antiadv
Jeff's SPECIAL PAGE
An ongoing lab on banners removing (in fieri)

Courtesy of fravia's pages of reverse engineering


Well, jeff has found quite a lot of interesting things, as you will see. This is an 'ongoing' lab, so your additions / ameliorations /suggestions are needed and welcome!

On this page you'll find contributions by the following reversers:
[Jeff one] ~ [Jeff two] ~

Jeff (June  1999)

Dear fravia

I find that I must change nearly everything on this page... that I had 'originally' sent to you:
A funny thing happened on the way home from snuffing the banner; most of them started breathing again...
I tested each of these changes in Homesite and ran them thru this editor and they seemed to work just fine. So I shipped them email and proudly had a glass of water ( ) (Theres beer commercial on the boob-tube...says; "Its the water" that makes it good.

Hopeing that these changes would not only work... but also would work undetected by a snoopy bot I soon came to the conclusion that the only proper way to run these tests to find  out if a bot did so; and the only way I would feel comfortable while leaving others wide open to be shut down, was to open an account at each of the mentioned sites instead of testing other peoples web pages in my editor...Haveing done so I soon discovered that most of the script changes that worked in editor did not work in the real 'environment'.
I have no clue why this is so; but the moral of the story is do not trust your edtior while playing with javascript...(or don't trust yourself if you don't have a clue to what your doing...:)
I also found several of these ideas elsewhere ...and were not the accidents... that most of my work is: I will try to go back to several places I have visited and credit those authors here as I can.

I set up an accountant with all of the sites I will mention below and began experimenting:
I believe I am now on experiment number 749 altogether...
I have set the tests up to goto the actual test site/s so that they can be monitored for any changes...
Should they continue to work, for a number of months, I will move the text and source here and close those sites...unless this format is perfered ?
I have noticed that there is a problem when trying to run these ideas below thru frames pages also...

NEW!
UPDATE: Sep-14-99
I guess I am about done with banners for awhile; I have found sources which know much more than I, and provide much more info than I can keep up with; it has been fun; and I have learned alot...See the References link below...

[Fortunecity] ~[Tripod] ~[Geocities] ~[Dencity] ~[Virtualave] ~[The Globe] ~[Xoom


~~[References] ~~[AD Busting Tools] ~~[FAQs] ~~[Tool Author]


>Fortunecity (june 11 1999)
Here are two variations that I have worked out to kill fortunecity banners

Test 1

june 23, 1999
results of test 1:
Test 1 stops working every fourth day. A Bot comes in an inserts code that pops a banner. Fortunately it inserts the same code as in Test 2 below; which has remained working thru-out the test period so far...

Test 2

Aha! On july 8; Test 2 stopped working! It gave me a 404 error page not found...does not exist;
(I have left test 1 alone; u can see the error by clicking on it above)

Going to the ftp site I was  thinking I would discover it gone;
I instead found that it was there and would let me view any directory i had there EXCEPT the directory for Test1 and Test2...the dirctories simply would not open! I don't know why but I noticed that the file attributes were not the same as the other files in the directory...
so I changed Test2 which had at that moment  ( drw-rw-r-)
too (drwxr-xr-r) (755) ...
and hey! I was then able to open the directory and see my former files...I then went back to fravias site and tried test 2 (above) and it works now...

So what happened? A bot found source tampering and changed the file attribute (?) so that the page could not load? I assume it was a bot because a human would simply have taken the site down...



Tripod (june 11 1999)

Here are three variations for tripod banners

Test 1
Test 2
Test 3

Update; June 23, 1999: All 3 Tests still working
Test no. 3... I found thru altavista: an essay by rootworm and daniel.... http://www.pheces.org/text/tripod.txt

NEW!

Test 3 above no longer works:  they change.. we change; they change... to keep up...

I will no longer be adding to this page (unless I myself find something significant thru my own work)  as i have found sources that understand and keep up with the changes faster than I can:
for great information an updates on Tripod: (as well as many others)
SEE



Geocities (june 11 1999)
tests 1-3 for pop ups:
Test 1
Test 2
Test 3

June 23, 1999
All three Geocities Tests stopped working at same time on june 22;
a bot came in an inserted a NEW code Above the Html tag;
IT would seem that this bot assigned the account a NEW account number!
and now all three have pop-ups once again...
First lesson I learned here: Never set up  multiple tests... within a singel account...

I will re-start this test to make sure i did not corrupt it somehow; I'll also put each test in seperate account for proper moderating...arrrrrgh ...(for next update; not this one)

july 4th
well I discoverd several days ago that these original Geocities tests are working again without my haveing made any changes;
The new account number that was present on june 23, is now back to the original account number...??? ...I had thought at first that perhaps it was some time/date driven revolving script that changed the account #s  to stay on top of source tampering...can only continue to watch this...time will tell...

Test 3 I found at altavista; but I don't remember where; I shall search to credit that person.

NEW!!
tests 4-5 for embeds:
Test 4:
Testing html layering:  for any embeded image ad

Test 5
javascript   for embeded ad



Dencity(june 11 1999)

Test 1

June 23, 1999:  Test 1 still working



Virtualave (june 11 1999)

heres my personal favorite; ...their poppers have drove me nuts!

Test 1

June 23, 1999: Both tests still working...

The script from test 1 came from my great friend Eternal Bliss while I was trying to kill ads at the asm disscussion board.
Test two, which is for the embedded ad (see source  below at jeff 2); which can also be viewed working at:

Test 2    http://the-ancient-one.virtualave.net/



The Globe (june 23, 1999)

Test 1
 

NEW!
August 25, '99
it seems the globe has done a change up on us..
.the code for test 1 is not working
because the globe has (at least on my page above) stopped using a 'pop up' and has inserted a banner at 'top' location...
so using the xoom top banner code this top banner is now gone in test 2 below:
I  myself  do not care one way or the other if providers use some small(er) unobtrusive  embedded banner; somewhere at the bottom of our pages would be nice; but;  in the globes case by putting my personal sign up info on display as so:  http://members.theglobe.com/ground_01/ ...........I will continue doing tests on their change-ups....as an educational experiment :>)

Test 2
 



Xoom (june 23, 1999)

Test 1

Test 2

NEW!
August 1,  Okay finally figured out The Seekers method;
Test 3

August 11,
I had trouble producing results with the exact method from vision (or was it Volition?)
(although others indicated they got it to work);
put it down to my lack of knowledge:
but I was able to get this  method to work this way:
Test 4

Be sure to see this one:
Encrypt your XOOM code!



REMEMBER ...To Search:
Now heres a good note to remember; before you spend five days re-inventing wheels;
try going to Altavista.
I went 5 days After I started this project and found two more ways to dump banners simply by typing in: "How can I kill pop up banners?"........
And several days later found a couple more sites simply by changing my "question" slightly...



KUDOS:
I would like to give speacial thanks to those who took the time to help me test these pages in their own individual browsers:
Andy           Opera 3.60
NoLoad       Ie   4.72
Don Quijote Opera 3.6
-Tx              Netscape 4.5
Stienb0ck     Ie5


Jeff (2) June 11 1999
Here is another idea I was playing with this morning; What I fear is that my lack of knowledge is probably missing something...In this following example for killing a "permanent embedded ad" (NOT a pop up ad) from virtualave banner you will see all I did was to add in a <!-- and a closing //--> so it will not print whats between the statement.........what I fear; is my lack of knowledge does not allow me at this time to know weather or not the bot that looks to see if the ad is still there will recognize my addition and close down someones site for tampering......because I have not changed the initial code I would hope not:

here is vrtualaves banner code:
By adding in these two lines, in the example below, I was able to kill the banner in Homesite Editor:

<HTML>



<HEAD>



 <TITLE>Virtualave BannerKiller</TITLE>



</HEAD>







<BODY>







<!-- VA Banner -->



   <!--            <<<<<<<<<<<<-------adding this here







   </XMP>



<CENTER>



<a



href="http://ad1.virtualave.com/cgi-bin/redirect.cgi?AD=NECX5_20_fakesrch"



target=_blank>



<img



src="http://ad1.virtualave.com/cgi-bin/getimage.cgi?AD=NECX5_20_fakesrch"



width=468 height=60></a>



<BR>



<a href="http://www.virtualave.net" target=_blank>



<img border=0



src="http://ad.virtualave.com/banners/freev/vanarrow.gif"



width=0



height=0></a>



</CENTER>



  //-->                 <<<<<<<<<<<<-------adding this here







</BODY>



</HTML>
What do u think? Does the virtualave bot still see the code as untampered like this?
(june 23, 1999; so far it sure has)

I have a fravia+ mirror set up on virtualave that I have been embarressed of because I corrupted your site by it haveing the virtualave banner on it; I can proudly say now that I used the above code and my mirror site no longer has this banner! (hummmm; it takes the banner away using MS (sorry; test only) but then pops a Pop Up ad instead...another reason not to use MS; eh?:) the mirror is at : http://the-ancient-one.virtualave.net/
I also have a mirror at: http://members.dencity.com/jas/fravia/
 



References
Counterexploitation and the Free Webpage Provider

Pop UPs Must Die!



AD Busting Tools
Proxomitron  (freeware)
 

I have listed no others here because I have not used any others yet:

*******
july 8th; here is a text file with adbusting addresses; its not pretty but I'll clean it up later:
ADBusting URLS



Proxomitron Author:

Here is a nice informative letter from the author of the Proxomitron tool, Scott Lemmon, in response to some questions I asked:

Hi,

At 05:44 PM 6/25/99 -0700, you wrote:
>Dear Scott;
>Your tool is a gawdsend...
>
>As your tool is freeware I hope u will not mind me promoting its use
>here:
>http://129.105.116.5/fravia/jef_rem4.htm
>

Glad you like it!  Of course feel free to post it wherever you wish.

>Because I am a seeker of knowledge I want to look deeper than mearly
>loading a tool and using it. I am wondering if you would mind
> in helping to explain what
>transpires when you click on a URL &  log into a ADspamming site; how a

>proxy redirects as a buffer; and how filters work to cloak its
>messages...

I'd be happy to help answer any questions if I can.

>Is it possible to include filters directly into source code; or can
they
>only be read and acted upon by and thru the proxy buffer?

Normally it's not possible to do this on the page itself. It works a bit

like this...

Web page->web server->Proxomitron->Browser

Ads and other junk are added by the free hosting sites at the web server

stage of the journey. Because the Proxomitron comes after that, whatever

HTML was added by the web server can be easily removed. The only trick
is
in sorting out what's been added from the page's original contents.
Normally that's easy for any specific case (since the code is very
predictable). The real challenge is making a single filter that works in
as
many different situations as possible.

When in comes to JavaScript however, sometimes it is possible to disable

things on the web page itself. This is because with Netscape and IE4 or
greater it's possible to replace a JavaScript command with one of your
own.
 You can replace "window.open" for example, with a command that does
nothing. This, in fact, is the trick used by Proxomitron's default
filter
set to stop pop-up windows, and if you study very closely Proxomitron's
home page you may notice something there too. ;-)

The main problem is that it doesn't work on IE3 or Opera. Their
JavaScript
implementations aren't quite as advanced and don't allow overriding of
built-in functions.

As I'm sure you've noticed, the most common way to block stuff from the
web
page itself is by trying to place comments or other HTML before where
the
code will be inserted. I'm sure you've also noticed it's hard to make it

work all the time. Here's a few alternate way to "comment out" HTML you
may
find useful.

<!--    --> Normal HTML comment
<noembed> </noembed> Works with any browser that supports the "embed"
command
<script language="foo"> </script> Browser's will ignore any language the

don't understand.

There are other ways too. It won't help if the server inserts stuff at
the
very top of the page (before the HTML tag even), but since that can
confuse
some browsers most will avoid doing so.
 

Another interesting thing I've noticed is *many* sites (including
Tripod,
Geocities, and Xoom) will not insert stuff at all if they don't
recognize
the browser's user-agent HTTP header.  This is to avoid causing problems

with browsers that may not support JavaScript. Unfortunately, although
easy
enough to do with a program like Proxomitron, this again is something
that
can't be changed on the webpage itself (since in this case the info is
coming from your browser).

Hope that's of some help,

Scott



FAQs
A Good Link for filtering faqs
http://www.junkbusters.com/ht/en/links.html#filtering


june 11;
hummmmm; it seems the more web servers that I check the more slightly different ways to eliminate their banners....perhaps I had better put together a comphrehensive list and code changes for each as a regular essay rather than haveing u take your time to cut and paste all these mails I keep sending??? Had I known when I began this yesterday that it would grow like this I would have done so; I apologize... I hesitate once again however because although the banners are indeed gone I fear that bot will see my changes and bring someones page down...I do not want this to happen to anyone for sure....Would u prefer me to do it or is this way okay?





We'll see. I think there's enough material in here, that you have dug out, to get us starting. Bots'behaviour can follow quite different parameters on the various moronical advertisement web-sites, and can moreover be easily modified. It would not wonder me if they will start checking WHAT people have found out to avouid their dirty banners in order to better defend them :-( Well, I guess it's the usual 'evolutionary' aspect of the Web. We'll anyway always win because what we do, we do for passion and for knowledge's sake, not for money.


red




red

redhomepage redlinks redanonymity +ORC redstudents' essaysredacademy database redbots wars
redantismut redtools redcocktails redjavascript wars redsearch_forms redmail_fravia
redIs reverse engineering illegal?