Protect Your Nuts - Part 3 of 3 (29)

Check Out: Part 1 and Part 2

Here's the final instalment of this tutorial on protecting your landing pages and cpvlab/prosper installs.

Part 2 was mainly focused on preventing your domains from getting discovered by your competitors.

This final episode will give you a bunch of actions you can take to make sure your hard work doesn't get abused once your domains are discovered.



6) Stop the bastards from stealing your code/images

Use the previous tip (Tip 5 in Part 2) to prevent automated tools from downloading your code.

For example, to stop http://bo.lt just block the following User Agent token:

bo.lt

<script>
var message="";
function clickIE() {if (document.all) {(message);return false;}}
function clickNS(e) {if 
(document.layers||(document.getElementById&&!document.all)) {
if (e.which==2||e.which==3) {(message);return false;}}}
if (document.layers) 
{document.captureEvents(Event.MOUSEDOWN);document.onmousedown=clickNS;}
else{document.onmouseup=clickNS;document.oncontextmenu=clickIE;}
document.oncontextmenu=new Function("return false");
</script>

• Always keep an encrypted copy although if you know how you can access it from the encrypted page
• It depends on JavaScript and therefore would not work for users that have JS switched off in their browsers
• With modern browsers there are ways around this that would still give you access (Browser Developer Tools)
• This will only work for html and js files

<html>
<head>
<title>my lander</title>
<style>
body {
font-size:20px;
}
</style>
<script>
alert('WELCOME');
</script>
</head>
<body>
<h1>this is my lander</h1>
<h2>encrypted</h2>
</body>
</html>

<Script Language='Javascript'>
<!-- HTML Encryption provided by iWEBTOOL.com -->
<!--
document.write(unescape('%3C%68%74%6D%6C%3E%0A%3C%68%65%61%64%3E%0A%3C%74%69%74%6C%65%3E%6D%79%20%6C%61%6E%64%65%72%3C%2F%74%69%74%6C%65%3E%0A%3C%73%74%79%6C%65%3E%0A%62%6F%64%79%20%7B%0A%66%6F%6E%74%2D%73%69%7A%65%3A%32%30%70%78%3B%0A%7D%0A%3C%2F%73%74%79%6C%65%3E%0A%3C%73%63%72%69%70%74%3E%0A%61%6C%65%72%74%28%27%57%45%4C%43%4F%4D%45%27%29%3B%0A%3C%2F%73%63%72%69%70%74%3E%0A%3C%2F%68%65%61%64%3E%0A%3C%62%6F%64%79%3E%0A%3C%68%31%3E%74%68%69%73%20%69%73%20%6D%79%20%6C%61%6E%64%65%72%3C%2F%68%31%3E%0A%3C%68%32%3E%65%6E%63%72%79%70%74%65%64%3C%2F%68%32%3E%0A%3C%2F%62%6F%64%79%3E%0A%3C%2F%68%74%6D%6C%3E%0A'));
//-->
</Script>

8) Make sure your domains cant be ‘explored’

All to often do I see sites from fellow affiliates where they havent disabled the Directory Listing feature which on Apache is often enabled by default.

Directory Listing basically shows you the file and folder structure of a website if the specific folder does not include a index.html or index.php page.

Nginx is configures by default to not allow this.

For apache - you can follow this tutorial to disable it yourself:

http://www.javascriptkit.com/howto/htaccess11.shtml

But the easiest way is just to create in each folder where you dont have a index.php or index.html an empty index.html file!



9) Get notified when your indexed

This is a quick and simple tip.

Its a pain to check google every week to see if your domains have been indexed.

So instead, use one of google’s great tools -> Google Alerts

http://www.google.com/alerts

and setup an alert for the following search:

site:gr0w.co OR link:gr0w.co OR inurl:gr0w.co OR info:gr0w.co

10) Phone home & redirect

<script type="text/javascript" src="http://yourdomain.com/track.php"></script>

EPIC post! - MANY thank.s

As always , sick post!

And regarding your last trick , name your JS file jquery-1.2.js and 99% of the people that rip your pages won't notice it

lol very clever

probably should be jquery-1.2.js.php or make sure js files run through php

Regarding #10: You could do that in pure JavaScript without generating the JavaScript file with PHP. This approach would be much more resource-friendly.

Also, I think it would be more fun to redirect visitors only if they have clicked on a link

Everybody who steals a landing page makes sure the page looks like the original, right? And if the thief does this, s/he gets redirected to the original landing page. So s/he is wondering wtf is going on, etc.

But if we check if the visitor came from another page our thief will send us visitors for free.

For example we could use this:

<script type="text/javascript">
if(window.location.hostname !== "yourdomain.com" && document.referrer !== ""){
    window.location = "http://yourdomain.com/yourpage.php"
}
</script>

I have to admit this is gold!

Incredible information! But, I'm wondering... exactly what does the last trick do?

@flowmotion: makes it so if someone copies your landing page, any traffic they drive through it will go to your affiliate URL. Unless of course they know code and take it out ;-)

Ah, I see. Clever!

Originally Posted by rawservices

@flowmotion: makes it so if someone copies your landing page, any traffic they drive through it will go to your affiliate URL. Unless of course they know code and take it out ;-)

Yep! most dont know. Especially if you use the encryption trick it will look like gobbledegook!

Should've read this thread earlier before some STM retard decided to rip a couple of my camps and out them in public claiming it was him who created the angles. Too bad those copycats will never make it to any meetup to discuss such things in person.

Thanks Tijn!

I wonder if choosing the "wrong" Hosting could vanish all these efforts to protect your LPs. I'm thinking for example to Prosper/CPVLab optimized hosting.
Of course those people know that you're an affiliate, and know how to copy your whole tracking database and import it in their personal laptop.

What do you think? I'm just winding up my persecution complex or it's a real concern ?

I'm fairly new at this so forgive me if this question is dumb/ out of line, but if you redirect them to your affiliate link (as described in step 10) you will get some free clicks, then they will dump the lander or modify it after a short time. If you're going to be sneaky in the first place, why not go all the way? Could a script be written that would skim maybe 1 click out of 5 and send the other 4 happily on their way? You still reap the rewards of your creativity and they use a hot lp that may get pirated by others (thus increasing your potential revenue). Maybe this is a new income stream... Just a thought.

dario -> not sure this is a concern in majority of cases, especially if its a well established player like beyond or storm.

q mechanic -> yes you could build in that filter so its not too obvious!! good suggestion.

hi tijn,
just wondering if the techniques in your 3-part tutorial can stop ppv spying tools such as boxofads from doing their job? thanks!

No

the way box of ads works is that it grabs the data from LI/TV when it pops a page. It therefore gets your destination URL you enter in LI/TV.

now what you can do is try and identify which IPs the scraper uses to visit your landers and block those. At least then your real lander is not shown in screenshots on the site.

You can also block the site as referrer, and also make sure you block all redirect / referrer blanking services.

Unfortunately if the referrer is blanked you should not block this as PPV has blank referrers as standard.

Any other ideas anyone?

Originally Posted by tijn

now what you can do is try and identify which IPs the scraper uses to visit your landers and block those. At least then your real lander is not shown in screenshots on the site.

Found another BOA IP lurking in my 202 as well.

I would be very interested in a solution to block scrapers and such.

Tjin hit the nail on the head. The best way I can think of to prevent spying is to block it at the server level. Presumably you're using Prosper or CPV Lab for tracking? Both of these record IP addresses of visitors. What I do is find my scraped ads in Box of Ads, and then match the time of the pop and find the the referrer/IP address. At this moment they only use a few so it's pretty easy to spot them. I record this and then add it to my blocked list on my server. I use Liquid Web and on there I do all of this through the ConfigServer Security & Firewall panel in WHM. If you don't have it installed you can ask them to install it for you. From there you can add IPs that you wish to block and they won't be able to load anything from your server. Unfortunately BOA will still display your tracking link and target, but your image won't be displayed, so somebody would have to cut and paste your tracking link into a new browser in order to view your landing page. The odds of that happening are like zero due to the sheer volume of pops that BOA show, unless of course somebody does a search for a specific target and is dead set on viewing your LP.

Another way to completely redirect BOA or other IPs from your landing page is to use this type of script on your cloak page:

<?php
if (in_array($_SERVER['REMOTE_ADDR'], array('00.00.00.0','111.111.111.1','22.222.22.22', '33.333.333.333'))){
header("Location: http://yahoo.com");
} else {
header("Location: http://trackingdomain.com/base.php?c...177254e5a14f21 &keyword={keyword}&" . $_SERVER['QUERY_STRING']);
}
?>

This is for CPV Lab but you can use it with Prosper also by changing your tracking link. You input the IP addresses you want to redirect and then it redirects them before they even get to your tracking link. So far this has worked for me I guess one way to make this script better would be to have the IP addresses read off of a .txt file so that you don't have to manually add each one to the list. This would make managing large IP lists a lot easier. Perhaps somebody here knows how to make that change?

Another thing I do is keep a database in Excel of ALL visitor IPs, and then screen for duplicate values, and keep a list of these. I redirect all duplicate IPs except for TV and LI review IPs.

Lastly, for those of you who aren't using CPV Lab yet, they have a new built in IP blocking feature that prevents blocked IPs from going to your offer page. This doesn't help much with direct linked offers and it doesn't prevent people from ripping your landing page, but it does offer an extra layer of protection.

Great stuff liamtheterrier. I use 202 and liquidweb so I'll certainly have a look at the options in WHM. The redirect code is a great plan that I will certainly start to implement. I've been quite busy the last couple of days tightening stuff up and changing stuff in my htaccess file. I was inspired by the great post by Julien here and also the website that he mentions here has gome great info for 202 users http://masterlesssamurai.com/blackha...-https-server/.

Can somebody explain this?.....
When sifting through my 202 data, boxofads will identify itself in the referrer column but it may have different IP addresses associated with it (as per dario's and my screenshots in this thread).
Is this because they have multiple servers sharing the load?, servers in different countries (to scrape US, UK data etc) ? or is it the nature of a scraper to use a range of IP addresses to make them harder to track down/shut down/block out or whatever? or are there other more obvious or more complex reasons...?
Also, what do you think the chances are of convincing johnnygood to give us the IP addresses I'm more reluctant to use LI at the moment until I can secure my data as best as possible. Having this tool advirtised in this forum is kinda like outting campaigns in a way. Just a thought, not a complaint.

This is solid as hell, nice share. I'm in the process of putting this on my LPs now.

I believe that if boxofads is showing as the referrer, then the IPs are those of the BOA users that are clicking on your link through BOA. I don't think the scraper IPs would have a referrer of boxofads.com.

Sweet little tip there Josh. Thanks man.

Originally Posted by joshtodd

I believe that if boxofads is showing as the referrer, then the IPs are those of the BOA users that are clicking on your link through BOA. I don't think the scraper IPs would have a referrer of boxofads.com.

This is very helpful and something newer affiliates should learn without a doubt. The thing is though on large volume it simply doesn't work that great in my experience - the competition at that level knows exactly how to get around it.

UH OHHH bumping an old thread


I've been struggling with Box of Ads since they successfully took my $700/day campaign down to $0. I'm successfully cloaking some of their hits, but not all. If anyone is interested in swapping IPs and servers they've discovered feel free to shoot me a PM.