Very nicely done: reporting this as abuse to the companies offering these affiliate programs seems quite appropriate, and it sounds like they reacted appropriately. One person complaining to an ISP is noise; one person making an abuse report is all it takes to get that ISP banned from the affiliate program.
Cox does something similar but bypasses the DNS records and just slipstreams in a response. I noticed Cox would redirect JavaScript requests to their own HTTP server and put in their own snippets, effectively doing mass JavaScript injection.<p>The snippet ended up being some sort of alert about upcoming maintenance, but using a malicious technique for a benign purpose is the path to the dark side. Use HTTPS!<p>(I use 8.8.8.8, it didn't help)
If your ISP and/or Aspira were making any significant amount of affiliate commissions, I would be surprised if the merchants do not take action against them for fraud.<p>This sounds like the same behaviour that Shawn Hogan got in trouble for with cookie stuffing <a href="http://en.wikipedia.org/wiki/Shawn_Hogan" rel="nofollow">http://en.wikipedia.org/wiki/Shawn_Hogan</a>
The cynical side of me says that the ISP is just going to redirect the author's traffic to the "pure" DNS server in the future (even when he or she directs traffic to the main one) unless they get in serious enough trouble with one of the companies this first time.<p>If anyone wants to do this in the future, I'd recommend just sending affiliate abuse emails with no notice to the ISP. Also, the future person may want to revise the [2] script to scan in a more surreptitious manner (change the order, add delays, simulate legit web traffic, etc).
Eric, I am very sorry to see this happen to you. Unfortunately more and more companies are using our data for marketing purposes.<p>All is not lost though.<p>There are several ways you can protect yourself from these practices. The first thing I would do is get a router capable of using dnscrypt-proxy (<a href="http://www.opendns.com/technol..." rel="nofollow">http://www.opendns.com/technol...</a>). Then you can be confident that your DNS traffic is not being modified by your ISP. It does require that you have trust in a 3rd party DNS provider like OpenDNS, but at the end of the day you have to trust someone to provide DNS lookups.<p>The second option is to set up DNSSEC so that you can verify where your DNS responses are coming from. While people will still be able to intercept what sites you're looking up, at least you know you're getting valid responses which is better than your situation is currently.<p>Third is to use both. =)<p>Anyhow, really awesome to see people standing against these practices. It takes users complaining to make change. The sad truth of the matter.
As an ISP, when we were considering using Aspira they claimed that no referral tokens would be replaced and that the only behavior was injecting a popup coupon window.<p>I decided not to proceed with it because it seemed like a support nightmare and tampering with non-malicious subscriber traffic crosses a line.<p>Their marketing affiliates (such as Cash4Trafik) are always reaching out to CEO types at small ISPs and the money they bring (particularly when you are small) can be hard to pass up.
Super shady stuff. I never rely on any ISP-provided DNS servers. I'm glad you talked to the etailers to let them know what was going on. These business practices do introduce latency, regardless of what he told you. Not to mention, they are highly unethical and dishonest.
"I will continue to monitor periodically their DNS entries and compare them with other public DNS servers."<p>This would make for a great watchdog site to provide visibility across different ISPs (and could also discourage other ISPs from pulling this crap).
<p><pre><code> This also shows a weakness in DNS. There is currently no
way to validate the DNS record you’re being served is what
the person hosting the website intended.
</code></pre>
That's what DNSSEC is for, but it hasn't become pervasive enough yet to be able to depend on it.
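An added example, not part of any comment in this thread: until DNSSEC validation can be relied on, the periodic comparison against public resolvers quoted above can be scripted. The sketch flags domains where one resolver's A records share no address with any reference resolver, and marks them more strongly when several unrelated domains are sent to the same address; that second heuristic, the function names and all sample data are assumptions made for illustration.

```python
import ipaddress
import subprocess
from collections import defaultdict

def query_a(resolver, domain):
    """Ask one resolver for A records via dig; keep only IP lines (skips CNAMEs)."""
    out = subprocess.run(["dig", "+short", f"@{resolver}", domain, "A"],
                         capture_output=True, text=True, timeout=10).stdout
    ips = set()
    for token in out.split():
        try:
            ips.add(str(ipaddress.ip_address(token)))
        except ValueError:
            pass  # hostname from a CNAME chain or a dig status line
    return ips

def find_suspect_answers(isp, references, min_shared=2):
    """isp: {domain: set of IPs}; references: {resolver: {domain: set of IPs}}.
    Returns {domain: verdict} for domains whose ISP answer shares no address
    with any reference resolver. Domains without a baseline are skipped."""
    disjoint = {}
    for domain, answer in isp.items():
        baseline = set()
        for table in references.values():
            baseline |= table.get(domain, set())
        if baseline and answer and not (answer & baseline):
            disjoint[domain] = answer
    by_ip = defaultdict(set)  # ISP-only address -> domains it was returned for
    for domain, answer in disjoint.items():
        for ip in answer:
            by_ip[ip].add(domain)
    verdicts = {}
    for domain, answer in disjoint.items():
        shared = any(len(by_ip[ip]) >= min_shared for ip in answer)
        verdicts[domain] = "shared-redirect" if shared else "mismatch"
    return verdicts

# Constructed sample answers (documentation address ranges, example domains).
ISP = {"shop-a.example": {"203.0.113.10"}, "shop-b.example": {"203.0.113.10"},
       "cdn-site.example": {"198.51.100.7"}, "news.example": {"192.0.2.20"}}
REFS = {
    "ref1": {"shop-a.example": {"192.0.2.1"}, "shop-b.example": {"192.0.2.2"},
             "cdn-site.example": {"198.51.100.8"}, "news.example": {"192.0.2.20"}},
    "ref2": {"shop-a.example": {"192.0.2.1"}, "shop-b.example": {"192.0.2.2"},
             "cdn-site.example": {"198.51.100.9"}, "news.example": {"192.0.2.20"}},
}

if __name__ == "__main__":
    for domain, verdict in sorted(find_suspect_answers(ISP, REFS).items()):
        print(domain, verdict)
```

A plain `mismatch` is often just CDN or geo-based DNS, so only `shared-redirect` results deserve a closer look; real tables can be filled by calling `query_a` once per resolver and domain.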
Is there a way we can choke companies like Aspira by making a concerted distributed effort to disrupt the referral programs they exploit (either by reporting them or by feeding them false referrals somehow)?
Here it goes:
Behind an ISP-wide cache.
Any 'traceroute' passes by transtelco.net (ISP used to have their own infrastructure for VoIP services Megafon) now I have 5/6? DNS jumps! and all my traffic going to Transtelco.<p><pre><code> traceroute to news.ycombinator.com (198.41.191.47), 30 hops max, 60 byte packets
1 customer-GDL-**-***.megared.net.mx << 177.230.**.*** Dynamic IP, GDL is the city of the company
2 10.0.28.62 (10.0.28.62) 8.939 ms 8.941 ms 8.935 ms
3 10.2.28.195 (10.2.28.195) 8.912 ms 8.903 ms 8.891 ms
4 pe-cob.megared.net.mx (189.199.117.***) 8.878 ms 8.866 ms 14.201 ms << COB is the user city
5 10.3.0.29 (10.3.0.29) 23.494 ms 23.483 ms 23.408 ms
6 10.3.0.13 (10.3.0.13) 22.842 ms 19.609 ms 19.596 ms
7 10.3.0.10 (10.3.0.10) 19.560 ms 19.555 ms 19.536 ms
8 201-174-24-233.transtelco.net (201.174.24.233) 19.527 ms 20.650 ms 19.468 ms
9 201-174-254-105.transtelco.net (201.174.254.105) 34.239 ms 31.793 ms 31.268 ms
10 fe3-5.br01.lax05.pccwbtn.net (63.218.73.25) 31.792 ms 31.736 ms 33.533 ms
11 any2ix.coresite.com (206.223.143.150) 32.834 ms 33.221 ms 33.429 ms
12 ae3-50g.cr1.lax1.us.nlayer.net (69.31.124.113) 41.288 ms 41.228 ms 41.231 ms
13 ae2-50g.ar1.lax1.us.nlayer.net (69.31.127.142) 42.632 ms ae1-50g.ar1.lax1.us.nlayer.net (69.31.127.138) 35.192 ms 33.860 ms
14 as13335.xe-11-0-6.ar1.lax1.us.nlayer.net (69.31.125.106) 35.143 ms 44.714 ms 44.666 ms
15 198.41.191.47 (198.41.191.47) 37.638 ms 37.239 ms 36.997 ms
</code></pre>
I don't know how normal or ethical this type of cache is. No download limits, I have the 10mb and get 20mb (2000-2300kbps) downloads, uploads are limited to 1mb.
On a slightly related note, in Chrome extensions, it's possible to redirect DNS requests on a per-URL basis. This is how Media Hint works to allow non-US Netflix users to access the US version of the site.<p>I'm surprised we haven't seen similar behaviour from Chrome extensions. I'm sure it would be caught eventually, but this isn't exactly something that people tend to look for, so it would take a while for people to catch it.
Interestingly, you might have benefitted more from keeping quiet about this. While the original retailers are losing money through this, you aren't really affected negatively by them doing it. In fact, with this additional revenue source, they might be able to support thinner margins on their broadband charges, saving you some money. You did the morally correct thing, but perhaps at a potential personal cost.
I'd like to try out this curl command. I'm not using macports, though. Like many people, I switched to brew some time ago. Is there a quick way to see if my curl install is compiled with 'ares', whatever that is?