Strider URL Tracer with Typo-Patrol
Please send feedback, bug reports, and suggestions to tppatrol@microsoft.com.
Introduction
When a user visits a web site, her browser may be instructed to visit other third-party domains without her knowledge. Many third-party domains are heavily visited, but they have remained mostly behind the scenes for the past decade. In recent years, some of the third-party domains have become increasingly involved in activities that raise security, privacy, and safety concerns.
The Strider URL Tracer is a tool designed to bring them to the spotlight. Given a URL, the Tracer reveals all third-party domains that are contacted. Given a set of URLs to scan, the Tracer highlights those third-party domains that are most contacted. In particular, the tool includes a Typo-Patrol feature that, given a target website URL, automatically generates and scans its typos and highlights those domain parking services that have a large number of typo-squatting domains in their programs. The tool also provides a domain blocking feature to allow parents to protect their children's online activities by blocking those domains that are serving adult ads on typo-squatting domains of children's websites.
Step #1: Launch the URL Tracer from IE’s “Tools” menu (see below)
· Alternatively, launch the Tracer from Windows Start → All Programs → MSR Strider URL Tracer, or by pressing the IE button with a Strider logo, if available.

Step #2: Scan a web site and use the “URL Scan History” view
· To scan a web site, type its URL into the Tracer Address bar and click the “Scan Site” button (located next to the Address bar). The URL Tracer will start up a new instance of Internet Explorer to scan the site.
For example, try typing “doisney.com” (note the extra “o”) into the Address bar and pressing the “Scan Site” button. You should see results similar to the below displayed in the “URL Scan History” view. (If doisney.com has been deactivated, you can choose another one from this list: http://research.microsoft.com/URLTracer/O.htm.)

· As you can see, the Tracer scanned doisney.com and added details of the scan to the URL Scan History. The above shows that doisney.com instructed your browser to visit several third-party domains including: appliedsemantics.com (owned by Google), casalemedia.com (owned by Casale Media), and oingo.com (owned by Google according to WhoIs).
➢ If you have toolbars or web accelerators installed or if your machine has been infected with spyware, they sometimes generate additional third-party domain traffic.
Also, note that casalemedia.com is colored red in the above list. This indicates that the web site placed a “cookie” on your machine which will allow it to track your future visits to other sites that also redirect your browser to casalemedia.com.
Step #3: Scan multiple web sites and use the “Top Domains” view
· To see multiple web sites redirecting traffic to the same third-party domain, type duisney.com into the Address bar and press “Scan Site”. (If duisney.com has been deactivated, you can choose another one from this list: http://research.microsoft.com/URLTracer/O.htm.)
· Hit the “Top Domains” button (the second one from the left) and you will see that both typo domains fetched pop-up ads from casalemedia.com and fetched domain-parking ads (i.e., the ads listed in the previous screenshot) from oingo.com. Note that the third-party domain appliedsemantics.com is missing from the duisney.com scan due to browser caching. We recommend clearing the browser cache before each scan in order to capture the full set of third-party URLs.
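The ranking shown in the “Top Domains” view can be reproduced over any scan log. The Python below is an added example, not the Tracer's own code: the scan log is constructed from the domain names in the walkthrough above (the URL paths are made up), and the last-two-labels rule in site_domain is an assumption that only holds for simple suffixes such as .com.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed scan log: scanned site -> URLs the browser was sent to.
# Domain names come from the walkthrough above; the paths are made up.
# appliedsemantics.com is absent from the second scan, as it would be
# when the browser cache was not cleared between scans.
SCANS = {
    "http://doisney.com/": [
        "http://doisney.com/index.html",
        "http://www.appliedsemantics.com/ads.js",
        "http://as.casalemedia.com/pop?s=1",
        "http://landing.oingo.com/park",
    ],
    "http://duisney.com/": [
        "http://as.casalemedia.com/pop?s=2",
        "http://landing.oingo.com/park",
        "http://landing.oingo.com/more",
    ],
}

def site_domain(url):
    """Approximate the registrable domain as the last two host labels.

    Assumption: fine for .com; real code should use the Public Suffix List.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def top_domains(scans):
    """Rank third-party domains by how many distinct scanned sites hit them."""
    seen_by = defaultdict(set)
    for scanned, urls in scans.items():
        first_party = site_domain(scanned)
        for url in urls:
            domain = site_domain(url)
            if domain and domain != first_party:
                seen_by[domain].add(first_party)
    # Most widely shared third party first, ties broken alphabetically.
    ranked = sorted(seen_by.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(domain, sorted(sites)) for domain, sites in ranked]

if __name__ == "__main__":
    for domain, sites in top_domains(SCANS):
        print(f"{len(sites)}  {domain:<22} <- {', '.join(sites)}")
```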

Step #4: Batched scanning using the “Scan List” view
· Hit the “Clear” button (marked “X”) to erase current scan results (from both “URL Scan History” view and “Top Domains” view).
· Press the “View Scan List” button (see below).

· Copy the following six typo-domain URLs, paste them into the Scan List window, and hit the green-triangle “Scan” button. (We highly recommend running batched scans from a virtual machine or a non-mission-critical machine.)
· Watch the status bar at the bottom and wait for all scans to finish and all pop-up scan windows to close. Explore the “URL Scan History” view to see which companies are involved in each domain (see below). If you don’t want to wait, once all scan windows stabilize, you can click on the blue-square “Stop” button to force all scan windows to close.

· Switch to “Top Domains” view to see that third-party domains that are involved with more typo domains are highlighted at the top.

· You can save the scan results (in an XML file) by pressing the “Save…” button (see below). Later on, you can load the results back by using the “Load” button located next to the “Save…” button.

Step #1: Pre-patrol cleanup
· Clear both the “URL Scan History” view and the “Scan List” view.
· Double-check the “Blocked Domains” view to make sure it’s empty.
Step #2: Typo generation
· Type, for example, “WashingtonPost.com” into the Address Bar and hit the “Generate Typos” button. The tool should switch to the “Scan List” view and display hundreds of algorithmically generated typos of “WashingtonPost.com”.
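As an added illustration (not the tool's own algorithm, which this page does not describe), the Python below enumerates one-edit typos of a domain you operate so that they can be pasted into a scan list. The five typo models and the QWERTY neighbour table are assumptions; they do cover the doisney.com, duisney.com and washingtonpoost.com examples used on this page.

```python
# Added example: one-edit typo enumeration for a domain you operate.
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")  # assumed keyboard layout

def adjacent_keys(ch):
    """Left and right neighbours of ch on its QWERTY row ('' if not a letter)."""
    for row in QWERTY_ROWS:
        i = row.find(ch)
        if i != -1:
            return row[max(i - 1, 0):i] + row[i + 1:i + 2]
    return ""

def generate_typos(domain):
    """Map each typo domain to the (assumed) model that first produced it.

    Expects a bare registrable domain such as "disney.com"; only the first
    label is mutated and the suffix is kept as is.
    """
    name, _, suffix = domain.lower().partition(".")
    if not name or not suffix:
        raise ValueError("expected something like 'example.com'")
    typos = {}

    def add(label, model):
        # Skip the original name and labels that DNS would reject.
        if label and label != name and label[0] != "-" and label[-1] != "-":
            typos.setdefault(f"{label}.{suffix}", model)

    add("www" + name, "missing-dot")  # www.disney.com typed without the dot
    for i, ch in enumerate(name):
        add(name[:i] + name[i + 1:], "omission")
        if i + 1 < len(name):
            add(name[:i] + name[i + 1] + ch + name[i + 2:], "transposition")
        add(name[:i] + ch + name[i:], "doubling")
        for k in adjacent_keys(ch):
            add(name[:i] + k + name[i + 1:], "replacement")
            add(name[:i] + k + name[i:], "insertion")          # neighbour before ch
            add(name[:i + 1] + k + name[i + 1:], "insertion")  # neighbour after ch
    return typos

if __name__ == "__main__":
    found = generate_typos("disney.com")
    print(len(found), "candidates, e.g.", sorted(found)[:5])
```

When two models yield the same string, the label recorded is the first one that produced it, so a doubled letter next to its keyboard neighbour may be reported as an insertion.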
Step #3: Typo-Patrol
· If you hit the green-triangle “Scan…” button now, the tool will scan all the generated typo domains, which is the default. You can use mouse left-clicks and the Ctrl key to select, for example, the first four typo domains from the list and hit the “Scan…” button. (The default settings are: a new domain is scanned every seven seconds and each scan window stays up for 60 seconds. Click on “Scan Settings…” to change these defaults.)
➢ See http://research.microsoft.com/URLTracer/Parked_Domains.htm#WaPo for more scan results.
· Once all four pop-up scan windows stabilize, hit the blue-square “Stop” button.
Step #4: Analysis and investigation
· Switch to “Top Domains” view to see which companies are more involved (see below, on the left). Hit the “Save…” button, change “Save as type” to “Top Domain Report (*.txt)” (see below, on the right), type in a file name, and hit the “Save” button to save a typo-patrol report in plain text.

Step #1: Pre-patrol cleanup
· Clear both the “URL Scan History” view and the “Scan List” view.
· Double-check the “Blocked Domains” view to make sure it’s empty.
Step #2: Domain patrol
· Copy and paste the following four non-typo domains into the “Scan List” view and hit the green-triangle “Scan…” button.
http://wwwMicrosoftWindows.com
http://MicrosoftServer2003.com
http://MicrosoftInternetExplorer6.com
➢ Such domains can be obtained from the WhoIs database, reverse IP lookups, DNS zone files, services that monitor new domain registrations, etc. See, for example: “Hey, TYPE-YOUR-CREDIT-CARD-NUMBER-HERE.COM is available for registration!,” http://www.f-secure.com/weblog/archives/archive-032006.html#00000845, March 30, 2006.
Step #3: Analysis and investigation
· Once the scan is done, switch to the “Top Domains” view to see which companies are involved in this non-typo, cybersquatting activity.

· Press the “Internet Explorer History” button (see below) to display a read-only copy of your browser history. Use mouse left-clicks and the Ctrl key to select URLs, right-click → “Add to Scan List”, and press the “Scan…” button to do patrol.

· If in the meantime you have used other IE windows to do more browsing, you can press the “Refresh” button (see below) to refresh the IE History view.

· From the “URL Scan History” view or the “Top Domains” view, double-click on any third-party URL (not domain) to see which company is responsible for which ads. For example, the screenshot below shows that, by double-clicking on the highlighted URL, one can determine which company is responsible for serving these questionable ads on this extra-“p” typo of the children’s website http://neopets.com.

· Sometimes ads are displayed by complex scripts and cannot be easily re-displayed by clicking on the URLs. In such cases, you can try temporarily blocking all-but-one third-party domains to zero in on the responsible party.
· URLs associated with HTTP POST requests cannot be replayed correctly because data in the POST body is not recorded and replayed.
· If you find any third-party domain that repeatedly serves questionable ads, you can right-click on that domain and choose “Block <DomainName>.com” (see below) or type its domain name into the Address Bar and click “Block Domain”; it should appear in the “Block Domains” view, the third button from the left. You can unblock a domain by right-clicking on it in the “Block Domains” view and selecting “Unblock…”. Domain blocking applies to all IE instances that are started after the blocking list is updated.
➢ Note that advertising is an important part of the Internet economy. We recommend blocking only those irresponsible advertising companies.

· Another domain blocking scenario is for parents to open the “Internet Explorer History” view, use mouse left-clicks and the Ctrl key to select one or more URLs, and either right-click → “Block selected domains” or right-click → “Generate typos for selected domains” and then from the “Scan List” view, select one or more typo domains, and right-click → “Block selected domains”.
Domains Parked with Different Services
· Scan the list below to familiarize yourself with the look-and-feel of all kinds of parked domain pages. You can experience more parked domains by scanning the following lists: O.htm, DI.htm, S.htm, N.htm, Q.htm, H.htm, M.htm, Z.htm, T.htm, W.htm.
http://www.washingtonpoost.com
Privacy Patrol: Web Beacons
· Check web pages that use beacons to see if they properly display privacy statements that reveal the use of web beacons. Check the Web Analytics companies that collect browsing activities through web beacons to see if they provide proper privacy notices that explain how the collected data may be used, correlated, and shared. In general, any third-party URL can serve as a web beacon.
· Web sites that use first-party cookies or third-party cookies are highlighted in red (see below). If you are concerned about cookie-based cross-site tracking, right-click on a third-party domain and choose “Go to NAI Members Ad Network Opt Out Site” to see if the advertiser provides a cookie opt-out option. (Or you can directly visit the opt-out page at http://www.networkadvertising.org/consumer/opt_out.asp.)

FAQ
o Q: How do I slow down the speed of typo-patrol if my machine is not powerful enough to catch up?
A: Click on “Scan Settings”; increase “Wait time between sites”, click “Done”.
o Q: How do I clean the IE cache before scanning each typo domain so that all third-party traffic is captured?
A: Click on “Scan Settings”; select “Clear Internet Explorer cache before each scan”.