Author Topic: Kill Webbugs: Another One  (Read 6502 times)

sidki3003

  • Sr. Member
  • ****
  • Posts: 476
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://
    • Email
Kill Webbugs: Another One
« on: August 18, 2002, 01:05:43 AM »
updated 2002-08-18

My webbug filter.

Replace all images <5x5 with a dummy using proper dimensions.
But give a sign if it's not a simple gif without query string (offsite and inline).
Work with JavaScript.

Ideas by several people.

[Patterns]
Name = "Kill: Webbugs"
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js))(^$LST(Bypass_Ads))"
Bounds = "<i(mg|mage|nput)s*>"
Limit = 800
Match = "(*(width=$AV((\"|"|)7[#0:4](\"|"|)))1)"
        "&(*(height=$AV((\"|"|)[#0:4](\"|"|)))2)"
        "&*src="
        "("
        "("
        "(^*.gif(\"|"|s|>))&(\"|"|)"
        "("
        "3&(([^ "'+]+{50})5?*$SET(6=5...)|([^ "'+]+)6*)"
        ")"
        "(\"|"|s|>)"
        "&$SET(4=<a href=737><img src=7http://Local.ptron/red.gif7 width=747 height=747 border=707></a>)"
        ")"
        "|$SET(4=<img src=7http://Local.ptron/killed.gif7 1 2>)"
        ")*"
Replace = "4"

/5 and /6 is used for debugging, remove it if you don't need it (blue code).

If you don't maintain a bypass ads list, remove the green code.

That piece of art, "red.gif" is attached (to be placed in the html dir).

/sidki

Edited by - sidki3003 on 18 Aug 2002  14:33:07
 

JD5000

  • Full Member
  • ***
  • Posts: 241
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://home.satx.rr.com/jd5000/
    • Email
Kill Webbugs: Another One
« Reply #1 on: August 18, 2002, 02:24:46 AM »
Hey now, yet another filter to add to the collection.

BTW, I how long did it take to get the RED just right.

--------
Infopros Joint :: Computer Related Links And Discussion

sidki3003

  • Sr. Member
  • ****
  • Posts: 476
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://
    • Email
Kill Webbugs: Another One
« Reply #2 on: August 18, 2002, 02:34:01 AM »
Ages

 
 

JD5000

  • Full Member
  • ***
  • Posts: 241
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://home.satx.rr.com/jd5000/
    • Email
Kill Webbugs: Another One
« Reply #3 on: August 18, 2002, 10:21:34 AM »
While messing with something else.. I noticed some bugs getting by..

Here's one...

http://www.msnbc.com/news/TECH_Front.asp

The code is..

<img src=http://c.msnbc.com/c.gif?NC=1279&NA=1154&PS=28779&PI=7329&DI=305 border=0 height=1 width=1>


Also, in one of the stories..

<img src=http://c.msnbc.com/c.gif?NC=1279&NA=1154&PS=28830&PI=7329&DI=305 border=0 height=1 width=1>
<img src="http://a799.ms.akamai.net/3/799/388/2ebefc7104d681/www.msnbc.com/i/c.gif" width=1 height=1 id=scrollRecord border=0>


In the first two. It looks to me that, "gif" in URL is throwing off the filter. I remember running across this before, just don't remember if I was able to find a workaround...

Right now I'm using this filter to mark obvious web bugs & my old one to kill any possible web bugs.

BTW, not that I didn't like the awesome RED gif... However, I changed it to a 'lil bug I found at the bugnosis site. I removed the white bg & flipped it...

NOTE: If anybody tries the image, you'll need to change the replacement size to 18x18.

--------
Infopros Joint :: Computer Related Links And Discussion

lnminente

  • Jr. Member
  • **
  • Posts: 73
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • Email
Kill Webbugs: Another One
« Reply #4 on: August 18, 2002, 01:25:32 PM »
Yes yes yes.
I like it.

This is the way i like to filter. Doing links to the things filtered.

<img src="http://ad.es.doubleclick.net/ad/cuentaplanif/softonic;sz=1x1" width="1" height="1" border="0">

get converted to:
<a href=http://ad.es.doubleclick.net/ad/cuentaplanif/softonic;sz=1x1><img src=http://Local.ptron/red.gif width=4 height=4 border=0></a>

I like too much. Sidky made it again

Note: I am working in a filter for popups to links
but my knowledge is very low

Regards

 
 

sidki3003

  • Sr. Member
  • ****
  • Posts: 476
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://
    • Email
Kill Webbugs: Another One
« Reply #5 on: August 18, 2002, 01:38:46 PM »
Thanks lnminente

JD,
Oh yes! Good to know you keep an eye on such things.

It slipped thru the quote check. Fixed

I also changed the logic a bit. If the src check fails somehow, it should now be replaced by killed gif anyway.

So now it does:

Replace all images <5x5 with a dummy using proper dimensions.
But give a sign if it's not a simple gif without query string (offsite and inline).
Work with JavaScript.

It just checks for simple gifs since i saw only a handful of other spacers (png, bmp, ico, jpg).
What makes the code a bit complicated are the quotes within scripts.

Updates in the first post.

/sidki

 
 

JD5000

  • Full Member
  • ***
  • Posts: 241
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://home.satx.rr.com/jd5000/
    • Email
Kill Webbugs: Another One
« Reply #6 on: August 18, 2002, 09:40:41 PM »
Sweet, looks to be working great.

--------
Infopros Joint :: Computer Related Links And Discussion

hpguru

  • Moderator
  • Sr. Member
  • *****
  • Posts: 257
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://lightning.prohosting.com/~hpguru/
    • Email
Kill Webbugs: Another One
« Reply #7 on: August 19, 2002, 03:06:19 AM »
You inspired me to take another look at my Web Bug filter and I found a problem with it. Here are the updates.

Name = "Replace Web Bugs (eDexter) v2.1"
Active = TRUE
Bounds = "<imgs*>"
Limit = 300
Match = "*(height=$AV([#1:5]))1*"
        "& (*(width=$AV([#1:5]))2)"
Replace = "<img src="http://127.0.0.1:80" 1 2 alt="Web Bug">"



Name = "Replace Web Bugs (Standard) v2.1"
Active = FALSE
Bounds = "<imgs*>"
Limit = 300
Match = "*(height=$AV([#1:5]))1*"
        "& (*(width=$AV([#1:5]))2)"
Replace = "<img src="http://Local.ptron/tiny_killed.gif" 1 2 alt="Web Bug">"


Facing each other,
a thousand miles apart.
Facing each other,
a thousand miles apart.

sidki3003

  • Sr. Member
  • ****
  • Posts: 476
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://
    • Email
Kill Webbugs: Another One
« Reply #8 on: August 19, 2002, 03:32:05 AM »
I like the eDexter idea. Last time i looked at it is a while ago.
Can you meanwhile change the port from 80 to something else?
Because the webserver listens on 80.

 
 

hpguru

  • Moderator
  • Sr. Member
  • *****
  • Posts: 257
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://lightning.prohosting.com/~hpguru/
    • Email
Kill Webbugs: Another One
« Reply #9 on: August 19, 2002, 04:09:31 AM »
quote:

I like the eDexter idea. Last time i looked at it is a while ago.
Can you meanwhile change the port from 80 to something else?
Because the webserver listens on 80.



That would be a problem. I just checked the documentation and website and evidently port 80 is hard coded. I see no way to change it.

If your web server is able to load your site into ram then you may be able to make your own "sidkiDexter" by configuring your server to respond to all requests from 0.0.0.0:1024-5000 by serving a 1x1 transparent gif.

Facing each other,
a thousand miles apart.
Facing each other,
a thousand miles apart.

sidki3003

  • Sr. Member
  • ****
  • Posts: 476
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://
    • Email
Kill Webbugs: Another One
« Reply #10 on: August 19, 2002, 04:22:11 AM »
quote:
If your web server is able to load your site into ram then you may be able to make your own "sidkiDexter" ...

quote:
... by configuring your server to respond to all requests from 0.0.0.0:1024-5000 by serving a 1x1 transparent gif.
Sambar (5.2) is a nice server with many  advantages, but it's not smart enough to redirect to a location other then an HTML document.

Thanks for looking into it.

 
 

hpguru

  • Moderator
  • Sr. Member
  • *****
  • Posts: 257
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://lightning.prohosting.com/~hpguru/
    • Email
Kill Webbugs: Another One
« Reply #11 on: August 19, 2002, 05:05:57 AM »
[Hint]
Perhaps Scott would consider making a future version of Proxo cache killed.html and killed.gif in Ram so they don't need to be fetched from the disk.
[/hint]

Facing each other,
a thousand miles apart.
Facing each other,
a thousand miles apart.

TEggHead

  • Jr. Member
  • **
  • Posts: 93
    • ICQ Messenger - 21893433
    • AOL Instant Messenger -
    • Yahoo Instant Messenger - eljarec
    • View Profile
    • Email
Kill Webbugs: Another One
« Reply #12 on: August 19, 2002, 08:42:15 AM »
quote:

quote:

I like the eDexter idea. Last time i looked at it is a while ago.
Can you meanwhile change the port from 80 to something else?
Because the webserver listens on 80.



That would be a problem. I just checked the documentation and website and evidently port 80 is hard coded. I see no way to change it.



What about an alternative to eDexter?

exe size around 60Kb
support for CGI
definable port
definable IP
also in SSL available (slighlty larger)
with source (Delphi)
windowless console app

in short, TinyWEB at http://www.ritlabs.com/tinyweb/

and if you can't live without GUI, get it's companion TinyBOX (but only supports one running instance whereas TinyWEB can run several instances (each with own combo of IP:port)

get it at http://people.freenet.de/ralph.becker/tinybox/


Edited by - TEggHead on 19 Aug 2002  09:59:54
 

altosax

  • Sr. Member
  • ****
  • Posts: 328
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://
    • Email
Kill Webbugs: Another One
« Reply #13 on: August 19, 2002, 09:48:16 AM »
hpguru wrote:

quote:

You inspired me to take another look at my Web Bug filter and I found a problem with it.



hi hpguru,
your web bug filters look better than the previous but i suggest to replace the [#1:5] with [#0:5] because i've found sometimes both height=0 and width=0.
this because what really interests to the site placing the web bug is not to show a little image but just receive your http request.

regards,
altosax.

 
 

hpguru

  • Moderator
  • Sr. Member
  • *****
  • Posts: 257
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://lightning.prohosting.com/~hpguru/
    • Email
Kill Webbugs: Another One
« Reply #14 on: August 19, 2002, 01:35:34 PM »
quote:

...i suggest to replace the [#1:5] with [#0:5] because i've found sometimes both height=0 and width=0.
this because what really interests to the site placing the web bug is not to show a little image but just receive your http request.



I had thought of matching [#0:10] based on past observations but I was concerned I'd match way too many spacer images.

Facing each other,
a thousand miles apart.
Facing each other,
a thousand miles apart.