[nSLUG] Annoying Eastlink Notices

Gurjeet Clair gclair at espah.ca
Sun Feb 28 11:22:05 AST 2016


No prob. However from a professional POV I was wondering if it's possible
to grab a pcap of the session where a notice gets injected? I'd love to see
what's happening at that layer. As I'm no longer and Eastlink  I'm doubt
 I'm going to see this. I'm curious to see if there's any identifying hints
in the JavaScript that could be stripped out at maybe a squid layer.

On Sunday, 28 February 2016, Daniel AJ Sokolov <daniel at falco.ca> wrote:

> I've just figured it out, and they do as Gurjeet says: live JavaScript
> injection.
>
> http://24.222.0.93/dyn/bg/Movable_Copyright_Eastlink_v2/index.js?
>
> If I understand this correctly (and I'm not an expert), they load
> the abovereferenced javascript which changes the URL displayed in the
> browser to the URL of the original webpage, creates an iFrame, and
> finally adds HTML-code to the original HTML-page. This puts the text and
> link into the iFrame.
>
> I guess that it also checks the OS and does not insert the "notice" on
> Android and maybe other mobile OS.
>
> I do not use Citywide's DNS. For my testing, I've used Google's DNS.
>
> Yes, I can get around by using VPN and https. Thank you, Gurjeet.
>
> This is nasty.
> Daniel AJ
>
>
> On 2016-02-28 12:30 AM, Gurjeet Clair wrote:
> > If its city wides DNS you are using , it could be that is still fed by
> > eastlink upstream. I'd start with a switch to googles DNS. However I'm
> > fairly certain they are doing live http JavaScript injection. I'm going
> to
> > guess its AdPhonso . You can get around this with VPN or use https
> > everywhere. https://www.eff.org/HTTPS-EVERYWHERE
> >
> > On Sat, Feb 27, 2016 at 6:49 PM, Daniel AJ Sokolov <daniel at falco.ca
> <javascript:;>> wrote:
> >
> >> On 2016-02-27 at 18:32, Evan Lowry wrote:
> >>> https://en.wikipedia.org/wiki/DNS_hijacking
> >>>
> >>> I'm fairly certain, unless they've changed tactics.
> >>
> >> That's what I've found mentioned online, but I do not use the Eastlink
> >> DNS. So it has to be something different.
> >>
> >> BR
> >> Daniel AJ
> >>
> >>>
> >>> On Sat, Feb 27, 2016 at 6:29 PM, Daniel AJ Sokolov <daniel at falco.ca
> <javascript:;>
> >>> <mailto:daniel at falco.ca <javascript:;>>> wrote:
> >>>
> >>>     Hello,
> >>>
> >>>     this week, Eastlink has started to bombard me with copyright
> >>>     infringement notices under the "Notice and Notice"-regime of the
> >>>     Copyright Act.
> >>>
> >>>     However, they do not send emails. Rather, they insert these notices
> >> into
> >>>     (seemingly) random websites. It doesn't stop and blocks parts of
> the
> >>>     pages.
> >>>
> >>>     How do they do that? I can't find it in the source code.
> >>>
> >>>     I am not even a direct Eastlink customer, but a customer of their
> >>>     reseller Citywide Communications.
> >>>
> >>>     TNX
> >>>     Daniel AJ
> >>>
> >>>     PS: Needless to say, I did not infringe the Copyright. It is a scam
> >> by
> >>>     purported Copyright holders who want to bully us into paying
> >>>     "settlements".
> >>>     _______________________________________________
> >>>     nSLUG mailing list
> >>>     nSLUG at nslug.ns.ca <javascript:;> <mailto:nSLUG at nslug.ns.ca
> <javascript:;>>
> >>>     http://nslug.ns.ca/mailman/listinfo/nslug
> >>>
> >>>
> >>>
> >>>
> >>> --
> >>> Evan Lowry
> >>> CTO, PitchPlay Inc (https://pitchplay.io)
> >>> 902.403.5244
> >>> www.exitiumonline.com <http://www.exitiumonline.com> |
> >>> https://github.com/Lykathia
> >>>
> >>>
> >>> _______________________________________________
> >>> nSLUG mailing list
> >>> nSLUG at nslug.ns.ca <javascript:;>
> >>> http://nslug.ns.ca/mailman/listinfo/nslug
> >>>
> >>
> >> _______________________________________________
> >> nSLUG mailing list
> >> nSLUG at nslug.ns.ca <javascript:;>
> >> http://nslug.ns.ca/mailman/listinfo/nslug
> >>
> >
> >
> >
> > _______________________________________________
> > nSLUG mailing list
> > nSLUG at nslug.ns.ca <javascript:;>
> > http://nslug.ns.ca/mailman/listinfo/nslug
> >
> _______________________________________________
> nSLUG mailing list
> nSLUG at nslug.ns.ca <javascript:;>
> http://nslug.ns.ca/mailman/listinfo/nslug
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://nslug.ns.ca/pipermail/nslug/attachments/20160228/b1e536fc/attachment-0001.html>


More information about the nSLUG mailing list