Hotlinked Images


So, there's a few rules on this vast, chaotic anarchy engine which we call the internet. Don't talk in ALL CAPS. Don't feed the trolls. And don't hotlink images without asking. That is to say, if you see a picture on someone's website that you think is nice, don't display that picture on your own site unless you've copied it to your own server first. Because otherwise that person's server is being hammered by the visitors to your site, and if they pay by the meg, you're costing them money. This is why the "without asking" part is so important.

(Clearly this doesn't even touch on the issue of copyright. If we were to start on that though, we'd both be bored and tired long before the end of this article.)

A lot of people, myself included, are usually flattered when someone says they like our images. And if bandwidth isn't an issue we're often happy to let some fledgling blogger or such use the images we were already displaying free on our own sites. But given the financial matters that can lurk underneath those images, it's always prudent to ask rather than assume.

To be fair, this usually isn't a big deal with stuff like small forums as the number of hits is probably a drop in the bucket, and it's not likely anyone's making money off of the results. In those cases I'm personally just happy that someone thought one of my pictures was interesting.

At the other end of the spectrum though are businesses who hotlink a person's images without asking. Now you have a situation where the person whose pictures have been hotlinked could be looking at a bill for a lot of traffic, AND their work is being used to support a company that not only disrespects their copyright, but could clearly afford to just make/license their own pictures and host 'em themselves. I'm not alone in finding this situation particularly insulting.

So guess what happened to me?

Yes, the operator of an Indonesian night club decided that one of my pictures of lasers would make a nice backdrop to their webpage. But rather than contacting me and asking permission to legally use my picture, or hiring someone to make a version that didn't have any royalties attached, they just went ahead and hotlinked that photo on their site. Now every time someone visited any one of their pages, that person's computer would pull the image off my server.

See the green background poking out through the sides? That's not nice.

Fortunately for site owners like me, hotlinking images opens the perpetrator up to retaliation in a way that a lot of other rude internet behavior is shielded from. Especially in the case of corporate hotlinking. Because the same hotlinks that cause the problem in the first place can also be used to take action.

As anyone who's ever tried to make their own site will surely know, the mechanics of web servers and browsers are quite complex. But in this case, there's one simple fact which can be used to great advantage. Whenever someone's computer views a webpage, the server which houses the relevant files will keep a record of the exchange. The record shows not only which files were downloaded, but also which site and page they were downloaded through. These are called referral logs.

Here we see a piece of my referral log. It shows a lot of my own pages, the address of a forum which I've posted a lot of my pictures to, and an unexpected entry. The highlighted address is the Indonesian nightclub's homepage, a site I've never visited before, let alone posted pictures on.
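An added example, not part of the original page: a Python script that does the same referral-log check automatically, listing every outside site whose pages pull images from your server and how many bytes that cost you. It assumes Apache's "combined" log format; the function names, the sample lines and the .example domains are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumes Apache "combined" log format; only path, size and Referer are used.
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" '
    r'\d{3} (?P<size>\d+|-) "(?P<referer>[^"]*)" "[^"]*"$')
IMAGE_RE = re.compile(r'\.(?:jpe?g|png|gif|webp)(?:\?.*)?$', re.IGNORECASE)

def referer_host(referer):
    """Lower-cased host of a Referer URL without a leading www., or ''."""
    try:
        host = (urlsplit(referer).hostname or "").lower()
    except ValueError:          # malformed URL in the header
        return ""
    return host[4:] if host.startswith("www.") else host

def find_hotlinkers(lines, allowed_hosts):
    """Map each non-allowed referring host to its hits, bytes and image paths."""
    allowed = {h.lower() for h in allowed_hosts}
    report = defaultdict(lambda: {"hits": 0, "bytes": 0, "images": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not IMAGE_RE.search(m["path"]):
            continue            # unparsable line or not an image request
        host = referer_host(m["referer"])
        if not host or host in allowed:
            continue            # no Referer ("-"), our own pages, or a permitted site
        entry = report[host]
        entry["hits"] += 1
        entry["bytes"] += 0 if m["size"] == "-" else int(m["size"])
        entry["images"].add(m["path"])
    return dict(report)

# Constructed sample lines: documentation IPs and .example domains, not real logs.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/May/2013:10:00:01 +0000] "GET /img/lasers.jpg HTTP/1.1" 200 184220 "http://photos.example/lasers.html" "Mozilla/5.0"',
    '198.51.100.7 - - [13/May/2013:10:00:09 +0000] "GET /img/lasers.jpg HTTP/1.1" 200 184220 "http://forum.example/thread/42" "Mozilla/5.0"',
    '192.0.2.33 - - [13/May/2013:10:01:12 +0000] "GET /img/lasers.jpg HTTP/1.1" 200 184220 "http://www.club.example/" "Mozilla/5.0"',
    '192.0.2.34 - - [13/May/2013:10:01:40 +0000] "GET /img/lasers.jpg HTTP/1.1" 304 - "https://club.example/events" "Mozilla/5.0"',
    '192.0.2.35 - - [13/May/2013:10:02:02 +0000] "GET /img/lasers.jpg HTTP/1.1" 200 184220 "-" "Mozilla/5.0"',
    '192.0.2.36 - - [13/May/2013:10:02:30 +0000] "GET /lasers.html HTTP/1.1" 200 5120 "http://www.club.example/" "Mozilla/5.0"',
]
ALLOWED = {"photos.example", "forum.example"}   # own site plus a forum posted to

if __name__ == "__main__":
    for host, e in find_hotlinkers(SAMPLE_LOG, ALLOWED).items():
        print(f'{host}: {e["hits"]} hits, {e["bytes"]} bytes, {sorted(e["images"])}')
```

Requests that arrive with no Referer at all are skipped rather than flagged, since browsers omit the header for direct visits and some privacy settings.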

And here we see a piece of the site's source code. Sure enough that's the address of my picture being used as the background image.

So now we know exactly what is being hotlinked and where it's being embedded. The next step is to interfere with it.

The most basic thing to do in this situation is to change the name of the file that's being hotlinked. This'll cause it to disappear off the linker's site. But that's not very satisfying, is it? More fun is to put a different picture in place of the first one, so that people visiting the hotlinker's website get something unexpected (and hopefully off-putting) in place of the picture the perp admired enough to steal.

The downside to this though is that it'll also expose any of your own readers to the same disgusting image if you don't go around changing the links on your own site, and those on any other sites that legitimately use it. So I decided to do one better.

As we covered above, web browsers tell web servers what page they came from when they download files and pictures from them. It turns out this referral information can be used by the web server to show different content to people, depending on how they're arriving at it. And that's exactly what we'll do today.

By inserting the following short piece of code into my Apache server's .htaccess file, we instruct it to allow most people to view images unhindered, but to redirect anyone who arrives by way of a certain Indonesian nightclub to a much different image.

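RewriteEngine On
# Match requests referred from the hotlinking site (http or https, with or without www)
RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?(bdgparty-club\.com) [NC]
RewriteRule ^(.*)$ http://i.imgur.com/Yl4PI5W.jpg [R=307,NC]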

The first part tells it to be on the lookout for the URL of the offending site, even if the person has typed the URL with or without the www part, and even if they make an HTTPS connection.

The second part is there for when a match is found. In these cases the server quietly guides the person's browser to a different picture, without it telling the user anything has happened.


All that was left to do was find an appropriate image. I went to Google image search and started looking around for something suitable. What I found was a picture of a horse doing what horses do best, by one Christiaan Schulte. Then I added a bit of text and formatting in Photoshop, and voila! We see this club's bold new look!

Beautiful, don't you think? I'm sure this tasteful background will be especially helpful in getting ladies' night off the ground. Feel free to have a look for yourself at http://www.bdgparty-club.com/

Okay, I'll admit, it's a bit childish. But it also has the advantage of being a completely legal response. There was no hacking involved, I didn't break into their server or do anything unauthorized like that. I simply moved around some files on my own server to better suit me. It's as though a local business had accidentally published my phone number in their TV commercials, and I, being tired of getting calls for them, began answering each call with a funny voice and pretending to be an incompetent salesman. And that sounds like more fun to me anyway.

Update: Despite their staff being active on Twitter during the time of my little modification, no one did anything about it for 10 hours. Now they're stealing someone else's picture.

Page created May 13th 2013
Last updated May 15th 2013

Heavy horses move the land under me