How to block IE Snare

How to block IE Snare

What is IE Snare?

IE snare is a web tool use by many of the online bookmakers for ‘reputation management’ in order to counter ‘fraud and abuse’. It tracks information about your computer and browsing habits including:

  • Websites visited
  • Time on websites
  • Unique information about your computer

All of this allows the bookmakers to track where you’ve been and and idea of what you’ve been doing there.

 

Why does this matter?

Online bookmakers are keen to identify anyone they might consider as a ‘sharp punter’ Ie: Anyone who is going to cost them money. Matched Betting is a great example of how some people are able to make money for themselves at the expense of the bookmaker’s profit and so they’re keen to catch us!

By tracking your internet history, bookmakers are able to spot people who constantly bounce between many different online betting sites and the big online betting exchanges (Betfair, Smarkets etc). If they suspect you of being a matched bettor or sharp punter who’s shopping round for the very highest odds on a bet; they’re likely to ban you.

 

How can I tell if I’ve been infected?

The easiest way to check is to run a search on your computer for “mpsnare”

If IE Snare has been installed on your machine then it will find one or more of the following folders:

  • #mpsnare.iesnare.com
  • #ci-mpsnare-iovation.com
  • mpsnare.iesnare.com
  • ci-mpsnare.iovation.com

Another way is to run a command prompt (Go to Start – Run – “CMD”):

cmd

Then in the black box type: dir mp*.com /s

 

How to remove IE Snare

Removing IE Snare is as simple as deleting the folders found from the above searches. This will remove all history that IE Snare has stored and so you be safe until it gets installed onto your machine again.

Given that many online betting sites are using IE Snare, there is a good chance your machine will become infected again and so you should block IE Snare before you get infected.

 

How to block IE Snare

Blocking IE Snare doesn’t stop it from being installed onto your computer, but it does stop it from reporting back any ‘findings’ to the betting site, thus making it useless at tracking your matched betting activities. In order to stop is from reporting back you need to amend your computer’s “host file”.

– Go to: Start – Run – Notepad – Right click on “notepad” and select “Run as Administrator”

notepad

Within Notepad go to: File – Open

Then in the drop-down box select “All Files”:

notepad2

In the File Name box type: C:\Windows\System32\Drivers\Etc and then press ‘Open’

Notepad3

Right click on “hosts” and select “Properties” from the bottom of the list

Notepad4

Make sure that the box next to “Read-Only” is unticked

notepad5

Click “Apply” then “OK”. Now double click on “hosts”. It will open up and look like this:
notepad6

Copy and paste all of the below into the Notepad below the line “127.0.0.1 localhost”:

127.0.0.1 iesnare.com
127.0.0.1 iesnare.co.uk
127.0.0.1 www.iesnare.co.uk
127.0.0.1 mpsnare.iesnare.com
127.0.0.1 mpsnare.iesnare.co.uk
127.0.0.1 www.mpsnare.iesnare.com
127.0.0.1 www.mpsnare.iesnare.co.uk
127.0.0.1 ci-mpsnare.iesnare.com
127.0.0.1 ci-mpsnare.iesnare.co.uk
127.0.0.1 www.ci-mpsnare.iesnare.com
127.0.0.1 www.ci-mpsnare.iesnare.co.uk
127.0.0.1 admin.iesnare.co.uk
127.0.0.1 www.admin.iesnare.com
127.0.0.1 www.admin.iesnare.co.uk
127.0.0.1 iovation.com
127.0.0.1 iovation.co.uk
127.0.0.1 www.iovation.com
127.0.0.1 www.iovation.co.uk
127.0.0.1 www.iesnare.com
127.0.0.1 admin.iesnare.com
127.0.0.1 dra.iesnare.com
127.0.0.1 impsnare.iesnare.com
127.0.0.1 mpsnare.iesnare.com
127.0.0.1 mx.iesnare.com
127.0.0.1 snare.iesnare.com
127.0.0.1 iovation.com
127.0.0.1 accountlock-demo.iovation.com
127.0.0.1 admin.iovation.com
127.0.0.1 bam-pilot.iovation.com
127.0.0.1 batch.iovation.com
127.0.0.1 ci-accountlock.iovation.com
127.0.0.1 ci-admin.iovation.com
127.0.0.1 ci-mpsnare.iovation.com
127.0.0.1 ci-snare.iovation.com
127.0.0.1 dv-fw-a-nat.iovation.com
127.0.0.1 ioit.iovation.com
127.0.0.1 mx.iovation.com
127.0.0.1 p.iovation.com
127.0.0.1 rm-admin-demo.iovation.com
127.0.0.1 soap.iovation.com
127.0.0.1 test.iovation.com
127.0.0.1 testgw.iovation.com

 

So it now looks like:

notepad7

Go to File and click “Save”

notepad8

Now close notepad, restart your machine and you’re done!

 

How to check it’s worked

You can check the block has worked by going to:

Start – Run – CMD

Then in the black box type:

ping mpsnare.iesnare.com

The reply should come back from 127.0.0.1 and look like:

Pinging mpsnare.iesnare.com [127.0.0.1] with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Instructions for Mac computers

These are copied from another site so I am unable to verify or product screenshots however the method looks correct:

 

Instructions for Mac:

Step 1: Launch Terminal, found in /Applications/Utilities/ or launched through Spotlight

Step 2: Type the following command at the prompt to backup hosts file to documents folder:

sudo cp /private/etc/hosts ~/Documents/hosts-backup

Step 3: Type the following command at the prompt to open hosts file:

sudo nano /private/etc/hosts

Step 4: Enter the administrator password when requested – you will not see it typed on screen – then press enter/return

Step 5: Once the hosts file is loaded within nano, use the arrow keys to navigate to the bottom of the hosts file to make your modifications. We can then add the same lines as in the instructions above:

127.0.0.1 iesnare.com
127.0.0.1 iesnare.co.uk
127.0.0.1 http://www.iesnare.co.uk
127.0.0.1 mpsnare.iesnare.com
127.0.0.1 mpsnare.iesnare.co.uk
127.0.0.1 http://www.mpsnare.iesnare.com
127.0.0.1 http://www.mpsnare.iesnare.co.uk
127.0.0.1 ci-mpsnare.iesnare.com
127.0.0.1 ci-mpsnare.iesnare.co.uk
127.0.0.1 http://www.ci-mpsnare.iesnare.com
127.0.0.1 http://www.ci-mpsnare.iesnare.co.uk
127.0.0.1 admin.iesnare.co.uk
127.0.0.1 http://www.admin.iesnare.com
127.0.0.1 http://www.admin.iesnare.co.uk
127.0.0.1 iovation.com
127.0.0.1 iovation.co.uk
127.0.0.1 http://www.iovation.com
127.0.0.1 http://www.iovation.co.uk
127.0.0.1 http://www.iesnare.com
127.0.0.1 admin.iesnare.com
127.0.0.1 dra.iesnare.com
127.0.0.1 impsnare.iesnare.com
127.0.0.1 mpsnare.iesnare.com
127.0.0.1 mx.iesnare.com
127.0.0.1 snare.iesnare.com
127.0.0.1 iovation.com
127.0.0.1 accountlock-demo.iovation.com
127.0.0.1 admin.iovation.com
127.0.0.1 bam-pilot.iovation.com
127.0.0.1 batch.iovation.com
127.0.0.1 ci-accountlock.iovation.com
127.0.0.1 ci-admin.iovation.com
127.0.0.1 ci-mpsnare.iovation.com
127.0.0.1 ci-snare.iovation.com
127.0.0.1 dv-fw-a-nat.iovation.com
127.0.0.1 ioit.iovation.com
127.0.0.1 mx.iovation.com
127.0.0.1 p.iovation.com
127.0.0.1 rm-admin-demo.iovation.com
127.0.0.1 soap.iovation.com
127.0.0.1 test.iovation.com
127.0.0.1 testgw.iovation.com

Step 6: When finished, hit Control+O followed by ENTER/RETURN to save changes to /private/etc/hosts, then hit Control+X to exit out of nano

66 thoughts on “How to block IE Snare

      1. Hello .. I really would like to give this a try . I’ve been researching it since I read about it . And I would like to know if you are in us can you do it. Are there ones you can start with that you don’t have to put your money in just so you can see if it will actually work for you .

  1. Thank you for this Guy,

    just so you’re aware, slight mistake on the hosts file path…unless maybe it has changed for W10 or something?

    In W7 it’s In the File Name box type: C:\Windows\System32\Drivers\Etc and then press ‘Open’

    Thank you again for this!

  2. Hey, this is brilliantly explained! Are there any programs that you would recommend to block it?

    I read a different article saying an anti spyware?

    1. I’d not trust any of the anti-spyware products enough with this. They are well known to accept payments from advertisers in order to allow their own spyware through the filters.

      Instead this method ensures that even if you do get IE Snare on your machine it still cannot communicate any details.

  3. Thanks for the heads up!
    I do most of my betting on my mobile phone, is this something I need to worry about if I don’t use a pc/Mac?

  4. Wow, this is interesting!

    I’ll block it anyway as it seems trivial to do so, but is this not limited to IE only (hence the name?) I searched my Mac and there was no sign of it, and also wondered if simply using Chrome would bypass this? (I’m guessing not otherwise you would have mentioned it already, but it might be worth stating that it’s not just an IE only issue)

    Cheers

    1. I’m not sure if Chrome is affected as it may handle the drive-by install from websites differently. This fix will also fix it for Chrome if you can get infected through that browser so I guess there’s no harm in everyone just doing it anyway considering it takes about 30 seconds to implement the block which then lasts forever regardless of browser.

    1. I suspect it will need to be updated in the future as they change their receiving URLs, however thats impossible to predict if/when it will happen.

  5. Fantastic article, and more so…excellent blog!

    Quick question regarding this, do you think that blocking IE SNARE would lead the bookies to being suspicious as to why your account isn’t pinging any information back to their server?

    Lastly, in your opinion d’yu reckon that blocking it will lead to less gubbings?
    Thanks in advance!

    1. Hi Sean, I’ve been blocking IESnare for months now and not noticed any bookies gubbing me because of it. There could be any number of reasons why it’s not pinging back to them.

      In my opinion it certainly can’t do any harm to block IESnare, and may do some good.. so why not.

    1. I don’t believe it can affect phones/tablets as they us a sandboxed environment which doesnt allow browser plugins to install flash software.

  6. thanks for the info 🙂 i would imagine using the tor browser with a vpn routed via uk server could work also – any thoughts on this?

    1. My thoughts would be to never use TOR for anything which requires you to enter personal details! You’ve no idea who is running the exit node and what content sniffing they may be doing.

      1. good point, thank-you 🙂 – isn’t it safe if the address bar says https? i will take your advice as i am a novice to these things… however it wasn’t clear from the above if chrome was actually safe too?
        just ran your process for iesnare and pinged and got the result you said i should….signed up with profit accumulator, just getting going now, many thanks 🙂

    1. I dont believe its possible for a flash file to be installed on iOS. They may install a tracking cookie instead though which will need to be either blocked or cleaned out regularly. Unfortunately I dont use an ipad/phone so cannot advise on how to do it.

  7. Hi! Thanks for a great post 🙂

    I got the tip to always use private surfing when using betsites.

    Do this give the same results or is private surfing not working?

    1. Private surfing will still install flash components from sites you visit. I’d recommend blocking IE Snare as well.

  8. HI,

    I have a few accounts closed as linked accounts. how can i stop the bookies (365) from doing this. I refresh the IP delete cookies and still have the issue

    Any help appreciated

    1. It’s impossible to totally avoid getting accounts closed. Best advice is to never take bets where the bookie odds are higher than on the exchange and never bet on really obscure matches.

  9. Hi, I know I have iesnare and mpsnare on my computer, but when I type dir mp*.com /s into the
    ‘Run’ box I just get a message saying ‘windows cannot find dir’.
    Please can you clarify: should I type in cmd before dir mp*.com /s?
    Is there a space between r and m, and a space between m and/?
    Thank you.

    1. Yes, you need to type “Cmd” in the box first to run Command Prompt.
      Then in the black box type: “dir mp*.com /s”

  10. I’m informed that bookmakers will know if you uninstall/block iesnare, an action which will surely flag you up as bad news to them?

    Can you shed any light on this?

    Finally, thanks for this very informative post.

    1. All they will know is that visitor X does not have any previous tracking data on them when they visit their site. Whether that is because it is a brand new user or because IE Snare is blocked they will not know. Many things could be blocking IE Snare, both intentional or as a result of network settings so I’d be extremely surprised if a lack of IE Snare data being reported was itself a red flag. Indeed; I’ve been blocking IE Snare on my machine and recommended all of my friends/family do the same and none of them have reported any noticeable increase in gubbings. Infact they seem to be getting gubbed at a much slower rate than I was when I first started (and didnt originally have IE Snare blocked).

  11. When i open host it shows like this:

    # 127.0.0.1 localhost
    # ::1 localhost

    like everything you have but with that extra line saying ::1 localhost

    so when i do everything else properly and i restart my computer i don’t get the same results on cmd…i get 52.129.74.11 instead of 127.0.0.1 that you have

    HELP ME PLEASE

  12. Hi, I followed your instructions and could you please have a look below if this is normal? Thanks!

    Pinging mpsnare.iesnare.com [127.0.0.1] with 32 bytes of data:
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

    Ping statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

  13. So I deleted snare and did everything you suggested. I get this when I test it (Like Kris above):

    Pinging mpsnare.iesnare.com [127.0.0.1] with 32 bytes of data:
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

    Ping statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

    I assume it's working but when I revisit sites and search for mpsnare again it's back on the system. Am I correct in saying this is fine and it won't be able to send information even though it's on the system?

    Thanks for your help

    1. Correct, a reply from 127.0.0.1 means that it won’t be able to talk back in. Blocking it does not stop it getting installed on your machine, just stops it talking back in when it is installed. If you have blocked the communications it is harmless being installed and can be ignored.

  14. I have been using phones throughout and sometimes the PC from the cafes. Is it possible my account could be blocked?

    1. You’re more likely to get banned because someone else has previously used that shared IP address in the cafe for their accounts and they ban you for suspected multi-accounting. I’d never use a shared computer for matched betting. Guy yourself a 3G dongle and laptop. You can pickup cheap laptops for £150 and a dongle for £10-£20 per month.

  15. What if when entering all that under “127.0.0.1 localhost” I have another line that reads “::1 localhost”

    Do I continue to enter the code under that or do I delete it?

    Or is there another thing I need to do?

    Im clearly no tech expert so help would be much appreciated, Thanks

    1. Very strange, It certainly shouldnt be blank. What happens if you just double click on the hosts file itself and select to open with Notepad when prompted?

Leave a Reply

Your email address will not be published. Required fields are marked *