Hollering into the void since 2002

Tuesday, March 25, 2003

Countermeasures

Looking at my log files this morning, I found a dramatic jump in accesses to one of my other sites. A quick pass through the files found that someone was incorporating a couple of graphics I have showing maps of the village where my grandmother was born into their page. When I looked at the page, I found well over a hundred maps ripped off in the same manner. I also found that all the surrounding text was in Chinese. (I’m not linking to the page because I don’t want to stress all the other servers being ripped off, but it’s on a site called www.mopsite.com. That domain is registered to someone at an address in China that I can’t parse because it uses abbreviations I don’t know: Mop, SSR77, CS,HN,China 410007. Maybe in Hunan?)

Needless to say, I don’t need hundreds and hundreds of "visitors" who aren’t actually visiting. So I opened up my .htaccess file and whipped up a little mod_rewrite magic to ensure that anyone who accesses my files from the offending site is instead served a little file I created some time back to deal with a similar situation (warning, probably not safe for work).

RewriteEngine on
RewriteCond %{HTTP_REFERER} ^http://www\.mopsite\.com/.*$ [NC]
RewriteCond %{REQUEST_URI} ^/grandma/map.*$ [NC]
RewriteRule ^.* http://www.brandi.org/photos/eye_med_bad.jpeg [R=permanent]

Let’s go through this line by line. The first line simply makes sure that mod_rewrite is turned on.

The second line sets the first condition that must be met for the URL to be rewritten. It looks at the HTTP_REFERER variable provided by Apache. If it matches any page on www.mopsite.com, the condition is met. The .* is what says any page can match. [NC] makes the match case-insensitive, since domain names are case-insensitive.

Rewrite conditions are ANDed unless specifically ORed, so the rule will only be applied if the second line is true AND the third line is true. The third line looks at the REQUEST_URI variable, which is the portion of the URL requested that does not include the host name. The offending site was ripping off two of my files, both of which are in the directory /grandma/ and both of which start with map. The .* tells the comparison to match no matter what follows map. I set this to be case-insensitive for no particular reason, but it doesn’t hurt.

The fourth line creates the redirect to the nasty response if the two conditions are met, that is, if a request is made for my map images with a referer of www.mopsite.com. It says take any request (^.*) and replace it with a request to the URL of the nasty response. The [R=permanent] tells the server to send this with a code that tells browsers that this is not a temporary move, but a permanent one.

I checked the offending site after putting this in place, and sure enough, there’s now a special message from me there. I’ll probably leave the redirect in place for a week or two, then check the site again, and if they haven’t removed the inline link to my images, I’ll replace the fourth line with the following:

RewriteRule ^.* - [F]

That tells the browser that access to the file is forbidden, with a 403 status code. That will save me more bandwidth than the solution above, which still sends out a small file (although it uses much less of my bandwidth than the map files do). I figure the bandwidth use for my message file is probably worth it for a little while to send my special message.
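The log check that prompted the rule, as an added example in Python (not part of the original post): it tallies image requests in Apache combined-format logs by external Referer host, so a hotlinking site stands out with its hit count and bytes served. The sample lines, the file names, and www.example.org standing in for the site that serves the maps are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "[^"]*"$'
)
IMAGE_RE = re.compile(r'\.(?:gif|jpe?g|png)$', re.IGNORECASE)

# Constructed sample lines; www.example.org is a placeholder for the map site.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Mar/2003:08:01:12 -0500] "GET /grandma/map1.gif HTTP/1.1" 200 48211 "http://www.mopsite.com/page.html" "Mozilla/4.0"',
    '192.0.2.11 - - [25/Mar/2003:08:01:15 -0500] "GET /grandma/map2.gif HTTP/1.1" 200 51020 "http://WWW.MOPSITE.COM/page.html" "Mozilla/4.0"',
    '198.51.100.7 - - [25/Mar/2003:08:02:40 -0500] "GET /grandma/map1.gif HTTP/1.1" 200 48211 "http://www.example.org/grandma/" "Mozilla/4.0"',
    '198.51.100.8 - - [25/Mar/2003:08:03:02 -0500] "GET /grandma/map1.gif HTTP/1.1" 200 48211 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [25/Mar/2003:08:03:30 -0500] "GET /grandma/index.html HTTP/1.1" 200 3100 "http://www.mopsite.com/page.html" "Mozilla/4.0"',
]

def hotlink_report(lines, own_hosts):
    """Return {referer_host: (hits, bytes)} for image requests referred by other sites."""
    hits, volume = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        path = m["path"].split("?", 1)[0]
        if not IMAGE_RE.search(path):
            continue  # only inlined images cost bandwidth without a visit
        # hostname is lower-cased by urlsplit, mirroring the [NC] flag on the rule
        host = (urlsplit(m["referer"]).hostname or "").lower()
        # An empty or "-" referer is a direct request or a stripped header, not a hotlink.
        if not host or host in own_hosts:
            continue
        hits[host] += 1
        volume[host] += 0 if m["bytes"] == "-" else int(m["bytes"])
    return {h: (hits[h], volume[h]) for h in hits}

if __name__ == "__main__":
    report = hotlink_report(SAMPLE_LOG, {"www.example.org"})
    for host, (n, size) in sorted(report.items(), key=lambda kv: -kv[1][1]):
        print(f"{host}: {n} image hits, {size} bytes")
```

Requests with no Referer are left out of the tally on purpose, which is also why a rule keyed on one referring host never affects them.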

Now all I need to do is get the message translated into Chinese....

Posted at 9:27 AM


This site is copyright © 2002-2024, Ralph Brandi.