John Bokma MexIT

Anti-leech using .htaccess

Tuesday, January 11, 2005 | 2 comments

If you run your own site and have some pictures on it, you have probably encountered so-called leechers: people who link from their site to your images (remote loading), and hence use your bandwidth while returning nothing. Some even copy your content as well to go with the photos...

I regularly check the access log that the Apache web server creates for leech attempts, using a program written in Perl. Often my MSN Messenger display pictures are leeched, and most of the time by people having a website with freewebs.com. Luckily freewebs has a very strict policy: if they receive a complaint about leeching, the offending site is removed.

But sometimes complaining doesn't help; moreover, the owner of the hosting service is quite unwilling to take any action.

Quite some time ago I emailed boards2go.com about one of their members leeching. The reply I got back stated that it was not their problem and that I had to contact the member. I couldn't find any contact details. Moreover I prefer not to email people at random since most people are not that careful with their computer systems and my address might end up being abused by spammers, trojans, viruses, etc. So at that time I decided to just move the image to a different directory.

But after months of entries in my access log file stating that the image could not be found, I emailed boards2go.com again. Mia, of the boards2go staff, gave the same advice: contact the board admin. I couldn't find any contact information, so I decided to create an image with the same name but "just" over 4000 pixels in height. I was hoping the board owner would get the message.

Disabling right mouse clicks?

After a few days, nothing happened. So I emailed boards2go again. I warned them that if the leeching was not stopped I would put an image up that violates their terms of service (TOS). This was the reply I got:

I suggest you contact the owner of the message board and
request they remove the link to your image. You can also
set up a no right click so they cannot copy the url to the
image or you can set alternate text that only gives the
name of the image and not the file pathway.

There are many sites that do allow leeching of their images
and B2G is not responsible for verifying that images are
being leeched with permission of the owner.  As for making
sure the board violates TOS, I would not suggest you do so
as we are already aware that the board owner will not be
responsible for what you are doing.

Mia
Boards2Go Staff

I can recommend Mia to read the following two articles which explain what's wrong with her suggestions:

Those "tricks" don't stop people from remote loading. Moreover, they are a nuisance to normal visitors, so I don't use them, and I recommend others not to use them either. They are too easy to circumvent.

mod_rewrite and .htaccess to the rescue

A way to prevent leeching is to check the referer [sic] of a request. Most browsers send a referer with the request for an image. If the image is on a page this referer can be the address (URL) of the page. Note the "can be", since some browsers (often in combination with firewalling software) hide the referer. Also some people hard code the referer as a way of protecting their privacy.

Most anti-leech solutions take action when the referer does not equal the page that has the image on it. This might be wrong, as explained above. A better test is to check whether the referer is equal to the page of the leecher. However, this approach takes more work: the site owner has to keep adding new rules for each new leecher.

After reading her email, I decided to use the clue bat, so I added the following two lines to my .htaccess. The actual URL I redirected to has been removed (no, it was not leading to a goatse photo).

RewriteCond %{HTTP_REFERER} user=quittingaway
RewriteRule ^miscellaneous/thesadhorse\.jpg$ http://... [R=301,L]

The first line checks if the HTTP_REFERER contains the string user=quittingaway. I considered this string specific enough for this leecher. The more specific this regular expression the better. The second line redirects (R=301 means permanent redirect) requests for the thesadhorse.jpg photo to another web address. Note that I escaped the . in front of jpg since a . means any character in a regular expression. The L between the square brackets means this is the last rewrite rule.

Instead of redirecting to a different image you might prefer to replace the second line with:

RewriteRule ^miscellaneous/thesadhorse\.jpg$ - [F]

The F flag makes the Apache HTTP server immediately send back an HTTP response of 403 (FORBIDDEN) as a reply to the request.
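The log check and the per-leecher rules described above can be combined. The following Python script is an added example, not the author's Perl program, and it generalizes from one photo to any image: it scans Apache combined-format log lines for images requested from foreign pages, ignores hidden referers, and emits one targeted rule pair per leeching page. The host names in OWN_HOSTS, the min_hits threshold, the sample log lines, and a .htaccess located in the document root are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

OWN_HOSTS = {"www.example.org", "example.org"}  # assumption: your own host names
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")
# Request line, status, size and referer of Apache's "combined" log format.
LOG_RE = re.compile(r'"(?:GET|HEAD) (?P<path>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"')

def find_leechers(lines):
    """Count (referring page, image path) pairs for images loaded from foreign pages."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path, referer = m["path"].split("?", 1)[0], m["referer"]
        if not path.lower().endswith(IMAGE_EXT) or referer in ("", "-"):
            continue  # not an image, or the referer is hidden (which proves nothing)
        try:
            host = (urlsplit(referer).hostname or "").lower()
        except ValueError:
            continue  # malformed or hard-coded referer that is not a URL
        if host and host not in OWN_HOSTS and " " not in referer:
            hits[(referer, path)] += 1
    return hits

def htaccess_rules(hits, min_hits=3):
    """One RewriteCond/RewriteRule pair per leeching page seen at least min_hits times."""
    rules = []
    for (referer, path), count in sorted(hits.items()):
        if count >= min_hits:
            rules.append("RewriteCond %{HTTP_REFERER} ^" + re.escape(referer) + "$")
            # assumption: .htaccess in the document root, so no leading slash
            rules.append("RewriteRule ^" + re.escape(path.lstrip("/")) + "$ - [F]")
    return rules

def sample_line(ip, path, referer):  # builds one constructed log line
    return ('%s - - [11/Jan/2005:10:00:00 +0000] "GET %s HTTP/1.1" 200 4821 "%s" "Mozilla/4.0"'
            % (ip, path, referer))

IMG = "/miscellaneous/thesadhorse.jpg"
BOARD = "http://boards.example.net/board.cgi?user=someboard"  # constructed leecher page
SAMPLE_LOG = (  # constructed sample data, not real log entries
    [sample_line("192.0.2.%d" % i, IMG, BOARD) for i in range(3)]
    + [sample_line("198.51.100.7", IMG, "http://www.example.org/gallery.html"),  # own page
       sample_line("198.51.100.8", IMG, "-"),                                    # hidden referer
       sample_line("203.0.113.9", IMG, "http://blog.example.com/post1"),         # seen only once
       sample_line("203.0.113.9", "/index.html", "http://blog.example.com/post1")])  # no image

if __name__ == "__main__":
    print("\n".join(htaccess_rules(find_leechers(SAMPLE_LOG))))
```

Review each emitted pair before pasting it into .htaccess; an exact-match condition on the whole referring URL is the most specific test, and it can be loosened by hand to a substring as in the rule above.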
