Deny linking pictures from external Websites

Hi NG,

I have configured my vhost that its not possible to request Images from external Sites, except the Vhost and the aliasas:

-Server version: Apache/1.3.27 (Unix)
-Server built: Nov 28 2002 15:06:45

<snip>
RewriteEngine on
AddType image/gif .gif .GIF
AddType image/jpeg .jpeg .jpg .jpe .JPG
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://www.usgang.ch/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://usgang.ch/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.ausgang.ch/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://ausgang.ch/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://uusgang.ch/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.uusgang.ch/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://ad.usgang.ch/.*$ [NC]
RewriteRule /* http://www.usgang.ch/icon/other/usgang.gif [R,L]
</snip>

It works nice, but somehow, on Internet Explorer 6 it dont work and do the RewriteRule on my own Vhost, say all jpgs/gifs on my
website (and the alias) get rewrited to usgang.gif. It works sometime too and sometime not, strange.

On Mozilla it works very well.

Is that a client/browser issue, or something I made wrong in my apache rewrite code? Any know this issue and could help me?

Many thanks
Oliver




--
Oliver Schalch
oli@no-way.org - got r00t? http://www.r00t.ch
We tend not to choose the unknown, which might be a shock or a disappointment
or simply a little difficult to cope with. And yet it is the unknown with all
its disappointments and surprises that is the most enriching.
-- Anne Morrow Lindbergh

Oliver Schalch wrote:

(snipped)

> I have configured my vhost that its not possible to request
> Images from external Sites, except the Vhost and the aliasas:

> RewriteEngine on

> RewriteCond %{HTTP_REFERER} !^$
> RewriteCond %{HTTP_REFERER} !^http://www.usgang.ch/.*$ [NC]

> RewriteRule /* http://www.usgang.ch/icon/other/usgang.gif [R,L]


Change your [NC] to [OR] when using multiple Rewrite Conditions.

RewriteCond some condition [OR]
RewriteCond some condition [OR]
RewriteCond some condition [OR]
RewriteRule ....



RewriteCond %{HTTP_REFERER} !^$|^.*usgang.*$
RewriteRule (.*)gif$ http://www.usgang.ch/icon/other/usgang.gif [L,R]


That is an example for a gif extension. Logic is simple:

HTTP_REFERER ! ^$ | ^.*usgang.*$

Referrer NOT ( NULL OR MATCHES USGANG )


In Plain English,

If Referrer Is NOT null or NOT match usgang

Then take this action

RewriteRule (.*)gif$ http://www.usgang.ch/icon/other/usgang.gif [L,R]

(.*) gif$

Any Match Ending With gif send to http....

You cannot prevent all graphic theft. An http referrer (referer)
is highly unreliable; it may exist, it may not exist or it may be fake.
Only those browsers sending a referrer will fall into this trap.

MSIE is well known for not sending a referrer just as it is well
known for not following industry standards. All bets are off when
dealing with MSIE, the most abhorrent piece of programming written
by Microsoft.

There is another problem with using referrer returns.
Look closely at these headers I generated:

GET / HTTP/1.0
Referer: http://www.purlgurl.net/Chahta Okla! Chahta Yakni! Chahta Okpulot Taha!
User-Agent: Purl Gurl Choctaw
Host: www.purlgurl.net

GET / HTTP/1.0
Referer: http://www.usgang.ch
User-Agent: Purl Gurl Choctaw
Host: www.purlgurl.net



Research and read this page:

http://www.engelschall.com/pw/apache...teguide/#ToC38


Purl Gurl
--
Amazing Perl Scripts!
http://www.purlgurl.net/~callgirl/android.html

In news:3FA44AAB.EC1F86CC@purlgurl.net,
"Purl Gurl" <purlgurl@purlgurl.net> typed:
> You cannot prevent all graphic theft. An http referrer (referer)
> is highly unreliable; it may exist, it may not exist or it may be
> fake.
> Only those browsers sending a referrer will fall into this trap.
>
> MSIE is well known for not sending a referrer just as it is well
> known for not following industry standards. All bets are off when
> dealing with MSIE, the most abhorrent piece of programming written
> by Microsoft.

Hi,

Thanks for your first post, I'm playing abit like hell, and it seems there isnt a solution or is there?

I just need to deny _all_ links to my site/aliases (jpgs/gifs/...) from _any_ external sites. They are eating all my Bandwith and
server performance.

This must be a heavy issue :-)

Regards,
Oliver

Oliver Schalch wrote:

> Purl Gurl wrote:

(snipped)

> > You cannot prevent all graphic theft.

> it seems there isnt a solution or is there?

"While we cannot 100% protect the images from inclusion,
we can at least restrict the cases where the browser
sends a HTTP Referer header."

- Ralf S. Engelschall, Apache Dot Org


"You cannot prevent all graphic theft."

- Purl Gurl


Read for comprehension.



> I just need to deny _all_ links to my site/aliases (jpgs/gifs/...)
> from _any_ external sites. They are eating all my Bandwith and
> server performance.

How do you know this? Answer my question and you will have
a programmer's answer how to prevent external linking to
graphics or any files. So, how do you know this?

You may prevent ninety-nine point nine percent of external
linking using ANSI C, C++ or Perl. However, consumed CPU
time and processing will be equal to your bandwidth theft.
You may also write a custom Apache module to perform the
same and use the same amount of system resources.

If you are clever you will write a program which rotates
the names of your graphics and rewrites your static pages
with those rotating names, a crontab linked program.
Although clever, you will still generate a 404 response
for every bad external link.

There are number of methods of generating on-the-fly static
pages which include graphics using cgi methodologies.

Here is an example of cgi protected files. This is not
absolutely secure but I can modify this to prevent all
external linking should this become a problem. This is
one of our live performance midi files:

http://www.purlgurl.net/~callgirl/rockmusi.cgi?nikita

Our directory where we store midi files can be found
but cannot be accessed directly, as in indexing. Finding
this directory is difficult for the inexperienced but
not difficult for the experienced. Making linking rather
difficult, is an effective deterrent.

We can afford to do this, use cgi applications for file
serving, because we run our server here at home; we have
ample cpu and system resources being a private server.

Should you elect to be downright nasty about this, replace
your graphics with exceptionally large, exceptionally gross
graphics, such as scat graphics or bestility. Send them
something to think about.

I use a personal picture, a single finger salute for abusive linkers.

Other times, when a person tries to access a forbidden area
or a forbidden file, repeatedly, our androids crash their
system. This is not suggested though; this can cause problems.

You have a lot of choices. Nonetheless, all choices will
have both benefits and detriments. Your final solution will
be determined by your willingness to invest time and effort
into this task, such as you expend researching and reading.

Have you researched and read about this topic as you should?

Post links to these graphics which are so popular, so often
linked, they drain your system resources. I would like to
see what others find so absolutely irresistable.

Are these pictures of Arnold Schwarzenegger and Maria Shriver
having wild unbridled sex in the Sacramento state capital building
while lame duck Gray Davis watches?

QUACK!


Purl Gurl
--
Rock Midis! Science Fiction! Amazing Androids!
http://www.purlgurl.net/~callgirl/

In news:3FA4AFC7.BF4DF89B@purlgurl.net,
"Purl Gurl" <purlgurl@purlgurl.net> typed:
>> I just need to deny _all_ links to my site/aliases (jpgs/gifs/...)
>> from _any_ external sites. They are eating all my Bandwith and
>> server performance.
>
> How do you know this? Answer my question and you will have
> a programmer's answer how to prevent external linking to
> graphics or any files. So, how do you know this?

With my first posted "solution" - except that MSIE dont want be cool with the referer the website works much faster.

> Post links to these graphics which are so popular, so often
> linked, they drain your system resources. I would like to
> see what others find so absolutely irresistable.

http://raddy73.tripod.com/gyals.html

http://forum.mokkels.nl/cgi-bin/topics.pl?hold=1&action=viewtopic&what=9&group=30& gebruikersnaam=&wachtwoord=$

That are two links of many they are linking our chicks - yes we running a community site with much party pictures.

I think I will work with my logs, and start to deny all IP/Hosts I find, not all external sites in one.

Greetings,
Oliver

Oliver Schalch wrote:

> Purl Gurl wrote:

(snipped)

> >> I just need to deny _all_ links to my site/aliases (jpgs/gifs/...)
> >> from _any_ external sites. They are eating all my Bandwith and
> >> server performance.

> > How do you know this? Answer my question and you will have
> > a programmer's answer how to prevent external linking to
> > graphics or any files. So, how do you know this?

> With my first posted "solution" - except that MSIE dont want be cool
> with the referer the website works much faster.

You did not quite answer my question.

From a programming point of view, log entries should show
a GET access to your html page along with GET requests for
your graphics. What you are looking at in your logs is
access to your graphics without an associated GET access
to your html page.

"if not html access then no graphics"

There are a number of free scripts (programs) available,
written in a variety of languages which will protect your
graphics. However, you must use on-fly-page generation
for this method. Basis of decision is will running a
cgi application use as much resources as bandwidth theft?

In time, when hot linking decreases, a cgi application
will use less resources than will bandwidth theft.


Research and read hundreds of links found here:

http://www.google.com/search?hl=en&i...width+theft%22


Later, narrow down your search results with key terms such as:

php, source code, perl, script, software, c code, c source

Any program which uses an http referrer for protection, is not
a program you want to use.


> > Post links to these graphics which are so popular, so often
> > linked, they drain your system resources. I would like to
> > see what others find so absolutely irresistable.

> http://raddy73.tripod.com/gyals.html

> That are two links of many they are linking our chicks


Yes, nearly nude teenage "chicks" would be an enticement.

Why no nearly nude teenage "dudes" at your site?

Is it your intent to appeal to only a male audience?
If so, write an extremely creative .htacess file
which allows only male visitors.

Order Allow,Deny
Allow from male
Deny from female

This will decrease your bandwidth, significantly.
However, this would be an act of discrimination
against lesbians. This is not good.


Move your site from tripod to a decent server. Your "NOSAVE"
pragma is pointless. This does not work. Tripod's ability
to deny document source is of no use either.

Your graphics are stored based on numerical child directories
and numerical file names. You are using a lot of disk space
needlessly creating a child directory for each and every
graphic file. Perhaps you are doing this based on club
membership. Stop doing this. It is your site, run your
site in a way which is best for you, personally.

Your storage method of numerical file names is highly adaptable
to rotating file names or, what I would suggest, is rotating
the numerical name of a single master directory. Move all of
your graphics into a single child directory. Once, twice, maybe
three times a day, change this directory name and rewrite your
html page to reflect this name change. Doing this manually
by hand, would only take a few minutes, using a good program
editor or a "search and replace" program. Won't be long, people
will give up on linking to your graphics.

You do have cgi ability at your .nl site. Why not put this
ability to good use? There are a lot of programs which will
make linking to your graphics nearly impossible.

You mention blocking ip addresses for offenders. Well,
there is something better which I mentioned. Instead of
blocking those ip addresses, use your rewrite engine in
an .htaccess file to send a graphic people really
do NOT want to see. There are hundreds of newsgroups,
*binaries.pictures which will afford you a chance to
download very offensive pictures for use.

Send a graphic these bandwidth thieves do NOT want
to be displayed at their sites. Works everytime.


Research, read and learn. There are lots of solutions
if you are willing to work at this.


Purl Gurl
--
Play Poker! Play Blackjack!
http://www.purlgurl.net/~callgirl/android/poker.cgi
http://www.purlgurl.net/~callgirl/android/blakjack.cgi

Purl Gurl wrote:

> Oliver Schalch wrote:
> > Purl Gurl wrote:

(snipped)

> > >> I just need to deny _all_ links to my site/aliases (jpgs/gifs/...)
> > >> from _any_ external sites. They are eating all my Bandwith and
> > >> server performance.

> > > How do you know this? Answer my question and you will have
> > > a programmer's answer how to prevent external linking to
> > > graphics or any files. So, how do you know this?

> > With my first posted "solution" - except that MSIE dont want be cool
> > with the referer the website works much faster.

> You did not quite answer my question.

> From a programming point of view, log entries should show
> a GET access to your html page along with GET requests for
> your graphics. What you are looking at in your logs is
> access to your graphics without an associated GET access
> to your html page.

> "if not html access then no graphics"

> There are a number of free scripts (programs) available,


I have written a very simple Perl program to exemplify
how you can protect your graphics or any files. This
program is basic and not designed for simultaneous hits
with it lacking flock facilities; it is very simple for
demonstration only. A lot of simultaneous hits will cause
unpredictable results but is easy to cure with addition
of code to handle these circumstances.

If you would like to see this in action, following these
instructions very carefully. Pay close attention to my
comments about browser caching. If you don't, your browser
will fool you into thinking this does not work. This method
has been successfully tested with MSIE 5.x and 6.x, Mozilla
4.x, 5.x and 7.x with all returning success. There is no
Mozilla 6.x version.

Create a hotlink within an html page at your website using
this graphic link:

<img src="http://www.purlgurl.net/~purlgurl/theft.pl/.gif">

Visit your test html page and observe what graphic is displayed.

Visit this page and observe what graphic is displayed:

http://www.purlgurl.net/~purlgurl/theft.html

If the same graphic is displayed, you need to dump your
browser cache. You are seeing a cached copy, not the
actual image. Use your browser "reload page" facility
or clear your memory cache and file cache.


An alternative:

Visit here:

http://www.purlgurl.net/~purlgurl/theft.html

Then visit here:

http://www.purlgurl.net/~purlgurl/theft.pl/.gif

Then visit here:

http://www.purlgurl.net/~purlgurl/hotlink.html


Keep in mind at all times you might be viewing a cached
copy of my graphics, not the actual images. Clear your
cache, reload, or even close and reopen your browser.

I found a "Control R" (reload) works well with MSIE.
Netscape 4.x has a persistent cache and will need a
reload or cache dump. Netscape 7.x handles all of this
very well, no cache errors as expected being the best
written browser available.

This cache problem is actually related to whether or
not your browser obeys "no cache" pragma. Netscape 4.x
is pre-meta and won't. MSIE doesn't do anything right.
Netscape 5.x and 7.x work perfectly.

Use Netscape 7.x if you wish to see all of this happen
in a seamless smooth fashion.

If your bandwidth theft is truly so severe as to load
down your server, look at programs as suggested. You
should know, programs like this actually add to your
server load but will be less than bandwidth problems.

My example is just one of many programming solutions
to this type of problem. Research, read and learn.
Personally, I would not use a program solution, not
even my own programming. The system resource costs
are simply too high, especially in your circumstances
of having dozens and dozens of files to protect.

Best option, most efficient option, is to simply
use a rewrite condition to send an unexpected graphic,
but only for a short period of time, up until those
linking to your graphics understand your message and
stop hot linking.

Blocking ip addresses as you plan, has undesirable side
effects such as blocking those who are not linking to
your graphics. With dynamic ip assignment, chances are
good you will block innocent people. Actually you will
be. You will be blocking those visiting html pages which
contain hotlinks to your site. You will not be blocking
the person who owns the hotlinked html page. If these
pictures are being used in a chatline, you certainly
will be constantly busy trying to block ip addresses.

You are running a membership club, yes? Make it clear
to your members hotlinking to graphics at your site
will result in their membership being terminated.

Yes, there are no easy solutions to hotlinking problems.
Again, best solution is to kick some ass around every
so often. They will get the message.

A good way to kick some ass is to send email to the
owner of a server which shows up in your referrer
log entries. This works very well.


My demonstration pages will be removed in a few days.
After this, you will receive 404 errors. Do it now,
later you will not be able to test this.



Purl Gurl
--
Most Entertaining Android In Existence!
http://www.purlgurl.net/~callgirl/roberta/roberta.cgi

In news:3FA53C47.8BFAE68B@purlgurl.net,
"Purl Gurl" <purlgurl@purlgurl.net> typed:
>
>> http://raddy73.tripod.com/gyals.html
>
>> That are two links of many they are linking our chicks
>
>
> Yes, nearly nude teenage "chicks" would be an enticement.
>
> Why no nearly nude teenage "dudes" at your site?
>
> Is it your intent to appeal to only a male audience?
> If so, write an extremely creative .htacess file
> which allows only male visitors.
>
> Order Allow,Deny
> Allow from male
> Deny from female
>
> This will decrease your bandwidth, significantly.
> However, this would be an act of discrimination
> against lesbians. This is not good.

Mhh, I think you missunderstood me (or was it my english?), because the two links I posted arent mine, those are two links they
linking my pictures, the site I run is http://www.usgang.ch the community site. :)

Well I do manually block the external image links on those pages I know, as well on those two I posted.

Sooner, I will set up a solution with cookies or session based or probably a Database(blob).

Greets,
Oliver