What's SPF

SPF (Sender Policy Framework)

Sender Policy Framework (SPF) is an email validation system designed to prevent email spam by detecting email spoofing, a common vulnerability, by verifying sender IP addresses. SPF allows administrators to specify which hosts are allowed to send mail from a given domain by creating a specific SPF record (or TXT record) in the Domain Name System (DNS). Mail exchangers use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain’s administrators.

If your email is sent from the IP of your domain, then you don’t need to set it at all.

You can use https://senderscore.org/ to test the score of your domain.
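As an added illustration (not part of the original post), here is a small evaluator for the receiving side of the check described above: it parses a published SPF record and decides whether a given sender IP is allowed to send mail as that domain. The TXT records are a constructed in-memory table standing in for DNS lookups, and only the ip4, ip6, include and all terms are handled, since a and mx need live DNS.

```python
import ipaddress

# Constructed sample TXT records standing in for DNS (not real domains' data).
SAMPLE_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# Qualifier prefix on a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, sender_ip, records=SAMPLE_RECORDS, _lookups=None):
    """Return pass / fail / softfail / neutral / none / permerror for sender_ip
    claiming to send mail as `domain`. 'none' means no SPF record is published;
    'permerror' means the record is malformed or exceeds the RFC 7208 limit of
    10 DNS-querying mechanisms (which also stops include loops)."""
    lookups = _lookups if _lookups is not None else [0]
    record = records.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                       # a bare mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                     # catch-all, ends evaluation
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > 10:
                return "permerror"
            inner = evaluate_spf(arg, sender_ip, records, lookups)
            if inner == "pass":               # include matches only on pass
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        else:                                 # a, mx, exists, modifiers: unsupported
            return "permerror"
    return "neutral"                          # nothing matched, no 'all' given
```

A mail receiver would typically treat "fail" as a reason to reject or quarantine and "softfail" as a weaker signal to feed into spam scoring.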


Simple Javascript Inheritance

You can understand what the code below is doing.

// Class is the base constructor from the Simple JavaScript Inheritance article
// linked below ("Original article"); it provides extend() and the _super helper.
var Person = Class.extend({
  init: function(isDancing){
    this.dancing = isDancing;
  },
  dance: function(){
    return this.dancing;
  }
});
var Ninja = Person.extend({
  init: function(){
    this._super( false );
  },
  dance: function(){
    // Call the inherited version of dance()
    return this._super();
  },
  swingSword: function(){
    return true;
  }
});

var p = new Person(true);
p.dance(); // => true

var n = new Ninja();
n.dance(); // => false
n.swingSword(); // => true

// Should all be true
p instanceof Person && p instanceof Class &&
n instanceof Ninja && n instanceof Person && n instanceof Class

I found this because I read it in the source code of an open-source online game (BrowserQuest), which is based on node.js and HTML5 WebSocket.

Original article


Basic Security issues which programmers need to know

  • Don’t trust user input!
  • Validate all input from untrusted sources, using whitelists, not blacklists.
  • Plan for security from the very start. Security is not something that can be bolted on at the end.
  • Keep it simple. Complexity increases the likelihood of security vulnerabilities.
  • Keep your program’s attack surface [http://en.wikipedia.org/wiki/Attack_surface] to a minimum.
  • Make sure the program fails safe (fail-safe) [http://en.wikipedia.org/wiki/Fail-safe]
  • Use defence in depth [https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/principles/347-BSI.html]
  • Stick to the principle of least privilege [https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/principles/351-BSI.html]
  • Use threat modelling [http://www.owasp.org/index.php/Threat_Risk_Modeling] (all the more so for web applications)
  • Compartmentalize [http://www.cgisecurity.com/owasp/html/ch04s09.html]
  • There are no airtight walls; secrets hidden in code never stay hidden for long.
  • Don’t write your own crypto
  • Using crypto does not mean you are secure (attackers will look for weaknesses)
  • Watch out for buffer overflows, and know how to prevent them

How to check how many connections are connected to one process

Since I am going to look at how many connections are connected to one process, I need such a command:

lsof -a -i -p <pid>

And to see how many open file descriptors are currently in use:

cat /proc/sys/fs/file-nr


Get an error from eventmachine

Today I was doing a test to see how many concurrent connections eventmachine can support, but got an error like this.

ruby: ed.cpp:938: void ConnectionDescriptor::_WriteOutboundData(): Assertion `nbytes > 0' failed.

After investigation I found the solution:

  • Only call EM.epoll before calling EM.run
  • Only call EM.set_descriptor_table_size before calling EM.run