sender_helo_name}{none} {yes}{no}}
A remote system saying they are localhost? Sure they are. This filter can also be omitted if you use the "period" filter below.
# Reject a remote HELO/EHLO of "localhost".
# Unanchored regex: any name containing "localhost" is denied, including
# longer ones such as localhost.localdomain - probably intended here.
deny message = You are not localhost.
log_message = HELO/EHLO localhost
condition = ${if match {$sender_helo_name}{localhost} {yes}{no}}
A proper domain will contain at least one period. A good percentage of spam worms HELO with random characters without a period.
# Reject a HELO/EHLO name with no "." in it. The branches are inverted:
# a match on the regex \. (backslash doubled for the config file) yields
# "no", anything without a dot yields "yes" and is denied. An address
# literal such as [192.0.2.1] contains dots and therefore passes.
deny message = Invalid HELO/EHLO. You are either spam/a virus, or your system administrator has incorrectly configured your network.
condition = ${if match{$sender_helo_name}{\\.}{no}{yes}}
###############################################################################
RCPT ACL
###############################################################################
Spammers like to forge some big names when they send you email. We can't easily check all of them, not until Sender Permitted From (SPF) is widely used. At least we can check for some of the most commonly abused domains, Yahoo, Hotmail, MSN, and AOL. These four filters will reject email with forged From: addresses containing the "big four" domains.
#Fake Yahoo
# `senders` tests the *envelope* sender (MAIL FROM), not the From: header
# the prose refers to. The condition then denies unless the reverse DNS
# name of the connecting host ends in yahoo.com (\N...\N stops the pattern
# from being expanded; the unescaped "." also matches any character).
# NOTE(review): $sender_host_name is only set when Exim has performed a
# reverse lookup for the connection (host_lookup / verify =
# reverse_host_lookup); if it is empty, every yahoo.com envelope sender is
# rejected - confirm the lookup is configured. The same applies to the
# three rules that follow.
deny message = Suspected Faked Yahoo Account, E-mail Rejected.
log_message = Fake Yahoo
senders = *@yahoo.com
condition = ${if match{$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}
#Fake Hotmail
# Same shape as the Yahoo rule: envelope sender in hotmail.com, deny
# unless the connecting host's reverse DNS name ends in hotmail.com.
deny message = Suspected Faked Hotmail Account, E-mail Rejected.
log_message = Fake hotmail
senders = *@hotmail.com
condition = ${if match {$sender_host_name}{\Nhotmail.com$\N}{no}{yes}}
#Fake MSN
# Envelope sender in msn.com; accepted only from hosts whose reverse DNS
# name ends in hotmail.com or msn.com (the alternation in the pattern).
deny message = Suspected Faked MSN Account, E-mail Rejected.
log_message = Fake MSN
senders = *@msn.com
condition = ${if match {$sender_host_name}{\N(hotmail|msn).com$\N}{no}{yes}}
# Fake AOL
# Envelope sender in aol.com; accepted only from hosts whose reverse DNS
# name ends in mx.aol.com. As with the rules above, an empty
# $sender_host_name denies everything for this domain.
deny message = Suspected Faked AOL Account, E-mail Rejected.
log_message = Fake AOL
senders = *@aol.com
condition = ${if match {$sender_host_name}{\Nmx.aol.com$\N}{no}{yes}}
Of course, using a few good blacklists is a good idea. I put my blacklist checks immediately after the big four filters.
###############################################################################
DATA ACL
###############################################################################
A valid email should have a message id. Spamming software (and viruses) often don't. So refuse them. Note, this filter has been known to break the rare email sent from a highly customized Qmail server. Personally, I don't care.
# Deny a message with no Message-ID: header. The expansion yields "1"
# (true) when the header is absent and the empty string (false) otherwise.
deny condition = ${if !def:h_Message-ID: {1}}
message = Message SHOULD have Message-ID: but does not
Email should have a proper date. So goodbye if it doesn't.
# Deny a message with no Date: header; same "1"/empty mechanism as the
# Message-ID rule above.
deny condition = ${if !def:h_Date: {1}}
message = Message SHOULD have Date: but does not
You'll need the Exiscan patch for the mime handling to work.
Required to do any mime handling, plus, a broken mime attachment might be an attempt to infect or break into your system.
# Deny when the MIME decoder reports an error level above 2.
# NOTE(review): `demime` belongs to the Exiscan-era content scanner; it was
# later deprecated in favour of the MIME ACL (acl_smtp_mime) and is absent
# from current Exim releases - check the installed version before relying on
# it. The two messages also use different variables ($demime_reason vs
# $mime_reason); only one of them is likely to be set here - confirm.
deny message = Serious MIME defect detected ($demime_reason)
log_message = Broken MIME ($mime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
Refuse dangerous attachments. This gets a large number of viruses. It also catches a lot of spam with hidden surprises.
# Deny attachments whose filename extension is in the colon-separated list.
# This is an extension check only: the same content renamed or wrapped in
# an archive is not caught, so treat it as one layer, not the only one.
# (Same demime deprecation caveat as the rule above.)
deny message = $found_extension files are not accepted here
log_message = Dangerous extension ($found_extension)
demime = com:vbs:bat:pif:scr:exe
For Windows clients, Microsoft has included a lovely little surprise. It is possible to attach a file with a CLSID in the name which causes Windows to hide the file extension. This is entirely independent of the "Hide file extensions for known file types" folder option. This is extremely dangerous, so let's just refuse the bastards.
# Deny a Content-Disposition filename that ends in a CLSID-like
# {...} token of 25+ characters, or that pads the real extension away with
# 10+ whitespace characters. (?i) makes the match case-insensitive;
# backslashes are doubled for the config file and the trailing $ is
# escaped so it is not expanded. The `regex` condition needs the content
# scanning (Exiscan) build, as the text above notes.
deny message = Hiding of file extensions is not allowed!
log_message = Dangerous extension (CLSID hidden)
regex = ^(?i)Content-Disposition::(.*?)filename=\\s*"+((\{[a-hA-H0-9-]{25,}\})|((.*?)\\s{10,}(.*?)))"+\$
http://vamos-wentworth.org/exim-tricks.html
http://www.carbonstudios.co.uk/site/44/180.html
Apache 壓力測試
Posted On at 上午10:01 by Lani
在 apache 本身的套件中, 有個叫 ab(ApacheBench) 的程式.
ApacheBench 主要是用來測試 apache 執行效率.
ab 參數:
Usage: /usr/sbin/ab [options] [http[s]://]hostname[:port]/path
Options are:
-n requests Number of requests to perform
-c concurrency Number of multiple requests to make
-t timelimit Seconds to max. wait for responses
-p postfile File containg data to POST
-T content-type Content-type header for POSTing
-v verbosity How much troubleshooting info to print
-w Print out results in HTML tables
-i Use HEAD instead of GET
-x attributes String to insert as table attributes
-y attributes String to insert as tr attributes
-z attributes String to insert as td or th attributes
-C attribute Add cookie, eg. 'Apache=1234' (repeatable)
-H attribute Add Arbitrary header line, eg. 'Accept-Encoding: zop'
Inserted after all normal header lines. (repeatable)
-A attribute Add Basic WWW Authentication, the attributes
are a colon separated username and password.
-P attribute Add Basic Proxy Authentication, the attributes
are a colon separated username and password.
-X proxy:port Proxyserver and port number to use
-V Print version number and exit
-k Use HTTP KeepAlive feature
-d Do not show percentiles served table.
-S Do not show confidence estimators and warnings.
-g filename Output collected data to gnuplot format file.
-e filename Output CSV file with percentages served
-s Use httpS instead of HTTP (SSL)
-h Display usage information (this message)
ex: 要執行 1000 次的 connection, 20 次的 concurrent (並行, 同時).
語法: ab -n 1000 -c 20 http://localhost/abc.php
產生出來的結果. 主要要注意的是以下幾個.
Time taken for tests: 總共執行花了多久的時間.(以上 1000 次共多久)
Requests per second: 每秒平均可以處理多少個 connection.
源自:http://blog.longwin.com.tw/archives/000513.html