Slashdot Mirror


Dealing with Deep-Linking to Your Online Photos?

Pig Hogger asks: "I've had my own hobby website since 1993, and over the years it has expanded to be quite a reference for the domain I am covering (some pro websites list it as additional reference, and so does Wikipedia. Google page-ranks it amongst the top). Every so often, I peruse the logs, most especially looking at the referrers to see where people come from, and once in a while, I notice that some webloggers deep-link to an image on my site. I do not mind too much when it's on-topic, but when it's not *AND* it's sucking-up bandwidth, I tend to be irked. Or worse, when you can't go look at the referring page without registering on the weblog site. In those cases, I change the picture filename (and the corresponding webpage that calls it), and I substitute a smaller (and most often, naughty) picture. What other tricks do those of you who are facing the same problem have to address this problem?"


  1. Use a CGI script to block them. by MooseGuy529 · · Score: 3, Informative

    What most websites do is use a CGI script that blocks by Referer and/or IP Address (so like allow any request with your site as a referer, or any IP that has requested another page within the past ~5 minutes, in case people hide referers with crappy paranoid firewalls). You could make it generate a list of pages for you to easily review and allow or block.

    --

    Tired of free iPod sigs? Subscribe to my blacklist

    1. Re:Use a CGI script to block them. by miu · · Score: 2
      This technique is actually so common that wget has an option to get around it. If external links directly to your images, downloads, or mail sending scripts really are a problem for you, I'd think that 'unlock this resource for this ip when ip requests this page' methods are slightly more effective, although a dynamic system that changes the referring page and the target on a periodic basis or per session (automate what the question submitter mentioned as his method) could be better.

      HTTP headers are so incredibly easy to fake that methods that depend on them are probably a bad idea.

      --

      [Set Cain on fire and steal his lute.]
    2. Re:Use a CGI script to block them. by pv2b · · Score: 2, Insightful

      So you can tell wget to lie to the web server when raiding your favorite web page for images.

      That's not what the person asking the question asked for. He wants to stop sites from deep-linking his jpegs, not protect his nuclear launch code CGI to be used only from his own home page.

      A simple filter which would require the referer to be on his web site would pretty much stop his problems anyway. The people deep-linking to his web site write their web pages for browsers with <img src> tags, and as far as I know, you can't in HTML tell the web browser to fake a referer header. Then again, I'm not a HTML-head...

      And it's not really practical to tell your user to use wget to download your web site either. :-) At that rate, it's probably easier to mirror the image. Problem solved.

    3. Re:Use a CGI script to block them. by JimDabell · · Score: 2, Insightful

      My point is not that wget can get around 'referer' header filters, but that the technique itself is a very weak protection.

      No, it's very strong protection. You seem to think that this is some sort of anti-copying measure. It's a way of protecting server resources. Nobody's going to bother deep linking when 99% of their visitors are going to get broken images. They'll just copy it to their own server instead.

      I bet it is only a matter of time before web board software comes up with a script for all signature images. The signature img tag is rewritten from www.whatever.tld/myimage.jpg to www.board.tld/img-sig.cgi?www.whatever.tld and a request that fakes up a referer header to make the request look like an internal link from www.whatever.tld sent instead by way of the cgi.

      Why on earth would somebody do that instead of simply copying the image to their server?

    4. Re:Use a CGI script to block them. by raju1kabir · · Score: 2, Funny
      Because cookies aren't accepted by all browsers, and are blocked by every paranoid lunatic on the internet.

      That's why I gratuitously make sure my site requires cookies.

      There's no virtue in lunatic paranoia if it doesn't come at a cost, and I'm here to levy that cost.

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
  2. Get over it. by LittleBigLui · · Score: 2, Insightful

    "Deep linking" is what makes the web the web.

    --
    Free as in mason.
    1. Re:Get over it. by Anonymous Coward · · Score: 2, Insightful

      Show us where it says "Must allow deep linking no matter the cost in bandwidth" in the Internet Constitution.

    2. Re:Get over it. by Daniel+Dvorkin · · Score: 4, Insightful

      What makes the Web the Web is hyperlinking, period. Using an image at another site on your own page isn't the same thing.

      I kinda sorta halfway agree with you about "deep linking" in its original sense: if there's a really good page at http://www.bigco.com/foo/bar/spam/eggs/x/y/z.html, and you want to have a link on your page that says "Click here to read this really good page," it's really dumb for BigCo Inc.(R)(c)(tm) to force you to link to the main page at bigco.com so people have to navigate through their site to get to the page in question. That kind of thing is a violation of the spirit of the Web, I agree. But neither BigCo nor (more often) some guy running a site out of his basement on a 256k DSL line is obligated to be your image hosting service.

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
    3. Re:Get over it. by digitalchinky · · Score: 2, Insightful

      That sounds a little like me port scanning your system without permission, finding a hole, busting in, then using your webserver for my own world domination plans - complete with 500 gigabytes of transfer per day.

      Nothing in any internet constitution to prevent me doing that. You left the door open. Not everyone lives in the US, not everyone has a legal system in place to deal with or care about exploiting overseas computer systems. (I live in Asia)

      Getting over it is not always an option for some. I'm certain you'd be pissed if I did that. Remember, your laws don't apply to what I do.

    4. Re:Get over it. by Lehk228 · · Score: 2, Insightful

      because embedding other people's images costs them money you dumbfuck, image hosts (except for shitty ones) usually cost money, and to avoid paying for hosting some jackasses decide to use other people's servers to take the hit for them.

      --
      Snowden and Manning are heroes.
  3. Solved problem by JimDabell · · Score: 3, Informative

    The typical solution to this is serving a complaint image to requests with the Referer header set to something starting with 'http' that don't correspond to your website. Five minutes on Google would have told you this (and provided ready-made recipes for Apache).

  4. Here's what I did by Sentry21 · · Score: 5, Funny

    I have a file called bestgif.gif on my website - simply put, the best gif ever. Then Mexicans started putting it in their sig on these huge forums, and my bandwidth went up near a few gigs a month (from almost nothing). So...

    RewriteCond %{HTTP_REFERER} ^http://pkpidgeot.com/.*$ [NC]
    RewriteRule .*bestgif\.gif$ http://sites.darien.ca/temp/.tubgirl.jpg [R,NC]

    I'm willing to bet their accounts got suspended when suddenly their sigs contained a large picture of a large woman spewing a fountain of shit into the air.

    My bandwidth usage drops off completely soon after I add a site to the list.

    1. Re:Here's what I did by Sentry21 · · Score: 2, Funny

      For reference, it's this gif that I have that gets linked to.

      I was thinking of linking my copy here and setting the rewrite rule to 'if the referer isn't slashdot, show tubgirl', but then people would copy/paste the links to their friends, who would get an unpleasant surprise.

      Either way, the link I provided above seems to be webspace on an ISP's server. I'm sure it can handle it.

    2. Re:Here's what I did by Morris+Thorpe · · Score: 2, Interesting

      The site that was deeplinking to you is a Pokemon site, which means it was a bunch of kids.

      Yep, you're a tough guy and a class act.

      And what the hell does the fact that they are Mexicans have to do with anything?

    3. Re:Here's what I did by Sentry21 · · Score: 2, Insightful

      Plus the whole referring them to tubgirl and other "shocker" stuff has always been, in my opinion, a little extreme.

      If I were a simple webhost client with a bandwidth limit, those links would most likely have put me over my limit. Fortunately, the server I have is colocated at a rather large colo, and we don't pay much for bandwidth, so it only really came down to a few dollars (basically it cost me a day's worth of my usual decadent lunch).

      Yeah, it's extreme, but putting an image on someone else's server into your sig on an absurdly popular message board is also extreme - but they don't realize it. I certainly can't e-mail them and say 'please don't use my image', and I shouldn't have to waste my time making a 'don't steal this image' image for one site. So, I just used what I had, managed to wget an image without having to look at it, and voila, problem solved.

  5. Switching images is far more fun by jgaynor · · Score: 4, Funny

    Blocking is easy enough nowadays, but switching images is far more fun. I had this image in my gallery, from when a bus at my university crashed into a dorm. Before a recent football game, a fan from Uconn found this image and used it in a 'we're gonna kick your ass'-type post on their athletics message board. So I saw this in my logs and removed/changed the image to this one. The post was then filled with 'wtf' comments and was pulled a day later :).

    1. Re:Switching images is far more fun by Mmm+coffee · · Score: 4, Funny

      I used image switching on a site I was working on, only my image was a bit more disruptive.

      Create a 1px x 1px transparent gif and open it in a hex editor. I forgot which bytes exactly to change, but if you change some of the 01's to FF in the first X bytes, you can create a 64kX64K pixel GIF file that weighs in at roughly 100 bytes. Use that as your switched image, and you will have lots of laughs as you see the hotlinker's sites 50 screens wide by god knows how many screens tall. It makes any site totally unreadable and costs almost zero bandwidth to boot. Works for me. ;)

    2. Re:Switching images is far more fun by I8TheWorm · · Score: 2, Informative

      IPalindromeI replied to a journal entry I made about this topic, and pointed out that it's 2 bytes per axis, which I should have realized given the values of 255 mentioned before. So it's bytes 7-10 that become FF. I tested it and it worked... the image is HUGE, but the filesize is 43 bytes.

      You're also right about being disruptive and non-offensive, and keeps your bandwidth usage pretty low.

      So do I have to pay you some royalties if I use this in the future?

      --
      Saying Android is a family of phones is akin to saying Linux is a family of PCs.
  6. Apache recipe by ccarr.com · · Score: 4, Informative

    I have a number of photo sites, most of which would be interesting only to friends and family, but a couple are of general interest. I don't mind LINKING (as in anchor tags) to my photos, but nobody does that. They EMBED (with img tags) my photos, thus sucking up my bandwidth to enhance their own pages.

    First, name your photos with a unique file extension. I use ".jpeg" for photos and ".jpg" for other incidental JPEG files on the site. Then, place this in the relevant area of your Apache config:

    ### BLOCK IMAGE EMBEDDING
    SetEnvIfNoCase Referer "^http://.*yourdomain\.com/" local_ref=1
    <FilesMatch "\.(jpeg)">
    Order Allow,Deny
    Allow from env=local_ref
    </FilesMatch>

    --
    I don't know half of you half as well as I should like, and I like less than half of you half as well as you deserve. BB
  7. Copying photos vs. deep-linking by JavaRob · · Score: 2, Insightful

    Preventing people from *copying* the images is a completely new challenge, and fortunately most people don't worry about that too much.

    Deep-linking is more dangerous than copying, because it can unexpectedly cause vast increases to your bandwidth if the image is redisplayed in a more popular location.

    Copying... well, it's annoying if someone else uses your photo on a site w/o crediting you, and especially annoying if they are selling prints or something like that, but neither one costs you money (remember, you were displaying it for free), and in both cases they are violating copyright, so you can complain to their host with some reasonable hope of action.

    If you're actually a good photographer and are *selling* those photos, then you need to look into ways to make them hard to copy. The obvious is only letting people preview a low-res or plainly watermarked version. You can use that annoying trick of catching the right-click event in JavaScript and popping a copyright reminder notice. You can display a transparent gif *over* the actual photo (defined in CSS instead of an image tag), like Google does for their photos of copyrighted book pages.

  8. Uh Oh! by Anonymous Coward · · Score: 2, Funny

    In those cases, I change the picture filename (and the corresponding webpage that calls it), and I substitute a smaller (and most often, naughty) picture. What other tricks do those of you who are facing the same problem have to address this problem?"

    Does this mean a goatse or tubgirl link will get you modded up "+1 Informative"?

    A sad day, indeed.

  9. Re:Solved problem (htaccess and geocities) by Jondaley · · Score: 4, Informative

    Here is my .htaccess for doing just this.

    I have gotten a number of emails from people who didn't appreciate my changing their image (or their background -- that was a good one, couldn't read the person's site at all)

    # Need additional rewrite for the directory without a slash, because otherwise
    # the (.*) matches the whole URL. There is probably a better way to do this
    # but this works
    RewriteRule html_gifs$ http://www.geocities.com/last_id_in_the_world/html_gifs/ [L,R=permanent]

    # People who don't get it...
    RewriteCond %{HTTP_REFERER} ^http://www.playahead.com/GroupInfo.aspx.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^http://www.xanga.com/private/home.aspx$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^http://www.kindertent.nl/template.php\?id=278628&tid=38$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^http://nuvoleinviaggio.blog.excite.it/$ [NC]
    RewriteRule ^(.*)$ http://www.geocities.com/last_id_in_the_world/html_gifs/funny_looking.gif [L,R=permanent]

    # People who don't get it. -- these people are especially annoying,
    # as apparently mozilla-- doesn't set the referrer when using style sheets...
    #RewriteCond %{HTTP_REFERER} ^$ [OR]
    # RewriteCond %{HTTP_REFERER} ^http://www.xanga.com/home.aspx\?user=da_forg3tabl3_1.*$ [NC]
    RewriteRule backgrounds/blue-faded.jpg /~jondaley/html_gifs/funny_looking.gif [L,R=permanent]

    # uncomment this if you want people who don't have their referrer
    # set to also be redirected
    RewriteCond %{HTTP_REFERER} ^$ [OR]

    # If linked to from somewhere else, forward them to geocities
    RewriteCond %{HTTP_REFERER} !^http://www.snurgle.org/.*$ [NC]

    # Forward all requests, since we are within the html_gifs directory
    RewriteRule ^(.*)$ http://www.geocities.com/last_id_in_the_world/html_gifs/$1 [R=permanent]

  10. To those who choose to use referrer by wowbagger · · Score: 3, Insightful
    Some of us block the REFERER header out of privacy concerns, since many browsers do not distinguish between a GET kicked off due to a page element like an IMG tag, and a link click.

    May I make the following suggestions?

    1. If you MUST use a referrer block, please consider simply rate limiting non-matching requests to a very low rate, like 2kB a second. That will keep your bandwidth down, yet allow the paranoid among us to still see your image (albeit after a wait).
    2. Use a CGI to provide the image, and have the page in question generate the link dynamically - that way, for the next five minutes your image might be visible as http://example.com/image.cgi?pic=foo.gif&key=598234
      and later the key value may be different. That way, you don't rely upon a spoofable header. Yes, this makes your image non-cachable, but if you are using referrer blocking, perhaps that is not a bad thing?
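
One way to build the time-limited key from suggestion 2 above, as an added example that is not part of the original comment: the page generator embeds an HMAC over the file name and the current five-minute period, and the image script recomputes it before serving. The secret, the file-name pattern and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a random server-side secret stored outside the web root.
SECRET = b"change-me: random bytes kept outside the web root"
WINDOW = 300  # seconds per key period ("the next five minutes")
# Assumption: images are flat file names; anything else is refused outright.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.(?:jpe?g|gif|png)")


def _key(pic, period):
    """HMAC over the file name and the period in which the key is valid."""
    msg = ("%s|%d" % (pic, period)).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def image_url(pic, now=None):
    """URL the page generator writes into its <img> tag."""
    period = int((time.time() if now is None else now) // WINDOW)
    return "/image.cgi?" + urlencode({"pic": pic, "key": _key(pic, period)})


def key_is_valid(url, now=None):
    """Check the image script runs before it streams the file."""
    query = parse_qs(urlsplit(url).query)
    pic = query.get("pic", [""])[0]
    key = query.get("key", [""])[0]
    if not SAFE_NAME.fullmatch(pic):
        return False
    period = int((time.time() if now is None else now) // WINDOW)
    # Accept the current and the previous period, so a page rendered just
    # before a boundary still loads; a key therefore lives 5 to 10 minutes.
    return any(
        hmac.compare_digest(key.encode(), _key(pic, p).encode())
        for p in (period, period - 1)
    )
```

A copied URL stops working once its period has passed, and the key cannot be reused for a different file because the file name is part of the signed message.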

  11. A better way to do it by Rameriez · · Score: 5, Informative

    I had this exact same problem with a few images I host on my site. Typically from forums that allow avatars to be hosted offsite. I did a bit of a google on the problem of "hot linking", and came up with this:

    http://www.alistapart.com/articles/hotlinking/

    It's an excellent solution that prevents hot/deep image embedding, but allows for normal anchor links to your pictures. You'll need to be hosting on an apache server and be allowed to use .htaccess files and have mod_rewrite, plus the tiniest amount of php/perl scripting knowledge (php example in link).

    Basically, you rewrite any requests for images from offsite with a URL that points to a script. Embedded images will fail, because the browser expects image data when it gets text/html instead. The script simply displays the image, perhaps puts a credit in, and a link back to your site.

    This way, you can block most people from stealing your bandwidth by embedding your images in their pages, but not prevent less-harmful linking.

  12. Problems with simple blocks by wizzy403 · · Score: 2, Insightful

    I used to be the webmaster for a fairly popular (in our particular niche) website with an online store. I got pissed off when I started seeing people putting things up on eBay with IMG tags pointing at our server. So I did what many of you have suggested, set up a mod_rewrite rule that if the referrer was not blank and not our site, it substituted a "Copyright Violation" JPG file (The bosses probably wouldn't approve of Tubgirl or the Goatse guy). I had to discontinue this within a week because a fairly popular BSD router software (can't remember which one, sorry) used to include the IP address of the router in the REFERRER field, and so quite a number of legitimate viewers were getting "Copyright Violation" images in place of ALL the pictures on our site. And the worst thing was, it used the PUBLIC IP in the REFERRER field instead of the private NAT address, so I couldn't even add an exception for NAT space to fix it... After spending another two weeks looking around, I just started banning sites one at a time (eBay...) from being in the REFERRER field and keeping an eye on my logs. PITA, I know...

    That was a few years ago, perhaps this is a non-issue now. But keep in mind that people running braindead routers or webcaches might inadvertently trigger your rule and get pissed. If you're just a hobby site, no big deal, I guess. But if you're making money off the site (online stores and the like) you risk losing business over it.
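
For the "keeping an eye on my logs" step, an added example (not from the original comment) that totals image bytes per off-site Referer host from an Apache combined-format access log, so the sites worth blocking stand out. The host names, addresses and log lines are constructed, and the bare-IP Referer is an assumption about what a misbehaving router might send.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

OWN_HOSTS = {"example.org", "www.example.org"}  # assumption: your site's names
IMAGE_RE = re.compile(r"\.(?:jpe?g|gif|png)$", re.IGNORECASE)
# Apache "combined" format: ... "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)"'
)

# Constructed sample input.
SAMPLE_LOG = '''
198.51.100.10 - - [12/Mar/2006:10:00:01 +0000] "GET /gallery/bus.jpeg HTTP/1.1" 200 48000 "http://www.example.org/gallery/" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2006:10:00:02 +0000] "GET /gallery/bus.jpeg HTTP/1.1" 200 48000 "http://forum.example.net/thread/42" "Mozilla/5.0"
203.0.113.6 - - [12/Mar/2006:10:00:03 +0000] "GET /gallery/bus.jpeg HTTP/1.1" 200 48000 "http://forum.example.net/thread/42?page=2" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2006:10:00:04 +0000] "GET /gallery/bus.jpeg HTTP/1.1" 200 48000 "-" "Wget/1.10"
203.0.113.8 - - [12/Mar/2006:10:00:05 +0000] "GET /gallery/bus.jpeg HTTP/1.1" 304 - "http://blog.example.com/" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2006:10:00:06 +0000] "GET /gallery/cat.gif HTTP/1.1" 200 9000 "203.0.113.9" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2006:10:00:07 +0000] "GET /index.html HTTP/1.1" 200 5000 "http://forum.example.net/thread/42" "Mozilla/5.0"
'''


def referer_source(referer):
    """Return None for your own pages, otherwise a label to report under."""
    if referer in ("", "-"):
        return "(no referer)"          # stripped by a proxy, firewall or tool
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        host = None
    if host is None:
        return "(not a URL)"           # e.g. a bare IP written into the header
    return None if host in OWN_HOSTS else host


def hotlink_report(log_text):
    """List (source, image_requests, bytes_sent) rows, largest cost first."""
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not IMAGE_RE.search(m["path"].split("?", 1)[0]):
            continue                    # unparsable line or not an image
        source = referer_source(m["referer"])
        if source is None:
            continue                    # embedded by one of your own pages
        totals[source][0] += 1
        totals[source][1] += 0 if m["size"] == "-" else int(m["size"])
    return sorted(((s, n, b) for s, (n, b) in totals.items()),
                  key=lambda row: (-row[2], row[0]))


if __name__ == "__main__":
    for source, hits, size in hotlink_report(SAMPLE_LOG):
        print("%-20s %3d requests %8d bytes" % (source, hits, size))
```

Reporting the "(no referer)" and "(not a URL)" buckets separately shows how much traffic a blank-Referer exception lets through and how many visitors a strict rule would break.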

  13. Don't block them ... by vrai · · Score: 2, Funny

    ... redirect them to one of the GNAA/goats.cx style shock images. Nothing will discourage (most) webloggers from deep linking to your images more than turning their precious 'blogs' in to gay scat porn sites.

  14. Slightly better solution by OblongPlatypus · · Score: 2, Informative

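    # Flag every request that arrives with an http:// Referer ...
    SetEnvIfNoCase Referer "^http://" remote_ref=1
    # ... then clear the flag for your own pages. "Deny from env=" only tests
    # whether the variable exists, so it must be unset (!remote_ref), not set to 0.
    SetEnvIfNoCase Referer "^http://.*\.yourdomain\.com/" !remote_ref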
    <FilesMatch "\.(jpeg)">
    Order Deny,Allow
    Deny from env=remote_ref
    </FilesMatch>

    This will let your page work for people with anonymizer services and firewalls which block the referer field. Of course for those people the remote linking will work as well, but usually they are few enough for the bandwidth impact to be negligible.

    --
    -- If no truths are spoken then no lies can hide --
  15. Re:duh by RevDobbs · · Score: 2, Funny

    Jebus Chrisp, man, you've just created a copy protection circumvention device! Off to the gallows with you!

  16. more bait-and-switch ideas by Chuq · · Score: 2

    You could always do what Rob at Cockeyed.com did :)

    --
    - Chuq