(Note: This page only explains how to install Wpoison on your own web server. There is also a separate page that describes how to use Wpoison once it has been installed, either on your own server, or elsewhere on the net.)

There are a variety of methods that can be used when installing Wpoison on your own web server, ranging from the trivial to the more advanced. In general, if you can use one of the more advanced methods of installation, you will have a better likelihood of getting spammers' address harvesting web crawlers to suck up the bogus e-mail addresses that are generated by Wpoison. Note however that the more advanced methods of installation generally require you to have the ability to modify your local web server configuration, and if you are just using someone else's web server, you probably do not have this luxury. (But you may still be able to ask your local webmaster to make the necessary web server configuration adjustments.)

The simplest way of installing Wpoison is just to put a copy of it directly into your own local /cgi-bin/ directory, and to give it whatever filename extension your own local web server has reserved for use by CGI scripts/programs. (Usually, but not always, the filename extension reserved for designating CGI scripts and programs will be .cgi, but check with your local webmaster and use whatever filename extension is most appropriate for your server.)

When installing Wpoison, either in your /cgi-bin/ directory, or elsewhere on your system, it is highly advisable to give Wpoison a base filename which is something other than wpoison. For example, you might want to install Wpoison using some intentionally misleading name like members.cgi, clients.cgi, or something else that seems likely to be a desirable target for the spammers' address harvesting web crawlers.

If you have chosen the simple method of installing Wpoison, then all you need to do is put a copy of the script into your /cgi-bin/ directory (using the proper filename extension and some misleading base file name) and set its permissions so that it is considered executable, and then you are done. All that remains in this case is to make some links from your other web pages to your installed copy of Wpoison.

Although the simple method of installing Wpoison may be sufficient to allow you to foil any address harvesting web crawlers that are dumb enough to be lured (by your HTML links) over to your installed copy of Wpoison in your /cgi-bin/ directory, many of these web crawlers have by now been programmed to avoid any and all web pages that reside under /cgi-bin/. (Hint: This is actually good news because it means that you can also often protect your real e-mail addresses from being harvested simply by ensuring that they only appear on web pages that themselves reside underneath your local /cgi-bin/ directory.)

If you want to be able to foil even the more sophisticated address harvesting web crawlers, you will need to install your local copy of Wpoison some place outside of your /cgi-bin/ directory. (In practice, this usually means that Wpoison will need to be installed either in your local DocumentRoot directory or else in some subdirectory of that directory.)

Installing CGI scripts in directories other than the /cgi-bin/ directory generally requires that you have read/write access to your local web server's configuration files, and that you are able to designate some directory in addition to /cgi-bin/ as a place where executable CGI scripts may appear. Unfortunately, the methods for accomplishing this vary widely between different brands of web servers. Here we will only describe how to accomplish this for the case where the local web server is the widely used Apache web server.

If you are using the Apache web server, then the best thing to do is to create a new directory directly underneath your existing DocumentRoot directory, place your local copy of Wpoison in that new directory (remembering to set its permissions so that it is considered executable) and then add directives to your Apache configuration file (usually called httpd.conf) to tell Apache that files within the new directory may be executable CGI scripts.

When creating your new directory for Wpoison, remember that your goal is to make it look like something that might be attractive to a spammer's address harvesting web crawler. So pick a name for this new directory that will make it look attractive, for example addresses or contacts or client-pages. (Actually, it probably doesn't matter what you call this directory, as long as its name doesn't contain any substrings that might tip off a clever spammer, or his harvester, to what you are doing. For example, do not name the new directory wpoison or spam-bait or any variation thereof. That would just be a dead giveaway.) Also, as noted above, when you put your copy of Wpoison into this new directory, do not just give it the name wpoison.cgi. Some of the address harvesting web crawlers are already smart enough to avoid looking at anything that has the word wpoison in it, so give your copy of the script some other name, for example, addresses.cgi or contacts.cgi. (Again, it probably doesn't matter too much what you call the script file as long as you do not give it a name like wpoison.cgi or spam-bait.cgi or any other name that might give away the script's true purpose.)

Once you have created your new directory under your existing DocumentRoot directory, and once you have installed your local copy of Wpoison in that new directory (marking it as executable) then the final step is to tell the Apache web server that your new directory is allowed to contain executable scripts, just like your existing /cgi-bin/ directory.

Doing this is really quite simple. Assuming that your local DocumentRoot directory is set (in your Apache configuration file) to /usr/local/apache/htdocs, and assuming that you have given your new directory the name eat-me, all you need to do in order to tell Apache that this new directory can contain executable CGI scripts is to add the following directives to the very end of your existing httpd.conf configuration file:

 <Directory "/usr/local/apache/htdocs/eat-me">
 Options ExecCGI
 </Directory>

Once you have made this addition to your web server configuration file, all you need to do is to restart Apache in order for this change to take effect. See your server documentation for instructions on restarting your web server. (If you have a recent vintage version of the Apache web server installed, you should just be able to issue the command apachectl restart in order to restart your server.)

Unfortunately, just installing your local copy of Wpoison in a directory other than your local /cgi-bin/ directory may not always be enough to ensure that the address harvesting web crawlers will in fact mistake your installed copy of Wpoison for an ordinary web page that they can extract e-mail addresses from. That's because many of these crawlers are also smart enough to avoid looking at any web URL that ends with the .cgi filename suffix. If you want to be able to fool even these crawlers into picking up bogus e-mail addresses from your installed copy of Wpoison, you will need to install Wpoison on your server in such a way that the script file has some filename suffix other than .cgi.

It is trivially easy to install your local copy of Wpoison in such a way that its filename extension is something other than .cgi, for example .foo. If you want to do this, just give the file whatever name you like, for example bait.foo. Once you have done this however you will still need to configure your web server so that it will understand that files with a suffix of .foo should be treated like executable CGI scripts. Otherwise, even if the file exists in the proper directory, and even if it has its permissions set so that it appears to be executable, your local web server will probably still refuse to execute it.

If you are running the Apache web server, you can specify a set of filename extensions which the server will then recognize as suffixes that designate executable CGI scripts. This is accomplished via the AddHandler cgi-script directive. Normally, a directive of this type will already be present in your existing httpd.conf configuration file, and it will look something like this:

 AddHandler cgi-script .cgi

This just specifies that all files with the suffix .cgi should be considered by the server to be executable CGI scripts. If you want to extend the set of filename suffixes which will receive this treatment, all you have to do is to add another suffix onto the list of filename suffixes specified in your AddHandler cgi-script directive. For example, you could edit this directive so that it says:

 AddHandler cgi-script .cgi .foo

thus ensuring that all files with either the suffix .cgi or the suffix .foo will henceforth be treated by the server as executable CGI scripts.

When installing Wpoison on your own web server it is strongly recommended that you make exactly this sort of a change to your web server configuration, and that you install the Wpoison script file on your server so that its filename suffix is equal to your new alternative CGI script suffix (i.e. .foo in the example above.)
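
The installation advice on this page (outside /cgi-bin/, no giveaway name, a suffix other than .cgi, executable permissions) collected into one pre-deployment check, as an added example that is not part of Wpoison or of the original page. The function names and the world-writable check are assumptions introduced here.

```sh
#!/bin/sh
# Added example (not part of Wpoison): pre-deployment check of a bait script.
# Usage: check_bait URL_PATH FILE  (prints findings; returns 0 only if none)

# True if FILE is a regular file with all permission bits in MODE set.
has_mode() { [ -n "$(find "$1" -prune -type f -perm "$2" 2>/dev/null)" ]; }

check_bait() {
    url_path=$1   # path as a crawler sees it, e.g. /eat-me/bait.foo
    file=$2       # the same script on disk
    findings=0
    lower=$(printf '%s' "$url_path" | tr '[:upper:]' '[:lower:]')

    case $lower in   # crawlers avoid everything under /cgi-bin/
        /cgi-bin/*|*/cgi-bin/*)
            echo "under /cgi-bin/: $url_path"; findings=$((findings + 1)) ;;
    esac
    case $lower in   # names that give the purpose away
        *wpoison*|*spam-bait*)
            echo "giveaway name: $url_path"; findings=$((findings + 1)) ;;
    esac
    case $lower in   # crawlers also avoid URLs ending in .cgi
        *.cgi)
            echo ".cgi suffix: $url_path"; findings=$((findings + 1)) ;;
    esac
    # The server will refuse to run a script with no execute bit.
    if ! has_mode "$file" -0100 && ! has_mode "$file" -0010 \
        && ! has_mode "$file" -0001; then
        echo "not executable: $file"; findings=$((findings + 1))
    fi
    # Assumption added here, not from the page: a world-writable CGI script
    # lets any local user replace code the web server executes.
    if has_mode "$file" -0002; then
        echo "world-writable: $file"; findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed demo: a throwaway tree standing in for DocumentRoot.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/eat-me"
printf '#!/bin/sh\n' > "$demo_root/eat-me/bait.foo"
chmod 755 "$demo_root/eat-me/bait.foo"
check_bait /eat-me/bait.foo "$demo_root/eat-me/bait.foo" && echo "bait.foo: ok"
rm -rf "$demo_root"
```
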