I'm getting some complaints about the ad-blocker HOSTS file I implemented on the proxy server. I have clearly stated to my users that if they're having trouble navigating a particular site because of the block, simply send me the URL and I will fix that site for them.

Since implementing it, I have only recieved two specific requests to unblock sites.

However, there seem to be complaints surfacing, complaints which never reach me directly. I only hear the complaints third-hand. I suspect it's because the users don't want me to know what sites they're surfing (I guess they don't know about proxy server logs) and that if they specifically requested to ublock a site, they would be embarassed if it became known what the site was.

In any case, I'm anticipating that I'll get some sort of class-action "Take It Down" request from the users soon, and I'm composing a defense in advance, just so I can have it ready.

I already intend to include the following benefits:

- Reduced bandwidth usage on the shared DSL line (ad graphics and code are not downloaded). Overall speed slightly improved because of this.

- Reduced hard disk usage in the users' local disk drive cache.

- Users not exposed to as much commercial advertising on company time.

- Certain sites that are clearly prohibited by the company are blocked, such as X-rated content.

- Some pop-ups, pop-unders, and other similar nefarious ad techniques are blocked, increasing overall productivity.

Anyone have any other benefits I can list?

Well, i have to say that I'd be iritated if a company I worked for wanted to decide what I could and couldn't see, but there definitly are justifications for it...

When I worked at the tech support desk for a Navy base one summer, I heard plenty of gossip. One of the big issues was people being caught looking at porn at work. If you're caught, it's basicaly sexual harasment for the parties witnessing it, and grounds to be fired. (and being fired from a government job is next to impossible). In a lot of ways you'd be doing people a favor by removing this temptation.

Perhaps you could sugest an anoynoymous site delist request? That way people wouldn't feel too embaraseed requesting a page that was borderline.

Another issue is that with the proxy I run I find it necessary to turn off every day or two to access something I actualy want to see. I realize it's rather active in filtering, but all proxy's screw things up in some way or the other at some time, as you discovered when you tried to implement your own hosts.txt file for yourself, I beleive. Is there a quick way for a user to get around the add-killing code?

I think an issue that should be stated is if this is censorship or simply banner-add killing. As an employer, you're perfectly within your rights to tell people what they can and can not do at work, but you should agree on a policy and stick to it.

Matthew

It's only meant as ad-killing, not as censorship. The fact that there are some X-rated sites on the list (because they serve up X-rated ads) is a side benefit, and its main purpose is not to block porn.

There's no way for me to allow individual users to opt-in or opt-out of the block, due to the way I had to implement it on the proxy server (discussed in another thread).

I'm not trying to hide sites from users, i.e., I'm not trying to dictate what they can and can't see. I'm simply trying to remove ads.

Well, ethics of SysAdmin say that you should respect users' privacy by only using those logs for troubleshooting purposes, and that discussing their surfing habits and destinations is a big no-no. Even just satisfying a personal curiosity about a user's surfing habits is invading their privacy even if you don't discuss it with anyone else. Discussion about surfing habits with Management should be kept to a statistical nature too.

I guess that you perhaps need to make this clear - That you really don't care what they look at within the bounds of what the company policy allows them to view.

You should also point out that the proxy server protects them (ie, their jobs) too, by reducing the chances that they accidentally hit an unscrupulous site that automatially pops up 20 porn ads - and encourage them to report anything that does incorrectly get through. Management would have a tough time firing someone for porn-browsing when the proxy is supposed to eliminate it.

I've got a question for the sysadmins here.

Do you make access to group mailing aliases within your company or domain available to recevie mail originating from outside of the domain?
For example, a spammer mails to a project mailing list [email protected] and is able to spam everyone on that internal mail list.
Is it common pracitce for sysadmins to leave these open?
Would you as a user find it offensive to get spam sent to the project lists at your job? Just wondering... for a friend, yeah that's it...

Well, ethics of SysAdmin say that you should respect users' privacy by only using those logs for troubleshooting purposes

Agreed, that is my long-standing policy.

I think I have a solution for you. Have your HOSTS file automatically modified by users indirectly without your knowledge. I don't know exactly how you would implement it but maybe a script file or Word macro?

You get the best of both worlds... ad blocking and respecting user's privacy.

Do you make access to group mailing aliases within your company or domain available to recevie mail originating from outside of the domain?

I would say that can only be decided on a list-by-list basis. I could see some being useful and others being detrimental.

In practice, our company has its group lists exposed, and I've never seen them get spammed. The only time I could imagine a spammer getting hold of a group list is if someone put that in their return address field (which is a no-no) or entered it into a web site's data form (bigger no-no).

I have found it useful to sometimes be able to send an email to our local "[email protected]" address when I'm away from the office, but this is very rare.

I personally agree with you whole heartedly, Tony. You're merely upholding the companies best interests and if some employees find that a problem, they'll just have to cope. How many smokers at your work get inconvenienced by non-smoking policies? Did the company make special concessions for them?
Genixia's comment: I guess that you perhaps need to make this clear - That you really don't care what they look at within the bounds of what the company policy allows them to view. is spot on. the company has control of the data lines and you're being proactive in upholding various policies. The fact is that adult sites are the most notorious advertisers and 'abusers' of netiquette.
If users want to look up those kind of sites, they should do so on their own equiment.
What's the companies policy on personal phone calls?

I agree with many of the others... and yourself, that simply making the employees better informed as to why you are doing it is the best bet. I would be proactive about it (gosh I HATE the word proactive- it should be added to the other thread!) so that their "cause" doesn't gain momentum..

Your reason above about saving hard drive space seems wrong because the cache will just be filled with other stuff... the size of the cache can be preset - it is not dependant on content.

The way I look at it, quite simply, it is company's bandwidth and company computers. That's why I bought my own laptop and plug into the network!

Greetings!

Since you are throwing the IP addresses of the ad sites to a non-existant server, perhaps you could redirect them to a real web server. Rig the web server so that it either:

a) ...gives them a blank ad, maybe rigging the web server to serve up a 1 pixel image no matter what specific URL is asked for. They do not notice any error messages or see any banners.

b) ...give them a popup explaining exactly why you are doing this, and giving them a pseudo anonymous web form to request that site be removed from the block. Perhaps you can even rig an "opt-out" on this popup, writing a cookie that you can ckeck for future popups.

In any case, I'm anticipating that I'll get some sort of class-action "Take It Down" request from the users soon, and I'm composing a defense in advance, just so I can have it ready.

Is it literally done with the Hosts file? If not, you could run two proxy servers on different ports, one de-added and one not.

Peter

Have it point to an .html page that says "Tony is watching you... tracking you.."

There is a great image you might want to use for that... Are you familiar with Big Brother???

I agree that the cache would be filled in any event, however with Tony's modification a higher percentage of it would be filled with potentially useful material instead of useless information and code.

-Zeke

Do you make access to group mailing aliases within your company or domain available to recevie mail originating from outside of the domain?

Most do, just for the fact that it is more work to close it off, and some people may not know how.

And be careful of doing this. Most legal departments could probably come down on you under some spam law somewhere, and possibly fine you for every user who received the spam.

Personally I believe spam needs to die. I get so much of it, and I ensure I never support the business advertised in it, nor do I respond. A backup job of mine right now if I lost my current job would be to move to a state with severe spam laws, and start suing under that law. I have heard of a few people doing this now, with pretty decent success. Most choose to pay the fee out of court instead of allowing it to escalate.

In reply to:

---

There's no way for me to allow individual users to opt-in or opt-out of the block, due to the way I had to implement it on the proxy server

---

I'd have already hated you for the proxy server

Of course, unless you block port 3128 when I cared I'd just not use your proxy.

a) ...gives them a blank ad, maybe rigging the web server to serve up a 1 pixel image no matter what specific URL is asked for. They do not notice any error messages or see any banners.

This is more or less what Privoxy (new name for Junkbuster) does for me. Ad site graphics are replaced with a simple grey/white checkerboard that resizes to fill the original space. Very unobtrusive, but I know it's working. I have it chained with Squid and I'm quite pleased with the overall setup.

I think you can reconfigure it to a 1X1 graphic or something, but not sure what this would do to page displays.

This is more or less what Privoxy (new name for Junkbuster) does for me.

Cool, I might have to set it up again at home. Last time I ran Junkbuster, it broke all the images, and made the page look worse at times.

I do like the way Omniweb does it, it matches size and gets most banners. And if it's important to see, a right click on a menu choice will make it appear.

Cool, I might have to set it up again at home. Last time I ran Junkbuster, it broke all the images, and made the page look worse at times.

Yeah, my first go-round with Junkbuster produced some of the same problems, but the more recent version seems much better behaved WRT images (FYI, for anyone using Redhat, the version in their latest distros is very old. Get the Privoxy version from Sourceforge).

And be careful of doing this

Oh I'm not going ot spam, I'm actually the user that's getting pissed off our company has left groups open and all the spam is now coming through. Our sysadmin that has the ultimate say in the matter says he's got a spam filter in the works and that they need to be open for people outside our company (partners.) In the meantime I'm getting spammed at engineering, internal project names, etc. It's going to those names at several companies on the To: line.
I was just inquiring to see if it's normal. Everywhere else I've worked, internal groups were not able to be mailed to from outside the domain.

I'm actually the user that's getting pissed off our company has left groups open and all the spam is now coming through

Well, sounds like someone made a mistake somewhere in cc-ing the group addresses into a public medium, but a bigger mistake may have been made earlier in the process. If I really wanted e-mail groups to be private, I'd construct them on top of a private, not-publically-reachable DNS/domain, say "[email protected]" instead of "[email protected]". yes, more planning, hardware and stuff, and some limitations, but probably less aggravating over the long haul.

I think your stance depends on your company.
In my place of work, I would be shot for just doing somehing like that without first proving it in the lab and demonstrating the capabilities and advantages to my management so they can sell it to the user groups.
Ads have to be seen as something bad before you can just block them.
Same goes for unwanted emails, spam, UCE etc. You can't just start blocking it without proving it is bad first.
Maybe that is just large company mentality.
Just my 2c

And sites like Safeweb are cool for keeping prying eyes off your web-browsing habits. Being the Network Nazi ay my company DOES have some advantages.

Tony,
How much bandwidth was being taken up by spam and ads? I'm just curious if it has been quantified. What was the perceived need?

No attempt at quantification has been made, as it would require a lot of intermediate software. This is something much less formal, I only run the network for a fairly small department (20-30 users).

Tony, do i *dare* put in my .02 here? I think a short description of the types of activities and productivity scale of most of the employees at your place of business needs addressing.

If there was ANY idea of the amount of time wasted with games, non-work surfing, emailing family and friends, etc, non of this BS privacy argument would come up. Please don't flame me, I used to work at the company Tony works for (same office).

Of course, being that I used to work there, I won't touch this argument directly. I'd be shooting fish in a barrel. Wait, make that koi in a bucket.

For what it's worth, the department manager agrees with me and wants to try it out for a while and see how it goes, with people sending me the URLs of trouble spots (so far, it's only been servers that store their button graphics at akamai).

Still, I've only gotten 3 specific URL requests so far, which, if I'm to believe the third-hand reports, is fewer than the number of complaints.

I had interesting things happening when I put the ad server for CNN into my hosts list. There was javascript that actually referenced objects created *from* the blocked (redirected) sites so the page would simply stop running scripts and give me a bunch of "object does not exist" errors (I run with debugging ON).

This made the pages at CNN completely unbearable for me.