The idea behind Wpoison is really very simple. Junk e-mailers write programs to automatically scan thousands and thousands of web pages, looking for e-mail addresses which they then send unsolicited junk e-mail to, or which they sell to other spammers. By and large, these address harvesting web crawlers are about as intelligent as the spammers who use and/or develop them, which is to say not very. The majority of these programs can be easily fooled into accepting lots and lots of completely fake and useless e-mail addresses, so long as the bogus addresses in question appear to reside in ordinary nondescript web pages. That is where Wpoison comes in.
However, Wpoison has uses beyond merely annoying Spammers. Exploit-finding bots typically scan web-pages for potential user accounts, applications known to have problems, and vulnerable CGI. Applications like Wpoison can be used to flood these bots with useless information making it that much more difficult to sort through and find valid information.
Wpoison does generate an infinite loop for bad bots to get trapped in. However, it does place a delay at the end of each page to prevent the script from DoS'ing your server. In spite of this, you may wish to consider the fact that scripts such as Wpoison can really consume bandwidth and system resources if you get many bots trapped in them at the same time.
Wpoison is a Perl CGI script. To install it, simply place it inside a CGI-BIN directory. If you are using it as part of a bad-bot trap, then you ideally want it to be the first link in every HTML page. To mask the link and make it so that humans do not stumble upon it, it is generally advisable to make it a link from a blank (or background colored) image with a non-text ALT tag. You also want to prevent good bots from stumbling into it (as it provides them with an infinite loop) by adding it's directory into the robots.txt file.
If you look at the start of Wpoison, it invokes Perl thusly:
#!/usr/bin/perl -w
You will have to determine if you feel confident that it can be run without the "-T" anti-data tainting flag.
