ISPs deploying rewriting proxies on web content

05.16.11 - 04:36am

I visited Asa Dotzler’s post about trees today, and I noticed some requests headed for a strange server. I was using my laptop tethered to a T-Mobile phone. I looked at the source, and found this image tag:

<img src=”http://64.19.142.12/farm3.static.flickr.com/2802/4376295211_b9d0014b3e_z.jpg” class=”photo”>

That src URL looked fairly suspect. I couldn’t figure out why Flickr would prefix images with an IP address and add a hostname to a path. Then, I found this bit of CSS:

.video {
-moz-border-image: url(http://64.19.142.11/weblogs.mozillazine.org/asa/tv-border.jpg) 27 31 37 31 stretch stretch;
border-width: 26px;
}

At this point, it seemed clear that an intermediary was rewriting the HTML content to point the images at a completely different server. Who would that be?

Hostname: 64.19.142.10
ISP: Monmouth Internet Corp
Organization: Flash Networks
Proxy: None detected
Type: Corporate
Assignment: Static IP

Looks like Flash Networks sells a rewriting product to mobile ISPs. Other T-Mobile users have noticed, as have Verizon users.

In the Verizon thread, you can see that the ISP has actually rewritten URLs to JavaScript files. Yikes! Also, I can’t find an instance of this now, but I am pretty sure this same proxy used to insert JavaScript rollover scripts into pages. These things would offer to display images at standard resolution if you right-clicked, if I recall correctly.

This stuff may be old news to some of you, but I was pretty surprised.

Category: Uncategorized |

No Comments Yet

You can be the first to comment!

Sorry, comments for this entry are closed at this time.