Blocking Image Bandwidth Theft with URL Rewriting

I like to periodically watch the HTTP traffic on my server. I can see what I'm actually serving up over the wire, and how much bandwidth I'm using.

This is a companion discussion topic for the original blog entry at:

Thanks for adding bloglines to the list. There’s probably a couple more you will have to add over time.

However, as with every header field, it really isn’t reliable. The next step would probably be to use cookies or GET/HEAD pictures only in some pre-defined order.

Nice article…I’ve long used Apache and now am trying to figure out how to do things that used to be easy on IIS for work. This will help.

Thought you might want to know that images are rewritten on when seen through bloglines. Additionally, I am switching to for RSS feeds - it’s the best feed aggregator I’ve come across yet, it would be nice if you could add that to your list. I always read Coding Horror, you’re my absolute favorite .Net related writer!

(I thought it might be that I often leave the www our of the url since that is kind of redundant, but in either case, still not seeing your images on Bloglines.)

Please add to the list.

The next step would probably be to use cookies or GET/HEAD pictures only in some pre-defined order.

I understand the cookie approach, but describe the GET/HEAD approach?

Also, I added and to the whitelist based on some additional sniffer trace monitoring.

Also, I found a nifty tool that lets you tests whether or not your anti-hotlink approach is working on your server:

Be sure to clear your browser cache before running the test; stuff on disk will always show up.

Looks like the various anti-hotlink alternatives are also enumerated on that site:

They sell a product that generates random URLs on the server side which are only valid for a fixed amount of time, eg, “ColdLink”. Interesting.

I’m glad I’m not the only one who’s had to resort to image blocking because of those damn MySpace users.

Hey Jeff,

Mate, feel you pain. You might get a chuckle out of the following article:
a href=""

  • Dugie

Andrew, that’s hilarious, LOL!

I am switching to for RSS feeds

I’ll add that to the whitelist later tonight.

Been an avid reader for a while. Just noticed the added image-parsing required to post.

While I understand the need to avoid spamming the board, have you considered that a blind person will now require the aid of a friend to post a comment to your blog? The solution is very far from perfect. I can’t give you a better solution off the cuff, but you should be aware that it does cause problems for some users.

This can be done with IIS 6

I’ve set it up at to stop other sites nicking the photos and maps.

I can’t remember exactly what I did off the top of my head, if anyone is interesting, I’ll dig out my source.

Wow, I really should have turned down my speakers before clicking the myspace link…actually…I should have just not clicked the myspace link. Nothing good can ever come from that place.

Thanks for the great image blocking technique.

While understanding the reasons for this step it is also bad for some users. From now on I can see just WTF images in my own feedreader.

ciao Ronny

Ulrik Jensen: Why would a blind person care about imaging blocking posts?

For that matter, what percentage of CodingHorror readers are so blind that they have to use a screen reader as their only possible means of surfing the web? I will go out on a limb and say very few are.

My father-in-law is just about completely blind, but can see shapes out of the corner of one eye and he is STILL able to browse the web and look at images. Of course, he has a special magnification utility that goes far beyond the one built into windows, but so would anyone else that can barely see.

I’m more concerned about all the poor lynx users :frowning:

Oh, and why is the captcha always “orange”? That’s not very hard to defeat lol.

It works for pretty much all the standard spam-bots that are out there, which is pretty much all this site gets. It works for now, and is easy to habituate. I’m guessing if anyone bothers to “break” it, he’ll change it to random words.

For IIS you can use a href=""isapi rewrite/a, there is a free “lite” version available that works like magic.

Another way they seem to be able to reach you is using a redirect from google images, so be careful with what you add to your accept list.

OK the link didn’t show up in the previous comment:

Yes, I’ve had to do the same for - funny that my q*bert pictures also get leeched. The other culprit (myspace is bad, yes) is ebay - people selling “emulator paks” while theiving other people’s code are also likely to thieve on the bandwidth as well. For those I usually replace them with a funny custom image involving a baby and excement and then report them to ebay for having offensive images. Then again I’m vindictive.

I have a custom image deliverer that can scale up and down images and it also checcks to make sure the referer is me. It catches 99% of the links and returns an “image missing” - figure that will confuse people and waste their time.

MySpace is popular because it’s chaotic and allows you to do what you feel like without much structure. You can do what you want where you want to do it. It’s like IM gone mental, with the output stored for future reference.

Friendster was more structured and lost popularity for that reason, as well as having a hostile administrator and slow system response for a long period of time… but it was a lot more structured.

Anyone who thinks that the up-and-coming generation are tech-whizzes who can do great things with technology should take a look at MySpace as a counter-example. They’re just consumers of what’s put in front of them, and that’s about the extent of it.