What is the Internet Junkbuster
Proxy and what does it do for me?Configuring Browsers · IE 5.0 · Installation · For Companies · Blocking Ads · Cookies · Hotmail · Children · Forwarding/Chaining · IP · Anonymity · Security
Development of JunkBuster is ongoing and this document is no longer current. However, it may provide some assistance. If you have problems, please use the Yahoo Groups mailing list (which includes an archive of mail), the SourceForge.net project page, or see the project's home page. Please also bear in mind that versions 2.9.x of JunkBuster are development releases, and are not production quality.
What is the Internet Junkbuster
Proxy and what does it do for me?The Internet Junkbuster Proxy TM is free privacy-enhancing software that can be run on your PC or by your ISP or company. It blocks requests for URLs (typically banner ads) that match its blockfile. It also deletes unauthorized cookies and other unwanted identifying header information that is exchanged between web servers and browsers. These headers are not normally accessible to users (even though they may contain information that's important to your privacy), but with the Internet Junkbuster you can see almost anything you want and control everything you're likely to need. Many people publish their blockfiles to help others get started.
Is there a license fee / warranty
/ registration form / expiration?No, none of these. It's completely free of charge. Junkbusters offers you the software to copy, use, modify and distribute as you wish, forever, at no charge under the GNU General Public License.
It comes with no warranty of any kind.
You don't have to register, in fact we don't even provide a way to do so: the practice of registering software is usually just an excuse to send you solicitations and sell your name and information about your behavior. You are welcome to obtain and use our software as anonymously you wish. (Your IP address will naturally be disclosed when you download it; use anonymizing software if you want to conceal this. We never want to be given any information that you consider private or confidential.)
We are often asked why we give away a product that many would happily pay for. The answer is that we are determined to carry out our mission: to free the world from junk communications.
Does it run on Windows? On a Mac?
On the AOL browser?For the latest information on availability, see the Distribution Information page. We don't think it will ever run on Windows 3.1. But you don't need to have it running on your computer if you get your ISP or Systems Administrator at work to run it.
How can I get my ISP to run the
Internet Junkbuster?Try their sales or support department (depending on whether
you are already a customer). You might
send them email including the following URL:
http://www.junkbusters.com/ht/en/ijbfaq.html#isps
You could mention that many other ISPs
provide it, and that you regard it as an important part of your
decision on where to buy Internet service.
Who chooses the options that
control what is blocked?Whoever starts the Internet Junkbuster chooses the options and the blockfile. If your ISP runs it for you, they have to make these decision (though some may give you a choice of proxies, and a way to suggest new URLs to block). If you run it on your computer, you get to choose.
How do I download and run the
program on my computer?It depends on your platform. If you are using Windows 95 or NT, see our separate page on installing under Windows. If you have a C compiler and are using almost any flavor of UNIX ® you download it, compile it, start it running, and then configure your browser. Several precompiled packages are also available through links in our distribution page, which lists all available platforms.
If you are using a platform for which we have no current availability, you are welcome to port the code. If you do this and you would like us to consider publishing your ported version, please tell us.
How can I tell which blockfile
and options are being used?Just point your browser to
http://internet.junkbuster.com/cgi-bin/show-proxy-args or to
any URL ending in show-proxy-args (even if it
doesn't exist). It needn't exist because the Internet
Junkbuster intercepts the request, blocks it, and returns in
its place information about itself. Using the URL above is
useful for checking that your browser really is going through
an Internet Junkbuster, because the junkbuster.com
server returns a warning if the request actually gets to it.
Some people set the home page of their browser to such a URL to
be sure that it is configured to use the proxy.
If you wish to check the header information your proxy is actually sending, a visit to http://internet.junkbuster.com/cgi-bin/show_http_headers will give you the more relevant ones first. You might also like to turn the proxy off and compare the difference. (Don't forget to turn it back on again.)
My browser started giving me
``server not responding'' messagesOnce your browser is told to use a proxy such as the
Internet Junkbuster, it thinks of it as its server for
everything, so this message means it can't talk to the proxy.
The Internet Junkbuster may not be running, or you may have
specified its proxy address incorrectly. Check that the details
you entered are correct. If you have telnet you
can try connecting to the appropriate port to see if the
Internet Junkbuster is running. If your ISP is running the
Internet Junkbuster, you may want to check with them. If you
are running it yourself under UNIX ®, try looking at a
ps ax to see if it is running. The port specified in its options should be
the same one as your browser has configured.
I've got this great idea for a
new feature. Who do I tell?We'd be very interested to hear it, but please bear a few things in mind.
My question isn't listed here.
Who do I ask for support?If you find using our free product harder than you're used to for consumer software, there are many commercial alternatives that you could consider.
The answer to detailed technical questions may be answered in manual page, or in the source code. Also double-check this page for an answer: using the ``find'' feature on your browser for likely keywords may help. Our site also has a search feature.
Many people post requests for help and responses on Usenet.
If your ISP is providing the Internet Junkbuster for you, and your question is about how to use it, check their web page before asking them.
Even though we don't offer the kind of support you might expect if you paid a lot of money for a software product, you can still ask us. But before you do, please consider whether you could ask someone closer to you. And please be patient if we're slow to reply: we never charge consumers for our services, so we have to subsidize consumers with revenue from companies, and our resources are limited.
If your company or organization would be interested in a maintenance contract with phone and email support, hard copy documentation and source code and pre-compiled binaries on tape or disk, please ask us for a quote.
What is the proxy address of the
Internet Junkbuster?If you set up the Internet
Junkbuster to run on the computer you browse from (rather than
your ISP's server or some networked computer at work), the
proxy will be on localhost (which is the special
name used by every computer on the Internet to refer to itself)
and the port will be 8000 (unless you have told
the Internet Junkbuster to run on a different port with the listen-address option).
So you when configuring your browser's proxy settings you
typically enter the word localhost in the two
boxes next to HTTP and
Secure, and the number 8000 in the two boxes
labeled to the right of those boxes. The
Internet Junkbuster does not currently handle other protocols
such as Gopher, FTP, or WAIS, so leave those setting unchanged.
Nor does it handle ICQ or Instant Messenger services.
If your ISP or company is running the
Internet Junkbuster for you, they will tell you the address to
use. It will be the name of the computer it's running on (or
possibly its numeric IP address), plus a port number. Port 8000
is the default, so assume this number if it is not specified.
Sometimes a colon is used to glue them together, as in
junkbuster.fictitious-pro-privacy-isp.net:8000 but with
most browsers you do not type the colon, you enter the address
and port number in separate boxes.
How do I tell the browser where
to find the Internet Junkbuster?All current browsers can be told the address of a proxy to use. You enter the same information in two fields in your browser's proxy configuration screen (see list below): one for HTTP, and one for the Secure Protocol (assuming your browser supports SSL). If you find some information already entered for your proxy, see the next question. Here are the menus you go through to get to the proxy configuration settings. (We also recommend that you disable Java, which is a separate operation.) Make notes on the changes you make so you know how to undo them! You will need to know what you did in case you wish to discontinue using the proxy.
setenv http_proxy
http://localhost:8000/
http_proxy=http://junkbuster.fictitious-pro-privacy-isp.net:8000/
export http_proxyIf your browser is not listed here, or if you notice an error, please tell us the correct procedure.
What should I do if I find
another proxy is already configured?Some ISPs and companies require all Web traffic to go through their proxy. In this case you would find your proxy configuration with values already set, possibly under Automatic Proxy Configuration (in the case of Netscape and MS-IE 3.0 and above). It's probably a firewall proxy between your company and the outside world, or a caching proxy if you're using an ISP.
What needs to be done in this case is to use the forwardfile option to tell the Internet Junkbuster the address of the other proxy. Specify a different (unused) port number with the listen-address option, and configure your browser to use that port. If you haven't done this kind of thing before, it's probably best to consult your systems administrator or ISP about it; check their web page first.
What if I want to stop using
the Internet Junkbuster?Just go through the same procedure you used to start your browser using the Internet Junkbuster, but remove the details you put in (or if there was something there before, restore it). You may need to use Save Options to make this change permanent. On Netscape 3.0 you can go through Options; Network Preferences; Proxies and click on No Proxy to turn it off, and later click on Manual Proxy Configuration if you want to start using it again. (No need to enter the again details under View as you did the first time; they should remain there unchanged.)
This stops your browser talking to the proxy; shutting down the proxy is a different matter.
Automatic dialing isn't working
any more. How do I fix it?Some browsers (such as MSIE-4) can be configured to dial
your ISP automatically when you click on a link, but this
feature (called "automatically connect" or "autoconnect") gets
disabled if you specify a proxy running on your own computer
(with address localhost or 127.0.0.1)
because these addresses don't require dialing. The Internet
Junkbuster knows nothing about dialing, so it doesn't work. To
make automatic dialing work, make up a name such as
junkbuster.ijb and use that name in the proxy settings
instead of localhost, and then add the line
127.0.0.1 junkbuster.ijb to the file
c:\windows\hosts (if there already is a line beginning
with 127.0.0.1 just add
junkbuster.ijb at the end of it.)
This should also work Netscape Communicator 4 on machines where IE-4 has been installed.
The next two sections assume you wish to compile the code
with your own C compiler. If you just
want to use the .exe file provided for Windows,
see the Windows Installation page.
How do I compile the code under
Unix?If you are running Redhat Linux you may prefer to use the rpm instead of the following procedure.
uncompress -c ijb20.tar.Z | tar xf
-Makefile and make any changes
indicated inside.makejunkbstr.ini, previously called
sconfig.txt and other names in earlier releases) to
some convenient place such as
/usr/local/lib/junkbuster/configfile or whatever you
choose. The sample file has all the options commented out.
You can remove the # character on any that you
want, but it may be better to leave this until to later.
Run it asynchronously:junkbuster configfile &
If you are running a version earlier than 2.0 you can
start it with junkbuster &
kill the process and start it again. The
most popular option is
blockfile to block ads. A
sample blockfile is provided as an illustration, but it
doesn't really stop many ads. More comprehensive ones are
available elsewhere./etc/rc.d/rc.local or equivalent to start it at
boot time. (Any output you specify should be redirected to a
file. And don't forget the & at the end to run it
asynchronously or your system will seize up after the next
reboot.) How do I compile the code under
Windows?A .exe file (binary) is supplied with the
source code, but if you prefer to compile it yourself here is
the likely procedure. Most of these steps are repeated in our
checklist for installation under Windows.
ijb20.zip (~208k), then uncompress
and unpack the zip archive using a tool like WinZip.ijb20.
Go into that folder and then edit the Makefile for your
system, removing the comment character (#) in
the lines related to Win32. Then type:nmake
junkbstr.exe. For information
on issues with various compilers, see the Distribution
Information page.junkbstr(Version 2.0.1 and above uses the file
junkbstr.ini as the config file if it exists
and no argument was given. If you have an earlier version
or if you want it to use a different config file, simply
specify that file as the argument.)
junkbstr executable into
the StartUp folder:C:\Windows\Start
Menu\Programs\StartUp
Properties->Shortcut to Run:
Minimized. If you specify the hide-console option then the
DOS window will vanish after it starts.
WinNT users can put it into their own StartUp folders or the Administrator can put it into the system's global StartUp folder. For details on how to make this a service under NT see our Windows page.
How do I check that the proxy is
working?Pick a page from somewhere (such as your bookmarks, or just
one that your browser was pointing to) and
Reload it. If you get a message along the lines of ``server
not responding, using cached copy instead,'' see the advice
above. If the page reloads OK, check that your browser is
actually talking to the proxy by going to
http://internet.junkbuster.com/cgi-bin/show-proxy-args or any
URL ending in show-proxy-args (as described below,
the proxy should intercept the request.) When you see
``Internet Junkbuster Proxy Status,'' you'll know it's
working.
How and why would I have this
proxy chained with other proxies?You may need the forwarding feature to ``daisy chain'' the Internet Junkbuster to another proxy, perhaps an anonymizing proxy to conceal your IP address, or a caching proxy from your ISP, or a firewall proxy between your company and the outside world. Version 2.0 and above can be even configured to forward selectively according to the URL requested: for example, connecting directly to trusted hosts, but going through an anonymizing or firewall proxy for all other hosts.
Network administrators might use it to provide transparent access to multiple networks without modifying browser configurations. Most browsers also provide a way of specifying hosts that the browser connects to directly, bypassing the proxy. Some provide a method for Automatic Proxy Configuration. A well written Internet Junkbuster configuration can be much more flexible and powerful.
An ISP's caching proxy would typically
be called something like cache.your-isp.net:8080
(as described on you ISP's web page); you would put this
information in your
forwardfile as described in our manual. Your browser would
be configured to the Internet Junkbuster for HTTP and Security
Proxies as before, but you probably want to tell it to use the
caching proxy for FTP and other protocols.
If your ISP is running the Internet Junkbuster for you,
they have probably already decided whether to chain with a
caching proxy.
How does the Internet Junkbuster
work with SOCKS gateways?There is support for some gateways in Version 1.4 and above.
The gateway protocol used to be specified on the command line;
it is now specified in the same file as forwarding. Note that the
browser's proxy configuration must not specify a
SOCKS host; it should specify the proxy as
described above.
How do I configure it to be just
a plain old proxy?To get the proxy to do as little as possible (which means
not deleting any sensitive headers), place in your
configuration file the following three lines (each ending in a
space then a period) to stop it changing sensitive headers:
referer .
from .
user-agent .
cookiefile mycookiefile
The fourth line is also needed to specify a cookiefile that might be called
mycookiefile containing a single line with a
* character, to allow all cookies through.
How do I shut down the proxy (to
restart it)?It depends on your platform.
kill the junkbuster process. If you don't know the process number to give
to kill, try this:ps ax | grep junkbuster
What do advertising companies
think of this kind of technology?We've seen only a few public comments from the advertising industry on this, other than SEC filings. First, the president of the Internet Advertising Bureau told CNET that he wasn't worried by banner blockers. Second, after the Federal Trade Commission's workshop where we gave a live demonstration of our proxy before many eminent representatives of the industry, the Direct Marketing Association made the following statement in the closing paragraphs of their summary comments to the Commission.
Clever shareware developers have come up with products that can obliterate cookies and advertisements for those consumers who have these concerns. The Internet is a market that is so democratic and flexible that it is easy for companies and software developers to respond to a perceived market need.
Their attitude seems to be that they would prefer that people use technical solutions to protect their privacy than have protections imposed by legislation or government regulations. So, do you perceive a market need? Then here are some ways to flex your democratic muscles.
Should we provide the
Internet Junkbuster for our employees?That depends. Try this quick three-point test.
If the answer to all three questions is yes, then you probably don't have any need for this kind of product.
Can our company get
commercial support for the software?Yes, ask us for a quote on a maintenance contract with your choice of phone and email support, hard copy documentation, source code and pre-compiled binaries on tape or disk, and email alerting of upgrades and issues. We also offer consulting services to help set up ``stealth browsing'' capabilities to help reduce the footprints left while doing competitive analysis and other Web work where confidentiality is critical.
I run an ISP. What issues should
I consider before offering it?Many ISPs who offer the proxy to their customers have told us that most of their customers are delighted with it (although one reported that a customer complaint that without banner ads, surfing was like reading a novel: we recommend making it optional). Many ISPs like it because it reduces bandwidth requirements. To help get you started, here's a checklist we've developed from working with a few ISPs. You may think of more, and we'd be interested if you're willing to share them with us.
* in it), User Agent specified as Lynxour-isp.net. But it would probably be
safer to put an entry in your name server and call it
something like junkbuster.our-isp.net. If
running several proxies, you could either use different ports
on the same machine, or if you have the opportunity to
distribute the load over a few machines you could use
different hostname aliases such as
banner.junkbuster.our-isp.net,
lynx.junkbuster.our-isp.net and
oneway.junkbuster.our-isp.net (corresponding to the
examples in the previous point). You may want to set up
Automatic Proxy Configuration.
blocklist.html or
blocklist.txt).
Where can I get an example
blockfile that stops most ads?The sample blockfile we provide blocks almost nothing, and
we do not publish blockfiles that stop almost all banner ads.
But others have; you can find them by asking Google. You can
add any part of the new file to your old one (probably called
sblock.ini if you haven't changed the default name
in the latest version) or your just replace it completely. You
probably don't need to restart the proxy.
If you develop an interesting blocklist and publish it on the Web, you might want to include the word ``junkbuster'' in it and use the word ``blocklist'' in the file name given in the URL so that others can find it with the query given in the previous sentence.
If I see an ad I wish I hadn't,
how do I stop it?If your ISP is running the Internet Junkbuster, they should have a policy on whether they accept suggestions from their customers on what to block. Consult their web page.
If you are running the Internet Junkbuster yourself, you have complete control over what gets through. Just add a pattern to cover the offending URL to your blockfile. Version 1.3 and later automatically rereads the blockfile when it changes, but if you're running an earlier version you'll have to stop it and restart it.
To choose a pattern you'll first need to find the URL of the ad you want cover.
Some people use the debug 1 option to display
each URL in a window as the request is sent to the server. It's
then usually an easy task to pick the offending URL from the
list of recent candidates.
Alternatively, you can use View Document Info (or View Document
Source if your browser doesn't have that). The Info feature has the advantage of showing you the full
URL including the host name, which may not be specified in the
source: there you might see something like
SRC="/ads/click_here_or_die.gif" indicating only the
path. (The host name is assumed to be the same
as the one the page came from.)
But ads often come from a different
site, in which case you might see something like
SRC="grabem.n.trackem.com/Ad/Infinitum/SpaceID=1666" or
longer. If the company looks like a
pure ad warehouse (as in the last case), you may want to place
just its domain name in the blockfile, which blocks all URLs
from that site.
If the ad comes from a server that you
really want some content from, you can include enough of the
path to avoid zapping stuff you might want. In the first
example above, /ads/ would seem to be enough. If
you don't include the domain name, the pattern applies to all
sites, so you don't want such patterns to be too general: for
example /ad would block
/admin/salaries/ on your company's internal site.
To speed the blocking of images, some
UNIX ® users create a shell script called
Image: containing a line such as echo $1 | sed
s/http:..// >> $HOME/lib/blockfile that adds its
argument to the user's blockfile. Once an offending image has
been be found using View Document Info it's
easy to cut-and-paste the line (or part of it) into a shell
window. The same script can be linked to a file called
Frame: to dealing with framed documents, and
junkbuster: to accept the output of the debug option.
When compiled without the
regular expressions option, the Internet Junkbuster
uses only very simple (and fast) matching methods. The pattern
/banners will not stop
/images/banners/huge.gif getting through: you would have
to include the pattern /images/banners or
something that matches in full from the left.
So you can get what you want here, the matcher understands
POSIX regular expressions: you can use
/*.*/banners to block and any URL containing
/banners (even in the middle of the path). (In Versions 1.1 through 1.4 they were an option at
compile time; from Version 2.0 they have become the default.)
Regular expressions give you many more features than this, but
if you're not already familiar with them you probably won't
need to know anything beyond the /*.*/ idiom. If
you do, a man egrep is probably a good starting
point).
Don't forget the / (slash)
at the beginning of the path. If you leave it out the line will
be interpreted as a domain name, so ad would block
all sites from Andorra (since .ad is the
two-letter country code for that principality).
For a detailed technical description of how pattern matching is done, see the manual.
How come this ad is still getting
through anyway?If the ad had been displayed before you included its URL in
the blockfile, it will probably be held in cache for some time,
so it will be displayed without the need for any request to the
server. Using the debug
1 option to show each URL as it is fetched is a good way
to see exactly what is happening.
If new items seem to be getting through, check that you are really running the proxy with the right blockfile in the options. Check the blockfile for exceptions.
Some sites may have different ways of inserting ads, such as via Java. If you have ideas on how to block new kinds of junk not currently covered, please tell us.
How do I stop it blocking a
URL that I actually want?You can change the patterns so they don't cover it, or use a
simple feature in Version 1.1 and later: a line beginning with
a ~ character means that a URL blocked by previous
patterns that matches the rest of the line is let through. For
example, the pattern /ad would block
/addasite.html but not if followed by
~/addasite in the blockfile. Or suppose you want to see
everything that comes from a site you like, even if it looks
like an ad: simply put ~aSiteYouLike.com at the
end of the blockfile. (Order is important, because the
last matching line wins.)
As well as unblocking pages that were unintentionally blocked, this feature is useful for unblocking ads from a specific source. This might be because you are interested in those particular ones, or if you have an explicit agreement to accept certain ads, such as those from a free web-based email provider.
If you want to find out exactly which pattern in the blockfile a given URL matched, just click on the words ``Internet Junkbuster'' which are displayed alone on a page when your browser requests a blocked URL. The proxy displays a message that pinpoints the pattern for you.
Can I block sites I don't want my
children to see?Yes, but remember that children who are technically sophisticated enough to use the browsers' proxy configuration options could of course bypass any proxy. This kind of technology can be used as a gentle barrier to remind or guide the child, but nobody should expect it to replace the parent's role in setting and enforcing standards of online behavior for their children.
Some ISPs are starting to provide specialized proxies to protect children. There are two basic approaches: the ``black list'' and the ``white list'' approach. The black list approach allows the child to go anywhere not explicitly prohibited; the white list permits visits only to sites explicitly designated as acceptable.
It's very easy for anyone to compile
a white list from a page of ``recommended kids sites'' and to
configure an Internet Junkbuster to allow access to those sites
only. (If you publish such a list on the web, please tell us
its URL). Assuming your version isn't an old one without regex,
you can place a * (asterisk) as the first line of
the blockfile (which blocks everything), and then list
exceptions after that. Be careful to make the exception
sufficiently broad: for example, using
~www.uexpress.com/ups/comics/ch/ as the exception for
Calvin and Hobbes would block some of the graphic
elements on the page; you would probably want a wider exception
such as ~www.uexpress.com/ups/ to permit them.
Version 2.0 has an experimental feature to permit only sites mentioned in a nominated trusted site. This allows organizations to build lists of sites for kids to browse, and the software automatically restricts access to those on the list.
Many filtering products actually scan for keywords in the text of pages they retrieve before presenting it, but the Internet Junkbuster does not do this. Building a perfectly reliable black list system is hard, because it's very difficult to state in advance exactly what is obscene or unsuitable. For more info see our links page.
What do I see when a page or
graphic is blocked by the proxy?You usually see a broken image icon, but it depends on several factors beyond the proxy's control. If asked for a URL matching its blockfile, the proxy returns an HTML page containing a message identifying itself (currently the two words ``Internet Junkbuster'') with a status 202 (Accepted) instead of the usual 200 (OK). (Versions 1.X returned an error 404: Forbidden, which caused strange behavior in some cases.) Status 202 is described in the HTTP RFC as indicating that the request has been accepted but not completed, and that it might complete successfully in the future (in our case, if the blockfile were changed).
The broken image icon is most common
because the browser is usually expecting a graphic. But if it
was expecting text, or if the page happens to be using certain
HTML extensions such as layer and your browser is
a late model from Microsoft, you may see the words ``Internet
Junkbuster'' displayed as a hot link.
Clicking on the link takes you to an
explanation of the pattern in the blockfile that caused the
block, so that you can edit the blockfile and go back and
reload if you really want to see what was blocked. The
explanatory link is generated by the proxy and is automatically
intercepted based on its ending in ij-blocked-url;
even though the site is specified as
http://internet.junkbuster.com no request should
actually made to that site. If one is, it means that the proxy
was been removed after it generated the link.
To summarize: the identifying link to the blocking explanation is usually turned into a broken image icon, but it may be displayed on a page alone, or they may may be restricted to the particular frame, layer or graphic area specified in the page containing them. The proxy has no way of knowing the context in which a URL will be used and cannot control how the blocking message will be rendered.
Why not replace blocked banners
with something invisible?Many users have suggested to us that blocked banners should be replaced by a something like a 1x1 transparent GIF to make the page would look as if there was nothing ever there. Apart from making it harder to catch unintended blocking, this might also displease the owners of the page, who could argue that such a change constitutes a copyright infringement. We think that merely failing to allow an included graphic to be accessed would probably not be considered an infringement: after all this is what happens when a browser is configured not to load images automatically. However, we are not lawyers, so anyone in doubt should take appropriate advice.
In a context where the copyright issue is
resolved satisfactorily, a proxy could simply return a status
301 or 302 and specify a replacement URL in a
Location and/or URI header. An alternative
would be to use inline code to return a 1 x 1 clear GIF. We do
not publish sample code for this, and we have no way of
stopping others who have.
Why not block banners based on
the dimensions of the image?Many users have pointed out that most banner ads come in
standard sizes, so why not block all GIFs of those sizes? This
would theoretically be without fetching the object because the
dimensions are usually given in the IMG tag, but
it would require substantial changes in the code, and we doubt
whether it would be much more effective than a good block
list.
What about non-graphic
advertising within the pages I want?The Internet Junkbuster deliberately does not provide a way of automatically editing the contents of a page, to remove textual advertising or to repair the holes left by blocked banners. Other packages such as WebFilter do.
For the same reason, it has no way of
stopping a new browser window being created, because this is
done through the target attribute in the
<a> and <base> elements, not
through headers. Nor do we plan to add a feature to paralyze
animated GIFs.
Does it block ads on the
broadcasting ``push'' systems? How about pop-up ads?We haven't tried it but we expect it would probably work on image ads on push channels. See also adchoice.
Disabling Javascript stops some pop-up ads. One problem is that some advertisers throw open a new browser window to frame the ad. The ad is easily blocked, but the empty window remains. You can kill it easily, but this is a chore. We don't see how to stop them other than editing the HTML from the parent window, which we don't like to do.
The TBTF newsletter warned subscribers to push information that in IE4, LOGTARGET allows servers to determine the URLs viewed at their site even if accessed from cache or through a proxy. If you use this browser see our instructions on how to disable this.
If you find you have experience using the proxy with push, or have any other advice about it, please tell us.
For background information on cookies see our page describing their dangers.
Might some cookies still
get through? How can I stop them?Yes, you should expect the occasional cookie to make it through to your browser. We know of at least three ways this can happen; please tell us if you find any others. One way is in secure documents, which are explained below.
A few sites set cookies using a line
such as <META HTTP-EQUIV="Set-Cookie"
CONTENT="flavor=chocolate"> in the HEAD
section of an HTML document. Cookies
can also be
set and read in JavaScript. To see if this is happening in a
document, view its source, look in the head for a
section tagged script language="JavaScript". If it
contains a reference to document.cookie, the page
can manipulate your cookie file without sending any cookie
headers. The Internet Junkbuster does not tamper with these
methods. Fortunately they are rarely used at the moment. If a
cookie gets set, it should be stopped by the proxy on its way
back to the server when a page is requested, but it can still
be read in Javascript.
To prevent cookies breaking through, always keep cookie alerts turned on in your browser, and disable Java and Javascript. Making the files hard to write may also help.
Exactly how do cookies get
created and stored anyway?When a web site's server sends you a page it also sends
certain ``header information'' which your browser records but
does not display. One of these is a Set-Cookie
header, which specifies the cookie information that the server
wants your browser to record. Similarly, when your browser
requests a page it also sends headers, specifying information
such as the graphics formats it understands. If a cookie has
previously been set by a site that matches the URL it is about
to request, your browser adds a Cookie header
quoting the previous information.
For more background information on how
cookies can damage your privacy, see our page on cookies. For
highly detailed technical information see the RFC. The Internet
Junkbuster will show you all headers you use the debug 8 option, or you can
get a sample from our demonstration page.
If cookies can't get through,
will some things stop working for me?Possibly. Some personalized services including certain chat rooms require cookies. Newspapers that require registration or subscription will not automatically recognize you if you don't send them the cookie they assigned you. And there are a very small number of sites that do strange things with cookies; they don't work for anyone that blocks cookies by any means. Some sites such as Microsoft explain that their content is so wonderfully compelling that they will withhold it from you unless you submit to their inserting cookies.
Many free Web-based email services
require cookies. Hotmail also seems to require allowing both
msn.com and passport.com to set
cookies.
If you want such sites to be given your cookies, you can use the cookiefile option provided you are running Version 1.2 or later yourself. Simply include the domain name of those sites in the cookiefile specified by this option. If it still doesn't work, the problem may be in other headers.
It's possible to let cookies out but not
in, which is enough to keep some sites happy, but not all of
them: one newspaper site seems to go into an endless frenzy if
deprived of fresh cookies. A cookiefile containing a single
line consisting of the two characters >*
(greater-than and star) permits server-bound cookies only. The
* is a wildcard
that matches all domains.
If someone else is running the Internet Junkbuster for you and has a version that passes server-bound cookies through, you can try editing your browser's cookie file to contain just the ones you want, and restart your browser. To subscribe to a new service like this after you have started using the Internet Junkbuster, you can try the following: tell your browser to stop using the Internet Junkbuster, fill out and submit your subscription details (allowing that web site to set a cookie), then reconfigure your browser to use the Internet Junkbuster again (and stop more cookies being sent). This also requires the cookiefile option, and its success depends on the Web site not wanting to change your cookies at every session. For this reason it does not work at some major newspaper sites, for example. But you may prefer to look at whether other sites provide the same or better services without demanding the opportunity to track your behavior. The web is a buyer's market where most prices are zero: very few people pay for content with money, so why should you pay with your privacy?
Can I control cookies on a
per-site basis?Yes, since version 1.2 the Internet Junkbuster has included advanced cookie management facilities. Unless you specify otherwise, cookies are discarded (``crumbled'') by the Internet Junkbuster whether they came from the server or the browser. In Version 1.2 and later you can use the cookiefile option to specify when cookies are to be passed through intact. It uses the same syntax and matching algorithm as the blockfile.
If the URL matches a pattern in the
cookiefile then cookies are let through in both
the browser's request for the URL and in the server's response.
One-way permissions can be specified
by starting the line with the > or
< character. For example, a cookiefile consisting of
the four lines
org
>send-user-cookies.org
<accept-server-cookies.org
~block-all-cookies.org
allows cookies to and from .org domains only,
with the following exceptions:
send-user-cookies.org are blocked on their way
to the client, but cookies sent by the browser to that domain
are still be fed to them.
accept-server-cookies.org check in to the proxy and
are passed through to the browser, but when they come back to
the proxy they never check out.
block-all-cookies.org are blocked.If the junkbuster
was compiled with the regular expressions option they may be
used in paths. Any logging to a ``cookie jar'' is separate and
not affected.
It's important to give hosts you want
to be able to set cookies sufficient breadth. For example,
instead of www.yahoo.com use
yahoo.com because the company uses many different hosts
ending in that domain.
Can I make up my own fake cookies
(wafers) to feed to servers?Yes, using the wafer option. We coined the term wafer to describe cookies chosen by a user, not the Web server. Servers may not find wafers as tasty as the cookies they make themselves. But users may enjoy controlling servers' diets for various reasons, such as the following.
Any company that tries to argue in court that the proxy site was breaching their copyright in the cookies would be met with the defense that the proxy site gave that company the opportunity to protect its copyright by simply not sending cookies after receiving the notice.TO WHOM IT MAY CONCERN
Do not send me any copyrighted information other than the document that I am requesting or any of its necessary components.
In particular do not send me any cookies that are subject to a claim of copyright by anybody. Take notice that I refuse to be bound by any license condition (copyright or otherwise) applying to any cookie.
Cookies can be as long as four
thousand characters, so there's plenty of space for
lawyerly verbosity, but white space, commas, and
semi-colons are prohibited.
Spaces can be turned into underscores. Alternatively, a URL
could be sent as the cookie value, pointing to a document
containing a notice, perhaps with a suggestive value such
as
http://www.junkbusters.com/ht/en/ijbfaq.html#licenses_on_cookies_refused
But including the notice directly would probably be
preferable because the addressee does not have to look it
up.
The Internet Junkbuster 2.0.2 currently sends a full notice as a ``vanilla wafer'' if cookies are being logged to a cookie jar and no other wafers have been specified. It can be suppressed with the suppress-vanilla-wafer option, which might be used in situations where there is an established understanding between the proxy and all who serve it.
Junkbusters provides a CGI script that lets you see your wafers as they appear to servers.
Wafers confuse a few fragile servers. Hotmail appears to be one of them. If this troubles you, don't use this option.
Any wafers specified are sent to
all sites regardless of the cookiefile.
They are appended after any genuine cookies, to maintain
compliance with RFC 2109 in the event that a path was specified
for a cookie. The RFC's provisions regarding the $
character (such as the Version attribute) are
transparent to the proxy; it simply quotes what was recited by
the browser.
If you want to send wafers only to specific sites, you could try putting them your browser's cookie file in a format conforming to the Netscape specification, and then specify in the proxy's cookiefile that cookies are to be sent to but not accepted from those sites, so they can't overwrite the file. This may work with Netscape but not all other browsers.
Why would anyone want to save
their cookies in a ``cookie jar?''We provided this capability just in case anyone wants it. There are a few possible reasons.
For details on how your identity can be revealed while you
surf, see our page on privacy. Once you start using the
Internet Junkbuster you should find that much of the
information previously indicated on that page will no longer be
provided. If the REMOTE HOST indicating your IP
address is too close for comfort, see our suggestions below on
how to conceal your IP address. We also recommend that you
disable JavaScript and Java.
If I use the Internet Junkbuster,
will my anonymity be guaranteed?No. Your chances of remaining anonymous are improved, but unless you are an expert on Internet security it would be safest to assume that everything you do on the Web can be attributed to you personally.
The Internet Junkbuster removes various information about you, but it's still possible that web sites can find out who you are. Here's one way this can happen.
A few browsers disclose the user's email address in certain situations, such as when transferring a file by FTP. The Internet Junkbuster 2.0.2 does not filter the FTP stream. If you need this feature, or are concerned about the mail handler of your browser disclosing your email address, you might consider products such as NSClean.
Browsers downloaded as binaries could use non-standard headers to give out any information they can have access to: see the manufacturer's license agreement. It's impossible to anticipate and prevent every breach of privacy that might occur. The professionally paranoid prefer browsers available as source code, because anticipating their behavior is easier.
Why should I trust my ISP or
Junkbusters with my browsing data?You shouldn't have to trust us, and you certainly don't have to. We do not run the proxy as a service, where we could observe your online behavior. We provide source code so that everyone can see that the proxy isn't doing anything sneaky.
You are already trusting your ISP not to look at an awful lot of information on what you do. They probably post a privacy policy on their site to reassure you. If they run a proxy for you, using it could actually make it slightly easier for them to monitor you, but we doubt that any sane ISP would try this, because if it were discovered customers would desert them.
Can the proxy be used for logging
who looks at what?We don't want institutions to use this software as an instrument of surveillance. We have deliberately not provided options to add timestamps or records of which IP addresses accessed which URLs. However, because we publish source code anyone can modify it to do such things, and there is no way a remote user can find out if this is happening. Again, you need to be able to trust the entity providing your proxy service, but you were probably in that position even before using a proxy.
What private information from
server-bound headers is removed?The Internet Junkbuster pounces on the following HTTP headers in requests to servers, unless instructed otherwise in the options.
FROM header, which a
few browsers use to tell your email address to servers, is
dropped unless the from option
is set.USER_AGENT header is changed to indicate that the browser is
currently Mozilla (Netscape) 3.01 Gold with an unremarkable
Macintosh configuration. Misidentification helps resist
certain attacks. If your browser and hardware happen to be
accurately identified, you might want to change the default.
(Earlier versions of the Internet Junkbuster indicated
different details; by altering them periodically we aim to
hinder anyone trying to infer whether our proxy is present.)
If you don't like the idea of incorrectly
identifying your computer as a Mac, set it accordingly.
REFERER header
(which indicates where the URL currently being requested was
found) is dropped. A single static referer to replace all
real referers may be specified using the referer option. Where no referer is
provided by the browser, none is added; the add-header option with arguments
such as -x 'Referer: http://me.me.me' can be
used to send a bogus referer with every request.In Version 1.4 and later you can use the -r @ option to selectively disclose
REFERER and USER_AGENT to only those
sites you nominate.
Some browsers send Referer and User-Agent
information under different non-standard headers. The Internet
Junkbuster 2.0.2 stops UA headers, but others may
get through. This information is also available via JavaScript,
so disable it. Some search engines
encode the query you typed in the URL that goes to advertisers
to target a banner ad at you, so you will need to block the ad
as well as the referer header, unless you want them (and anyone
they might buy data from) to know everything you ever search
for.
If you have JavaScript enabled (the default on most browsers) servers can use it to obtain Referer and User Agent, as well as your plug-ins. We recommend disabling JavaScript and Java.
Currently no HTTP response headers
(browser bound) are removed, not even the
Forwarded: or X-Forwarded-For: headers. Nor
are any added, unless requested.
We are considering a more flexible header management system for
a future version.
Might some things break because
header information is changed?Possibly. If used with a browser less advanced than Netscape 3.0 or IE-3, indicating an advanced browser may encourage pages containing extensions that confuse your browser. If this becomes a problem upgrade your browser or use the user-agent option to indicate an older browser. In Version 1.4 and later you can selectively reveal your real browser to only those sites you nominate.
Because different browsers use different encodings of Russian and Czech characters, certain web servers convert pages on-the-fly according to the User Agent header. Giving a User Agent with the wrong operating system or browser manufacturer causes some sites in these languages to be garbled; Surfers to Eastern European sites should change it to something closer.
Some page access counters work by looking at the referer; they may fail or break when deprived.
Some sites depend on getting a referer
header, such as uclick.com, which serves comic
strips for many newspaper sites, including
Doonsbury for the Washington Post. (If you
click on that last link, you can then get to a page containing
the strip via the same URL we've linked to under
Doonsbury, but if you click on the
Doonsbury link directly, it gives you an error message
suggesting that you use a browser that supports referers.) In
Version 1.4 and later you can use the -r @ option and place a line like
>uclick.com in your cookiefile. Wired News used to
use referer to decide whether to add a navigation column to the
page, but they have changed that.
The weather maps of Intellicast
have been blocked by their server when no referer or cookie is
provided. You can use the same countermeasure with a line such
as >208.194.150.32 (or simply get your weather
information elsewhere).
Some software vendors, including
Download.com and Intuit use USER_AGENT to decide
which versions of their products to display to you. With the
default you get Mac versions.
As a last resort if a site you need doesn't seem to be working, the proxy configuration of many browsers allow you to specify No Proxy For any hostname you want.
We had reports that on some versions of Netscape the What's New feature did not work with the proxy, but we think we fixed this in Version 2.0.1.
How is misidentifying my
browser good for security and privacy?Almost every major release of both leading browsers has contained bugs that allow malicious servers to compromise your privacy and security. Known bugs are quickly fixed, but millions of copies of the affected software remain out there, and yours is probably one of them. The header that normally identifies your browser tells such servers exactly which attacks to use against you. By misidentifying your browser you reduce the likelihood that they will be able to mount a successful attack.
Does the Internet Junkbuster
conceal my IP address?Web sites get the IP address of any proxy or browser they serve pages to. If you run the proxy on your own computer the IP address disclosed is the same as your browser would, unless you use the forwardfile option is used to chain to another proxy, in which case servers only get the last IP address in the chain. Chaining slightly slows browsing of course, but it improves anonymity.
Does the Internet Junkbuster
thwart identification by identd?We think so, provided you are not the user running the
proxy. If your computer (or your ISP's) is running the
identd demon, servers can ask it for the identity of the
user making the request at time you request a page from them.
But if you're going through a proxy, they will identify the
user name associated with the proxy, not you. A visit to
http://ident.junkbusters.com lets you see what's happening.
This test is (quite rightly) blocked by many firewalls; just
interrupt the transfer if you get an abnormal wait after
clicking. Running other applications may also expose you via
identd; the proxy of course doesn't help then.
Can web sites tell that I'm using
the Internet Junkbuster?With the default options the proxy doesn't announce itself. Obvious indications such as Keep-Alive headers are deleted, but sites might notice that you can cancel cookies faster than any human could possibly click on a mouse. (If you want to provide a plausible explanation for this, change the User Agent header to a cookie-free or cookie-crunching browser).
But when certain options are used they could figure out something's going on, even if they're not pushing cookies. If you use blocking they can tell from their logs that the graphics in their pages are not being requested selectively. The add-forwarded-header option explicitly announces to the server that a proxy is present, and sending them wafers is of course a dead giveaway.
What happens with Secure
Documents (SSL, https:)?If you enter a ``Secure Document Area,'' cookies and other
header information such as User Agent and Referer are sent
encrypted, so they cannot be filtered. We recommend getting
your browser to alert you when this happens. (On Netscape: Options; Security; General; Show an alert before entering a
secure document space.) We also recommend adding the line
:443 to the blockfile to stop all but sites
specified in an exception after that line from using SSL.
It may be possible to filter encrypted cookies by combining the blocking proxy with a cryptographic proxy along the lines of SafePassage, but we have not tried this.
Will using this as my Security
Proxy compromise security?We're not security experts, but we don't think so. The whole point of SSL is that the contents of messages are encrypted by the time they leave the browser and the server. Eavesdroppers (including proxies) can see where your messages are going whether you are running a proxy or not, but they only get to see the contents after they have been encrypted.
Can I restrict use of the proxy
to a set of nominated IP addresses?Yes, we added an access control file in Version 2.0. But before you use it please consider why you want to do it. If the reason is security, it probably means you need a firewall.
The listen-address option provides a way of binding the proxy to a single IP address/port. The right way to do this is to choose a port inside your firewall, and deny access to it to those outside the firewall. The Internet Junkbuster is not a firewall proxy; it should not be expected to solve security problems.
For background information on firewalls, see Yahoo or a magazine article or these well-known books: Firewalls and Internet Security: Repelling the Wily Hacker by William R. Cheswick and Steven M. Bellovin or Building Internet Firewalls by D. Brent Chapman and Elizabeth D. Zwicky. There's free Linux software available, and a large number of commercial products and services. For an excellent security overview, primer, and compendium reference, see Practical Unix and Internet Security by Simson Garfinkel and Gene Spafford.
Are there any security risks for
ISPs or others who offer the proxy?Yes. As with any service offered over the Internet, hackers can try to misuse it. A well-run ISP will have professionals who are experienced at assessing and containing these risks.
It's possible to set up your machine so that other people can have access to your proxy, but if you lack expertise in computer security you probably shouldn't have your computer configured to offer this or any other service to the outside world.
Hackers can attempt to gain access to
the machine by various attacks, which we have tried to guard
against but don't guarantee to thwart. They can also use the
``anonymizing'' quality of proxies to try to cover their tracks
while hacking other computers. For this reason we recommend
preventing it being used as an anonymous telnet by
putting the pattern :23 in the blockfile (it's
included as standard equipment). (Actually the current
implementation incidentally blocks telnet due to the way
headers are handled, but it's best not to rely on this.) If you
wish to block all ports except the default HTTP port 80, you
can put the lines
:
~:80
at the beginning of the blockfile, but be aware that some
servers run on non-default ports (e.g. 8080). You might also
want to add the line ~:443 to allow SSL.
On UNIX ® systems it is neither necessary nor desirable for the proxy to run as root.
Versions 2.0.1 and below may be vulnerable to remote exploitation of a memory buffer bug; for security reasons all users are encouraged to upgrade.
If you find any security holes in the code please tell us, along with any suggestions you may have for fixing it. However, we do not claim that we will be able to do so.
We distribute this code in the hope that people will find it useful, but we provide no warranty for it, and we are not responsible for anyone's use or misuse of it.
You may also want to check back periodically for updated versions of the code. We do not currently maintain a mailing list. To get quick updates, bookmark our Distribution Information page.
Copyright © 1996-8 Junkbusters ® Corporation. Copyright © 2001 Jon Foster. Copying and distribution permitted under the GNU General Public License.