|
Stopping Redirects From Being Compromised By Spammers
By Manoj Jasra
Expert Author
Article Date: 2009-02-02
Late last week the Google Webmaster Central Blog discussed site redirects and how they can be potentially compromised by spammers. They also mentioned 7 ways in which you can prevent your site redirects from being abused, read more below:
- Change the redirect code to check the referer, since in most cases everyone coming to your redirect script legitimately should come from your site, not a search engine or elsewhere. You may need to be permissive, since some users' browsers may not report a referer, but if you know a user is coming from an external site you can stop or warn them.
- If your script should only ever send users to an internal page or file (for example, on a page with file downloads), you should specifically disallow off-site redirects.
- Consider using a whitelist of safe destinations. In this case your code would keep a record of all outgoing links, and then check to make sure the redirect is a legitimate destination before forwarding the user on.
- Consider signing your redirects. If your website does have a genuine need to provide URL redirects, you can properly hash the destination URL and then include that cryptographic signature as another parameter when doing the redirect. That allows your own site to do URL redirection without opening your URL redirector to the general public.
- If your site is really not using it, just disable or remove the redirect. We have noticed a large number of sites where the only use of the redirect is by spammers-it's probably just a feature left turned on by default.
- Use robots.txt to exclude search engines from the redirect scripts on your site. This won't solve the problem completely, as attackers could still use your domain in email spam. Your site will be less attractive to attackers, though, and users won't get tricked via web search results. If your redirect scripts reside in a subfolder with other scripts that don't need to appear in search results, excluding the entire subfolder may even make it harder for spammers to find redirect scripts in the first place.
- You can also use Webmaster Tools to remove URLs. Chances are that the spammers have also hacked and abused other sites to generate links to the spammed section of your site. If you see suspicious sites or spammed forums linking in, feel free to report those to us, preferably with the verified spam report form in Webmaster Tools.
Comments
About the Author:
Manoj Jasra is an online marketing veteran of almost 10 years who specializes in analytics, social/search strategy and mobile marketing. Manoj is currently a Sr. Strategist at one of Canada’s largest Telecommunications Companies, Shaw Communications Inc., where he leads Social Media, SEO, PPC and Web Analytics strategies. Manoj first started in the search marketing industry with Enquiro Search Solutions, where he spearheaded web analytics, SEO Training and the development of cutting edge search marketing solutions for clients.
Manoj is a Professional Speaker having participated at events such as Emetrics, Web Analytics Xchange, WebTrends’ Engage, Internet Marketing Conference, Social Media Innovation Summit and Search Engine Strategies. He authors Web Analytics World (a top 100 Online Marketing Blog) and consults through his firm Jasra Inc.
|
|
