Home > General > Affiliate Marketing Forum

---

Best Way to Block Ad Spy Tools? (17)

---

Hi,

I would like to know what's the best way to block Ad Spy Tools. In particular, I am talking about Mobile Ad Spy Tools such as AdPlexity, AdsXposed, Mobile Ad Scout etc.

I am guessing they are using some kind of patterns on their Headers/User Agents/IPs/Hostnames

Also, taking this opportunity, I would like to ask you about how these tools work from behind. How are they able to simulate every country, every carrier, see the timeframe an ad/lander is running, detect things right away etc.

Thanks

---

Im interested to know as well.

Add me on skype if u want to discuss. (nigelgexon)

---

If they did, everyone could block them in 5 seconds... New filter > User Agent string > Forward to hell.

If there is a solution it's certainly not that easy.

---

You can't, everything can be faked. That's the short answer. Your time is better spent focusing on creating more campaigns and better angles.

---

These tools pop up every now and then, but it becomes a never ending arms race between the spy tools and the anti-spy tools.

I think kepe95 was working on creating another such tool recently as well.

---

Likely there is a cloaker that can somehow reverse engineer a list of IP-addresses from the spy tools.

There are some things you can do to make it harder to rip your LP:
1. Only accept traffic from your target geo, + at your campaign url append a token with a "key" like you append subids.

Say you append: &h=231ehw#23hj#" at the end of your url when you enter it at your traffic source,
and then at your tracker/server only serve LP to those with h=231ehw#23hj#" , and 404 "resource not found" page to the rest.

This won't stop spy tools from ripping it once they are at it though, but many times the spy tool rip is defunct so people click the direct url to the lander and just copypaste the code from there into their index.html.

2. Creating bloated rips
If you call out dates, you can pepper your html with document.write statements writing the date. If you really want to go the extra mile make your entire body into many little document.write statements.. This way if your page is ripped, they will get the document.write statements and the already written statements. So if they run it they will have everything doubled up plus old dates and stuff, still possible to overcome but you'll make it less tempting. You can also obfuscate your code, though it's pretty easy to de-obfuscate but it might scare off some...

All this work might not be worth it unless you have a really really really kickass lander+campaign going.

The document.write technique... - It would be totally possible to make a tool that turns your clean html into a mess of document.write statements everywhere. Like first it would obfuscate the html and make short names and such, then chop it up into random bits and document.write it all. That way if your html is like this:

abcd

Spy tool rip would look like this: aabbccdd

I only know this would work on AdsXPosed because I've seen document.write statements followed by some old date, which required manual cleanup. It might be that this wouldn't work at all on other spy tools but who knows.

Maybe a tool like this already exists It's still possible to reverse engineer although it would be more time consuming. This is just a random idea though but it should be possible if you really think it's worth it.

If someone really really wants it they will be able to get it and there's nothing you can do about it most likely. No matter what you must serve an index.html file and some scripts, when you serve it it is at the clients computer and there's no way to keep them from simply saving it.

---

Good things here

Some questions.

- I know there are scripts to disable right click functions. Will that help (not in detecting the landing page but in ripping it off)?
- Is obfuscation similar to encoding? Is there a certain tool you recommend for that? I have seen some landing pages with base64 encoding and those were hard to rip. Basically I didn't want to spend time with them and I moved one to the next one, so that could be a good one.
- I guess that if I minify the code, as it is all compacted, it will scare a lot of people also, what do you guys think?

Thanks

---

You can definitely mess with the landers. I know one STMer the made six figures from other affiliates copying his page and leaving scripts in there that redirected a portion of their traffic. Karma cash.

---

Seems are worse enemy is each other lol

---

1. Not really since you can just for example type view-source: in front of the url in chrome and there it is + there are other ways for sure. But it might stop a few who can't figure that one out
2. Yeah, it replaces all method names with short cryptic names and changes the syntax up to something logically equivalent but totally unreadable for humans, though it is still possible to undo it. Google around, there are plenty of tools. I haven't looked at ones who obfuscate/minify html+css+js in one go though, that would probably be more effective but you better be damn sure there's no errors in the encoding. Actually making something like this shouldn't be too difficult it's not rocket science. All that's really needed is to identify stuff like: all classes, ids etc across js, css and html and then replace the names with nonsense names, consistently across the entire document.
3. Minifying code might help but there's a way around that too.


De-obfuscating code is literally as simple as this: Google "javascript deobfuscator", then you find some site that does it, paste in the obfuscated code, click, and it spews out the actual code. If you make the method names cryptic it's still more work to do though.

If you could push together all used js libraries, html, css, images+ mp3s as base64 into one file, and then minify + obfuscate it, it would be hard to at least tweak/simplify the code, and probably you could hide some redirection scripts inside there. Even better: create one super-obvious placeholder like "afflink=___" somewhere, and then direct only 70% of the traffic to that one. If your code is a huge block of cryptic text that might work. There are some tools for this if you google around.

If you have some skills and time you could probably create a simple program where you input a html file with everything + links to images/libraries etc, and it outputs an obfuscated standalone file with a sneaky redirect script.

This is a super interesting topic!

---

It's ironic that on this forum, there's TWO opposite sides of thoughts
1) use spying tools to get inspiration
2) prevent bots from stealing their inspiration

Well, whatever the case might be, I built something internally. Works well for me. Blocks a shit tons of scrapers. But bots that are out to steal your CPM ad money.. that's a different story.

Some of this is algorithmic, so unless you can code, most of it will mean gibberish to you.

1) This is impossible to do on media buying tracking software (CPVlab, Voluum, etc.). You need this layer BEFORE it hits your tracker. - Remember, put on condom BEFORE sex. Not during.
2) Don't block good bots.
3) You can't block human spying. (Tip: But you can look at behavior by user agent / ip )
4) Block IP by ISP
5) Should you block VPN traffic? I dunno. You be the judge. If you're in this forum, so most likely you're not targeting people who even understand the concept of VPN, so I guess I would.
6) Look at connection behavior. Ain't no human looking at your lander 20 times a day, 5 days a week.
7) Leech stolen LP traffic (but this is challenging unless you're an adept programmer => embedding & hiding code)

There's no point in blocking out whole ips b/c some subscribers on certain wireless carriers come through one proxy. Why? I have no idea. IPv6 can supply more IPs than they are planets in the entire universe. Stupid T-mobile.

This "arms" race @cmdeal mentions, can be won, if everyone freakin' worked togehter. If enough people are interested, I guess i can open this up. (If STM gave me their visitors logs, i can even weed out the affs.). Imagine gathering information at 1b+ clicks per day.. we would be WAY ahead of these scrapers.

GDN & Facebook figured it out b/c they have massive amounts of info. I don't see why any decent group of engineers can't figure this out. You need to understand some lower level network stuff (like BGP), but it's not rocket science.


PS: Additional tips - there's even ways to "attract" bots and scrapers.

---

^^ This.

---

I found this funny. Saw this LP in AdPlexity: https://s04.adplexity.com/storage/im...2b16a1c003.png

In the past I saw a few of them which where similar. This guy is cloaking the tool I'm guessing.

---

At this stage should not really care to much about blocking spy tools. Unless you are making 10k a day from your ad which then you could pay for a programmer to build such tool. This reminds me when people say I want to make a game but tell no one about it because people will steal the "idea" lol

---

^^This
The moment I stop worrying about spy tools is the moment I have more campaigns being launched and greater results.

---

Like others have said: focus on creating and launching campaigns.

But what i do:
- Add referrer rule in tracker (eg only accept popads)
- Change domain regulary (tracker url and domain where you host your creatives)
- Change IP address regulary
- Prevent bots with robot.txt
- add meta tag in landers
- add php code that checks referrer (only accept tracker referrer). You can do some fun stuff here.
- turn your apache access log on and review your logs

After those changes my landers didnt show up in adplexity

---

I've had good luck blocking some of the spy tools just by looking for their footprints. I can't give you all the secret sauce, but I will say, I print information about the visitor, like click ID, on the LP so that it shows up in the screenshots. Then I use that to look up who the user is, where they are coming from and see if their is any way to easily exclude their traffic. Then I just redirect them to a dummy landing page that looks legit so that everyone copies that shitty campaign that doesn't work.

Not 100%, but it does help quite a bit.

---

Home > General > Affiliate Marketing Forum