Cookie Stuffing with .htaccess

I recently got the chance to speak on Whiteboard Friday over at SEOmoz, it was a quick session whereby a few SEO’s just give up a couple of tricks that the general population may not be aware of, i chose to talk about cookie stuffing.

Cookie stuffing is not new and has been blogged about a few times so i am not pretending to have actually come up with the method. I wanted to talk about it because i have been doing it slightly different using .htaccess and i have also been getting some really good results.

Basically, Cookie stuffing is a method in which you place cookies on users computers without them nessecerally knowing about it. It can be used on your affiliate sites to auto drop a cookie without the user actually clicking through your banner and converting on the retailers site. This allows you to get a much better conversion rate for visitors of your site because even if they hit your page, bounce, and then goto the retailers page at a later date (within the cookie length) you still get the sale.

It can also be used off site, whereby you would drop a cookie for a large affiliate site (such as ebay or amazon) by simply having a reference to your image. You can use this trick anywhere which allows you to use image code.

So here are the steps to do it…

1) Create a directory on your server with an inconspicuous name such as /stats
2) In that directory create a .htaccess file with the following code…
RewriteEngine On
RewriteRule yourfakeimage.jpg http://www.cookiedroppingurl.com [R,L]
3) Place the /stats/yourfakeimage.jpg code in the footer of your site and then when the browser requests the image the .htaccess will return them the url which drops the cookie, this is all done in the background so unless someone is specifically looking out for it then you should get away with doing it

Obviously, you can use /stats/yourfakeimage.jpg in any other site that allows you to reference an image, aslong as the site doesnt cache the image locally on their server then you will be able to serve up as many cookies as you like.

There has been a lot of debate about whether using this method on external sites is classed as stealing and Esrun wrote a great article on cookie dropping.

I just want to add that you should be careful doing this, obviously if your affiliate see’s that you are generating a 100% clickthrough rate then they are going to start asking questions and can even ban you from the program.

Edit: Reader El Bueno has come up with a method for doing this on Windows IIS, you can see his solution in his comment

Leave a Reply

43 Comments on "Cookie Stuffing with .htaccess"

Notify of
avatar
Brent D. Payne
Guest

How would you do this in IIS6? That’s the environment I am on with my servers and I want to look into this more.

Matthew Inman
Guest

You could probably pull this off with a tiny as well.

The technical parts make total sense to me – it’s knowing what affiliates to use that I don’t know much about. I’ve never done much with affiliates before.

Matthew Inman
Guest

Er..whoops, my last comment contained an HTML tag that was stripped out:

“You could probably pull this off with a tiny (iframe) as well”

chuckallied
Guest

@Brent, I think you can use http://urlrewriter.net/ to accomplish this. I’ve recently started working in an Windows IIS environment as well and am looking into URL rewriting for other purposes, still, you should be able to accomplish similar results as you can with mod-rewrite/Apache.

More specific in the help section of that site and this page:
http://urlrewriter.net/index.php/support/reference/actions/rewrite

spambuster
Guest

This is a low form of spam and is agianst the TOS with 99.9% of all affiliate companies. Not to mention this trick has been used for several years and some people are actually getting sued by affiliates over it.

mike
Guest

Question:

Let’s say that I own an affiliate website. Let’s pretend it is bestbuy.com. Is there any way that BestBuy can tell that I am doing the stuffing?

I know some companies that have affiliate programs utilize third party companies to analyze the incoming affiliate traffic and check for “fraud”.

Brent D. Payne
Guest
Spambuster . . . It’s important to understand this technique for several reasons other than for profit reasons. Admitedly, I find both intriguing but mainly because this was going on for years without my knowledge and I ran major affiliate programs in the computer and consumer electronics industries. Plus, my past is one of blackhat (you’d call it spam) tactics to achieve incredible rankings from 2001 through 2005 in the computer and CE field targetting Amazon.com. My ability to hack Amazon’s UGC features is my biggest claim to fame. 😉 Chewie/Chuck Allied, I don’t understand this . . . it… Read more »
trackback

[…] Cookie Stuffing with .htaccess I recently got the chance to speak on Whiteboard Friday over at SEOmoz, it was a quick session whereby a few SEO’s just give up a couple of tricks that the general population may not be aware of, i chose to talk about cookie stuffing. … […]

Law
Guest

Stupid question …I see how you can serve the cookie but how do you show the image too so it looks legit?

Law
Guest

Ok its a shame…I have a competitor who is hot linking to my images on my server. I was going to fix but then I saw this and I started to think …”what better justice than this”?

hmm….

Jordan Stevens
Guest

I have a video and screenshot guide for this exact method on my blog 😉

gm
Guest

“Ok its a shame…I have a competitor who is hot linking to my images on my server. I was going to fix but then I saw this and I started to think …”what better justice than this”?

hmm….”

This is a BRILLIANT idea…Set up a site with hot link bait then replace some of the images with htaccess trick and some aff links….Wonder if this would work? Though the 301 is also a good idea…

El Bueno
Guest

In IIS6 you’ll need a URL rewriter component installed on your server. I’ve used http://www.isapirewrite.com/.

You need to read their instructions on creating an httpd.ini file. If your image is something like myimage.gif, then the httpd.ini file will look like:

————————————-
[ISAPI_Rewrite]
# Block external access to the httpd.ini and httpd.parse.errors files
RewriteRule /httpd(?:\.ini|\.parse\.errors) [F,I,O]

#Fake Tracking Cookie
RewriteRule /myimage.gif /myaspredirectscript.asp [I,L]
————————————-

I am in the first stages of testing this so I don’t guarantee it 100%, it’s the approach I intend to take.

Andre
Guest

do you know how to hide the referer when cookie stuffing forums?

IMHustle
Guest
Even though this is forbidden from almost every affiliate site this is a great post Chewie. I know a couple of people doing these tricks and they are making between $5,000 – $20,000 a month with hardly any work. I would say they work 30-60 minutes a day to receive this kind of revenue from cookie stuffing. I myself would consider first what I am about to lose if I get caught before cookie stuffing. The only real reason I would cookie stuff in my opinion is if I know I had some big bills to pay next month such… Read more »
Donace
Guest

I personally do not cookie stuff, but as a basis it IS a intriguing idea; i actually discussed certain methods that could be employed to cookie-stuff over at my blog:

http://thenexus.tk/want-a-cookie/

Though before you click through I would like to reiterate it is written from a educational point of view.

The real question is is the trade-off worth it? the small fry get a slap and a ban but the bigger ones can get sued.

In my eyes it is a nono as bottom line you are stealing potential income from a more ‘whitehat’ person.

Fxgator
Guest

“Chewie Says:
August 21st, 2008 at 9:39 am

Andre: I guess you could drop an image that calls your URL first, and then that URL calls the cookie url to drop. Then the referrer should look like your own legit site.”

Can you explain how to actually do that?

Thanks.

Kali
Guest

Chewie

Is there a way to suppress the cookied site displaying briefly in the status bar?

Jim Kramer
Guest
“I just want to add that you should be careful doing this, obviously if your affiliate see’s that you are generating a 100% clickthrough rate then they are going to start asking questions and can even ban you from the program.” How do they know the click through that I am getting on my site? So I buy traffic…from google say…then they get the cookie dropped on their PC when they visit my site…How does the affiliate program know that every visitor is getting that cookie? I mean I could have a 5000 people visiting the page and only 1000… Read more »
Flash Cookie Stuffer
Guest

If you’re looking for a secure way to do it, check out Flash Cookie Stuffer (flashcookiestuffer.com).

This looks a great way to make a lot of affiliate cash without getting caught.

BizCredit
Guest

Cookie Stuffing is still alive and well! I know hundreds of people doing it

Loll
Guest

Hello Chewy,i am a relative newbie, i have been cooking stuffing with small results, i used a script set up by a friend that has ben down now for three weeks, i would like to be independant, not sure whether i should purchase a script, though reading your article above makes me wonder if i need to, only problem is i am not sure how to set up the files you talk about, could you please advise.

Regards

Loll

Pinjaman Koperasi
Guest

This is a great stuff. Will it be considered as a black hat? Wonder will Google take action on this or not.

dayakcinta
Guest

well, its verry interesting, btw your affiliate acount will got ban alsofrom google ,

http://dayakcinta.com

Michael Pedzotti
Guest

I have developed a wordpress plugin that drops cookies using an iframe. A soon to be released upgrade will include the option of dropping cookies through an image tag and controlling the hit percentage. There are other enhancements coming but for now, it behaves very well using simple, small iframes on any page or post.

Dewi_Rukmana
Guest

maybe I should try this method 🙂

Mr. Print
Guest

I'm guessing this just isn't possible anymore as modern day 2010 browsers are savvy to this, because it doesn't seem to work anymore?

john
Guest

will it also work for an image located at /images/blah/hello.jpg ?

Cheers

SEO Sheffield
Guest
Cookie stuffing (also cookie dropping) is a blackhat online marketing technique used to generate illegitimate affiliate sales. Cookie stuffing occurs when a user visits a website, and as a result of that visit receives a third-party cookie from an entirely different website (the target affiliate website), usually without the user being aware of it.[1] When (if) the user visits the target website and completes a qualifying transaction, the cookie stuffer is paid a commission. Depending on the terms of the affiliate agreement a qualifying transaction may refer to creating an account, making a purchase, completing an application (loan, credit, etc),… Read more »
SEO Sheffield
Guest

anyone know of a chocolate cookie like an oreo but without the stuffing?

wpDiscuz