How can I block framing proxy sites

ones that modify my code to be specific

twist

11:01 pm on Feb 27, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Some background threads which don't seem to have a solution,
[webmasterworld.com...]
[webmasterworld.com...]

Ok, I know this is old news but I just learned about it today. These proxy sites that allow you to surf anonymously not only frame your page but modify the code on your page. They modify your framebusting scripts also, making them useless. I was able to use these sites to look at Google and even this site with no problem. All must not be hopeless though; I tried viewing different proxy sites with the other proxy sites and, what do you know, they redirect to Google.

If they have figured out a way to stop other proxy sites from framing themselves, there must be a way to stop them from framing and modifying my pages. I mean a way beyond simply banning IP addresses.

This really bugs me; it would be nothing for one of these websites to simply modify your advertiser's code. I haven't found one that does it yet, but I imagine they must exist.

twist

2:06 am on Feb 28, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I was hoping for a server-side solution, but since I started this thread I'll go ahead and give my temporary JavaScript solution, which seems to be working.

I changed just my homepage link to this,

<script type="text/javascript">
document.write('<a hr'+'ef="http://example.com/">Home<\/a>');
</script>

The hijacking website doesn't see the "href" and so doesn't modify it. I figure a link to "http://example.com/" not being spidered isn't a big deal either. So if anyone comes across my website in a frame and uses the home link, it will break the frame. Downside is, if someone has JavaScript disabled, my home page link disappears.

Key_Master

2:12 am on Feb 28, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Google "proxy buster javascript".

twist

5:55 am on Feb 28, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Wow, thanks, never would have thought of typing in proxy buster.

Looked at one solution, not sure I want to block Google but hopefully I can figure out a way to just deter the framers.

extras

4:33 pm on Feb 28, 2006 (gmt 0)

10+ Year Member



If you want to block someone by using SetEnvIf or RewriteRule, you need to know the IP (or IP range) and/or USER_AGENT, or any HTTP request header parts that you can use to distinguish them from normal access.

So, the first step is to study access.log, and even set up a CGI to log the entire header.

Possibly, simple IP based blocking will do.

twist

7:40 pm on Feb 28, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The problem with IP blocking is it would be a constant, never-ending battle. I was hoping there might be a way to detect redirects. I assume this is how they are hijacking the page. Anyway, I came up with a JavaScript solution,

<body onload="if(location.href.substring(7,location.href.lastIndexOf('.'))!= 'example') top.location.replace('http://example.com/');">

I started a thread at the JavaScript forums, so if anybody wants to help or knows of a better script, here's the link,

[webmasterworld.com...]

extras

11:57 pm on Feb 28, 2006 (gmt 0)

10+ Year Member



I recently wrote a simple script to check access.log periodically (by cron) and do whatever you want (like detecting a certain access pattern and prohibiting the IP dynamically).

I wrote it as a shell script (as it's small and fast), but we can easily write something similar in Perl/Python/PHP/whatever, too.

But again, you've got to know their detectable access pattern (or that of anyone you don't want).

That's why I said the first thing you should do is study the access.log.

Note:

If your site is dynamically served by scripts, detection code can be placed in them.
It's easy to detect excessive/aggressive accesses.

jdMorgan

12:21 am on Mar 1, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> setup a cgi to log entire header.

This would be useful to determine, for example, if the %{HTTP_X_FORWARDED_FOR}, %{HTTP_VIA}, or %{CLIENT_IP} headers are present -- a good sign that the request is via proxy. If so, then the %{REMOTE_ADDR} can be blocked, unless it's AOL or some other well-known ISP that uses proxy servers in their networks.

Jim
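
The log check extras describes, combined with the header test jdMorgan suggests, as an added example that is not code from any poster in this thread. It assumes a custom Apache LogFormat that records the three request headers, and it uses a constructed allowlist and constructed sample log lines.

```python
import ipaddress
import re
from collections import Counter

# Assumed custom Apache LogFormat (an assumption, not from the thread):
#   LogFormat "%h %t \"%r\" \"%{X-Forwarded-For}i\" \"%{Via}i\" \"%{Client-IP}i\"" proxycheck
# Apache writes "-" for an absent header and backslash-escapes quotes in values.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(r'^(\S+) \[[^\]]+\] ' + " ".join([QUOTED] * 4) + r'$')

# Constructed allowlist standing in for ISPs that proxy their own customers.
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample log (documentation address ranges only).
SAMPLE_LOG = """\
203.0.113.7 [28/Feb/2006:23:01:10 +0000] "GET / HTTP/1.1" "-" "-" "-"
192.0.2.44 [28/Feb/2006:23:01:12 +0000] "GET / HTTP/1.0" "10.1.1.5" "1.1 cache1 (squid)" "-"
192.0.2.44 [28/Feb/2006:23:01:15 +0000] "GET /a.html HTTP/1.0" "10.1.1.5" "1.1 cache1 (squid)" "-"
198.51.100.9 [28/Feb/2006:23:02:00 +0000] "GET / HTTP/1.1" "172.16.0.3" "1.0 isp-proxy" "-"
192.0.2.80 [28/Feb/2006:23:03:30 +0000] "GET / HTTP/1.1" "-" "-" "10.9.9.9"
not a log line
"""

def find_proxy_addrs(log_text, min_hits=1):
    """Count requests per REMOTE_ADDR that carried any proxy header."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or differently formatted line
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # %h is a hostname when HostnameLookups is on
        has_proxy_header = any(v not in ("", "-") for v in m.group(3, 4, 5))
        allowlisted = any(addr in net for net in ALLOWLIST)
        if has_proxy_header and not allowlisted:
            hits[str(addr)] += 1
    return {a: n for a, n in hits.items() if n >= min_hits}

def deny_lines(addrs):
    """Render candidates as Apache 2.0/2.2 'Deny from' lines for review."""
    return [f"Deny from {a}" for a in sorted(addrs)]

if __name__ == "__main__":
    candidates = find_proxy_addrs(SAMPLE_LOG)
    for addr, count in sorted(candidates.items()):
        print(addr, count)
    print("\n".join(deny_lines(candidates)))
```

Raising `min_hits` keeps a single stray request from producing a deny line; the output is meant to be reviewed before it goes into the server configuration.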