[epiclearning.com...]
("Purplemath" is my site.)
So they are working on getting around this limitation by changing the links from referrers to Javascript pop-up boxes, as you can see on this page:
[epiclearning.com...]
I've gotten no response from the WhoIs contact, which was why I resorted to banning by referrer in the first place.
Is there any way to prevent these pop-ups? I don't want to ban new windows in general; sites are welcome to link to me, for free, for supplemental use, and have my site open in a new window. But I would like to stop these EpicLearning guys.
Thank you.
Eliz.
Using the second link provided, I end up at a page on the original content site, at least that's what my address bar claims.
I don't know the solution, just adding my experiences this morning. If it matters, XP sans SP2.
topr_8: I haven't added a line such as you suggest because I haven't wanted the pages to look too cluttered. Besides, most people who steal my stuff (and it's about one a week that we catch) do some sort of copy-n-paste, and delete all (or at least most) of the copyright information. So they'd delete your suggested header, anyway.
longhaired_genius: Part of the problem here is that the visitors aren't "my" visitors; they're somebody else's customers. I have been able to kick other people's customers to my front page (when my lessons are framed) or to a 403 error (when they're found to be linking directly and have been banned). But these Javascript boxes are a new thing, and I'm looking for a method of blocking this, if possible.
Thank you.
Eliz.
If the browser does not carry the referrer information with it, there's nothing you can do...
Except, you can test for the window name ("rec"), the window width ("750"), and the window height ("600") - if all three match (or just the name, if you're lazy) you can display a little message to your visitors using javascript.
Put this somewhere inside your <body> tags:
----------------------
<script type="text/javascript">
var myString = "This page is absolutely free<br>Really.<br>It is. Totally so";
if (window.name == "rec") {
document.write(myString);
}
</script>
----------------------
You could also display an alertbox if you prefer that. It's as simple as this:
----------------------
<script type="text/javascript">
var myString = "This page is absolutely free\n\nReally.\n\nIt is. Totally so";
if (window.name == "rec") {
alert(myString);
}
</script>
----------------------
---
nice site, btw
[edited by: claus at 5:31 pm (utc) on Dec. 26, 2004]
claus: I hadn't even put the browser thing together. Usually when I'm cruising my server stats, I'm in IE, and in IE the pop-up opened with my lesson displaying. When I recently checked their pop-up from the link in this thread, I was in Mozilla, which led to the 403 page.
Thank you for the Javascript suggestion. I'll see about giving that a try.
Eliz.
...Plus, the referring site appears in my server logs, so there must be some detection...
and
I banned by referrer by using my .htaccess file.
Are you saying that you have banned access if "epiclearning.com" is the referer, but you still get hits that have "epiclearning.com" as the referer? If that is the case, then perhaps your entry in .htaccess needs some work. Again, I'm not familiar with Apache at all, so maybe some Apache guru can jump in here.
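In the meantime, try putting this bit of code in the top of one of your pages:
<?php
// The Referer header may be absent, so default to an empty string
$Referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : "";
$BadGuy = "epiclearning";
// strpos() returns false when there is no match, so compare against false explicitly
$Jerk = strpos($Referer, $BadGuy);
if ($Jerk !== false) {
    header("Location: http://www.disney.com/");
    exit();
}
?>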
And make sure the page is parsed by your PHP engine. That may mean changing the page extension to .php or modifying .htaccess so php parses your .htm files. I can't tell you how to modify the .htaccess file though because I don't know what needs to be done.
<added after seeing claus' message>
You might also try banning if there is no referer. This would also catch someone who has the page bookmarked directly, but even someone clicking a link from within your own site sends a referer. Just a thought.
</added>
[edited by: Lance at 5:54 pm (utc) on Dec. 26, 2004]
One security measure we already have in place for our site is a link to a non-existent page, which link is accessed only by site-snaggers. When the snagger tries to follow the link, it is redirected (by .htaccess) to a script which then bans the user by IP address.
Instead of popping up an alert box, I have redirected the "rec" javascript pop-up window to that non-existent page, thereby banning the user by IP address. And it is the customer that gets banned; I checked by just getting myself banned by IP. (So don't try clicking on their "Start Lesson" button, or you won't be able to access my site. Or, if you do get yourself banned, post your IP here and I'll unblock you.)
Lance: I share your confusion regarding the logs. If the referrer information isn't passed, then how is it landing in my logs? And if the referrer information is passed, then why isn't the .htaccess ban working? This may be another manifestation of that IE-versus-sensible-browser thing, which is why the ban works in Mozilla (and the calls show up in the logs) but not in IE.
Thanks to all. Now I have a script snippet to add to some more pages....
Eliz.
I'm just brainstorming here but I think cryptography is the only solution that can't be circumvented easily. If you want to ensure that your internal pages can only be accessed from within your site I suggest this dynamic html (CGI, SSI, PHP, ASP, JSP, etc.) solution:
1) Use a server-side secret key to generate a signature of the user agent IP and embed it into urls that point to the protected internal page.
2) When receiving a request for the protected page, extract the signature from the request URL and use the public key to verify it against the request's user agent IP. If the signature is valid, serve the request. If it isn't, do a 404, 301 or whatever seems appropriate.
This solution only protects against hotlinking. It will not prevent the fraudster from copying your content and serving it on a separate server. It will also cause trouble with search engine spiders. Depending on the spider's IP, the spider sees different URLs for the same page which can lead to all sorts of problems (pages not spidered, dup content penalty, no PR, sandbox trigger). If the protected pages need to be indexed by SEs, you will need to do some sort of cloaking.
Again, I think your solution is a quick fix to the poster's problem. It may even put off the fraudster for ever. My solution might be more long term.
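The signed-link scheme in steps 1) and 2) above, as an added example that is not part of the original thread. It assumes a Node.js server, swaps the signature for an HMAC under one server-side secret (so no public key is involved), and adds an expiry time that the post does not mention; `SECRET`, `signUrl` and `verifyUrl` are hypothetical names, and the path and IP addresses used with it are constructed.

```javascript
// Added example (Node.js): internal links signed with an HMAC bound to the visitor's IP.
const crypto = require("crypto");

// Assumption: a real deployment loads a fixed key from server-side configuration;
// a random key is generated here only so the example runs on its own.
const SECRET = crypto.randomBytes(32);

// MAC over the path, the client IP and the expiry timestamp (seconds).
function tag(path, ip, expires) {
  return crypto
    .createHmac("sha256", SECRET)
    .update(`${path}\n${ip}\n${expires}`)
    .digest("hex");
}

// Step 1: when rendering a link to a protected page, embed expiry and signature.
function signUrl(path, ip, ttlSeconds, now = Date.now()) {
  const expires = Math.floor(now / 1000) + ttlSeconds;
  return `${path}?exp=${expires}&sig=${tag(path, ip, expires)}`;
}

// Step 2: on each request, recompute the MAC from the request's own IP and compare.
function verifyUrl(url, ip, now = Date.now()) {
  const u = new URL(url, "http://placeholder.invalid"); // base is only needed for parsing
  const expires = Number(u.searchParams.get("exp"));
  const sig = u.searchParams.get("sig") || "";
  // Missing, malformed or expired timestamps are rejected before any MAC work.
  if (!Number.isInteger(expires) || expires < Math.floor(now / 1000)) return false;
  const expected = Buffer.from(tag(u.pathname, ip, expires), "hex");
  const given = Buffer.from(sig, "hex"); // invalid hex yields a shorter buffer
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}
```

A link copied onto another site fails verification for every visitor whose IP differs from the one it was issued to, which is also why crawlers and users behind rotating proxies see the problems described in the post.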
There are many ways to "secure" a site, such as requiring registration before use. However, I would like to try to avoid such remedies, if at all possible. So far, DMCA filings and .htaccess bans have been quite successful. These Javascript boxes were the only remaining problem. Yes, they can change the name of their boxes, but since they're using a template for their lessons, I would suspect they would change all the boxes to the same new name. Then I'll tweak my script.
Again, thanks to all for the help.
Eliz.
These two link types will not carry the referrer with them in IE:
<a href="#" onclick="javascript:window.open('page.htm')">popup</a>
<a href="javascript:window.open('page.htm')">popup2</a>
>> Otherwise, referer is not alterable, right?
I've had no success with this script snippet, neither in IE6 nor in FF 1:
document.referrer = "duh";
<?php
// set the url to compare referrer to
$yoursite = "http://YOUR URL HERE";
// redirect user to yoursite?
$redirect = "yes";
// display message if redirect fails or is not chosen
$yourmessage = "You are not authorized to use my content!";
// get http referer (the header may be absent, so default to an empty string)
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : "";
// is it a offsite, masked, or blank referrer?
if (substr($referer, 0, strlen($yoursite)) != $yoursite || $referer == "" || substr($referer, 0, 4) == "XXXX") {
    // redirect or kill; header() returns nothing, so test headers_sent() instead of "or die"
    if ($redirect == "yes" && !headers_sent()) {
        header("Location: $yoursite");
        exit();
    } else {
        die($yourmessage);
    }
}
?>
This code would be inserted before the opening html tag. You can save your pages as php files even if they contain plain html.
<?php
// set the url to compare referrer to. omit www.
$yoursite = "http://YOUR URL HERE";
// redirect user to yoursite?
$redirect = "yes";
// display message if redirect fails or is not chosen
$yourmessage = "You are not authorized to use my content!";
// get http referer (the header may be absent, so default to an empty string)
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : "";
// remove www from referer
$referer = str_replace("www.", "", $referer);
// is it offsite, masked, blank, or bookmark referrer?
$offsite = substr($referer, 0, strlen($yoursite)) != $yoursite || $referer == "" || substr($referer, 0, 4) == "XXXX";
// eregi() was removed in PHP 7; preg_match() with the i flag is the equivalent test
$bookmark = preg_match('/^bookmark/i', $referer);
// redirect or kill if no yoursite exists and not bookmark
// (the bookmark test is combined with && so that on-site referrers are not blocked)
if ($offsite && !$bookmark) {
    if ($redirect == "yes" && !headers_sent()) {
        header("Location: $yoursite");
        exit();
    } else {
        die($yourmessage);
    }
}
?>
Of course this will only work if your server is PHP capable. I'm sure there is javascript to serve this same function, but if the client disables javascript, your code is wasted. The hijacker can possibly circumnavigate your javascript, but probably not your php.