Back to the Antiadvertisement section

Courtesy of fravia's searchlores

Down in the Gehenna of Internet ads connections

The following reading is quite an eye-opener for those, among the readers, that yet fail to realize how much bandwidth is hiddenly used by the commercial bastards in order to blogger their PCs with advertsiement puke.
Enjoy the scary findings by Angela... and remember this essay the next time you visit wired.

Have you ever wondered...

By Angela Zaharia (September 2001)

Have you ever wondered... what exactly happens when you go on the Internet, type ( or click on a) URL and access a Web site with your browser? How do all those images, text, multimedia special effects, (and let's not forget the ads here!) "magically" appear on your screen? It's all rather mysterious, isn't it? Wanna take a lookie-see "behind the scenes"? That is what this FAQ is all about.

First, let's mention a few truths here and throw in some hooks:
Very few Web sites are actually profitable (making enough/or even any money to be in the black). That is why most dot-com sites throw all sorts of ads/Pop-Up banners/ combination at you.
But wait, have you ever noticed how all of those advertisments are on top of the page and are the first thing to appear (be d/loaded)? Have you ever monitored how many cookies an average Web site write onto your HD? Ever heard of companies such as DoubleClick, Aureate, Akamai and if yes, do you know what they do to make money? When you use a search engine, do you ever wonder why all the links you find on page one are all major commercial companies' sites? Weren't you surprised even a little bit when advertisments tailor made to fit what you were looking at began to pop up on your screen? All these questions, eh?

Here are the tools I will be using to unvail all those "secrets":
Your ordinary Web browser (Netscape, and not InternetExplorer), EditPad (a freeware, same as Windoze's NotePad, but of-course it does a lot more), a good firewall such as @Guard (oldie but goodie), and my brain. I will use @Guard's wonderful logging capabilites and dashboard window to monitor all the connections my Web browser will make in the course of my investigation, no matter how short-lived they may be, hehehe. The Web site I will be looking at is from the WIRED magazine, a tech news site, which I read almost daily. For this session, I will be accepting all ads, cookies, Java, java-script ActiveX and everything else they throw at me. I activate @Guard's dashboard window and I am ready to begin!

I start Netscape, click on the link and immediatly begin checking my connections by refreshing the option on the dashboard window. Here is what appears:

Executable    State          Remote                 Local Port  Sent  Recivd
===========   =============  =====================  ==========  ====  =====
NETSCAPE.EXE  Connected/Out myPC 2372   371   503
NETSCAPE.EXE  Connected/Out myPC 2373   368   582
NETSCAPE.EXE  Connected/Out   myPC 2374   350   419
Hmmmm....Rather interesting, isn't it?? Let's go over each part and explain what we are looking at exactly: Anything jumping at you already? I sure hope so! I do not remember asking to connect to either or, but to So who/what are those places and more importaintly why am I connecting to them and why am I sending and receiving data to/from them?? (small as it may be - 371 bytes is next to nothing)

Oops, and since I told Netscape to: "Warn me before accepting any Cookies" I get this lovely message on mah screen:
Wowo, this cookie will be "alive" on mah HD for a loooong time, won't it?? Not to worry, I love cookies and I eat them every day, making sure none are left on mah HD. So I click yes. But did you notice in the message how that cookie will be read by any server that is part of
We will come back to that part later.

Let's now save the HTML code of the Web page and look at it. To do that in Netscape, I go to File-->Save As (or Ctrl+S)-->Save. The name of the page is technology.html. Oh, wait, while talking to you, another connection appears, so let's hurry and look at it by refreshing the dashboard window again. The new connection is "connection number 4":
Executable    State          Remote                 Local Port  Sent  Recivd
===========   =============  =====================  ==========  ====  =====
NETSCAPE.EXE  Connected/Out myPC 2372   371   503
NETSCAPE.EXE  Connected/Out myPC 2373   368   582
NETSCAPE.EXE  Connected/Out   myPC 2374   350   419
NETSCAPE.EXE  Cnnctd/UNKNOWN local host             myPC        0     0
It stays active for a second and then its gone. Hehe, that was just an ad WIRED was trying to get by me, but I'm too clever for them and I simply threw it right back into their faces using my Hosts file. That's what local host means. I will talk about the Hosts file at the end of this FAQ. Let's continue studing. Using EditPad, I open the saved HTML code of technology.html and scroll down. AHA! There it is! Almost right at the top, in the <!-- THIS IS THE NEW NAV BAR --> I see multiple references to both the mysterious lycos and akamai. Here are a few of them:

The details of what all the above giberrish mean don't really matter; what's importaint is they include lycos and akamai. Let's just mark those obvious Web addresses:, and So now it is begining to make some sense, doesn't it? Everytime I go to I also connect to this bunch of other web sites too. appears to be one of the the main servers for this domain. I have done some info digging previously and I know Wired is part of the large lycos corporation which also includes free web hostings such as and, search engines ( and other various "free" Internet services such as free web pages building tools. Remember what my cookie said? It will be read by all the lycos domains, which means that if I ama frequent visitor to a few of their sites, they will have a rather detailed report of what I like to look at and what I like to do online just by tracking me with their cookies. Visiting those web sites, you can see they are international, with servers in just about every major country in the world. Spider webs indeed!

Now, let's look at the akamai part and see how they fit into this puzzle:

img src means image source. Its Web address matches exactly what the dashboard window showed:
 Remote                 Local Port  Sent  Recivd
 =====================  ==========  ====  ===== myPC 2372   371   503 myPC 2373   368   582
Reading the HTML akamai code further, it becomes clear what its function is. Akamai keeps Wired images on its servers and when we click on a Wired site, our browsers read the HTML code and also connect to the akamai server to get the images from there. Very interesting, isn't it? Bet you didn't know that, eh? Akamai hosts often-requested images and other data from hundreds of sites on their ring of servers scattered around the world. What's even more interesting, Akamai does all that "free of charge". How do you think they make their money, eh? I will leave that little puzzle for you to figure out.

Going thru the HTML code, I see numerous references to akamai. Just for the fun of it, I count them and come up with 36 times the akamai server got contacted to serve an image to me. Doing the same for lycos, I find 33 references.

Let's now look at my @Guard's logs and see what extra info we can dig from them. Here is @Guard's Web History Event Log, showing more sites my browser made connection with:

8/25/01 10:47:17.227
8/25/01 10:46:56.857

As you can see, the ? matches the date, but I'm not sure what the rest means.

Here is @Guard's Web Connections Event Log, showing the sites my browser made connection with:
8/25/01 10:47:16.510 Connection: http from [myPC]: 2368, 283 bytes sent, 43118 bytes received, 22.053 elapsed time

2368 is the port my PC used, 283 were the bytes my PC sent and 43118 is the bytes my PC recieved

Most eye opening is the Privacy Event Log, showing just about every connection established while the Web page's data (the images) was being transfered: Opps, I guess I told @Guard to block a few connections, hehe. Oh well....

Now, let's try accessing again exactly the same site, but this time with @Guard firewall turned off, just to see if anything different happens. I will again be using Netscape, so I can watch the connections as they appear on Netscape's status bar located along the lower bottom left side.

I go thru the same steps, and keep a constant eye on the bottom left part of Netscape. This time, along with the expected akamai and lycos I notice something different, something I haven't seen before:
The connections last for 1, 2 seconds at most.

[note* here is a secret I failed to mention before: I run on a painfully s-l-o-w 33,600 bps modem connection which helps me observe everything that happens in kinda of a slow motion. People using 56K modems, DSL cable or T1 lines won't be able to see what I see because everything will happen very fast for them. This is one instance where slow speed pays off, hehe.]

Intrigued, I go back to the technology.html file and search for the string first and again, I find numerous references such as:

How interesting! Besides connecting to, they also send images <img height=60 SRC=... from their server to my PC. Care to guess what kind of images those might be? Well, doubleclick are notorious for their ads! In fact, a big stink was raised last year when it was found out and how they began combining their ads with cookies, this tracking and making detailed reports on everyone who is stupid enough to even clicks on an ad. Just for the fun of it, I again count how many times my browser has to connect to to receive all the images and this time it's only 7 times. Well, I guess that's better than 36 times! Yeah, right!!

Let's play with the doubleclick ad now and see if we can learn anything interesting from it. On the Web page I run my mouse over it and carefully watch Netscape's status bar. Here is what I get:
and my browser runs into the end of the screen on the right side. Again that lycos appears, eh? Almost like its following us everywhere we wanna go! Wanna grab the whole string from the HTML code? Betcha million bux I can find it in there, hehe. No? Didnt think so either. What the hell I say, let's click on it, see what happens and where it will lead us. Immediatly, I begin to see the same:
Connect: Contacting Host: as before, over and over and over again. Transfering data from: and I am send to I guess lycos is in the music bizz too, selling/giving away free mp3, etc with that web site. I patiently wait untill the page has loaded, then since I don't care to get any pdiddy material, I use the Back button to go to the original Wired page. And the ad has now changed. Hmmm.....

Since I simply love punishment, I again click on the ad, and now I am sent to:

...and when I go back to Wired, I am not surprised to see that the ad has changed again...

Noticed all those lycos references all over the place in all the URL links?

Finally, I check the cookie file in C:\Program Files\Netscape\default\ folder. Here is the full text of the cookie I allowed in earlier:

There are those lycos and lubid names yet again. Funny, eh? Lycos, lycos, lycos, lycos, everywhere, even if it was a Wired cookie!

Let's review everything we have learned so far:
When we click on an ordinary Web page to access it, our browser reads the HTML code of that Web page and most likely it also opens numerous other short-lived back door connections to various other Web servers which contain the images and the ads for the original Web site. Usually, an average Web page will contact up to between 4 to 9 other servers and get data from them. The most common (the ones I know of) are akamai which "serves" images, doubleclick which servers both ads (in form of images) and cookies embedded into the ads. All this surreptious activity can easily be spotted with a good firewall and a bit of patience.

Are you starting to feel a little uncomfortable now, seeing all these "behind the scenes" activities happening just to read one lousy Web page?? Personally, all that connecting to multiple servers and sending and receiving data from/to them makes me highly annoyed, because I know exactly what doubleclick and akamai do. Numerous articles have already been written about doubleclick, so I don't have to repeat them here.

To summarize:
To survive the collapse of the NASDAQ, most commercial bastards on the Internet have been trying to find new various ways to make money. They throw as many ads at us as possible, and try to compile a very detailed use of all of our online activites using cookies, ads, web bugs, java, java-script and other known and unknown ways. Internet companies serving "content" (be it news, information, etc) get into contracts with sleaze bags such as doubleclick, akamai and others, and create data bases out of every bit of information they can squiize about you and your surfing habits.

Do you know how many people are monitoring, logging, classifing everything you are doing online right now? Isn't privacy importaint to you? Personally, I say that anyone who monitors you without your permission is your enemy. I say we must fight them with everything we got including but not limited to: knowledge how our PCs and all of our software work, a good firewall, and last but not least our brains!!

Don't kid yourself: Those clowns don't have any shame nor remourse. All the very juicy information they collect about you is later sold for a lot of money to different companies that may be interested in this kind of stuff (trust me, there are a lot). Go ahead and check what your favorite web page is doing behind your back. Betcha you will be surprised.


(c) III Millennium: [fravia+], all rights reserved