Howto setup SPF (Sender Policy Framework) on a domain

SPF is a Policy Framwork that helps fighting return-path address forgery and makes it easier to identify spoofs. Domain owners identify and pinpoint sending mail servers in a DNS record, and thereby its posible for SMTP receivers (e.g. MTAs like Exim, Postfix, Qmail etc.) to verify the envelope sender address against this information, and can distinguish authentic messages from forgeries before any message data is transmitted.

Create a SPF record
The easist way to create a SPF record is to use this online tool: openspf

Deploy the SPF record
To use the newly created SPF record on a domain, make sure you have access to create a TXT-DNS record for the given domain. If you have access to create a TXT-DNS record all you need is to create such a TXT-DNS record containing the SPF record information, and you are done.

Comments off

Block referer spam easily

I have built this small tutorial because somebody kept requesting different urls on the server with referer spam. The tutorial shows how to block referer spamon a Debian 3.1 server with a apache 2 webserver by using mod_security

Install mod_security

debian21:~# apt-get install libapache2-mod-security
Reading Package Lists... Done
Building Dependency Tree... Done
The following extra packages will be installed:
The following NEW packages will be installed:
  libapache2-mod-security mod-security-common
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 274kB of archives.
After unpacking 737kB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 stable/main mod-security-common 1.8.7-1 [240kB]
Get:2 stable/main libapache2-mod-security 1.8.7-1 [34,4kB]
Fetched 274kB in 0s (682kB/s)
Selecting previously deselected package mod-security-common.
(Reading database ... 28605 files and directories currently installed.)
Unpacking mod-security-common (from .../mod-security-common_1.8.7-1_all.deb) ...
Selecting previously deselected package libapache2-mod-security.
Unpacking libapache2-mod-security (from .../libapache2-mod-security_1.8.7-1_i386.deb) ...
Setting up libapache2-mod-security (1.8.7-1) ...
Setting up mod-security-common (1.8.7-1) ...


Enable the newly installed module

debian21:~# a2enmod mod-security
Module mod-security installed; run /etc/init.d/apache2 force-reload to enable.


Add this setup to your apache2.conf or your .htaccess file

<ifmodule mod_security.c>
    # Turn the filtering engine On or Off
    SecFilterEngine On

    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On

    # Unicode encoding check
    SecFilterCheckUnicodeEncoding Off

    # Only allow bytes from this range
    SecFilterForceByteRange 0 255

    # Only log suspicious requests
    SecAuditEngine RelevantOnly

    # The name of the audit log file
    #SecAuditLog logs/audit_log
    # Debug level set to a minimum
    #SecFilterDebugLog logs/modsec_debug_log
    #SecFilterDebugLevel 0

    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # By default log and deny suspicious requests
    # with HTTP status 500
    SecFilterDefaultAction "deny,log,status:500"

    # Block request with suspicious referers
    SecFilterSelective "HTTP_REFERER" "(holdem|poker|casino|porn)" deny,nolog,status:500


And then restart apache

debian21:~# /etc/init.d/apache2 restart
Forcing reload of web server: Apache2.


Then run a few test requests to ensure it works as we intended it to

debian21:~# wget http://localhost/ --referer=
--15:33:34--  http://localhost/
           => `index.html'
Resolving localhost...
Connecting to localhost[]:80... connected.
HTTP request sent, awaiting response... 500 Internal Server Error
15:33:34 ERROR 500: Internal Server Error.



It blocks the request just like we thought it would.


debian21:~# wget http://localhost/ --referer=
--15:33:43--  http://localhost/
           => `index.html'
Resolving localhost...
Connecting to localhost[]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,009 [text/html]

100%[========================================>] 1,009         --.--K/s

15:33:43 (9.62 MB/s) - `index.html' saved [1009/1009]



The request passed right trough as intended ;)

And we are done.
This is only one way of preventing referer spam, some others have done a similar block by using the built-in Linux firewall called iptables. Perhaps more on using iptables as blocking mechanism another time.

Comments off