Blank Referrer in Chrome?

Discussion in 'BlackHat Lounge' started by brent360, Jun 30, 2011.

  1. brent360

    brent360 Junior Member

    Joined:
    Feb 16, 2011
    Messages:
    102
    Likes Received:
    256
    Is it possible to blank the referrer in Chrome/Safari? I've searched but I can't find anything. Changing it is easy enough, but I don't want people to be able to follow a breadcrumb trail back to my original traffic source.

    Thanks
     
    • Thanks x 1
  2. Autumn

    Autumn Elite Member

    Joined:
    Nov 18, 2010
    Messages:
    2,197
    Likes Received:
    3,042
    Occupation:
    I figure out ways to make money online and then au
    Location:
    Spamville
    I've never tried, but why do you want to blank it completely? Faking it to a nice clean full page ad or similar on a clean domain is generally a better strategy if you're dealing with affiliate programs. It has the same effect of hiding your traffic source, but it looks less suspicious.
     
    • Thanks x 1
  3. brent360

    I'm passing it through my analytic server, so that already results in the referrer displaying as server.whatever.com/?sitename=whatever

    However, if someone checks out the traffic source for whatever.com, they'll see where it comes from.

    If I blank it and then pass it through the server, no leaks happen--but I don't know how to blank it in Chrome, Safari, and a few other browsers.
     
  4. Autumn

    server.whatever.com/?sitename=whatever ---> CPA redirector 2 fakes referrer as server.whatever.com/my_ad.html or just server.whatever.com ---> final destination

    It's a couple more steps but if you keep CPA redirector 2 on the same domain as whatever.com then it should be fast because there are no extra DNS lookups in the middle. You have to add an extra 301 header in CPA redirector 2 for it to work with Chrome.
     
    • Thanks x 1
  5. brent360

    My tracking software already "fakes" the referrer to the tracking page. The problem with that is that someone can easily check the traffic source of my analytic server. (Compete dotcom, etc.)
     
  6. Autumn

    Then you'd have to put CPA redirector on another domain. You take a slight hit with the extra DNS lookup but I don't see any other alternative if you want to eradicate all trace of your tracking server from the trail. If you have fast hosting then it's not really a huge issue - I do something similar with Twitter traffic to track and then hide referrers. You sacrifice some track-ability and a small proportion of clicks lost to http errors in return for anonymity.

    In any case I'd definitely advise against completely blanking your referrer because I've seen heaps of affiliate reps cite it as a cause for suspicion. If you fake it to a pretty full page ad, you can just say "I bought my traffic at {second tier PPC company} and sent it to this full page ad."
     
    • Thanks x 1
  7. brent360

    If I do that, then they can just follow the breadcrumb trail one step further and they'll still find my traffic just the same. Blanking the referrer only serves to hide the traffic on the analytic domain, but the source will still show up as whatever.com if they check up on it.

    Example:
    ppc -> blank referrer -> analytics domain -> cpa offer

    Referrer will come up as analytics domain, but they can't track it back to the original source. If I don't blank it, or if I use another domain before the analytics domain, it'll just be one step more for them to check up on--which doesn't really solve the problem.
     
  8. Autumn

    I'm talking about ppc > analytics > fake referrer > cpa.

    I think you're possibly overestimating how much time the affiliate reps have to check up on your stuff. Their main concerns are a) make sure you're not sending fraud traffic and b) that the advertisers are happy with your traffic.

    Many programs ban Twitter traffic but I send it to them all day going Twitter > my own fake short url domains which fake referrer (to FPA on another domain) > CPA and I've never had a problem. However, if you're just sending shitty traffic then you have a bigger problem than your referrers.

    Also if you're worried about Compete etc. then you are going to have a hard time tricking them because a lot of those sites are based on toolbar data which is basically impossible to fake (i.e. you can't manipulate the HTTP header data that is sent back through the toolbar).
     
  9. brent360

    With your scenario, they could potentially use compete to check the traffic source of your own fake short url domains, which would reveal Twitter as the traffic source. That's all I was trying to circumvent.

    Thanks for the info
     
  10. Autumn

    Yep but that's basically unavoidable. In my own case the shorturl domains have traffic coming from all kinds of sources (not just Twitter) so it provides plausible deniability, and the domains are also set up to appear to be public shorturl services. But it's never been an issue, I assume because a) I show a clean referrer with a nice FPA on it, b) the traffic is profitable for the advertiser so they never have a reason to complain, c) I send enough volume that they have an incentive to look the other way.

    Possibly you could add some more confusion by using a free host or public short url service to host your redirects, but then you run into more speed issues.

    You can also work around the compete et al problem by using lots of cheap domains. Most sites like compete won't show referral etc data if they don't have enough stats; I just had a look at some of my domains (that I've sent $1000s of traffic through) on compete and they don't show referral data. Collate the data on the backend for your own usage.
     
    • Thanks x 1
    Last edited: Jul 1, 2011
  11. brent360

    I believe you could avoid it by faking the referrer before passing the traffic on to your shorturl service
     
  12. Autumn

    If you're looking at http referrer data then the short urls are hidden when the referrer is faked through the full page ad. But if you're worried about compete and other toolbar data then it may very well still show up because those toolbars possibly follow the urls in a particular toolbar or tab session (including redirects), not just the clickstream. If they are recording clicks then they probably can't distinguish between you clicking the form submit in CPA redirector 2 (with javascript) from an actual mouse click.

    The shorturls are there mainly because I need shorturls to fit into Tweets.

    A quick survey of alexa, quantcast and compete indicates that none of them like .info domains, which is a good thing because they're my favourite for tracking and referrer faking because they're cheap.
     
  13. brent360

    True, but there's still the lingering electronic trail, so to speak, which can be followed through. They could always follow the fake referrer back to the short urls, back to the traffic source (I do understand that's not practical--but it's possible). The only actual solution I can think of is to blank the referrer before faking it.

    As for the toolbar thing, that's a lost cause, so I won't worry about it.
     
  14. fapwire

    fapwire Newbie

    Joined:
    Jun 24, 2010
    Messages:
    16
    Likes Received:
    2
    Does content lock pro blank it in Chrome?
     
  15. adbox

    adbox Power Member

    Joined:
    May 1, 2009
    Messages:
    658
    Likes Received:
    107
    Home Page:
    Is there still not a PHP based solution for blanking the referrer with Chrome?
     
  16. Autumn

    In general you can't just use server side redirection to blank a referrer, because most browsers will carry the referrer through a server side redirect. You have to go client side (i.e. JavaScript) to get rid of the referrer.
     
  17. adbox

    I managed to wash the referrer with CURL successfully yesterday and it seems to work for all browsers. What I did was use CURL's useragent tampering features to set the referrer to be blank rather than spoof it to something else.

    The thing is that with this, or any useragent based wiping or alteration, it's only protecting the deep link referrer of the traffic. A stats monitor can still look at the ip logs and reverse lookup to discover the true source.
     
  18. janny2030

    janny2030 Regular Member

    Joined:
    Apr 17, 2011
    Messages:
    334
    Likes Received:
    137
    This thread has helped me with BH for Adsense! Thanks
     
  19. adbox

    Heya, coming back to post the meta referrer spoof with CURL. If you're looking for easy WordPress integration check out my WP Traffic Tools

    PHP:
    // $redirect_url and $spoof_referrer_url are expected to be set by the calling code.
    //echo 1; exit;

    // First request: fetch the target server-side with the chosen Referer and
    // keep the response headers so the Set-Cookie lines can be read.
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL,            $redirect_url);
    curl_setopt($ch, CURLOPT_COOKIESESSION,  true);
    curl_setopt($ch, CURLOPT_FAILONERROR,    false);
    curl_setopt($ch, CURLOPT_VERBOSE,        1);
    curl_setopt($ch, CURLOPT_REFERER,        $spoof_referrer_url);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_FRESH_CONNECT,  true);
    // The original read "fasle"; headers must be in $result for the match below.
    curl_setopt($ch, CURLOPT_HEADER,         true);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
    $result = curl_exec($ch);
    curl_close($ch);

    // Collect the Set-Cookie values returned by the first response.
    $pattern = "#Set-Cookie: (.*?; path=.*?;.*?)\n#";
    preg_match_all($pattern, $result, $matches);
    array_shift($matches); // drop the full matches, keep the captured group
    $cookie = implode("; ", array_map('trim', $matches[0]));

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL,            $redirect_url);
    // Then, once we have the cookie, let's use it in the next request:
    curl_setopt($ch, CURLOPT_COOKIE,         $cookie);
    curl_setopt($ch, CURLOPT_VERBOSE,        1);
    curl_setopt($ch, CURLOPT_REFERER,        $spoof_referrer_url);
    curl_setopt($ch, CURLOPT_COOKIESESSION,  true);
    curl_setopt($ch, CURLOPT_FAILONERROR,    false);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_FRESH_CONNECT,  true);
    curl_setopt($ch, CURLOPT_HEADER,         false);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
    $result = curl_exec($ch);
    curl_close($ch);

    //echo 1;
    //echo $redirect_url;

    // Send the fetched page body back to the visitor.
    echo $result;
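
Posts 17 and 19 describe fetching the destination server-side with cURL, and post 17 notes that IP logs still reveal the source. The following is an added example, not part of the original thread, showing how that looks from the receiving side: every click arrives from the fetching server's single IP with one constant Referer value. The log lines are constructed, and `flag_proxy_sources`, `min_hits` and the "no browser User-Agent" check are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jul/2011:10:00:01 +0000] "GET /offer?aff=77 HTTP/1.1" 200 512 "-" "-"
203.0.113.10 - - [01/Jul/2011:10:00:03 +0000] "GET /offer?aff=77 HTTP/1.1" 200 512 "-" "-"
203.0.113.10 - - [01/Jul/2011:10:00:07 +0000] "GET /offer?aff=77 HTTP/1.1" 200 512 "-" "-"
203.0.113.10 - - [01/Jul/2011:10:00:09 +0000] "GET /offer?aff=77 HTTP/1.1" 200 512 "-" "-"
198.51.100.4 - - [01/Jul/2011:10:01:00 +0000] "GET /offer?aff=12 HTTP/1.1" 200 512 "http://blog.example/review" "Mozilla/5.0 (Windows NT 6.1) Chrome/12.0"
198.51.100.9 - - [01/Jul/2011:10:02:00 +0000] "GET /offer?aff=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh) Safari/533.21"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse(log_text):
    """Yield one dict per well-formed combined-format line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def flag_proxy_sources(log_text, min_hits=3):
    """Return {ip: summary} for IPs that look like a server-side fetcher.
    Heuristic (assumed thresholds): one IP sends >= min_hits clicks, all with
    the same Referer value, and none carries a browser User-Agent."""
    by_ip = defaultdict(list)
    for rec in parse(log_text):
        by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        if len(recs) < min_hits:
            continue
        referers = {r["referer"] for r in recs}
        non_browser = all(not r["ua"].startswith("Mozilla/") for r in recs)
        if len(referers) == 1 and non_browser:
            ref = next(iter(referers))
            flagged[ip] = {"hits": len(recs), "referer": "blank" if ref in ("", "-") else ref}
    return flagged

if __name__ == "__main__":
    print(flag_proxy_sources(SAMPLE_LOG))
```

A single real visitor with a blank Referer (the last sample line) is not flagged; only the repeated pattern from one address is.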