q<head>
<title>CSCI.4220 Network Programming Class 11</title>
<link rel="stylesheet" type="text/css" href="netprog.css">
</head>

<body>
<img src="rpi_logo.gif" width="217" height="41">
<p>
<center>
<h2>CSCI.4220 Network Programming</br>
Fall, 2006<br>
Class 11: Http, cgi, cookies<br>
</h2>
</center>
<p>
<!-----------------------------------------
<h3>email</h3>
<p>
There are several kinds of email software. Individual users use a user
agent or mail reader such as Eudora, Pine, Outlook, or Netscape
messenger.
<p>
These connect with a mail server. A mail server has a mailbox for each
user. When a user agent connects to the mail server, it authenticates
the user and then sends the mail.
<p>
The mail server connects over the internet with other mail servers
using a the SMTP Protocol (Simple Mail Transfer Protocol). Note that
the mail server is both a client and a server. It has to have a
mechanism for temporarily storing mail for unreachable servers (it
retries every 30 minutes or so for several days). 
<p>
<a href=http://www.faqs.org/rfcs/rfc821.html>Here is 
RFP 821 SMTP (August, 1982)</a><p>

At the time, it did not occur to anyone that email would be used for
anything other than English text so SMTP only understands 7 bit ascii.
So other files such as <b>word</b> documents or images has to be encoded.
<p>
One such encoding mechanism for converting binary text to character
text is base64 encoding.  A 24 bit (3 byte) chunk of binary data is
converted converted into four 6-bit chunks using the characters
<tt>A-Z,a-z,0-9,+,/</tt>. 
This means that the resulting file is larger by a factor of 4:3.

<pre>
------=_NextPart_000_7103_2e33_71fc
Content-Type: image/jpeg; name=''P9250077.JPG''
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=''P9250077.JPG''

/9j/4AAQSkZJRgABAAEBOgE6AAD//gAfTEVBRCBUZWNobm9sb2dpZXMgSW5j
LiBWMS4wMQD/2wCEAAwICQsJCAwLCgsODQwPEyAUExEREyccHRcgLigwMC0o
LCwzOUk+MzZFNywsQFdARUxOUlNSMT1aYFlQYElQUk8BDQ4OExATJRQUJU80
</pre>

Here are some SMTP commands
<p>
HELO - Identify the SMTP sender to the SMTP receiver. (Obsoleted by RFC 2821)
<p>
EHLO - Identify the SMTP sender to the SMTP receiver under Extended SMTP.
<p>

MAIL - Set the envelope return path (sender) and clear the list of envelope recipient addresses.

<p>
RCPT - Add one address to the list of envelope recipient addresses.
<p>
DATA - Consider the lines following the command to be e-mail from the sender.
<p>
RSET - Reset the envelope.
<p>
NOOP - Ask the receiver to send a valid reply (but specify no other action).
<p>
QUIT - Ask the receiver to send a valid reply, and then close the transmission channel.
<p>

It is possible to use telnet to connect to an SMTP server and
enter some SMTP commands.  Here is such a runstream
<pre>
freebsd4.8 >telnet cliffclavin.cs.rpi.edu 25
Trying 128.213.1.9...
Connected to cliffclavin.cs.rpi.edu (128.213.1.9).
Escape character is '^]'.
220 cliffclavin.cs.rpi.edu ESMTP Sendmail 8.12.10/8.12.10; Mon, 3 Oct 2005 09:04:27 -0400 (EDT)
HELO cs.rpi.edu
250 cliffclavin.cs.rpi.edu Hello ingallsr@ashley.cs.rpi.edu [128.213.7.3], pleased to meet you
MAIL FROM:haydent@cs.rpi.edu
250 2.1.0 haydent@cs.rpi.edu... Sender ok
RCPT TO: ingalr@rpi.edu
250 2.1.5 ingalr@rpi.edu... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Subject: This is a test

No message

.
250 2.0.0 j93D4RaA036490 Message accepted for delivery
QUIT
221 2.0.0 cliffclavin.cs.rpi.edu closing connection
Connection closed by foreign host.
</pre>

<b>Blocking Spam</b>

Here are some rules for blocking spam
<p>
If a mail comes from an unidentified IP address not attached to a domain
name, just a number only, then don't accept the mail.  All legitimate 
ISP mail servers have domain names attached.
<p>
The simplest and by far most widely deployed authentication scheme
begins with a reverse DNS lookup of the connecting IP. If there is no
answer, it's a safe bet that the IP is not a legitimate sender. If
there is an answer, a forward DNS lookup of that answer authenticates
the sender if it returns the connecting IP. In other words, we look up
the name of the connecting IP, and look up the IP of that name, and
they must match.
<p>
If mail comes from a mail server which is listed in one of the RBL's
(realtime blackhole list) then we block it with an error message that
indicates this.  The error will say something like "We do not accept 
mail from spam friendly ISP's such as China Telecom"  or "We can not 
accept your mail as your mail server is in the published list of open 
relays." 
<p>
Look for key words (Viagra, Mortgage)
<p>
Vipul's Razor is a distributed, collaborative, spam detection and
filtering network. Through user contribution, Razor establishes a
distributed and constantly updating catalogue of spam in propagation
that is consulted by email clients to filter out known spam. Detection
is done with statistical and randomized signatures that efficiently
spot mutating spam content. User input is validated through reputation
assignments based on consensus on report and revoke assertions which
in turn is used for computing confidence values associated with
individual signatures.
<p>
Spam Assassin is a widely used spam blocking tool, used by
the Computer Science Dept.  It performs a number of tests on
each message and totals a score.  If the score is above a certain
threshold (set by the user), it is considered to be spam.
Here is some output.  
<pre>
X-Spam-Score: 11.497 (***********) HTML_MESSAGE,MIME_HTML_ONLY,PYZOR_CHECK,RCVD_HELO_IP_MISMATCH,
                                   RCVD_IN_XBL,RCVD_NUMERIC_HELO,URIBL_SBL
X-Spam-Report: Spam Report from cliffclavin.cs.rpi.edu:
 3.2 RCVD_HELO_IP_MISMATCH  Received: HELO and IP do not match, but should
 1.3 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 2.8 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 3.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                                  [86.107.16.2 listed in sbl-xbl.spamhaus.org]
 1.1 URIBL_SBL              Contains an URL listed in the SBL blocklist
	                          [URIs: allsoftoem.net]
</pre>
<p>
Here are some other spam blocking messages
<p>
<pre>
 0.6 NO_REAL_NAME           From: does not include a real name
 3.2 CHARSET_FARAWAY_HEADER A foreign language charset used in headers
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                           [58.9.68.10 listed in dnsbl.sorbs.net]
 1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
	                  [Blocked - see <http://www.spamcop.net/bl.shtml?58.9.68.10>]
 3.4 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
	                  [URIs: 457416.com]
 2.5 MIME_CHARSET_FARAWAY   MIME character set indicates foreign language
 1.7 INVALID_MSGID          Message-Id is not valid, according to RFC 2822
 0.9 DATE_IN_PAST_12_24     Date: is 12 to 24 hours before Received: date
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.8 RCVD_IN_DSBL           RBL: Received via a relay in list.dsbl.org
                            [<http://dsbl.org/listing?219.83.100.19>]
 0.3 RCVD_IN_NJABL_PROXY    RBL: NJABL: sender is an open proxy
			    [219.83.100.19 listed in combined.njabl.org]
 3.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
	                    [219.83.100.19 listed in sbl-xbl.spamhaus.org]
 1.1 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: ranchasa.com]
 3.4 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                            [URIs: ranchasa.com]
 3.6 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
	                    [URIs: ranchasa.com]
 0.8 DRUGS_ERECTILE_OBFU    Obfuscated reference to an erectile drug
 0.0 DRUGS_ERECTILE         Refers to an erectile drug
 0.0 DRUGS_ANXIETY          Refers to an anxiety control drug
 0.2 DIGEST_MULTIPLE        Message hits more than one network digest check
 0.0 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
 0.0 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
 0.4 DRUGS_DIET             Refers to a diet drug
 1.3 HG_HORMONE             Talks about hormones for human growth
 0.0 DRUGS_ANXIETY_EREC     Refers to both an erectile and an anxiety drug
 0.6 ADVANCE_FEE_2          Appears to be advance fee fraud (Nigerian 419)
</pre>
--------------------------------->
<p>
<h3>HTTP</h3>
<p>
<a href=http://www.cs.tut.fi/~jkorpela/http.html>Here is a link to
a description of all of the HTTP headers</a>
<p>
The only important request type is GET.
Other request types besides GET include HEAD, POST (http/1.0), (<a href=http://ftp.ics.uci.edu/pub/ietf/http/rfc1945.html>
RFC 1945, (1996)</a><p>
<a href=http://www.w3.org/Protocols/rfc2616/rfc2616.html>HTTP/1.1 (RFC 2161, 1999)</a> added more request types,
including DELETE, TRACE, and PUT, that are rarely used.
<p>
The POST request is used to send data from a client to a server.  The data itself is included after
two CRLFs.
<p> 

<b>HTTP 1.0 vs 1.1</b>
<p>
HTTP 1.0 defines 16 headers, though none are required. HTTP 1.1
defines 46 headers, and one (Host:) is required in requests. The Host
request-header field specifies the Internet host and port number of
the resource being requested, as obtained from the original URI given
by the user or referring resource (generally an HTTP URL).  This allows
two or more URLs to be at the same IP address.
<p>
For example, a request on the origin server for
&lt;http://www.w3.org/pub/WWW/&gt; would properly include:
<pre>
       GET /pub/WWW/ HTTP/1.1
       Host: www.w3.org
</pre>
<p>
HTTP 1.1 must support both persistent and non-persistent connections.  In the latter case, each
document requested opens its own TCP connection.  Each connection is closed after a single
document is sent, although the browser usually opens multiple parallel connections to
download multiple documents.  The client can send a <tt>Connection: close</tt> header if it
does not want to use this.
<P>
HTTP/1.1 also allows chunking, in which a large, dynamically generated document can be
sent before the server knows its size.
<p>
<b>URL encoding</b>
<p>
Data sent as part of a GET request has to be URL encoded.
<p>
HTML form data is usually URL-encoded to package it in a GET or POST
submission. In a nutshell, here's how you URL-encode the name-value
pairs of the form data:

<ul>
<li> Convert all "unsafe" characters in the names and values to "%xx",
where "xx" is the ascii value of the character, in hex. "Unsafe"
characters include =, &, %, +, non-printable characters, and any
others you want to encode-- there's no danger in encoding too many
characters. For simplicity, you might encode all non-alphanumeric
characters.  
<li> Change all spaces to plusses.  
<li>String the names
and values together with = and &, like <pre>
name1=value1&amp;name2=value2&amp;name3=value3 </pre> <li>This string
is your message body for POST submissions, or the query string for GET
submissions.  </ul> For example, if a form has a field called "name"
that's set to "Lucy", and a field called "neighbors" that's set to
"Fred & Ethel", the URL-encoded form data would be

    name=Lucy&neighbors=Fred+%26+Ethel

with a length of 34.<p>
<b>Proxy Servers</b>
<p>A Proxy Server is a network entity that satisfies HTTP requests on behalf of an original web server.
<p>
It caches recent documents. If the document is cached, it returns it
immediately. Otherwise it passes the request on to the server. The
server sends the document back to the proxy. The proxy stores a copy
of the document and passes it on to the requesting client.
<p>
Note that it is both a client and a server at the same time.
<p>
In practice hit rates range from .2 to .7, thus dramatically reducing network traffic.
<p>
Proxy servers also allow filtering.  A company can block access to certain web sites.
<p>

<h3>CGI</h3>
<p>
<a href=http://www.cs.rpi.edu/~ingallsr/formtest2.html>Here is the demonstration of html forms</a><p>
<a href=http://www.cs.rpi.edu/~ingallsr/src/generic.c>and here is the C code
which is compiled to generate the output.</a><p>
<p>

<h3>Cookies</h3>

HTTP is a stateless protocol, but vendors need to keep some sort
of state information (i.e. shopping cart info).  Most major sites use
cookies.
<p>
Cookie technology has four components
<p>
<ol>
<li> A cookie header line in the HTTP response message
<li> A cookie header line in the HTTP request message
<li> A cookie file kept on the end user's system and managed by
the user's browser
<li>A backend database at the server
</ol>
<p>
IP addresses don't work as well because of NAT, DHCP, etc.
<p>
A user contacts a commercial web site for the first time.  The
web site creates a unique id for her and creates an entry in the
database.  In its initial reply, it has a header
<p>
<code>Set-cookie: ID=123456</code>
<p>
Her browser creates a new line in the client cookie database
<p>
Each subsequent request to the same site contains this header
<p>
<code>Cookie: ID=123456</code>
<p>
If the user returns to the site a week later, the browser will continue
to send the Cookie header.  This allows the server to 
recommend merchandise or provide one-click shopping
or otherwise customize the window,
<p>
Can be used by portal designers to see how many 
visitors go to which pages, and from where they come from
Distinct visitors vs simply hits
<p>
A cookie can contain up to five fields
<pre>
Domain (www.yahoo.com)
Path (/)
Content (UserID=123456;team=jets)
Expires (28-2-05 23:59)
Secure (yes or no)
</pre>

If the expires field is absent, the cookie expires when the browser exits
(a non-persistent cookie)
<p>
The shopping cart info can be stored in the cookie itself (a
list of things bought).
<p>
<h4>The problem with cookies</h4>
<p>
There is a lot of misinformation about cookies.  Cookies cannot
contain viruses, they cannot erase stuff on your hard drive, they
cannot read files on your hard drive.  However, they are stored and
used without the user's consent or knowledge
<p>
Cookies allow sites to track not only their own users,
but also visitors to other sites.  The technology for this is
sometimes called a <em>Web Beacon</em> or a </em>tracking bug</em>.
The company which is best known for this is DoubleClick.
<p>
Other commercial sites are <em>doubleclick enabled</em>.  When you
go to a site, there is an invisible image which sends a request
to DoubleClick with the doubleclick cookie. Now doubleclick is
able to track your web browsing on many sites, and this information
about your shopping preferences
is shared among doubleclick customers.  
All of this is invisible to the user.
<p>
If you and I log into the same web site and we have never been there
before, we might see different ads.  I could see cameras, you could
see sports paraphernalia.
<p>
<b>Required Reading</b>
<p>
<!---
<a href=http://cr.yp.to/im.html>Here is a good reference for email and SMPT.</a>  Follow each of the
links on this page. <a href=http://cr.yp.to/smtp.html>Make sure you read his page on SMTP</a>
<p>
--->
<a href=http://www.jmarshall.com/easy/http/>Here is a good on-line tutorial on HTTP</a>  I probably should
have asked you to read this before doing the first two assignments.
<p>
<a href=http://www.cookiecentral.com/c_concept.htm> Here is a good description
of cookies.</a>  Read "The Cookie Concept" and "The Dark Side".  The other
articles listed on the left side of the page make good reading too.

</body>
</html>