Introduction

Frequently, people with web pages wish to make their email address
available on the World Wide Web. Unfortunately, it is common for bulk
emailers to run automated programs that obtain email addresses from web
pages. With the list of obtained email addresses, the bulk mailer sends
out unwanted commercial email.

One way of approaching this problem is to configure the web server to look
for programs of that nature hitting the web server, and redirect all such
requests to the output of programs like Wpoison. Wpoison is a program
that generates random, nonfunctional email addresses, which makes the use
of programs that automatically gather email addresses on the web
ineffective.

While programs like Wpoison are very effective when we can determine that
it is an email-address-gathering program hitting our web server, many
such programs will carefully disguise their nature.

Kiwi can be utilized so as to help us further thwart such programs. The
clicrypt program can be used in a server side include to trace where
people are gathering email addresses. (A server side include is a feature
most web servers have that allows web pages to run programs to determine
their content.)

This allows us to determine where someone obtained an email address to
send us unwanted mail. We can then take the necessary action. For example,
we could look at our web server logs to find out when they obtained the
email address in question, or simply filter out any connections from that
machine. We could also, on Qmail systems, disable the email address that
they obtained with their email-address-gathering program.

The use of Kiwi-enabled addresses on web pages gives us more
flexibility in handling automated programs that gather email addresses on
web pages. The rest of this document describes how to implement these
features.

Requirements

In order to have Kiwi-enabled email addresses on your web pages, you need
the following:

  - REMOTE_ADDR to contain the IP used to view an SSI-enabled web page.
    Most (if not all) SSI-enabled web servers will do this.

Making a web page with a Kiwi-enabled email address

The HTML code for a mailto: link with a Kiwi-enabled address will look
something like this:

    <A HREF=mailto:user+<!--#exec cmd="/home/yourusername/clicrypt_wrapper"-->@host.domain.com>

Where user@host.domain.com is your email address before the Kiwi cookie
is added to it, and /home/yourusername/clicrypt_wrapper is a small program
that will change the KIWIRC environmental variable, and then call
clicrypt.

Note that the above HTML will only function in an SSI-enabled web page.

The clicrypt program

The clicrypt program is one of the programs included with the Kiwi
software suite. It is compiled when the Kiwi suite is compiled. See the
file Start.html for information on how to set up and compile the Kiwi
suite.

By default, make install places clicrypt in the /usr/local/bin directory
with the name clicrypt.

The .kiwirc file

The clicrypt program looks for a .kiwirc file using the following rules:

  - If KIWIRC is defined, the value of KIWIRC is the location of the
    KIWIRC file.
  - If HOME is defined, look for a file named .kiwirc in the directory
    HOME points to.
  - Determine the uid the clicrypt process is running as (using geteuid),
    find out the home directory of that uid, and look for a .kiwirc file
    there.

Making a wrapper for clicrypt

On most web servers, ssi pages are run as the nobody user, which means,
instead of calling clicrypt directly from the ssi-enabled webpage, we run
a wrapper program which does the following two things:

  - Changes the KIWIRC environmental variable
  - Calls the clicrypt program

Here is what such a program would look like if written in C:

    #include <stdlib.h>
    #include <unistd.h>
    int main(void) {
        /* Tell clicrypt which kiwirc file to use, then run it. */
        setenv("KIWIRC", "/home/yourusername/hidden/kiwirc", 1);
        execl("/usr/local/bin/clicrypt", "clicrypt", (char *)0);
        return 1; /* reached only if execl fails */
    }

In the above example program, replace /home/yourusername/hidden/.kiwirc
with the path to the kiwirc file you wish clicrypt to use. If clicrypt is
not in its default location (/usr/local/bin), replace
/usr/local/bin/clicrypt with the path to clicrypt on your system.

Here is one way of converting the above C code to a wrapper for the
clicrypt program:

  - Save the code in a file named clicrypt_wrapper.c
  - Compile it: cc -o clicrypt_wrapper clicrypt_wrapper.c

Security considerations

In order for this to run, the kiwirc file in question needs to be readable
by the user the web server runs ssi scripts as, usually the nobody user.

For security reasons, this setup should only be run on systems
where you trust the other users on your system. You can get some level
of protection from untrusted users by doing the following:

  - Make a directory named hidden
  - Make hidden unreadable by other users on your system with
    chmod 711 hidden
  - kgu23y34nvcmnq
  - KIWIRC to the hidden directory.
  - chmod 711 clicrypt_wrapper
  - clicrypt_wrapper

Note that some versions of Unix have ways of reading a binary file with
711 permissions, so this method is not always secure.
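
A check of the permissions named in the security steps (711 on the hidden directory and on clicrypt_wrapper, kiwirc readable by the web server user). This is an added example, not part of Kiwi: audit_layout, audit_sample, the result codes and the /tmp paths are constructed for illustration, and it assumes the web server user reads kiwirc through the "other" permission bits.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical result codes for this example; not part of Kiwi. */
enum { LAYOUT_OK, E_STAT, E_DIR_LISTABLE, E_DIR_NOSEARCH,
       E_RC_UNREADABLE, E_WRAPPER_READABLE };

/* Checks the three paths against the permissions the page describes. */
int audit_layout(const char *dir, const char *rc, const char *wrapper) {
    struct stat d, f, w;
    if (stat(dir, &d) || stat(rc, &f) || stat(wrapper, &w)) return E_STAT;
    if (!S_ISDIR(d.st_mode) || !S_ISREG(f.st_mode)) return E_STAT;
    /* chmod 711 hidden: other users may pass through, but not list it. */
    if (d.st_mode & (S_IRGRP | S_IROTH)) return E_DIR_LISTABLE;
    if (!(d.st_mode & S_IXOTH)) return E_DIR_NOSEARCH;
    /* Assumption: the web server user reads kiwirc via the "other" bits. */
    if (!(f.st_mode & S_IROTH)) return E_RC_UNREADABLE;
    /* chmod 711 clicrypt_wrapper: runnable by others, while the kiwirc
       path compiled into the binary is not meant to be readable. */
    if (w.st_mode & (S_IRGRP | S_IROTH)) return E_WRAPPER_READABLE;
    return LAYOUT_OK;
}

/* Builds a constructed layout in a temp directory, audits it, cleans up. */
int audit_sample(mode_t dir_mode, mode_t wrapper_mode) {
    char base[] = "/tmp/kiwi-audit-XXXXXX", dir[64], rc[96], wr[96];
    int result;
    if (mkdtemp(base) == NULL) return -1;
    snprintf(dir, sizeof dir, "%s/hidden", base);
    snprintf(rc, sizeof rc, "%s/kiwirc", dir);
    snprintf(wr, sizeof wr, "%s/clicrypt_wrapper", base);
    mkdir(dir, 0700);
    close(open(rc, O_CREAT | O_WRONLY, 0644));
    close(open(wr, O_CREAT | O_WRONLY, 0700));
    chmod(rc, 0644); chmod(wr, wrapper_mode); chmod(dir, dir_mode);
    result = audit_layout(dir, rc, wr);
    unlink(rc); unlink(wr); rmdir(dir); rmdir(base);
    return result;
}

int main(void) {
    printf("711/711 -> %d\n", audit_sample(0711, 0711));
    printf("755/711 -> %d\n", audit_sample(0755, 0711));
    return 0;
}
```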
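
The .kiwirc lookup rules from "The .kiwirc file", written out as a first-match chain, which shows why the wrapper sets KIWIRC instead of relying on HOME or the effective uid. This is an added example, not code from Kiwi: resolve_kiwirc is a hypothetical helper, and treating the three rules as ordered fallbacks is an assumption.

```c
#define _POSIX_C_SOURCE 200809L   /* for setenv()/unsetenv() in callers */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not a Kiwi function. Writes the chosen path to out
   and returns 1, 2 or 3 for the rule that matched, or -1 if no rule
   applies or the path does not fit in the buffer. */
int resolve_kiwirc(char *out, size_t len) {
    const char *v = getenv("KIWIRC");
    int n, rule;
    if (v != NULL) {                            /* rule 1: KIWIRC is the file */
        n = snprintf(out, len, "%s", v);
        rule = 1;
    } else if ((v = getenv("HOME")) != NULL) {  /* rule 2: $HOME/.kiwirc */
        n = snprintf(out, len, "%s/.kiwirc", v);
        rule = 2;
    } else {                                    /* rule 3: home of the euid */
        struct passwd *pw = getpwuid(geteuid());
        if (pw == NULL || pw->pw_dir == NULL) return -1;
        n = snprintf(out, len, "%s/.kiwirc", pw->pw_dir);
        rule = 3;
    }
    return (n < 0 || (size_t)n >= len) ? -1 : rule;
}

int main(void) {
    char path[4096];
    int rule = resolve_kiwirc(path, sizeof path);
    if (rule < 0) {
        fprintf(stderr, "no kiwirc location found\n");
        return 1;
    }
    /* Run as nobody from an SSI page, rule 3 resolves to nobody's home
       directory rather than yours, so the wrapper uses rule 1. */
    printf("rule %d -> %s\n", rule, path);
    return 0;
}
```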