Cookie stuffing revisited

[复制链接]
查看: 348   回复: 0
发表于 2012-4-15 02:23:41 | 显示全部楼层 |阅读模式
Recently my blackhat seo hacker friend Chewie went on some seomoz thing and talked briefly about cookie stuffing.

Before reading any further you might want to read my post on dropping affiliate cookies which explains what/why/where/when and also my cookie stuffing code examples page. However if you already know the basics then you can get going much quicker by sticking with this post.

I decided to write this post because the amount of emails I recieved all asking the same questions.

Avoiding high (100%) CTR when dropping cookies
One problem with dropping the cookies on every visitor is that it will result in a 100% CTR which can be an obvious flag that something isn’t right. To avoid this you can take a couple of steps, depending on how much time you wish to put into it and your coding skills.

The simplest way to avoid this problem is to use PHPs rand() function to select a random number between(and including) 1-4 and then only output the code to drop the cookie if the number equals 1. This method won’t allow you to set an exact percentage because the number chosen will always be random. Out of 100 visits, it might select the numbers 2,3 and 4 30 times each while selecting the number 1 only 10 times.

Code sample:

If you have time then you might want to code something more advanced. For example:

Drop cookie only once per IP address
Keep a daily count of visitors and then limit how many people you drop the cookie on the next day. For example if you have 1000 unique visitors on Monday, on Tuesday you will drop the cookie on a maximum of 200 people.
Log every visitor and only drop a cookie on every tenth visitor
Etc.
Avoid getting caught forcing cookies on users
A lot of people have said, surely it’s easy to get caught forcing cookies on people if you have an iframe where the source is the affiliates page. This is true to some degree. You should take the following things into consideration:

The iframe method is the most basic and is intended as proof of concept rather than real world usage
If you have been an affiliate for awhile and your CTR isn’t ridiculously high then there’s no reason the advertiser would ever check your site for cookie stuffing
So what is a safer method than Iframes for dropping the cookie?

A safer method of dropping the cookie would be using a false image which redirects to the affiliates page that has the HTTP Cookie header. The browser will try to load the image, be redirected to the affiliate page and although it won’t process any html on the final page, it WILL read and process the HTTP headers… including the one which places the cookie  It’s crucial that you redirect to the exact page that has the cookie header, so be careful if the affiliate site redirects a lot of times before landing on its final page so that you select the correct one which is dropping the cookie.

The simplest way to do this would be using a .htaccess file which says, if there is a reference to “tracking_pixel.jpg” then redirect it to xyz affiliate page.

.htaccess Code sample:

RewriteEngine On
RewriteRule tracking_pixel.jpg http://www.affiliate.com/BDHDHDHDJ/ [R,L]
You now edit your site template so that every page includes the image:


Now, even if the affiliate decides to come and take a look at your sites source code, they’re going to see nothing which catches their eye. If for example you had a website which sold clothes then the chances are you’d have a lot of images named blue_shirt.jpg and such like. So in this case you could easily name it red_shirt.jpg and have it mixed in somewhere in your template and they’d never know!

An even safer image cookie stuff..
Whilst it’s extremely unlikely, it is possible that someone checking your site for stuffing could try loading tracking_pixel.jpg into their browser and then they’d be redirected to the affiliate page and guess something is amiss. To combat this, instead of using .htaccess to redict to the affiliate page, we will instead tell it to treat a file named tracking_pixel.jpg as a PHP file.

.htaccess Code sample:


ForceType application/x-httpd-php
Now we put PHP code in tracking_pixel.jpg which checks the referring page. If the referrer is empty then the user has gone direct to our image and we should output a 404 error, if there is a referrer then the image has been included on a page and should be redirected to the affiliate site.

tracking_pixel.jpg code sample:

So now just include the following code on any page that you wish to drop cookies from:


Also note that you’re not limited to including the image on your own site! You could also include it on forums and such like… basically anywhere that will allow you to place images. So if you signed up to a popular bingo forum you might decide to start becoming a regular poster and dropping cookies for all the well known bingo rooms.

I think this pretty much covers most of the questions which have been asked

51 COMMENTS »
RSS feed for comments on this post. TrackBack URI

One remaining question — how to prevent the annoying red-X in IE when people are actually browsing the forum? It sticks out like a sore thumb.
Thanks!
Comment by Jojo — 30th June, 2008 #
Convert the world to firefox  No but really, I’m not sure… if the forum allows you to enter ‘Alt’ text then this would probably let you get around it by having it show text instead of the X.
Comment by admin — 30th June, 2008 #
Or perhaps using php to show a blank image? Or at least the times when the cookie isn’t dropped?
Nice write-up though!
Comment by underworld — 30th June, 2008 #
The bbcode spec does not allow the alt tag. Most forums do not allow HTML so you cant do it that way either.
Comment by Jojo — 30th June, 2008 #
Which kind of affiliate-programs would you use on which kind of pages ?
Comment by MacRip — 1st July, 2008 #
Your choice of affiliate program will depend where you’re dropping the cookies.. If you have a general site which doesn’t talk about a specific subject then you’d drop something really generic like ebay or amazon cookies. If you had a blog about music then you might drop cookies for ticketmaster. If you decide to go searching for forums on specific topics and find one on the topic of mobile phones then you might drop cookies for carphone warehouse, phones4u and so on.
Comment by admin — 1st July, 2008 #
noob question, which part of an amazon affiliate link would you use in the php (img) file?
also ForceType application/x-httpd-php doesnt seem to work, if i browse direct to the image FF asks you to download the jpg file. got any ideas what im doing wrong?
Comment by Volante — 6th July, 2008 #
1) If you can’t work out which url to use then you certainly shouldn’t be cookie stuffing. 2) If FF is asking you to donwload the file then maybe your server doesn’t have php support… ?
Comment by admin — 6th July, 2008 #
If I stuff cookie on forums, the merchant will see the forum as the referer, do you know a way to spoof it?
Comment by unknown_zero — 9th July, 2008 #
“If I stuff cookie on forums, the merchant will see the forum as the referer, do you know a way to spoof it?”
That’s what i would also like to know. If it’s too valuable info to give out openly, maybe you would bother to mail me a hint at least ?
BTW nice and interesting blog you are running here!
Comment by mart — 14th July, 2008 #
What if i wanna stuff few different cookies with one img?So i am doing right now smth which is similar to your last method: superimage.jpg on the site>htaccess line>Redirect /superimage.jpg http://www.mydomain.com/supercode.php>
supercode.php:
can i add another link into supercode.php so i can stuff few different affiliate links in one img redirection?so ah the end i get smth like this:
superimage.jpg>htaccess>supercode.php>affiliate1,affiliate 2,affiliate3 etc.?
thanks in advance for the infoCookie stuffing revisited
Comment by koleszka — 15th July, 2008 #
Hiya koleszka, no basically. You’d have to setup and use more than one of the fake images. As for those asking how to hide referer when cookie stuffing (e.g on forums)… yes I know of one way but I’ll have to check it still works. Remember, I don’t cookie stuff and I think its a pretty naff way to make money.
Comment by admin — 18th July, 2008 #
hey seospammer…
any updates on your above post? after seeing this thread i tried all possible ways of hiding a refer but could not succeed. Either the cookie is getting dropped or the referer is staying alive!!!
phew…any iputs from ur side???
Comment by kobraaa — 24th July, 2008 #
what if the merchant does a standard visit and sees if the cookie is dropped on visit surley he would wipe cookies before visiting then check again and notice its being dropped when the page loads?
Comment by mat — 28th July, 2008 #
can you tell us anyway to hide the referer when stuffing forums?
Comment by andre — 19th August, 2008 #
[...] möchte, sollte das hier bei Esrun lesen: Dropping affiliate cookies Cookie stuffing scripts Cookie stuffing revisited Aber man sollte sich immer im Klaren sein das cookie stuffing, wenn auch sehr lukrativ trotzdem [...]
Pingback by Ebay klagt DigitalPoint Chef Shawn Hogan an - angeblich Cookie Stuffing » Online Marketing — 29th August, 2008 #
what do you think about using GD libraries to generate a php file loading first the location directive and after that creating the image. Does it will works?
It will display the image but it will load the script too
Comment by curiousseo — 18th September, 2008 #
Nice Post, but it doesnt matter how well you hide your code. All the merchant has to do is delete his cookies, load your site and check his cookies again. if you drop cookies its then proven. All you did was hide how you did it but not that you did it.
So best advice for someone who wants to do it is to be low profile….
In fact all these methods are only good not to get other webmasters (by accident) curious about iframes or other strange images on your site.
Comment by Tom — 4th October, 2008 #
SEO Spammer,
I too have been trying to work out a method for blanking the referrer via an with no avail. I can easily do it via actionscript with php or flash, just not when I plant an .
Would you perhaps point me in the right direction?
Comment by ximscreamingx — 9th October, 2008 #
im my above comment there should have been two [img], i used “” and it read as html.
Comment by ximscreamingx — 9th October, 2008 #
[...] findet ihr eine Anleitung für Cookie Dropping Profis vom englischen Blackhat SEO, und hier einen selten dämlichen Cookie-Dropper… [...]
Pingback by Cookie-Dropping für Anfänger. — 10th November, 2008 #
Wow! Great info here.
Does the final js img method you suggest successfully stuff Internet Explorer? I know that the simple iFrame method does not.
Also, just a tip to lower your CTR. On a page that is being stuffed, be sure to include 4 or 5 banner ads for that advertisor. That way for every user that sees that page, it will log 4 or 5 impressions and only 1 click (cookie stuff).
Comment by Jason — 16th November, 2008 #
to get around that red X why not find out a way how to place a  face instead of a blank image inside the image embed php code simple
Comment by spider — 16th January, 2009 #
If I’m a merchant there’s a very simple method to check if your doing cookie stuffing :
1.Empty my cookies
2.Automatically refresh you page 1000 times
if I find an affiliate cookie, your busted. All these softwares for cookie stuffing and methods are serious bullshit.
Comment by Andrew — 20th January, 2009 #
Spider, if you think about how the php fake image redirection works and how browsers work then you see that can’t be done. You can’t send a redirection header in php and try output content, simply not possible.
Comment by admin — 21st January, 2009 #
Andrew, you’re making the presumption that the merchant actually knows what page/site the cookies are being dropped on! There are ways to hide the referer so the merchant doesn’t even know where the cookies are being dropped.
So if you setup a legit site promoting the merchant and do NOT drop cookies, it will all look good. But if you had 50 other sites which were cookie stuffing but hiding the referer then they’d never know
Comment by admin — 21st January, 2009 #
How can the referred be hidden?
Comment by J — 28th January, 2009 #
Andrew you could set up the script so it only stuffs if the referer is set to what you specify for example:
If you only allow traffic from google, yahoo e.t.c to be stuffed any other refering page to the CS page will not be stufffed at all. This means if you refresh the webpage 1000 times you wont find a thing, you would have to guess the correct referrer to see the CS in action.
To admin.
Yeh It was an idea but what if you set up a mysql database that tracks USER IP so basically in english GET MYSQL settings and Connect >> Get Vistors ip address >>Check V if IP is stored in DB–>> if visitor IP is in DB show some real image  –> if IP is NOT in DB Insert new IP in DB & continue CS visitor. That way the red X is only shown Once per unique IP and if the visitor right click and refresh image on forum it will show the ) face.
maybe only work in theory lol but you know some one will have allready figured that out.
Comment by spider — 3rd March, 2009 #
Im guessing here, but i take it you need to have your aff link on your site as well as the php code to avoid 100% ctr?
Comment by Nick — 25th March, 2009 #
Hi
There is one issue with cookie stuffing that I haven’t seen addressed. It is assumed that the first person that lands on your site is going to be the one that has the cookie set. However, a great many merchants are set up so that if a person lands on Site A and the cookie is set, then they go to site B, C and D before clicking thru to the merchant, it is site D that will get credit for the sale, not site A. Linkshare has almost all of their codes for banners set up with the img method that is referred to out side the tag, Therefor negating your effort to stuff a cookie.
I have also verified with Google/ Performics as to how the cookie is set and was told that it was the last person in that set the cookie, not the first.
So it begs the question. Is there a way to make sure that the cookie you set isn’t over written?
Comment by Bob — 2nd April, 2009 #
great explanation. is it even possible to blank the referrer with the forum stuffing method? if so how? people always seem to dance around the issue
Cant you avoid the merchant calculating the a ctr by just using text links, how can they calculate a ctr if they dont have a banner with a tracking pixel on your site to track impressions?
Comment by Karl — 8th April, 2009 #
[...] Article 1 servant de base à ce post : http://www.esrun.co.uk/blog/cookie-stuffing-revisited [...]
Pingback by Blog de Jice Lavocat » Blog Archive » Cookie Stuffing and click hidding — 23rd June, 2009 #
Hey , but the only problem with the image trick , is that you can’t fake or hide the referer. so , if you use this in a forum to drop cookies. the affilate will know that the referer is the forum Cookie stuffing revisited , and not you site. but with iframe u can do it !
Comment by Stachendrath — 30th June, 2009 #
Stachendrath, in it’s current form it wont hide the referer, however, it can be done. No popular forum software out there would let you post enough HTML to get an iframe on there so that’s just not practical.
Comment by admin — 1st July, 2009 #
oh ! , which way you can hide a referer using the image trick , couse i think that’s not posible..
please , let me know ! thanks mate !
Comment by Stachendrath — 1st July, 2009 #
maybe not a forum , but did you think about a ecommerce site ?  … think about it !
Comment by Stachendrath — 28th July, 2009 #
anything new concerning the hiding refferer issue ?
Comment by sup — 30th July, 2009 #
For us white hats how can we prevent you from dropping cookies on our sites?
Comment by Lori — 17th August, 2009 #
so whered everyone go? whats the answer to the forum cookie stuffing..i want to hide the referrers as it shows the forums
Comment by cloaker — 23rd September, 2009 #
Can you pls explain where to save this php line as you spoken above:
Do you mean saving this file as an image file – tracking_pixel.jpg?
The same goes for this:
Do we need to create a php file or just add it to the page where the cookies is dumped? Or just an independent file?
Thanks a lot.
Comment by Caroline Hudson — 4th November, 2009 #
ok as i read there is really no way to change or blank the referer with a header(“Location… redirect? if there is somebody out there knowing a way, please tell me and you’ll be generously rewarded  .
Comment by michael — 19th November, 2009 #
I think u should make this post an “Pay to Read” thing lol. (I’m serious, u will get subscribers  )
Well I have a quick question please reply if u have the time and feel like.
Though the last image method is pretty solid (htaccess / referrer checking) than others, i would like to know if the affiliate manager could read the content of this image file?
If yes could u give one method of how that could be done.
Comment by Sara Lin — 22nd November, 2009 #
1.
Where EXACTLY do i put this code? I use this code in .htaccess: Redirect /fakeimage.jpg http://affiliatesite.com and i stuff on forums using Cookie stuffing revisited
Thanks.
Comment by NewbieStuffer — 16th December, 2009 #
Sorry, the HTTP REFERRER code.
“Now we put PHP code in tracking_pixel.jpg which checks the referring page.”
Comment by NewbieStuffer — 16th December, 2009 #
Nice write up. I am not sure it should be out there spelled out but hey it’s your page.
In a way this post is helping the community get a few noob affiliate marketers out of the scene getting banned! lol.
Comment by john — 13th January, 2010 #
to hide referer don’t point to affiliatelink directly but to your own site and use a double meta refresh before sending it to the affiliate link.
or use referer cloaking tool.
Comment by Me — 18th February, 2010 #
hi there,
this method works fine for me in firefox but in ie (8) no cookie will be set. is this a security matter? can there be a workaround for ie?
thanks
scooter
Comment by scooter — 2nd March, 2010 #
Great post..  Im still new on this topic.
I have one quick question.
Let’s say I use the last technique (HTTP header)
If the merchant comes and opens my “tracking_pixel.jpg”
what picture will appear?
Comment by joe lambok — 19th April, 2010 #
is there a way to change or blank the referer or not? i have tried with redirects, curl, sockets but i couldn´t hide the referer.
if there is somebody out there knowing a way, please tell me. Thx
Comment by jo — 7th May, 2010 #
New to cookies. How are you guys stuffing cookies into forum posts these days? Almost none that I’ve found allow html so you can’t use that technique I’m guessing, and everything else is through that bbcode thing, that doesn’t allow images.
Email me if you can help out. anthony2610(AT)gmail.com
Comment by anthony — 2nd August, 2010 #
Are people using this method still and going without being banned? Forget the big networks…do the smaller ones take the time to look for this kind of stuff or do they welcome the sales regardless?
t
Comment by Tom — 25th March, 2011 #
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则