Tech: How to prevent image leeching (hot linking) in IIS 6.0

One of the most annoying things about hosting your own web site is that some people will take advantage of your web server serving up images and other content to any browser that requests them, even if the browser is displaying a page somewhere else on the internet.

By not hosting the images themselves, leeches save both disk space and bandwidth. It’s called leeching, image stealing, hot linking, hijacking and just plain stealing.

Earlier this evening I logged into my WordPress blog and noticed an incoming link from another blogger. Incoming links are always good so I went off to check out who it was. It was a small-time blogger who made a one sentence post and hot linked the image on my server. The important thing was that he didn’t copy the image, he hot linked to it. This means that my own web server is spending resources serving up images that have nothing to do with my own web site.

Amazingly (and rather rudely) the leecher didn’t give me a link back at all. He just took a URL to the image source; presumably right clicking on the image whilst reading my blog, obtaining the URL to the image file and before you could say, “Arrgh Matey’s, I’m going to steal this!” he had the image referenced on his own site. WordPress somehow picked this up. My WordPress installation is tightly locked down and has very restricted access to any logging. Certainly nothing that would have picked up a leecher. The WordPress API web service must have identified the image reference as an incoming link. Marvellous!

Now, how do I stop this behaviour? If I was using CPanel, I’d have just turned Hot linking off from the panel options. If I was using Apache on Linux, I could use .htaccess to create a rewrite rule in order to deny all access to images by external websites. However with IIS 6.0, this isn’t easy as there is no way to do anything this useful. IIS 6.0 is a woefully basic web hosting platform, but it can be extended with third party software. I’ll explain how below. But first, take a look at the leeched page before and then after.

Before In my opinion, leechers suck.

AfterBurnt.

How to do it?

You would have thought that with all the websites hosted on Windows Server 2003 or earlier there would be an article on the internet like this one addressing this issue. Guess what? There isn’t. This is absolutely unbelievable, either every Windows System Administrator is using one of the (rather expensive) third party solutions to this or they’ve rolled their own and kept it a secret.

Anyway, if you want to do something similar here’s a walkthrough:

How to stop leeching with Internet Information Services 6.0 (and possibly 5.0 and 7.0)

There are two components available which can provide .htaccess-like Apache rewriting functionality for IIS. These are Helicon Tech’s ISAPI_Rewrite ($99.00) or Ionic’s ISAPI Rewrite Filter (FREE). Originally Helicon Tech’s rewrite addon was the only one available and was quite a lot more expensive than it is now. Even earlier this year, Ionic’s ISAPI rewrite filter had many bugs and performance issues. They’re now fixed so I’m going to explain how it works here.

1. Download Ionic’s ISAPI Rewrite Filter

IS API means “Internet Services API” and ISAPI Filters are external library controls, usually written in C/C++ which are called prior to serving any resource request. Ionic’s ISAPI Rewrite Filter allows you to specify some rules in an .ini file for Windows’ IIS in a similar way to a .htaccess file in Linux’s Apache.

2. Create a directory for Ionic’s ISAPI Rewrite Filter

Create a directory (e.g. “C:\IONIC_ISAPI_REWRITE”) and copy the IsapiRewrite4.dll file to it. Also create a new file called IsapiRewrite4.ini and copy the below code into it:

#blocks any hotlinking, except for google, msn, yahoo crawlers, google image search
#also allows hotlinking/viewing of logo images
RewriteCond %{HTTP_REFERER}         ^(?!HTTP_REFERER)
RewriteCond %{HTTP_REFERER}         ^(?!http?://(?:www\.)yoursite\.com/)   [I]
RewriteCond %{HTTP_REFERER}         ^(?!http?://(?:images\.|www\.)?(cache|google|googlebot|yahoo|msn|ask|picsearch|alexa)\..*)   [I] 
RewriteCond %{HTTP_USER_AGENT}        ^(?!.*google|yahoo|msn|ask|picsearch|alexa|clush|botw.*) [I]
#apply restrictions above to all images, except logo images
RewriteRule .*(?!logo).*\.(?:gif|jpg|jpeg|png)$     /images/nogo.jpg   [I,L]

RewriteRule ^images/nogo\.jpg$/     images/nogo.jpg [I,L]

Code credit: David Bee [http://www.codeplex.com/IIRF/Thread/View.aspx?ThreadId=22290]
There is likely to be more a more elegant solution, suggestions welcome!

3. Set permissions on the directory for the interactive user

Set security permissions to allow for reading. This will be IUSR_[SERVERNAME] (replace SERVERNAME with your server name). Right click the directory and select Properties, then the Security tab.

4. Enter the filter into Internet Information Services (IIS) Manager

Decide whether you want this filter to apply to all your websites or just one. If you want the above rules to apply to all websites on the server, right click the “Web Sites” folder in IIS. If you just want to apply to one website, right click the website node. Select Properties and then the ISAPI Filters tab.

Add the filter. Give it any name you like and browse to the IsapiRewrite4.dll file. Select OK.

5. Restart IIS

Right click the server node in IIS and select “All Tasks->Restart IIS”. This is required whenever you make changes to the ISAPI Filters for any individual websites or the server.

6. Done

Test. Link the image from another server (or create your own HTML file that links the image from a different machine). Sit back and relax. Experiment with the rules. It’s possible to prevent access to all kinds of files, or to redirect the user when requesting certain file types, like bandwidth-intensive installer executables or zip files.

Why not turn the tables, replace the image with an advert?

I was tempted, but since this blogger has zero readership I don’t see the point. Of course, it is possible to replace the image with anything you like. I’ve known some web hosts to redirect leeched images to all kinds of images, even pórnográphy. Novice bloggers be warned. Always host your own images. Never insert an image using a URL that isn’t on a friendly server that allows hot linking.

Also I don’t want more attention from this site. I’d rather deny the resource request at the server and save my own bandwidth.

Quick social comment (skip this if you want to miss the rant)

99% of the script-kiddie hacking attempts that I get, including splogging and leeching, come from the United States. Of these mischievous internet users that I have traced, they all appear to be kids with rather immature MySpace or Bebo accounts or with poorly put together websites. I’m puzzled as to why this is. Has anyone noticed any similar patterns, and more importantly does anyone have any ideas as to why this demographic (14-18 year old American males) are disproportionately represented in my firewall black list? When I was their age I used to get my kicks by eagerly awaiting the monthly edition of “Micro User” magazine (later, Acorn User) so I could get my hands on the latest shareware. First I would be typing out the listings in the magazines for my own games. It would take all day to put together a simple draughts game. Later (out of desperation for entertainment) I’d learn to hack the extra levels and security protection out of cover disk games. Are kids these days so bored that they have no attention span to do something constructive, to write some software instead?

Opinions as ever are welcome. Type a piece of your mind below!