I was over at Blackhat way reading this article about cookie stuffing, and I thought to myself: interesting, but it is a bit too underhand a method for me, as unlike the Entrecard Bot this method may result in me stealing someone else’s commission.
Nonetheless I thought how could I improve the method?
Now before reading on I suggest you go and read what the author has written there so to get an idea.
Now I am not a ‘coder’; I have basic knowledge in a number of languages and can get simple things done, but nothing ‘big’.
When thinking about ‘cookie stuffing‘ I thought of alternative methods it could be done; the first method I thought of was to use javascript in a method similar to below:
<script language=”javascript”> window.open(‘http://affiliatelink.com‘,’WindowTitle’,’width=300, height=300, toolbar=NO, resizable=YES’); </script>
The problem with this method is that it is easily defeated by a popup blocker. Add to this the fact that the majority of internet buyers will have some tech knowledge; I chose to give person ‘X’ the NoScript add-on for Firefox as well, so defeating JavaScript methods.
This made me think that the method therefore must be intrinsic to the page; so I thought: iframe.
<iframe src =”http://AffiliateLink.com” width=1 height=1></iframe>
The problem with this is that it will be spotted faster than an elephant on the tube. So, as in the mentioned article, the ‘only’ method that would have a chance of success would be the htaccess method.
The main ‘crux’ of the method described there relies on:
Redirect /image1.jpg http://www.SomeAffiliateWebsite.com/aff123
The problem with this is that the ‘referrer’ would always be the image, and some checks by the affiliate company on this referrer could easily lead to your commission disappearing.
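One form the affiliate-side check mentioned above can take, as an added example that is not from the original article: a Python sketch that flags clicks the browser fetched as an image or iframe rather than as a page a person navigated to, then reports affiliates with a high share of such clicks. The log layout, affiliate IDs, threshold and sample entries are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample click log (not real data): request headers as seen
# by an affiliate network's click endpoint. Field names are assumptions.
SAMPLE_CLICKS = [
    {"id": "c1", "aff": "aff123", "headers": {
        "Sec-Fetch-Dest": "document", "Accept": "text/html,*/*;q=0.8"}},
    {"id": "c2", "aff": "aff123", "headers": {
        "Sec-Fetch-Dest": "image", "Accept": "image/avif,image/webp,*/*;q=0.8"}},
    {"id": "c3", "aff": "aff123", "headers": {
        "Sec-Fetch-Dest": "iframe", "Accept": "text/html,*/*;q=0.8"}},
    {"id": "c4", "aff": "aff456", "headers": {  # older client, no Fetch Metadata
        "Accept": "image/png,image/*;q=0.8,*/*;q=0.5"}},
    {"id": "c5", "aff": "aff456", "headers": {
        "Sec-Fetch-Dest": "document", "Accept": "text/html,*/*;q=0.8"}},
]

EMBEDDED = {"image", "iframe", "frame", "embed", "object"}


def classify_click(headers):
    """Return why a request is not a top-level page navigation, else None."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    dest = h.get("sec-fetch-dest")
    if dest is not None:
        return f"loaded as {dest}" if dest in EMBEDDED else None
    # Fallback without Fetch Metadata: an <img> fetch lists image types
    # first and never asks for text/html.
    accept = h.get("accept", "")
    if accept.startswith("image/") and "text/html" not in accept:
        return "Accept header is image-only"
    return None


def review(clicks, threshold=0.6):
    """Return (flagged click reasons, affiliates with flagged share >= threshold)."""
    flagged, total, bad = {}, defaultdict(int), defaultdict(int)
    for click in clicks:
        total[click["aff"]] += 1
        reason = classify_click(click["headers"])
        if reason:
            flagged[click["id"]] = reason
            bad[click["aff"]] += 1
    suspects = sorted(a for a in total if bad[a] / total[a] >= threshold)
    return flagged, suspects


if __name__ == "__main__":
    print(review(SAMPLE_CLICKS))
```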
Saying this I believed that the .htaccess method was the way to go, though had to be a bit tweaked.
My main ‘improvement’ on the idea is based around a principle I believe in: that as individuals, humans, unlike machines, are ‘random’. So the first aspect therefore would be to drop ‘the cookie‘ on a random basis and from multiple affiliates, so as to reduce risk.
Another note before I continue; this method plays on the assumption you have your own site and banners / links etc. to the relevant affiliate offers so to reduce the risk of getting caught if they happen to check referrals. This gives a plausible explanation to where the clicks/ cookies were dropped from.
Now back to the job at hand, to implement a randomization technique what I would need to do is effectively have the users access a piece of code that would then pass them on to the offer.
This can be done by the power of .htaccess as follows:
// htaccess stuff
HTACCESS SCRIPT
// htaccess stuff
<Files image.jpg>
ForceType application/x-httpd-php
</Files>
What this effectively does is tell the browser that “image.jpg” (which is hidden on the page) is actually a .php document and it should read it as such. Note here that your affiliate banners must also have a similar name to the image name you specify. This can actually be taken one step further by giving it the same name but housing it via some trickery in a separate folder. Thus giving the impression the ‘banner’ is the ‘click through device’.
Now for the PHP itself; What I envisioned to keep it ’secure’ and ‘hidden’ is to do the following:
> Select only a % of the visitors to drop the cookie on;
> Select randomly which cookie to drop on them;
Now to achieve this I wrote the following (note this is ‘pseudo code’ and will not run unless properly written);
<?
//set var
var $doit; // runs the 'drop' part of the script
var $randomtar //rolls random number 1-10 for each visitor (resulting in only 10% of visitors getting a cookie)
var $randomadd //rolls random number to select which cookie to drop
var $aff1; //defines affiliate location 1
var $aff2; //defines affiliate location 2
var $aff3; //defines affiliate location 3
var $afselec //if target is selected roll which add to run,
//define var
$randomtar = rand(1,10); //rolls 1-10
$randomadd = rand(1,3); //rolls 1-3
$add1 = header("Location: $aff1"); //add location 1
$add2 = header("Location: $aff2"); // add location 2
$add3 = header ("Location: $aff3"); //add location 3
$afselec = if($random_number == 1)($randomadd); // if target selected run random to find out which affiliate page to go to
$doit = if $randomtar == 1 and $randomaff == 1 (add1) //if target acquired and add acquired run aff url 1
if $randomtar == 1 and $randomff == 2 (add2); // if target acquired and add acquired run aff url 2
if $randomtar == 1 and $randomaff == 3 (add3); // if target acquired and add acquired run aff url 3
}
What this would effectively do is for each visitor it will roll 1 to 10; if the number was a ‘1′ it would proceed to the next step and roll 1-3 and then send the browser to the ‘header’ of the selected affiliate page where the cookie would be dropped.
Now being a bit paranoid of perhaps being caught doing something underhand I decided to add the following to the code to reduce the risk of some tech savvy affiliate manager snooping through my source code and finding my little script:
// activation
if(!$_SERVER[‘HTTP_REFERER’]){
header("HTTP/1.0 404 Not Found");
} else { "$doit"
}
?>
What this would do is check the referrer of where the click to the ‘image’ file was coming from; if it had no referrer it would display a 404 page. Though for the scenario I assumed most traffic to the site will be coming from referrers such as search engines and the like, and therefore it would ‘$doit’, i.e. run my php script hidden in a fake jpeg and drop one of three cookies on to 10% of all visitors, hopefully netting me some cash…..that’s if I chose to do it :p
If you have any questions I’ll try and answer them, but I am no php/htaccess whizz; I’ll give it my best shot.
If you want to learn more about htaccess have a quick snoop on one of my older articles and a concise write up by Jeff over at perishable press.
EDIT I actually wrote this article before today :p and it was due to publish on Monday, but on Thursday night when catching up on news I came across a few articles, and now I want to add emphasis to the fact that YOU CAN get caught and it CAN seriously fluff you over.
The news I am talking about is firstly the fact that eBay started banning a lot of affiliates it suspected of cookie stuffing, and not only that, but they have gone after these people for damages; the most known (or soon to be known) case is that of Digital Point owner Shawn.
The court report can be seen here, a bit more detail can be seen here, and lastly the ‘OMG he didn’t do it’ thread can be seen here.
So did Digital Point owner Shawn cookie stuff? It will be interesting to see how this case proceeds, and it will affect this blackhat method a great deal.
- 13 Comments
hehe i never tried cookie stuffing
LOL and we don’t want to see a repeat of DP now do we?!
Any idea on how to either blank or spoof the referer?
There are ways to do that; you basically tell the script that it is at location ‘x’ and you can hold multiple locations in a txt file for it to read.
The problem is though all these refers MUST be real, if your AM decides to check a refer that seems to be working well but it doesn’t exist….alarm bells will go off.
Again I would like to reiterate…cookies stuffing is wrong, this was just an educational documentation.
Could you be a bit more specific when you say:
“you basically tell the script that it is at location ‘x’ and you can hold multiple locations in a txt file for it to read.”
I have tried to blank an img tag for years to no avail.
Before I comment I would again state that this is for educational purposes only.
The basic gist though is you would write in the script a portion that tells it to read the text file via the ‘file()’ command or fget()
// open the file and save each line as an array entry in $content
$content = file('myfile.txt');
// count how many lines in the file
$numLines = count($content);
// loop through all the lines
for ($i = 0; $i < $numLines; $i++) {
// each line ends with a newline character
// you may want to get rid of this first
// using trim()
$line = trim($content[$i]);
// do whatever you want to do with that line
// ...
}
OR
// open the log file and check if it was opened successfully
if (!($fp = fopen('myfile.txt', 'r'))) {
die('Cannot open file');
}
// keep fetching a line from the file until end of file
while ($line = fgets($fp, 4096)) {
// trim to remove new line character at the end of line
$line = trim($line);
// do whatever you want to do with that line
// ...
}
You then set the result as a variable (you could use $line) but I would recommend using $refer = $line so it is more readable in the different sections of code.
You then enter this $refer in to your script...actually spoofing the refer is a different matter and so as not to write another post in the comment section I suggest you check out http://www.anthonyshapley.co.uk/2008/08/27/http-referral-spoofing-with-php-and-curl/
Has anyone successfully managed to serve image.jpg ( as img src=’image.jpg’ ) somewhere on the page so when the image is displayed the php redirection script is called which takes you to another php script which would then take you to aff.
For some reason I can only directly execute image.jpg and the code works fine but it does not work when served as img src=..
I’m assuming you mean you’re doing this on your own site; just to get some more info, have you set the .htaccess so it reads as a php file?
Though rereading your comment I’m thinking you want it to display a picture as well as redirecting to php code. Though I have no idea if this is possible, as the code then would have to be embedded in to the file. A flash based cookie stuffer imo would work better if this is your aim.
I could not get this to work for some reason. I set up the .htaccess file and the php file and I changed the file extension of the php file to .jpg. All filenames were changed to my picture.jpg and all paths were correct but the cookie would not plant. I tried this in a forum, not on my own server so it was within [IMG][/IMG] tags. Any ideas what I have done wrong? Was it that I simply changed the .php file to .jpg? It is definitely now an image file and not a xxx.jpg.php file.
Hey Chris sorry for the late reply your comment was caught by Akismet…
Just need to clarify what you actually put in the php file ?
Also if you are using forums it would be easier to do the following:
Add this to the .htaccess:
Redirect /image1.jpg ww.SomeAffiliateWebsite.com/aff123
and then use the following format on forums:
[img]ww.SomeDomainOfYours.com/image1.jpg[/img]
OR
add this to the .htaccess:
RewriteEngine On
RewriteRule image1.jpg ww.SomeAffiliateWebsite.com/aff123/ [R,L]
and use this:
or use the tags as above.
Though if you are adamant on using a php add the following to .htaccess:
ForceType application/x-httpd-php
and add this to image1.jpg
< ?
if(!$_SERVER[‘HTTP_REFERER’]){
header("HTTP/1.0 404 Not Found");
} else {
header("Location: ww.SomeAffiliateWebsite.com/aff123/");
}
?>
Hope it helps….but remember cookie stuffing is bad and this is to help grow your knowledge ONLY! Also don’t forget to add ‘http’; I didn’t because it was breaking the code tags.
Thanks a lot for the reply Donace, I’m currently still trying to make a script or change the .htaccess so that it will hide the referer, having a lot of trouble working out how to do it. I have been pushed in the direction of HTTPS –> HTTP to hide the referer but can’t find too much info on the net about it!
To hide the refer via .htaccess is difficult (I don’t know how it can be done, thus eliminating forum cookie stuffing/ image redirects etc).
With a php script though what you could do is something like this:
BH.com/BHpage1.php -> BH.com/BHpage2.php -> WH.com/Wpage.php -> Affiliate page
So on your ‘BHpage’ what it would do is redirect ALL your traffic to the ‘wpage’ which will drop the cookie and act as your refer.
To explain it another way you send 100 visitors to your BHpage (from ANY source); all of these will be redirected to your genuine landing page (i.e. a page that has the affiliate links present). These will then fall target to a script as discussed in the article (i.e. a random cookie dropping script). This will result in the Affiliate seeing ‘wpage’ as the referer to all the cookie drops.
What this in effect means is you can redirect different traffic sources to BHpage and by tweaking the % on the ‘landingpage’ drop a fair no of cookies.
SO BHpage1=
< ?php
echo "<**meta** http-equiv="refresh" content="0;url=h**ttp://www.BH.com/BHpag**e2.php">";
?>
BHpage2 =
< ?php
$referer = $_SERVER['HTTP_REFERER'];
if($referer == "")
{
echo "<**meta http-**equiv="refresh" **content="0;url=http://WH.com/whpage.php">";
}
?>
Whpage = (see pseudo script in post)
This in effect will hide ALL traffic sources and referers and use the ‘whpage’ as a referer etc.
OR an alternative:
With the same model above (except with 1 less page)
i.e. BH.com/BHpage1.php -> WH.com/Wpage.php -> Affiliate page
you could use something like this:
< ?php
$site2 = "http://www.WH.com/Wpage.php";
echo "<**body onload="javascrip**t:frmClickTracking.submit();">";
echo "< **form action="" . $site2 . "**" method="post" name="frmClickTracking">";
echo "< **/form>";
?>
< ?php
$site1 = "http://www.BH.com/BHpage.php";
$affiliate_link = "http://www.youroffer.com";
if($_SERVER['HTTP_REFERER'] == $site1)
{
echo "<**body onload="ja**vascript:frmClickTracking.submit();">";
echo "< **form action="" **. $affiliate_link . "" method="post" name="frmClickTracking">";
echo "< **/form>";
}
?>
What the first script does upon landing on the page is redirect the user to your second ‘legitimate’ page, which will then load the affiliate page using the ‘legitimate page’ as your refer.
These methods would, as mentioned, not work with forum stuffing (as to my knowledge the refreshes etc. will not work), though this will work well with CPA offers that limit traffic sources (the second method) or just help you provide more users for your ‘cookie script page’ (the first method).
Also check out For a bit more info on controlling your referer
NB everywhere you see ‘**’ delete them as they are just there to stop the code being run in the comments
I was looking for how to cook cookies when I fell on this post, lol just joking great post dude