              Internet JUNKBUSTER Frequently Asked Questions

Download for UNIX  (Download for Windows 95/NT)  (Other OS)  Configuring
Browsers  IE 5.0  Installation  For Companies  Blocking Ads  Cookies 
              IP  Anonymity  Security  (Technical Manual)

                           The Top Ten Questions

For a list of the questions on this page (without the answers), see our
Table of Contents. It also contains detailed pointers into our pages on
cookies and on busting junk e-mail, junk mail and telemarketing calls.

 [Feedback]   What is the Internet Junkbuster Proxy and what does it do for
me?

The Internet Junkbuster Proxy TM is free privacy-enhancing software that
can be run on your PC or by your ISP or company. It blocks requests for
URLs (typically banner ads) that match its blockfile. It also deletes
unauthorized cookies and other unwanted identifying header information that
is exchanged between web servers and browsers. These headers are not
normally accessible to users (even though they may contain information
that's important to your privacy), but with the Internet Junkbuster you can
see almost anything you want and control everything you're likely to need.
You decide what's junk. SM Many people publish their blockfiles to help
others get started.

 [Feedback]   Is there a license fee / warranty / registration form /
expiration?

No, none of these. It's completely free of charge. Junkbusters offers you
the software to copy, use, modify and distribute as you wish, forever, at
no charge under the GNU General Public License.

It comes with no warranty of any kind.

You don't have to register, in fact we don't even provide a way to do so:
the practice of registering software is usually just an excuse to send you
solicitations and sell your name and information about your behavior. You
are welcome to obtain and use our software as anonymously you wish. (Your
IP address will naturally be disclosed when you download it, so if you work
for a web ad company you might want to use a service such as the lpwa.com
when you get it. We never want to be given any information that you
consider private or confidential.)

We are often asked why we give away a product that many would happily pay
for. The answer is that we are determined to carry out our mission: to free
the world from junk communications.

 [Feedback]   Does it run on Windows? On a Mac? On the AOL browser?

For the latest information on availability, see the Distribution
Information page. We don't think it will ever run on Windows 3.1. But you
don't need to have it running on your computer if you get your ISP or
Systems Administrator at work to run it.

 [Feedback]   How can I get my ISP to run the Internet Junkbuster?

Try their sales or support department (depending on whether you are already
a customer). You might send them email including the following URL:
   http://www.junkbusters.com/ht/en/ijbfaq.html#isps
You could mention that many other ISPs provide it, and that you regard it
as an important part of your decision on where to buy Internet service.

 [Feedback]   Who chooses the options that control what is blocked?

Whoever starts the Internet Junkbuster chooses the options and the
blockfile. If your ISP runs it for you, they have to make these decision
(though some may give you a choice of proxies, and a way to suggest new
URLs to block). If you run it on your computer, You decide what's junk. SM

 [Feedback]   How do I download and run the program on my computer?

It depends on your platform. If you are using Windows 95 or NT, see our
separate page on installing under Windows. If you have a C compiler and are
using almost any flavor of UNIX  you download it, compile it, start it
running, and then configure your browser. Several precompiled packages are
also available through links in our distribution page, which lists all
available platforms.

If you are using a platform for which we have no current availability, you
are welcome to port the code. If you do this and you would like us to
consider publishing your ported version, please tell us.

 [Feedback]   How can I tell which blockfile and options are being used?

Just point your browser to
http://internet.junkbuster.com/cgi-bin/show-proxy-args or to any URL ending
in show-proxy-args (even if it doesn't exist). It needn't exist because the
Internet Junkbuster 2.0.2 intercepts the request, blocks it, and returns in
its place information about itself. Using the URL above is useful for
checking that your browser really is going through an Internet Junkbuster,
because the junkbuster.com server returns a warning if the request actually
gets to it. Some people set the home page of their browser to such a URL to
be sure that it is configured to use the proxy.

If you wish to check the header information your proxy is actually sending,
a visit to http://internet.junkbuster.com/cgi-bin/show-http-headers will
give you the more relevant ones first. You might also like to turn the
proxy off and compare the difference. (Don't forget to turn it back on
again.)

 [Feedback]   My browser started giving me ``server not responding''
messages

Once your browser is told to use a proxy such as the Internet Junkbuster,
it thinks of it as its server for everything, so this message means it
can't talk to the proxy. The Internet Junkbuster may not be running, or you
may have specified its proxy address incorrectly. Check that the details
you entered are correct. If you have telnet you can try connecting to the
appropriate port to see if the Internet Junkbuster is running. If your ISP
is running the Internet Junkbuster, you may want to check with them. If you
are running it yourself under UNIX , try looking at a ps ax to see if it
is running. The port specified in its options should be the same one as
your browser has configured.

If your proxy was recently upgraded from a version before 2.0.2 and you are
not addressing it as localhost, a change will be needed to the
listen-address in the configuration file.

 [Feedback]   I've got this great idea for a new feature. Who do I tell?

We'd be very interested to hear it, but please bear a few things in mind.

   * Please check this FAQ to see if we've already considered the idea,
     such as automatic detection of banner ads and replacing ads with
     something else such as a transparent GIF.
   * Don't tell us anything you want to keep confidential or retain some
     right over.
   * We currently have a long wish list of things that we may or may not do
     in the near future, including a version for your favorite computer and
     a plug-in version.
   * If you don't want to wait you're welcome to improve on our code,
     publish your version on the Web, and tell us where to find it.
     Projects that are especially welcome include a port to the Mac and
     extensions for HTTP 1.1. (Meanwhile, be sure your browser is
     configured not to use HTTP 1.1.)

 [Feedback]   My question isn't listed here. Who do I ask for support?

If you find using our free product harder than you're used to for consumer
software, there are many commercial alternatives that you could consider.

The answer to detailed technical questions may be answered in manual page,
or in the source code. Also double-check this page for an answer: using the
``find'' feature on your browser for likely keywords may help. Our site
also has a search feature.

Many people post requests for help and responses on Usenet.

If your ISP is providing the Internet Junkbuster for you, and your question
is about how to use it, check their web page before asking them.

Even though we don't offer the kind of support you might expect if you paid
a lot of money for a software product, you can still ask us. But before you
do, please consider whether you could ask someone closer to you. And please
be patient if we're slow to reply: we never charge consumers for our
services, so we have to subsidize consumers with revenue from companies,
and our resources are limited.

If your company or organization would be interested in a maintenance
contract with phone and email support, hard copy documentation and source
code and pre-compiled binaries on tape or disk, please ask us for a quote.

                       [--- Back to Top of Page ---]

        Configuring your browser to talk to the Internet Junkbuster

 [Feedback]   What is the proxy address of the Internet Junkbuster?

If you set up the Internet Junkbuster to run on the computer you browse
from (rather than your ISP's server or some networked computer at work),
the proxy will be on localhost (which is the special name used by every
computer on the Internet to refer to itself) and the port will be 8000
(unless you have told the Internet Junkbuster to run on a different port
with the listen-address option). So you when configuring your browser's
proxy settings you typically enter the word localhost in the two boxes next
to HTTP and Secure, and the number 8000 in the two boxes labeled to the
right of those boxes. The Internet Junkbuster does not currently handle
other protocols such as Gopher, FTP, or WAIS, so leave those setting
unchanged. Nor does it handle ICQ or Instant Messenger services.

If your ISP or company is running the Internet Junkbuster for you, they
will tell you the address to use. It will be the name of the computer it's
running on (or possibly its numeric IP address), plus a port number. Port
8000 is the default, so assume this number if it is not specified.
Sometimes a colon is used to glue them together, as in
junkbuster.fictitious-pro-privacy-isp.net:8000 but with most browsers you
do not type the colon, you enter the address and port number in separate
boxes.

 [Feedback]   How do I tell the browser where to find the Internet
Junkbuster?

All current browsers can be told the address of a proxy to use. You enter
the same information in two fields in your browser's proxy configuration
screen (see list below): one for HTTP, and one for the Secure Protocol
(assuming your browser supports SSL). If you find some information already
entered for your proxy, see the next question. Here are the menus you go
through to get to the proxy configuration settings. (We also recommend that
you disable Java, which is a separate operation.) Make notes on the changes
you make so you know how to undo them! You will need to know what you did
in case you wish to discontinue using the proxy.

   * For Netscape 2.01, 2.02 and 3.0 [Graphic Illustration]: Options;
     Network Preferences; Proxies; Manual Proxy Configuration View ; enter
     proxy address details under HTTP and Security Proxy; click on OK;
     click on the next OK. [Return to Windows Installation Procedure]
     With Netscape 2.0, follow with Options, Save Options.
     With Netscape 4.X series, you first have to go through
     Edit/Preferences. [Graphic Illustration] Then in the frame on the
     left, click on triangle pointing to the right towards the word
     Advanced; it will switch to a triangle pointing down; and the words
     Cache, Proxies and Disk Space appear. Click on Proxies and the frame
     on the right will display a banner saying Proxies Configure proxies to
     access the Internet. Click the radio button labeled Manual proxy
     configuration then click the button labeled View; enter proxy address
     details under HTTP and Security Proxy; click on OK; click on the next
     OK. [Return to Windows Installation Procedure]
   * For Internet Explorer 3.0 [Graphic Illustration]: View; Options;
     Connections; tick Connect through proxy server box; Settings; enter
     proxy address details HTTP Box, with port number in the second box;
     same with Secure; click on OK. [Return to Windows Installation
     Procedure]
   * For Internet Explorer 2.0: View; Options; Proxy; enter proxy address
     details click on OK. [Return to Windows Installation Procedure]
   * On NT for MS-IE: Control Panel; Internet; Advanced; Proxy.
   * For MS-IE 4.0: similar to 3.0: View; Internet Options; Connections;
     tick Connect through proxy server box; Settings; enter proxy address
     details HTTP Box, with port number in the second box; same with
     Secure; click on OK. Note that 4.0 has Advanced settings to allow HTTP
     1.1 through proxies; these must be disabled because the proxy does not
     currently understand HTTP 1.1. Please tell us if you see any other
     differences. [Return to Windows Installation Procedure]
   * For MS-IE 5.0: similar to 4.0: Tools|Internet Options from the menu
     bar; Connections. Select either dial-up connection or LAN (depending
     on how you connect to the Internet); press Settings; and check the Use
     Proxy Server box; enter proxy address details in the HTTP Box, with
     port number in the second box; same with Secure; click on OK buttons
     to get out. Note: You must also uncheck the HTTP 1.1 checkboxes at the
     end of the Advanced options. This seems to have been made the default
     in IE 5.0. [Return to Windows Installation Procedure]
   * For Netscape's level 5 browser, we have no information. If you do,
     please tell us.
   * For NCSA Mosaic for Windows: Options, Preferences, Proxy; enter proxy
     address details under HTTP.
   * For Opera: Preferences, Proxy servers; check the box next to HTTP;
     enter the server and port number in the box on the other side; click
     on OK.
   * For Lynx, Mosaic/X, Grail, and W3O Arena, you can specify the proxy
     via environment variables before starting the application. This will
     probably be done with something like either
        setenv http_proxy http://localhost:8000/
     or
        http_proxy=http://junkbuster.fictitious-pro-privacy-isp.net:8000/
     export http_proxy
     depending on your shell and where the Internet Junkbuster lives.

If your browser is not listed here, or if you notice an error, please tell
us the correct procedure.

 [Feedback]   What should I do if I find another proxy is already
configured?

Some ISPs and companies require all Web traffic to go through their proxy.
In this case you would find your proxy configuration with values already
set, possibly under Automatic Proxy Configuration (in the case of Netscape
and MS-IE 3.0 and above). It's probably a firewall proxy between your
company and the outside world, or a caching proxy if you're using an ISP.

What needs to be done in this case is to use the forwardfile option to tell
the Internet Junkbuster the address of the other proxy. Specify a different
(unused) port number with the listen-address option, and configure your
browser to use that port. If you haven't done this kind of thing before,
it's probably best to consult your systems administrator or ISP about it;
check their web page first.

 [Feedback]   What if I want to stop using the Internet Junkbuster?

Just go through the same procedure you used to start your browser using the
Internet Junkbuster, but remove the details you put in (or if there was
something there before, restore it). You may need to use Save Options to
make this change permanent. On Netscape 3.0 you can go through Options;
Network Preferences; Proxies and click on No Proxy to turn it off, and
later click on Manual Proxy Configuration if you want to start using it
again. (No need to enter the again details under View as you did the first
time; they should remain there unchanged.)

This stops your browser talking to the proxy; shutting down the proxy is a
different matter.

 [Feedback]   Automatic dialing isn't working any more. How do I fix it?

Some browsers (such as MSIE-4) can be configured to dial your ISP
automatically when you click on a link, but this feature (called
"automatically connect" or "autoconnect") gets disabled if you specify a
proxy running on your own computer (with address localhost or 127.0.0.1)
because these addresses don't require dialing. The Internet Junkbuster
knows nothing about dialing, so it doesn't work. To make automatic dialing
work, make up a name such as junkbuster.ijb and use that name in the proxy
settings instead of localhost, and then add the line 127.0.0.1
junkbuster.ijb to the file c:\windows\hosts (if there already is a line
beginning with 127.0.0.1 just add junkbuster.ijb at the end of it.)

This should also work Netscape Communicator 4 on machines where IE-4 has
been installed.

                       [--- Back to Top of Page ---]

         Setting up the Internet Junkbuster on your local computer

The next two sections assume you wish to compile the code with your own C
compiler. If you just want to use the .exe file provided for Windows, see
the Windows Installation page.

 [Feedback]   How do I compile the code under Unix?

If you are running Redhat Linux you may prefer to use the rpm instead of
the following procedure.

  1. First download the tar file (~286k) and uncompress and extract the
     files from it with this command
        uncompress -c ijb20.tar.Z | tar xf -

  2. If your operating system is from Sun or HP examine the Makefile and
     make any changes indicated inside.
  3. Run

        make

  4. Copy the sample configuration file (junkbstr.ini, previously called
     sconfig.txt and other names in earlier releases) to some convenient
     place such as /usr/local/lib/junkbuster/configfile or whatever you
     choose. The sample file has all the options commented out. You can
     remove the # character on any that you want, but it may be better to
     leave this until to later. Run it asynchronously:

        junkbuster configfile &

     If you are running a version earlier than 2.0 you can start it with
     junkbuster &

  5. Configure your browser (described above).
  6. Verify that the Internet Junkbuster is working (described above).
  7. Decide on the options you really want, kill the process and start it
     again. The most popular option is blockfile to block ads. A sample
     blockfile is provided as an illustration, but it doesn't really stop
     many ads. More comprehensive ones are available elsewhere.
  8. You'll probably want to add an entry to /etc/rc.d/rc.local or
     equivalent to start it at boot time. (Any output you specify should be
     redirected to a file. And don't forget the & at the end to run it
     asynchronously or your system will seize up after the next reboot.)

 [Feedback]   How do I compile the code under Windows?

A .exe file (binary) is supplied with the source code, but if you prefer to
compile it yourself here is the likely procedure. Most of these steps are
repeated in our checklist for installation under Windows.

  1. First click here to download the zip file called ijb20.zip (~208k),
     then uncompress and unpack the zip archive using a tool like WinZip.
  2. Now the distribution (source and sample files) will be in a folder
     called ijb20. Go into that folder and then edit the Makefile for your
     system, removing the comment character (#) in the lines related to
     Win32. Then type:
        nmake
     This should create an executable called junkbstr.exe. For information
     on issues with various compilers, see the Distribution Information
     page.
  3. Run the executable with the command:
        junkbstr
     (Click on the icon with that name that looks like a terminal, not like
     a notepad.) The program will produce a message indicating that it has
     started and is ready to serve.

     (Version 2.0.1 and above uses the file junkbstr.ini as the config file
     if it exists and no argument was given. If you have an earlier version
     or if you want it to use a different config file, simply specify that
     file as the argument.)
  4. Configure your browser (described above).
  5. Check the proxy is working (described below).
  6. To have the proxy start itself automatically when you login to Win95,
     drop the ``shortcut'' to the junkbstr executable into the StartUp
     folder:
        C:\Windows\Start Menu\Programs\StartUp
     You might want to change the shortcut's Properties->Shortcut to Run:
     Minimized. If you specify the hide-console option then the DOS window
     will vanish after it starts.

     WinNT users can put it into their own StartUp folders or the
     Administrator can put it into the system's global StartUp folder. For
     details on how to make this a service under NT see our Windows page.

 [Feedback]   How do I check that the proxy is working?

Pick a page from somewhere (such as your bookmarks, or just one that your
browser was pointing to) and Reload it. If you get a message along the
lines of ``server not responding, using cached copy instead,'' see the
advice above. If the page reloads OK, check that your browser is actually
talking to the proxy by going to
http://internet.junkbuster.com/cgi-bin/show-proxy-args or any URL ending in
show-proxy-args (as described below, the proxy should intercept the
request.) When you see ``Internet Junkbuster Proxy Status,'' you'll know
it's working.

 [Feedback]   How and why would I have this proxy chained with other
proxies?

You may need the forwarding feature to ``daisy chain'' the Internet
Junkbuster to another proxy, perhaps an anonymizing proxy to conceal your
IP address, or a caching proxy from your ISP, or a firewall proxy between
your company and the outside world. Version 2.0 and above can be even
configured to forward selectively according to the URL requested: for
example, connecting directly to trusted hosts, but going through an
anonymizing or firewall proxy for all other hosts.

Network administrators might use it to provide transparent access to
multiple networks without modifying browser configurations. Most browsers
also provide a way of specifying hosts that the browser connects to
directly, bypassing the proxy. Some provide a method for Automatic Proxy
Configuration. A well written Internet Junkbuster configuration can be much
more flexible and powerful.

An ISP's caching proxy would typically be called something like
cache.your-isp.net:8080 (as described on you ISP's web page); you would put
this information in your forwardfile as described in our manual. Your
browser would be configured to the Internet Junkbuster for HTTP and
Security Proxies as before, but you probably want to tell it to use the
caching proxy for FTP and other protocols. If your ISP is running the
Internet Junkbuster for you, they have probably already decided whether to
chain with a caching proxy.

 [Feedback]   How does the Internet Junkbuster work with SOCKS gateways?

There is support for some gateways in Version 1.4 and above. The gateway
protocol used to be specified on the command line; it is now specified in
the same file as forwarding. Note that the browser's proxy configuration
must not specify a SOCKS host; it should specify the proxy as described
above.

 [Feedback]   How do I configure it to be just a plain old proxy?

To get the proxy to do as little as possible (which means not deleting any
sensitive headers), place in your configuration file the following three
lines (each ending in a space then a period) to stop it changing sensitive
headers:
   referer .
   from .
   user-agent .
   cookiefile mycookiefile
The fourth line is also needed to specify a cookiefile that might be called
mycookiefile containing a single line with a * character, to allow all
cookies through.

 [Feedback]   How do I shut down the proxy (to restart it)?

It depends on your platform.

   * Under Windows, you can click on the "X" button at the top right of the
     DOS window (and answer Yes when Windows warns you it cannot shut down
     the program automatically), or use Ctrl-Break or the old
     three-fingered salute of Ctrl-Alt-Delete and select End Task.
   * Under UNIX  you'll need to kill the junkbuster process. If you don't
     know the process number to give to kill, try this:
        ps ax | grep junkbuster

                       [--- Back to Top of Page ---]

                         Information for companies

 [Feedback]   What do advertising companies think of this kind of
technology?

We've seen only a few public comments from the advertising industry on
this, other than SEC filings. First, the president of the Internet
Advertising Bureau told CNET that he wasn't worried by banner blockers.
Second, after the Federal Trade Commission's workshop where we gave a live
demonstration of our proxy before many eminent representatives of the
industry, the Direct Marketing Association made the following statement in
the closing paragraphs of their summary comments to the Commission.

     Clever shareware developers have come up with products that can
     obliterate cookies and advertisements for those consumers who
     have these concerns. The Internet is a market that is so
     democratic and flexible that it is easy for companies and
     software developers to respond to a perceived market need.

Their attitude seems to be that they would prefer that people use technical
solutions to protect their privacy than have protections imposed by
legislation or government regulations. So, do you perceive a market need?
Then here are some ways to flex your democratic muscles.

 [Feedback]   Should we provide the Internet Junkbuster for our employees?

That depends. Try this quick three-point test.

  1. Do you want to spend your communications budget on bandwidth that
     wastes your employees' time by forcing them to wait for a lot of
     annoying distractions while they're trying to do their jobs?
  2. Do you want current and potential vendors to know quantitative details
     about the software and hardware platforms that you have?
  3. Do you want your competitors to be able to track exactly which of your
     employees are checking out their web sites?

If the answer to all three questions is yes, then you probably don't have
any need for this kind of product.

 [Feedback]   Can our company get commercial support for the software?

Yes, ask us for a quote on a maintenance contract with your choice of phone
and email support, hard copy documentation, source code and pre-compiled
binaries on tape or disk, and email alerting of upgrades and issues. We
also offer consulting services to help set up ``stealth browsing''
capabilities to help reduce the footprints left while doing competitive
analysis and other Web work where confidentiality is critical.

 [Feedback]   I run an ISP. What issues should I consider before offering
it?

Many ISPs who offer the proxy to their customers have told us that most of
their customers are delighted with it (although one reported that a
customer complaint that without banner ads, surfing was like reading a
novel: we recommend making it optional). Many ISPs like it because it
reduces bandwidth requirements. To help get you started, here's a checklist
we've developed from working with a few ISPs. You may think of more, and
we'd be interested if you're willing to share them with us.

  1. If you get more than one request for the Internet Junkbuster you may
     want to tell your customers on your News page that you already know
     about it and are assessing it.
  2. Try the software and verify that it performs satisfactorily.
  3. Determine whether your customers perceive the service as valuable (and
     therefore worth the time to set up). We've had reports of many
     delighted customers.
  4. Assess the level of security associated with the software. If access
     is to be restricted (to just dial-in ports, for example) how is this
     to be done?
  5. Consider whether to expect any additional load on computing resources
     required, and any change in use of bandwidth due to the blocking of
     large GIFs.
  6. Choose the options you wish to provide.
  7. Decide whether you want to offer a choice of configurations, such some
     of these four.
       A. Banners Blocked, Wafer with No-Cookie-Copyright notice
       B. Cookies not stopped (cookiefile with just a * in it), User Agent
          specified as Lynx
       C. Cookies from browser allowed, permitting registered services
       D. A proxy for kids.
     If you run a caching proxy, decide whether the Internet Junkbuster
     will chain with it by default, and whether to offer an alternate with
     no caching. (Some ISPs don't, because they want to give customers an
     incentive to use caching and save bandwidth.)
  8. Decide on a naming scheme for your proxies. If you're running only one
     proxy on one machine, the simplest way is to just use port 8000 on
     your main machine, such as our-isp.net. But it would probably be safer
     to put an entry in your name server and call it something like
     junkbuster.our-isp.net. If running several proxies, you could either
     use different ports on the same machine, or if you have the
     opportunity to distribute the load over a few machines you could use
     different hostname aliases such as banner.junkbuster.our-isp.net,
     lynx.junkbuster.our-isp.net and oneway.junkbuster.our-isp.net
     (corresponding to the examples in the previous point). You may want to
     set up Automatic Proxy Configuration.
  9. Prepare a page explaining the Internet Junkbuster to your customers.
     Here's are some examples from Australia, Germany, Florida, New
     York/New Jersey/Pennsylvania, North Carolina, Texas, and Utah. You are
     welcome to copy and modify material from Junkbusters according to the
     GPL. You might want to set up a process to check this page
     periodically and update it when it changes. (A few links can probably
     serve as well as lot of copying however.) A typical page would
     probably specify the following.
        * A brief explanation stating what the Internet Junkbuster does,
          with a link to this page.
        * The addresses of the proxy or proxies, with their port number(s).
        * The options used, and how to view the contents of the blockfile
          (which you can place on your web pages, preferably in a file
          called blocklist.html or blocklist.txt).
        * An indication of whether suggestions for the blocklist are
          considered, and if so, how to submit them: to a particular email
          address, via web-based form, etc.
        * Instructions on how to configure a browser. You may want to
          include details for only the two major browsers and leave the
          others to a link.
        * Procedures on how to report problems, give feedback etc.
 10. Invite a small number of technologically sophisticated customers to
     beta-test the service.
 11. Announce general availability on your ``News'' page. Tell us if you
     would like to be included on a list of ISPs offering the Internet
     Junkbuster.

 [Feedback]   What's a Proxy Server Server and how can I make money as one?

Other organizations with web presence and some bandwidth to spare can set
up as Proxy Server Servers (PS2s). The idea here is to allow users to
choose their proxy configuration, and provide it to them on a
semi-permanent basis. Users would fill in a form specifying what options
they want in their proxy, possibly even at a very high level, such as ``no
ads'' or ``no nudity.'' This information is sent to a CGI script that
configures a proxy, starts it running, and returns its address and port
number (possibly along with configuration instructions for the browser that
the user specified.)

Users could be charged a subscription fee, or the service could be thrown
in free in the hope of improving customer retention for some existing
business (which is what ISPs are doing). It might be possible to make money
by inserting new ads in the holes left where others were blocked, but the
original owners might object. PS2s could differentiate themselves by
providing frequently updated and comprehensive blocking of ads, or of
offensive material based on their own grading system. Some content
providers might do it for the chance to be the only company that the
consumer permits to set cookies. (Identification could even be done via
cookies, but this might not be popular with the kind of user who wants a
proxy.) PS2s might sell specific or aggregate information about their
users' browsing habits, so the agreement with users on whether they are
permitted to do this would be important to both sides.

If your organization establishes a Proxy Server Service you would like
publicized, please notify us.

                       [--- Back to Top of Page ---]

                                 Blocking

 [Feedback]   Where can I get an example blockfile that stops most ads?

The sample blockfile we provide blocks almost nothing, and we do not
publish blockfiles that stop almost all banner ads. But others have; you
can find them by asking Google. You can add any part of the new file to
your old one (probably called sblock.ini if you haven't changed the default
name in the latest version) or your just replace it completely. You
probably don't need to restart the proxy.

If you develop an interesting blocklist and publish it on the Web, you
might want to include the word ``junkbuster'' in it and use the word
``blocklist'' in the file name given in the URL so that others can find it
with the query given in the previous sentence.

 [Feedback]   If I see an ad I wish I hadn't, how do I stop it?

If your ISP is running the Internet Junkbuster, they should have a policy
on whether they accept suggestions from their customers on what to block.
Consult their web page.

If you are running the Internet Junkbuster yourself, you have complete
control over what gets through. Just add a pattern to cover the offending
URL to your blockfile. Version 1.3 and later automatically rereads the
blockfile when it changes, but if you're running an earlier version you'll
have to stop it and restart it.

To choose a pattern you'll first need to find the URL of the ad you want
cover.

Some people use the debug 1 option to display each URL in a window as the
request is sent to the server. It's then usually an easy task to pick the
offending URL from the list of recent candidates.

Alternatively, you can use View Document Info (or View Document Source if
your browser doesn't have that). The Info feature has the advantage of
showing you the full URL including the host name, which may not be
specified in the source: there you might see something like
SRC="/ads/click_here_or_die.gif" indicating only the path. (The host name
is assumed to be the same as the one the page came from.)

But ads often come from a different site, in which case you might see
something like SRC="grabem.n.trackem.com/Ad/Infinitum/SpaceID=1666" or
longer. If the company looks like a pure ad warehouse (as in the last
case), you may want to place just its domain name in the blockfile, which
blocks all URLs from that site.

If the ad comes from a server that you really want some content from, you
can include enough of the path to avoid zapping stuff you might want. In
the first example above, /ads/ would seem to be enough. If you don't
include the domain name, the pattern applies to all sites, so you don't
want such patterns to be too general: for example /ad would block
/admin/salaries/ on your company's internal site.

To speed the blocking of images, some UNIX  users create a shell script
called Image: containing a line such as echo $1 | sed s/http:..// >>
$HOME/lib/blockfile that adds its argument to the user's blockfile. Once an
offending image has been be found using View Document Info it's easy to
cut-and-paste the line (or part of it) into a shell window. The same script
can be linked to a file called Frame: to dealing with framed documents, and
junkbuster: to accept the output of the debug option.

When compiled without the regular expressions option, the Internet
Junkbuster uses only very simple (and fast) matching methods. The pattern
/banners will not stop /images/banners/huge.gif getting through: you would
have to include the pattern /images/banners or something that matches in
full from the left. So you can get what you want here, the matcher
understands POSIX regular expressions: you can use /*.*/banners to block
and any URL containing /banners (even in the middle of the path). (In
Versions 1.1 through 1.4 they were an option at compile time; from Version
2.0 they have become the default.) Regular expressions give you many more
features than this, but if you're not already familiar with them you
probably won't need to know anything beyond the /*.*/ idiom. If you do, a
man egrep is probably a good starting point).

Don't forget the / (slash) at the beginning of the path. If you leave it
out the line will be interpreted as a domain name, so ad would block all
sites from Andorra (since .ad is the two-letter country code for that
principality).

For a detailed technical description of how pattern matching is done, see
the manual.

 [Feedback]   How come this ad is still getting through anyway?

If the ad had been displayed before you included its URL in the blockfile,
it will probably be held in cache for some time, so it will be displayed
without the need for any request to the server. Using the debug 1 option to
show each URL as it is fetched is a good way to see exactly what is
happening.

If new items seem to be getting through, check that you are really running
the proxy with the right blockfile in the options. Check the blockfile for
exceptions.

Some sites may have different ways of inserting ads, such as via Java. If
you have ideas on how to block new kinds of junk not currently covered,
please tell us.

 [Feedback]   How do I stop it blocking a URL that I actually want?

You can change the patterns so they don't cover it, or use a simple feature
in Version 1.1 and later: a line beginning with a ~ character means that a
URL blocked by previous patterns that matches the rest of the line is let
through. For example, the pattern /ad would block /addasite.html but not if
followed by ~/addasite in the blockfile. Or suppose you want to see
everything that comes from a site you like, even if it looks like an ad:
simply put ~aSiteYouLike.com at the end of the blockfile. (Order is
important, because the last matching line wins.)

As well as unblocking pages that were unintentionally blocked, this feature
is useful for unblocking ads from a specific source. This might be because
you are interested in those particular ones, or if you have an explicit
agreement to accept certain ads, such as those from a free web-based email
provider.

If you want to find out exactly which pattern in the blockfile a given URL
matched, just click on the words ``Internet Junkbuster'' which are
displayed alone on a page when your browser requests a blocked URL. The
proxy displays a message that pinpoints the pattern for you.

 [Feedback]   Can I block sites I don't want my children to see?

Yes, but remember that children who are technically sophisticated enough to
use the browsers' proxy configuration options could of course bypass any
proxy. This kind of technology can be used as a gentle barrier to remind or
guide the child, but nobody should expect it to replace the parent's role
in setting and enforcing standards of online behavior for their children.

Some ISPs are starting to provide specialized proxies to protect children.
There are two basic approaches: the ``black list'' and the ``white list''
approach. The black list approach allows the child to go anywhere not
explicitly prohibited; the white list permits visits only to sites
explicitly designated as acceptable.

It's very easy for anyone to compile a white list from a page of
``recommended kids sites'' and to configure an Internet Junkbuster to allow
access to those sites only. (If you publish such a list on the web, please
tell us its URL). Assuming your version isn't an old one without regex, you
can place a * (asterisk) as the first line of the blockfile (which blocks
everything), and then list exceptions after that. Be careful to make the
exception sufficiently broad: for example, using
~www.uexpress.com/ups/comics/ch/ as the exception for Calvin and Hobbes
would block some of the graphic elements on the page; you would probably
want a wider exception such as ~www.uexpress.com/ups/ to permit them.

Version 2.0 has an experimental feature to permit only sites mentioned in a
nominated trusted site. This allows organizations to build lists of sites
for kids to browse, and the software automatically restricts access to
those on the list.

Many filtering products actually scan for keywords in the text of pages
they retrieve before presenting it, but the Internet Junkbuster does not do
this. Building a perfectly reliable black list system is hard, because it's
very difficult to state in advance exactly what is obscene or unsuitable.
For more info see our links page.

 [Feedback]   What do I see when a page or graphic is blocked by the proxy?

You usually see a broken image icon, but it depends on several factors
beyond the proxy's control. If asked for a URL matching its blockfile, the
proxy returns an HTML page containing a message identifying itself
(currently the two words ``Internet Junkbuster'') with a status 202
(Accepted) instead of the usual 200 (OK). (Versions 1.X returned an error
404: Forbidden, which caused strange behavior in some cases.) Status 202 is
described in the HTTP RFC as indicating that the request has been accepted
but not completed, and that it might complete successfully in the future
(in our case, if the blockfile were changed).

The broken image icon is most common because the browser is usually
expecting a graphic. But if it was expecting text, or if the page happens
to be using certain HTML extensions such as layer and your browser is a
late model from Microsoft, you may see the words ``Internet Junkbuster''
displayed as a hot link.

Clicking on the link takes you to an explanation of the pattern in the
blockfile that caused the block, so that you can edit the blockfile and go
back and reload if you really want to see what was blocked. The explanatory
link is generated by the proxy and is automatically intercepted based on
its ending in ij-blocked-url; even though the site is specified as
http://internet.junkbuster.com no request should actually made to that
site. If one is, it means that the proxy was been removed after it
generated the link.

To summarize: the identifying link to the blocking explanation is usually
turned into a broken image icon, but it may be displayed on a page alone,
or they may may be restricted to the particular frame, layer or graphic
area specified in the page containing them. The proxy has no way of knowing
the context in which a URL will be used and cannot control how the blocking
message will be rendered.

 [Feedback]   Why not replace blocked banners with something invisible?

Many users have suggested to us that blocked banners should be replaced by
a something like a 1x1 transparent GIF to make the page would look as if
there was nothing ever there. Apart from making it harder to catch
unintended blocking, this might also displease the owners of the page, who
could argue that such a change constitutes a copyright infringement. We
think that merely failing to allow an included graphic to be accessed would
probably not be considered an infringement: after all this is what happens
when a browser is configured not to load images automatically. However, we
are not lawyers, so anyone in doubt should take appropriate advice.

In a context where the copyright issue is resolved satisfactorily, a proxy
could simply return a status 301 or 302 and specify a replacement URL in a
Location and/or URI header. An alternative would be to use inline code to
return a 1 x 1 clear GIF. We do not publish sample code for this, and we
have no way of stopping others who have.

 [Feedback]   Why not block banners based on the dimensions of the image?

Many users have pointed out that most banner ads come in standard sizes, so
why not block all GIFs of those sizes? This would theoretically be without
fetching the object because the dimensions are usually given in the IMG
tag, but it would require substantial changes in the code, and we doubt
whether it would be much more effective than a good block list.

 [Feedback]   What about non-graphic advertising within the pages I want?

The Internet Junkbuster deliberately does not provide a way of
automatically editing the contents of a page, to remove textual advertising
or to repair the holes left by blocked banners. Other packages such as
WebFilter do.

For the same reason, it has no way of stopping a new browser window being
created, because this is done through the target attribute in the <a> and
<base> elements, not through headers. Nor do we plan to add a feature to
paralyze animated GIFs.

 [Feedback]   Does it block ads on the broadcasting ``push'' systems? How
about pop-up ads?

We haven't tried it but we expect it would probably work on image ads on
push channels. See also adchoice.

Disabling Javascript stops some pop-up ads. One problem is that some
advertisers throw open a new browser window to frame the ad. The ad is
easily blocked, but the empty window remains. You can kill it easily, but
this is a chore. We don't see how to stop them other than editing the HTML
from the parent window, which we don't like to do.

The TBTF newsletter warned subscribers to push information that in IE4,
LOGTARGET allows servers to determine the URLs viewed at their site even if
accessed from cache or through a proxy. If you use this browser see our
instructions on how to disable this.

If you find you have experience using the proxy with push, or have any
other advice about it, please tell us.

                       [--- Back to Top of Page ---]

                                  Cookies

For background information on cookies see our page describing their
dangers.

 [Feedback]   Might some cookies still get through? How can I stop them?

Yes, you should expect the occasional cookie to make it through to your
browser. We know of at least three ways this can happen; please tell us if
you find any others. One way is in secure documents, which are explained
below.

A few sites set cookies using a line such as <META HTTP-EQUIV="Set-Cookie"
CONTENT="flavor=chocolate"> in the HEAD section of an HTML document.
Cookies can also be set and read in JavaScript. To see if this is happening
in a document, view its source, look in the head for a section tagged
script language="JavaScript". If it contains a reference to
document.cookie, the page can manipulate your cookie file without sending
any cookie headers. The Internet Junkbuster does not tamper with these
methods. Fortunately they are rarely used at the moment. If a cookie gets
set, it should be stopped by the proxy on its way back to the server when a
page is requested, but it can still be read in Javascript.

To prevent cookies breaking through, always keep cookie alerts turned on in
your browser, and disable Java and Javascript. Making the files hard to
write may also help.

 [Feedback]   Exactly how do cookies get created and stored anyway?

When a web site's server sends you a page it also sends certain ``header
information'' which your browser records but does not display. One of these
is a Set-Cookie header, which specifies the cookie information that the
server wants your browser to record. Similarly, when your browser requests
a page it also sends headers, specifying information such as the graphics
formats it understands. If a cookie has previously been set by a site that
matches the URL it is about to request, your browser adds a Cookie header
quoting the previous information.

For more background information on how cookies can damage your privacy, see
our page on cookies. For highly detailed technical information see the RFC.
The Internet Junkbuster will show you all headers you use the debug 8
option, or you can get a sample from our demonstration page.

 [Feedback]   If cookies can't get through, will some things stop working
for me?

Possibly. Some personalized services including certain chat rooms require
cookies. Newspapers that require registration or subscription will not
automatically recognize you if you don't send them the cookie they assigned
you. And there are a very small number of sites that do strange things with
cookies; they don't work for anyone that blocks cookies by any means. Some
sites such as Microsoft explain that their content is so wonderfully
compelling that they will withhold it from you unless you submit to their
inserting cookies.

If you want such sites to be given your cookies, you can use the cookiefile
option provided you are running Version 1.2 or later yourself. Simply
include the domain name of those sites in the cookiefile specified by this
option. If it still doesn't work, the problem may be in other headers.

It's possible to let cookies out but not in, which is enough to keep some
sites happy, but not all of them: one newspaper site seems to go into an
endless frenzy if deprived of fresh cookies. A cookiefile containing a
single line consisting of the two characters >* (greater-than and star)
permits server-bound cookies only. The * is a wildcard that matches all
domains.

If someone else is running the Internet Junkbuster for you and has a
version that passes server-bound cookies through, you can try editing your
browser's cookie file to contain just the ones you want, and restart your
browser. To subscribe to a new service like this after you have started
using the Internet Junkbuster, you can try the following: tell your browser
to stop using the Internet Junkbuster, fill out and submit your
subscription details (allowing that web site to set a cookie), then
reconfigure your browser to use the Internet Junkbuster again (and stop
more cookies being sent). This also requires the cookiefile option, and its
success depends on the Web site not wanting to change your cookies at every
session. For this reason it does not work at some major newspaper sites,
for example. But you may prefer to look at whether other sites provide the
same or better services without demanding the opportunity to track your
behavior. The web is a buyer's market where most prices are zero: very few
people pay for content with money, so why should you pay with your privacy?

 [Feedback]   Can I control cookies on a per-site basis?

Yes, since version 1.2 the Internet Junkbuster has included advanced cookie
management facilities. Unless you specify otherwise, cookies are discarded
(``crumbled'') by the Internet Junkbuster whether they came from the server
or the browser. In Version 1.2 and later you can use the cookiefile option
to specify when cookies are to be passed through intact. It uses the same
syntax and matching algorithm as the blockfile.

If the URL matches a pattern in the cookiefile then cookies are let through
in both the browser's request for the URL and in the server's response.
One-way permissions can be specified by starting the line with the > or <
character. For example, a cookiefile consisting of the four lines
   org
   >send-user-cookies.org
   <accept-server-cookies.org
   ~block-all-cookies.org
allows cookies to and from .org domains only, with the following
exceptions:

  1. Cookies sent from servers in the domain send-user-cookies.org are
     blocked on their way to the client, but cookies sent by the browser to
     that domain are still be fed to them.
  2. The cookies of accept-server-cookies.org check in to the proxy and are
     passed through to the browser, but when they come back to the proxy
     they never check out.
  3. All cookies to and from block-all-cookies.org are blocked.

If the junkbuster was compiled with the regular expressions option they may
be used in paths. Any logging to a ``cookie jar'' is separate and not
affected.

It's important to give hosts you want to be able to set cookies sufficient
breadth. For example, instead of www.yahoo.com use yahoo.com because the
company uses many different hosts ending in that domain.

 [Feedback]   Can I make up my own fake cookies (wafers) to feed to
servers?

Yes, using the wafer option. We coined the term wafer to describe cookies
chosen by a user, not the Web server. Servers may not find wafers as tasty
as the cookies they make themselves. But users may enjoy controlling
servers' diets for various reasons, such as the following.

   * Users who consider cookies to be an unwelcome intrusion and a waste of
     their disk space can respond in kind. By writing ``signature wafers''
     they can express their feelings about cookies, in a place that the
     people in charge of them are most likely to notice.
   * Sites running a proxy that logs cookies to a file (such as the
     Internet Junkbuster does with the jarfile option on) may want to
     notify servers that their cookies are being intercepted, deleted or
     copied. One possible reason for doing this is the uncertain copyright
     status of cookie strings. Nothing here should be taken as legal
     advice: we are simply raising a question for any interested parties to
     consider, and make no representation that such measures are necessary
     or sufficient. Concerned proxy sites might decide to send a wafer
     (named ``NOTICE'' for example) containing text along the lines of the
     following.

          TO WHOM IT MAY CONCERN

          Do not send me any copyrighted information other than the
          document that I am requesting or any of its necessary
          components.

          In particular do not send me any cookies that are subject to
          a claim of copyright by anybody. Take notice that I refuse
          to be bound by any license condition (copyright or
          otherwise) applying to any cookie.

     Any company that tries to argue in court that the proxy site was
     breaching their copyright in the cookies would be met with the defense
     that the proxy site gave that company the opportunity to protect its
     copyright by simply not sending cookies after receiving the notice.

     Cookies can be as long as four thousand characters, so there's plenty
     of space for lawyerly verbosity, but white space, commas, and
     semi-colons are prohibited. Spaces can be turned into underscores.
     Alternatively, a URL could be sent as the cookie value, pointing to a
     document containing a notice, perhaps with a suggestive value such as
     http://www.junkbusters.com/ht/en/ijbfaq.html#licenses_on_cookies_refused

     But including the notice directly would probably be preferable because
     the addressee does not have to look it up.

     The Internet Junkbuster 2.0.2 currently sends a full notice as a
     ``vanilla wafer'' if cookies are being logged to a cookie jar and no
     other wafers have been specified. It can be suppressed with the
     suppress-vanilla-wafer option, which might be used in situations where
     there is an established understanding between the proxy and all who
     serve it.

Junkbusters provides a CGI script that lets you see your wafers as they
appear to servers.

Wafers confuse a few fragile servers. If this troubles you, don't use this
option.

Any wafers specified are sent to all sites regardless of the cookiefile.
They are appended after any genuine cookies, to maintain compliance with
RFC 2109 in the event that a path was specified for a cookie. The RFC's
provisions regarding the $ character (such as the Version attribute) are
transparent to the proxy; it simply quotes what was recited by the browser.

If you want to send wafers only to specific sites, you could try putting
them your browser's cookie file in a format conforming to the Netscape
specification, and then specify in the proxy's cookiefile that cookies are
to be sent to but not accepted from those sites, so they can't overwrite
the file. This may work with Netscape but not all other browsers.

 [Feedback]   Why would anyone want to save their cookies in a ``cookie
jar?''

We provided this capability just in case anyone wants it. There are a few
possible reasons.

   * It's conceivable that marketing companies might one day buy history
     files and cookie jars from consumers in the same way that they
     currently pay them to fill out survey forms. With this information
     they could gather psychographic information, see which competitors'
     sites the consumer has visited, and discover what advertising is being
     targeted at them.
   * Some consumers might employ semi-automated means of sorting through
     their cookie jars, selecting which ones to place in their cookies file
     for use by their browsers. Their decisions could be based on payments
     offered, privacy rating systems such as TRUSTe proposes, or their own
     opinion of the company. It could be done manually or with software.
     There's an Internet Draft on trust certification of cookies.
   * Users may even start ``sharing'' cookies among themselves, sending
     back cookies that servers generated for other visitors. Servers that
     aren't expecting this possibility will be misled about their visitors'
     identities. Cookies could be shared among users on a single machine,
     or across continents via FTP and anonymous remailers. Privacy
     activists may promote cookie disinformation campaigns as a way to
     defend the public against abuse. If a significant percentage of people
     send disinformative cookies, user tracking via cookies may become less
     reliable and less used.

                       [--- Back to Top of Page ---]

                                 Anonymity

For details on how your identity can be revealed while you surf, see our
page on privacy. Once you start using the Internet Junkbuster you should
find that much of the information previously indicated on that page will no
longer be provided. If the REMOTE HOST indicating your IP address is too
close for comfort, see our suggestions below on how to conceal your IP
address. We also recommend that you disable JavaScript and Java.

 [Feedback]   If I use the Internet Junkbuster, will my anonymity be
guaranteed?

No. Your chances of remaining anonymous are improved, but unless you are an
expert on Internet security it would be safest to assume that everything
you do on the Web can be attributed to you personally.

The Internet Junkbuster removes various information about you, but it's
still possible that web sites can find out who you are. Here's one way this
can happen.

A few browsers disclose the user's email address in certain situations,
such as when transferring a file by FTP. The Internet Junkbuster 2.0.2 does
not filter the FTP stream. If you need this feature, or are concerned about
the mail handler of your browser disclosing your email address, you might
consider products such as NSClean.

Browsers downloaded as binaries could use non-standard headers to give out
any information they can have access to: see the manufacturer's license
agreement. It's impossible to anticipate and prevent every breach of
privacy that might occur. The professionally paranoid prefer browsers
available as source code, because anticipating their behavior is easier.

 [Feedback]   Why should I trust my ISP or Junkbusters with my browsing
data?

You shouldn't have to trust us, and you certainly don't have to. We do not
run the proxy as a service, where we could observe your online behavior. We
provide source code so that everyone can see that the proxy isn't doing
anything sneaky.

You are already trusting your ISP not to look at an awful lot of
information on what you do. They probably post a privacy policy on their
site to reassure you. If they run a proxy for you, using it could actually
make it slightly easier for them to monitor you, but we doubt that any sane
ISP would try this, because if it were discovered customers would desert
them.

 [Feedback]   Can the proxy be used for logging who looks at what?

We don't want institutions to use this software as an instrument of
surveillance. We have deliberately not provided options to add timestamps
or records of which IP addresses accessed which URLs. However, because we
publish source code anyone can modify it to do such things, and there is no
way a remote user can find out if this is happening. Again, you need to be
able to trust the entity providing your proxy service, but you were
probably in that position even before using a proxy.

 [Feedback]   What private information from server-bound headers is
removed?

The Internet Junkbuster pounces on the following HTTP headers in requests
to servers, unless instructed otherwise in the options.

   * The FROM header, which a few browsers use to tell your email address
     to servers, is dropped unless the from option is set.
   * The USER_AGENT header is changed to indicate that the browser is
     currently Mozilla (Netscape) 3.01 Gold with an unremarkable Macintosh
     configuration. Misidentification helps resist certain attacks. If your
     browser and hardware happen to be accurately identified, you might
     want to change the default. (Earlier versions of the Internet
     Junkbuster indicated different details; by altering them periodically
     we aim to hinder anyone trying to infer whether our proxy is present.)
     If you don't like the idea of incorrectly identifying your computer as
     a Mac, set it accordingly.
   * The REFERER header (which indicates where the URL currently being
     requested was found) is dropped. A single static referer to replace
     all real referers may be specified using the referer option. Where no
     referer is provided by the browser, none is added; the add-header
     option with arguments such as -x 'Referer: http://me.me.me' can be
     used to send a bogus referer with every request.

In Version 1.4 and later you can use the -r @ option to selectively
disclose REFERER and USER_AGENT to only those sites you nominate.

Some browsers send Referer and User-Agent information under different
non-standard headers. The Internet Junkbuster 2.0.2 stops UA headers, but
others may get through. This information is also available via JavaScript,
so disable disable it. Some search engines encode the query you typed in
the URL that goes to advertisers to target a banner ad at you, so you will
need to block the ad as well as the referer header, unless you want them
(and anyone they might buy data from) to know everything you ever search
for.

If you have JavaScript enabled (the default on most browsers) servers can
use it to obtain Referer and User Agent, as well as your plug-ins. We
recommend disabling JavaScript and Java.

Currently no HTTP response headers (browser bound) are removed, not even
the Forwarded: or X-Forwarded-For: headers. Nor are any added, unless
requested. We are considering a more flexible header management system for
a future version.

 [Feedback]   Might some things break because header information is
changed?

Possibly. If used with a browser less advanced than Netscape 3.0 or IE-3,
indicating an advanced browser may encourage pages containing extensions
that confuse your browser. If this becomes a problem upgrade your browser
or use the user-agent option to indicate an older browser. In Version 1.4
and later you can selectively reveal your real browser to only those sites
you nominate.

Because different browsers use different encodings of Russian and Czech
characters, certain web servers convert pages on-the-fly according to the
User Agent header. Giving a User Agent with the wrong operating system or
browser manufacturer causes some sites in these languages to be garbled;
Surfers to Eastern European sites should change it to something closer.

Some page access counters work by looking at the referer; they may fail or
break when deprived.

Some sites depend on getting a referer header, such as uclick.com, which
serves comic strips for many newspaper sites, including Doonsbury for the
Washington Post. (If you click on that last link, you can then get to a
page containing the strip via the same URL we've linked to under Doonsbury,
but if you click on the Doonsbury link directly, it gives you an error
message suggesting that you use a browser that supports referers.) In
Version 1.4 and later you can use the -r @ option and place a line like
>uclick.com in your cookiefile. Wired News used to use referer to decide
whether to add a navigation column to the page, but they have changed that.

The weather maps of Intellicast have been blocked by their server when no
referer or cookie is provided. You can use the same countermeasure with a
line such as >208.194.150.32 (or simply get your weather information
elsewhere).

Some software vendors, including Download.com and Intuit use USER_AGENT to
decide which versions of their products to display to you. With the default
you get Mac versions.

As a last resort if a site you need doesn't seem to be working, the proxy
configuration of many browsers allow you to specify No Proxy For any
hostname you want.

We had reports that on some versions of Netscape the What's New feature did
not work with the proxy, but we think we fixed this in Version 2.0.1.

 [Feedback]   How is misidentifying my browser good for security and
privacy?

Almost every major release of both leading browsers has contained bugs that
allow malicious servers to compromise your privacy and security. Known bugs
are quickly fixed, but millions of copies of the affected software remain
out there, and yours is probably one of them. The header that normally
identifies your browser tells such servers exactly which attacks to use
against you. By misidentifying your browser you reduce the likelihood that
they will be able to mount a successful attack.

 [Feedback]   Does the Internet Junkbuster conceal my IP address?

Web sites get the IP address of any proxy or browser they serve pages to.
If you run the proxy on your own computer the IP address disclosed is the
same as your browser would, unless you use the forwardfile option is used
to chain to another proxy, in which case servers only get the last IP
address in the chain. Chaining slightly slows browsing of course, but it
improves anonymity.

One public proxy that you can forward to is lpwa.com port 8000. Read about
its privacy-enhancing features and the authentication procedures first, and
note that it blocks referer in almost all cases, as well as some other
headers.

 [Feedback]   How can I set the proxy to remember my LPWA password?

After you log in to LPWA it tells your browser to send a
Proxy-authorization header with each request. Whenever you shut down the
browser and start again with a new browser, you need to log in again. If
you are the only person using the Internet Junkbuster proxy, you can avoid
repeated logins to LPWA by telling the Internet Junkbuster to send the
information by placing a line such as
   add-header Proxy-authorization: Basic ZHVtbXk=.
in the configuration file. The exact example above does not work because
the code ZHVtbXk=. is a bogus one that LPWA would never generate; follow
the procedure below to generate a valid one.

  1. Restart your Internet Junkbuster with debug 8 so you can see the
     headers.
  2. Log in to LPWA and go to any other site.
  3. Find the Proxy-authorization header from the debug output and paste it
     after the word add-header into the config file. Also change the debug
     value back again.
  4. Shut down your browser, start it up again, and restart the proxy. Test
     that it works.

This trick is convenient for sole users, but is not suitable when more than
one person uses the proxy, because they will all get the same LPWA
identity.

 [Feedback]   Does the Internet Junkbuster thwart identification by identd?

We think so, provided you are not the user running the proxy. If your
computer (or your ISP's) is running the identd demon, servers can ask it
for the identity of the user making the request at time you request a page
from them. But if you're going through a proxy, they will identify the user
name associated with the proxy, not you. A visit to
http://ident.junkbusters.com lets you see what's happening. This test is
(quite rightly) blocked by many firewalls; just interrupt the transfer if
you get an abnormal wait after clicking. Running other applications may
also expose you via identd; the proxy of course doesn't help then.

 [Feedback]   Can web sites tell that I'm using the Internet Junkbuster?

With the default options the proxy doesn't announce itself. Obvious
indications such as Keep-Alive headers are deleted, but sites might notice
that you can cancel cookies faster than any human could possibly click on a
mouse. (If you want to provide a plausible explanation for this, change the
User Agent header to a cookie-free or cookie-crunching browser).

But when certain options are used they could figure out something's going
on, even if they're not pushing cookies. If you use blocking they can tell
from their logs that the graphics in their pages are not being requested
selectively. The add-forwarded-header option explicitly announces to the
server that a proxy is present, and sending them wafers is of course a dead
giveaway.

                       [--- Back to Top of Page ---]

                                 Security

 [Feedback]   What happens with Secure Documents (SSL, https:)?

If you enter a ``Secure Document Area,'' cookies and other header
information such as User Agent and Referer are sent encrypted, so they
cannot be filtered. We recommend getting your browser to alert you when
this happens. (On Netscape: Options; Security; General; Show an alert
before entering a secure document space.) We also recommend adding the line
:443 to the blockfile to stop all but sites specified in an exception after
that line from using SSL.

It may be possible to filter encrypted cookies by combining the blocking
proxy with a cryptographic proxy along the lines of SafePassage, but we
have not tried this.

 [Feedback]   Will using this as my Security Proxy compromise security?

We're not security experts, but we don't think so. The whole point of SSL
is that the contents of messages are encrypted by the time they leave the
browser and the server. Eavesdroppers (including proxies) can see where
your messages are going whether you are running a proxy or not, but they
only get to see the contents after they have been encrypted.

 [Feedback]   Can I restrict use of the proxy to a set of nominated IP
addresses?

Yes, we added an access control file in Version 2.0. But before you use it
please consider why you want to do it. If the reason is security, it
probably means you need a firewall.

The listen-address option provides a way of binding the proxy to a single
IP address/port. The right way to do this is to choose a port inside your
firewall, and deny access to it to those outside the firewall. The Internet
Junkbuster is not a firewall proxy; it should not be expected to solve
security problems.

For background information on firewalls, see Yahoo or a magazine article or
these well-known books: Firewalls and Internet Security: Repelling the Wily
Hacker by William R. Cheswick and Steven M. Bellovin or Building Internet
Firewalls by D. Brent Chapman and Elizabeth D. Zwicky. There's free Linux
software available, and a large number of commercial products and services.
For an excellent security overview, primer, and compendium reference, see
Practical Unix and Internet Security by Simson Garfinkel and Gene Spafford.

 [Feedback]   Are there any security risks for ISPs or others who offer the
proxy?

Yes. As with any service offered over the Internet, hackers can try to
misuse it. A well-run ISP will have professionals who are experienced at
assessing and containing these risks.

It's possible to set up your machine so that other people can have access
to your proxy, but if you lack expertise in computer security you probably
shouldn't have your computer configured to offer this or any other service
to the outside world.

Hackers can attempt to gain access to the machine by various attacks, which
we have tried to guard against but don't guarantee to thwart. They can also
use the ``anonymizing'' quality of proxies to try to cover their tracks
while hacking other computers. For this reason we recommend preventing it
being used as an anonymous telnet by putting the pattern :23 in the
blockfile (it's included as standard equipment). (Actually the current
implementation incidentally blocks telnet due to the way headers are
handled, but it's best not to rely on this.) If you wish to block all ports
except the default HTTP port 80, you can put the lines
   :
   ~:80
at the beginning of the blockfile, but be aware that some servers run on
non-default ports (e.g. 8080). You might also want to add the line ~:443 to
allow SSL.

On UNIX  systems it is neither necessary nor desirable for the proxy to
run as root.

Versions 2.0.1 and below may be vulnerable to remote exploitation of a
memory buffer bug; for security reasons all users are encouraged to
upgrade.

If you find any security holes in the code please tell us, along with any
suggestions you may have for fixing it. However, we do not claim that we
will be able to do so.

We distribute this code in the hope that people will find it useful, but we
provide no warranty for it, and we are not responsible for anyone's use or
misuse of it.

You may also want to check back periodically for updated versions of the
code. We do not currently maintain a mailing list. To get quick updates,
bookmark our Distribution Information page.

                       [--- Back to Top of Page ---]

Home  Next  Site Map  Legal  Privacy  Cookies  Banner Ads 
Telemarketing  Mail  Spam



Copyright  1996-9 Junkbusters  Corporation. Copying and distribution
permitted under the GNU General Public License. 1999/07/01
http://www.junkbusters.com/ht/en/ijbfaq.html
webmaster@junkbusters.com
