Author Topic: Remove Kazaa headers  (Read 2793 times)

Jor

« on: July 18, 2002, 11:38:20 AM »
If you use Kazaa (or the spyware-free KazaaLite), be aware this program reports on you by sending specific headers to the supernodes. While these may be harmless, I don't like them leaving my machine.

The following header filters take care of the problem:

##
## Proxomitron Config File
##
## Remove Kazaa headers
##

[HTTP headers]
In = FALSE
Out = TRUE
Key = "X-Kazaa-IP: [out]"
Match = " & $LOG(CHeader X-Kazaa-IP removed: )"

In = FALSE
Out = TRUE
Key = "X-Kazaa-Network: [out]"
Match = " & $LOG(CHeader X-Kazaa-Network removed: )"

In = FALSE
Out = TRUE
Key = "X-Kazaa-SuperNodeIP: [out]"
Match = " & $LOG(CHeader X-Kazaa-SuperNodeIP removed: )"

In = FALSE
Out = TRUE
Key = "X-Kazaa-Username: [out]"
Match = " & $LOG(CHeader X-Kazaa-Username removed: )"


You can also download a mergeable config:
Attachment: kazaa.cfg 928 Bytes
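
The same outbound filtering, written out in Python as an added example (not part of the post above and not Proxomitron code). The function name `strip_headers` and the sample request with its values are constructed for illustration; header names are compared case-insensitively, as HTTP requires.

```python
# Added example: drop the four X-Kazaa-* headers from one raw outbound request.
BLOCKED = ("x-kazaa-ip", "x-kazaa-network",
           "x-kazaa-supernodeip", "x-kazaa-username")

def strip_headers(raw: bytes, blocked=BLOCKED):
    """Return (filtered_request, removed) for one raw HTTP/1.x request.

    Only the header section is rewritten; the body passes through untouched.
    Folded continuation lines (leading space or tab) are dropped together
    with the header they continue, so a value cannot slip out via folding.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept, removed = [lines[0]], []          # lines[0] is the request line
    dropping = False
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):       # continuation of previous header
            if dropping:
                name, value = removed[-1]
                removed[-1] = (name, value + " " + line.strip().decode("latin-1"))
            else:
                kept.append(line)
            continue
        name, _, value = line.partition(b":")
        dropping = name.strip().lower().decode("latin-1") in blocked
        if dropping:
            removed.append((name.decode("latin-1"),
                            value.strip().decode("latin-1")))
        else:
            kept.append(line)
    return b"\r\n".join(kept) + sep + body, removed

# Constructed sample request; host and header values are placeholders.
SAMPLE = (b"GET /start.html HTTP/1.1\r\n"
          b"Host: example.invalid\r\n"
          b"X-Kazaa-Username: testuser\r\n"
          b"x-kazaa-ip: 192.0.2.10:1214\r\n"
          b"X-Kazaa-Network: ExampleNet\r\n"
          b"\tfolded\r\n"
          b"Accept: */*\r\n\r\n")

if __name__ == "__main__":
    filtered, removed = strip_headers(SAMPLE)
    for name, value in removed:             # mirrors the $LOG lines above
        print(f"Header {name} removed: {value}")
    print(filtered.decode("latin-1"))
```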

 
 

sidki3003

« Reply #1 on: July 18, 2002, 10:43:03 PM »
How did you get Kazaa to work with Prox?
Except for the Start, Home, ... windows (these use IE's proxy options) it uses another port (1214 by default).
And Kazaa's own proxy options only allow for socks.

sidki

 
 

Jor

« Reply #2 on: July 18, 2002, 11:18:09 PM »
It is the web interface of Kazaa where these headers may occur -- I noticed them in my Proxomitron log while previewing downloaded items in the "Theatre" field.
Since then I've also found them occurring in the search, start, and my kazaa fields.

I can't filter Kazaa's actual traffic over port 1214, but start/my kazaa/theatre report over normal HTTP to a server (resolved to different IPs), so I'm not really sure what is happening, but if I can, I will filter them out. Also, they do not always occur; it would seem Kazaa only reports at certain intervals.


BTW, I have gotten Kazaa to run over HTTP Tunnel, but never noticed anything suspicious going on.

Edited by - Jor on 19 Jul 2002  00:23:26
 

sidki3003

« Reply #3 on: July 18, 2002, 11:35:50 PM »
Ah ok, I didn't know this.
What I consider as a real threat is that it transmits these headers on *every* TCP connect via port 1214.
You can see this with a packet sniffer. It's very easy to collect IPs this way.
The only solution would be socksifying Proxomitron so that you can enter it as a proxy in Kazaa's options, but I don't really like to do that. I think that would have a lot of unwanted side effects.

edit: Yes, HTTP-Tunnel might be another option, but from my location the free service is slow like hell.

BTW: I came across your "Kill ad scripts (part 3 - external files)" filter recently. I really like it.

sidki


Edited by - sidki3003 on 19 Jul 2002  00:57:01