Stopping MySpace leeches

Only a few days ago did I write an utterly scathing rant about MySpace users on a div overlay I released to the public, extremely annoyed at the fact that my latest work was already quickly being ripped off by the MySpace sphere, slaughtered and pixellated before appearing on their own profiles. While some of the users that had done so were just teenagers, even supposed web developers had gone so far as to rip the entire block of code and leech all of the assets from my server. These people had blogs. These people had the ability to write code themselves. It left me wondering about the viability of anything they write as being authentically theirs.

I’m not making money off of my layouts or the time I put into them, and making money isn’t the issue. I’ll release all of the code as Creative Commons in due time; why is it that everyone on MySpace is so impatient? I sent a few people what were effectively non-legal cease-and-desist letters, saying they were copying my work and violating not that awful DMCA but MySpace’s own Terms of Service. I have no reason or want to deal with lawsuits for these people, and to be honest I don’t believe in DMCA’ing people over this stuff anyway.

Meanwhile, since the leeches really would never cease to exist, I had to find a way to protect assets on my server from being leeched and unnecessary bandwidth being used by third parties. The images on my MySpace profile should, well, be referenced by my own MySpace profile; I can’t be expected to give my bandwidth to the world. (Also, real pirates would probably be intelligent enough not to leech my images and have referrers to hyalineskies from their profiles showing up in my logs.) That said, if you need to stop your image, music or Flash content from being leeched on MySpace and sucking up precious bandwidth, all you’ll need is Apache and a common extension known as mod_rewrite. If you’re using most popular hosts, such as Dreamhost or MediaTemple, Apache and mod_rewrite are installed.

What’s mod_rewrite, anyway?

Any web developer knows the power of Apache’s rewrite engine, known colloquially by its Apache extension module name, mod_rewrite. mod_rewrite allows you to change URIs and redirect users on the fly or forbid them from accessing certain things. (For geeky types, it’s what powers the “pretty permalinks” on most blogs and plenty of REST-style APIs.) If you’ve ever used an anti-leech .htaccess before, WordPress permalinks, or maybe even your favourite web application, you’ve seen mod_rewrite in action.

For our use, we’re going to use mod_rewrite to restrict the places from which people can access images and media on a remote server. For example, we may want our images and mp3 files accessible from our own MySpace profiles, such as in my case www.myspace.com/hyalineeston, but not from some other guy’s profile, such as www.myspace.com/tom (That’s right, Tom, no leeching from me!) In any of these cases, we’ll need to tell Apache (the web server) to redirect those attempting to access forbidden files to access an anti-leech image instead (mine references an image that reads “this profile is stolen” in a pixel font; if you wanted to be really geek-lethal, you could always use Goatse (link goes to a clean Wikipedia page, don’t worry.)) In either case, those attempting to leech your images will have the anti-leech image appear instead of the images that they wanted to show up.

Working with mod_rewrite: Copy/Paste Edition

mod_rewrite is a beast within itself, and it is so complex that I could write a series of articles on using it. If you’re an über-geek with the ability to write Regular Expressions, Apache has official documentation on the module. For the purpose of this tutorial, however, we’re not going to worry about it. Open up your text editor, such as Notepad or my favourite TextMate, and create a new file.

Before we write any mod_rewrite code, you’ll need your MySpace Friend ID (in my case 16608804) and your MySpace URL (in my case www.myspace.com/hyalineeston.) If you’re this advanced with MySpace hacking, I shouldn’t have to explain how to retrieve your Friend ID; you can google for multiple tools to help you out in that regard. You’ll also need an image to link to that lives outside of the directory you are protecting (in my case, I have antileech.gif on a different domain.) You’ll need the full URI to that image, not just the name of it. At this point, copy and paste the code below into your text editor:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.|profile\.)?myspace\.com.*(useruri|friendID).* [NC]
RewriteRule \.(gif|jpg|jpeg|png|swf)$ antileechurl [R,NC]

You’ll then want to change useruri to your MySpace URI (mine is hyalineeston) and friendID to your friend ID. Once you’ve done that, change antileechurl to the full URI to the anti-leech image. Save the file as htaccess with no .txt or other such suffix and upload it to the directory where all of your images are. Once you’ve got it in the proper directory, rename the file on the server to .htaccess.

Warning: It’s best not to put this file in the root (/) directory of your domain unless you’re hosting your anti-leech image elsewhere; otherwise, a request for the anti-leech image itself matches the rule and is redirected again, and you’re going to cause an endless rewrite disaster when someone attempts to hit any image on the server from the outside. The rules in an .htaccess file apply to the directory the file sits in and to all of its children. There’s also a chance that you already have an .htaccess file on your server; if so, you’ll need to append these lines to the end of the existing one. Overwriting the existing .htaccess can cause some things to break badly.

Once you’re done, check your profile. If you have broken images, chances are you messed up the code above — mod_rewrite (and a regular expression in general, which is what that weird symbolic RewriteRule is) is not forgiving and will break if you don’t have things absolutely perfect. Make sure you didn’t delete the pipe (|) or parentheses or other such things, and make sure you don’t have unnecessary line breaks. If you navigate to the directory and get an Internal Server Error, you’ve broken the .htaccess.

Note also that the code above makes the images in the directory available only from your MySpace profile and almost nowhere else. If you try to reference them from anywhere else, including your own domain, Apache will hand you the anti-leech image. If you want to add your own domain to the list, add

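RewriteCond %{HTTP_REFERER} !^http(s)?://(.*\.)?yourdomain\.com [NC]

above the first RewriteCond and below RewriteEngine on, where yourdomain.com is your domain (such as hyalineskies.com). Keep the backslash in front of each dot in the domain name so that the dot is matched literally.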

Nuh uh, smart guy

Those experienced with mod_rewrite may call me out and say that the RewriteCond with !^$ allows more than just your profile to access the files: it allows any request with a blank HTTP_REFERER to access them, which is true. Why did I do this? Many personal firewall applications, such as Norton Internet Security on Windows, strip the HTTP_REFERER from outgoing HTTP requests. For anyone running such a firewall, the images would break and the profile would appear to be stolen. I didn’t want this to happen. If you don’t care about those users, then simply delete that RewriteCond.
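To check what the rule set will do before uploading it, here is a small Python model of how Apache evaluates the conditions above, including the optional own-domain line and the blank-Referer line. It is an added example, not code from the original post; the function names build_conditions and decide are hypothetical, and the sample requests are constructed.

```python
import re

# Constructed sample values taken from the article's own examples.
USER_URI, FRIEND_ID, OWN_DOMAIN = "hyalineeston", "16608804", "hyalineskies.com"

# RewriteRule pattern: only these extensions are protected ([NC] = ignore case).
PROTECTED = re.compile(r"\.(gif|jpg|jpeg|png|swf)$", re.I)


def build_conditions(user_uri, friend_id, own_domain=None, allow_blank=True):
    """Patterns of the RewriteCond lines; each is negated ("!") in .htaccess."""
    conds = []
    if own_domain:  # optional own-domain line, placed first
        conds.append(re.compile(
            r"^http(s)?://(.*\.)?" + re.escape(own_domain), re.I))
    if allow_blank:  # the "!^$" line: a blank Referer is let through
        conds.append(re.compile(r"^$"))
    conds.append(re.compile(
        r"^http(s)?://(www\.|profile\.)?myspace\.com.*(%s|%s).*"
        % (re.escape(user_uri), re.escape(friend_id)), re.I))
    return conds


def decide(path, referer, conds):
    """Return 'serve' or 'redirect' for one request (no Referer header = '')."""
    if not PROTECTED.search(path):
        return "serve"  # RewriteRule pattern does not match this file type
    # RewriteConds are ANDed; a negated cond holds when its pattern does NOT match.
    if all(c.search(referer) is None for c in conds):
        return "redirect"  # Referer is on no allow-list line
    return "serve"


# Constructed requests: (path, Referer).
SAMPLES = [
    ("/img/header.png", "http://www.myspace.com/hyalineeston"),
    ("/img/header.png", "http://www.myspace.com/tom"),
    ("/img/header.png", ""),
    ("/img/header.png", "http://hyalineskies.com/blog/"),
    ("/img/antileech.gif", "http://www.myspace.com/tom"),  # loop from the Warning
]

if __name__ == "__main__":
    base = build_conditions(USER_URI, FRIEND_ID)
    with_domain = build_conditions(USER_URI, FRIEND_ID, OWN_DOMAIN)
    for path, ref in SAMPLES:
        print(path, repr(ref), decide(path, ref, base), decide(path, ref, with_domain))
```

The antileech.gif row is redirected like any other image, which is why the anti-leech image has to live outside the protected directory.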

It doesn’t stop piracy

Note that this little .htaccess hack doesn’t effectively stop piracy; it just makes it slightly harder, and anyone that wants to rip off your page still can. The point of this isn’t really to curb piracy but rather to save your own bandwidth from incompetent MySpacers who steal your HTML/CSS code and try to freeload as many of the images from you as possible.

As I’ve said numerous times before in articles about DRM, piracy can’t be stopped: it exists whenever the user’s expected utility of piracy outweighs the risk of penalty and/or their buyer value is too low to pay for something. If you want to stop piracy, you’re fighting a much larger battle, and mod_rewrite isn’t going to save you.