Cookie Stuffing with .htaccess

I recently got the chance to speak on Whiteboard Friday over at SEOmoz, it was a quick session whereby a few SEO’s just give up a couple of tricks that the general population may not be aware of, i chose to talk about cookie stuffing.

Cookie stuffing is not new and has been blogged about a few times so i am not pretending to have actually come up with the method. I wanted to talk about it because i have been doing it slightly different using .htaccess and i have also been getting some really good results.

Basically, Cookie stuffing is a method in which you place cookies on users computers without them nessecerally knowing about it. It can be used on your affiliate sites to auto drop a cookie without the user actually clicking through your banner and converting on the retailers site. This allows you to get a much better conversion rate for visitors of your site because even if they hit your page, bounce, and then goto the retailers page at a later date (within the cookie length) you still get the sale.

It can also be used off site, whereby you would drop a cookie for a large affiliate site (such as ebay or amazon) by simply having a reference to your image. You can use this trick anywhere which allows you to use image code.

So here are the steps to do it…

1) Create a directory on your server with an inconspicuous name such as /stats
2) In that directory create a .htaccess file with the following code…
RewriteEngine On
RewriteRule yourfakeimage.jpg http://www.cookiedroppingurl.com [R,L]
3) Place the /stats/yourfakeimage.jpg code in the footer of your site and then when the browser requests the image the .htaccess will return them the url which drops the cookie, this is all done in the background so unless someone is specifically looking out for it then you should get away with doing it

Obviously, you can use /stats/yourfakeimage.jpg in any other site that allows you to reference an image, aslong as the site doesnt cache the image locally on their server then you will be able to serve up as many cookies as you like.

There has been a lot of debate about whether using this method on external sites is classed as stealing and Esrun wrote a great article on cookie dropping.

I just want to add that you should be careful doing this, obviously if your affiliate see’s that you are generating a 100% clickthrough rate then they are going to start asking questions and can even ban you from the program.

Edit: Reader El Bueno has come up with a method for doing this on Windows IIS, you can see his solution in his comment

(Visited 4,084 times, 1 visits today)
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

43 Comments
Inline Feedbacks
View all comments
Brent D. Payne
12 years ago

How would you do this in IIS6? That’s the environment I am on with my servers and I want to look into this more.

Matthew Inman
12 years ago

You could probably pull this off with a tiny as well.

The technical parts make total sense to me – it’s knowing what affiliates to use that I don’t know much about. I’ve never done much with affiliates before.

Matthew Inman
12 years ago

Er..whoops, my last comment contained an HTML tag that was stripped out:

“You could probably pull this off with a tiny (iframe) as well”

chuckallied
chuckallied
12 years ago

@Brent, I think you can use http://urlrewriter.net/ to accomplish this. I’ve recently started working in an Windows IIS environment as well and am looking into URL rewriting for other purposes, still, you should be able to accomplish similar results as you can with mod-rewrite/Apache.

More specific in the help section of that site and this page:
http://urlrewriter.net/index.php/support/reference/actions/rewrite

spambuster
spambuster
12 years ago

This is a low form of spam and is agianst the TOS with 99.9% of all affiliate companies. Not to mention this trick has been used for several years and some people are actually getting sued by affiliates over it.

mike
12 years ago

Question:

Let’s say that I own an affiliate website. Let’s pretend it is bestbuy.com. Is there any way that BestBuy can tell that I am doing the stuffing?

I know some companies that have affiliate programs utilize third party companies to analyze the incoming affiliate traffic and check for “fraud”.

Brent D. Payne
12 years ago

Spambuster . . . It’s important to understand this technique for several reasons other than for profit reasons. Admitedly, I find both intriguing but mainly because this was going on for years without my knowledge and I ran major affiliate programs in the computer and consumer electronics industries. Plus, my past is one of blackhat (you’d call it spam) tactics to achieve incredible rankings from 2001 through 2005 in the computer and CE field targetting Amazon.com. My ability to hack Amazon’s UGC features is my biggest claim to fame. 😉

Chewie/Chuck Allied,

I don’t understand this . . . it seems so straight forward in Apache but I can’t figure it out in IIS. It seems considerably more difficult in IIS. Am I missing something? Do you have code samples? I’d swap server space on a colocated dedicated T1 for you to show me, step by step how to do this (and as you do it).

I seriously feel like such a moron having not discovered this before now. It tells you how clueless people on the ‘other side’ of the affiliate business are oblivious to some tactics. I even used to compare conversion rates to watch for stuff like this and never caught it. Grrrr.

Brent D. Payne

trackback

[…] Cookie Stuffing with .htaccess I recently got the chance to speak on Whiteboard Friday over at SEOmoz, it was a quick session whereby a few SEO’s just give up a couple of tricks that the general population may not be aware of, i chose to talk about cookie stuffing. … […]

Law
Law
12 years ago

Stupid question …I see how you can serve the cookie but how do you show the image too so it looks legit?

Law
Law
12 years ago

Ok its a shame…I have a competitor who is hot linking to my images on my server. I was going to fix but then I saw this and I started to think …”what better justice than this”?

hmm….

Jordan Stevens
12 years ago

I have a video and screenshot guide for this exact method on my blog 😉

gm
gm
12 years ago

“Ok its a shame…I have a competitor who is hot linking to my images on my server. I was going to fix but then I saw this and I started to think …”what better justice than this”?

hmm….”

This is a BRILLIANT idea…Set up a site with hot link bait then replace some of the images with htaccess trick and some aff links….Wonder if this would work? Though the 301 is also a good idea…

El Bueno
El Bueno
12 years ago

In IIS6 you’ll need a URL rewriter component installed on your server. I’ve used http://www.isapirewrite.com/.

You need to read their instructions on creating an httpd.ini file. If your image is something like myimage.gif, then the httpd.ini file will look like:

————————————-
[ISAPI_Rewrite]
# Block external access to the httpd.ini and httpd.parse.errors files
RewriteRule /httpd(?:\.ini|\.parse\.errors) [F,I,O]

#Fake Tracking Cookie
RewriteRule /myimage.gif /myaspredirectscript.asp [I,L]
————————————-

I am in the first stages of testing this so I don’t guarantee it 100%, it’s the approach I intend to take.

Andre
Andre
12 years ago

do you know how to hide the referer when cookie stuffing forums?

IMHustle
11 years ago

Even though this is forbidden from almost every affiliate site this is a great post Chewie. I know a couple of people doing these tricks and they are making between $5,000 – $20,000 a month with hardly any work. I would say they work 30-60 minutes a day to receive this kind of revenue from cookie stuffing.

I myself would consider first what I am about to lose if I get caught before cookie stuffing. The only real reason I would cookie stuff in my opinion is if I know I had some big bills to pay next month such as car payment, mortgage, and stuff of that sort but once you have enough money take the cookie stuffer off your site completely.

Like I said before Chewie you are a great writer and have interesting subjects to write about and for folks to read about. Thanks for taking the effort to set up this blog and to teach all.

Donace
11 years ago

I personally do not cookie stuff, but as a basis it IS a intriguing idea; i actually discussed certain methods that could be employed to cookie-stuff over at my blog:

http://thenexus.tk/want-a-cookie/

Though before you click through I would like to reiterate it is written from a educational point of view.

The real question is is the trade-off worth it? the small fry get a slap and a ban but the bigger ones can get sued.

In my eyes it is a nono as bottom line you are stealing potential income from a more ‘whitehat’ person.

Fxgator
Fxgator
11 years ago

“Chewie Says:
August 21st, 2008 at 9:39 am

Andre: I guess you could drop an image that calls your URL first, and then that URL calls the cookie url to drop. Then the referrer should look like your own legit site.”

Can you explain how to actually do that?

Thanks.

Kali
Kali
11 years ago

Chewie

Is there a way to suppress the cookied site displaying briefly in the status bar?

Jim Kramer
11 years ago

“I just want to add that you should be careful doing this, obviously if your affiliate see’s that you are generating a 100% clickthrough rate then they are going to start asking questions and can even ban you from the program.”

How do they know the click through that I am getting on my site?

So I buy traffic…from google say…then they get the cookie dropped on their PC when they visit my site…How does the affiliate program know that every visitor is getting that cookie? I mean I could have a 5000 people visiting the page and only 1000 people clicking the link???

If you could help clarify what information the cookie contains that would be great.

Thanks, Jim

Flash Cookie Stuffer
11 years ago

If you’re looking for a secure way to do it, check out Flash Cookie Stuffer (flashcookiestuffer.com).

This looks a great way to make a lot of affiliate cash without getting caught.

BizCredit
11 years ago

Cookie Stuffing is still alive and well! I know hundreds of people doing it

Loll
Loll
10 years ago

Hello Chewy,i am a relative newbie, i have been cooking stuffing with small results, i used a script set up by a friend that has ben down now for three weeks, i would like to be independant, not sure whether i should purchase a script, though reading your article above makes me wonder if i need to, only problem is i am not sure how to set up the files you talk about, could you please advise.

Regards

Loll

Pinjaman Koperasi
10 years ago

This is a great stuff. Will it be considered as a black hat? Wonder will Google take action on this or not.

dayakcinta
10 years ago

well, its verry interesting, btw your affiliate acount will got ban alsofrom google ,

http://dayakcinta.com

Michael Pedzotti
10 years ago

I have developed a wordpress plugin that drops cookies using an iframe. A soon to be released upgrade will include the option of dropping cookies through an image tag and controlling the hit percentage. There are other enhancements coming but for now, it behaves very well using simple, small iframes on any page or post.

Mr. Print
Mr. Print
10 years ago

I'm guessing this just isn't possible anymore as modern day 2010 browsers are savvy to this, because it doesn't seem to work anymore?

john
john
8 years ago

will it also work for an image located at /images/blah/hello.jpg ?

Cheers

Dewi_Rukmana
10 years ago

maybe I should try this method 🙂

SEO Sheffield
8 years ago

Cookie stuffing (also cookie dropping) is a blackhat online marketing technique used to generate illegitimate affiliate sales. Cookie stuffing occurs when a user visits a website, and as a result of that visit receives a third-party cookie from an entirely different website (the target affiliate website), usually without the user being aware of it.[1] When (if) the user visits the target website and completes a qualifying transaction, the cookie stuffer is paid a commission. Depending on the terms of the affiliate agreement a qualifying transaction may refer to creating an account, making a purchase, completing an application (loan, credit, etc), or subscribing to a newsletter.

SEO Sheffield
8 years ago

anyone know of a chocolate cookie like an oreo but without the stuffing?