Using Kiwi to protect mailto: URLs


Making a web page with a Kiwi-enabled email address
The clicrypt program
The .kiwirc file
Making a wrapper for clicrypt
Security considerations
Testing the web page with the Kiwi enabled address


Frequently, people with web pages wish to make their email address available on the World Wide Web. Unfortunately, it is common for bulk emailers to run automated programs that obtain email addresses from web pages. With the list of obtained email address, the bulk mailer sends out unwanted commercial email.

One way of approaching this problem is to configure the web server to look for programs of that nature hitting the web server, and redirect all such request to the output of programs like Wpoison. Wpoison is a program the generates random, nonfunctional email address, which makes the use of programs that automatically gather email addresses on the web ineffective.

While programs like Wpoison are very effective when we can determine that it is an email-addressing gathering program hitting our web server, many such programs will carefully disguise their nature.

Kiwi can be utilized so as to help us further thwart such programs. The clicrypt program can be used in a server side include to trace where people are gathering email addresses. (A server side include is a feature most web servers have that allows web pages to run programs to determine their content.)

This allows us to determine where someone obtained an email address to send us unwanted mail. We can take necessary action. For example, we could look at our web server logs to find out when they obtained the email address in question, or simply filter out any connections from that machine. We could also, on Qmail systems, disable the email address that they obtained by their email address gathering program.

The use of Kiwi-enabled addresses on web pages gives us more flexibility in handling automated programs that gather email address on web pages. The rest of this document describes how to implement these features.


In order to have Kiwi-enabled email addresses on your web pages, you need the following:

Making a web page with a Kiwi-enabled email address

The HTML code to a mailto: link with a Kiwi-enabled address will look something like this:

<A HREF=mailto:user+<!--#exec cmd="/home/yourusername/clicrypt_wrapper"-->>
Where is your email address before the Kiwi cookie is added to it, and /home/yourusername/clicrypt_wrapper is a small program what will change the KIWIRC environmental variable, and then call clicrypt.

Note that the above html will only function in an SSI-enabled web page.

The clicrypt program

The clicrypt program is one of the programs included with the Kiwi software suite. It is compiled when the Kiwi suite is compiled. See the file Start.html for information on how to set up and compile the Kiwi suite.

By default, make install places clicrypt in /usr/local/bin directory with the name clicrypt.

The .kiwirc file

The clicrypt program looks for a .kiwirc file using the following rules:

Making a wrapper for clicrypt

On most web servers, ssi pages are run as the nobody user, which means, instead of calling clicrypt directly from the ssi-enabled webpage, we run a wrapper program which does the following two things: Here is what such a program would look like if written in C:
main() {
    execl("/usr/local/bin/clicrypt","clicrypt",(char *)0);

In the above exmaple program, replace /home/yourusername/hidden/.kiwirc with the path to the kiwirc file you wish clicrypt to use. If clicrypt is not in its default location (/usr/local/bin), replace /usr/local/bin/clicrypt with the path to clicrypt with the path to clicrypt on your system.

Here is one way of converting the above C code to a wrapper for the clicrypt program:

Security considerations

In order for this to run, the kiwirc file in question needs to be readable by the user the web server runs ssi scripts as, usually the nobody user.

For security reasons, this setup should only be run on systems where you trust the other users on your system. You can get some level of protection from untrusted users, by doing the following:

Note that some versions of Unix have ways of reading a binary file with 711 permissions, so this method is not always secure.

Testing the web page with the Kiwi enabled address

Go to the web page containing the Kiwi-enabled email address. Verify that the SSI correctly created an email address with a Kiwi cookie. Next, send a message to the address on the web page.

Once you get the message, look at the email address the message was sent to. You may have to enable viewing of full headers on your mail user agent to do this.

The email address the example mail sent to yourself above will be in this form:
Where user is your username, cookie is an encrypted cookie that looks like 2gbn5tn or gq4y5ci, and is the host and domain name portion of your email address.

To the information stored in the email address' cookie, type in the following commands at a Unix shell prompt:

$ /usr/local/bin/decode
Where /usr/local/bin/decode is the location the decode symlink to the clicrypt binary is located. Use the cut and paste functionality of the environment your mail user agent is in to paste the above cookie.

The next step is to use the paste functionality of your environment to paste the above cookie. After pasting the above cookie, hit the return key.

The output from the decode program will look something like this:

Data type: 28BIT IP BLOCK
The message portion of deocde's output will contain, within a range of 16 ips, the ip that you viewed the web page from. (The reason for the 16-ip range is because the Kiwi specification does not give us a finer resolution.)

With this information, you can look at the logs, and determine when and where someone obtained the email address in question.