LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

Beware Black Hat Cookie Stuffing Affiliate Marketing

Date/Time: July 18, 2021 @ 12:00 am, by raindog308

Hey, you just browsed my site
And this is a crazy
Here’s a cookie you didn’t ask for
So make me some money maybe!

— Cookie Monster, Share It Maybe (sort of)

In the LowEnd hosting world, many providers run affiliate programs, which are a completely legitimate marketing method. The way it works is that ExampleHost provides an affiliate code to Joe Marketer. Joe Marketer then shares the link, asking users to use that link or code when signing up with ExampleHost. If Rita Random signs up, she pays the normal price to ExampleHost and ExampleHost pays a small commission to Joe Marketer in thanks for his advertising assistance.

Many marketers run sites in which they provide reviews and advice, and all links use affiliate codes.  There is sometimes a conflict of interest – the host that pays the fattest commission sometimes tends to get the biggest promotion.  On many sites (such as LowEndTalk), using affiliate codes when posting links is either forbidden or must be explicitly stated as such, to prevent spamming.

While these are all “white hat” techniques, there are also less ethical techniques for making money from affiliate marketing. Chief among them is cookie stuffing.

You probably know what HTTP cookies are: small files that are placed on a user’s computer to maintain state, such as identification, authentication, and tracking. While cookies are controversial (as evidenced by those noxious “we use cookies” banners everyone clicks on and ignores), they have been part of the web landscape since 1994.

Cookie stuffing occurs when a user visits a web site and receives a third-party cookie, usually without the user being aware of it.

For example, imagine Rita Random visits SketchyHostingReviews.com, run by Bernie Blackhat. The site shotguns dozens (or hundreds, potentially thousands) of cookies to her computer, including one indicating that she’s following an ExampleHost affiliate link, even though she’s not. Of course, the web site doesn’t need to be a hosting review site – it could have pottery class information, a parasailing directory, candle scent recipes, or anything. Later, when Rita browses to ExampleHost, the affiliate cookie is still on her system and Bernie gets the affiliate commission, even though he provided no link or other legitimate advertising in the cycle.

It’s worth noting that this form of fraud has been prosecuted in the past, and those involved have gone to prison and paid fines.

The easiest way to defeat cookie stuffers is to refuse third-party cookies.  If you visit example.com then getting a cookie from example.com makes sense, but why do you need to receive a cookie from ExampleHost.com?  You don’t.  This policy can be turned on in your web browser, and virtually all privacy extensions implement this policy.  Note that this will also eliminate many trackers from watching you on the Internet.  Google Chrome disables third-party cookies in incognito mode and the company has stated that Chrome will disallow all third-party cookies in normal mode by default starting in 2023.
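The same first-party rule can be applied on the merchant's side. The following is an added example, not code from the original article or from any affiliate platform: it classifies hits on an affiliate link by the browser's Fetch Metadata request headers (Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Sec-Fetch-User) and flags affiliate IDs whose hits mostly arrive as embedded resources rather than as pages a visitor opened. The log records, affiliate IDs, function names and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

def classify_affiliate_hit(headers):
    """Return 'credit', 'reject' or 'review' for one hit on an affiliate link."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    dest, mode = h.get("sec-fetch-dest"), h.get("sec-fetch-mode")
    if dest is None or mode is None:
        # Older browsers and non-browser clients send no Fetch Metadata.
        return "review"
    if dest != "document" or mode != "navigate":
        # Fetched as an embedded resource, not as a page the visitor opened:
        # a cookie set on this response would be a third-party cookie.
        return "reject"
    if h.get("sec-fetch-site") == "cross-site" and h.get("sec-fetch-user") != "?1":
        # Top-level navigation from another site with no user gesture
        # (an automatic redirect, for instance): hold for manual review.
        return "review"
    return "credit"

def summarize(hits, min_hits=3, reject_ratio=0.5):
    """Tally verdicts per affiliate ID and list IDs dominated by rejects."""
    per_aff = defaultdict(Counter)
    for hit in hits:
        per_aff[hit["aff"]][classify_affiliate_hit(hit["headers"])] += 1
    flagged = sorted(
        aff for aff, c in per_aff.items()
        if sum(c.values()) >= min_hits
        and c["reject"] / sum(c.values()) >= reject_ratio
    )
    return {aff: dict(c) for aff, c in per_aff.items()}, flagged

def _hit(aff, dest=None, mode=None, site=None, user=None):
    # Build one constructed log record; None means the header was absent.
    pairs = [("Sec-Fetch-Dest", dest), ("Sec-Fetch-Mode", mode),
             ("Sec-Fetch-Site", site), ("Sec-Fetch-User", user)]
    return {"aff": aff, "headers": {k: v for k, v in pairs if v is not None}}

SAMPLE_HITS = [  # constructed sample data, not real traffic
    _hit("joe", "document", "navigate", "cross-site", "?1"),  # clicked link
    _hit("bernie", "image", "no-cors", "cross-site"),         # embedded image
    _hit("bernie", "iframe", "navigate", "cross-site"),       # embedded frame
    _hit("bernie", "document", "navigate", "cross-site"),     # no user gesture
    _hit("joe"),                                              # legacy client
]

if __name__ == "__main__":
    tallies, flagged = summarize(SAMPLE_HITS)
    print(tallies, flagged)
```

A merchant would skip setting the affiliate cookie on "reject" hits and audit the flagged IDs before paying commission.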

LowEndTalk administrator @FAT32 has recently started publishing a list of cookie-stuffers in the LowEndCommunity, which you can find in this thread.

I'm Andrew, techno polymath and long-time LowEndTalk community Moderator. My technical interests include all things Unix, perl, python, shell scripting, and relational database systems. I enjoy writing technical articles here on LowEndBox to help people get more out of their VPSes.
