Post #81

Bandwidth theft and flame-bait

29th December 2003, early evening | Comments (28)

Well well, after a nice break for Christmas, I returned to my blog to find two rather annoying things: firstly some complete arse has taken to posting aggressive and rude comments here; and secondly, that a very busy site had linked directly to the three greetings cards I displayed in an earlier post, with no mention of me or my site (I left a comment, but they didn’t do anything about it).

How was I to deal with those two things with a tummy full of turkey?

Bandwidth theft

The bandwidth thieves were easy to deal with, I simply altered my .htaccess file to map any external requests for images to a *cough* pornographic *cough* image. This means that for the last four days, when the site in question has requested the images from my server, an interesting scene involving numerous men and a hard working lady has been sent in their place.

Normally I wouldn’t have taken such measures, but I was rather annoyed at the large amount of hits my server has taken through this site, and the fact that I got no mention in their post at all. Hopefully it’ll teach them not to be so anti-social.

You might be wondering why they haven’t taken the porn down and made local copies of the funny cards? Well, the slightly amusing thing about this is that because the path to the image isn’t altered by the .htaccess file, if you already have my cards in your browser cache you won’t see the porno image, only the original pictures you downloaded from my site. So to the cache-viewing site owners the page still shows the three greetings cards. To all the new visitors though, their front page will have taken on a slightly racier tone.

The code I’m using to stop bandwidth leaching from this specific site is:

  1. #RewriteCond %{HTTP_REFERER} ^http://(www\.)?foobar\.com/ [NC]
  2. #RewriteRule \.(jpe?g|gif|bmp|png)$ images/nohotlink.jpg [L]
  3. Download this code: 81a.txt

You can find other examples on the altlab site.

(I’ll probably instigate a nicer, global rule as well, pointing towards a child-friendly 403 page with a full explanation of why bandwidth theft and nicking content is a bad thing.)

The rude person

The rude guy was slightly less easy to deal with, but his actions did spur me on to write a comment moderation script, as well as an IP address blocker.

The comment moderation script is active, by default, on any posts over a week old (though I can activate it on any post) and seems to be working fine. The IP blocker is still a bit beta — it works fine (denying access to the comment form for those bad boys and girls) but at the moment I don’t know how to differentiate between static and dynamic IPs, so in theory I could end up punishing an innocent user. I am trying to find a way around this though, and if anyone knows how to differentiate between static and dynamic IPs I’d appreciate a comment below.

This is what blocked users will see in place of the comment form:

Commenting from your IP address is not allowed. At some point in the past a user with your IP address has written something (usually offensive) which has resulted in the blocking of this feature. If you feel there’s been some mistake then please contact me and we can see about un-blocking you.

This was the first time I’d ever had offensive comments on my site (or by email) and I must say it was extremely frustrating. I longed to find the guy and throttle some sense in to him — nothing makes me madder than being called something I’m not, and having to deal with people who won’t see sense.

However, I responded to his comments in a sensible, informative way, putting straight his misconceptions and asking for his contact information so we could continue the discussion by email, but he simply ignored the facts I presented to him and came back with more abuse. After three bouts of crap-and-reply, crap-and-reply, crap-and-reply I gave in and wiped him out the database — I don’t see why I should have to put up with that sort of thing on my own site (especially when it was all unfounded).

I don’t want anyone to have a bad impression of me, and generally do all I can to show people I’m a very friendly, open chap, but when someone is so obviously filled with spite there’s little you can do to change their mind.

Someone else also posted an inflammatory comment, but I left that one in, thinking that at least I could use their words to illustrate a point.

Ah well, at least my blogging software is better for the experience.

Jump up to the start of the post


Comments (28)

Jump down to the comment form ↓

  1. Rands:

    I think whenever you reach a certain sized population of folks reading your site, you're likely to run into twits/flame bait -- it's one of the taxes of putting your opinions out there for all to see.

    I like the idea of comment moderation, but I believe it means you still have to ascertain whether or not the comment is flame bait or not which means... well... you have to read the garbage. That sucks.

    I think having folks interested in posting to you site having to register with a valid email will get rid of the average troll who is just bored / useless / twitish. I'm using MT and it sounds like they're headed in that direction.

    Good luck.

    Posted 1 hour, 9 minutes after the fact
    Inspired: ↓ Dunstan, ↓ Craig C
  2. Dris:

    That's the funniest method of thwarting hot-linkers ever. And I love the eloquent phrasing: "Numerous men and a hard-working lady." Priceless.

    As far as the morons go, there's not much you can do about them. They'll always be there, especially online. Heck, there are many who are bold enough to act like pricks in person, even when the Internet doesn't provide anonymity.

    Simplefix might as well have just insulted himself with the way he ended his comment. Do a Google search for "AOL Translator". Great stuff.

    Idiot1. Hmm... Well, I don't think I can say much that will make him sound even more laughable, besides having started his post with, "this site sucks in IE6". At least he was a *little* informative. :P

    Anyways, the thing to remember is that these occurrences are few and far between. I don't think it's worth it to have an email signup to comment on a blog; you'll drive away potential comments, and it won't keep away the most devout losers. After all, trolls still appear on forums, don't they? The best thing to do is probably moderate in the few instances that these things happen.

    Posted 1 hour, 35 minutes after the fact
    Inspired: ↓ Dunstan
  3. Sian:

    The trappings of being rich and famous with knobbly knees.

    I'm quite proud to say that I had my first moaning comment on my site this week (I don't normally get comments) but having lived through my forums with some stupid arse making it difficult for others you have my full sympathy. And secondly good for you for being able to code an IP blocker thingy.

    Right, back to my Photoshop 7 book.

    Posted 2 hours, 3 minutes after the fact
    Inspired: ↓ Dunstan
  4. [m]:

    I always wonder how old these guys (or girls, you never know ;) ) are. Are they allowed unsupervised access to the internet? Isn't their mommy watching?

    Your "bandwidth-protection-plan" isn't really bandwidth protecting, just very, very funny. It should've linked to an outside picture, now you're still gettin' the bill, if the site owner happends to be the same person mentioned above.

    On a side-note: What's Dunstan doing with the occasional picture of a scene "involving numerous men and a hard working lady"? ;) Surely you don't have them just for such an occasion, where there are bytes being stolen?

    Posted 2 hours, 42 minutes after the fact
    Inspired: ↓ Dunstan
  5. Dunstan:

    I think that registration with a valid email address might stop the very casual flamer, but it's not that hard to get a hotmail or yahoo one, so I think, on balance, that that system would do more harm than good.

    I'd much rather read the rubbish than have you guys go through a registration process, however simple.

    But thanks for the suggestion Rands, ideas are always welcome :o)

    Posted 2 hours, 53 minutes after the fact
    Inspired by: ↑ Rands, ↑ Dris
    Inspired: ↓ Craig C
  6. Dunstan:

    "The trappings of being rich and famous with knobbly knees."

    I have an aunt who will contest to the allure of my knees - when I was little she was always "Oooh, look at those lovely knees!" Though maybe that's just what Aunts do?

    Anyway, they now have quite a high opinion of themselves, so well done for bringing them back down to earth with your 'knobbly' comments, Sian ;o)

    Posted 3 hours, 1 minute after the fact
    Inspired by: ↑ Sian
    Inspired: ↓ Sian
  7. Dunstan:

    "Your "bandwidth-protection-plan" isn't really bandwidth protecting..."

    Yeah, I know, but I figured it was worth it for these guys, and anyway, to link to an external image would make me guilty of bandwidth theft :op

    "On a side-note: What's Dunstan doing with the occasional picture of a scene 'involving numerous men and a hard working lady'?"

    Umm, err... it, it came in a spam email. Yes, that sounds plausible...

    Posted 3 hours, 17 minutes after the fact
    Inspired by: ↑ [m]
  8. Sian:

    My pleasure *bows*

    Its a very difficult situation to find the right balance. I would be quite happy to create an account which I would sign up to if I had the facility to edit my posts for spelling errors etc.

    Posted 3 hours, 42 minutes after the fact
    Inspired by: ↑ Dunstan
    Inspired: ↓ Dunstan, ↓ Steven
  9. Dunstan:

    Oooh, now that's a great idea, Sian.
    I think I might look into that when I get a mo.

    Good thinking that girl!

    Posted 3 hours, 52 minutes after the fact
    Inspired by: ↑ Sian
    Inspired: ↓ Steven, ↓ Sian, ↓ Sian
  10. SĂ©rgio Carvalho:

    If you want to know whether an IP is dynamic, one solution can be DNS-based spam blacklists (e.g. http://www.dnsrbl.com/useus.html).

    Posted 4 hours, 56 minutes after the fact
  11. Steven:

    The ability to edit your comments once they are posted is a great idea and is very easy to implement. Unless you use a member database instead of cookies, if you clear your cookies, or your browser automatically clears them on exit then you are pretty much screwed.

    It looks like Movable Type is taking a step toward a member database comment system which could ultimately kill 95% of the spam on weblogs in the future. The only problem I have with that is I do not wish to register for all the weblogs that I visit daily and leave comments at.

    Posted 10 hours, 30 minutes after the fact
    Inspired by: ↑ Sian, ↑ Dunstan
    Inspired: ↓ Sian
  12. Bashtard:

    To add to the example .htaccess

    If you are applying the Rewrite to multiple domains it looks as such:

    RewriteCond %{HTTP_REFERER} ^http://(.*.)?foobar.com(/)?.*$ [NC,or]
    RewriteCond %{HTTP_REFERER} ^http://(.*.)?boofar.com(/)?.*$ [NC]

    Notice the 'or' statement.

    You can have multiple domain entries as long as the final entry is an [NC] by itself.

    Example, my .htaccess which has 7 domains that are currently viewing a slightly more disgusting version of pornography if they attempt to hotlink.

    Let me tell you.. the Danish LOVE the shemales!!

    Posted 14 hours, 3 minutes after the fact
    Inspired: ↓ Sian
  13. Anon:
    Posted 18 hours after the fact
  14. Colin D. Devroe:

    Bandwidth stealing is something that I feel is a harsh offense in Internet Law. Or should I call it Internet courtesy. There are times when linking to content is not a bad thing, however using it on your page, when it's source is not available to you locally is definately something that any "novice" should figure to be wrong. It could actually cost people money, and often does.

    However, as far as flame bait, I am all for the Admin of the site having the power to remove malicious messages. But I always have felt, at least here in the U.S., that Free Speech is exactly that. So I am always very hard pressed to totally remove a comment. Usually I will be sure the right words are scrambled, without changing the user's message. And blocking all together is something I don't think I will ever do. But, this is at the will of the Admin, in my opinion.

    Posted 21 hours, 35 minutes after the fact
    Inspired: ↓ Sian, ↓ Tanny
  15. Sian:

    Steven: "The only problem I have with that is I do not wish to register for all the weblog's that I visit daily and leave comments at."

    Good point, perhaps for such websites you could post without signing up for an account with the option of letting the comments post with or without admin moderation. The enticement to sign up for an account would be the ability of being able to edit what you've posted. Personally being able to correct spelling errors, typo's and content would be an enticement.

    Colin: "However, as far as flame bait, I am all for the Admin of the site having the power to remove malicious messages. But I always have felt, at least here in the U.S., that Free Speech is exactly that. So I am always very hard pressed to totally remove a comment. Usually I will be sure the right words are scrambled, without changing the user's message. And blocking all together is something I don't think I will ever do. But, this is at the will of the Admin, in my opinion."

    Another good point and I agree that it's down to a sites owner to decide what their tolerance threshold is, especially when it's a personal blog.

    Posted 1 day after the fact
    Inspired by: ↑ Dunstan, ↑ Steven, ↑ Colin D. Devroe
    Inspired: ↓ Zelnox
  16. Sian:

    Bashtard: "Let me tell you.. the Danish LOVE the shemales!!"

    Are you refering to the photograph of Dunstan's "hard working lady", "the slightly more disgusting" version on your website, or just volunteering this information?

    Posted 1 day after the fact
    Inspired by: ↑ Dunstan, ↑ Bashtard
  17. Bashtard:

    Well if you truly want to find out, I suggest you try hotlinking to me and see what "hard working lady" you get!

    She makes me run screaming every time.

    Posted 1 day, 2 hours after the fact
  18. Tanny:

    A friend of mine uses a spam blocking system for his domain that requires an email address. The message is quarantined and an email is sent to the author with a link. When the author of the comment selects the link they get a page with a generated graphic that has letters and numbers they must enter. When they enter the code, they are determined to be a "real" person instead of a spam generating program and the message is taken out of quarentine. After that the person's comments are posted immediately without quarentine.

    I thought it was a nice solution. Kind of a pseudo-registration. This allows you to create a "white list" and easily move a person to the "black list".

    Posted 1 day, 3 hours after the fact
    Inspired by: ↑ Colin D. Devroe
    Inspired: ↓ Ben Meadowcroft
  19. Zelnox:

    Unregistered users could also post limited comments (say in length and/or times), whereas registered users could do more. Good comments can enrich an article. Dunstan gains more control also. For example, everyone gets only 100 characters per comment and a maximal post count of 3 per article per day. Those who register would get a higher upper bounds, say 500 characters per comment and 15 comments per article per day.

    However, would editing comments make nagivating vertical comments here less necessary? For instance, instead of replying, I could just append more text to my original post.

    What do you think?

    Posted 1 day, 21 hours after the fact
    Inspired by: ↑ Sian
    Inspired: ↓ Sian, ↓ [m]
  20. Sian:

    Like yourself Zelnox I wouldn't want to totally exclude those who didn't have an account. To my mind (this is from a user point of view) it could be the same sort of setup as you get on bulletin boards, I'm assuming that it could be done seeing as most bulletin boards also link into a database of some sort. However if this was implemented where do you draw the line between a blog and forum, would it be purely the layout of it?

    I'd still be fully prepared to signup for an account on blogs that I read on a regular basis. But for it to remain a 'blog' for me I wouldn't want a fully featured profile combination.

    Posted 1 day, 21 hours after the fact
    Inspired by: ↑ Zelnox
    Inspired: ↓ Zelnox
  21. [m]:

    Zelnox, I don't think that's such a great idea. Think about this: what if you have done some research on the subject of the post you are replying to, but you can't post it because there's a charactercount restriction. You don't want to sign up and go through the whole process of regestration, so you end up not posting it at all. Valueable content lost.

    The whole idea of subscribers is firstly to keep spam-prevention less time consuming. Secondly to give subscriber extra, well, stuff. I mean, subs and non-subs should have the same post priviledges because what you want to say is the same, sub or not.

    Posted 1 day, 22 hours after the fact
    Inspired by: ↑ Zelnox
  22. Zelnox:

    Hi Sian,

    Differentiation between a blog and a forum is not an issue in my opinion. It does not matter what kind of medium the content is in; I only wish to read the discussion. It is more a preference, like if you prefer tea or coffee. Still, there is a difference between a blog and a forum where the former has a 'host'. The host guides discussion by writing articles. In a forum, anybody (let us say registered) can start their own thread. It is organized in a tree structure, but can be unelegant.

    The amount of detail stored in an user profile can be used for accountability. I believe it is to deter malicious behaviour. Of course, having to give out too much personal information can scare potential users. Wouldn't it be nice if there was a universal account that people could use (MS Passport? Hehe) But then, a spammer would only need one account to hit them all. >_< There should be some safety mechaniasms. Maybe someone (Dunstan? ^_^) should implement a lightweight universal account repository aimed at blogs. Like you said, I agree and think that a full profile is over-kill.

    Posted 2 days, 7 hours after the fact
    Inspired by: ↑ Sian
  23. Zelnox:

    Hi [m],

    I see well your position. I have been in a similar position in a forum.

    What I had in mind to curb spam might have been too draconian (character count for everyone, then easing off the restriction as one receives a higher clearance level). Instead of letting only subs post, some non-subs are allowed to post short comments, so it is not completely restrictive. If you were to write an elaborate comment, yes, it would require registration. But why would it scare you if you are honest? If the problem is about convenience, I think it can be solved by stating that registration is lightweight, meaning the blog would collect only a few information about you. Already, in order to post, you must give a name and an e-mail address.

    A proper solution will require more discussion.

    Posted 2 days, 8 hours after the fact
  24. Ben Meadowcroft:

    "When the author of the comment selects the link they get a page with a generated graphic that has letters and numbers they must enter."

    Bye bye accessibility...

    Posted 3 days, 16 hours after the fact
    Inspired by: ↑ Tanny
    Inspired: ↓ Steven
  25. Web:

    I have had a similar problem with my girlfriend’s ex-boyfriend whom I have never met nor had a conversation with. (aka a Tool)

    Its unbelievable how people can simply just hide behind a keyboard (Keyboard Rambo's) and insult you all day long without even the slightest clue who you are.

    Good luck in squashing this guy. I have already banned his IP address from work, and your HTACCESS trick would be l33t to send his work computer to an alternate reality of porn popups and embedded spyware.

    Thanks, Happy New Year Dunstan I hope 2004 is everything you want it to be.

    Posted 3 days, 20 hours after the fact
  26. Steven:

    Good point, it would probably be best so that when comments are submitted, the author of the weblog has to approve of the comment before it shows up to the public. You could also enable a script, if such works show up in the comment then delete it, etc.

    Posted 5 days, 12 hours after the fact
    Inspired by: ↑ Ben Meadowcroft
    Inspired: ↓ Dunstan
  27. Dunstan:

    All of that's already in place, Steven :o)

    Posted 5 days, 17 hours after the fact
    Inspired by: ↑ Steven
  28. Craig C:

    There could be a half-step between registered and unmoderated that lessens the load on the moderator. Actually, this suggestion is more of a registration workflow alternative than anything else.

    The system flags commentator e-mail addresses as trusted or not. Trusted would be defined as them having made some number of successful posts in the past.

    When a post is made, the trusted commentator gets an e-mail notification. Through it, they may approve their own post. Really this just verifies their e-mail address. Of course the moderator could approve it as well.

    As I say, this is more of a registration workflow suggestion. You have to go through the hassle of the e-mail turnaround, but you don't have to go through the hassle of a login screen and remembering a password.

    Posted 1 year, 9 months after the fact
    Inspired by: ↑ Rands, ↑ Dunstan

Jump up to the start of the post


Add your comment

I'm sorry, but comments can no longer be posted to this blog.