PHP Spam Poison (phpwpoison) 1.2.0.

Features.

• It uses PHP, so no CGI access is needed.
• Fast and lightweight.
• Highly configurable.
• Can be included by others PHP pages.
• Require software available in most hosting services.
• Doesn't require a SQL database.
• Works in Linux/Unix and Windows servers (with IIS or Apache).
• GPL license (open-source).
• Simple to install.

Demo.

Check out this demostration page:
demonstration page.

Requirements.

• Required: PHP 4.1.x or higher. Your web server should be able to interpret the PHP language. It really doesn't matter the platform (tested with GNU/Linux and Windows 2000).
• Required: A web server. It should work with any web server running in your workstation or server (tested with Apache in GNU/Linux, with Apache in Windows 2000 and IIS in Windows 2000).

Download.

• The current version (1.2.0, 2005/03/26) is available as a tar.gz package (13k) or as a zip file (15k).
• There is a Readme file included with all packages.
• There is a Changelog file included with all packages.
• There is a signed checksum file that lets you verify the integrity of the downloaded file.
• There is a License file included with all packages.

Do not forget to download the word list needed by phpwpoison:

• The word list is available as a tar.gz file (282K) or as a zip file (282K).
• There is a License file for the word list.

Questions, comments, suggestions.

You can send your questions, comments or suggestions by email or post them in the web forum.

Or, if you feel more confortable, don't hesitate to contact me by email (mario@mariovaldez.org).

Alternatives.

Isn't this software what you are looking for?
There are several other products to create spam traps for email harvesters.

• BlackFlag. Source in Perl. CGI. License unknown. Requires Apache.
• KillSpam. Source in Perl. CGI. Public domain. Requires Perl.
• SpamBotPoison. Source in Perl. CGI. Proprietary license.
• SpamPoison (port of WPoison). Source in PHP. Page script. Open-source, GPL license. Requires Apache.
• SugarPlum. Source in Perl. CGI. Open-source, GPL license. Requires Apache.
• Toxic Waste Dump. Source in QBasic. Offline. License unknown.
• WPoison. Source in Perl. CGI. Open-source, BSD (old) license.
• wpoison.php (port of WPoison). Source in PHP. Page script. Open-source, BSD (old) license.

Browse the source files (1.2.0).

• emailusers.php

Tips.

Always create a robots.txt file in your site, to let search engines know that they should not visit the spam trap. Email harvesters usually ignore the robots.txt file, so they will fall into the trap anyway.

For more information about the robots.txt file, visit The Web Robots pages or the Robots.txt Tutorial (from SearchEngineWorld).

For example, the robots.txt file in this website looks like this (meaning that search engines should not follow the spam trap located in the users.php webpage):

User-agent: *
Disallow: /users.php
Disallow: /users.php/

The pages generated by phpWPoison may take a few seconds to render, but it's not because they are slow. It is because phpWPoison waits a random number of seconds before finishing sending the page. The goal is slow-down the spam-spider. You can adjust this waiting time editing the variables pwp_minsleeptime and pwp_maxsleeptime.

You can include the output of the phpWPoison script so it can be shown as part of a different webpage. Just build you hosting page (as PHP) as usual, but for the content use something like:

Then edit the emailusers.php script and change the option pwp_scriptname to the name of the hosting script. Change the option pwp_standalone to false. Also, adjust the paths of the files set in the options pwp_word_file, pwp_cache_file and pwp_spammer_file (which are relatives to the hosting script).

NOTE: if you include the script into another, the pwp_html_preheader, pwp_html_postheader and pwp_html_footer variables are ignored. Then you should provide the meta tag ROBOTS in the head of the hosting webpage (or be sure to provide a robots.txt file in your site).

Installation.

1) Get the files.
Get the files from http://www.mariovaldez.net/software/phpwpoison/ (There are zip and tar.gz files available). Be sure to download also the wordlist.

2) Unpack.
Extract the script files in a web server directory. That will create a phpwpoison directory with few filesinside. Then unpack the wordlist and save it in the same directory.

3) Change ownership.
Change the ownership of those files and the directory phpwpoison to the user used by your web server (usually nobody in Unix/Linux). To change the ownership in Linux/Unix, you execute in a shell terminal in the server the command chown:

In Windows environments, using the Windows Explorer, check the Security tab of the Properties dialog of the directory, and set the permissions so that the user IUSR_servername has permissions to read and write on the phpwpoison directory.

If you cannot set the ownership, at least be sure to enable writting permissions in the directory.

4) Rename the directory.
Rename the phpwpoison directory to a simple name. Avoid poison, spam, etc. The idea is to not give a clue to those email-harvester robots that this is a trap.

5) Rename the script.
Rename the emailusers.php file to any simple name. Avoid poison, spam, etc. The idea is to not give a clue to those email-harvester robots that this is a trap.

6) Configure.
Edit the renamed PHP file, changing at least the pwp_scriptname variable. If you renamed the script to listusers.php then set the pwp_scriptname variable to listusers.php. Also, check the pwp_html_postheader and pwp_html_footer variables, where you can insert HTML so the generated pages match your website look.

7) Test.
Try to open the renamed PHP file from your the browser thru the web server. (Please note that by default, the script will make a pause of up to 30 seconds before finishing rendering the page; to modify or eliminate that delay, edit the script and change the options pwp_minsleeptime and pwp_maxsleeptime).

8) You are done.

The following step is optional:

9) Create a spammer list (option available since version 1.1.0).
Maybe you already have a list of email addresses of known spammers. A list with real addresses (not fake addresses like those used by most spammers). Some spammers are just uninformed people thinking that spamming is a good business practice. Some of them will stop spamming when learn that spamming is not good for their business. But for those who don't...

Let the phpwpoison script create fake email addresses mixed with spammers addresses. Let other spammers know what spamming is all about for the receiver.

Create a text file with each line containing an email address. Avoid using the default spammers.txt filename. Edit the phpwpoison script and change the variables pwp_use_spammer_list, pwp_spammer_file and pwp_spammer_ratio.

License of phpwpoison.

PHP Spam Poison (phpwpoison).
Copyright ©2004, 2005 by Mario A. Valdez-Ramirez. You can contact Mario A. Valdez-Ramirez by email at mario@mariovaldez.org or by paper mail at Olmos 809, San Nicolas, NL. 66495, Mexico.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

License of the wordlist.

Copyright 1993, Geoff Kuenning, Granada Hills, CA All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All modifications to the source code must be clearly marked as such. Binary redistributions based on modified source code must be clearly marked as modified versions in the documentation and/or other materials provided with the distribution.
4. All advertising materials mentioning features or use of this software must display the following acknowledgment: This product includes software developed by Geoff Kuenning and other unpaid contributors.
5. The name of Geoff Kuenning may not be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY GEOFF KUENNING AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL GEOFF KUENNING OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.