Image Thieves | June 3, 2004

I noticed several weeks ago that were deep linking to my images. This meant that not only were they using my images without permission, but they were piggybacking on my bandwidth as well. My host is currently charging me a small fortune for extra bandwidth so you can imagine that I was a little bit pissed off.

I wrote a short, sharp email asking them to stop, but unsurprisingly heard nothing back. I thought about using .htaccess to redirect them to some alternative content. In the past I've done this when people deep linked to the games on the message site. In that case, you got served with a swiff explaining that people were stealing the games, a link to the games section on our site and a request that people dobbed in the thieves.

Another option was to post up some rude or offensive image. As the site owners probably already had the images in their cache, they would see the old image, while new visitors would get to see something nasty. I entertained this notion for about 5 minutes, but decided it was a little juvenile.

In the end I've just added a .htaccess file to my image directory that denies access to any images called from outside the site. It won't stop people from lifting the images, but at least it stops them stealing my bandwidth. I believe that this method may cause problems for a few legit visitors who are accessing the site content through a server cache, so sorry if I've caused you any inconvenience.

If you are at all interested in the contents of my .htaccess file, here it is. Don't ask me to explain it because I'm no server guru and pretty much lifted it off another site.

SetEnvIfNoCase Referer "^" locally_linked=1
SetEnvIfNoCase Referer "^$" locally_linked=1
SetEnvIfNoCase Referer "^" locally_linked=1
SetEnvIfNoCase Referer "^$" locally_linked=1
SetEnvIfNoCase Referer "^$" locally_linked=1
<FilesMatch "\.(gif|png|jpe?g)$">
  Order Allow,Deny
  Allow from env=locally_linked
</FilesMatch>

Posted at June 3, 2004 7:31 PM
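
The allow/deny decision those directives make, modelled in Python as an added example (not the post's own code). The host example.com is a placeholder, and the function names and sample Referer values are constructed for illustration. It also compares an anchored, escaped pattern with a loose one to show why the hostname needs a boundary after it.

```python
import re

SITE_HOST = "example.com"  # placeholder: the post's real host is not in the listing

def strict_rules(host):
    """Anchored allowlist: own pages (with or without www.) plus empty Referer."""
    h = re.escape(host)  # literal dots, so "exampleXcom" cannot match
    return [
        # Host must be followed by "/" or end of string.
        re.compile(r"^https?://(www\.)?" + h + r"(/|$)", re.IGNORECASE),
        # Empty Referer: typed URLs, some proxies and caches.
        re.compile(r"^$"),
    ]

def loose_rules(host):
    """Same intent, but with unescaped dots and no boundary after the host."""
    return [
        re.compile(r"^https?://(www.)?" + host, re.IGNORECASE),
        re.compile(r"^$"),
    ]

def image_status(referer, rules):
    """200 if any rule would set locally_linked, else 403 (Order Allow,Deny)."""
    value = referer or ""  # a missing header is modelled as an empty string
    return 200 if any(r.search(value) for r in rules) else 403

# Constructed sample Referer values.
SAMPLES = [
    "",                                    # no Referer sent
    "http://example.com",                  # site root, no trailing slash
    "HTTP://WWW.EXAMPLE.COM/archives/",    # case-insensitive match
    "http://www.bloglines.com/myblogs",    # web-based aggregator
    "http://example.com.other.test/page",  # lookalike host sharing the prefix
    "http://wwwXexample.com/",             # only matches if "." is unescaped
]

def report(host=SITE_HOST):
    """Return (referer, strict_status, loose_status) for each sample."""
    strict, loose = strict_rules(host), loose_rules(host)
    return [(r, image_status(r, strict), image_status(r, loose)) for r in SAMPLES]

if __name__ == "__main__":
    for referer, strict, loose in report():
        print(f"{referer!r:45} strict={strict} loose={loose}")
```

The aggregator row is denied under both rule sets, and the last two rows are the ones where the loose pattern lets a foreign page through.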


Robin said on June 3, 2004 8:47 PM

I ran into something similar a while back on my site and went the .htaccess route as well, though I structured it a bit differently. I wanted to be able to link directly to my images on forums I frequent and still disallow unauthorized access - so I made a “whitelist” of sorts.

Here’s my file contents:
RewriteEngine on
RewriteCond ^http://(www.)?*$ [NC]

RewriteCond %{HTTP_REFERER} !^http://(www.)?*$ [NC]
RewriteRule .*[Jj][Pp]?[Gg]$|.*[Gg][Ii][Ff]$|.*[Pp][Nn][Gg]$ leech.gif [R,L]

Which will redirect unauthorized linkers to this image:

Tempting as it was to redirect them to something distasteful, I decided I’d spend that 1K of bandwidth advertising for my site instead.

Robin said on June 3, 2004 8:51 PM

Oops, looks like my image that showed in the preview below didn’t make it through to the post - here’s the link:
Leech image

I also tried to use your <pre class=”example”> in my post and it previewed fine, but got stripped out on posting. Oh well.

Eric TF Bat said on June 4, 2004 12:09 AM

You can replace the first four lines (but not the fifth) with this one line:

SetEnvIfNoCase Referer "^http://(www.)" locally_linked=1

Regular expressions are cryptic line noise at first, but they’re seriously Good Value. Regardless of your hourly rate, if you take the time to grok them in their fullness, they’ll repay you within days. There aren’t many really difficult technologies that I’d say that about without hesitation.

Jack said on June 4, 2004 2:31 AM

Yeah, it does cause a few problems for people who use web-based aggregators like Bloglines or Kinja. But a simple click-thru and the image displays (as long as your caching isn’t very aggressive).

Richard@Home said on June 4, 2004 8:51 AM

Would this be better in the httpd.conf file? That way it would only get parsed once for all requests and not once per request. You could limit its scope to just your image directories to further cut down the overhead.

orban said on June 4, 2004 9:45 AM

I use Bloglines and now I have to visit your site to view the images. Thanks.

James Wheare said on June 4, 2004 11:20 AM

Both of the options suggested here send my server into a fit of 500 Internal Server errors. Any ideas why?

Andy Budd said on June 4, 2004 1:23 PM

Probably just a permissions thing.

alastairc said on June 4, 2004 2:44 PM

I’m afraid I went the juvenile route, can you guess which one it is?
(It is only mildly offensive, but does kind of stand out ;)