I am dabbling with so much at the moment, and my working life is also quite busy so I guess this site just got left.

I spend a lot of time on github of late, so if you should wish you can keep track of what I am up to on there (although a lot of my repos are private :) ) http://www.github.com/nickpack

The iDroid

I have spent quite a bit of time recently messing around with Android on the iPhone, the project has gained some serious momentum in the recent couple of months and the project is getting to an almost usable state now (Once the power management stuff is sorted, it may well turn out to be a very viable alternative for iOS - this remains to be seen though)

Here are some resources pertaining to Android on the iPhone:

• Linux on iPhone - the blog of planetbeing, the man that started it all off in the first place.
• iDroid Project - the main forum and wiki for all things related to the iDroid.
• My unofficial file repository for iDroid - this is where I collect relevant source code and files and dump my compiles for the community.
• Bluerise’s Github - Bluerise at present is the most active contributor to the project (given planetbeings apparent absence)

There are also a couple of experimental repo’s on my github for my own testing, but be warned, these are VERY experimental and I am sure that most of the time the code will not compile without modification!

BandApp

I recently developed my first iPhone application, and will be launching it as a re-brandable service.

The initial version was built for my friends band ’The Nurse Who Loved Me’ and is intended as an interactive sampler for their music as well as allowing their fans to keep up to date with whats going on.

When I have ironed out a few minor issues, and sat down to discuss future features I will be putting together some pricing schedules and offering it to other bands should they wish for their own version of it.

I am also in the process of porting it to the android platform as I think this would also be beneficial.

You can check out the BandApp site here although this is also still a work in progress.

The Nurse Who Loved Me app can be downloaded from the app store now (Although I am waiting for the iOS4 compatible version to be approved by Apple)

I will attempt to keep this site updated in the near future, but at present there are just too many more important things to do :)

The Validator

Put this in library/Carbidefinger/Validate/Greaterthaneq.php

<?php
/**
 * Greater than or equal to Validator
 * 
 * @package Carbidefinger_Validate
 * @author Nick Pack <nick@carbidefinger.net>
 * @copyright Copyright (c) 2009, Carbide-Finger Ltd, All Rights Reserved
 */
class Carbidefinger_Validate_Greaterthaneq extends Zend_Validate_Abstract
{
  const NOT_GREATEREQUAL = 'notGreaterEqual';
  const MISSING_FIELD_NAME = 'missingFieldName';
  const INVALID_FIELD_NAME = 'invalidFieldName';

  /**
   * @var array
  */
  protected $_messageTemplates = array(
    self::MISSING_FIELD_NAME  =>
      'ERROR: Field name to match against was not provided.',
    self::INVALID_FIELD_NAME  =>
      'ERROR: The field "%fieldName%" was not provided to match against.',
    self::NOT_GREATEREQUAL =>
      'Is not more than or equal to %fieldTitle%.'
  );

  /**
   * @var array
  */
  protected $_messageVariables = array(
    'fieldName' => '_fieldName',
    'fieldTitle' => '_fieldTitle'
  );

  /**
   * Name of the field as it appear in the $context array.
   *
   * @var string
   */
  protected $_fieldName;

  /**
   * Title of the field to display in an error message.
   *
   * If evaluates to false then will be set to $this->_fieldName.
   *
   * @var string
  */
  protected $_fieldTitle;

  /**
   * Sets validator options
   *
   * @param  string $fieldName
   * @param  string $fieldTitle
   * @return void
  */
  public function __construct($fieldName, $fieldTitle = null) {
    $this->setFieldName($fieldName);
    $this->setFieldTitle($fieldTitle);
  }

  /**
   * Returns the field name.
   *
   * @return string
  */
  public function getFieldName() {
    return $this->_fieldName;
  }

  /**
   * Sets the field name.
   *
   * @param  string $fieldName
   * @return Zend_Validate_IdenticalField Provides a fluent interface
  */
  public function setFieldName($fieldName) {
    $this->_fieldName = $fieldName;
    return $this;
  }

  /**
   * Returns the field title.
   *
   * @return integer
  */
  public function getFieldTitle() {
    return $this->_fieldTitle;
  }

  /**
   * Sets the field title.
   *
   * @param  string:null $fieldTitle
   * @return Zend_Validate_IdenticalField Provides a fluent interface
  */
  public function setFieldTitle($fieldTitle = null) {
    $this->_fieldTitle = $fieldTitle ? $fieldTitle : $this->_fieldName;
    return $this;
  }

  /**
   * Defined by Zend_Validate_Interface
   *
   * Returns true if a field name has been set, the field name is available in the
   * context, and the value of that field name is greater than or equal to the provided value.
   *
   * @param  string $value
   *
   * @return boolean 
  */ 
  public function isValid($value, $context = null) {
    $this->_setValue($value);
    $field = $this->getFieldName();

    if (empty($field)) {
      $this->_error(self::MISSING_FIELD_NAME);
      return false;
    } elseif (!isset($context[$field])) {
      $this->_error(self::INVALID_FIELD_NAME);
      return false;
    } elseif (is_array($context)) {
      if ($value >= $context[$field]) {
        return true;
      }
    } elseif (is_string($context) && ($value >= $context)) {
      return true;
    }
    $this->_error(self::NOT_GREATEREQUAL);
    return false;
  }
}

Usage

To use this validator in Zend Form

$element->addPrefixPath(’Carbidefinger’,’Carbidefinger/’)  
     ->addValidator(’Greaterthaneq’, false, array(’FieldToMatch’));

If you've never come across MPTT and are curious as to what it is and why, there is an excellent article on sitepoint explaining the whys & what fors.

MPTT is used on this site for the site map, menus at the top and the breadcrumb navigation, due to the simplicity of retrieving parents and children, it is ideal for this purpose.

Hectors class simplifies the use of the pattern quite considerably, it is capable of building the traversal across the whole table just by a parent reference and provides simple methods to fetch a tree, to fetch all the ancestors of a row as well as all of the decendants of a row.

Hectors original post is on his blog go there to grab the source

Usage Examples

To use the modified preorder tree traversal algorithm in your table, you will initially have to do just a little bit of work but once it is set up everything should be automated for you.

Firstly, you will need to alter the table in your database and add columns to store the "left" and "right" values. (Remember that 'left' and 'right' are reserved words in SQL - so use something else or your queries will fail!)

Next, you will need to create your table class by extending Virgen_Db_Table, and declare the traversal properties.

<?php 
class MyTree extends Virgen_Db_Table
{
    protected $_name = 'tree_example';
    protected $_traversal = array(
        'left'          => 'THE NAME OF YOUR LEFT COL HERE',
        'right'         => 'THE NAME OF YOUR RIGHT COL HERE',
        'column'        => 'THE NAME OF YOUR PRIMARY KEY COL HERE',
        'refColumn'     => 'THE NAME OF YOUR PARENT ID COL HERE'
    );
}

Now when you insert a new record into your table, all of the left and right columns will be updated as necessary to reflect the new preorder tree.

If you have existing data in your table or want to rebuild the entire tree, Hector has provided a rebuildTreeTraversal() method.

<?php
$mytree = new MyTree();
$mytree->rebuildTreeTraversal();

Fetching Descendents of a Given Node

Once your tree is built, you can fetch all descendents of a node with fetchAllDescendents(). The first argument is the node to fetch the descendents of. The node can be either an instance of Zend_Db_Table_Row_Abstract or the string/numeric value of the columns id (based on $_traversal['column']). You can optionally pass in a select object to use as the second argument, which will be used when selecting the descendents (this is where to do any joins or where clauses).

 
<?php
// Fetch all of the children for row with the ID of 1 
$node = $mytree->find(1)->current();
$descendents = $mytree->fetchAllDescendents($node);
// Identical to:
$descendents = $mytree->fetchAllDescendents(1);

 
// With optional select object
$select = $mytree->select()->where('published = ?', 1)->limit(5);
$descendends = $mytree->fetchAllDescendents($node, $select);

Fetching Ancestors of a Given Node

You can also fetch the ancestors just as easily with fetchAllAncestors(). All ancestors from the immediate parent up to the root of the tree will be returned.

 
<?php
 
$ancestors = $mytree->fetchAllAncestors($node);

Fetching Nodes as a Tree

You can fetch nodes as a tree by calling $table->fetchTree(). Its functionality is similar to fetchDescendents, except that it returns a modified rowset in that each row contains a tree_depth value.

 
<?php
 
$tree = $mytree->fetchTree();
 
foreach ($tree as $node) {
    echo str_repeat(' ', $node->tree_depth * 4) . $node->id . PHP_EOL;
}

Restructuring the resultset for template iteration

This site uses PHPTAL as its template engine, as there is no simple way (it is possible, but is vastly over-complicated) to programatically iterate through the resultset in its returned form, so a simple loop to place all the children of parent rows into an associative array was needed!

For this to work you need to alter your tree fetch statement to the following

 
<?php
 
$tree = $mytree->fetchTree()->toArray();

and then loop through your tree like this

 
<?php

$menu = array(); 
$ref = array();

      foreach( $tree as $d ) {
    	$d['Children'] = array();
        if( isset( $ref[ $d['Parent_ID'] ] )) {
            $ref[ $d['Parent_ID'] ]['Children'][ $d['Row_ID'] ] = $d;
            $ref[ $d['Row_ID'] ] =& $ref[ $d['Parent_ID'] ]['Children'][ $d['Row_ID'] ];
        } else {
        	$menu[ $d['Row_ID'] ] = $d;
            $ref[ $d['Row_ID'] ] =& $menu[ $d['Row_ID'] ];
        }
     }

You are then left with a structured multidimensional array ($menu).

To produce a set of nested uniform lists recursively in TAL to display your tree, you'll need something like this

<ul metal:define-macro="output_list" tal:condition="menu">
    <li tal:repeat="list_item menu">
       ${list_item/Row_Name}
        <tal:block tal:define="tree list_item/Children" metal:use-macro="output_list" />
    </li>
</ul>
<tal:block metal:use-macro="output_list" />

A big thanks to Hector for his work on this

tqsfmu69b5

You can access it at http://www.nickpack.com/tools/rblcheck

Simply enter any IPv4 address into it and it will search a pre-defined list of RBL's for you, and will return details if their are any.

I am looking for suggestions for additional RBL lists to add to it, so please comment here if you need one that isnt there already..

Any feedback would be appreciated also.

The pattern itself leads some insight to the problem. Certain patterns will lead to numbered error codes which will provide further insight to the problem. The numbered error codes are described below their corresponding LED code.

Quick Links

• Sections 1,2,3 & 4 are flashing red
• Sections 1,3 & 4 are flashing red
• Sections 1 & 3 are flashing red
• Section 4 is flashing red
• Secondary Error Codes
• Console Reset Codes
• Sending your console in for repair
• Credits/Thanks

XBOX 360 ERROR Codes

After reading this guide if you'd like to discuss the problems you're experiencing with others you can do so in the following thread: http://forums.xbox-scene.com/index.php?showtopic=462099 these are the codes we know so far...

Please contribute if you know of new codes that are not part of this list.

Sections 1, 2, 3, and 4 are flashing red - The AV cable cannot be detected

THINGS TO TRY

1. Make sure that the AV cable is correctly connected to the Xbox 360 console.
2. Disconnect the AV cable from the Xbox 360 console, and then reconnect the AV cable to the Xbox 360 console.
3. If the four flashing red lights continue to flash, try wiping the metal area of the AV pack with a dry cloth. The metal area is the end that plugs into the console. Wipe the metal area thoroughly, and then try the AV Pack again.
4. If the AV cable is correctly connected but the four red lights are still flashing, substitute a different AV cable if you have one available.

Sections 1, 3, and 4 are flashing red - General Hardware Failure

Check the secondary Error Code per the instructions in the section below.

THINGS TO TRY

1. Try restarting the console.
2. If restarting the console does not resolve the behavior, follow these steps:
   • Turn the console off.
   • Unplug all the power and AV cables from the console.
   • Unplug the power cord from the wall socket.
   • Firmly reconnect all the cables.
   • Turn on the console.
3. If these steps do not resolve the behavior, turn the console off, remove the hard drive, and then turn on the console. If the 3x Red LED error light is no longer displayed, turn the console off, re-attach the hard drive, and then turn on the console.
4. Also examine the lights on the power supply. When you turn on the console, the power supply light should illuminate green even if the three lights on the RoL flash red.

Sections 1, and 3 are flashing red - Overheating

Alternatively Overheating can be caused by the console locking up or "freezing" after a set amount of time. Lockups that occur at a specific point in a game are generally problems with the game itself and not caused by overheating.

THINGS TO TRY

1. Let the Xbox 360 console cool.
   Note You may have to wait several hours for the console to cool enough. Do not turn on the console when the console is hot.
2. Verify that the console has sufficient ventilation and that the fan is operating. For more information about ventilation, see the "More Information" section.

PREVENTION SUGGESTIONS

To try to prevent this problem, use the following precautions:

• Do not block any ventilation openings on the Xbox 360 console.
• Do not put the Xbox 360 console on a bed, on a sofa, or on any other soft surface that may block ventilation openings.
• Do not put the Xbox 360 console in a confined space, such as a bookcase, a rack, or a stereo cabinet, unless the space is well-ventilated.
• Do not put the Xbox 360 console near any heat source, such as a radiator, a heat register, a stove, or an amplifier.

DO NOT EVER PUT YOUR CONSOLE IN THE FREEZER OR OUT IN COLD WEATHER

Some people think that doing this might help "fix" an overheating console, in fact doing so could cause even bigger problems. Electronic devices like your console are made to function at and around room temperature, extreme cold temperatures can often cause just as many problems as extreme warm temperatures (such as overheating). Also if the console is located in a dramatically cold area while running, the difference in temperature between the hot console and cold air can create condensation which in turn will short out your console making the situation far worse. Condensation will happen more quickly if your console is overheating due to the greater difference in temperature. In short... DON'T DO IT.

A more aggressive Solution to overheating is to improve the cooling system of the console. The best solution is to replace the thermal compound. If you attempt this you do so at your own risk. If you're console is still under warranty it is recommended that you contact MS for a replacement before attempting to fix it yourself.

Section 4 is flashing red - Hardware Failure

The Specific Type of hardware failure can be determined by the error code displayed on the screen.

If the screen is blank or you would like additional information follow the instructions for determining the secondary error code in the section below.

E45

Unknown (possibly dashboard update related)

E64

DVD Drive Error.... DVD Timeout, Wrong firmware, dvd is without f/w chip, etc.

E65

DVD Drive Error.... DVD Timeout, Wrong firmware, dvd is without f/w chip, etc. This can also be caused by the tray not being fully closed on boot.

E66

DVD Drive Error: DVD model, or version does not match that of the version expected by the dashboard. OR the firmware version on the drive is older then the firmware version expected by the dashboard. Make sure the DVD drive is of the same version originally included with the console and that it is using either the original firmware included with the console or newer.

E67

Hard Drive Error... It could be a problem with the Hard Drive itself or a problem with the internal connection to the hard drive, Try removing the hard drive and playing without it.

E68

Voltage Error... This error means that the Xbox 360 has insufficent power to function properly. This can be caused by an error in the hard drive or the fans that make them suck up too much power, it can also be caused if you have unnecessary accessories attached to the console like an external fan unit. Attempt to remove unnecessary accessories first, and then necessary components such as the hard drive and USB devices. If you have any case mods you may want to investigate those as well.

E69

Hard Drive Error... It could be a problem with the Hard Drive itself or a problem with the internal connection to the hard drive, Try removing the hard drive and playing without it.

E71

Possibly a dashboard update error, Check below in the "Console Reset Codes" for instructions. If that does not work there is no other solution and the console must be sent back to MS for repair.

E72

Error with the NAND flash

E73

General Hardware Error: Ethernet port... this error is caused by a problem with the Ethernet port.

E74

There is high chance it's a scaler chip problem (the "ANA" or "HANA" chip near the AV cable connection) it can also be caused by a faulty AV cable so check that first. In some cases it is a problem with the GPU and may be repairable by doing the x-clamp replacement (see error 0102)

E76

This error deals with the Ethernet port's controller chip, a dead chip may not cause the error but removing the Ethernet controller chip does, it may also be caused by other Ethernet related problems.

E79

Hard Drive Error... It could be a problem with the Hard Drive itself or a problem with the internal connection to the hard drive, Try removing the hard drive and playing without it.
According to tmbinc: E79 is the error code if xam.xex could not be started, i.e. probably a file system corruption.

E80

Wrong LDV version in NAND Flash. This is in new dashboard. You have the update but haven't R3T6 resistor. You can: -Downgrade to old dashboard, solder back the resistor and then update your xbox -If you have CPU Key, get current NAND Flash image and fix LDV (just add 1 up to latest kernel). (See error 1100)

Secondary Error Codes

The specific type of hardware failure can be determined by a "hidden" error code

1. Turn your 360 on, and wait for the red ring of death to show up.
2. Press and hold the sync button on the front of the 360 (Has a wireless icon next to it), keep it held down and press the eject button on the 360's DVD drive.
3. The lights will now indicate the first number in the error code.
4. Let go of the eject button and press it again.
5. The lights will now indicate the second number in the error code.
6. Let go of the eject button and press it again..
7. The lights will now indicate the third number in the error code..
8. Let go of the eject button and press it again.
9. The lights will now indicate the last number in the error code.
10. Let go of the eject button and press it again.
11. The lights will then turn back into the red ring of death.

Key To Error Codes

• All 4 LED's flashing = 0
• 1 LED flashing = 1
• 2 LED's flashing = 2
• 3 LED's flashing = 3

0001

power supply problem

0002

Network Interface problem (might be fixed by loosening the x-clamps)

0003

Power problem could be the PSU could be the GPU/CPU, somehow the console isn't getting clean power from the power supply.

0010

There is a problem with the Southbridge Chip usually dealing with how it connects to the mainboard (cold solder joint/bridged solder joints)

0011

CPU over heating - If you are receiving this error after disassembling your console make sure to all 8 of the heatsinc screws are tightened securely to the board/heatsink holes.

0012

GPU over heating -ensure your x-clamps are installed properly.

0013

RAM over heating

0020

GPU Malfunction, similar to error 0102

0021

This can be caused by two completely different things either:
A. DVD Drive Time out - Can be caused by problems with a firmware flash. This is also speculated to sometime be caused by a problem with the southbridge chipset on the motherboard based on how it connects to the DVD drive. B. GPU error, generally caused by a poor connection to the mainboard (cold solder joints/bridged solder joints) See error 102 for more information

0022

CPU error, generally caused by a poor connection to the mainboard (cold solder joints/bridged solder joints). This can also be triggered by an error with the TSOP.

0023

(not yet known)

0030

Problem with temperature control

0031

could be caused by a short between the heatsink and surrounding capacitors

0032

(not yet known)

0033

(not yet known)

0100

Likely a cold solder join in GPU or Ram chips (see error 0102)

0101

(not yet known)

0102

Error in the "Digital Backbone" (CPU/GPU/RAM), this is usually caused by a cold solder joint between the GPU and the mainboard.
There are two theories to fixing this one deals with the "X" clamps that hold down the chips. The other involves re-Heating the chips.
DO NOT attempt either of these if your console is still under warranty. If your console is still under warranty return it to the store where it was purchased or call MS to have it replaced.

0103

GPU Error this is usually caused by bridged solder points where the GPU connects to the mainboard. see error 0102 for more detailed information

0110

Ram error, this is caused by a cold or bridged solder joint on one of the Ram chips.

0200

(not yet known)

0203

over heating GPU possibly due to lack of thermal compound.

1000

Kernel can't be launched/signature in NAND Flash chip is broken! It could be possible after bad update. http://forums.xbox-scene.com/index.php?sho...p;#entry4156375 This might also be caused by a bad SATA cable.

1001

DVD Drive Error, either incorrect firmware or DVD Time out.

1002

DVD Drive Error, likely a firmware error, drive can eject, read, and write under windows but errors on console, replacing original firmware should fix issue.

1003

Hard Drive Error... It could be a problem with the Hard Drive itself or a problem with the internal connection to the hard drive, Try removing the hard drive and playing without it

1010

Hard Drive Error, Can be caused buy a corrupt or missing eProm. See also E68 above

1011

(not yet known)

1012

(not yet known)

1013

(not yet known) possibly a dashboard update error

1020

(not yet known)

1021

(not yet known)

1022

There is high chance it's a scaler chip problem (the "ANA" or "HANA" chip near the AV cable connection) it can also be caused by a faulty AV cable so check that first. In some cases it is a problem with the GPU and may be repairable by doing the x-clamp replacement (see error 0102)

1023

DVD drive not connected, connect DVD drive to boot

1030

This error deals with the Ethernet port's controller chip, a dead chip may not cause the error but removing the Ethernet controller chip does, it may also be caused by other Ethernet related problems.

1031

This error is for power problems with the RAM chips. It might be cause by a short between the heat sink and resistors or by more serious problems with the RAM. [more info]

1032

(not yet known)

1033

it could be cpu/gpu related or it could be psu related, not much info is known for sure.

1100

Wrong LDV version in NAND Flash. This is in new dashboard. You have the update but haven't R3T6 resistor. You can:
-Downgrade to old dashboard, solder back the resistor and then update your xbox
-If you have CPU Key, get current NAND Flash image and fix LDV (just add 1 up to latest kernel). (see error E80)

1444 and up

There is no "4" in the error codes four lights is a "0" go back and check your code again.

Console Reset Codes

Clear All Installed Game Updates and Console Cache

1. Go to the "system" blade
2. Select "memory"
3. Press Y on the HD symbol
4. Press X,X, Left Bumper, Right Bumper, X,X
5. A message will appear saying: "Do you want to perform maintenance on your Xbox 360 storage devices?"
6. Select Yes

Clear Any Failed system updates that cause the console to error.

1. With the console off, press and hold the sync up button (the small white one)
2. While holding the sync button press the power button to turn on the console
3. Continue to hold the sync button until the Console has booted up completely.
4. During the boot process the console should clear any failed updates, allowing you to use it normally.

Sending in your Console for Repair

If none of the above suggestions work, contact MS customer support get get a support ticket started. If your console is still under warranty DO NOT attempt to open it and fix it yourself. MS will fix it promptly and for free and if you open it you loose the free support.

Check the documentation that came with your Xbox 360 for contact information.

In the US Customer Support can be reached at 1-800-4-MY-XBOX (1-800-469-9269)

Thanks to the guys over at The Scenyx Entertainment Community for allowing us to mirror this.

After reading this guide if you'd like to discuss the problems you're experiencing with others you can do so in the following thread:
http://forums.xbox-scene.com/index.php?showtopic=462099

Thanks to community members for their help:

• posure
• diacronic
• XGC xINSANITYx
• tommiwan
• Team Modfreakz
• neoed30
• Xfab29
• rsintx
• BenS
• leorimolo
• CajunSniper
• gwashington42490
• G0t M4xx 21
• mp3boy
• bluefalcon
• ethylique
• MatrixNeo
• sodiumba
• Taher
• sniper68500
• fierygt
• letsmod
• maysam
• fire4adrymouth
• Chickan

Very Special Thanks to sowa99 who has single-handedly identified about half of the secondary error codes.

#!/usr/bin/perl
#WHMADDON:helloworld:Hello World <b>Example</b>

###############################################################################
# This is an example hello world WHM plugin feel free to modify it as you see fit
###############################################################################
# Load general use case perl modules
use lib '/usr/local/cpanel';
use Cpanel::cPanelFunctions ();
use Cpanel::Form            ();
use Cpanel::Config          ();
use Whostmgr::HTMLInterface ();

use Whostmgr::ACLS          ();
###############################################################################
print "Content-type: text/html\r\n\r\n";
# Check user has root permissions
Whostmgr::ACLS::init_acls();
if ( !Whostmgr::ACLS::hasroot() ) {
# User is not root, tell them where to go
print "You need to be root to see the hello world example.\n";

exit();
}

# Parse input parameters from GET and POST into $FORM{} for later use
my %FORM     = Cpanel::Form::parseform();

# Print a WHM Header
Whostmgr::HTMLInterface::defheader( "Hello World Example Plugin",'/path/to/logo.gif', '/cgi/addon_helloworld.cgi' );

# Print General Output
print "<p>Hello world indeed...</p>";

# End Example

1;

This is a basic plugin for Web Host Manager, for checking an IPv4 address in RBL's, written whilst I was experimenting with WHM's API's and perl in general.

I am releasing it as open source under the GPL in the hope that it might be useful to someone, perl is not my first language so please feel free to point out anything which you think needs improving (which I am almost certain bits of it will!)

I intend to spend some solid time on improving this, but for now, the basic script!

The plugin uses WHM's perl modules & the YUI library provided in all cPanel installations, its display is similar to that of most WHM functions.

Screenshots

Screenshot 1 | Screenshot 2

License

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/

Installation Instructions

For those of you who'd like to look at the code first: Direct Download of the Package

As root on your cPanel server, run the following commands to install the plugin.

 cd /usr/local/src

Download the package

wget http://www.nickpack.com/media/downloads/RBLChecker.tar

Extract the package

tar -xvf RBLChecker.tar

Change into the source directory

cd RBLChecker

Run the installer script

sh install.sh

Change out of the source directory

cd ..

Remove the source directory and downloaded package

rm -rfv /usr/local/src/RBL*

The plugin should now be installed, all the install stuff removed and the plugin now accessible through the plugins panel in WHM (If you cant see it, refresh the page in your browser)

Security

The plugin presently will only run as root from WHM, I dont have resellers and therefore had no need to make this available to them.

The script uses the cPanel::SafeFile perl module for file opening.

The code is freely readable, so feel free to check it over before you run it.

Dependencies

The script has 3 dependencies (the last two are installed by the install.sh script)

1. cPanel/WHM (Obviously)

2. Mail::RBL

3. RegExp::Common

Configuration

Adding and removing RBL's from the check

In /etc/nrbl you will see a file called rblists.conf, this is where the script gets its lists to check from, feel free to add your own to this file, they are checked in the order they appear in this file.

The script expects RBLs in the following format - 1 per line:

 Blacklist Name:uri.oflist.com 

Presently this file has no support for comments, this is something I plan to add.

Support

Please feel free to contact me if you need help, although most shouldnt need it due to the simplicity of the script.

Known Bugs

Trivial Display Bug - Due to a change in WHM::UI, header logo isnt presently rendering - awaiting fix from cPanel (Other third party scripts such as csf experiencing same bug)

Change Log

1b

Following an update to the cPanel internal YUI library, switch to use this instead of calling the API's directly from Yahoo - this prevents security warnings under SSL

Added YUI Container to indicate check is running (upcp style dialog)

1a

Added basic WHM branding via WHM::UI

This is complete fiction as I quite happily play half-life on my Mac Under OSX.

All you need to make this work is an Intel Mac, and a wonderful piece of software that I have used in the past on Linux systems to run windows apps.

The software is called CrossOver Mac, which is basically a nice front-end for Wine with installer capabilities.

I can confirm that I have played the following games perfectly normally on my mac mini under crossover:

• Half-Life
• Opposing Force
• Blue Shift
• Team Fortress Classic
• Counter Strike

Games I've yet to test are the later source series and half-life 2 but I will post back when I have run them up.

I am yet to try Cider but from what Ive been told thats supposed to run windows games far better.

Use of PBL's and suchlike would be much better but aren't entirely practical unless you have only business customers that ALL have static IP's (Which in reality will never happen) or seperate recieving SMTP servers from the ones your customers relay out through.

There is one part of this that I often get asked about so I will explain myself and let you know the implications of doing so before you do it.

I run my RBL checks at the HELO/EHLO stage of SMTP transactions, some will agree with me on this, others will beg to differ.

HELO/EHLO RBL checks - why and why not

I deliberatly reject SMTP transactions if the connecting address is in an RBL because:

1. If the sending address is in an RBL, there is a fair chance that they are in there because they have spammed/are a zombie machine - and who wants those on their network - I don't!
2. Exim likes to fill the logs with - Unexpected disconnection messages if you do it at rcpt stage.
3. Although negligable, why create more load processing the rcpt stage when you won't accept mail from that address anyway?
4. Most of my shared hosting clients are businesses with Business DSL & IT companies that can be contacted to remedy the situation fairly quickly.
5. If the worst comes to the worst, you can temporarily remove the checks of the nuisance RBL quickly & easily.
6. If the offending client IP is dynamic, getting the client to turn their router/modem off and back on again tends to pick up another IP.

The downside with the above is the distinct inability to whitelist IP's, even SMTP auth clients will fail at this stage.

My personal experience of this, is that it hasn't been too much of a problem for me - but then the company I work for doesn't have hundreds of servers to keep an eye on.

I will admit, it might not be entirely practical to implement with larger hosts but I haven't personally had any trouble.

The ACLs

Ok so now I've explained myself - on to the ACL's - I will be happy to answer any questions anyone may have

HELO/EHLO stage ACL's

Near the very top of your exim.conf you need to add:

Now for the helo acls

By the time it gets to here, its passed the checks, so let it go on to the next stage.

RCPT stage ACL's

Most exim servers already come with a RCPT stage ACL list of some nature, so in this instance we just need to add a few things to it.

Spammers like to forge some big names when they send you email. We can't easily check all of them, not until Sender Permitted From (SPF) is widely used. At least we can check for some of the most commonly abused domains, Yahoo, Hotmail, MSN, and AOL. These four filters will reject email with forged From: addresses containing the "big four" domains.

DATA stage ACL's

You should be running some form of spam filtering daemon on ANY public mail server - yes they are load heavy but until someone comes up with a way to remove spam at source (not likely) you should be filtering your mail.

I could go in to detail with SpamAssassin ACL checks here but I would imagine most people reading this have cPanel servers, as cPanel already installs and configures SA I'm going to skip it for now.

I have used varying levels of filtering and header checks with ACL's at data stage in the past, but they tend to be the most problematic when you have customers relaying out via your server.

A prime example of this is the common: Check Message ID acl (see rossz's list) - if a message hasn't been relayed through an SMTP server already, then it won't have a message ID header.

All we need to do now is add one final part to the exim config - within the RCPT acl which again commonly already exists on most servers.

Email should have a proper date header (E-mail client software tends to set this, so its normally ok to check it and reject if not found).

The workaround is to create the temporary directories in another location and symlink them into /tmp

First, create the new directories in a location that isn't noexec (here I have used /root but this can be replaced with anywhere that isnt noexec.

mkdir /root/tmp.pear
mkdir /root/tmp.pear-build-root

Now lets remove any old temporary pear directories.

Now lets symlink those dirs into /tmp (Again if need be replace /root with the location of your choice)

ln -s /root/tmp.pear /tmp/pear
ln -s /root/tmp.pear-build-root /tmp/pear-build-root

Thanks to 'twhite' on the cPanel forums for this one.

I've set up an amazon store, with some useful books that pertain to these tutorials and some that have helped me in the past getting to grips with things

My Amazon Store - Music & Books

Open /etc/named.conf
Undernieth this:

Add the following, substituting 111.222.333.444 for your servers primary IP address (if your server listens on any other addresses add those 1 per line in the acl as per the others in the list)
If you are running a DNS cluster be sure to add the IP addresses of your other DNS server into the list as well.

Next Find the options container and change it so that it looks like this:

Restart named and you should have a closed DNS server, You can add as many ACL's as you like for the different options such as recursion, notify & transfer to give you a bit more control , this tutorial is intended only to get you started.

YaBB has fairly crude regex matches for /^IIS/ coded into it, they are there so that the scripts don't output malformed headers on Windows systems.

Generally as a rule (Wherever possible) I tend to hide version numbers of all core daemons running on any public facing machine - or spoof them.

In this example I had configured apache on a customers server to return Microsoft-IIS/5.0 as its ServerTokens string (Ok not a major means of security - but every little helps) I then ended up with phone calls complaining of YaBB installs throwing 500 errors.

Because of YaBB's crude regex's it was throwing malformed (retarded) windows HTTP headers. So I decided to report it as a bug with YaBB's developers - baring in mind, I don't use YaBB and am not exactly a perl developer (although if I can work it out, how hard can it be!).

I can't say I was overly impressed with the response, I was told to comment out the IIS specific code rather than them fix it. (Great, thanks guys!).

I then politely posted back that it might be a wise idea to check the platform as well as the HTTP daemon (as quite obviously IIS doesn't run (well not stable anyway - good ole' wine) on anything other than windows.

I haven't yet had a response on that, and I know it isn't exactly a critical bug, so I posted it here just as a headsup for anyone that encounters the same issue.

The thread is here on YaBB's community forum if anyone is interested.

I will add to this when I get a chance but below is a VERY short list of my experiences with some of the most used control panels.

Plesk - Commercial

Home Page: http://www.swsoft.com

I found plesk to be stupidly simple to install, configure and use, however I soon found it to be extremely restrictive when you want to get a bit further under the bonnet and tweak the setup to your specific needs, and what the fuck is up with the partition schema and vhost arrangement?

The main annoyance for me, was the fact that more or less every feature I wanted to add to the build was a commercial extra (with an attached price tag) simple things such as spam assassin & an iptables configuration front-end (which is a requirement for more or less everyone nowadays), I don't really see how they can justify making you pay for open source software when everything else on the market offers you the same for free.

I guess my main hindrance with plesk was the fear of it breaking every 10 minutes if I manually added acls and configuration directives outside of the scope of the control panel, this for me is a major thing as the companies I do work for tend to have very specific requirements.

I also found the company, client & domain management way of thinking a little annoying and surplus to requirements.

Overall not particularly impressed, anyone with minimal linux knowledge would be frustrated when custom implementation is needed.

Webmin - Open Source

Home Page: http://www.webmin.com

Although overall im not really a fan of webmin, I have been known to use it in the past and I can't find an awful lot to complain about with it, it has no rivals for the amount of software modules you can plug into it and the amount of control it gives you over everything, my only bugbear with webmin is the user interface, and the way you navigate around the different areas, to a newbie it is a little confusing to use at first, but that said its very functional, very stable and also free (open source)!

ISPConfig - Open Source

Home Page: http://www.ispconfig.org/

I haven't used ISPConfig a great deal, I have a few gripes with the installer having tried to install it on low-spec VPS systems on my development testbed - Constantly running out of memory!

When I finally did get it working, it was far too much like plesk in terms of client & domain management and that was too much of a turn off for me - also my unfamiliarity with postfix didnt help much, It may well be brilliant and I apologise if I haven't given it enough of a chance but I don't think I'll be recommending it to anyone.

cPanel - Commercial

Home Page: http://www.cpanel.net

My control panel of choice, I haven't used anything that rivals it by a long shot yet, there is also a strong community of good, helpful people both in its staff and end-customers

I've found cPanel to be one of the least restrictive of the control panels I've used, it leaves you plenty of scope to customise your boxes as you need them, without it breaking every 10 minutes.

It does have some faults, but what automated system doesn't? Some of the updates have been a little dubious, and the changelogs are a bit lapse of late, but most of the issues it creates are either easily fixed or are promptly corrected by their staff.

I would recommend cPanel for those with a basic understanding of linux as its far less restrictive than plesk but has the tools and community support to help you out if you get stuck with it.

Configserver also have some great products for it that plug straight in, most free, some not.

Conclusion

So there is my very brief overview of experiences with control panel software, all of which were tested on CentOS boxes, when I get a bit more time, I will add more to this and try and make it a little more structured. That said, hope this helps somebody.

When money is no object, RHEL is my obvious choice, but when cost is a factor thats when CentOS comes in

What is CentOS

The Official Description is as follows:

CentOS is an Enterprise-class Linux Distribution derived from sources freely provided to the public by a prominent North American Enterprise Linux vendor. CentOS conforms fully with the upstream vendors redistribution policy and aims to be 100% binary compatible. (CentOS mainly changes packages to remove upstream vendor branding and artwork.) CentOS is free.

Basically what CentOS is, is Red Hat Enterprise Linux, compiled from source with all the Red Hat Branding Removed.

I cannot fault its stability, its never done me any harm therefore would strongly recommend it to anyone.

It has proved to be particularly good in a cPanel shared hosting environment.

Well what are you waiting for? Download it here!

Hiding the BIND Version

If you follow my Closing Open DNS Servers- BIND tutorial, it shows you how to set the version number to something very different.

PHP

Open up your php.ini (If you have Zend Optimizer on linux - normally /usr/local/Zend/etc/php.ini)

Press / and type expose_php

It should then throw you to the exposure line, edit the line so that it reads:

Then save and close the file, finally restart Apache

Now your server will no longer return the 'Powered By PHP v' header, please note though that it will be obvious when php pages are in use, this will hide the version from the http headers but doesnt ensure that the version number isnt exposed elsewhere (such as phpinfo pages etc)

Apache 1.3

Open up your httpd.conf (on a cPanel Server - /usr/local/apache/conf/httpd.conf)

Find the line that reads: ServerSignature on

Delete that line and replace it with the following 2 lines:

Save the file and then restart apache

Thats it, whenever a http header/an error page returns, all your server will say is 'Apache' rather than its full version number.

After some research, I decided to add RBL's and drop connections at SMTP time - that killed off a lot of unwanted mail traffic

The second thing to do was to set up MailScanners work directory as a ramdisk - You wouldn't believe the load decrease!

Heres How You Do It:

Then add this line to it:

You may want to tweak the size of the ramdisk, mailscanner state that it shouldnt use more than 64MB at any given time but I know people running more than that (Some up to 100MB) this will have to be trial and error.

Now Mount the RAMDisk

Check now that it actually mounted

Now tell MailScanner to use the new ramdisk as its working directory. If you use the WHM front-end from configserver, click on the MailScanner Configuration button.

If you installed it via the configserver install script (Which nearly all cPanel servers are) it is located at: /usr/mailscanner/etc/MailScanner.conf

In your MailScanner configuration file, find the line that begins:

Set that to the path of the ramdisk you just created, for example:

Then save the config file, and restart mailscanner, Job done!

Heres how you do it....

Go to the 'Exim Configuration Editor' in Web Host Manager and click the 'Advanced Editor' Button.

In the first box under '#!!# cPanel Exim 4 Config' add:

Then scroll down to the ACL section of the editor, which has
'#!!# These ACLs are crudely constructed from Exim 3 options.
#!!# They are almost certainly not optimal. You should study
#!!# them and rewrite as necessary.

begin acl' above it

In the first of the three boxes add:

That is the list of RBL's that are the least agrovation in shared hosting environments, It is also a good idea to add some additional ACL's from Exim ACL Spam Filters (rossz's list)

Save the exim configuration and your all done!

Create a file called globalaliases in /etc with the aliases one per line in the format: - The first part is the alias at any domain, the second is the recipient address, note that the first two are local users (convention is to forward roots mail in /etc/aliases)

In the directors part of your exim.conf file

You'll then have addresses that won't be interefered with by users having :fail: or :blackhole: Default Addresses.

(assuming you have vi installed, if not use pico or your preferred editor)
/etc/ssh/sshd_config is the common place for the ssh config file although this could vary dependant on your distro, if in doubt use locate to find the sshd_config file on your system.

Assuming you are using vi press: /

this puts vi into search mode, then type: #Port 22

which should take you to a block of config file that looks like:

Change The Listening Port
Start by uncommenting the #Port 22 line (by removing the hash in front of it you are uncommenting it) in vi you do this by pressing the I key to switch to INSERT mode (vi will display INSERT in the bottom left corner if you got it right) then use the delete key to remove the hash.

Next thing to do is to change the port number to something unusual (I would suggest 4 or 5 numbers in length)

Tread carefully with this as you dont want to use a port that another service runs on, a ports list is available HERE.

Deny SSH1 Connections
You should still be in INSERT mode in vi so scroll to the next line, uncomment it as per above and remove the , 1 part from the end, this prevents older ssh1 clients connecting.

Change the Binding Address
Next jump down to the ListenAddress line, uncomment it and change the 0.0.0.0 to one of the IP addresses you have been assigned by your service provider (I would try and keep this different from the address your dns for any domains you host resolves to if possible).

Deny Root Log in
Please ensure you have another user account on the server with shell access and that is part of the wheel group otherwise you will be locked out!

DO NOT CONTINUE UNLESS YOU HAVE A WHEEL GROUP USER

Its normally advisable to deny root logins from the shell, to do this press ESC on your keyboard to switch off INSERT mode in vi, then type: /#PermitRootLogin

the line it finds should look like: #PermitRootLogin yes

Press I to put vi back into insert mode, edit the line so that it looks like: PermitRootLogin no

With that option disabled you will have to log into your server as an unprivelidged user and use the su - command to change to root when you need elevated privelidges.

Restart SSH
Now all you need to do is restart sshd, I would suggest leaving your current SSH session open in case you messed up and cant log in again. To restart SSH on most distros type: /etc/init.d/ssh restart

Then try and log in to ssh via the IP address you set the bindaddress option to earlier, if it works you will have to log in as someone other than root.

Implementing the alert is a very simple process
log-in to your server as root
cd into /root
Open .bash_profile in your favourite editor (e.g. vi .bash_profile)
And add the following line to the bottom, replacing you@yourdomain.com with the e-mail address you would like the alerts to go to:

Harden SSH (I have a basic tutorial for this on my website, you will need to add an additional user to the server and add them to the wheel group to enable them to use the su command)

Edit the root bash profile so that it e-mails you every time somebody logs in as root (Not really hardening security but lets you know if you have been compromised)

Disable anonymous FTP (unless it is essential)

Disable telnet (if it isn’t already)
SSH into server and login as root.

change disable = no to disable = yes

Save and Exit

Edit /etc/motd  - Add a legal warning, as far as I know this has been used as an excuse to get hackers off of charges (in America admittedly, but wise to do anyway)

Disable shell access for accounts that will never be used.

Disable services that won’t be used, such as cups,ircd,vnc

Install APF (Advanced Policy Firewall) – http://www.rfxnetworks.com/apf.php - requires kernel iptables modules to be installed prior to install (These should be in most modern red hat kernels already) this is reasonably easy to install and well documented.

Install BFD (Brute Force Detection) for APF - http://www.rfxnetworks.com/bfd.php - this is one of the most useful security tools available, it sequentially checks the /var/log/secure log for failed logins, and automatically bans them in the firewall if they exceed the maximum amount of login failures.

Install RKHunter – http://www.rootkit.nl – another invaluable tool, this scans system binaries for known exploits and checks for root kits, again easy to install.

Securing Apache

Install mod_security for apache - http://www.modsecurity.org/ - a very useful tool for blocking known script exploits & filtering web requests, there are plenty of rule sets available for this that are very good.

Install mod_evasive - http://www.zdziarski.com/projects/mod_evasive/ - mod_evasive is an evasive manoeuvres module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack.

Securing PHP

Set the following parameters in the php.ini.

safe_mode = On
By enabling safe_mode parameter, PHP scripts are able to access files only when their owner is the owner of the PHP scripts. This is one of the most important security mechanisms built into the PHP. Effectively counteracts unauthorized attempts to access system files (e.g. /etc/paswd) and adds many restrictions that make unauthorized access more difficult.

safe_mode_gid = Off
When safe_mode is turned on and safe_mode_gid is turned off, PHP scripts are able to access files not only when UIDs are the same, but also when the group of the owner of the PHP script is the same as the group of the owner of the file.

open_basedir = directory[:...]
When the open_basedir parameter is enabled, PHP will be able to access only those files, which are placed in the specified directories (and subdirectories).

safe_mode_exec_dir = directory[:...]
When safe_mode is turned on, system(), exec() and other functions that execute system programs will refuse to start those programs, if they are not placed in the specified directory.

expose_php = Off
Turning off the "expose_php" parameter causes that PHP will not disclose information about itself in HTTP headers that are being sent to clients in responses to web requests.

register_globals = Off
When the register_globals parameter is turned on, all the EGPCS (Environment, GET, POST, Cookie and Server) variables are automatically registered as global variables. Because it can pose a serious security threat, it is strongly recommended to turn this parameter off (starting from the version 4.2.0, this parameter is turned off by default)

display_errors = Off
If the display_errors parameter is turned off, PHP errors and warnings are not being displayed. Because such warnings often reveal precious information like path names, SQL queries etc., it is strongly recommended to turn this parameter off on production servers.

log_errors = On
When log_errors is turned on, all the warnings and errors are logged into the file that is specified by the error_log parameter. If this file is not accessible, information about warnings and errors are logged by the Apache server. error_log = filename This parameter specifies the name of the file, which will be used to store information about warnings and errors (attention: this file must be writeable by the user or group apache)

To fix this error you need to:

mkdir /mytmp

Then edit /etc/cron.daily/logrotate and set the TMPDIR so it looks like this:

#!/bin/sh 
TMPDIR=/mytmp
export TMPDIR
/usr/sbin/logrotate /etc/logrotate.conf
EXITVALUE=$? 

if [ $EXITVALUE != 0 ]; then 
/usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0

Then run this to ensure its working ok:

/etc/cron.daily/logrotate

By adding a smart router you can act as the primary mx for a domain that actually isn't local to your server at all for example: I used this to push virus & spam filtered mail onto a customers Exchange Server negating the need for POP boxes.

To implement smart routers:

Then open /etc/staticroutes in your favourite text editor (vi is my preference) and add each domain you would like pushed on in the following format (one per line):

target.mail.server can be a FQDN or an IP address

In the Routers Configuration section of your exim.conf add the following:

Then after an exim restart you should have working smart routers (its always worthwhile to tail the exim_mainlog for a while afterwards just to make sure its ok)

Thanks to 'projectandrew' on the cPanel Forums for this one.

All credit goes to the original author, THIS IS NOT A DOCUMENT WRITTEN BY MYSELF so all rights go to the original author. rossz-work [at] vamos-wentworth [dot] org as well.

These antispam tips are for Exim 4.x. If you don't know how to modify the helo, rcpt, and data ACLs, then these suggestions won't do you much good.

HELO ACL

You can block a lot of spammers right after they say HELO. They have a tendency to lie but, fortunately, it's often easy to catch them in their lie.

The first thing a remote system is supposed to do when it connects is to say "HELO domain.com". It is legal to use an ip address with the HELO, but losing acceptance. A spammer might try to HELO with your own ip address. There is absolutely no legitimate reason for someone else to use your ip address here. Plug your own ip address in here where it says ##.##.##.##. Repeat this for each IP address you handle.

deny message = HELO/EHLO with my ip address. You are not me.
	log_message = HELO/EHLO my.ip
	condition = ${if eq {$sender_helo_name}{##.##.##.##}{yes}{no}}

Basically the same thing as the previous filter, but using your domain name instead of your ip address. You should repeat this filter for each domain you control.

deny message = HELO/EHLO with my domain name. You are not me.
	log_message = HELO/EHLO my.domain
	condition = ${if match {$sender_helo_name}{your-domain.com}    {yes}{no}}

Giving a domain name of 'none' isn't valid, so tell them to bugger off. This filter can be left out since the "period" filter below will catch it.

deny message = No HELO/EHLO name specified.
	log_message = HELO/EHLO none
	condition = ${if match {$sender_helo_name}{none} {yes}{no}}

A remote system saying they are localhost? Sure they are. This filter can also be omitted if you use the "period" filter below.

deny message = You are not localhost.
	log_message = HELO/EHLO localhost
	condition = ${if match {$sender_helo_name}{localhost}{yes}{no}}

A proper domain will contain at least one period. A good percentage of spam worms HELO with random characters without a period.

deny message = Invalid HELO/EHLO. You are either spam/a virus, or your system administrator has incorrectly configured your network.
	condition = ${if match{$sender_helo_name}{\\.}{no}{yes}}

RCPT ACL

Spammers like to forge some big names when they send you email. We can't easily check all of them, not until Sender Permitted From (SPF) is widely used. At least we can check for some of the most commonly abused domains, Yahoo, Hotmail, MSN, and AOL. These four filters will reject email with forged From: addresses containing the "big four" domains.

#Fake Yahoo
deny message = Suspected Faked Yahoo Account, E-mail Rejected.
	log_message = Fake Yahoo
	senders = *@yahoo.com
	condition = ${if match{$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}

#Fake Hotmail
deny message = Suspected Faked Hotmail Account, E-mail Rejected.
	log_message = Fake hotmail
	senders = *@hotmail.com
	condition = ${if match {$sender_host_name}{\Nhotmail.com$\N}{no}{yes}}

#Fake MSN
deny message = Suspected Faked MSN Account, E-mail Rejected.
	log_message = Fake MSN
	senders = *@msn.com
	condition = ${if match {$sender_host_name}{\N(hotmail|msn).com$\N}{no}{yes}}

# Fake AOL
deny message = Suspected Faked AOL Account, E-mail Rejected.
	log_message = Fake AOL
	senders = *@aol.com
	condition = ${if match {$sender_host_name}{\Nmx.aol.com$\N}{no}{yes}}

Of course, using a few good blacklists is a good idea. I put my blacklist checks immediately after the big four filters.

DATA ACL

A valid email should have a message id. Spamming software (and viruses) often don't. So refuse them. Note, this filter has been known to break the rare email sent from a highly customized Qmail server. Personally, I dont' care.

deny condition = ${if !def:h_Message-ID: {1}}
	message = Message SHOULD have Message-ID: but does not

Email should have a proper date. So goodbye if it doesn't.

deny condition = ${if !def:h_Date: {1}}
	message = Message SHOULD have Date: but does not

You'll need the Exiscan patch for the mime handling to work.

Required to do any mime handling, plus, a broken mime attachment might be an attempt to infect or break into your system.

deny message = Serious MIME defect detected ($demime_reason)
	log_message = Broken MIME ($mime_reason)
	demime = *
	condition = ${if >{$demime_errorlevel}{2}{1}{0}}

Refuse dangerous attachments. This gets a large number of viruses. It also catches a lot of spam with hidden surprises.

deny message = $found_extension files are not accepted here
	log_message = Dangerous extension ($found_extension)
	demime = com:vbs:bat:pif:scr:exe

For Windows clients, Microsoft has included a lovely little surprise. It is possible to attach a file with a CLSID in the name which causes Windows to hide the file extension. This is entirely independent of the "Hide file extensions for known file types" folder option. This is extremely dangerous, so lets just refuse the bastards.

deny message = Hiding of file extensions is not allowed!
	log_message = Dangerous extension (CLSID hidden)
	regex = ^(?i)Content-Disposition::(.*?)filename=\\s*"+((\{[a-hA-H0-9-]{25,}\})|((.*?)\\s{10,}(.*?)))"+\$

Having tried various methods and suggestions from other IT professionals, In the end I gave up.

Thankfully I found a really simple tool that enabled me to reclaim ownership of these folders and files so I thought I would post it here to save anyone else from the same data-loss problems.

The tool is a very simple folder locking tool (Just simply applies a password to any NTFS folder) called DirLock.

Out of curiousity I decided to try it on the re-direction folders, It's as simple as locking the folder with it, then unlocking it again to restore ownership of all files and subfolders to the administrators account.

Hopefully this information is some use to somebody.

See the download.com review of, and download DirLock