MyTrueHost launched Web Hosting for Indian clients just in Rs 60/Month with various payment options(netbanking, debit card, credit card,cash card or paypal).
Please Visit at https://www.mytruehost.in

Exploit Removal Guide

The following is a first step in finding and removing exploits and root kits on a Linux or BSD system.

1. EXECUTE THE FOLLOWING COMMANDS TO HELP PREVENT UPLOADS OF EXPLOITS:

chmod 0750 `which curl` 2>&-; chmod 0750 `which fetch` 2>&-; chmod 0750 `which wget` 2>&-

2. EXECUTE THE FOLLOWING COMMANDS TO CHECK FOR POSSIBLE EXISTING EXPLOITS:

shfor x in “/dev/shm /tmp /usr/local/apache/proxy /var/spool /var/tmp”; do ls -loAFR $x 2>&- grep -E “^$^/ apache nobody unknown www web htdocs ” grep -E “^$^//$\*$\.pl$” grep -Ev “sess_” tee exploits.txt; done; echo -e “\n\nPossible Exploit Files and Directories: `grep -Ev “^$^/” exploits.txt wc -l tr -d ‘ ‘`” tee -a exploits.txtexit

Lines ending with an asterisk ‘*’, ‘.pl’, or a slash ‘/’ are possible exploit files or directories which should be investigated and removed followed by rebooting the server to kill any running exploit processes. You can refer to the exploits.txt file generated by the above commands for later reference.

3. You should also install and run the progam called rkhunter.
Rootkit Hunter is scanning tool to ensure you for about 99.9% you’re clean of nasty tools.
This tool scans for rootkits, backdoors and local exploits by running tests like:

– MD5/SHA1 hash compare
– Look for default files used by rootkits
– Wrong file permissions for binaries
– Look for suspected strings in LKM and KLD modules
– Look for hidden files
– Optional scan within plaintext and binary files
WWW: http://www.rootkit.nl/

On BSD sytems:
cd /usr/ports/security/rkhunter; make install clean; rehash; rkhunter -c(or for help with rkhunter arguments do: rkhunter -h)

On RedHat, Fedora, CentOS systems:
yum -y install rkhunter;
rkhunter -c
(or for help with rkhunter arguments do: rkhunter -h)

 

SERVER LOAD TWEAKS…APACHE/MYSQL/SMTP-POP3/EXIM/IMAP

Q:- How to trace the server load? (Inludes with all application.)

 

The steps are according to services :-

—————————————————————-

1. Apache :-

  • TOP command >> check for many httpd processes
  • Login to WHM >> Check for “Apache ststus”,if find anyone downloading mp3,rar,exe,zip files then suspen that account
  • Also used to check “cpu/memory/Mysql Usage” option from WHM >> Here we can find actual CPU and Memory usage for particular domain.

—————————————————————-

2. Mysql :-

  • TOP command >> check for many httpd processes
  • MySQLadmin process / mysqladmin status
  • Also used to check “cpu/memory/Mysql Usage” option from WHM >> Here we can find actual CPU and Memory usage for particular domain.

—————————————————————-

3. Ftp :-

  • ps -aux | grep ftp >> used for checking ftp action taken by user like uploading /downloading files
  • tail -f /var/log/secure

—————————————————————-

4. SMTP / POP3 /IMAP :-

  • tail -f /var/log/exim_mainlog >> checking for logs and check which email addresses is continuesly scrolling and confirm is it doing spaming,if confirmed then suspend account
  • tail -f /var/log/exim_mainlog | grep public_html >> check for spamming if anybody is using php script for sending mail
  • Login to whm and select “Manage Mailqueue” to find the email address which is doing spamming.

—————————————————————-

First of all check the load and if its above safe limits, we have to settle it down. run deep scripts untill you get the messages “no processes found” for mysql, exim and http. check the load again. restart the services by proper restart scripts
s-http, s-mysql, s-exim. Then proceed for investigation.

* top, shift p, check processes taking load and are in plenty.
* if apache
* quickly go to whm and check apache status and do the needful. if theres nothing in apache
check netstat -n|less . it can be http attack.
* if mysql-
do mysqladmin process and look for processes and queries.
* if exim-
go to /var/log/exim_maillog and check the logs for spam.
this can be done by grepping the logs as follows:
tail -f /var/log/exim_mainlog|grep /tmp
tail -f /var/logs/exim_mainlog |grep public_html
tail -f /var/logs/exim_mainlog |grep sendmail
check mail queue
check for frozen mails and delete frozen mails.
* check io wait if its more.
there can be some reasons for this.
* any user may be downloading heavy files- this you can see in the apache status.
* you can see the heavy cpu consuming processes on the server by ps auxw|grep mvi,mgp,mp3,pkgacct,backup,gzip and you can get the processes. check it and kill it as necessary.
* last is check out for bad processes by ps auxw|grep nobody and kill the bad processes. to know more about what is happening behind the process you can check at /proc/procid.

—————————————————————-

  • 1> ps aux | grep nobody or gzip /backup /fixquota
  • 2> TOP / shift + p / shift + m / k =kill
  • 3> tail -f /var/log/… | grep … .avi/.mpg/.rar/.jpg all logs
  • 4> cd /proc/pid ls -alh
  • 5> Apache status/ cpu mysql memory usage form whm
  • 6> netstat -n
  • 7> w
  • 8> Event Viewer log / Task manager for windows
  • 9>tail -f /var/log/exim_mainlog|grep tmp /sendmail /public_html

—————————————————————-

  • 1) top…..to see the process list, then accroding kill the process which is taking load
  • 2) ps -aux
  • ps -aux | grep gzip, backup, pkg
  • tail -f /var/log/exim_maillog | grep sendmail, public, tmp
  • 3) w to see whois online
  • 4) kill httpd, mysqld, cppop
  • 5) netstat
  • 6) mysqladmin process :- to see the mysql process
  • 7) /scripts/restartsrv_service name:- to restart the service if it goes down
  • 8) tail -f /etc/httpd/logs/access_log
  • tail -f /etc/httpd/logs/error_log

or you can manage the serverload using WHM

1) under the server status option you can see the
apache status…
CPU/Mysql usages/memory
service status and you can manage the server
2) SQL services under this option you can see the mysqladmin process3) restart services:- using this option you can restart the services

 

—————————————————————-


top

Will display the processes that are using the maximum processor resources
We can use various options to monitor and control process through top like shift + p, shift + m and k which is used to kill processes. r can be used to renice a process and prioritise a process. In case of high i/o wait we need to check the logs for
high resources using processes.

———
uptime
———
It displays the the time since the server has been up and running, number of users logged in and the load average. Similarly we can use ‘w’.

————
ps -auxwf
————
Will display the process with details like, username, pid, resource usage and child processes. It is very effective in monitoring processes.
We generally use ps -auxwf | grep gzip
ps -auxwf | grep backup
ps -auxwf | grep pkg
For bad processes – ps -auxwf | grep nobody

——————-
Kill and Kill All
——————-
used to kill processes or services that are found to be eating up server resources.

————–
Spamming
————–
To check spamming we can watch for the mail logs using :
tail -f /var/log/exim_mainlog | grep sendmail
tail -f /var/log/exim_mainlog | grep tmp
tail -f /var/log/exim_mainlog | grep public_html
as spamming can be done from a user’s public_html directory using a script or through sendmail. Another way of spamming is using the tmp directory as it is the ‘world writable directory’.

————–
WebServer logs
————–
We can check for customized logs in the WHM under the Server Status section.
We can trace the user responsible for high web server resource usage by the folowing command
tail -f /etc/httpd/logs/access_log | grep mp3
tail -f /etc/httpd/logs/access_log | grep rar
tail -f /etc/httpd/logs/access_log | grep wav etc

tail -f /etc/httpd/logs/access_log | grep 408 can be used to check for DDOS attacks on the server.

——–
mysql
——–
Apart from top and ps, ‘mysqladmin processlist’ can be used to check the mysql processes, users and the type of process/query being run by the user.

Killing a proceess is the first option to control server load, restarting the affected server is another option. Still if the load is high we track down the responsible user and suspend him.(This applies for all servers,i.e,apache, mysql, exim etc.)
—————————————————————-

1. top – check load average, iowait, httpd, mysql, exim etc.
2. P = CPU Usage, M = Memory Usage, K = kill unwanted processes.
3. If load is high, run “deep”.
4. Login to WHM of the server and check apache, cpu/memory, mysql status.
5. If any user found downloading gif images, mp3, etc; suspend that particular user.

iowait is high, someone is backing up their files; run
# ps aux | grep pkg
# ps aux | grep gzip
# ps aux | grep backup

Spamming check-
# tail /var/log/exim_mainlog –f | grep public_html
MySQLdump check-
# ps aux | grep mysqldump
# mysqladmin processlist — mysql status
Bad processes running-
# ps aux | grep nobody

Service restart commands-
#/scripts/restartsrv_mysql
#/scripts/restartsrv_httpd
#/scripts/restartsrv_exim

—————————————————————-

By using a top command you can find out the process which is causing the load on the server. You can use kill or kilall command to kill that process. OR you can run deep command which will kill all the httpd, exim and mysql process. once the server load comes down restart the service which you have killed.

1. Apache :-

Using top command, we will come to know whether httpd service is eating up high resources on server. if so then kill the httpd service and restart it again when load comes to normal.

You can check if any backup is going on, run the following commands:
# ps aux | grep pkg
# ps aux | grep gzip
# ps aux | grep backup
If any backup process is going on, kill that process.

Also Login to WHM and Check for “Apache ststus”, if find anyone downloading mp3,rar,exe,zip files then suspend that account.

the other way to check any download is going on is by using
ps auxw | grep nobody | grep mp3 , jpeg, wmv, mpeg, rar and kill that process.

ALso you can used to check “cpu/memory/Mysql Usage” option from WHM. Here we can find actual CPU and Memory usage for particular domain.

2. Exim Mail :-

Check for spamming by checking the logs for exim

tail -f /var/log/exim_mainlog >> checking for logs and check which email addresses is continuesly scrolling and confirm is it doing spaming,if confirmed then suspend account.

tail -f /var/log/exim_mainlog | grep tmp

Login to whm and select “Manage Mailqueue” to find the email address which is doing spamming.

3. MySQL :-

Use the mysqladmin command as mysqladmin process / mysqladmin status

Also used to check “cpu/memory/Mysql Usage” option from WHM. You can get actual CPU and Memory usage for particular domain.

4. Ftp :-
ps -aux | grep ftp >> used for checking ftp action taken by user like uploading /downloading files
tail -f /var/log/secure

5. ps command :-

Use ps -auxw command ALWAYS to check if there is bad processes running by doing ps aux|grep nobody. You’ll sometimes see bad scripts running as nobody. Normally only httpd, merlange chat, and sometimes proftpd are run as user nobody. so if you find any other process is running as user nobody kill that process.

kill -9 pidofproc
—————————————————————-

Some basic commands to see load average and process running on the server,
1]top :: This command is very useful for system administartion. Basically it gives you summary view of system, including number of users, memory usage, CPU usage and active processes.
Shift+p =>list all processes accourding to maximum CPU usage.
Shift+m=>list all processes accourding to maximum memory usage.

2]w :: This commands gives us information regarding who is logged into server and what processes they are running
w -s , gives you shorter process listing.

3]uptime:: It will also gives us information regarding the number of user logged into server, Current time, time since server is up, load average.

4]ps :: list the current running processes.
ps -aux , gives us information of users, PID, resoure usages like CPU and memory, processes running.

Reasons for increase of load on the server::

Load on server will get increase due to sevral reasons sated below,

1.many httpd processes
2.any user is downloading mp3, exe, zip files
3.email spamming
4.uploading/downloading files via FTP
5.mysql processes and queries run by user

Troubleshooting::

1.If many load increased suddenly, fire “deep” command, which kills httpd, mysql and exim processes.
2. Also Login to WHM and Check for “Apache ststus”, if find anyone downloading mp3,rar,exe,zip files then suspend that account.
3.For spamming, you need to fire following commands,
tail -f /var/log/exim_mainlog | grep public_html

—————————————————————-
1)top
2)w
3)shift+m
4)shift+p
5)tail -f /usr/local/apache/logs/access_log
6)tail -f /usr/local/apache/logs/error_log
7)tail -f /var/log/exim_mainlog

—————————————————————-

1. Check for server load using top command with following options:
Shift p CPU Usage,
Shift m Memory Usage
& check which process is taking load with the help of above two options.
Kill the responsible process using k option.
2. Check for the downloads using
# ps auxw | grep nobody | grep mp3 , jpeg, wmv, mpeg, rar
# ps auxw | grep gzip, backup, fixquota
Suspend the perticular account who is repeatedly downloading the above mentioned files.
3. Check for access & error logs for following options
# tail -f /etc/httpd/logs/access_log | grep 408, zip
# tail -f /etc/httpd/logs/error_log | grep 203
4. Check mail spamming with following commands.
#tail -f /var/log/exim_mainlog | grep sendmail, public_html, tmp
5. Login to WHM of the server and check apache, cpu/memory, mysql status & check for frozen mails in mail queue manager.
6. Check Mysql errors with
# mysqladmin processlist
check the users, command, time & information fields.
7. If you are making changes to httpd.conf then first run # httpd -configtest before restarting httpd to reduce the downtime.
8. Restart the perticular service causing load tomgo hihg with # /scripts/restartsrv_httpd, exim, mysql

—————————————————————-

 

Script to catch malicious perl scipts uploaded to /tmp

Following script can help you to catch malicious perl scipts uploaded to /tmp.

#!/bin/bash
#Script designed for http://dantechie.blogspot.com/. Its GNU,FREE,DISTRIBUTABLE

ROOTBADSCRIPTS=/root/badperlscripts
EMAILLOG=/root/emailperlscriptlog
LOAD=`cat /proc/loadavg | awk ‘{print $1, $2, $3}’`
HOST=`hostname`
TIME=`date`
ADMINEMAILS=”,admin@admin.com”
if [ ! -e $ROOTBADSCRIPTS ]; then
mkdir $ROOTBADSCRIPTS
chmod 700 $ROOTBADSCRIPTS
fi
rm -f $EMAILLOG
touch $EMAILLOG
for FILES in /tmp/*
do
if [ ! -d $FILES ]; then
if [ -w $FILES ]; then
#grep perl $FILES > /dev/null 2>&1
head -1 $FILES | grep perl > /dev/null 2>&1
if [ $? -eq 0 ];
then
echo “$TIME $HOST $FILES — perl script found Load : $LOAD ” >> $EMAILLOG
mv -f $FILES $ROOTBADSCRIPTS
killall -9 perl > /dev/null 2>&1
killall -9 perl > /dev/null 2>&1
killall -9 perl > /dev/null 2>&1
#//chown root.root $FILES
#//chmod 000 $FILES
#//chattr +i $FILES
fi
fi
fi
done
for FILES in /dev/shm/*
do
if [ ! -d $FILES ]; then
if [ -w $FILES ]; then
#grep perl $FILES > /dev/null 2>&1
head -1 $FILES | grep perl > /dev/null 2>&1
if [ $? -eq 0 ];
then
echo “$HOST $FILES — perl script found Load : $LOAD ” >> $EMAILLOG
mv -f $FILES $ROOTBADSCRIPTS
killall -9 perl > /dev/null 2>&1
killall -9 perl > /dev/null 2>&1
killall -9 perl > /dev/null 2>&1
#//chown root.root $FILES
#//chmod 000 $FILES
#//chattr +i $FILES
fi
fi
fi
done
if [ -s $EMAILLOG ]; then
cat $EMAILLOG | mail -s “Perl Script report on $HOST” $ADMINEMAILS
fi
exit

 

How to trace the DDOS attack on the server ?

1. Your should have following setting at the time of DDOS attack in httpd.conf:

TimeOut = 20

KeepAlive Off

MaxClients 384

MinSpareServers 20

MaxSpareServers 25

2. in /usr/local/ddos/ddos.conf

NO_OF_CONNECTIONS=20

3. You should have 7 SSH session and 1 WHM at the time of DDOS.

4. Check the domlogs to trace out a particular website for the DDOS. Use the following command to check the latest updated domlog file for the website.

ll -lt |less

5. You should keep the following command to check the DDOS.

top, access_logs, error_logs,

ps aux | grep php

check the apache status in the WHM

cd /root/nobody_check

./apachetrace

cd /tmp

ls and check suspected scripts.

6. If necessary reboot the server. This will kill the http process which is causing the DOS. When the server is up, that process will start again and at that time you can trace it and kill it.

7. You can change the permission of the suspected domain. Make the DNS changes to 127.0.0.1 . please use TTL 20 for fast dns propagation. Don’t set the redirectio for the website in httpd.conf.

8. After the DDOS attacker is trace down, don’t forget to revert back the changes make to https.conf.

9. Suspend the suspected domain and mail the client about this.

check queue by whm

if queue is high I will check queue by whm

I will scroll bottom I will see which domain is most of time or aol

If I find any I will click on id I will see his email headers so we ill get spammer.

I know all mails are not spamer in such case we will delete mails. Only

Tail –f /var/log/exim_mainlog |grep sendmail

Tail –f /var/log/exim_mainlog |grep tmp

Tail –f /var/log/exim_mainlog |grep public_html

Tail –f /var/log/exim_mainlog |grep hostname

Or

Cd /var/spool/cron

Check if someone is sending mail or bulk list.

2)check aol mails

if we find continuously mails from AOL

logged at server

check mail queue who is sending mail to AOL id check header and suspend the account.

As per apache load.

Ps auw |grep nobody

We check is there any old or bad process kill it

We check apache status.

We check access_logs

We check domlogs of domain

For control

1)cap domain name for ip limit

2)if ddos 127.0.0.1 update client

3)if accessing only one file redirect it

4)if ~access ban by mod_sec

in ddos we used following method

In DDOS ON mode usually the best setting is

/usr/local/ddos/ddos.conf

NO_OF_CONNECTIONS=100

/etc/httpd/conf/httpd.conf

Timeout =10

KeepAlive = OFF

mod_evasive = uncomment

===========================================================

In DDOS OFF mode

/usr/local/ddos/ddos.conf

NO_OF_CONNECTIONS=650

/etc/httpd/conf/httpd.conf

Timeout =50

KeepAlive = On

mod_evasive = comment

Ddos mode should be off when attack stop.

We check proc/pid too

mysqladmin processlist

if one database again and again we suspend him.

 

 

How to set limit to remove the Frozen Maiils Automatically ?

vi /etc/exim.conf

timeout_frozen_after = 8d ( 8 Days )

/scripts/restartsrv_exim

 

Nobody Prevention Script

A big problem today is the abundance of Spammers listing as “Nobody”.

This tutorial will outline how to properly set it up on Cpanel based systems.

root@yourserver [~]# mv /usr/sbin/sendmail /usr/sbin/sendmail.real
// backup your existing sendmail in the event of an error.

root@yourserver [~]# pico /usr/sbin/sendmail
// Open this badboy up, now paste the code below into it.

Code:
======
 #!/usr/local/bin/perl
# use strict;
 use Env;
 my $date = `date`;
 chomp $date;
 open (INFO, ">>/var/log/formmail.log") || die "Failed to open file ::$!";
 my $uid = $>;
 my @info = getpwuid($uid);
 if($REMOTE_ADDR) {
         print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME \n";
 }
 else {

        print INFO "$date - $PWD -  @info\n";

 }
 my $mailprog = '/usr/sbin/sendmail.real';
 foreach  (@ARGV) {
         $arg="$arg" . " $_";
 }

 open (MAIL,"|$mailprog $arg") || die "cannot open $mailprog: $!\n";
 while ( ) {
         print MAIL;
 }
 close (INFO);
close (MAIL);
======

Now save the work above…

root@yourserver [~]# chmod +x /usr/sbin/sendmail
// make sendmail executable

root@yourserver [~]# echo > /var/log/formmail.log

root@yourserver [~]# chmod 755 /var/log/formmail.log (If no work change to chmod 777)

root@yourserver [~]# pico /var/log/formmail.log
// above is where all the data is stored, it may take up to a couple hours for it to begin filling with data. However if you notice an extreme amount of instances of a user sending mail, it may be spam. In the past without this script it would list them as “Nobody”. With the script in place it lists the user and where the mail is being setn from.
————————————————————————–
As always it’s a good idea to routinely check who and how many perl processes are running as this is also another large gateway for outgoing spam.

root@yourserver [~]# ps aux | grep perl
// if you see a user with one to many perl processes running, and nothing much going on at his site, in most cases that i’ve seen this is the source of spam.

 

TYPES OF WEB HOSTING SERVICE

Free web hosting service
It is a free of cost web hosting service and frequently advertisement-supported and of limited features. It will either provide a sub-domain (yoursite.example.com) or a directory on host’s site (www.example.com/~yourname).

Shared web hosting service
Here your web site is hosted on the same server where many other sites are their, ranging from a few to hundreds or more. Usually, all domains may share a common pool of server resources, such as RAM and the CPU.

Reseller web hosting
Reseller can be a web host by selling shared web hosting packages to its clients. Resellers can function as personal domain, by any combination of these listed types of hosting, depending on who they are affiliated with as a supplier. Resellers’ accounts may vary tremendously in size as they may have their own virtual dedicated server to a co-located server.

Virtual Dedicated Server
A virtual private server is a method of dividing a physical server computer into multiple servers that each has the appearance and capabilities of running on its own dedicated machine. The practice of slicing up a single server so that it appears as multiple servers has been common practice in computers, but has seen reappearance lately with the development of virtualization software and technologies for other architectures.

Dedicated hosting service
In Fully Managed hosting client gets his own web server and gains full control over it; however, the user typically does not own the server. Where in Self-Managed or Unmanaged hosting the user has complete administrative access to the server, that means the customer is accountable for the security and safeguarding of his own dedicated server.

Managed hosting service
The client gets his own web server on lease but is not allowed full control over it; though they are allowed to control their data via FTP or other remote management tools. The client is not allowed full control so that the provider can assure quality of service by means of not allowing the user to change the server or potentially create configuration problems.

Co-location web hosting service
It is more or less similar to the dedicated web hosting service, here the user has his colo server; the hosting company provides physical space that the server takes up and concern about the server. This is the most dominant and expensive type of the web hosting service. In the majority cases, the co-location provider may provide little or indirect support for customers machine by providing only the electrical, Internet access, and storage facilities for the server.

Clustered hosting
Clustered hosting is nothing but having multiple servers hosting the same content for better resource utilization. It eliminates the problems inbuilt with typical shared hosting infrastructures. It provides clients with a “clustered” handling of security, load balancing, and necessary website resources. A clustered hosting platform is data-driven (no human interaction is needed to condition a new account to the platform).

File hosting service
In file hosting files are hosted in place of web pages. Online file storage service is an Internet hosting service planned to host static content, typically large files that are not web pages through web and FTP access. File hosting service can be optimized for serving many users or optimized for single-user storage. Some file hosting services are video sharing, virtual storage and remote backup.

Image hosting service
It allow individual to upload images to an image host website. The uploaded image then stored onto image host server and shows the individual codes, which allow others to view that image. With the popularity of blogs, forums, auctions, and other interactive pages, image hosting services have become extremely popular among end users.

Video hosting service
It is also called as a video sharing which allows persons to upload video clips to a video host website, where it gets stored with the individual different types of code to allow others to view that video. Some examples of video hosts are Yahoo! Video, YouYube, Myspace etc.

Blog hosting service
Many weblog applications are accessible for users to download and install on their own systems. A extensive list of licenses are used by consumer hosted weblog software. Some of these are open-source software that can be used, modified, and redistributed freely, with no usage restrictions. Others are proprietary software that may be licensed for a fee or have versions available free of charge.

One-click hosting
Web service which allows internet users to easily upload one or more files from their hard drives onto the one-click host’s server free of charge. Mostly such services simply return a URL which can be given to other people, who can then fetch the file later on. Some internet forums exist in order to share such links; this type of file sharing has to a degree taken over from P2P filesharing services.

 

How to uninstall apf on a linux machine

You can use the following steps to uninstall apf on a linux machine:

First stop the apf service.

 

# /etc/rc.d/init.d/apf stop

Remove the apf files from the server.

 

# rm -Rf /etc/apf
# rm -Rf /etc/rc.d/init.d/apf
# rm -Rf /var/log/apf_log
# rm -Rf /var/log/apfados_log
# rm -Rf /usr/local/sbin/apf

Disable apf in the run levels.

 

# /sbin/chkconfig –level 345 apf off

Open up and remove this line:

 

# vi /etc/cron.daily/fw
/etc/rc.d/init.d/apf restart >> /dev/null 2>&1

 

Prevent hotlinking of images from .htaccess

Preventing Images Hotlinking on a Web Site

Bandwidth theft or hotlinking is a direct linking to web site’s files (images, video, etc.). It can be prevented with the mod_rewrite module.

Place rules like below into the .htaccess files for the domain (for example www.example.com):

 RewriteEngine on
RewriteCond % !^$
RewriteCond % !^http://(www\.)?example\.com(/)?.*$ [NC]
RewriteRule \.(gif|jpg|jpeg|png|swf)$ – [NC,F] 

 

How to Set Up and Create Sender Policy Framework (SPF) Domain DNS TXT Record.

About SPF: SPF (Sender Policy Framework)  is an open standard specifying a technical method that was created in order to stop and eliminate the forged or spoofed sender email addresses in the mail envelope SMTP MAIL FROM or Return-Path that commonly used in spam message.

SPF allows the owner of an Internet domain to use special format of DNS records (“SPF”) to specify which machines are authorized to transmit e-mail for that domain. For example, the owner of the example.net domain can designate which machines are authorized to send e-mail whose sender e-mail address ends with “@example.net”.

A typical example TXT record for SPF looks like this:

 

example.net.  TXT  “v=spf1 mx a:pluto.example.net include:aspmx.googlemail.com -all”
The parts of the SPF record mean the following:

v=spf1    SPF version 1
mx    the incoming mail servers (MXes) of the domain are authorized to also send mail for example.net
a: pluto.example.net    the machine pluto.example.net is authorized, too
include:aspmx.googlemail.com    everything considered legitimate by gmail.com is legitimate for example.net, too
-all    all other machines are not authorized

To check if your SPF record is correct, there are various SPF checker, tester or validator available like http://www.kitterman.com/spf/validate.html