Hello everyone,

I've found several websites, where it appears that they are stealing our
content, including graphics, content, etc. They are not hosting this info on
their own site, but rather pulling them from our website and draining our
bandwidth.

Is there a way in IIS (or should it be done via ASP code?) that I could
limit the domains that could pull that info? (only the ones that pay us), so
in case www.xyz123abc789.com is trying to profit from our images (and
instead of downloading them to their server they link to our server) instead
of the images it appears a message (text or image) saying "you can display
these images, blablabla..."

FYI, we're running on Win2003

Thanks for your prompt response
SB-R

Hello,

This is commonly known as "hot linking". ISAPI filters can prevent hot
linking by checking the referer (this is the most common way to prevent
this). Both free and commercial ISAPI filters for this purpose exists:

http://www.michaelbrumm.com/leechblocker.html
http://www.isapirewrite.com/

Others may also exists if you do a search on google.com.

Just be careful of what you block. If you block .htm files by checking the
referer, everyone coming from another website will be unable to visit your
website (because the referer is the other website).

Since HTTP is a stateless protocol there is no fail-safe solution to the
problem. Each request is new to the webserver, and the webserver cannot
really know if the client is "browsing" your website (webserver) or
another website (webserver). All the webserver knows is that there was a
request sent to the webserver.

Show quoteHide quote

You need a third party ISAPI filter for that.

You can do it in ASP too.

I found this one:
http://www.irritatedvowel.com/Programming/DeepLinkingHttpModule.aspx

With a simple search of Google.

Show quoteHide quote

On Thu, 9 Mar 2006 15:59:30 -0500, "segis bata"
<segisb***@hotmail.com> wrote:

Show quoteHide quoteHave you considered 'branding' the images?

Some have actually put new images in their own sites, then altered the
ones being hijacked to be insulting or unfriendly (I've seen ebay
sellers who have taken other sellers pictures, only to find that the
image in their listing says: "We are crooks and steal things". The
seller, if there are bids, cannot remove the image and gets a lot of
bad press.

As Kristofer mentions, the most primitive way to combat hotlinking is
an ISAPI filter on the referer field.  However, while this may make a
palpable dent in the reuse of your images for malicious purposes
(depending on the skill of may abusers, who can get around the filter
if they are dedicated), it may also make a dent in the number of legit
users who can view the images, since the referer field simply is not
always present.  If you tightly control the browser versions and
proxies of _all_ of your legit users -- basically, if they're your
employees -- you could get away with the referer filter alone.  But I
do think it's a can of worms for a public website.

However, there are more robust solutions available.  One that I've
used is streaming image files on-the-fly with random names.  This
means that you are actually assembling the response stream in  ASP (I
actually did this in PHP, but the same concepts apply) before sending
it back to the client, rather than letting IIS stream the pix directly
from your disk.  Your ASP reads the file from disk and sends back an
image/jpeg stream, for example; the IMG links are to .ASP files.  In
this way, you can generate new file names each time using an internal
algorithm that outsiders will never see.  Even better, some people
suggest rotating the same random file names across your links, to make
outside hotlinkers look like fools by having the IMG links load, but
load different content than they were expecting.  Or you can have
outdated filenames all bring up the same "Stop hotlinking" image.

However, bear in mind that a technique like this is sure to slow down
image delivery, since the code has to be run through the preprocessor
and can't compete, as far as I saw in testing, with IIS just grabbing
the file straight off disk.  Because of the overhead, you may want to
use an image cache and let each image be hotlinked for even a full day
before expiring it.  Depends on your traffic patterns.

--Sandy

problem: SSL certificate associated with website in IIS changes upon reboot
Install SSL on Default Website Affects Other websites???
Application Pool timouts.
IIS6 and Integrated Security problem
Remember My Password checkbox
IIS6 on Win 2003 server ISAPI loadLibrary security problem
Outlook web access
IIS suddenly wants login?
no client-answer on challenge-msg (type2)
About SSL security and IIS 6.0