Anti-U?E Index Chris' Home Page

Anti-UCE: Server-Side Includes


Currently there are a few major service providers who are not taking appropriate action against spammers' web-sites. Refusing E-mail from such sites is an option, but it is not really necessary because they are not the main sources of spam. I am currently adding a warning to all pages on this site, to problem ISPs' customers, that they may be locked out of this web site. Hopefully the problem ISPs' own customers will apply a little pressure to change their policies. The warning is done by the means of server-side includes; it causes a small notice to show up at the top of each page served by this site. To set this up, you need three things:

  1. Server-side includes in all your HTML documents.
  2. A perl script to process the includes.
  3. A letter for the perl script to point to.
Note: This is not a comprehensive introduction to perl and your HTTP server. I cannot guarantee that these scripts will work on your system. This code is presented as an example only, without guarantee or warranty. However, if you are having trouble implementing a similar setup, I will be glad to help out as much as I can.

1. Server-side includes in all your HTML documents.

This is done by configuring your HTTP daemon to allow server-side includes (beyond the scope of this document), and then executing a perl script near the top of the body of each HTML file. The execution statement looks like this (for Apache, anyway):

<!--#exec cmd="/usr/local/lib/ssi/header.pl"-->

The string above will be replaced with the text that results from actually executing the command, before the HTML is passed back to the client. If a line like this is put in every .HTML file, then you will be able to easily add "global" notices which appear on every .HTML file served by your site.

Note: ".shtml" is the usual extension for server-parsed HTML files. However, Apache has the "XBitHack" configuration directive. When it is enabled, the server will parse (as if it were .shtml) any .html file on which execute permissions are set. (Then you don't have to rename all of your files.)

2. A perl script to process the includes.

Note: since this page was written, NetCom says they have changed their policy and will no longer support spammers' web-sites. This SSI technique is no longer in use for NetCom netblocks at this site; it is merely being used as an example.

Here is the script that I am currently using to print out a small notice at the top of each file -- only for users accessing my site through what I think are some of NetCom's netblocks:

#!/usr/bin/perl

# Print the HTML code to be inserted into the file.
sub warn {
    local ( $ispName, $warnFile ) = @_;

    print <<END_OF_PRINT
<P>
<CENTER><H3>
Clients/customers of $ispName please read
<A HREF="$warnFile">this important notice</A>.
</H3></CENTER>
<P>
END_OF_PRINT
    ;
}

# Returns true if we think the IP address belongs to NetCom
sub is_netcom() {
    local $ip = shift;
    return (1) if ( $ip =~ "^199\.18[23]\." );    # 199.182-183.*.*
    return (1) if ( $ip =~ "^204\.3[0-3]\." );    # 204.30-33.*.*
# [... some other tests deleted]
    return (0);
}

$client_ip_addr = $ENV{'REMOTE_ADDR'};

&warn( "NetCom", "/notices/netcom.html" )
    if ( &is_netcom( $client_ip_addr ) );

3. A letter for the perl script to point to.

Each time a HTML file with the server-side include is sent to a client whose IP address matches the regular expression, a hyperlink is inserted into the retrieved file which points to the named HTML file. You can see my "open letter" to NetCom users here.

Note: since this page was written, NetCom says they have changed their policy and will no longer support spammers' web-sites. This SSI technique is no longer in use for NetCom netblocks at this site; it is merely being used as an example.

Anti-U?E Index Chris' Home Page