>Is there a way in IIS (or should it be done via ASP code?) that I could
>limit the domains that could pull that info?

As Kristofer mentions, the most primitive way to combat hotlinking is
an ISAPI filter on the referer field. However, while this may make a
palpable dent in the reuse of your images for malicious purposes
(depending on the skill of any abusers, who can get around the filter
if they are dedicated), it may also make a dent in the number of legit
users who can view the images, since the referer field simply is not
always present. If you tightly control the browser versions and
proxies of _all_ of your legit users -- basically, if they're your
employees -- you could get away with the referer filter alone. But I
do think it's a can of worms for a public website.

However, there are more robust solutions available. One that I've
used is streaming image files on-the-fly with random names. This
means that you are actually assembling the response stream in ASP (I
actually did this in PHP, but the same concepts apply) before sending
it back to the client, rather than letting IIS stream the pix directly
from your disk. Your ASP reads the file from disk and sends back an
image/jpeg stream, for example; the IMG links are to .ASP files. In
this way, you can generate new file names each time using an internal
algorithm that outsiders will never see. Even better, some people
suggest rotating the same random file names across your links, to make
outside hotlinkers look like fools by having the IMG links load, but
load different content than they were expecting. Or you can have
outdated filenames all bring up the same "Stop hotlinking" image.

However, bear in mind that a technique like this is sure to slow down
image delivery, since the code has to be run through the preprocessor
and can't compete, as far as I saw in testing, with IIS just grabbing
the file straight off disk. Because of the overhead, you may want to
use an image cache and let each image be hotlinked for even a full day
before expiring it. Depends on your traffic patterns.
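
The rotating-name scheme described in the post above, sketched as an added example that is not part of the original post or the poster's code. It assumes the "internal algorithm" is an HMAC over the image id and the current day; the secret, the image catalogue and the placeholder path are constructed values.

```python
import hashlib
import hmac
from datetime import date

# Assumptions (not from the post): secret, catalogue and placeholder path.
SECRET = b"replace-with-a-server-side-secret"   # constructed value, never sent to clients
IMAGES = {"logo": "img/logo.jpg", "banner": "img/banner.jpg"}  # constructed catalogue
PLACEHOLDER = "img/stop-hotlinking.jpg"
ROTATION_DAYS = 1  # the post suggests letting a name live for a full day


def window(day: date) -> int:
    """Number of the rotation window that contains `day`."""
    return day.toordinal() // ROTATION_DAYS


def public_name(image_id: str, day: date) -> str:
    """Opaque name to put in IMG links for `image_id` during `day`'s window."""
    msg = f"{image_id}|{window(day)}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:20]


def resolve(requested: str, today: date) -> str:
    """Map a requested name to the file the script should stream.

    Names from an earlier window, and names that were never issued,
    all fall through to the same placeholder image.
    """
    wanted = requested.encode("utf-8", "replace")
    for image_id, path in IMAGES.items():
        current = public_name(image_id, today).encode()
        if hmac.compare_digest(wanted, current):
            return path
    return PLACEHOLDER
```

The page template calls `public_name()` when it renders each IMG link, and the image-serving script calls `resolve()` and streams the returned file with the matching content type.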