The problem of ad blocking

Drewbert · #1 (**permalink**) 15th-April-2003, 04:43 PM

OK. There are two main ways that adblockers work. One is designed to stop pop-up/pop-under adverts, by intercepting the javascipt call that opens the pop-up window.

Some of them allow you to build a database of the people you will/won't accept pop-up's from.

Now, the nasty ad-blocking method - an explanation requires delving back into the dim dark past of the Internet...

In the early days, there were only a very small number of computers ("hosts") actually connected together via the Internet. So few, that each computer kept a list of ALL the other computers out there in a special file called "hosts". In Unix, it was stored in the location /etc/hosts. This file was updated regularly and sent to everyone who had a computer connected.

All it had in it was a list of host names, and the IP number they were using.

As the number of computers connected increased, this file updating became a chore, and the DNS was born. This allowed people to find the IP number of a host buy asking special computers ("name servers") what the IP number of a computer was.

Even though the DNS has exploded in growth, the "hosts" file still exists and is supported in most (I presume) computers that connect to the Internet. This includes Windows, Apple Mac and Linux.

Now, here's the rub. Most systems are configured so that they check entries in the hosts file BEFORE checking the DNS. So if a hostname appears in the hosts file, the IP # assigned to it in there will be used, ignoring what the DNS would say.

OK. So there exists a method to kill off a website, or divert it to a different location. If you managed to convince people to download a "poisoned" hosts file, you could divert all those users traffic destined to hotmail.com, aol.com, msn.com etc to an IP number of your choice. Luckily, it's a bit difficult to convince people to download a hosts file, and generally hen thye type in msn.com and get to your site instead, they're going to be a little peeved.

So along comes the famous file-sharing network Kazaa, which has been downloaded over 160 million times (just from the cNet download site alone). This software finances it's network by popping up ads. Some people get upset about this, so a Russian company released "Kazaa Lite" which does everything Kazaa does, but is stipped of the ad-display function.

Unfortunately, Kazaa Lite also distributes a poisoned hosts file, and this is installed by Kazaa Lite.

This poisoned host file contains a huge number of host names (domain names) together with the IP address 127.0.0.1

127.0.0.1 is a special IP address known as a "loopback" address. 127.0.0.1 points to your own local computer, no matter who you are. http://127.0.0.1 will display the web server running on your local machine (if one is running) or will just display nothing. Try it - you may find you have a web server running on your computer you didn't know was there!

Now, this hosts file supplied by Kazaa Lite contains the domain/host names of just about every known banner advert serving network on the planet. Commission Junction is listed. Befree is listed. Linkshare is listed.

All those banner ad networks are directed to the IP number 127.0.0.1

This means that when the person's browser asks for an image from a banner network, instead of the DNS telling the browser to get the banner from the correct host on the Internet, the browser asks for it from http://127.0.0.1 - the image doesn't exist at that location, so the banner never shows up.

This is all well and good, if all you want is to stop banners from appearing. The MAJOR problem occurs when you realise that almost ALL of these networks server their banner images from the same hostname as their main website. So if you have a textlink to one of these revenue networks, people with the poisoned hosts file on their computer CANNOT VISIT THAT SITE VIA THE TEXT LINK.

Even if the person has stopped using Kazaa Lite, even if they're de-installed the Kazaa Lite software, the hosts file remains and you will not see ANY revenue from that person when they try to get to blocked sponsors via your website.

Try to imagine just how many computers out there now have a poisoned hosts file on their computer. Try to imagine how much revenue you are losing because of it.

Even worse, it's not only Kazaa Lite that is installing poisoned hosts files. Even "pestpatrol", supposedly a scumware detector, installs a hosts file that blocks legitimate revenue networks.

Now, take a look at a couple of these poisoned host files, ad see if any of your networks or sponsors are listed: You'll need to download and unzip these files, but it's safe as long as you don't move thm into the exact location on your machine that the system expects that file to be.

http://www.kazaalite.com/ (listed as "Host file v1.29 - Blocks ad's and spyware")

http://www.pestpatrol.com/Support/Ho..._Block_Ads.asp contains handy instructions on how to block banner ads, including where the hosts file is located on most computers - the hosts file they recommend is at http://www.pestpatrol.com/Downloads/Misc/hosts

Unfortunately, short of going around and deleting all these poisoned hosts files from every infected computer on the planet, there is little we can do. There is no known way to detect when someone has a poisoned hosts file installed. I'm working on a possible detect javascript, but it's not working yet. :^(

The only way to fix this problem is to convince the ad netwrks and sponsors to stop sering adverts fromthe same domain as they host their website (or take clickthoughs) from.

If they leave their ad servers on the host/domain name that is included in the poisoned hosts file, but MOVE their main website or clickthrough servers to a different name, all this wasted traffic will return.

Commission Junction (the biggest affiliate aggregator?) is working on doing this right now.

Most of the rest don't even realise there's a problem. If you look in those hosts files and find one of your sponsors listed, EMAIL THEM, and tell them they have a problem. Point them to this thread if they don't understand what you're on about (a common problem, I'm afraid).

Dominique · #2 (**permalink**) 15th-April-2003, 04:57 PM

Wow, I have learned a huge amount of info from you. Thank you for posting this!!!

SlyCin56 · #3 (**permalink**) 15th-April-2003, 06:30 PM

Quote:

Captain Stupid?

If you're Captain Stupid, I must have an IQ of 1. :-?

Wow! I'm not one of the technically skilled here, but I managed to follow most of that - THANK YOU, immensely, for sharing your knowledge! It will be put to good use.

Spearmaster · #4 (**permalink**) 15th-April-2003, 07:03 PM

Brilliant, Drewbert... I knew about hosts.sam but that was a beautiful explanation you gave!

Detection should not be that difficult - the great, great majority of people do not use this file, and probably even less use it for ad-blocking purposes.

Normally, there is like one entry - if that - in the file, so a huge file containing certain domains should be automatically suspicious.

One way would to be detect certain domains, especially one which is not commonly blocked but is in kazaalite's list.

Another way would be to check the filesize - if over say 1-2K it is almost certainly poisoned.

Pam712 · #5 (**permalink**) 16th-April-2003, 04:11 AM

Thanks Drewbert - that was great info

Drewbert · #6 (**permalink**) 16th-April-2003, 02:28 PM

The good news is that I have managed to get the javascript detector running, and I've got it set up on a website that gets a fair whack of traffic. So tomorrow, I'll be able to say with some certainty just what percentage of surfers have the ad blocking hosts file set up on their system.

Spearmaster · #7 (**permalink**) 16th-April-2003, 03:13 PM

Why is Drewbert a non-member? LOL...

Can't wait to see these stats

I just wish I had more time to test scripts... or about three more sets of hands...

Drewbert · #8 (**permalink**) 17th-April-2003, 11:33 PM

OK. For the 24 hour period encompassing all of Wednesday 16th April, I monitored how many browsers reported an error retrieving an image from qksrv.net.

Out of 17330 MSIE/Win users who had Javascript switched on, 471 of them couldn't get the image.

This indicates that around 2.7% of the computers out there have a poisoned hosts file installed that is blocking qksrv.net (and the rest).

For me, 2.7% of my CJ revenue is a fairly significant sum.

Especially when added to the amount being lost to BHO's and parasiteware.

Grrrrr.

Spearmaster · #9 (**permalink**) 18th-April-2003, 04:42 AM

Losing even one visitor, as far as I'm concerned, is too much - if he's the recently retired guy who was looking to do something with his money, he I do NOT want to lose

Next question - do we install something which either warns the user, or "fixes" his hosts file?

former member 2 · #10 (**permalink**) 18th-April-2003, 09:59 PM

Quote:

Losing even one visitor, as far as I'm concerned, is too much - if he's the recently retired guy who was looking to do something with his money, he I do NOT want to lose

Amen.

that's the thing about our niche; its not like shaving hits to porn sites where each click is roughly worth only X amount of dollars.

Each click possibly represents $1000s.

Its also the reason I am always after folks to police their sites for links to sponsors that don't pay. every single link is another possible route to supplying a big fish to a sponsor that cheats us; and what does that mean?

it enables those scumbags to hang around a little longer and that means they'll probably get another one of us before its over.

and if you're thinking well; I"ve already cleansed myself of those leeches; so what if it happens that they cheat someone else?

the answer to that is : if it proves a profitable practice ; more of them will be born and we will each have to find out the hard way which casinos are of that breed.