Anti-Phorm Joomla! Plugin

Introduction

This plugin allows you to very easily add robust countermeasures against spyware systems such as Phorm and NebuAd to your Joomla! website. No technical knowledge is required, and you can choose many different ways to handle visitors who are affected by this evil scourge - from displaying a warning to them, to completely denying them access to your content.

The plugin is completely invisible to normal visitors.

Background

Here's a quick primer on the basics of Phorm, in case you don't know much about it yet. If you want to learn more or to help out in the campaign against this intrusive technology, then there are many excellent resources linked from the PhormCheck website.

Phorm is a spyware system that runs on special servers in an ISP's network. Those servers intercept all unencrypted web traffic and read the contents, building up a personal profile for every customer of that ISP. Currently BT is the only ISP actively trialling or using Phorm, but others such as Talk Talk and Virgin Media are expected to join the scheme eventually.

If you, or your website visitors, are using BT, then you have no way to avoid having your traffic intercepted and profiled. This information is eventually used to send targeted ads to the customers. Phorm is widely believed to be illegal, but so far the authorities are doing nothing to stop it, and so your only defence against having your site content stolen and used to market your competitors' services is to install some form of countermeasures. This Joomla! plugin is intended to make that process easy for you.

Prerequisites

This plugin is designed for, and tested primarily on, the Joomla! v1.0 release family. It does also run on Joomla! v1.5, but the testing performed on that platform is less rigorous.

Optional: Data retrieval will be more robust and efficient if you have cURL support for PHP installed (e.g. the php5-curl package for Debian-based servers), but if you don't have it then a built-in HTTP client implementation will be used instead.

Installation

Installation is done via the standard Joomla! installation interface, so it's pretty straightforward. But the plugin comes in two parts (the mambot and the module), each of which needs to be installed separately.

Step by step instructions:

  1. First unzip this package to a temporary folder on your local computer.
  2. Go to the administration control panel of your Joomla! site (normally found at http://yoursite/administrator/) and log in.
  3. Go to the Upload Package File box, and click the Browse... button next to it. Find the temporary folder you unzipped into, then select the mambot_antiphorm.zip file and click OK.
  4. Now click the Upload File and Install button. If all has gone well, then you'll see an information screen and indication that the mambot has been installed successfully.
  5. Now go to the Installers menu, then this time the Modules menu item below that.
  6. Again click the Browse button next to the Upload Package File box, and this time select the module_antiphorm.zip file in the temporary folder you unzipped into, and click OK.
  7. Now click the Upload File and Install button. If all has gone well, then you'll see an information screen and indication that the module has been installed successfully.

Congratulations! Anti-phorm is now installed. Now you can go on to configure its options.

Configuration

Configuring the Mambot

First let's configure the mambot, and activate it. The mambot settings control how cookies are handled by Anti-phorm, and whether and how to redirect afflicted visitors, thereby blocking them from your site.

  1. Find the Antiphorm Support Mambot entry in the list (if you have a lot of mambots installed, then this might be on the second or subsequent pages). Click on it. This brings up the mambot options page:
    [Screenshot: mambot options page]
  2. On the right-hand side of the screen, you'll see a set of parameters. These control the behaviour of Anti-phorm as follows:

    Redirect for suspicious cookie detection
    If Anti-phorm detects that cookies set by your site are being interfered with between your site and the visitor's browser, in a way that is consistent with Phorm-like spyware, then if this parameter is not set to 'none' (and is not blank), the visitor will be redirected to the URL specified by this parameter. The default setting is to redirect to a warning page on the PhormCheck site.
    Cookie names to check
    This is a comma-separated list of cookie names that are known to be interfered with by Phorm-like spyware systems. The default settings should detect both Phorm and NebuAd.
    Random name for 'canary' cookie
    This is the name of a cookie used to validate the interference checks. The exact name doesn't matter, but for maximum protection you should change it to a random word, which must not be the name of any existing cookie on your site.
    Redirect for suspicious IP address
    Anti-phorm checks your visitor's IP addresses against the PhormCheck IP address database. If your visitor's IP address matches an entry connected with Phorm-like spyware, and this parameter is not set to 'none' (and is not blank), then they will be redirected to the URL specified. The default setting is to not redirect. An example redirection page that you can use is http://www.phormcheck.co.uk/phorm_warning_ip, another warning page on the PhormCheck site.
    Database entry types to exclude
    This is a comma-separated list of PhormCheck IP database entry types that you do not want to check against. See the Politics page on the PhormCheck site to figure out what's appropriate for your site. The default is to only check against IP ranges belonging to the spyware companies themselves, and IP ranges belonging to ISPs that are known to be actively running or trialling Phorm-like spyware.
  3. Once you've set up the options to your liking, set the Published setting to Yes, and click the Save button.

The mambot is now active. Check that your site is still working as expected; you should see no change at this point. If there's a problem, you can unpublish the mambot to restore your site to a working state while you try to fix it.

Configuring the Module

The Anti-phorm module controls the display of informational banners to visitors. To configure it:

  1. Find the Anti-phorm entry in the list. Again, if you have a lot of modules installed, then this may be on the second or subsequent pages. You can type 'Anti' into the Filter box to make it easier to find if you like. Click on the Anti-phorm entry to open its settings page:
    [Screenshot: module settings page]
  2. Set Show title to No.
  3. Set Position to the name of an appropriate area of your template to display the warning banner. 'Banner' is usually a good choice, and is typically used to display advertising banners in most templates. You may need to experiment to find the right setting for your site.
  4. Set Published to Yes.
  5. Now set the Anti-phorm options as appropriate for your site. Their meanings are as follows.

    Show warning banner for cookies
    Set to On if you want to display a warning banner when tampered cookies have been detected.
    CSS style for cookie warning
    This is the CSS style information that will be applied to the warning banner. The default settings make the banner look like this:
    [Screenshot: default banner]
    You only need to change this if you want to change the appearance (colours, font, etc.) of the banner.
    HTML text for cookie warning
    This is the text that will be displayed in the warning banner. You can insert some special tokens that will be replaced with information derived from the visitor's IP address if possible. Those tokens are:

    %%ISP%%
    The name of the visitor's ISP.
    %%SPYWARE%%
    The name of the spyware used by the visitor's ISP.
    These are replaced by the words 'ISP' and 'spyware' respectively, if no information is available.
    Icon for cookie alert
    The URL to an image to display on the left of the banner. The default is the exclamation mark icon seen in the default banner above. You can leave this parameter blank to use no icon. For Joomla! 1.5, if you wish to use the default icon, you must change this to 'modules/mod_antiphorm/antiphorm/alert.png'.
    The remaining options have the same meaning as the first four, but are used to control how to display a warning banner to visitors coming from suspicious IP addresses, rather than those with tampered cookies.
  6. Click on the Save button to save your settings.

The Anti-phorm banner is now active. Again, you should see no change to your site and everything should still be working. If there is a problem, then you can unpublish the module, which will restore your site to a working state while you try to fix it.

Testing your installation

Testing cookie behaviour

The best way to test whether the cookie detection is working is to install a cookie editing plugin for your web browser. I use Firefox 3 and the Add n Edit Cookies cookie editor.

  1. Visit your website.
  2. Now open the cookie editor, and find the cookies that have been set for your site. For the AnEC cookie editor, this involves typing your site's domain name into the filter box, and clicking Filter/Refresh.
  3. Delete the webwise-uid cookie, then refresh the page in your browser.
  4. This should trigger cookie interference detection, and whatever actions you've configured for that case should now happen.
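
The test above works because the canary cookie comes back while a watched cookie does not. The following sketch of that decision is an added example, not the plugin's own code: the function names, the canary name 'xq7canary', the shared token value and the example.org URL are assumptions made for illustration.

```php
<?php
// Added illustration, not the plugin's source. Function names and the
// detection rule (canary came back, watched cookie did not) are assumptions.

// Split a comma-separated parameter such as "Cookie names to check".
function antiphorm_parse_list($param)
{
    return array_values(array_filter(array_map('trim', explode(',', $param)), 'strlen'));
}

// A redirect parameter that is blank or 'none' means "do not redirect".
function antiphorm_redirect_target($param)
{
    $param = trim($param);
    return ($param === '' || strtolower($param) === 'none') ? null : $param;
}

// Classify a request from the cookies it carried.
//   'unknown'      canary absent: first visit, or the browser refuses cookies
//   'ok'           canary and every watched cookie returned with the same token
//   'interference' canary returned but a watched cookie is missing or changed
function antiphorm_cookie_state(array $cookies, array $watched, $canary)
{
    if (!isset($cookies[$canary])) {
        return 'unknown';
    }
    foreach ($watched as $name) {
        if (!isset($cookies[$name]) || $cookies[$name] !== $cookies[$canary]) {
            return 'interference';
        }
    }
    return 'ok';
}

// Constructed sample requests; assumes the site set every cookie to one token.
$watched  = antiphorm_parse_list('webwise-uid');
$target   = antiphorm_redirect_target('https://example.org/warning'); // placeholder URL
$requests = array(
    'first visit'     => array(),
    'normal visitor'  => array('xq7canary' => 't0k3n', 'webwise-uid' => 't0k3n'),
    'cookie stripped' => array('xq7canary' => 't0k3n'),
);
foreach ($requests as $label => $cookies) {
    $state  = antiphorm_cookie_state($cookies, $watched, 'xq7canary');
    $action = ($state === 'interference' && $target) ? " -> redirect to $target" : '';
    echo $label, ': ', $state, $action, "\n";
}
```

Requiring the canary before drawing any conclusion keeps first-time visitors and browsers that refuse cookies from being flagged.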

Testing IP address checking

This is a little bit trickier, and involves editing the PhormCheck IP address data that has been stored on your site.

  1. First identify the IP address of your workstation. You can do this by visiting What's My IP.
  2. Now find the PhormCheck data on your site. Relative to the topmost folder of your Joomla! installation, this will be at mambots/system/phormcheck/phorm_data/, in the files array_banner.php (for the banner display) and array_redirect.php (for the redirection).
  3. You need to edit these two files, and add a line of this form to the start of the list:
    '1.2.3.4/32' => 'vendor:dummy:dummy',
    (You should replace 1.2.3.4 with your IP address).
  4. Now visit your site, and you should see the actions you defined for suspicious IP addresses being acted on.
  5. Finally, delete the line you added to the two data files, so that your site no longer considers you to be a suspicious visitor!
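
To show how an entry such as the one added in step 3 can be matched against a visitor's address, here is an added example that is not the plugin's own code. The function names are hypothetical, reading the value as 'type:isp:spyware' is an assumption, and the second range and the banner text are constructed sample data.

```php
<?php
// Added illustration, not the plugin's source. Function names are hypothetical
// and reading an entry value as 'type:isp:spyware' is an assumption.

// True if IPv4 address $ip lies inside $cidr, e.g. '1.2.3.4/32'.
function antiphorm_ip_in_cidr($ip, $cidr)
{
    list($net, $bits) = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false
        || !preg_match('/^\d{1,2}$/', $bits) || (int) $bits > 32) {
        return false; // malformed address or entry: never treat as a match
    }
    // A /0 range matches everything; special-cased to avoid a shift by 32.
    $mask = ((int) $bits === 0) ? 0 : (-1 << (32 - (int) $bits));
    return ($ipLong & $mask) === ($netLong & $mask);
}

// First entry containing $ip whose type is not excluded, or null.
function antiphorm_lookup($ip, array $ranges, array $excludedTypes)
{
    foreach ($ranges as $cidr => $entry) {
        list($type, $isp, $spyware) = array_pad(explode(':', $entry, 3), 3, '');
        if (!in_array($type, $excludedTypes, true) && antiphorm_ip_in_cidr($ip, $cidr)) {
            return array('type' => $type, 'isp' => $isp, 'spyware' => $spyware);
        }
    }
    return null;
}

// Fill %%ISP%% and %%SPYWARE%%, falling back to the generic words.
function antiphorm_banner_text($template, $match)
{
    $isp = ($match && $match['isp'] !== '') ? $match['isp'] : 'ISP';
    $spy = ($match && $match['spyware'] !== '') ? $match['spyware'] : 'spyware';
    return strtr($template, array('%%ISP%%'     => htmlspecialchars($isp),
                                  '%%SPYWARE%%' => htmlspecialchars($spy)));
}

// Constructed sample data; the first entry is the test line from step 3.
$ranges = array('1.2.3.4/32'   => 'vendor:dummy:dummy',
                '192.0.2.0/24' => 'isp:Example ISP:ExampleWare');
$text = 'Your %%ISP%% appears to be using %%SPYWARE%%.';
foreach (array('1.2.3.4', '192.0.2.77', '198.51.100.9') as $ip) {
    $match = antiphorm_lookup($ip, $ranges, array()); // no entry types excluded
    echo $ip, ': ', $match ? antiphorm_banner_text($text, $match) : 'no match', "\n";
}
```

Passing array('vendor') as the third argument to antiphorm_lookup shows the effect of the "Database entry types to exclude" parameter: the 1.2.3.4 test entry then no longer matches.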

Congratulations, the Anti-phorm plugin is now active and working on your site, and will now automatically warn, educate or block afflicted visitors according to the settings you have chosen.

Licensing

This code is released to the public domain as completely free, open-source software. If you enhance it, it would be nice if you'd let me know so that I can apply your patches into the upstream code and everyone can benefit from them, but there's no obligation.

It is provided free of charge, as-is and with absolutely no warranty express or implied. Use at your own risk, I'm afraid.

If you do find this code useful, I'd love to hear from you. Just drop me a note at fanjita-direct@fanjita.org

Acknowledgements

Many thanks to Dephormation.org.uk for the initial inspiration, and help during the development of the PhormCheck library which is used by this plugin.

Thanks are also due to the many fine anti-DPI information sites - see the Links section at PhormCheck.co.uk for at least a partial list.

Change Log