All methods of Affiliate Link Cloaking

We continue this comprehensive overview of all easy-to-understand and easy-to-use "Affiliate Link Cloaking" strategies. In this Part III you will learn about "Cookie Dropping"/"Cookie Stuffing". Remember: Whatever you do, it is your responsibility.

This blog post is a follow-up of Affiliate Link Cloaking - Part I and Part II. Please read both previous parts first, before you continue.

I got an interesting question via e-mail regarding Part II: whether, in general, iframes should no longer be used. No, of course iframes can be used, also for visitors with IE7, but only if the merchant does not evaluate cookies for commission. If the merchant works with a tracking pixel or only with Affiliate links, it's certainly no problem. Merchants drop cookies, but in some cases they don't evaluate them for commission. You should ask your merchant if you are unsure.

Method 3: Cookie Dropping - Cookie Stuffing

Cookie Dropping/Cookie Stuffing is a fraudulent method of dropping, or replacing/overwriting, cookies without the knowledge of visitors. Different methods exist for Affiliate beginners and more advanced Affiliates. But if you are caught, you will at least lose your business with the merchant, if the merchant does not also file a report. In practice almost nobody cares about this risk.

Let us have a very close look at those methods.

Cookie Dropping - Cookie Stuffing with 1x1-pixel iframes

When Affiliate beginners load a bunch of merchants' websites within 1x1-pixel iframes, it is as foolish as, e. g., backlinking with 1x1 pixels. Why? Because anyone can detect it easily by checking the source code. It is even more foolish because page load times explode. There are more problems:

Imagine you worked only with Cookie dropping. What would happen? Of course you might earn a lot of money online and you would have big success through an extremely high Click-Thru-Rate (CTR)... Certainly the CTR will be 100%. But be warned: merchants will notice.

The reason and how to avoid 100% Click-Thru-Rate?

Why up to 100% Click-Thru-Rate? If a prospect visits a website (that does not do Cookie dropping), he will not necessarily click a link. Perhaps only 10% of visitors click a link. This results in a CTR of 10%: from 1000 visitors, 100 will click. A click opens the merchant's website and a cookie is dropped. - If you open the merchant's website within an iframe on every impression of your website, the CTR will be 100%. For the merchant it looks as if 100% of visitors click on the link. This can be taken further: if 100% click, why do only 3% order?

Some consider this and randomize the loading of iframes with PHP (e. g. function rand) to make this look more natural. The iframes are then integrated only at, e. g., every fifth impression. But merchants can still find them in the source code of the page, and page load time is still too long. What do you think? Is it really necessary to load the merchant's page for dropping cookies?

First we have to learn what drops cookies. Is it really the page?

How are cookies dropped?

Have you ever wondered about Check Server Headers tools at SEO tools pages? Of course you can check HTTP status codes 200, 301, 302..., you can also check if Affiliates or merchants use "P3P Privacy Policies" from Microsoft for IE7 (see Part II of this post) and... if they drop cookies, because cookies are dropped via HTTP headers. There's no need to load the merchant's website for dropping cookies, but how can we call HTTP headers only?

If we check the HTTP header of a website, we see e. g.:
(only main details, some are deleted, all are changed)

#1 Server Response: http://www.domain.tld
HTTP Status Code: HTTP/1.1 200 OK
Date: Tue, 18 Nov 2008 19:57:41 GMT
Server: Server name
Set-Cookie: skin=noskin; path=/; domain=.domain.tld; expires=Tue, 18-Nov-2008 19:57:41 GMT
p3p: policyref="http://www.domain.tld/abcd/p3p.xml",CP="ABCDEF"
Set-cookie: ubid-main=846-635632673-5643454; path=/; domain=.domain.tld; expires=Tue Jan 01 06:00:01 2044 GMT
Set-cookie: session-token=kdf84/sWEo4ew/fj4dgf/ydff/ddjH7f3F/=; path=/; domain=.domain.tld; expires=Tue Nov 18 20:07:41 2008 GMT
Set-cookie: session-id-time=1326476; path=/; domain=.domain.tld; expires=Tue Nov 25 06:00:00 2008 GMT
Set-cookie: session-id=785-355784-3458732; path=/; domain=.domain.tld; expires=Tue Nov 25 06:00:00 2008 GMT
Connection: close

Cookie Dropping - Cookie Stuffing with <img> tag

How to call HTTP headers only?

We insert an image link incl. the Aff link in our source code:

<img scr="http://www.domain.tld/aff.php?id=a3f9h2t" alt=" ">

Mrs. Black Hat

The browser tries to load this non-existent image. The merchant's server returns the HTTP header (with 404) and drops the cookies. But, again, it's too easy to detect this image in your source code. We won't give up.

Let us think more advanced. How can we call the header of a merchant's website without using the Affiliate link in our source code?

It's that easy. Remember in connection with Affiliate Link Cloaking we talk about many methods of redirecting:

<img scr=" http://www.yourdomain.tld/ images/welcome.jpg" style="width:1px; height:1px; border:0">

If you check the source code of any website, you find many integrated images. That's natural. But what does this "welcome.jpg" stand for? Does it exist?

Of course it does not exist, but the request is redirected server-side, via htaccess or PHP, to a merchant's website using the Affiliate link. There, too, the image does not exist and a 404 HTTP header is returned. Nonetheless, cookies are dropped.
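Both the direct and the redirected `<img>` variant reach the merchant as an embedded image fetch, not as a page navigation, so the merchant's tracking endpoint can tell them apart from real clicks. The following is an added example, not code from the original post: it assumes browsers that send Fetch Metadata headers (`Sec-Fetch-Dest`, `Sec-Fetch-Mode`, sent over HTTPS only) and falls back to `Accept` for older clients. The function names, `merchant.example` and the sample requests are constructed.

```javascript
// Constructed hits on the merchant's affiliate endpoint (header names lower-cased).
// The aff.php?id=... shape follows the page's example; the second id is made up.
const SAMPLE_HITS = [
  { url: "/aff.php?id=a3f9h2t", headers: { "sec-fetch-dest": "image", "sec-fetch-mode": "no-cors" } },
  { url: "/aff.php?id=a3f9h2t", headers: { "sec-fetch-dest": "image", "sec-fetch-mode": "no-cors" } },
  { url: "/aff.php?id=a3f9h2t", headers: { "sec-fetch-dest": "iframe", "sec-fetch-mode": "navigate" } },
  { url: "/aff.php?id=a3f9h2t", headers: { accept: "image/png,image/*;q=0.8,*/*;q=0.5" } },
  { url: "/aff.php?id=k7m2q9x", headers: { "sec-fetch-dest": "document", "sec-fetch-mode": "navigate" } },
  { url: "/aff.php?id=k7m2q9x", headers: { accept: "text/html,application/xhtml+xml,*/*;q=0.8" } },
  { url: "/aff.php?id=k7m2q9x", headers: { accept: "*/*" } },
];

// A real click is a top-level navigation; <img> and <iframe> loads are embedded fetches.
function classifyHit(headers) {
  const dest = headers["sec-fetch-dest"];
  if (dest !== undefined) {
    const nav = dest === "document" && headers["sec-fetch-mode"] === "navigate";
    return nav ? "navigation" : "embedded";
  }
  // No Fetch Metadata (older client or plain HTTP): fall back to the Accept header.
  const accept = headers["accept"] || "";
  if (accept.includes("text/html")) return "navigation";
  if (accept.startsWith("image/")) return "embedded";
  return "unknown";
}

// Policy choice in this example: only a navigation may set or overwrite the commission cookie.
function shouldSetAffiliateCookie(headers) {
  return classifyHit(headers) === "navigation";
}

// Per-affiliate counts; flag ids whose hits are mostly embedded loads.
function summarize(hits, threshold = 0.5) {
  const byId = {};
  for (const hit of hits) {
    const id = new URL(hit.url, "https://merchant.example").searchParams.get("id") || "(none)";
    if (!byId[id]) byId[id] = { total: 0, navigation: 0, embedded: 0, unknown: 0 };
    byId[id].total += 1;
    byId[id][classifyHit(hit.headers)] += 1;
  }
  for (const row of Object.values(byId)) row.flagged = row.embedded / row.total > threshold;
  return byId;
}
```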

This solution is better than those mentioned above, but more advanced merchants will check all images at your page for redirection. We would need to recognize them to cloak their request. Perhaps we should show them another page instead of Aff link. But which one? I suggest to redirect them with another Aff link to Amazon. Perhaps merchants buy some products there?!

Honestly it's not the problem what to do. The problem seems to be how to find out who's the merchant that tries to load the images. Sometimes you find the solution if you think vice versa. As we will never get to know the IP addresses of merchants we only know one important fact. They will not visit our site via search engine. They have no referer. With HTTP_REFERER in PHP we check if there's no referer and redirect them with header("HTTP/1.0 404 Not Found"); to 404. Of course we redirect a few others that block their referer with this method to 404, but this percentage is not worthwhile to think about. Only if a merchant uses a fake referer we are trapped...

Have you noticed the width:1px and height:1px in the above-mentioned <img> tag? This looks pretty suspicious.

Gets tricky?

I have seen a really good improvement...:

<img scr="http://www.yourdomain.tld/images/welcome.jpg" style="width:110px; height:25px; border:0; display:none">

That's brilliant... But what's more suspicious?

I found an outstanding sample in this:

<img class="logo" scr="http://www.yourdomain.tld/images/welcome.jpg">

I checked the external CSS file and found .logo {width:110px; height:25px; border:0; display:none}. Who would have thought of checking the CSS?
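A merchant auditing an affiliate's page can automate the check described above, including the lookup in the external stylesheet. The following is an added example, not code from the original post: it flags `<img>` and `<iframe>` elements hidden by attributes, a class rule or an inline style. The function names, sample HTML and stylesheet are constructed, and only simple `.class { ... }` rules are parsed.

```javascript
// Constructed page source and stylesheet; the "logo" class mirrors the example above.
const SAMPLE_HTML = `
<img src="/images/header.png" width="600" height="80">
<img src="/images/welcome.jpg" style="width:1px; height:1px; border:0">
<img src="/images/promo.jpg" style="width:110px; height:25px; border:0; display:none">
<img class="logo" src="/images/partner.jpg">
<iframe src="https://shop.example/" width="1" height="1"></iframe>`;
const SAMPLE_CSS = ".logo {width:110px; height:25px; border:0; display:none}\n.teaser {width:300px}";

// Parse "a:b; c:d" into { a: "b", c: "d" } (lower-cased).
function parseDecls(text) {
  const out = {};
  for (const part of text.toLowerCase().split(";")) {
    const i = part.indexOf(":");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Collect the declarations of simple ".class { ... }" rules from an external stylesheet.
function parseClassRules(css) {
  const rules = {};
  for (const m of css.matchAll(/\.([\w-]+)\s*\{([^}]*)\}/g)) rules[m[1]] = parseDecls(m[2]);
  return rules;
}

// Read one quoted attribute value from a tag, or null when absent.
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*["']([^"']*)["']`, "i"));
  return m ? m[1] : null;
}

// Flag <img>/<iframe> elements that are rendered invisibly or at 1px or less.
function findHiddenEmbeds(html, css) {
  const rules = parseClassRules(css);
  const findings = [];
  for (const m of html.matchAll(/<(img|iframe)\b[^>]*>/gi)) {
    const tag = m[0];
    const decls = {};
    // Cascade order: width/height attributes, then class rules, then inline style.
    for (const dim of ["width", "height"]) if (attr(tag, dim) !== null) decls[dim] = attr(tag, dim);
    for (const cls of (attr(tag, "class") || "").split(/\s+/)) Object.assign(decls, rules[cls] || {});
    Object.assign(decls, parseDecls(attr(tag, "style") || ""));
    const reasons = [];
    if (decls.display === "none") reasons.push("display:none");
    if (decls.visibility === "hidden") reasons.push("visibility:hidden");
    for (const dim of ["width", "height"]) {
      if (parseFloat(decls[dim]) <= 1) reasons.push(`${dim}<=1px`);
    }
    if (reasons.length) findings.push({ tag, reasons });
  }
  return findings;
}
```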

Cookie Dropping via Toggle page

You will find many other ideas if you check websites. Have you ever been redirected via a toggle page? You click a link, a new page asks you to wait for redirect and if you are not redirected within 5 seconds, you should click a link to redirect manually. This toggle page may include Cookie Dropping methods and use those few seconds to call merchant pages or merchants' HTTP headers.

Another day I found a page that displayed three banners on this toggle page and dropped cookies with the <img> tag. Interestingly enough, those dropped cookies came from the same merchants as the banners. Perhaps this Affiliate thought to impress the merchant, when the latter comes to investigate the toggle page, and to stop him from deeper crawling?

Cookie Dropping with AdSense

Really cool are websites that simultaneously drop cookies from merchants that are shown in AdSense. For a long time I did not understand how this was possible. One day I updated the page again and again and wondered about continuously seeing the same Ads from AdSense. After some research with Google I found a hint: It was called AdLogger. AdLogger logged clicks on AdSense. A large share of those logged clicks was valuable, as AdLogger provided for them the merchants linked in the AdSense Ads. With this information Affiliates blocked all Ads nobody clicked via the Competitive Ad Filter in their AdSense account. In the end almost all shown Ads had been filtered. Only a handful remained. They became Affiliates of those merchants and started dropping the appropriate cookies. Later they used asRep.

Some more advanced methods of Cookie dropping are possible with PHP. Perhaps some day this story will be told...

Why Super Affiliates are to master the rules of Poker...

The answer is as easy as it can be. Why shouldn't it be useful to learn Poker if you can get rich as a Poker Affiliate? And if you can drop images in forums and other places that are redirected once or, even better, twice? Of course many of the Super Affiliates work legally, but if you look around the world, many of them also do the direct opposite and drop cookies. This is no reason to get personal. I don't mind if they do so, because they have good reasons for it:

Let us play with some amounts as example. If a visitor of your site plays Poker at your Poker merchant and spends US-$ 100, you earn US-$ 25 or so. But if this visitor spends US-$ 1,000, you earn US-$ 250. As there are visitors that spend perhaps US-$ 10,000 to 40,000 a month you can earn (take a deep breath) up to US-$ 16,000 a month with only one big fish. This is a Straight Flush or perhaps Royal Flush. There exist different Affiliate payment models. Another model is to get commission in advance for any new player. Perhaps US-$ 75 to US-$ 150. Nothing will prevent them from completing their life's dream of becoming rich and independent.

In PART IV of this post you will learn about more interesting methods like "JavaScript Link Cloaking", "JavaScript-Redirect", "Redirect via htaccess" and "PHP Cloaking".

Of course it will be again extremely interesting. If you want to get informed, then subscribe to this blog's feed! - See you soon at SEM, SEO and SMO at Wulffy's Blog.

This blog post Cookie Dropping Cookie Stuffing - Affiliate Link Cloaking Part III is categorized under Search Engine Optimization, SEO, Web 2.0, Social Media Optimization, SMO, Search Engine Marketing, SEM.


© of picture by Lukic.
For demonstration purposes only. The portrayed model is not subject matter of Blackhat.

All methods of Affiliate Link Cloaking

We continue this comprehensive overview of all easy-to-understand and easy-to-use "Affiliate Link Cloaking" strategies. There will be more parts than had been planned before. In this Part II you will learn about Framebreaker and I will introduce "Cookie Dropping"/"Cookie Stuffing". Remember: Whatever you do, it is your responsibility.

This blog post is a follow-up of Affiliate Link Cloaking - Part I. Please read it first, before you continue.

Recently I found a shop for car tires and used Internet Explorer 7. As it was not possible to add the selected product to the shopping basket, I wondered and checked the source code of the page. This shop was integrated into the page with an iframe. I got no error message from the shop. Each time I switched to the shopping basket, it was empty, because the cookie can't be dropped. Very bad for the Affiliate. Why?

IE7 prevents Affiliates from getting commissions if they open merchant's website in frames or iframes

Cookies dropped by a merchant's page that is loaded into a frame or iframe are third-party cookies. Third-party cookies are cookies dropped from other domains. If you open a website within a frame/an iframe, this website is from a third party. Those merchants' pages cannot drop cookies in the latest IE7. Affiliates are wondering about decreasing commissions, but many of them are definitely not aware of the fact that deployment of P3P Privacy Policies in their website is absolutely necessary. In the end they don't even notice it, because commissions from visitors using Firefox are credited.

Framebreaker and introducing Cookie dropping/Cookie stuffing

Very often you can read about "Cookie dropping"/"Cookie stuffing". It means that Affiliates drop cookies onto visitors' browsers via the merchant's website to get commission if visitors order within the 7, 30, 60... return days. Even worse, if you as an Affiliate had already set a cookie (via your merchant's website), it will be overwritten. Normally a cookie would only be set after a visitor's click on an Affiliate link, by loading the targeted website of the merchant.

Caught with Cookie dropping

Also in 2008 some merchants complained about this unfair method, e. g. a German Social Bookmarking website was caught red-handed with Cookie dropping via iframes. Each time I read a complaint of a merchant I grinned from ear to ear, because I was wondering why merchants do not use a Framebreaker at their pages to stop Affiliate beginners. Framebreakers are very easy to understand. The page breaks out of the frame and opens in main window. Even more I wonder why they do not use it, because it works with IE7, FF2 and FF3. And it works with opening a website within a frameset AND opening a website within an iframe.

Framebreaker JavaScript code and Testing

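<script type="text/javascript">
// Framebreaker: if this page is not the top-level window, load it in the top window instead
if (top.location != self.location) {
  top.location = self.location.href;
}
</script>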

Let's test this Framebreaker with Frameset and iframe...

I have already prepared the files, but let me explain first. In this you find six HTML files:

Two of them to test Frameset without and with Framebreaker, two files for testing iframe without and with Framebreaker and two files that simulate the target page you load with your Affiliate link.

First test: Frameset without framebreaker

Click "1-Test_Frameset-without-framebreaker.htm" and the included code for Frameset will load "target-page-without-framebreaker.htm" into its main frame.

As you see the title of your page is visible at the target page that means the target page is shown in your frameset as mentioned in Part I of this post. (Remember "Source code cannot be viewed as usual, but..." from last post.)

Second test: Frameset with framebreaker

Click "2-Test_Frameset-with-framebreaker.htm" and the included code for Frameset will try to load "target-page-with-framebreaker.htm" into its Frameset.

As you can see only the title of the target page is visible. The title of your page is invisible. Fail for Affiliate, good for merchant.

Third test: iframe without framebreaker

Click "3-Test_iframe-without-framebreaker-in-target-page.htm" and the included code for iframe will load "target-page-without-framebreaker.htm" into its iframe.

As you can see, the title and content of your page are visible, and below them the iframe with its content. (Frameborder of iframe is switched on to see the iframe.)

Fourth and final test: iframe with framebreaker

Click "4-Test_iframe-with-framebreaker-in-target-page.htm" and the included code for iframe will try to load "target-page-with-framebreaker.htm" into its iframe.

As you can see only the title of the target page is visible. The title of your page is invisible as your page is overruled by merchant's page.

Are iframes really necessary for merchants and Affiliates?

In some niches, e. g. Travel Affiliate Programs (or car tires...), it seems to be barely necessary to work with iframes, because this method is easy-to-use for Affiliate beginners. Of course those merchants would never use Framebreaker. In these niches complete websites are opened within an iframe. As cookies are definitely obsolescent, those merchants must find other methods in future.

An easy-to-use method could be to provide a PHP Scraper... Scraping means to "scratch" content from a website and publish it at your own website in a way that the source code looks like it is your own published data. Search engines cannot detect that this content is scraped (perhaps they detect that it is Double content...). Cookie dropping could be done via calling merchant's server. Details will follow in next post. - There are other already existing methods like Postview-Tracking that is done by Super Affiliates.

Gets tricky?

Not really, but a straightforward tip. Never put this Framebreaker script directly into the source code. Use it as external JavaScript and do not name it framebreaker (!). Let's call it: menu.js. Advanced merchants may obfuscate/encrypt the external JavaScript.

<script src="http://www.domain.tld/scripts/menu.js" type="text/javascript"></script>

If Affiliate beginners use iframes to open a bunch of websites from merchants in 1x1-pixel iframes (Cookie dropping/Cookie stuffing), then it is strongly recommended for those merchants' websites to use a Framebreaker.

In PART III of this post you will learn about "Cookie Dropping"/"Cookie Stuffing" and you will finally understand what you've always wondered about: the reason why Super Affiliates are to master the rules of Poker. - And you will meet Mrs. Blackhat. She's so hot and cool, and she really loves to date Super Affiliates.

Of course it will be again extremely interesting. If you want to get informed, then subscribe to this blog's feed! - See you soon at SEM, SEO and SMO at Wulffy's Blog.

Publication of the upcoming blog post is planned for this Saturday.

This blog post Framebreaker - Affiliate Link Cloaking Part II is categorized under Search Engine Optimization, SEO, Web 2.0, Social Media Optimization, SMO, Search Engine Marketing, SEM.