Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

We have a system of CGI scripts written in Perl which reads cookies with a 'partner_id'. People can sign up to be partners and put banner ads on their sites. When someone visits a partner site, they get a cookie from us with the partner id. If someone clicks on a banner, it takes them to our site. If they buy something, the partner gets a small sum of money.

Some "partners" have registered variations of our domain name and set the cookie directly and redirect back to us. If someone mistypes the domain name, they only see our site. If they buy something, someone who registered the typo is getting commissions.

Aside from having terms of service which attempt to forbid this, can you recommend technical solutions to this problem? Even being able to minimize the problem would help.

Re: Detecting redirect fraud?
by amarquis (Curate) on Sep 06, 2007 at 15:42 UTC

    Non-Perl things to think about: Are you sure you want to disrupt the status quo? As it stands, if a customer mis-types your name, they can get to your site and make a purchase. It isn't perfect, because of the sum you pay to the partner, but it isn't terrible either.

    How mature are your partners? If antagonized will they, for example, just slap up some disturbing images/pornography at those domains? Will they put up a boilerplate "<mistyped domain>.com has closed, please take a look at these other solutions" and a cluster of AdSense ads? The latter case may infringe on your trademark (depending on many, many circumstances), but would it be worth going to court over?

    Since those domains bring in paying customers, you may want to outright purchase the domains from your partners. That will protect you now and in the future.

    Just some things to think about, if you haven't already.

    The technical solution, though, is probably best done as stated above. You can either disallow entries where the mistyped domain is the referring party, or allow only domains which your partners have registered.

    Edit: Fixed typos

Re: Detecting redirect fraud?
by moritz (Cardinal) on Sep 06, 2007 at 15:18 UTC
    If somebody types in a URL and the server responds with a redirect, the client usually sets the referer, available via $ENV{HTTP_REFERER}.

    You could ask your partners to tell you their domains, and don't count hits where the referer is available but doesn't match one of your partner's registered domains.

      They are allowed to post the banner ads anywhere they want to. We could ask them to register all domains that they post the banner ads on, but it's easy to spoof the HTTP_REFERER.
        That last bit isn't true. It's easy to spoof HTTP_REFERER *if you're the client*. It's not easy for the fake web site to convince the client to do a request with a spoofed HTTP_REFERER.
        Any HTTP request is easy to spoof, but if somebody sets up a useragent with a spoofed referer, that UA will not lead to a sale (and if it does, you are happy anyway).

        But it's harder to set up a server that responds to a standard client in such a way that it will send a wrong referer (at least I know no way).

        You can still log the referer and the corresponding partner ID from the cookie, and ask the partner to stop that practice; after all, it's in your Terms of Service.

        Update: another idea: just send a request to the referring URL to see if it answers with a redirect. (Assuming that you don't allow images that lead to a redirecting CGI script.)

Re: Detecting redirect fraud?
by pemungkah (Priest) on Sep 07, 2007 at 00:20 UTC
    I'm guessing that your application is having an XSRF (cross-site resource forgery) problem. Take a look at http://www.cgisecurity.com/articles/csrf-faq.shtml for some more details on what this is and how to block it. The short answer is to add a URL "crumb" which is unique and can only have been generated by your site. This is embedded in the URL itself, not the form, so XSRF techniques can't steal it -- this is way oversimplified, but it's basically the answer. You will of course also have to make sure you're not vulnerable to XSS (cross-site scripting) attacks.
Re: Detecting redirect fraud?
by cowboy (Friar) on Sep 06, 2007 at 19:52 UTC

    They cannot be setting a cookie for your domain. Some request to your site has to set that cookie.

    Checking through your logs of what sets the cookies for anything suspicious, which you can then investigate further, should be fairly easy; the logs should contain the referring URL of whatever page your cookie-setting code was served on.

    There's no easy technical solution to this other than telling them not to, or removing the partners that aren't playing by the rules.

      He's talking about ads, so I presumed he's talking about cookies set as follows:

      <img src="http://ad.example.com?partner_id=1234">

      Confirmation of this would be nice.
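As an added example that is not from the thread, the following Perl sketches what moritz's referer check and cowboy's logging suggestion look like at the cookie-setting endpoint the banner <img> hits: the referring page's host is compared against the domains the partner registered, and mismatches are logged for review rather than credited. The partner table, the hits and the function name classify_banner_hit are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: decide whether a banner hit may set the partner cookie,
# based on the page it was served from (HTTP_REFERER) versus the domains
# the partner registered with us. Partner table and hits are constructed.
use strict;
use warnings;
use URI;

my %registered = (                 # partner_id => hostnames registered with us
    1234 => [qw(partner-a.example.net blog.partner-a.example.net)],
    5678 => [qw(partner-b.example.org)],
);

# Returns 'ok' (set the cookie), 'no_referer' (set it, but log: nothing to
# check) or 'mismatch' (do not set it; log partner id, referer and client).
sub classify_banner_hit {
    my ($partner_id, $referer, $registered) = @_;
    return 'mismatch' unless exists $registered->{$partner_id};
    return 'no_referer' unless defined $referer && length $referer;
    # URI->host dies for schemes without a host part, so treat that as unusable
    my $host = eval { lc URI->new($referer)->host } // '';
    return 'mismatch' unless $host;
    for my $d (@{ $registered->{$partner_id} }) {
        # the page may sit on the registered host or on a subdomain of it
        return 'ok' if $host eq lc $d || $host =~ /\.\Q$d\E\z/i;
    }
    return 'mismatch';
}

# In the real CGI these come from $ENV{HTTP_REFERER} and the query string;
# here they are constructed sample hits, including a typo-domain redirect.
my @hits = (
    [1234, 'http://blog.partner-a.example.net/review.html'],   # ok
    [1234, 'http://our-dommain.example/'],                     # mismatch
    [5678, undef],                                             # no_referer
    [9999, 'http://partner-b.example.org/'],                   # unknown id
);
for my $hit (@hits) {
    my ($id, $ref) = @$hit;
    my $verdict = classify_banner_hit($id, $ref, \%registered);
    printf "partner_id=%s referer=%s => %s\n", $id, $ref // '-', $verdict;
    if ($verdict eq 'mismatch') {
        # one log line per suspect hit, for the review cowboy describes
        printf STDERR "SUSPECT partner_id=%s referer=%s ip=%s\n",
            $id, $ref // '-', $ENV{REMOTE_ADDR} // '-';
    }
}
```

A hit without a referer cannot be checked this way, so the script still credits it but records it; the volume of such hits per partner is itself a useful signal.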