HELP!!! - Our images pulled from other servers

Hello everyone,

I've found several websites, where it appears that they are stealing our
content, including graphics, content, etc. They are not hosting this info on
their own site, but rather pulling them from our website and draining our
bandwidth.

Is there a way in IIS (or should it be done via ASP code?) that I could
limit the domains that could pull that info? (only the ones that pay us), so
in case www.xyz123abc789.com is trying to profit from our images (and
instead of downloading them to their server they link to our server) instead
of the images it appears a message (text or image) saying "you can display
these images, blablabla..."

FYI, we're running on Win2003

Thanks for your prompt response
SB-R

Re: HELP!!! - Our images pulled from other servers

Hello,

This is commonly known as "hot linking". ISAPI filters can prevent hot
linking by checking the referer (this is the most common way to prevent
this). Both free and commercial ISAPI filters for this purpose exists:

http://www.michaelbrumm.com/leechblocker.html
http://www.isapirewrite.com/

Others may also exists if you do a search on google.com.

Just be careful of what you block. If you block .htm files by checking the
referer, everyone coming from another website will be unable to visit your
website (because the referer is the other website).

Since HTTP is a stateless protocol there is no fail-safe solution to the
problem. Each request is new to the webserver, and the webserver cannot
really know if the client is "browsing" your website (webserver) or
another website (webserver). All the webserver knows is that there was a
request sent to the webserver.

--
Regards,
Kristofer Gafvert
http://www.gafvert.info/iis/ - IIS Related Info


segis bata wrote:

>Hello everyone,
>
>I've found several websites, where it appears that they are stealing our
>content, including graphics, content, etc. They are not hosting this info
>on their own site, but rather pulling them from our website and draining
>our bandwidth.
>
>Is there a way in IIS (or should it be done via ASP code?) that I could
>limit the domains that could pull that info? (only the ones that pay us),
>so in case www.xyz123abc789.com is trying to profit from our images (and
>instead of downloading them to their server they link to our server)
>instead of the images it appears a message (text or image) saying "you can
>display these images, blablabla..."
>
>FYI, we're running on Win2003
>
>Thanks for your prompt response
>SB-R

Re: HELP!!! - Our images pulled from other servers

Hello,

This is commonly known as "hot linking". ISAPI filters can prevent hot
linking by checking the referer (this is the most common way to prevent
this). Both free and commercial ISAPI filters for this purpose exists:

http://www.michaelbrumm.com/leechblocker.html
http://www.isapirewrite.com/

Others may also exists if you do a search on google.com.

Just be careful of what you block. If you block .htm files by checking the
referer, everyone coming from another website will be unable to visit your
website (because the referer is the other website).

Since HTTP is a stateless protocol there is no fail-safe solution to the
problem. Each request is new to the webserver, and the webserver cannot
really know if the client is "browsing" your website (webserver) or
another website (webserver). All the webserver knows is that there was a
request sent to the webserver.

--
Regards,
Kristofer Gafvert
http://www.gafvert.info/iis/ - IIS Related Info


segis bata wrote:

>Hello everyone,
>
>I've found several websites, where it appears that they are stealing our
>content, including graphics, content, etc. They are not hosting this info
>on their own site, but rather pulling them from our website and draining
>our bandwidth.
>
>Is there a way in IIS (or should it be done via ASP code?) that I could
>limit the domains that could pull that info? (only the ones that pay us),
>so in case www.xyz123abc789.com is trying to profit from our images (and
>instead of downloading them to their server they link to our server)
>instead of the images it appears a message (text or image) saying "you can
>display these images, blablabla..."
>
>FYI, we're running on Win2003
>
>Thanks for your prompt response
>SB-R

Re: HELP!!! - Our images pulled from other servers

You need a third party ISAPI filter for that.

You can do it in ASP too.

I found this one:
http://www.irritatedvowel.com/Programming/DeepLinkingHttpMod ule.aspx

With a simple search of Google.

"segis bata" wrote in message
news:e8Zdex7QGHA.5296@tk2msftngp13.phx.gbl...
> Hello everyone,
>
> I've found several websites, where it appears that they are stealing our
> content, including graphics, content, etc. They are not hosting this info
> on their own site, but rather pulling them from our website and draining
> our bandwidth.
>
> Is there a way in IIS (or should it be done via ASP code?) that I could
> limit the domains that could pull that info? (only the ones that pay us),
> so in case www.xyz123abc789.com is trying to profit from our images (and
> instead of downloading them to their server they link to our server)
> instead of the images it appears a message (text or image) saying "you can
> display these images, blablabla..."
>
> FYI, we're running on Win2003
>
> Thanks for your prompt response
> SB-R
>

Re: HELP!!! - Our images pulled from other servers

On Thu, 9 Mar 2006 15:59:30 -0500, "segis bata"
wrote:

>Hello everyone,
>
>I've found several websites, where it appears that they are stealing our
>content, including graphics, content, etc. They are not hosting this info on
>their own site, but rather pulling them from our website and draining our
>bandwidth.
>
>Is there a way in IIS (or should it be done via ASP code?) that I could
>limit the domains that could pull that info? (only the ones that pay us), so
>in case www.xyz123abc789.com is trying to profit from our images (and
>instead of downloading them to their server they link to our server) instead
>of the images it appears a message (text or image) saying "you can display
>these images, blablabla..."
>
>FYI, we're running on Win2003
>

Have you considered 'branding' the images?

Some have actually put new images in their own sites, then altered the
ones being hijacked to be insulting or unfriendly (I've seen ebay
sellers who have taken other sellers pictures, only to find that the
image in their listing says: "We are crooks and steal things". The
seller, if there are bids, cannot remove the image and gets a lot of
bad press.

Re: HELP!!! - Our images pulled from other servers

On Thu, 9 Mar 2006 15:59:30 -0500, "segis bata"
wrote:

>Hello everyone,
>
>I've found several websites, where it appears that they are stealing our
>content, including graphics, content, etc. They are not hosting this info on
>their own site, but rather pulling them from our website and draining our
>bandwidth.
>
>Is there a way in IIS (or should it be done via ASP code?) that I could
>limit the domains that could pull that info? (only the ones that pay us), so
>in case www.xyz123abc789.com is trying to profit from our images (and
>instead of downloading them to their server they link to our server) instead
>of the images it appears a message (text or image) saying "you can display
>these images, blablabla..."
>
>FYI, we're running on Win2003
>

Have you considered 'branding' the images?

Some have actually put new images in their own sites, then altered the
ones being hijacked to be insulting or unfriendly (I've seen ebay
sellers who have taken other sellers pictures, only to find that the
image in their listing says: "We are crooks and steal things". The
seller, if there are bids, cannot remove the image and gets a lot of
bad press.

Re: HELP!!! - Our images pulled from other servers

>Is there a way in IIS (or should it be done via ASP code?) that I could
>limit the domains that could pull that info?

As Kristofer mentions, the most primitive way to combat hotlinking is
an ISAPI filter on the referer field. However, while this may make a
palpable dent in the reuse of your images for malicious purposes
(depending on the skill of may abusers, who can get around the filter
if they are dedicated), it may also make a dent in the number of legit
users who can view the images, since the referer field simply is not
always present. If you tightly control the browser versions and
proxies of _all_ of your legit users -- basically, if they're your
employees -- you could get away with the referer filter alone. But I
do think it's a can of worms for a public website.

However, there are more robust solutions available. One that I've
used is streaming image files on-the-fly with random names. This
means that you are actually assembling the response stream in ASP (I
actually did this in PHP, but the same concepts apply) before sending
it back to the client, rather than letting IIS stream the pix directly
from your disk. Your ASP reads the file from disk and sends back an
image/jpeg stream, for example; the IMG links are to .ASP files. In
this way, you can generate new file names each time using an internal
algorithm that outsiders will never see. Even better, some people
suggest rotating the same random file names across your links, to make
outside hotlinkers look like fools by having the IMG links load, but
load different content than they were expecting. Or you can have
outdated filenames all bring up the same "Stop hotlinking" image.

However, bear in mind that a technique like this is sure to slow down
image delivery, since the code has to be run through the preprocessor
and can't compete, as far as I saw in testing, with IIS just grabbing
the file straight off disk. Because of the overhead, you may want to
use an image cache and let each image be hotlinked for even a full day
before expiring it. Depends on your traffic patterns.

--Sandy

Re: HELP!!! - Our images pulled from other servers

>Is there a way in IIS (or should it be done via ASP code?) that I could
>limit the domains that could pull that info?

As Kristofer mentions, the most primitive way to combat hotlinking is
an ISAPI filter on the referer field. However, while this may make a
palpable dent in the reuse of your images for malicious purposes
(depending on the skill of may abusers, who can get around the filter
if they are dedicated), it may also make a dent in the number of legit
users who can view the images, since the referer field simply is not
always present. If you tightly control the browser versions and
proxies of _all_ of your legit users -- basically, if they're your
employees -- you could get away with the referer filter alone. But I
do think it's a can of worms for a public website.

However, there are more robust solutions available. One that I've
used is streaming image files on-the-fly with random names. This
means that you are actually assembling the response stream in ASP (I
actually did this in PHP, but the same concepts apply) before sending
it back to the client, rather than letting IIS stream the pix directly
from your disk. Your ASP reads the file from disk and sends back an
image/jpeg stream, for example; the IMG links are to .ASP files. In
this way, you can generate new file names each time using an internal
algorithm that outsiders will never see. Even better, some people
suggest rotating the same random file names across your links, to make
outside hotlinkers look like fools by having the IMG links load, but
load different content than they were expecting. Or you can have
outdated filenames all bring up the same "Stop hotlinking" image.

However, bear in mind that a technique like this is sure to slow down
image delivery, since the code has to be run through the preprocessor
and can't compete, as far as I saw in testing, with IIS just grabbing
the file straight off disk. Because of the overhead, you may want to
use an image cache and let each image be hotlinked for even a full day
before expiring it. Depends on your traffic patterns.

--Sandy