WebHSP Community Forums
Author Topic: Best Practices - You Can Help!!  (Read 7633 times)
Pat (Administrator)
« on: April 24, 2005, 10:39:46 AM »

To ensure a secure and high performance server, there are many security and processing tips that we would like to share.   These are what we call 'Best Practices' for users on a shared hosting environment.  Of course VPS and Dedicated server owners will also benefit from following these tips.

We hope you find them helpful and informative.
1. Passwords

Many sites are compromised due to using insecure passwords. It is important that you use passwords that are more difficult for the script kiddies to hack.

  • no shorter than 8 characters
  • should be a mix of alpha and numeric characters
  • should include upper and lower case alpha characters
  • should not spell a word in the dictionary
  • change your password on a regular basis

2. Scripts and Programs

Customers should keep their scripts and programs updated to the most recent secure release from the Vendor.  Many of the scripts are compromised because they are using older versions, have set their directories to world-writable (chmod 777) and/or easy admin passwords.

Insecure scripts are easily compromised. vBulletin, PHP Nuke, PHPBB and Formmail are the most common scripts compromised. Also, some scripts are just insecure.  PHP Nuke falls into that category in our opinion.  Evildoers are able to access the forums and formmail to send out large volumes of email or instigate outgoing DoS attacks, which puts the servers at risk from a performance and a spam block standpoint.

  • Scripts installed via cPanel or Fantastico can easily be kept up-to-date through your cPanel.
  • Scripts installed via Plesk can be kept updated through your Plesk control panel.
  • Ask your webmaster to ensure the 3rd party scripts they install are kept up-to-date.

3. Use :fail: instead of :blackhole:

Many customers do not want to receive all the junk email that comes through and set their email to :blackhole:.  Blackhole is much more server intensive than :fail:, so if you have any :blackhole: settings in your email settings, we recommend you change these to :fail: and always use :fail: in future.

4. Scripts and email settings

When setting up 3rd party PHP scripts that require outgoing email, such as forums, for example, set a valid email address from the domain the script is installed on and make sure the "SMTP authentication is required" setting is set to 'yes'.  Without these settings, your emails may fail.

5. Do not chmod Directories to 777

Do not set your directories to be world-writable (chmod 777). Those directories open the server up for abuse and compromise because anyone can write to those directories, including uploading malicious scripts.
« Last Edit: April 24, 2005, 12:50:20 PM by Pat »

Pat
Web HSP
Mark
« Reply #1 on: May 04, 2005, 12:04:52 PM »

Quote
  • Use :fail: instead of :blackhole:
I'd been using :blackhole: for years, and never noticed any problem. After reading this, I changed it to :fail:. But now I'm getting bounce messages for emails addressed to invalid addresses on my domains, which is bothersome. So I'm thinking of going back to :blackhole:

Any comments?

Trish
« Reply #2 on: May 04, 2005, 04:00:39 PM »

I've never gotten that with :fail:. I screen email for one client and it got to the point of almost complete saturation with spam, so I set up a couple of boxes and had all unrouted email (i.e. anything addressed to other than those specific boxes) set to ":fail: no such address here". I know the spammers sure didn't stop but I didn't get a single bounce message after that, and what a delight to check email with not one piece of spam ever coming through.

Maybe double-check your settings, Mark?

Just for those who might need the guidance - you do this in your CPanel under Mail --> Default Address -->Set Default Address. Any mail not addressed to a specific existing mailbox will then bounce back to the sender.

Thanks for all the useful info, Pat. I'll be checking into some things on my accounts.

Pat (Administrator)
« Reply #3 on: May 04, 2005, 07:47:06 PM »

Hi,

Trish, thanks for the great response.  Howard (one of our techs) was going to respond to this post for me and informed me you beat him to it and were right on.

You did a nice job of explaining 'how to' which I'm sure many folks will appreciate.

Mark, if you continue to have problems, feel free to open a ticket so one of our techs can review your setup for you.  :fail: is so much easier on the server that we'd really prefer everyone to use it.

Sincerely,

Pat

Pat
Web HSP
Trish
« Reply #4 on: May 05, 2005, 08:04:40 AM »

Thanks for the kind words.

Here's an anti-spam measure I have used on some websites, just a small bit of javascript which will hide your email address from the spambots despite it being displayed on your site.  I am no programmer and don't know if this is the best method (maybe someone with more knowledge can back this up or show a better way), but it's been working for me. I never get spam at the addresses I've cloaked with this. If you're already getting spam, you might want to set up a new email address first and then cloak it like this on your site.

Just insert this script in the HTML of the web page where you want the address to show. This example uses joesmith@yourdomain.com as the email address we want to cloak:


Code:
<script type="text/javascript">
<!--
// the local part ("joesmith") is split so the full address never appears in the page source
addy2 = 'yourdomain.com';
addy1 = 'joe';
addy = (addy1 + 'smith' + '@' + addy2);   // reassembles joesmith@yourdomain.com
document.write('<a href="mailto:' + addy + '">' + addy + '</a>');
//-->
</script>

You just change these three lines to your own information:

addy2='yourdomain.com'
addy1='joe'
addy=(addy1 + 'smith' + '@' + addy2)

Basically you are splitting the 'joesmith' part of the address into 2 parts (you can split it any way you like - 'j' and 'oesmith', for example), then the script combines all the parts. The end result is a normal clickable email link to your visitors, but not readable by the spambots.
Pat (Administrator)
« Reply #5 on: May 05, 2005, 08:22:19 AM »

Hi Trish,

This is awesome information.  I'm sure professional designers know this, but I edit a lot of our website information myself and if you notice, have not posted any email addresses because of this reason.

Thanks for the tip!!!

Pat

Pat
Web HSP
Mark
« Reply #6 on: May 05, 2005, 10:26:46 AM »

I'm only getting a few of the emails I called "bounce" messages in my prior post, and looking at them more carefully I don't think they are what I said before. I think they are just spam addressed to a non-existent address in my domain, probably with, in Bcc, an address that I don't publicize but that has gotten out a little bit.

So never mind what I said.

It's a good discussion though.

Pat (Administrator)
« Reply #7 on: May 05, 2005, 11:44:25 AM »

Quote
It's a good discussion though.

Wow, see how informative of a discussion a misunderstanding created?  Cool!


Pat
Web HSP
WHSP-Jarrod (Guest)
« Reply #8 on: May 09, 2005, 05:27:07 AM »

Here are a few resources that may be useful:

http://www.randpass.com/cgi-bin/randpass

The above is a random password generator that will create 10 passwords that conform to Pat's suggestions above.

Just a note of warning, however, when creating passwords for MySQL database users, avoid using the @ symbol, as certain web applications will get confused by this, as that symbol usually indicates the start of the server name where the MySQL database resides.

http://automaticlabs.com/products/enkoderform

This tool will also hide e-mail addresses from spambots with an extremely high degree of success.  Some spambots are able to read the source of a webpage to pick out e-mail addresses, but the Enkoder form here even prevents that.

Hope these help!
« Last Edit: May 09, 2005, 05:27:32 AM by WHSP-Jarrod »
Notawiz
« Reply #9 on: August 29, 2005, 10:20:16 AM »

Hi,

There are also some other ways:

- use the escape() and unescape() functions of JavaScript (see the complete code sample);
- use PHP or Perl to turn the email address into a graphic inside an <img> tag.

But if you can, use a form, because the biggest flaw of a "mailto" link is that you lose the opportunity to store the message content directly into your database for later use.

But hey, I've seen forms like this:
Code:
<form action="mailto:mymail@mydomain.com" method="post">
...
</form>
and that is REALLY silly!

Hope this also helps.
Jan Van Aerschot
Xquisitus Technical Director