Cookie stuffing revisited

June 30, 2008 on 9:00 am | In Blackhat SEO |

Recently my blackhat seo hacker friend Chewie went on some seomoz thing and talked briefly about cookie stuffing.

Before reading any further you might want to read my post on dropping affiliate cookies which explains what/why/where/when and also my cookie stuffing code examples page. However if you already know the basics then you can get going much quicker by sticking with this post.

I decided to write this post because of the number of emails I received, all asking the same questions.

Avoiding high (100%) CTR when dropping cookies

One problem with dropping the cookies on every visitor is that it will result in a 100% CTR which can be an obvious flag that something isn’t right. To avoid this you can take a couple of steps, depending on how much time you wish to put into it and your coding skills.

The simplest way to avoid this problem is to use PHP's rand() function to select a random number between (and including) 1 and 4, and then only output the code to drop the cookie if the number equals 1. This method won't allow you to set an exact percentage because the number chosen will always be random. Out of 100 visits, it might select the numbers 2, 3 and 4 30 times each while selecting the number 1 only 10 times.

Code sample:

  <?
  $random_number = rand(1,4);
  if($random_number == 1){
      echo "Our cookie stuffing code goes here!";
  }
  ?>

If you have time then you might want to code something more advanced. For example:

  • Drop cookie only once per IP address
  • Keep a daily count of visitors and then limit how many people you drop the cookie on the next day. For example if you have 1000 unique visitors on Monday, on Tuesday you will drop the cookie on a maximum of 200 people.
  • Log every visitor and only drop a cookie on every tenth visitor
  • Etc.

Avoid getting caught forcing cookies on users

A lot of people have said that surely it's easy to get caught forcing cookies on people if you have an iframe where the source is the affiliate's page. This is true to some degree. You should take the following things into consideration:

  • The iframe method is the most basic and is intended as proof of concept rather than real world usage
  • If you have been an affiliate for a while and your CTR isn't ridiculously high then there's no reason the advertiser would ever check your site for cookie stuffing

So what is a safer method than iframes for dropping the cookie?

A safer method of dropping the cookie would be using a false image which redirects to the affiliate's page that sends the HTTP Set-Cookie header. The browser will try to load the image and be redirected to the affiliate page, and although it won't process any HTML on the final page, it WILL read and process the HTTP headers… including the one which places the cookie ;) It's crucial that you redirect to the exact page that sends the cookie header, so be careful if the affiliate site redirects a lot of times before landing on its final page, and make sure you select the one which is actually dropping the cookie.

The simplest way to do this would be using a .htaccess file which says, if there is a reference to “tracking_pixel.jpg” then redirect it to xyz affiliate page.

.htaccess Code sample:

  RewriteEngine On
  RewriteRule tracking_pixel.jpg http://www.affiliate.com/BDHDHDHDJ/ [R,L]

You now edit your site template so that every page includes the image:

  <img src="tracking_pixel.jpg" />

Now, even if the affiliate decides to come and take a look at your site's source code, they're going to see nothing which catches their eye. If for example you had a website which sold clothes then the chances are you'd have a lot of images named blue_shirt.jpg and suchlike. So in this case you could easily name it red_shirt.jpg and have it mixed in somewhere in your template and they'd never know!

An even safer image cookie stuff

Whilst it's extremely unlikely, it is possible that someone checking your site for stuffing could try loading tracking_pixel.jpg into their browser, be redirected to the affiliate page and guess something is amiss. To combat this, instead of using .htaccess to redirect to the affiliate page, we will tell it to treat a file named tracking_pixel.jpg as a PHP file.

.htaccess Code sample:

  <Files tracking_pixel.jpg>
  ForceType application/x-httpd-php
  </Files>

Now we put PHP code in tracking_pixel.jpg which checks the referring page. If the referrer is empty then the user has gone direct to our image and we should output a 404 error. If there is a referrer then the image has been included on a page and the request should be redirected to the affiliate site.

tracking_pixel.jpg code sample:

  <?
  if(!$_SERVER['HTTP_REFERER']){
      header("HTTP/1.0 404 Not Found");
  } else {
      header("Location: http://www.affiliate.com/BDHDHDHDJ/");
  }
  ?>

So now just include the following code on any page that you wish to drop cookies from:

  <img src="tracking_pixel.jpg" />

Also note that you’re not limited to including the image on your own site! You could also include it on forums and such like… basically anywhere that will allow you to place images. So if you signed up to a popular bingo forum you might decide to start becoming a regular poster and dropping cookies for all the well known bingo rooms.
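Seen from the merchant's or affiliate network's side, the forced loads described above (iframe, redirected image, forum-embedded image) differ from a real click in the request headers that reach the affiliate landing URL. The following is an added example, not code from the original post: it classifies such requests using the Fetch Metadata header Sec-Fetch-Dest with an Accept fallback and reports affiliates whose traffic is mostly embedded fetches. The record layout, the "aff" field, the affiliate ids and the thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

EMBEDDED = {"embedded-image", "embedded-frame"}

def classify_click(headers):
    """Classify one request to the affiliate landing URL by how the browser fetched it."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    dest = h.get("sec-fetch-dest")
    if dest is not None:  # Fetch Metadata, sent by current browsers
        return {"document": "navigation", "image": "embedded-image",
                "iframe": "embedded-frame", "frame": "embedded-frame"}.get(dest, "unknown")
    # Fallback for clients without Fetch Metadata: a real click asks for HTML,
    # an <img> fetch asks for image types. Framed loads cannot be told apart here.
    accept = h.get("accept", "")
    if "text/html" in accept:
        return "navigation"
    if accept.startswith("image/"):
        return "embedded-image"
    return "unknown"

def suspicious_affiliates(clicks, min_clicks=3, threshold=0.5):
    """Map affiliate id -> share of embedded (non-click) fetches, where it meets threshold."""
    totals, embedded = defaultdict(int), defaultdict(int)
    for c in clicks:
        totals[c["aff"]] += 1
        if classify_click(c["headers"]) in EMBEDDED:
            embedded[c["aff"]] += 1
    return {aff: embedded[aff] / n for aff, n in totals.items()
            if n >= min_clicks and embedded[aff] / n >= threshold}

NAV = {"Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate"}
IMG = {"Sec-Fetch-Dest": "image", "Sec-Fetch-Mode": "no-cors"}
# Constructed sample records; "aff" is a hypothetical affiliate id field.
SAMPLE_CLICKS = [
    {"aff": "A100", "headers": NAV},
    {"aff": "A100", "headers": NAV},
    {"aff": "A100", "headers": {"Accept": "text/html,application/xhtml+xml"}},
    {"aff": "B200", "headers": IMG},
    {"aff": "B200", "headers": IMG},
    {"aff": "B200", "headers": {"Accept": "image/png,*/*;q=0.5"}},
    {"aff": "B200", "headers": NAV},
    {"aff": "C300", "headers": {"Sec-Fetch-Dest": "iframe", "Sec-Fetch-Mode": "navigate"}},
]

if __name__ == "__main__":
    print(suspicious_affiliates(SAMPLE_CLICKS))
```

Because the browser keeps the original request destination across redirects, the image-redirect variants still arrive at the landing URL marked as image fetches, whatever the embedding page does with the Referer.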

I think this pretty much covers most of the questions which have been asked :)


15 Comments »


  1. One remaining question — how to prevent the annoying red-X in IE when people are actually browsing the forum? It sticks out like a sore thumb.

    Thanks! :)

    Comment by Jojo — 30th June, 2008 #

  2. Convert the world to firefox ;) No but really, I’m not sure… if the forum allows you to enter ‘Alt’ text then this would probably let you get around it by having it show text instead of the X.

    Comment by admin — 30th June, 2008 #

  3. The bbcode spec does not allow the alt tag. Most forums do not allow HTML so you can't do it that way either.

    Comment by Jojo — 30th June, 2008 #

  4. Which kind of affiliate programs would you use on which kind of pages?

    Comment by MacRip — 1st July, 2008 #

  5. Your choice of affiliate program will depend where you’re dropping the cookies.. If you have a general site which doesn’t talk about a specific subject then you’d drop something really generic like ebay or amazon cookies. If you had a blog about music then you might drop cookies for ticketmaster. If you decide to go searching for forums on specific topics and find one on the topic of mobile phones then you might drop cookies for carphone warehouse, phones4u and so on.

    Comment by admin — 1st July, 2008 #

  6. Noob question: which part of an amazon affiliate link would you use in the php (img) file?

    Also, ForceType application/x-httpd-php doesn't seem to work. If I browse direct to the image, FF asks you to download the jpg file. Got any ideas what I'm doing wrong?

    Comment by Volante — 6th July, 2008 #

  7. 1) If you can't work out which url to use then you certainly shouldn't be cookie stuffing. 2) If FF is asking you to download the file then maybe your server doesn't have php support… ?

    Comment by admin — 6th July, 2008 #

  8. If I stuff cookie on forums, the merchant will see the forum as the referer, do you know a way to spoof it?

    Comment by unknown_zero — 9th July, 2008 #

  9. “If I stuff cookie on forums, the merchant will see the forum as the referer, do you know a way to spoof it?”
    That's what I would also like to know. If it's too valuable info to give out openly, maybe you would bother to mail me a hint at least?
    BTW nice and interesting blog you are running here!

    Comment by mart — 14th July, 2008 #

  10. What if I want to stuff a few different cookies with one img? So I am doing something right now which is similar to your last method: superimage.jpg on the site > htaccess line > Redirect /superimage.jpg http://www.mydomain.com/supercode.php >
    supercode.php:

    Can I add another link into supercode.php so I can stuff a few different affiliate links in one img redirection? So at the end I get something like this:
    superimage.jpg > htaccess > supercode.php > affiliate1, affiliate2, affiliate3 etc.?

    thanks in advance for the info:)

    Comment by koleszka — 15th July, 2008 #

  11. Hiya koleszka, no basically. You'd have to set up and use more than one of the fake images. As for those asking how to hide referer when cookie stuffing (e.g. on forums)… yes I know of one way but I'll have to check it still works. Remember, I don't cookie stuff and I think it's a pretty naff way to make money.

    Comment by admin — 18th July, 2008 #

  12. Hey seospammer…

    Any updates on your above post? After seeing this thread I tried all possible ways of hiding a referer but could not succeed. Either the cookie is getting dropped or the referer is staying alive!!!

    Phew… any inputs from your side???

    Comment by kobraaa — 24th July, 2008 #

  13. What if the merchant does a standard visit and sees if the cookie is dropped on visit? Surely he would wipe cookies before visiting, then check again and notice it's being dropped when the page loads?

    Comment by mat — 28th July, 2008 #

  14. […] wants to, should read this at Esrun: Dropping affiliate cookies, Cookie stuffing scripts, Cookie stuffing revisited. But one should always be aware that cookie stuffing, although very lucrative, is nevertheless […]

    Pingback by Ebay klagt DigitalPoint Chef Shawn Hogan an - angeblich Cookie Stuffing » Online Marketing — 29th August, 2008 #

  15. […] you will find a guide for cookie dropping pros from the English Blackhat SEO, and here an exceptionally stupid cookie dropper… […]

    Pingback by Cookie-Dropping für Anfänger. — 10th November, 2008 #
