Dealing with Deep-Linking to Your Online Photos? 139

Pig Hogger asks: "I've had my own hobby website since 1993, and over the years it has expanded to be quite a reference for the domain I am covering (some pro websites list it as additional reference, and so does Wikipedia. Google page-ranks it amongst the top). Every so often, I peruse the logs, most especially looking at the referrers to see where people come from, and once in a while, I notice that some webloggers deep-link to an image on my site. I do not mind too much when it's on-topic, but when it's not *AND* it's sucking-up bandwidth, I tend to be irked. Or worse, when you can't go look at the referring page without registering on the weblog site. In those cases, I change the picture filename (and the corresponding webpage that calls it), and I substitute a smaller (and most often, naughty) picture. What other tricks do those of you who are facing the same problem have to address this problem?"

  • irked? (Score:1, Funny)

    by Anonymous Coward
    > I do not mind too much when it's on-topic, but when it's not *AND* it's sucking-up bandwidth, I tend to be irked.

    And you ask this question on Slashdot? Why don't you tell us the URL?
    We will show you what deep linking can feel like.
  • by MooseGuy529 ( 578473 ) <i58ht6b02.sneakemail@com> on Tuesday February 08, 2005 @07:45AM (#11605249) Homepage Journal

    What most websites do is use a CGI script that blocks by Referer and/or IP Address (so like allow any request with your site as a referer, or any IP that has requested another page within the past ~5 minutes, in case people hide referers with crappy paranoid firewalls). You could make it generate a list of pages for you to easily review and allow or block.

    • This technique is actually so common that wget has an option to get around it. If external links directly to your images, downloads, or mail sending scripts really are a problem for you, I'd think that 'unlock this resource for this ip when ip requests this page' methods are slightly more effective, although a dynamic system that changes the referring page and the target on a periodic basis or per session (automate what the question submitter mentioned as his method) could be better.

      HTTP headers are so incr

      • So you can tell wget to lie to the web server when raiding your favorite web page for images.

        That's not what the person asking the question asked for. He wants to stop sites from deep-linking his jpegs, not protect his nuclear launch code CGI to be used only from his own home page.

        A simple filter which would require the referer to be on his web site would pretty much stop his problems anyway. The people deep-linking to his web site write their web pages for browsers with <img src> tags, and as far a
        • My point is not that wget can get around 'referer' header filters, but that the technique itself is a very weak protection. The fact that wget has a built-in feature to get around it shows that a large number of people are already aware of the technique and how to defeat it.

          Since referer restriction is becoming common I bet it is only a matter of time before web board software comes up with a script for all signature images. The signature img tag is rewritten from www.whatever.tld/myimage.jpg to www.board.tl

          • I'm sorry, I'm not so skilled in the ways of HTML. But can the proper javascripts or HTTP headers tell a browser to fake a referrer header?

            Or do you mean that the CGI script goes to fetch it, and then relays it to the user? That could work, but the bboard software would be retarded not to cache it in that case.
            > My point is not that wget can get around 'referer' header filters, but that the technique itself is a very weak protection.

            No, it's very strong protection. You seem to think that this is some sort of anti-copying measure. It's a way of protecting server resources. Nobody's going to bother deep linking when 99% of their visitors are going to get broken images. They'll just copy it to their own server instead.

            > I bet it is only a matter of time before web board software comes up with a script for

            • Why on earth would somebody do that instead of simply copying the image to their server?

              Some people might just copy the image, but a system that just works transparently has the potential to be more popular. Once such a script is written it works the exact same way that an img tag would.


              • Except for the fact that it also uses more resources on the server than just straight copying would. You're doubling the bandwidth needed (1 "unit" to grab the image from the other server, 1 "unit" to send it off to the client).

        • Um, you totally missed my point. I would use a CGI script to control access to the images, not another CGI script. Instead of /images/image001.jpg, you would do /cgi-bin/image.cgi?id=001 and it would check the referer and/or and provide the image if correct, otherwise provide 1. nothing, 2. an "Image Hosted by OtherSite", or 3. something nasty (perhaps selected by amount of hits per "stealing" domain).

      • The OP was complaining about the bandwidth. An occasional hit from wget isn't as likely to be a problem. Most browsers aren't set up to fake headers, and certainly not at the direction of site x that's linking pictures from site y.
        • I don't think that wget itself is likely to be a problem, it merely illustrates a desire to defeat 'referer' restrictions. In my previous reply in this thread I describe a simple cgi that could easily become part of webboard code to handle signatures and automate the process of faking a referer header.
          • Yes, but nobody would actually do that because it would defeat the purpose of the deep-link, which is to *not host the image themselves*. It's a lousy way to prevent someone from spidering your site, but it's a really good (and effective) way of preventing deep-linking.
    • ... redirect them to one of the GNAA/goats.cx style shock images. Nothing will discourage (most) webloggers from deep linking to your images more than turning their precious 'blogs' in to gay scat porn sites.
  • Get over it. (Score:2, Insightful)

    "Deep linking" is what makes the web the web.
    • Re:Get over it. (Score:2, Insightful)

      by Anonymous Coward
      Show us where it says "Must allow deep linking no matter the cost in bandwidth" in the Internet Constitution.
    • Re:Get over it. (Score:5, Insightful)

      by Daniel Dvorkin ( 106857 ) * on Tuesday February 08, 2005 @09:05AM (#11605794) Homepage Journal
      What makes the Web the Web is hyperlinking, period. Using an image at another site on your own page isn't the same thing.

      I kinda sorta halfway agree with you about "deep linking" in its original sense: if there's a really good page at http://www.bigco.com/foo/bar/spam/eggs/x/y/z.html, and you want to have a link on your page that says "Click here to read this really good page," it's really dumb for BigCo Inc.(R)(c)(tm) to force you to link to the main page at bigco.com so people have to navigate through their site to get to the page in question. That kind of thing is a violation of the spirit of the Web, I agree. But neither BigCo nor (more often) some guy running a site out of his basement on a 256k DSL line is obligated to be your image hosting service.
  • Solved problem (Score:4, Informative)

    by JimDabell ( 42870 ) on Tuesday February 08, 2005 @07:49AM (#11605277) Homepage

    The typical solution to this is serving a complaint image to requests with the Referer header set to something starting with 'http' that don't correspond to your website. Five minutes on Google would have told you this (and provided ready-made recipes for Apache).

    • One problem with this solution is that newer firewall software blocks referer headers. I know Norton Internet Security 2004 does this.
      • > One problem with this solution is that newer firewall software blocks referer headers. I know Norton Internet Security 2004 does this.

        Then Norton Internet Security 2004 will not work with a lot of web sites, because a lot of web sites do this already.

        In reality, the sites usually work if the Referrer: header is empty, or if it says you came from the same site. It's when the Referrer: site says the link is from another site that the site denies the request, so NIS 2004 won't break every site. But I'

        • The problem on some webforums I read from time to time got so severe for a while that I wrote a proxomitron rule to change the referrer header of whatever image I was requesting to be the site that I was requesting it from. So basically it looked like the referrer was the directory that the image was in. http://foo/bar/image.png would get a referrer of http://foo/bar/.

          This worked on every site I checked. Leaving it blank/non-existent did not always work, although it did work most of the time.

          I no longer u
      • > One problem with this solution is that newer firewall software blocks referer headers.

        That's no problem; if you re-read my comment, you'll see that I suggested only blocking requests with a Referer header that started with http that didn't match your website. Blank Referer headers and Referer headers that say "blocked by [xxx]" will not trigger this.
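The policy described in the comment above (act only on a Referer that starts with "http" and is not your own site, and let blank or rewritten headers through), applied to access-log lines to list which off-site hosts embed images and how many bytes each costs. This is an added example, not code posted in the thread; the hostnames in `OWN_HOSTS`, the extension list and the log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

OWN_HOSTS = {"www.example.org", "example.org"}   # assumption: the site's own hostnames
IMAGE_EXT = (".jpg", ".jpeg", ".gif", ".png")    # assumption: what counts as an image

# Apache "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "[^"]*"'
)

def referer_host(referer):
    """Hostname of an http(s) Referer, or None if it is blank or not a URL."""
    if not referer.lower().startswith(("http://", "https://")):
        return None            # "-", empty, or text such as "blocked by ..."
    try:
        host = urlsplit(referer).hostname
    except ValueError:         # malformed URL
        return None
    return host.lower() if host else None

def classify(referer):
    """Return 'local', 'unknown' (header absent or rewritten) or 'offsite'."""
    host = referer_host(referer)
    if host is None:
        return "unknown"       # let these through: privacy tools strip the header
    # Compare the parsed hostname exactly. A loose pattern such as
    # ^http://.*yourdomain\.com/ also accepts other hosts whose URL merely
    # contains the name.
    return "local" if host in OWN_HOSTS else "offsite"

def hotlink_report(lines):
    """Sum image bytes per off-site referring host and collect the referring pages."""
    bytes_by_host = Counter()
    pages_by_host = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0].lower()
        if not path.endswith(IMAGE_EXT) or classify(m["referer"]) != "offsite":
            continue           # ordinary page links and local/unknown hits are ignored
        host = referer_host(m["referer"])
        bytes_by_host[host] += 0 if m["size"] == "-" else int(m["size"])
        pages_by_host.setdefault(host, set()).add(m["referer"])
    return bytes_by_host.most_common(), pages_by_host

# Constructed sample log lines (documentation addresses and example domains).
SAMPLE_LOG = [
    '198.51.100.4 - - [08/Feb/2005:07:45:01 +0000] "GET /photos/engine.jpeg HTTP/1.1" 200 48211 "http://www.example.org/gallery.html" "Mozilla/5.0"',
    '198.51.100.9 - - [08/Feb/2005:07:46:10 +0000] "GET /photos/engine.jpeg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '198.51.100.12 - - [08/Feb/2005:07:47:33 +0000] "GET /photos/engine.jpeg HTTP/1.1" 200 48211 "blocked by privacy filter" "Mozilla/4.0"',
    '203.0.113.20 - - [08/Feb/2005:07:48:02 +0000] "GET /photos/engine.jpeg HTTP/1.1" 200 48211 "http://forum.example.net/viewtopic.php?t=77" "Mozilla/5.0"',
    '203.0.113.21 - - [08/Feb/2005:07:48:40 +0000] "GET /photos/engine.jpeg HTTP/1.1" 200 48211 "http://forum.example.net/viewtopic.php?t=78" "Mozilla/5.0"',
    '203.0.113.30 - - [08/Feb/2005:07:49:15 +0000] "GET /photos/bridge.gif HTTP/1.1" 200 9000 "http://www.example.org.blog.example.com/post/5" "Mozilla/5.0"',
    '198.51.100.4 - - [08/Feb/2005:07:50:00 +0000] "GET /gallery.html HTTP/1.1" 200 5120 "http://forum.example.net/viewtopic.php?t=77" "Mozilla/5.0"',
]

if __name__ == "__main__":
    ranking, pages = hotlink_report(SAMPLE_LOG)
    for host, total in ranking:
        print(f"{host}: {total} bytes from {len(pages[host])} page(s)")
```

The report is meant for review before any rule is written: a host that shows up here may still be a legitimate client whose software rewrites the header.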

    • Here is my .htaccess for doing just this.

      I have gotten a number of emails from people who didn't appreciate my changing their image (or their background -- that was a good one, couldn't read the person's site at all)

      # mod_rewrite must be switched on for the rules below to run
      RewriteEngine On

      # Need additional rewrite for the directory without a slash, because otherwise
      # the (.*) matches the whole URL. There is probably a better way to do this
      # but this works
      RewriteRule html_gifs$ http://www.geocities.com/last_id_in_the_world/html_gifs/ [L,R=permanent]

      # People who don't get it...
      RewriteCond %{HTTP_REFERER} ^http://www.playahead.com/GroupInfo.aspx.*$ [NC,OR]
      RewriteCond %{HTTP_REFERER} ^http://www.xanga.com/private/home.aspx$ [NC,OR]
      # the "?" is escaped so it matches a literal question mark in the Referer
      RewriteCond %{HTTP_REFERER} ^http://www.kindertent.nl/template.php\?id=278628&tid=38$ [NC,OR]
      RewriteCond %{HTTP_REFERER} ^http://nuvoleinviaggio.blog.excite.it/$ [NC]
      RewriteRule ^(.*)$ http://www.geocities.com/last_id_in_the_world/html_gifs/funny_looking.gif [L,R=permanent]

      # People who don't get it. -- these people are especially annoying,
      # as apparently mozilla-- doesn't set the referrer when using style sheets...
      #RewriteCond %{HTTP_REFERER} ^$ [OR]
      # RewriteCond %{HTTP_REFERER} ^http://www.xanga.com/home.aspx\?user=da_forg3tabl3_1.*$ [NC]
      RewriteRule backgrounds/blue-faded.jpg /~jondaley/html_gifs/funny_looking.gif [L,R=permanent]

      # uncomment this if you want people who don't have their referrer
      # set to also be redirected
      RewriteCond %{HTTP_REFERER} ^$ [OR]

      # If linked to from somewhere else, forward them to geocities
      RewriteCond %{HTTP_REFERER} !^http://www.snurgle.org/.*$ [NC]

      # Forward all requests, since we are within the html_gifs directory
      RewriteRule ^(.*)$ http://www.geocities.com/last_id_in_the_world/html_gifs/$1 [R=permanent]
    • Yeah, but it's a lot more funny to post it on slashdot and read the replies. That Uconn thing had me laughing for quite a while.
  • by Sentry21 ( 8183 ) on Tuesday February 08, 2005 @07:52AM (#11605296) Journal
    I have a file called bestgif.gif on my website - simply put, the best gif ever. Then Mexicans started putting it in their sig on these huge forums, and my bandwidth went up near a few gigs a month (from almost nothing). So...

    RewriteCond %{HTTP_REFERER} ^http://pkpidgeot.com/.*$ [NC]
    RewriteRule .*bestgif\.gif$ http://sites.darien.ca/temp/.tubgirl.jpg [R,NC]

    I'm willing to bet their accounts got suspended when suddenly their sigs contained a large picture of a large woman spewing a fountain of shit into the air.

    My bandwidth usage drops off completely soon after I add a site to the list.
    • I use this technique as well, although with a less harsh image saying "thanks for your interest in my pictures, feel free to look at them on dedasys.com".

      I wonder what will happen if enough people start using it though - will people simply start copying the images?

      I guess if you're worried enough, you can watermark them or use other things to keep them from being useful, if you want people to pay.

      BTW, whenever anyone actually asks to use my photos, I always say yes and have never asked for money - what i
      • Preventing people from *copying* the images is a completely new challenge, and fortunately most people don't worry about that too much.

        Deep-linking is more dangerous than copying, because it can unexpectedly cause vast increases to your bandwidth if the image is redisplayed in a more popular location.

        Copying... well, it's annoying if someone else uses your photo on a site w/o crediting you, and especially annoying if they are selling prints or something like that, but neither one costs you money (remember
        • I've never seen an image protection trick that worked without changing the actual image itself. (Pre-processing it and applying a watermark, for example.) Even Kodak's website (www.proshots.com) for professional photographers has a huge flaw that lets any competent geek download the full quality high-res images without any sort of watermark or copyright indicator.

        • You can also put them in a Flash movie. I'm sure they can be extracted but how many of the people that would be stealing his images are smart enough to do that?
          • Try this one [airtightinteractive.com]. Not FOSS, but free-as-in-beer and very pretty. The images are displayed through the Flash app rather than hidden by it, but it's more than enough to stall the average punter, if that's what you want to do.

            Except over a remote RDP link, where the fading and flashing can cause a page to take 20 minutes or more to finish loading over a 128kb ADSL uplink.
      • What you should do is to whitelist everyone who has accessed it already -- this will no doubt include the offending deeplinker. Then when people start complaining to the deep linker about tubgirl or what not, they'll check and see nothing wrong. People will get upset that the deeplinker is both linking to a horrible image, AND denying it.

        should be quite fun.
    • I did something similar, though not quite as mean. I ran a site for awhile that did an image a day. I was checking the stats and found a site that was giving me huge referrals. Except they weren't, they had just linked to my image. In any case, used mod_rewrite to instead put an ad up for my site. Worked wonders!
    • So now, of course, you're slashdotting every other site that has a "bestgif.gif [google.com]".
    • Perhaps people should start using the Coral to coralized things like what I think you're talking about [nyud.net].

      The gif truly is amazing. I found it in someone's sig last week and was blown away.
    • The site that was deeplinking to you is a Pokemon site, which means it was a bunch of kids.

      Yep, you're a tough guy and a class act.

      And what the hell does the fact that they are Mexicans have to do with anything?
      • If that was his rewrite rule, I wonder who might be interested in his deliberate exposure of children to that material. This thread is a public admission that he deliberately placed indecent material on a children's site.

        I'm not a big fan of censorship or our indecency laws, but placing that image on a children's site seems a bit of an overreaction. One that might come back and bite.
        • > If that was his rewrite rule, I wonder who might be interested in his deliberate exposure of children to that material. This thread is a public admission that he deliberately placed indecent material on a children's site.

          Yes, I routinely replace often-linked pictures with TUBGIRL, and no, I don't have any problem risking to expose such pictures to children. The very least it can do is teach parents to teach their children to be smart.

          And to those who say "please think of the children", I say that a lot

    • Sentry21, you're going on my friends list because I can't afford to have foes like you. ;-)
  • Does your server allow setting up rules by referring site? If a lot came from one place, point them at a "deep linking not accepted" image or give them a 302 redirection back to an image on their site. You could generally turn off deep linking by file type (e.g. jpeg, gif, etc), but that seems extreme.
  • by jgaynor ( 205453 ) <jon@gaAUDENynor.org minus poet> on Tuesday February 08, 2005 @08:12AM (#11605428) Homepage
    Blocking is easy enough nowadays, but switching images is far more fun. I had this image [rescuehumor.com] in my gallery, from when a bus at my university crashed into a dorm. Before a recent football game, a fan from Uconn found this image and used it in a 'we're gonna kick your ass'-type post on their athletics message board. So I saw this in my logs and removed/changed the image to this one [gaynor.org]. The post was then filled with 'wtf' comments and was pulled a day later :).
    • That image seems to wind up in the Targum and Medium pretty often. :)

      (I'm a grad student at RU right now.)
    • Must ... click ... links ... through ... corporate ... firewall ...

      Doh, the temptation to see.

    • by Mmm coffee ( 679570 ) on Tuesday February 08, 2005 @02:19PM (#11609307) Journal
      I used image switching on a site I was working on, only my image was a bit more disruptive.

      Create a 1px x 1px transparent gif and open it in a hex editor. I forgot which bytes exactly to change, but if you change some of the 01's to FF in the first X bytes, you can create a 64kX64K pixel GIF file that weighs in at roughly 100 bytes. Use that as your switched image, and you will have lots of laughs as you see the hotlinker's sites 50 screens wide by god knows how many screens tall. It makes any site totally unreadable and costs almost zero bandwidth to boot. Works for me. ;)
      • Damn. I'm sure getting a lot of new friends out of this deep-linking thread.
      • Dude, save us the trouble and link to it.
      • Not knowing much at all about images, I experimented a bit with what you said. I created a 1px x 1px transparent gif. I opened it with UltraEdit and changed the 7th and 9th bytes from 01 to FF (these were the only 01's I found in the initial bytes of the file).

        It did enlarge the image, but kept the file at 1k in size. However, it didn't make it huge... just 255px x 255px.

        Can you remember any more about it? I couldn't find a link anywhere, but it sounds like a great way to prevent deep linking witho
        • Yeah, edit bytes 6 and 8 to FF, that would make it a short integer and thus have an upper boundary of 64ksomething. That should do it.

          Yeah, it was a wonderful little replacement image. Totally disruptive, very hilarious, non-offensive (harmless), and costs next to no bandwidth.
          • IPalindromeI replied to a journal [slashdot.org] entry I made about this topic, and pointed out that it's 2 bytes per axis, which I should have realized given the values of 255 mentioned before. So it's bytes 7-10 that become FF. I tested it and it worked... the image is HUGE, but the filesize is 43 bytes.

            You're also right about being disruptive and non-offensive, and keeps your bandwidth usage pretty low.

            So do I have to pay you some royalties if I use this in the future?
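The header layout this sub-thread works out (bytes 7-10, two little-endian bytes per axis) is the GIF logical screen size, which is stored separately from the size of the first frame. The parser below, an added example that is not code from the thread, reads both and flags a canvas far larger than the frame, a check a site that embeds remote images could run before displaying one; the 43-byte GIF is constructed inline and the thresholds in `check_declared_size` are assumptions.

```python
import struct

def gif_dimensions(data):
    """Return ((screen_w, screen_h), (frame_w, frame_h)) for the first frame."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    # Offsets 6-9 (the thread's "bytes 7-10"): canvas width and height.
    screen_w, screen_h, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13
    if packed & 0x80:                          # global colour table follows
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    while pos < len(data):
        block = data[pos]
        if block == 0x2C:                      # image descriptor
            if pos + 10 > len(data):
                raise ValueError("truncated image descriptor")
            frame_w, frame_h = struct.unpack_from("<HH", data, pos + 5)
            return (screen_w, screen_h), (frame_w, frame_h)
        if block == 0x21:                      # extension: label, then sub-blocks
            pos += 2
            while pos < len(data) and data[pos] != 0:
                pos += data[pos] + 1
            pos += 1                           # skip the block terminator
            continue
        break                                  # trailer (0x3B) or unknown data
    raise ValueError("no image descriptor found")

def check_declared_size(data, max_side=4096, max_ratio=64):
    """List reasons to distrust the declared canvas (thresholds are assumptions)."""
    screen, frame = gif_dimensions(data)
    problems = []
    if max(screen) > max_side:
        problems.append("canvas side exceeds limit")
    if screen[0] * screen[1] > max_ratio * max(1, frame[0] * frame[1]):
        problems.append("canvas far larger than first frame")
    return problems

# Constructed 43-byte transparent 1x1 GIF89a.
TINY_GIF = bytes.fromhex(
    "474946383961"            # signature
    "01000100" "800000"       # canvas 1x1, flags, background, aspect
    "ffffff000000"            # two-entry global colour table
    "21f9040100000000"        # graphic control extension (transparency)
    "2c000000000100010000"    # image descriptor: frame 1x1
    "0202440100" "3b"         # image data and trailer
)
# The two edits discussed above: low bytes only, then all four bytes.
LOW_BYTES_ONLY = TINY_GIF[:6] + b"\xff\x00\xff\x00" + TINY_GIF[10:]
ALL_FOUR_BYTES = TINY_GIF[:6] + b"\xff\xff\xff\xff" + TINY_GIF[10:]

if __name__ == "__main__":
    for name, blob in [("original", TINY_GIF), ("bytes 7 and 9", LOW_BYTES_ONLY),
                       ("bytes 7-10", ALL_FOUR_BYTES)]:
        print(name, len(blob), gif_dimensions(blob), check_declared_size(blob))
```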
    • You are too cool to not be a friend of mine. Welcome to my friends list!
  • Apache recipe (Score:5, Informative)

    by ccarr.com ( 262540 ) <chris_carr.slashdot@ccarr@com> on Tuesday February 08, 2005 @09:09AM (#11605816) Homepage
    I have a number of photo sites, most of which would be interesting only to friends and family, but a couple are of general interest. I don't mind LINKING (as in anchor tags) to my photos, but nobody does that. They EMBED (with img tags) my photos, thus sucking up my bandwidth to enhance their own pages.

    First, name your photos with a unique file extension. I use ".jpeg" for photos and ".jpg" for other incidental JPEG files on the site. Then, place this in the relevant area of your Apache config:

    ### BLOCK IMAGE EMBEDDING
    SetEnvIfNoCase Referer "^http://.*yourdomain\.com/" local_ref=1
    <FilesMatch "\.(jpeg)">
    Order Allow,Deny
    Allow from env=local_ref
    </FilesMatch>
    • SetEnvIfNoCase Referer "^http://" remote_ref=1
      # Unset the flag for your own pages: "Deny from env=" only tests that the variable exists
      SetEnvIfNoCase Referer "^http://.*\.yourdomain\.com/" !remote_ref
      <FilesMatch "\.(jpeg)">
      Order Deny,Allow
      Deny from env=remote_ref
      </FilesMatch>

      This will let your page work for people with anonymizer services and firewalls which block the referer field. Of course for those people the remote linking will work as well, but usually they are few enough for the bandwidth impact to be negligible.
  • There has to be someone out there dumb enough to sue over this...

  • I would just automatically add a copyright notice to off-site referrers, i.e. generate images with copyright notices.
    If traffic becomes too high, you could use another solution, but it does not sound as if that's the problem.
    I think linking is much preferable to copying, since you still have control over the images, and can track who sees them.
  • Uh Oh! (Score:2, Funny)

    by Anonymous Coward
    > In those cases, I change the picture filename (and the corresponding webpage that calls it), and I substitute a smaller (and most often, naughty) picture. What other tricks those of you are facing the same problem have to address this problem?"

    Does this mean a goatse or tubgirl link will get you modded up "+1 Informative"?

    A sad day, indeed.
    • > Does this mean a goatse or tubgirl link will get you modded up "+1 Informative"?

      Hmm, let's try it. For those of you who don't know what he was referring to, goatse [goat.cx] and tubgirl [tubgurl.com] are those sites. ;)
  • duh (Score:2, Funny)

    by nuggetman ( 242645 )
    all you need to stop people from stealing your images is a no-right-click javascript. sheesh.
    • Wow.

      And how can you stop me from using View Source?

    • The problem is not copying, it is linking and sucking up bandwidth.

      Besides which, disabling javascript defeats your trick, and it's in the browser cache anyway. If it's on someone's screen, it's in their computer.
    • > all you need to stop people from stealing your images is a no-right-click javascript. sheesh.

      Except that all browsers allow you to turn JavaScript off. And then there's still wget, lynx, w3m, ... and "View Source".

      • And for those web devs who are really stupid, "Print Screen" (yes, I actually saw a guy do this ...).
        • > And for those web devs who are really stupid, "Print Screen" (yes, I actually saw a guy do this ...).
          It's not that stupid. I've seen people posting pictures of themselves having sex but cut up in tiny pieces pieced together in a table. So, instead of having to save 150 little bits and pieces (only one or two being naughty) and reassembling them, you just do a print screen, and voilà! instant embarrassing picture ready to laugh at...
          • And low-res - you could probably write a script to get the image in a better resolution, and make it general case (i.e., open the html as text, select the table, and have it parse that, as the simple but inelegant way to do it).
      • not to mention my personal favorite, Firefox's page info, which includes a media section with all the videos, images, objects, etc in a page that you can directly download.
    • The only problem with many of those no-right-click javascript thingies is they assume the right button is number 2. On my system (Linux/X) it's number 3.

      That, and as others have pointed out, "view source" or "view page info", and/or disabling javascript makes that approach rather pointless.

      Besides, it's not about them physically stealing the images (which they can do with screen shots if nothing else; if they can see it, they can save it). The issue here is about them embedding your image in their web

    • ...and then shows the menu. It's probably a bug, but it's both useful and amusing.
  • by wowbagger ( 69688 ) on Tuesday February 08, 2005 @10:21AM (#11606370) Homepage Journal
    Some of us block the REFERER header out of privacy concerns, since many browsers do not distinguish between a GET kicked off due to a page element like an IMG tag, and a link click.

    May I make the following suggestions?

    1. If you MUST use a referrer block, please consider simply rate limiting non-matching requests to a very low rate, like 2kB a second. That will keep your bandwidth down, yet allow the paranoid among us to still see your image (albeit after a wait).
    2. Use a CGI to provide the image, and have the page in question generate the link dynamically - that way, for the next five minutes your image might be visible as http://example.com/image.cgi?pic=foo.gif&key=598234
      and later the key value may be different. That way, you don't rely upon a spoofable header. Yes, this makes your image non-cachable, but if you are using referrer blocking, perhaps that is not a bad thing?
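One way to build the expiring key from suggestion 2 above, as an added example rather than code from the thread: the page that embeds the image calls `make_link`, and the image script calls `check_request` before serving anything. `SECRET`, `WINDOW`, the function names and the filename allow-list are assumptions; the key is an HMAC over the picture name and the current five-minute window, so it cannot be reused for another picture or after the window passes.

```python
import hashlib
import hmac
import re
import time
from urllib.parse import parse_qs, urlencode

SECRET = b"replace-with-a-random-server-side-secret"   # placeholder, never sent to clients
WINDOW = 300                                            # seconds per key window (five minutes)
# Only plain file names are served; this also keeps "../" out of the CGI parameter.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.(?:gif|jpe?g|png)")

def _key(pic, window_no):
    """Key bound to one picture and one time window."""
    msg = f"{pic}|{window_no}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]

def make_link(pic, now=None):
    """Called while rendering the HTML page: returns the image URL to embed."""
    now = time.time() if now is None else now
    if not SAFE_NAME.fullmatch(pic):
        raise ValueError("unexpected picture name")
    query = urlencode({"pic": pic, "key": _key(pic, int(now // WINDOW))})
    return "/image.cgi?" + query

def check_request(query_string, now=None):
    """Called by the image script: returns the picture name to serve, or None."""
    now = time.time() if now is None else now
    params = parse_qs(query_string)
    pic = params.get("pic", [""])[0]
    key = params.get("key", [""])[0]
    if not SAFE_NAME.fullmatch(pic):
        return None
    current = int(now // WINDOW)
    # Accept the previous window too, so a page rendered just before a
    # rollover still shows its images (a key lives 5 to 10 minutes).
    for window_no in (current, current - 1):
        expected = _key(pic, window_no)
        if hmac.compare_digest(key.encode(), expected.encode()):
            return pic
    return None

if __name__ == "__main__":
    link = make_link("foo.gif")
    print(link)
    print(check_request(link.split("?", 1)[1]))
```

A request that fails the check can be answered with the small replacement image or the rate-limited response from suggestion 1 instead of an error.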

    • In my experience the best solution is simply to only block those who provide valid referrers, since all you need is to block most remotely referred requests, not all.

      Apache recipe in this previous comment [slashdot.org].
    • Your nickname sounds awfully familiar to me. Are you on SKTC by chance?
  • by Rameriez ( 644702 ) on Tuesday February 08, 2005 @10:27AM (#11606422) Homepage

    I had this exact same problem with a few images I host on my site. Typically from forums that allow avatars to be hosted offsite. I did a bit of a google on the problem of "hot linking", and came up with this:

    http://www.alistapart.com/articles/hotlinking/ [alistapart.com]

    It's an excellent solution that prevents hot/deep image embedding, but allows for normal anchor links to your pictures. You'll need to be hosting on an apache server and be allowed to use .htaccess files and have mod_rewrite, plus the tiniest amount of php/perl scripting knowledge (php example in link).

    Basically, you rewrite any requests for images from offsite with a URL that points to a script. Embedded images will fail, because the browser expects image data when it gets text/html instead. The script simply displays the image, perhaps puts a credit in, and a link back to your site.

    This way, you can block most people from stealing your bandwidth by embedding your images in their pages, but not prevent less-harmful linking.

  • by wizzy403 ( 303479 ) * on Tuesday February 08, 2005 @11:48AM (#11607252)
    I used to be the webmaster for a fairly popular (in our particular niche) website with an online store. I got pissed off when I started seeing people putting things up on eBay with IMG tags pointing at our server. So I did what many of you have suggested, set up a mod_rewrite rule that if the referrer was not blank and not our site, it substituted a "Copyright Violation" JPG file (The bosses probably wouldn't approve of Tubgirl or the Goatse guy). I had to discontinue this within a week because a fairly popular BSD router software (can't remember which one, sorry) used to include the IP address of the router in the REFERRER field, and so quite a number of legitimate viewers were getting "Copyright Violation" images in place of ALL the pictures on our site. And the worst thing was, it used the PUBLIC IP in the REFERRER field instead of the private NAT address, so I couldn't even add an exception for NAT space to fix it... After spending another two weeks looking around, I just started banning sites one at a time (eBay...) from being in the REFERRER field and keeping an eye on my logs. PITA, I know...

    That was a few years ago, perhaps this is a non-issue now. But keep in mind that people running braindead routers or webcaches might inadvertently trigger your rule and get pissed. If you're just a hobby site, no big deal, I guess. But if you're making money off the site (online stores and the like) you risk losing business over it.
  • by Chuq ( 8564 ) on Wednesday February 09, 2005 @01:51AM (#11615966) Journal
    You could always do what Rob at Cockeyed.com [cockeyed.com] did [cockeyed.com] :)