http://www.sitepoint.com/forums/showthread.php?t=568450

.... WOW ....

One could say DP is a respectable site .. Imagine how many sites do this that can't be considered that.

Disclaimer: I hardly ever use DP or eBay.

Interesting stuff, thanks Floris.

It seems that unscrupulous forum members can cookie stuff legitimate forums too - does the vbulletin team have a remedy for this? (I don't know how the stuffing is being done.)

http://affiliate-blogs.5staraffiliateprograms.com/1526/affiliate-cookie-stuffing-forum-trick.html

As posted on DP,I think that this may be a fake since at the time I search for other articles relating to aforementioned event, no results were acquired.

Nice find Floris, what can you say about that?

It makes me laugh that the DP faithful are talking over there as though their innocent. LOL.

Well, it was quite clever what they did, I'll give them due for that! Bet they made a fortune too of that scam. But a little stupid to do something like that to a site like ebay and seriously expect to get away with it. I mean, ebay must have the best techy guys in the business working over their, so it's not surprising really they where rumbled.

Hi Floris and all,

I don't think it's off topic at all, since it's talking about cookie stuffing and it sounds like most of the 'alleged' stuffing happened on forums.

ct2k7 it's real and I did a major blog about it right after it was discovered, lots of people are talking about it, even over at the eBay affiliate forum, so maybe you just used the wrong search terms or something.

Here's a link to the legal doc I referenced: eBay Inc. v. Digital Point Solutions, Inc. et al (http://news.justia.com/cases/featured/california/candce/5:2008cv04052/206526/)


It seems that unscrupulous forum members can cookie stuff legitimate forums too - does the vbulletin team have a remedy for this? (I don't know how the stuffing is being done.)

http://affiliate-blogs.5staraffiliateprograms.com/1526/affiliate-cookie-stuffing-forum-trick.html

THANKS doug1 that's my 5 Star blog you linked to about the problem of cookie stuffing on forums - it's a growing problem.
It sounds to me like the cookie stuffing method used in that eBay case was the same one I blogged about in the link Doug shared.

For those that may not know cookie stuffing is stealing. If you own a forum and someone cookie stuffs a busy thread, tons of your members could have their affiliate commissions stolen from them.

The specific method I reference in that blog post is really hard to spot. I've been helping any forum owner that wants to find out how it's done and get some ideas on how to stop it.

"does the vbulletin team have a remedy for this? (I don't know how the stuffing is being done.)"

I know how it's done and would be happy to talk to someone at VB about it. There is a solution that I think would work really well and I assume there may already be a hack designed for something else that would prohibit the method they use to jack cookies.

Feel free to contact me if you are a VB hack writer, a VB staffer that wants to learn more or even a forum owner. Only thing is I won't give the info out to anyone unless you email me from your forum email address or can verify you are a forum owner. I've had too many scammers that don't even own forums try to get the info from me.

Thanks,

It makes me laugh that the DP faithful are talking over there as though their innocent. LOL.

Innocent until proven guilty. Wonderful thing this justice system we have eh? Oh yeah, I forgot, because they are being sued means they must be guilty.

I very much doubt ebay would take action against them unless they knew 100% it was them.

Lets put it this way, I don't see them posting over at DP in that thread saying their inocent. Do you?

But I'll take onboard your inocent until proven guilty, as yo do have a point! "sort off"! :D

"does the vbulletin team have a remedy for this? (I don't know how the stuffing is being done.)"

I know how it's done and would be happy to talk to someone at VB about it. There is a solution that I think would work really well and I assume there may already be a hack designed for something else that would prohibit the method they use to jack cookies.

Feel free to contact me if you are a VB hack writer, a VB staffer that wants to learn more or even a forum owner. Only thing is I won't give the info out to anyone unless you email me from your forum email address or can verify you are a forum owner. I've had too many scammers that don't even own forums try to get the info from me.

Thanks,
I've created a mod that will help mitigate any attempted cookie stuffing done by forum members. I'm testing it on my own forums as we speak and I'll release it on www.vbulletin.org as soon as I'm satisfied with it.

This is something serious enough that Jelsoft should address.

This is something serious enough that Jelsoft should address.
Err what?

Err what?
I'll PM the details to you if you're interested. Basically using BBcode that is enabled by default, any user can insert code in a post that will plant an affiliate tracking cookie on all visitors' computers. See http://en.wikipedia.org/wiki/Cookie_stuffing

Like so :

http://www.steverenner.com/wp-content/uploads/2008/06/cookie_0611_02.jpg

I'll PM the details to you if you're interested. Basically using BBcode that is enabled by default, any user can insert code in a post that will plant an affiliate tracking cookie on all visitors' computers. See http://en.wikipedia.org/wiki/Cookie_stuffing
I know how it is done, but I do not see how vb can stop this. Unless they completely stop allowing remote urls and images.

[edit] never mind, it just came to me ... ;)

Jezz, how long as this been around. Is there anyway to tell if your computer has been affected

I'll PM the details to you if you're interested. Basically using BBcode that is enabled by default, any user can insert code in a post that will plant an affiliate tracking cookie on all visitors' computers. See http://en.wikipedia.org/wiki/Cookie_stuffing

Thanks sockwater,

Please let me know when it's ready. I have tons of forum owners contacting me every week asking how to block this.

From the little you've said, it doesn't sound like you're working on blocking the particular type of cookie stuffing alleged in that suit and the type I blogged about. It's done through images and can use BBcode image tags or HTML.

I know what I'd like a script to do, I'm just not the least bit technical. I think there's a mod that may do what we need but I haven't had time to look too much.

Holler if you want to brainstorm!

One of the solutions is to make the forum be the man in the middle so any returned data (minus the headers) is displayed only. However, this has a huge impact on traffic used since everything has to parse through the forum software. Personally I would not have a problem with this, but we already get so many customers asking how to lower traffic because of the bad hosting they use, or because they have a huge site and performance is then everything.

Floris,

I'll PM you a couple ideas and solutions to see if you know of something or if this is an option you want to offer in upcoming versions. I think the info I have written up about how they do it may be too long for a sticky so you may get a couple messages from me.

Oops you have PMs disabled. Please email me at linda AT 5staraffiliateprograms DOT com or PM me with the best way to reach you.

Thanks,

Floris,

I'll PM you a couple ideas and solutions to see if you know of something or if this is an option you want to offer in upcoming versions. I think the info I have written up about how they do it may be too long for a sticky so you may get a couple messages from me.
Please email me on floris at vbulletin dot com
This way besides reading your input I could forward it to the appropriate developer for review.

Thanks Floris, long email sent your way!

Appreciate you taking the time to look at this issue!

Thanks sockwater,

Please let me know when it's ready. I have tons of forum owners contacting me every week asking how to block this.

From the little you've said, it doesn't sound like you're working on blocking the particular type of cookie stuffing alleged in that suit and the type I blogged about. It's done through images and can use BBcode image tags or HTML.

I know what I'd like a script to do, I'm just not the least bit technical. I think there's a mod that may do what we need but I haven't had time to look too much.

Holler if you want to brainstorm!

I've released the first iteration of my Cookie Stuffing Detector (http://www.vbulletin.org/forum/showthread.php?t=189979) on vBulletin.org At this point it doesn't block cookie stuffing, but it will help admins and moderators detect it a lot easier. I have a few more ideas for further development that I have already started on.

Is there anyway to check your own computer, or anything you can do like clearing all temp files from your computer to make sure if you have been hit by this, you can clear the cookie stuffing

Is there anyway to check your own computer, or anything you can do like clearing all temp files from your computer to make sure if you have been hit by this, you can clear the cookie stuffing
Just clear your browser's cookies.

ok thanks

Well actually dumping all your cookies is a counter attack on the root of the problem. Maybe some of you aren't affiliates. If you don't earn revenue as an affiliate, you don't care about other affiliates making the income that's due to them, then you don't need to worry if someone plants a cookie - it won't hurt a darn thing and you'll likely never use the cookie anyway so don't even worry about it. If you delete all your cookies it creates an even bigger problem.

In case someone does not understand the basics, let me try to explain it.

Let's say a member here is an affiliate for a hosting company. You created content, maybe wrote reviews or put together host comparisons. Maybe you even did PPC and PAID to get a visitor to read your ad, you spent time building the landing page and you sent that visitor to the Host. The visitor legitimately gets your cookie for tracking purposes, so if that customer does not buy the 1st time but comes back a week later you will still get commission for that visitor you sent. (So in simple terms you tagged that customer and when they buy you should get paid.)

So the visitor does not buy right away. He leaves then ends up at a forum and reads a thread. He never clicks a link or does anything. But a cookie stuffer is mass loading his cookies onto everyone at the forum. YOUR customer goes back to the Host to sign up and the cookie stuffer who did NO legitimate work at all - steals your sale because he over-wrote your cookie. You PAID for that visitor, you did the work, it's your customer - the cookie stuffer gets your commission.

With legitimate affiliates sales the affiliate needs to create content or a site or a link or do some type of advertising to get the visitor to click their link and go to the merchant.

HOWEVER if I was doing black hat affiliate marketing, I could stuff an invisible cookie right in this forum. We could be talking about "whats the best Vbulletin host" and I could stuff a cookie for HostGator. You guys would not see anything, there is no link to click and you'd never go to my site or read my ad and you don't get to eBay through me at all, in any way. I did nothing to get you to go to Hostgator and I don't deserve credit for the sale. BUT every time anyone reads this thread - I would be stuffing my cookie on all your computers. Now if you end up getting a HostGator account even if you had previously clicked an affiliate ad and they should get credit - they won't - because I just STOLE their commission even though I didn't do any work.

MRGTB asked: "Is there anyway to check your own computer, or anything you can do like clearing all temp files from your computer to make sure if you have been hit by this, you can clear the cookie stuffing"

So just to be clear. If you let's say visited a review site about a hosting company and decided based on the greatereview and the info you recieved that you want to buy hosting, if the person who wrote the review is an affiliate they should get the commission. You visited their site, they took the time to write a good review. It helped you make a decision.

If you wipe out ALL your cookies for fear you've been cookie stuffed then you also wipe out the cookie of the deserving affiliate and they don't get paid for the work they did.

It's a little hard to understand. Did that help or did I make it more confusing?

Like most people I run adsense ads, but no I'm not an affiliate making commission by trying to get people to buy something.

Thanks again sockwater for working on this!

And I also really want to thank Floris for taking the time to talk to me, hear my suggestions and forward them on to the rest of the Vbulletin team for consideration.

Thanks again sockwater for working on this!

And I also really want to thank Floris for taking the time to talk to me, hear my suggestions and forward them on to the rest of the Vbulletin team for consideration.
If you have any other ideas on how to make the addon more useful, let me know. I'm using it as an interim measure until vBulletin implements something to combat this problem.