Stopping hotlinking

Forum Moderators: phranque

Message Too Old, No Replies

Stopping hotlinking

Images in subfolder

Reno

6:55 pm on Mar 1, 2006 (gmt 0)

I just found out from our server admin that people at MySpace are hotlinking to our photos, driving our bandwidth way up.

All the photos in question are in a subfolder, so a typical image pathway would be:

mydomainname.com/images/imagename1.jpg

I was looking into using htaccess to stop this, and found the coding below.

My first question: Is that the correct coding when the .jpg images are in a subfolder, or, would that particular format only be used for top level images?

Second question: Would that htaccess file be placed within that "images" subfolder?

Thanks for any advice...

--------------------------------------

RewriteEngine On
RewriteCond %{HTTP_REFERER}!^http://(www\.)?mydomainname\.com/ [NC
RewriteCond %{HTTP_REFERER}!^$
RewriteRule \.(jpeg¦jpg)$ ../images/nohotlink.gif [L]

--------------------------------------

ps. If this is not correct, any suggestions would be appreciated!

.........................................

Pfui

11:31 pm on Mar 1, 2006 (gmt 0)

I'll demur on the mod_rewrite info because in this forum, I'm usually asking more questions than answering them, sorry!

However, having just gone through discovering* and dealing with two separate MySpace blog-based hijackers -- one swiped two entire pages of content, hotlinked code and all; one swiped another full page of content+code -- you might also consider simultaneously asserting your copyrights and stopping the theft of your bandwidth by serving a "Digital Millennium Copyright Act" (DMCA) notice to MySpace.

Here's the URL I used, courtesy of their FAQ [viewmorepics.myspace.com] (one of the "TOP 6 QUESTIONS"), to report a copyright violation [viewmorepics.myspace.com].

It took MySpace about a month to act on the DMCA, during which time I re-submitted the notices via the Web (after two weeks), and also e-mailed them to their legal department's e-address (found via G). I never received any official 'progress' notice of any kind, but I kept checking the blogs and in time our stuff was gone from both. YAY!

Alas, the worst offender simply packed up our content+code and posted it on their Yahoo blog, on the EXACT SAME DAY MySpace shuttered 'em. I actually watched the move happen via the "hijacked.gif" process (below) and so was able to serve a DMCA to Yahoo within 24 hours. We shall see...

Anyway, look into filing a DMCA.

Good luck!

.
*I serve up a slim (130x20) image weighing in at all of 2k, with just our domain name on it. Titled "hijacked.gif," I can easily track all culprits in our logs, plus we get 'free' advertising because our domain name now shows up instead of a blank or broken graphic. I used to block hotlinks outright but tracking was more difficult. Then I tried a single pixel gif, then a red X, and then finally decided to use OUR bandwidth to OUR advantage:)

jdMorgan

1:28 am on Mar 2, 2006 (gmt 0)

For use in top-level directory .htaccess:


RewriteEngine on
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomainname\.com [NC]
RewriteRule ^images/[^.]+\.jpe?g$ /images/nohotlink.gif [L]

For use in /images subdirectory:


RewriteEngine on
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomainname\.com [NC]
RewriteRule \.jpe?g$ /images/nohotlink.gif [L]

Be sure to flush your browser cache after changing your access-control code, and also after any successful load of the requested image (for example, for an authorized request from a page on your own site). If the image is stored in your browser cache, you will get invalid test results, since your browser won't send the image request to your server, therefore preventing your code from doing anything about the request.

Jim

Reno

7:02 pm on Mar 2, 2006 (gmt 0)

Thank you Jim and Pfui for your advice and feedback -- it is much appreciated. Several hours after writing my post here I was informed by my hosting tech support that they had credited my account for the bandwidth overcharge and had installed the .htaccess to stop this thievery. So hopefully for now, that particular problem is solved.

However I also have other websites at other ISP's, so if the bandwidth leechers hit me there, then thanks to your help I will be able to apply the necessary .htaccess to stop them.

2 brief followup questions...

[1] Do most servers at this point include mod_rewrite in their Perl installations?

[2] Is there any danger that some firewalls will not display an image due to this sort of .htaccess? (I read at another posting in this forum that one must be cautious because there are problems with the way the Norton Firewall functions).

Thanks again.....

....................................

jdMorgan

7:26 pm on Mar 2, 2006 (gmt 0)

> [1] Do most servers at this point include mod_rewrite in their Perl installations?

I assume you mean "with their Apache insatllations" here. The answer is that the better/more expensive your hosting plan is, the more likely it is that they support mod_rewrite. The free hosting services don't and the $3.95 per month hosts don't. In many cases, the only way to find out is to phone them up and ask. Or you can simply put a small 'test' file on your server and try it.

> [2] Is there any danger that some firewalls will not display an image due to this sort of .htaccess? (I read at another posting in this forum that one must be cautious because there are problems with the way the Norton Firewall functions).

Since the code I posted allows for blank referrers, this is not a problem. Rather, the problem is that a few hotlink requests will get through. This is a trade-off that must be made with simple referrer-based access control. See this recent thread [webmasterworld.com] for more info.

Jim

Reno

7:44 pm on Mar 2, 2006 (gmt 0)

Thanks again Jim for generously sharing your expertise with those of us who have only barely entered into "Apache Territory"!