I recently got the chance to speak on Whiteboard Friday over at SEOmoz, it was a quick session whereby a few SEO’s just give up a couple of tricks that the general population may not be aware of, i chose to talk about cookie stuffing.
Cookie stuffing is not new and has been blogged about a few times so i am not pretending to have actually come up with the method. I wanted to talk about it because i have been doing it slightly different using .htaccess and i have also been getting some really good results.
Basically, Cookie stuffing is a method in which you place cookies on users computers without them nessecerally knowing about it. It can be used on your affiliate sites to auto drop a cookie without the user actually clicking through your banner and converting on the retailers site. This allows you to get a much better conversion rate for visitors of your site because even if they hit your page, bounce, and then goto the retailers page at a later date (within the cookie length) you still get the sale.
It can also be used off site, whereby you would drop a cookie for a large affiliate site (such as ebay or amazon) by simply having a reference to your image. You can use this trick anywhere which allows you to use image code.
So here are the steps to do it…
1) Create a directory on your server with an inconspicuous name such as /stats
2) In that directory create a .htaccess file with the following code…
RewriteEngine On
RewriteRule yourfakeimage.jpg http://www.cookiedroppingurl.com [R,L]
3) Place the /stats/yourfakeimage.jpg code in the footer of your site and then when the browser requests the image the .htaccess will return them the url which drops the cookie, this is all done in the background so unless someone is specifically looking out for it then you should get away with doing it
Obviously, you can use /stats/yourfakeimage.jpg in any other site that allows you to reference an image, aslong as the site doesnt cache the image locally on their server then you will be able to serve up as many cookies as you like.
There has been a lot of debate about whether using this method on external sites is classed as stealing and Esrun wrote a great article on cookie dropping.
I just want to add that you should be careful doing this, obviously if your affiliate see’s that you are generating a 100% clickthrough rate then they are going to start asking questions and can even ban you from the program.
Edit: Reader El Bueno has come up with a method for doing this on Windows IIS, you can see his solution in his comment
How would you do this in IIS6? That’s the environment I am on with my servers and I want to look into this more.
Hi Brent,
I have tried a few methods of doing this, but found that using .htaccess on apache is by far the easiest, and most bullet proof way of doing it.
If you are running php on IIS6 then you have some options available to you. You could reference an image which is actually an php script. So write the script to redirect to the Affiliate cookie dropping URL and call it yourimage.jpg. I guess you could actually do the same thing with ASP but i dont have any experience in that?
Can you set up a redirect in II6 for an individual file? You could try that and set the redirect to goto the cookie dropping URL when yourimage.jpg is called. Try it and let me know if that works.
My friend Esrun has some coding examples for other methods which may or may not work on IIS6…
http://www.esrun.co.uk/blog/wp-content/uploads/2008/03/cookie_stuffing_resource_files.zip
You could probably pull this off with a tiny as well.
The technical parts make total sense to me – it’s knowing what affiliates to use that I don’t know much about. I’ve never done much with affiliates before.
Er..whoops, my last comment contained an HTML tag that was stripped out:
“You could probably pull this off with a tiny (iframe) as well”
Matthew: You certainly can use an iframe but obviously that doesn’t allow you to drop Cookie’s from 3rd party sites that you dont own. With the image you can drop it anywhere on the web and the cookie will be delivered.
@Brent, I think you can use http://urlrewriter.net/ to accomplish this. I’ve recently started working in an Windows IIS environment as well and am looking into URL rewriting for other purposes, still, you should be able to accomplish similar results as you can with mod-rewrite/Apache.
More specific in the help section of that site and this page:
http://urlrewriter.net/index.php/support/reference/actions/rewrite
This is a low form of spam and is agianst the TOS with 99.9% of all affiliate companies. Not to mention this trick has been used for several years and some people are actually getting sued by affiliates over it.
You are completely correct Spambuster, i would not advise anyone to use the technique on a site they want to build up.
As i said in the post, there has been much debated about the morales of this technique and i also did say that it is certainly not new.
Question:
Let’s say that I own an affiliate website. Let’s pretend it is bestbuy.com. Is there any way that BestBuy can tell that I am doing the stuffing?
I know some companies that have affiliate programs utilize third party companies to analyze the incoming affiliate traffic and check for “fraud”.
Spambuster . . . It’s important to understand this technique for several reasons other than for profit reasons. Admitedly, I find both intriguing but mainly because this was going on for years without my knowledge and I ran major affiliate programs in the computer and consumer electronics industries. Plus, my past is one of blackhat (you’d call it spam) tactics to achieve incredible rankings from 2001 through 2005 in the computer and CE field targetting Amazon.com. My ability to hack Amazon’s UGC features is my biggest claim to fame. 😉
Chewie/Chuck Allied,
I don’t understand this . . . it seems so straight forward in Apache but I can’t figure it out in IIS. It seems considerably more difficult in IIS. Am I missing something? Do you have code samples? I’d swap server space on a colocated dedicated T1 for you to show me, step by step how to do this (and as you do it).
I seriously feel like such a moron having not discovered this before now. It tells you how clueless people on the ‘other side’ of the affiliate business are oblivious to some tactics. I even used to compare conversion rates to watch for stuff like this and never caught it. Grrrr.
Brent D. Payne
Mike: When the page loads you can see the status bar change to opening page http://www.cookieurl.com so a keen eye can spot it.
Brent: I have absolutely no idea how to do it on IIS, i am a LAMP man myself and dont have a lot of knowledge about Win boxes. Hopefully someone else will be able to help you out? Do you have access to php on the IIS server?
[…] Cookie Stuffing with .htaccess I recently got the chance to speak on Whiteboard Friday over at SEOmoz, it was a quick session whereby a few SEO’s just give up a couple of tricks that the general population may not be aware of, i chose to talk about cookie stuffing. … […]
Stupid question …I see how you can serve the cookie but how do you show the image too so it looks legit?
Hey Law,
It’s not a stupid question, you can’t actually show the image so the best thing to do is (in the html) assign the height and width to be 1px and also use alt=” “
Ok its a shame…I have a competitor who is hot linking to my images on my server. I was going to fix but then I saw this and I started to think …”what better justice than this”?
hmm….
Hey Law,
Well if you have someone who is hot linking to your images then simply do a 301 redirect on the image to your homepage, that way you can effectively pass some link juice and authority back to your own site.
Do a search on the net on how to combat hot linkers, else i might do a blog post on it with some coding examples if u cant find anything.
I have a video and screenshot guide for this exact method on my blog 😉
“Ok its a shame…I have a competitor who is hot linking to my images on my server. I was going to fix but then I saw this and I started to think …”what better justice than this”?
hmm….”
This is a BRILLIANT idea…Set up a site with hot link bait then replace some of the images with htaccess trick and some aff links….Wonder if this would work? Though the 301 is also a good idea…
Hey GM,
You could easily set the image to provide a cookie drop, although depending on what your are cookie dropping and who is linking to you then it may be better to 301 and get the link juice.
In IIS6 you’ll need a URL rewriter component installed on your server. I’ve used http://www.isapirewrite.com/.
You need to read their instructions on creating an httpd.ini file. If your image is something like myimage.gif, then the httpd.ini file will look like:
————————————-
[ISAPI_Rewrite]
# Block external access to the httpd.ini and httpd.parse.errors files
RewriteRule /httpd(?:\.ini|\.parse\.errors) [F,I,O]
#Fake Tracking Cookie
RewriteRule /myimage.gif /myaspredirectscript.asp [I,L]
————————————-
I am in the first stages of testing this so I don’t guarantee it 100%, it’s the approach I intend to take.
do you know how to hide the referer when cookie stuffing forums?
Andre: I guess you could drop an image that calls your URL first, and then that URL calls the cookie url to drop. Then the referrer should look like your own legit site.
El Bueno: Nice info for IIS users, let me know how you get on with it 🙂
Even though this is forbidden from almost every affiliate site this is a great post Chewie. I know a couple of people doing these tricks and they are making between $5,000 – $20,000 a month with hardly any work. I would say they work 30-60 minutes a day to receive this kind of revenue from cookie stuffing.
I myself would consider first what I am about to lose if I get caught before cookie stuffing. The only real reason I would cookie stuff in my opinion is if I know I had some big bills to pay next month such as car payment, mortgage, and stuff of that sort but once you have enough money take the cookie stuffer off your site completely.
Like I said before Chewie you are a great writer and have interesting subjects to write about and for folks to read about. Thanks for taking the effort to set up this blog and to teach all.
Hi IMHustle,
Yes this is certainly frowned upon by almost every single affiliate out there, unless of course you are in the porn or pills business 🙂
At the end of the day, if someone has a white hat site that is making them a couple of £k per month then it is pretty stupid to go and mess that up by trying cookie stuffing. However, a failing site that you are not too bothered about, or (as you have pointed out) a churn and burn site with people who know what they are doing can generate a hell of a lot of cash in such a short amount of time by using the above techniques.
Again, as you pointed out, people need to look to see if it is worth it for their situation and if they are trying to use it as a sole income then they are probably going to get burnt at some point like all black hat ventures.
Finally, Thank you very much for your kind words, other than blushing i am not really sure what to say. I guess when i get comments like yours it makes my ramblings all the more worth while 🙂
Hope to see you around here more often but your name does ring a bell… have you commented before? Have we met? I checked out your site but it was down 🙁
I personally do not cookie stuff, but as a basis it IS a intriguing idea; i actually discussed certain methods that could be employed to cookie-stuff over at my blog:
http://thenexus.tk/want-a-cookie/
Though before you click through I would like to reiterate it is written from a educational point of view.
The real question is is the trade-off worth it? the small fry get a slap and a ban but the bigger ones can get sued.
In my eyes it is a nono as bottom line you are stealing potential income from a more ‘whitehat’ person.
“Chewie Says:
August 21st, 2008 at 9:39 am
Andre: I guess you could drop an image that calls your URL first, and then that URL calls the cookie url to drop. Then the referrer should look like your own legit site.”
Can you explain how to actually do that?
Thanks.
Fxgator:
I haven’t tried this so i don’t know if it works or not…
Normal cookie drop does this…
Forum -> your server -> drops cookie
You could try…
Forum -> Obfuscated Server -> (301 redirects to) your server -> drops cookie
That way you have put an extra server in the way which might show up as the referring site?
Try it and let me know if it works.
Chewie
Is there a way to suppress the cookied site displaying briefly in the status bar?
Hi Kali,
There is no way that i know of being able supressing the url in the status bar.
Sorry
“I just want to add that you should be careful doing this, obviously if your affiliate see’s that you are generating a 100% clickthrough rate then they are going to start asking questions and can even ban you from the program.”
How do they know the click through that I am getting on my site?
So I buy traffic…from google say…then they get the cookie dropped on their PC when they visit my site…How does the affiliate program know that every visitor is getting that cookie? I mean I could have a 5000 people visiting the page and only 1000 people clicking the link???
If you could help clarify what information the cookie contains that would be great.
Thanks, Jim
Hey Jim,
Well when you drop the affiliate cookie then it comes from the affiliate URL, when the cookie is dropped then their stats record a click through.
If you started off a brand new site and did this from the very start then it wouldn’t be a massive deal because they wouldn’t already have numbers for your click through rate. However if usually you only get 50 people a day clicking on an affiliate banner but then you start to cookie drop and that number goes up to say 500, then they are going to wonder why it has gone up so quickly.
So basically each time you drop a cookie it is the equivalent of one of your users clicking the link and going through to the merchant page. If its really high then they are going to look into why, and then if they realise you are dropping cookies in the background then you’ll get busted.
If you’re looking for a secure way to do it, check out Flash Cookie Stuffer (flashcookiestuffer.com).
This looks a great way to make a lot of affiliate cash without getting caught.
[…] https://www.chewie.co.uk/blackhat/cookie-stuffing-with-htaccess/ […]
Cookie Stuffing is still alive and well! I know hundreds of people doing it
Hello Chewy,i am a relative newbie, i have been cooking stuffing with small results, i used a script set up by a friend that has ben down now for three weeks, i would like to be independant, not sure whether i should purchase a script, though reading your article above makes me wonder if i need to, only problem is i am not sure how to set up the files you talk about, could you please advise.
Regards
Loll
This is a great stuff. Will it be considered as a black hat? Wonder will Google take action on this or not.
well, its verry interesting, btw your affiliate acount will got ban alsofrom google ,
http://dayakcinta.com
I have developed a wordpress plugin that drops cookies using an iframe. A soon to be released upgrade will include the option of dropping cookies through an image tag and controlling the hit percentage. There are other enhancements coming but for now, it behaves very well using simple, small iframes on any page or post.
I'm guessing this just isn't possible anymore as modern day 2010 browsers are savvy to this, because it doesn't seem to work anymore?
will it also work for an image located at /images/blah/hello.jpg ?
Cheers
maybe I should try this method 🙂
Cookie stuffing (also cookie dropping) is a blackhat online marketing technique used to generate illegitimate affiliate sales. Cookie stuffing occurs when a user visits a website, and as a result of that visit receives a third-party cookie from an entirely different website (the target affiliate website), usually without the user being aware of it.[1] When (if) the user visits the target website and completes a qualifying transaction, the cookie stuffer is paid a commission. Depending on the terms of the affiliate agreement a qualifying transaction may refer to creating an account, making a purchase, completing an application (loan, credit, etc), or subscribing to a newsletter.
anyone know of a chocolate cookie like an oreo but without the stuffing?