Controlling Your Referer, and Hiding Your Traffic Sources
How Do I Keep Affiliate Programs From Knowing My Traffic Source?
This question comes up a lot, so I thought I'd handle it now. Truly everyone has a good reason to hide their referrer (outranking their affiliate program for key terms, blackhat traffic, fear that someone else will clone your site or copy your traffic source, or general paranoia). I'm going to approach this from a blackhat angle, though.
It's no secret many affiliate programs do not like blackhat traffic. This is especially true for affiliate NETWORKS like Commission Junction. So how can we keep them from identifying our traffic source? We definitely do not want them to see our blackhat URL. But we also do not want them to see a user coming directly from the search engine. So how can we properly redirect someone, so we can control what the aff program sees as our referer? How can we make it survive a possible hand check?
While this is a complicated topic (since it IS the browser's choice what to pass), I'll do my best to test out some sample setups.
Note: If you don’t want to read the various tests, that’s fine. I bring it all together at the bottom.
Note2: I’ve heard of a lot of blackhats using methods of redirect who say their results contradict the ones I got from this experiment. If any would care to chime in, I’d be more than interested.
The Basics: Our goal is to take our blackhat traffic, bounce it off a nice whitehat site, then from there send that to the affiliate program. This 2 way redirect, when implemented properly, can hide the traffic source decently. The trick is having the whitehat site know when to redirect, and when not to.
* Our Test File Structure
o myStartPage.php: This is taking the place of the Google search result page in our experiment. Passing this page as the referrer to the affiliate program tells them that the user was either redirected, or came straight from the search engine result page (hereafter referred to as a "SERP").
o myBlackhatPage.php: The second stop in our redirection, this page is our scraped/cloaked/whatever'd site. It is whatever site we're actually using to promote them, but don't want them to see.
o myWhitehatPage.php: What we WANT the affiliate program to see as our referrer. This page [optimally] has 2 modes: whitehat quality content mode, and blackhat redirection mode. This page is not actually promoted at all, even whitehat. So we don't care if it ranks. It may eventually get banned, but we don't care.
o myAffiliate.php: The end page of our redirection algo. We’re hoping that this page will show myWhitehatPage.php as the referrer.
Non-Changing Variables
myBlackhatPage.php will ALWAYS be a 301/302 redirect to myWhitehatPage.php. Although we may want to alert the whitehat page to this fact later on, for right now we’re just researching what passes from page to page.
* Experiment 1: 302/301 Redirect
o Path for this is myStartPage>myBlackhatPage>myWhitehatPage>myAffiliate.
o Code of Whitehat page consists of
header("HTTP/1.1 302 Temporarily Moved");
header("Location: http://localhost/referrerCheck/myAffiliate.php");
o Result: Passed myStartPage.php: Failure
* Experiment 2: Meta Refresh (6 Second Refresh)
o Path for this is myStartPage>myBlackhatPage>myWhitehatPage(refresh)>myAffiliate.
o Code of Whitehat page consists of
<meta http-equiv="refresh" content="6;url=http://localhost/referrerCheck/myAffiliate.php">
o Result: Passed a blank referrer: Semi-Pass
* Experiment 3: Meta Refresh (Immediate Refresh)
o Path for this is myStartPage>myBlackhatPage>myWhitehatPage(refresh)>myAffiliate.
o Code of Whitehat page consists of
<meta http-equiv="refresh" content="0;url=http://localhost/referrerCheck/myAffiliate.php">
o Result: Passed a blank referrer: Semi-Pass
* Experiment 4: Javascript Redirect (Window.location)
o Path for this is myStartPage>myBlackhatPage>myWhitehatPage(JS redirect)>MyAffiliate
o Code of Whitehat Page consists of
<script type="text/javascript">
<!--
window.location = "http://localhost/referrerCheck/myAffiliate.php";
//-->
</script>
o Result: Passed blank referrer: Semi-Pass
* Experiment 5: Frameset
o Path for this is myStartPage>myBlackhatPage>myWhitehatPage(Frameset)>MyAffiliate
o Code of Whitehat page consists of
<frameset><frame src="http://localhost/referrerCheck/myAffiliate.php"></frameset>
o Result: Successfully Passes myWhitehat.php as the referring file!
o Note: This is less than optimal. Some affiliate programs are set to jump out of a frame, and also we don’t want the user overly aware of where they were bounced off of.
* Experiment 6: IFrame
o Path for this is myStartPage>myBlackhatPage>myWhitehatPage(IFrame)>MyAffiliate
o Code of Whitehat page consists of
<iframe src="http://localhost/referrerCheck/myAffiliate.php"></iframe>
o Result: Successfully Passes myWhitehat.php as the referring file!
o Note: Suffers from the same problems as the previous (frameset) redirection method. Damn. However, with this, we can stop Internet Explorer (and only Internet Explorer) from breaking out of the iframe by adding security=restricted to the iframe tag, which [I believe] disallows the use of Javascript for iframes. But without Firefox, this is not too useful.
Bringing it all Together
Now, we have no perfect example here. One might exist, one might not. My research says no. But we're going to do the best we can. Here's a decent start point for you all. The desired effect here is to get as close as possible to a perfect redirect in terms of not getting caught. It is not the most practical approach.
* Telling the Whitehat Site to Redirect, and Not Display its Content
1. IFrame the whitehat site/page itself, from the blackhat site/page.
2. On the whitehat page, check to see if their IP is in the database of people who have come in via the blackhat site previously. Or check to see if the cookie you [may] have dropped in step 4 (yeah, confusing, I know) is still there. If they or the cookie is found, execute a refresh to the affiliate program (if they've already been here once, they will not pass a referrer; you'll understand that better as you read on).
3. On the whitehat page, have php search for the blackhat referrer:
if(stristr($_SERVER['HTTP_REFERER'],"myBlackhatdomain.com")!==FALSE) //we have a BH redirect
{
//Output the Javascript in Step 5
}
else
{
//Output pretty whitehat content that will satisfy an affiliate program
}
4. Insert the user’s IP address into a database OR drop a cookie. Either one of these we can use to identify them as a user that got here via a blackhat source in the future.
5. Use Javascript (this may not work in Opera, but will in Internet Explorer/Firefox) to break out of said iFrame.
<script type="text/javascript">
if (top.location != self.location) {
window.location = "http://www.mywhitehatdomain.com/myWhitehatPage.php";
}
</script>
Note: In case Javascript is turned off, you may want to throw a meta-refresh in there to pick up the slack. Give it a couple second delay to give the JS a chance to work. If the meta refresh is forced to execute though, we will still be iFramed in the blackhat URL. But the referrer should be the whitehat site. So in 99% of cases we’ll be ok.
6. Now, the command above SHOULD have made the page reload, with no referrer (since they were already in an iframe of http://www.mywhitehatdomain.com/myWhitehatPage.php, and Javascript redirects do not pass a referrer). So, once again, as in step 2, we check to see if their IP is in the database, or the cookie is still present. If it is, that means... yup! We can now iframe the real affiliate offer, with the blackhat site nowhere in existence. Not in the URL bar, not in the referrer, nowhere! And the whole thing looks like it happened immediately to the user.
XMCP, Why the Hell Does that Have To be So Complicated?
Because we now have a way to set a whitehat domain as the referrer. But even if the affiliate program comes to check the URL, nothing appears to be odd about it! They can’t find the iframe unless it was initially accessed via the blackhat site, which they have no way to find. So it appears to be a static link.
There might be a simpler way to achieve that, but hell if I can figure out how.
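The view from the receiving end, as an added example (not code from the original post): the framed setups in Experiments 5 and 6 and in the final walkthrough present a clean referrer but load the offer page inside another site's frame, which the landing page's server can see in the Sec-Fetch-Dest request header and refuse with frame-ancestors. The hostnames, affiliate IDs and sample clicks below are constructed.

```javascript
// Added example: click triage on the receiving (affiliate program) side.
// Header names are real; hosts, affiliate IDs and clicks are constructed.
const FRAME_DESTS = new Set(["iframe", "frame", "embed", "object"]);
// Response headers that refuse rendering inside another site's frame.
const ANTI_FRAMING_HEADERS = {
  "Content-Security-Policy": "frame-ancestors 'self'", "X-Frame-Options": "SAMEORIGIN",
};
// Classify one landing-page request from its lower-cased headers.
function assessClick(headers) {
  const referer = (headers["referer"] || "").trim();
  let refererHost = null; // null means no Referer was sent (Experiments 2-4)
  if (referer) {
    try { refererHost = new URL(referer).hostname; } catch (e) { refererHost = "invalid"; }
  }
  const dest = (headers["sec-fetch-dest"] || "").toLowerCase();
  return {
    refererHost,
    blankReferer: refererHost === null,
    // Offer page requested as a sub-frame of a different site (Experiments 5-6).
    framed: FRAME_DESTS.has(dest) && headers["sec-fetch-site"] === "cross-site",
  };
}

// Per-affiliate blank-referrer and framed-load rates; a hand check of the
// referring URL alone does not surface either signal.
function summarize(clicks) {
  const stats = {};
  for (const { affiliate, headers } of clicks) {
    const a = assessClick(headers);
    const s = (stats[affiliate] = stats[affiliate] || { total: 0, blank: 0, framed: 0 });
    s.total += 1;
    if (a.blankReferer) s.blank += 1;
    if (a.framed) s.framed += 1;
  }
  for (const s of Object.values(stats)) {
    s.blankRate = s.blank / s.total;
    s.framedRate = s.framed / s.total;
  }
  return stats;
}

const doc = { "sec-fetch-dest": "document", "sec-fetch-site": "cross-site" };
const frm = { "sec-fetch-dest": "iframe", "sec-fetch-site": "cross-site" };
const SAMPLE_CLICKS = [ // constructed sample data
  { affiliate: "aff-100", headers: { ...doc, referer: "https://reviews.example/widgets" } },
  { affiliate: "aff-200", headers: { ...frm, referer: "https://blog.example/page.php" } },
  { affiliate: "aff-200", headers: { ...frm, referer: "https://blog.example/page.php" } },
  { affiliate: "aff-200", headers: { ...doc } },
  { affiliate: "aff-200", headers: { ...doc, referer: "https://blog.example/page.php" } },
];
```

Sec-Fetch-* headers are sent by current browsers over HTTPS only, so a missing header says nothing either way.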