Old Proxomitron Forums

Proxomitron Filters - Discussions welcome => Privacy => Topic started by: sidki3003 on August 18, 2002, 01:05:43 AM

Title: Kill Webbugs: Another One
Post by: sidki3003 on August 18, 2002, 01:05:43 AM
updated 2002-08-18

My webbug filter.

Replace all images <5x5 with a dummy using proper dimensions.
But give a sign if it's not a simple gif without query string (offsite and inline).
Work with JavaScript.

Ideas by several people.

[Patterns]
Name = "Kill: Webbugs"
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js))(^$LST(Bypass_Ads))"
Bounds = "<i(mg|mage|nput)\s*>"
Limit = 800
Match = "(*(width=$AV((\\\"|\"|)\7[#0:4](\\\"|\"|)))\1)"
        "&(*(height=$AV((\\\"|\"|)[#0:4](\\\"|\"|)))\2)"
        "&*src="
        "("
        "("
        "(^*.gif(\\\"|\"|\s|>))&(\\\"|\"|)"
        "("
        "\3&(([^ \"'+]+{50})\5?*$SET(6=\5...)|([^ \"'+]+)\6*)"
        ")"
        "(\\\"|\"|\s|>)"
        "&$SET(4=<a href=\7\3\7><img src=\7http://Local.ptron/red.gif\7 width=\74\7 height=\74\7 border=\70\7></a>)"
        ")"
        "|$SET(4=<img src=\7http://Local.ptron/killed.gif\7 \1 \2>)"
        ")*"
Replace = "\4"

/5 and /6 is used for debugging, remove it if you don't need it (blue code).

If you don't maintain a bypass ads list, remove the green code.

That piece of art, "red.gif" is attached (uploaded/sidki3003/20028182156_RED.zip) (to be placed in the html dir).

/sidki

Edited by - sidki3003 on 18 Aug 2002  14:33:07
Title: Kill Webbugs: Another One
Post by: JD5000 on August 18, 2002, 02:24:46 AM
Hey now, yet another filter to add to the collection.

BTW, how long did it take to get the RED just right?

--------
Infopros Joint :: Computer Related Links And Discussion (http://infoprosjoint.net/PN/html/index.php)
Title: Kill Webbugs: Another One
Post by: sidki3003 on August 18, 2002, 02:34:01 AM
Ages

 
Title: Kill Webbugs: Another One
Post by: JD5000 on August 18, 2002, 10:21:34 AM
While messing with something else.. I noticed some bugs getting by..

Here's one...

http://www.msnbc.com/news/TECH_Front.asp

The code is..

<img src=http://c.msnbc.com/c.gif?NC=1279&NA=1154&PS=28779&PI=7329&DI=305 border=0 height=1 width=1>


Also, in one of the stories..

<img src=http://c.msnbc.com/c.gif?NC=1279&NA=1154&PS=28830&PI=7329&DI=305 border=0 height=1 width=1>
<img src="http://a799.ms.akamai.net/3/799/388/2ebefc7104d681/www.msnbc.com/i/c.gif" width=1 height=1 id=scrollRecord border=0>


In the first two. It looks to me that, "gif" in URL is throwing off the filter. I remember running across this before, just don't remember if I was able to find a workaround...

Right now I'm using this filter to mark obvious web bugs & my old one to kill any possible web bugs.

BTW, not that I didn't like the awesome RED gif... However, I changed it to a 'lil bug I found at the bugnosis site. I removed the white bg & flipped it...

NOTE: If anybody tries the image, you'll need to change the replacement size to 18x18.

--------
Infopros Joint :: Computer Related Links And Discussion (http://infoprosjoint.net/PN/html/index.php)
Title: Kill Webbugs: Another One
Post by: lnminente on August 18, 2002, 01:25:32 PM
Yes yes yes.
I like it.

This is the way i like to filter. Doing links to the things filtered.

<img src="http://ad.es.doubleclick.net/ad/cuentaplanif/softonic;sz=1x1" width="1" height="1" border="0">

get converted to:
<a href=http://ad.es.doubleclick.net/ad/cuentaplanif/softonic;sz=1x1><img src=http://Local.ptron/red.gif width=4 height=4 border=0></a>

I like too much. Sidki made it again.

Note: I am working in a filter for popups to links
but my knowledge is very low

Regards

 
Title: Kill Webbugs: Another One
Post by: sidki3003 on August 18, 2002, 01:38:46 PM
Thanks lnminente

JD,
Oh yes! Good to know you keep an eye on such things.

It slipped thru the quote check. Fixed

I also changed the logic a bit. If the src check fails somehow, it should now be replaced by killed gif anyway.

So now it does:

Replace all images <5x5 with a dummy using proper dimensions.
But give a sign if it's not a simple gif without query string (offsite and inline).
Work with JavaScript.

It just checks for simple gifs since i saw only a handful of other spacers (png, bmp, ico, jpg).
What makes the code a bit complicated are the quotes within scripts.

Updates in the first post.

/sidki
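
The logic sidki describes above, restated in Python as an added example (not part of the thread and not Proxomitron syntax), run over the tags JD5000 and lnminente quoted plus one constructed ordinary image. The function names and the choice to leave tags without a src untouched are assumptions of this sketch.

```python
import re

TINY = range(0, 5)  # "<5x5": width and height each 0..4, like [#0:4] in the filter
IMG = re.compile(r"<(?:img|image|input)\b[^>]*>", re.I)

def attr(tag, name):
    """Return an attribute value (double-quoted, single-quoted or bare), else None."""
    m = re.search(r'''\s%s\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))''' % name, tag, re.I)
    return next((g for g in m.groups() if g is not None), None) if m else None

def simple_gif(src):
    """A plain spacer: URL ends in .gif and carries no query string."""
    return "?" not in src and src.lower().endswith(".gif")

def rewrite(tag):
    w, h, src = attr(tag, "width"), attr(tag, "height"), attr(tag, "src")
    tiny = all(v is not None and v.isdigit() and int(v) in TINY for v in (w, h))
    if not tiny or src is None:
        return tag  # assumption of this sketch: leave anything else untouched
    if simple_gif(src):
        # plain spacer: silent dummy that keeps the original dimensions
        return '<img src="http://Local.ptron/killed.gif" width="%s" height="%s">' % (w, h)
    # anything else gets a visible marker linking to the original URL;
    # escape double quotes so the URL cannot break out of the href attribute
    return ('<a href="%s"><img src="http://Local.ptron/red.gif" '
            'width="4" height="4" border="0"></a>' % src.replace('"', "&quot;"))

def filter_html(html):
    return IMG.sub(lambda m: rewrite(m.group(0)), html)

# Tags quoted in the thread, plus one constructed ordinary image (the last).
SAMPLES = [
    '<img src=http://c.msnbc.com/c.gif?NC=1279&NA=1154&PS=28779&PI=7329&DI=305 '
    'border=0 height=1 width=1>',
    '<img src="http://a799.ms.akamai.net/3/799/388/2ebefc7104d681/www.msnbc.com/i/c.gif" '
    'width=1 height=1 id=scrollRecord border=0>',
    '<img src="http://ad.es.doubleclick.net/ad/cuentaplanif/softonic;sz=1x1" '
    'width="1" height="1" border="0">',
    '<img src="logo.gif" width="120" height="60">',
]

if __name__ == "__main__":
    for tag in SAMPLES:
        print(filter_html(tag))
```

The msnbc tag is the case JD5000 reported: the URL contains ".gif" but carries a query string, so it is flagged rather than silently replaced.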

 
Title: Kill Webbugs: Another One
Post by: JD5000 on August 18, 2002, 09:40:41 PM
Sweet, looks to be working great.

--------
Infopros Joint :: Computer Related Links And Discussion (http://infoprosjoint.net/PN/html/index.php)
Title: Kill Webbugs: Another One
Post by: hpguru on August 19, 2002, 03:06:19 AM
You inspired me to take another look at my Web Bug filter and I found a problem with it. Here are the updates.

Name = "Replace Web Bugs (eDexter) v2.1"
Active = TRUE
Bounds = "<img\s*>"
Limit = 300
Match = "*(height=$AV([#1:5]))\1*"
        "& (*(width=$AV([#1:5]))\2)"
Replace = "<img src=\"http://127.0.0.1:80\" \1 \2 alt=\"Web Bug\">"



Name = "Replace Web Bugs (Standard) v2.1"
Active = FALSE
Bounds = "<img\s*>"
Limit = 300
Match = "*(height=$AV([#1:5]))\1*"
        "& (*(width=$AV([#1:5]))\2)"
Replace = "<img src=\"http://Local.ptron/tiny_killed.gif\" \1 \2 alt=\"Web Bug\">"


Facing each other,
a thousand miles apart.
Title: Kill Webbugs: Another One
Post by: sidki3003 on August 19, 2002, 03:32:05 AM
I like the eDexter idea. Last time i looked at it is a while ago.
Can you meanwhile change the port from 80 to something else?
Because the webserver listens on 80.

 
Title: Kill Webbugs: Another One
Post by: hpguru on August 19, 2002, 04:09:31 AM
quote:

I like the eDexter idea. Last time i looked at it is a while ago.
Can you meanwhile change the port from 80 to something else?
Because the webserver listens on 80.



That would be a problem. I just checked the documentation and website and evidently port 80 is hard coded. I see no way to change it.

If your web server is able to load your site into ram then you may be able to make your own "sidkiDexter" by configuring your server to respond to all requests from 0.0.0.0:1024-5000 by serving a 1x1 transparent gif.

Facing each other,
a thousand miles apart.
Title: Kill Webbugs: Another One
Post by: sidki3003 on August 19, 2002, 04:22:11 AM
quote:
If your web server is able to load your site into ram then you may be able to make your own "sidkiDexter" ...

quote:
... by configuring your server to respond to all requests from 0.0.0.0:1024-5000 by serving a 1x1 transparent gif.

Sambar (5.2) is a nice server with many advantages, but it's not smart enough to redirect to a location other than an HTML document.

Thanks for looking into it.

 
Title: Kill Webbugs: Another One
Post by: hpguru on August 19, 2002, 05:05:57 AM
[Hint]
Perhaps Scott would consider making a future version of Proxo cache killed.html and killed.gif in Ram so they don't need to be fetched from the disk.
[/hint]

Facing each other,
a thousand miles apart.
Title: Kill Webbugs: Another One
Post by: TEggHead on August 19, 2002, 08:42:15 AM
quote:

quote:

I like the eDexter idea. Last time i looked at it is a while ago.
Can you meanwhile change the port from 80 to something else?
Because the webserver listens on 80.



That would be a problem. I just checked the documentation and website and evidently port 80 is hard coded. I see no way to change it.



What about an alternative to eDexter?

exe size around 60Kb
support for CGI
definable port
definable IP
also in SSL available (slightly larger)
with source (Delphi)
windowless console app

in short, TinyWEB at http://www.ritlabs.com/tinyweb/

and if you can't live without GUI, get its companion TinyBOX (but only supports one running instance whereas TinyWEB can run several instances, each with own combo of IP:port)

get it at http://people.freenet.de/ralph.becker/tinybox/


Edited by - TEggHead on 19 Aug 2002  09:59:54
Title: Kill Webbugs: Another One
Post by: altosax on August 19, 2002, 09:48:16 AM
hpguru wrote:

quote:

You inspired me to take another look at my Web Bug filter and I found a problem with it.



hi hpguru,
your web bug filters look better than the previous but i suggest to replace the [#1:5] with [#0:5] because i've found sometimes both height=0 and width=0.
this because what really interests to the site placing the web bug is not to show a little image but just receive your http request.

regards,
altosax.

 
Title: Kill Webbugs: Another One
Post by: hpguru on August 19, 2002, 01:35:34 PM
quote:

...i suggest to replace the [#1:5] with [#0:5] because i've found sometimes both height=0 and width=0.
this because what really interests to the site placing the web bug is not to show a little image but just receive your http request.



I had thought of matching [#0:10] based on past observations but I was concerned I'd match way too many spacer images.

Facing each other,
a thousand miles apart.
Title: Kill Webbugs: Another One
Post by: sidki3003 on August 19, 2002, 06:03:29 PM
TEggHead wrote:
quote:

What about an alternative to eDexter?

exe size around 60Kb
support for CGI
definable port
definable IP
also in SSL available (slightly larger)
with source (Delphi)
windowless console app

in short, TinyWEB at http://www.ritlabs.com/tinyweb/


Looks nice but seems to be the same thing as with my webserver:
I don't see an option to serve requests with something else than an *.htm* doc.
The online help speaks about the NT/2K/XP PATHEXT environment variable but i'd feel a bit uncomfortable appending .GIF to it.


 
Title: Kill Webbugs: Another One
Post by: hpguru on August 19, 2002, 07:24:58 PM
Actually I think eDexter is a better choice because when configured not to use images (on the disk) it serves its own internal 1x1 transparent gif. Using any other web server that cannot cache content in ram means you still have to grab a file from the disk and if you are going to do that you may as well use \k or local.ptron in your filters.

Facing each other,
a thousand miles apart.
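
A local responder of the kind hpguru describes, answering every request with a 1x1 transparent GIF held in memory, takes only a few lines on a current Python. This is an added sketch, not eDexter's code; the handler name, port 8081 and the loopback-only binding are choices made here.

```python
import struct
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# 42-byte transparent 1x1 GIF89a kept in memory (constructed for this example).
PIXEL = bytes.fromhex(
    "474946383961"                   # "GIF89a"
    "0100" "0100" "800000"           # width=1, height=1, 2-colour global table
    "000000" "ffffff"                # colour table: black, white
    "21f90401000000" "00"            # graphic control ext: colour 0 transparent
    "2c00000000" "0100" "0100" "00"  # image descriptor, 1x1 at 0,0
    "02014400"                       # LZW-coded pixel data
    "3b"                             # trailer
)

class PixelHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Every path gets the same pixel; nothing is read from disk.
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL)))
        self.send_header("Cache-Control", "max-age=86400")
        self.end_headers()
        self.wfile.write(PIXEL)

    def log_message(self, fmt, *args):
        pass  # no per-request logging

def start_pixel_server(port=0, host="127.0.0.1"):
    """Serve PIXEL on host:port (0 = any free port) from a background thread.

    Binding to loopback keeps the responder unreachable from other machines.
    """
    srv = ThreadingHTTPServer((host, port), PixelHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def gif_size(data):
    """Read width and height from a GIF logical screen descriptor."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    return struct.unpack("<HH", data[6:10])

if __name__ == "__main__":
    srv = start_pixel_server(port=8081)  # 8081 is an arbitrary free port
    print("serving pixel on", srv.server_address)
    threading.Event().wait()             # keep running until interrupted
```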
Title: Kill Webbugs: Another One
Post by: lnminente on August 19, 2002, 07:37:18 PM
one suggestion and question:

Could you use a iframe instead of a gif image?

 
Title: Kill Webbugs: Another One
Post by: sidki3003 on August 19, 2002, 08:33:15 PM
Might work ... for those browsers that support iframes .. don't know though.
However, after thinking about it, loading of the replacement image should not be a real problem.
Since it's called lots of times it should be in the OS RAM cache anyway.


 
Title: Kill Webbugs: Another One
Post by: hpguru on August 19, 2002, 08:49:53 PM
quote:

Since it's called lots of times it should be in the OS RAM cache anyway.



Unfortunately that's not the case. Monitoring file system activity with Sysinternals Filemon I can observe Proxo opening killed.html, killed.gif, etc.

Facing each other,
a thousand miles apart.
Title: Kill Webbugs: Another One
Post by: sidki3003 on August 19, 2002, 09:47:12 PM
Hmm... looks to me as if FileMon also logs access to objects that are in the file system cache.
When i open a file in notepad the 2nd time, i see almost zero disk read activity in performance monitor.
When i then start FileMon and open that file the 3rd time, i see in the log all those hundreds of reads in the DLLs etc ...


 
Title: Kill Webbugs: Another One
Post by: hpguru on August 19, 2002, 11:30:13 PM
I used the string "proxomitron.exe" as a filter in Filemon so I was observing only Proxo's accesses to the disk. What I did was to block the url "adv.foo.com/bar.gif" using \k in a header filter. Proxo read the killed.gif file among other things each time I reloaded. By contrast eDexter only read its ini file. No other eDexter disk accesses were logged by Filemon.

BTW I don't mean to give the impression that eDexter is better than Proxo. Rather the two working together are slightly more efficient than Proxo by itself.

Facing each other,
a thousand miles apart.